import fwupd-1.5.5-3.el8

2021-05-18 02:54:07 -04:00 · 2021-05-18 02:54:07 -04:00 · 937960e649
commit 937960e649
parent 0cc62e157a
18 changed files with 952 additions and 208 deletions
--- a/.fwupd.metadata
+++ b/.fwupd.metadata
@ -1,2 +1,8 @@
-c152547682cb354b69e4e1a89b53369dd42f3e53 SOURCES/fwupd-1.4.2.tar.xz
-6991b6879b438a4672e97c534d10737bc54e6f39 SOURCES/libjcat-0.1.2.tar.xz
+b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab
+dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab
+a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
+b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
+3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
+89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
+acaf6614e6a7af7014c1697b7c440ef0c394a2f6 SOURCES/fwupd-1.5.5.tar.xz
+e01a97b6d16a188a43cb25caa42cdf9771803531 SOURCES/libjcat-0.1.5.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,8 @@
-SOURCES/fwupd-1.4.2.tar.xz
-SOURCES/libjcat-0.1.2.tar.xz
+SOURCES/DBXUpdate-20100307-x64.cab
+SOURCES/DBXUpdate-20140413-x64.cab
+SOURCES/DBXUpdate-20160809-x64.cab
+SOURCES/DBXUpdate-20200729-aa64.cab
+SOURCES/DBXUpdate-20200729-ia32.cab
+SOURCES/DBXUpdate-20200729-x64.cab
+SOURCES/fwupd-1.5.5.tar.xz
+SOURCES/libjcat-0.1.5.tar.xz
--- a/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
+++ b/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
@ -1,114 +0,0 @@
-From 839b89f45a38b2373bf5836337a33f450aaab72e Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Thu, 28 May 2020 10:41:23 +0100
-Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
- signature
-
-If a detached signature is actually a PGP message, gpgme_op_verify() returns
-the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
-builds an empty list.
-
-Explicitly check for no signatures present to avoid returning a JcatResult with
-no timestamp and an empty authority.
-
-Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
-coordinated disclosure of this issue. Fixes CVE-2020-10759
---
- libjcat/jcat-gpg-engine.c |  7 +++++
- libjcat/jcat-self-test.c  | 55 +++++++++++++++++++++++++++++++++++++++
- 2 files changed, 62 insertions(+)
-
-diff --git libjcat/jcat-gpg-engine.c libjcat/jcat-gpg-engine.c
-index 0812a62..bd44dba 100644
--- libjcat/jcat-gpg-engine.c
-+++ libjcat/jcat-gpg-engine.c
-@@ -267,6 +267,13 @@ jcat_gpg_engine_pubkey_verify (JcatEngine *engine,
- 				     "no result record from libgpgme");
- 		return NULL;
- 	}
-+	if (result->signatures == NULL) {
-+		g_set_error_literal (error,
-+				     G_IO_ERROR,
-+				     G_IO_ERROR_FAILED,
-+				     "no signatures from libgpgme");
-+		return NULL;
-+	}
- 
- 	/* look at each signature */
- 	for (s = result->signatures; s != NULL ; s = s->next ) {
-diff --git libjcat/jcat-self-test.c libjcat/jcat-self-test.c
-index d79a3a9..fd4295e 100644
--- libjcat/jcat-self-test.c
-+++ libjcat/jcat-self-test.c
-@@ -393,6 +393,60 @@ jcat_gpg_engine_func (void)
- #endif
- }
- 
-+static void
-+jcat_gpg_engine_msg_func (void)
-+{
-+#ifdef ENABLE_GPG
-+	g_autofree gchar *fn = NULL;
-+	g_autofree gchar *pki_dir = NULL;
-+	g_autoptr(GBytes) data = NULL;
-+	g_autoptr(GBytes) data_sig = NULL;
-+	g_autoptr(GError) error = NULL;
-+	g_autoptr(JcatContext) context = jcat_context_new ();
-+	g_autoptr(JcatEngine) engine = NULL;
-+	g_autoptr(JcatResult) result = NULL;
-+	const gchar *sig =
-+	"-----BEGIN PGP MESSAGE-----\n"
-+	"owGbwMvMwMEovmZX76/pfOKMp0WSGOLOX3/ikZqTk6+jUJ5flJOiyNXJaMzCwMjB\n"
-+	"ICumyCJmt5VRUil28/1+z1cwbaxMID0MXJwCMJG4RxwMLUYXDkUad34I3vrT8+X2\n"
-+	"m+ZyHyMWnTiQYaQb/eLJGqbiAJc5Jr4a/PPqHNi7auwzGsKsljebabjtnJRzpDr0\n"
