Bug ID: 1133082
Summary: Base:System/fwupd: updating build to 1.2.7 needs new polkit privileges
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: maurizio.galli@gmail.com
QA Contact: qa-bugs@suse.de
CC: glin@suse.com
Found By: ---
Blocker: ---

Created attachment 803402: fwupd 1.2.7 build log

Updating the fwupd build to the current 1.2.7 needs the attention of the security team.

[  158s] RPMLINT report:
[  158s] ===============
[  167s] fwupd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.fwupd.device-activate (auth_admin:no:auth_admin_keep)
[  167s] fwupd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.fwupd.self-sign (auth_admin:no:auth_admin_keep)
[  167s] fwupd.x86_64: I: polkit-cant-acquire-privilege org.freedesktop.fwupd.set-approved-firmware (auth_admin:no:auth_admin_keep)
[  167s] Usability can be improved by allowing users to acquire privileges via
[  167s] authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
[  167s] 'allow_any'. This is an issue only if the privilege is not listed in
[  167s] /etc/polkit-default-privs.*
[  167s] 
[  167s] fwupd.x86_64: W: files-duplicate /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
[  167s] fwupd.x86_64: W: files-duplicate /etc/pki/fwupd/LVFS-CA.pem /etc/pki/fwupd-metadata/LVFS-CA.pem
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/dbus-1/system.d/org.freedesktop.fwupd.conf
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd-metadata/GPG-KEY-Linux-Foundation-Metadata
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd-metadata/GPG-KEY-Linux-Vendor-Firmware-Service
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd-metadata/LVFS-CA.pem
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/GPG-KEY-Hughski-Limited
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/GPG-KEY-Linux-Foundation-Firmware
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/GPG-KEY-Linux-Vendor-Firmware-Service
[  167s] fwupd.x86_64: W: non-conffile-in-etc /etc/pki/fwupd/LVFS-CA.pem
[  167s] A non-executable file in your package is being installed in /etc, but is not a
[  167s] configuration file. All non-executable files in /etc should be configuration
[  167s] files. Mark the file as %config in the spec file.
[  167s] 
[  167s] fwupd.x86_64: W: obsolete-not-provided fwupdate
[  167s] If a package is obsoleted by a compatible replacement, the obsoleted package
[  167s] should also be provided in order to not cause unnecessary dependency breakage.
[  167s] If the obsoleting package is not a compatible replacement for the old one,
[  167s] leave out the Provides.
[  167s] 
[  167s] fwupd.x86_64: W: pem-certificate /etc/pki/fwupd-metadata/LVFS-CA.pem
[  167s] fwupd.x86_64: W: pem-certificate /etc/pki/fwupd/LVFS-CA.pem
[  167s] Shipping a PEM certificate is likely wrong. If used for the default
[  167s] configuration, this is insecure ( since the certificate is public ). If this
[  167s] is used for validation, ie a CA certificate store, then this must be kept up
[  167s] to date due to CA compromise. The only valid reason is for testing purpose, so
[  167s] ignore this warning if this is the case.
[  167s] 
[  167s] fwupd.x86_64: W: polkit-unauthorized-rules /usr/share/polkit-1/rules.d/org.freedesktop.fwupd.rules
[  167s] A polkit rules file installed by this package is not whitelisted in the
[  167s] polkit-whitelisting package. If the package is intended for inclusion in any
[  167s] SUSE product please open a bug report to request review of the package by the
[  167s] security team. Please refer to
[  167s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  167s] more information.
[  167s] 
[  167s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.device-activate (auth_admin:no:auth_admin_keep)
[  167s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.self-sign (auth_admin:no:auth_admin_keep)
[  167s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.set-approved-firmware (auth_admin:no:auth_admin_keep)
[  167s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[  167s] harder for admins to find. Furthermore polkit authorization checks can easily
[  167s] introduce security issues. If the package is intended for inclusion in any
[  167s] SUSE product please open a bug report to request review of the package by the
[  167s] security team. Please refer to
[  167s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  167s] more information.
[  167s] 
[  167s] (none): E: badness 30000 exceeds threshold 1000, aborting.
[  167s] 7 packages and 0 specfiles checked; 3 errors, 14 warnings.
[  167s] 
[  167s] 
[  167s] lamb16 failed "build fwupd.spec" at Mon Apr 22 16:11:43 UTC 2019.

Reference OBS:
https://build.opensuse.org/package/show/home:mauriziogalli:branches:Base:System/fwupd


Full Build log attached.