-+	"YvwrnmmWLJUnTzjM3MH5Kn+RzqXkywsYdk9yD2OUdLy736CiemFMdcuF02lOZvPU\n"
-+	"HaTKl76wW62QH8Lr8yGMQ1Xgc6nC2ZwUhvctky7NOZtc1T477uBTL81p31ZmaIUJ\n"
-+	"paS8uWZl8UzX5sFsqQi37G1TbDc8Cm+oU/yRkFj2pLBzw367ncsa4n7EqEWu1yrN\n"
-+	"yD39LUeErePdqfKCG+xhL6WkWt5ZJ/6//XnjouXhl5Z4tWspT49MtNp5d3aDQ43c\n"
-+	"mnbresn6A7KMZgdOiwIA\n"
-+	"=a9ui\n"
-+	"-----END PGP MESSAGE-----\n";
-+
-+	/* set up context */
-+	jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var");
-+	pki_dir = g_test_build_filename (G_TEST_DIST, "pki", NULL);
-+	jcat_context_add_public_keys (context, pki_dir);
-+
-+	/* get engine */
-+	engine = jcat_context_get_engine (context, JCAT_BLOB_KIND_GPG, &error);
-+	g_assert_no_error (error);
-+	g_assert_nonnull (engine);
-+	g_assert_cmpint (jcat_engine_get_kind (engine), ==, JCAT_BLOB_KIND_GPG);
-+	g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_SIGNATURE);
-+
-+	/* verify with GnuPG, which should fail as the signature is not a
-+	 * detached signature at all, but gnupg stabs us in the back by returning
-+	 * success from gpgme_op_verify() with an empty list of signatures */
-+	fn = g_test_build_filename (G_TEST_DIST, "colorhug", "firmware.bin", NULL);
-+	data = jcat_get_contents_bytes (fn, &error);
-+	g_assert_no_error (error);
-+	g_assert_nonnull (data);
-+	data_sig = g_bytes_new_static (sig, strlen (sig));
-+	result = jcat_engine_pubkey_verify (engine, data, data_sig,
-+					    JCAT_VERIFY_FLAG_NONE, &error);
-+	g_assert_error (error, G_IO_ERROR, G_IO_ERROR_FAILED);
-+	g_assert_null (result);
-+#else
-+	g_test_skip ("no GnuPG support enabled");
-+#endif
-+}
-+
- static void
- jcat_pkcs7_engine_func (void)
- {
-@@ -753,6 +807,7 @@ main (int argc, char **argv)
- 	g_test_add_func ("/jcat/engine{sha1}", jcat_sha1_engine_func);
- 	g_test_add_func ("/jcat/engine{sha256}", jcat_sha256_engine_func);
- 	g_test_add_func ("/jcat/engine{gpg}", jcat_gpg_engine_func);
-+	g_test_add_func ("/jcat/engine{gpg-msg}", jcat_gpg_engine_msg_func);
- 	g_test_add_func ("/jcat/engine{pkcs7}", jcat_pkcs7_engine_func);
- 	g_test_add_func ("/jcat/engine{pkcs7-self-signed}", jcat_pkcs7_engine_self_signed_func);
- 	g_test_add_func ("/jcat/context{verify-blob}", jcat_context_verify_blob_func);
-- 
-2.26.2
-
--- a/SOURCES/0001-stm-dfu-fix-dnload-wBlockNum-wraparound.patch
+++ b/SOURCES/0001-stm-dfu-fix-dnload-wBlockNum-wraparound.patch
@ -0,0 +1,25 @@
+From 8d550213da363af1ca95252b4699bdf30efab5cb Mon Sep 17 00:00:00 2001
+From: Ilya Guterman <amfernusus@gmail.com>
+Date: Mon, 11 Jan 2021 18:10:09 +0200
+Subject: [PATCH 01/11] stm-dfu: fix dnload wBlockNum wraparound
+
+---
+ plugins/dfu/dfu-target-stm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git plugins/dfu/dfu-target-stm.c plugins/dfu/dfu-target-stm.c
+index faf027d1..b9adb725 100644
+--- plugins/dfu/dfu-target-stm.c
+++ plugins/dfu/dfu-target-stm.c
+@@ -364,7 +364,7 @@ dfu_target_stm_download_element (DfuTarget *target,
+ 			 g_bytes_get_size (bytes_tmp));
+ 		/* ST uses wBlockNum=0 for DfuSe commands and wBlockNum=1 is reserved */
+ 		if (!dfu_target_download_chunk (target,
+-						(guint8) (i + 2),
+						(i + 2),
+ 						bytes_tmp,
+ 						error))
+ 			return FALSE;
+-- 
+2.29.2
+
--- a/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
+++ b/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
@ -1,32 +0,0 @@
-From d7a1eb17bef650f13e7f96430f99294c36a40806 Mon Sep 17 00:00:00 2001
-From: Vincent Huang <vincent.huang@tw.synaptics.com>
-Date: Tue, 19 May 2020 13:09:28 +0800
-Subject: [PATCH] synaptics-prometheus: Force the minor version from 0x02 to
- 0x01 to make sure the devices can be updated back to 0x01.
-
---
- plugins/synaptics-prometheus/fu-synaprom-device.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git plugins/synaptics-prometheus/fu-synaprom-device.c plugins/synaptics-prometheus/fu-synaprom-device.c
-index 5a19203c..299ebde2 100644
--- a/plugins/synaptics-prometheus/fu-synaprom-device.c
-+++ b/plugins/synaptics-prometheus/fu-synaprom-device.c
-@@ -142,6 +142,14 @@ fu_synaprom_device_set_version (FuSynapromDevice *self,
- {
- 	g_autofree gchar *str = NULL;
- 
-+	/* We decide to skip 10.02.xxxxxx firmware, so we force the minor version from 0x02 
-+	** to 0x01 to make the devices with 0x02 minor version firmware allow to be updated
-+	** back to minor version 0x01. */
-+	if (vmajor == 0x0a && vminor == 0x02) {
-+		g_debug ("quirking vminor from %02x to 01", vminor);
-+		vminor = 0x01;
-+	}
-+
- 	/* set display version */
- 	str = g_strdup_printf ("%02u.%02u.%u", vmajor, vminor, buildnum);
- 	fu_device_set_version (FU_DEVICE (self), str);
-- 
-2.26.2
-
--- a/SOURCES/0002-rename-config-section-in-uefi_capsule.conf-to-plugin.patch
+++ b/SOURCES/0002-rename-config-section-in-uefi_capsule.conf-to-plugin.patch
@ -0,0 +1,30 @@
+From f7e99feb9bd49b4f7b05ba4c07398e1421b62164 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?=
+ =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?=
+ <gdamjan@gmail.com>
+Date: Tue, 12 Jan 2021 18:36:40 +0100
+Subject: [PATCH 02/11] rename config section in uefi_capsule.conf to plugin
+ name
+
+in ee2e2c36749298e58b34dca163ea48a7fc925da6 the plugin name was changed
+from uefi to uefi_capsule. while the config file name was changed, the
+section name should also be changed.
+
+fixes #2748
+---
+ plugins/uefi-capsule/uefi_capsule.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git plugins/uefi-capsule/uefi_capsule.conf plugins/uefi-capsule/uefi_capsule.conf
+index d9775263..c543a7f2 100644
+--- plugins/uefi-capsule/uefi_capsule.conf
+++ plugins/uefi-capsule/uefi_capsule.conf
+@@ -1,4 +1,4 @@
+-[uefi]
+[uefi_capsule]
+ 
+ # the shim loader is required to chainload the fwupd EFI binary unless
+ # the fwupd.efi file has been self-signed manually
+-- 
+2.29.2
+
--- a/SOURCES/0003-Ask-the-user-to-reboot-when-required-if-downgrading.patch
+++ b/SOURCES/0003-Ask-the-user-to-reboot-when-required-if-downgrading.patch
@ -0,0 +1,32 @@
+From 4952d5f8bdf8ed801d2a449f589592d0d6356833 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 13 Jan 2021 09:58:16 +0000
+Subject: [PATCH 03/11] Ask the user to reboot when required if downgrading
+
+This matches the behaviour of install and reinstall.
+---
+ src/fu-util.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git src/fu-util.c src/fu-util.c
+index 05f429bf..d5936e65 100644
+--- src/fu-util.c
+++ src/fu-util.c
+@@ -1835,7 +1835,13 @@ fu_util_downgrade (FuUtilPrivate *priv, gchar **values, GError **error)
+ 	if (!fu_util_maybe_send_reports (priv, remote_id, error))
+ 		return FALSE;
+ 
+-	return TRUE;
+	/* we don't want to ask anything */
+	if (priv->no_reboot_check) {
+		g_debug ("skipping reboot check");
+		return TRUE;
+	}
+
+	return fu_util_prompt_complete (priv->completion_flags, TRUE, error);
+ }
+ 
+ static gboolean
+-- 
+2.29.2
+
--- a/SOURCES/0004-Do-not-show-Unknown-for-every-client-connection.patch
+++ b/SOURCES/0004-Do-not-show-Unknown-for-every-client-connection.patch
@ -0,0 +1,33 @@
+From 002863121ed42f33507ce5663a3b22fabdfa5c36 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Thu, 14 Jan 2021 10:03:51 +0000
+Subject: [PATCH 04/11] Do not show Unknown [***] for every client connection
+
+Ignore the initial client state change from UNKNOWN to IDLE which was being set
+as part of the fix in fb36f22.
+
+Fixes https://github.com/fwupd/fwupd/issues/2766
+---
+ src/fu-progressbar.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git src/fu-progressbar.c src/fu-progressbar.c
+index 9a7378c5..5dd9ff39 100644
+--- src/fu-progressbar.c
+++ src/fu-progressbar.c
+@@ -297,6 +297,12 @@ fu_progressbar_update (FuProgressbar *self, FwupdStatus status, guint percentage
+ {
+ 	g_return_if_fail (FU_IS_PROGRESSBAR (self));
+ 
+	/* ignore initial client connection */
+	if (self->status == FWUPD_STATUS_UNKNOWN && status == FWUPD_STATUS_IDLE) {
+		self->status = status;
+		return;
+	}
+
+ 	/* use cached value */
+ 	if (status == FWUPD_STATUS_UNKNOWN)
+ 		status = self->status;
+-- 
+2.29.2
+
--- a/SOURCES/0005-esp-list-allow-external-ESP-again.patch
+++ b/SOURCES/0005-esp-list-allow-external-ESP-again.patch
@ -0,0 +1,58 @@
+From d179875e1025cbf0df3987a9c3b42a996eae5354 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
+ <congdanhqx@gmail.com>
+Date: Sat, 23 Jan 2021 11:36:26 +0700
+Subject: [PATCH 05/11] esp-list: allow external ESP again
+
+In fwupd 1.5.1 and before, we allowed ESP on external device.
+From 56d816a5, (Fall back to FAT32 internal partitions for detecting
+ESP, 2020-11-11), we started to only consider internal devices only.
+
+While it would be desirable to only consider internal devices for
+fallback esp partition, there're some setup that put ESP on external
+device, e.g. full disk encryption with /boot on a USB.
+
+Let's allow external ESP again.
+---
+ src/fu-tool.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git src/fu-tool.c src/fu-tool.c
+index 8624dfed..7c913f29 100644
+--- src/fu-tool.c
+++ src/fu-tool.c
+@@ -2431,6 +2431,7 @@ fu_util_prompt_for_volume (GError **error)
+ {
+ 	FuVolume *volume;
+ 	guint idx;
+	gboolean is_fallback = FALSE;
+ 	g_autoptr(GPtrArray) volumes = NULL;
+ 	g_autoptr(GPtrArray) volumes_vfat = g_ptr_array_new ();
+ 	g_autoptr(GError) error_local = NULL;
+@@ -2438,6 +2439,7 @@ fu_util_prompt_for_volume (GError **error)
+ 	/* exactly one */
+ 	volumes = fu_common_get_volumes_by_kind (FU_VOLUME_KIND_ESP, &error_local);
+ 	if (volumes == NULL) {
+		is_fallback = TRUE;
+ 		g_debug ("%s, falling back to %s", error_local->message, FU_VOLUME_KIND_BDP);
+ 		volumes = fu_common_get_volumes_by_kind (FU_VOLUME_KIND_BDP, error);
+ 		if (volumes == NULL) {
+@@ -2445,13 +2447,13 @@ fu_util_prompt_for_volume (GError **error)
+ 			return NULL;
+ 		}
+ 	}
+-	/* only add internal vfat partitions */
+	/* on fallback: only add internal vfat partitions */
+ 	for (guint i = 0; i < volumes->len; i++) {
+ 		FuVolume *vol = g_ptr_array_index (volumes, i);
+ 		g_autofree gchar *type = fu_volume_get_id_type (vol);
+ 		if (type == NULL)
+ 			continue;
+-		if (!fu_volume_is_internal (vol))
+		if (is_fallback && !fu_volume_is_internal (vol))
+ 			continue;
+ 		if (g_strcmp0 (type, "vfat") == 0)
+ 			g_ptr_array_add (volumes_vfat, vol);
+-- 
+2.29.2
+
--- a/SOURCES/0006-Fix-a-crash-when-using-fwupdtool.patch
+++ b/SOURCES/0006-Fix-a-crash-when-using-fwupdtool.patch
@ -0,0 +1,41 @@
+From 9b48540a255bc91679de93a388600a61d9ca02c6 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 27 Jan 2021 10:45:21 +0000
+Subject: [PATCH 06/11] Fix a crash when using fwupdtool
+
+The docs for `fwupd_device_get_children()` make it very clear that only the
+parent should be assigned. Also add a warning to `fwupd_device_add_child()`
+explaining it is for internal daemon use only.
+---
+ libfwupd/fwupd-device.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git libfwupd/fwupd-device.c libfwupd/fwupd-device.c
+index 7e3ceca9..2f3f4ddb 100644
+--- libfwupd/fwupd-device.c
+++ libfwupd/fwupd-device.c
+@@ -370,6 +370,9 @@ fwupd_device_set_parent (FwupdDevice *device, FwupdDevice *parent)
+  * Adds a child device. An child device is logically linked to the primary
+  * device in some way.
+  *
+ * NOTE: You should never call this function from user code, it is for daemon
+ * use only. Only use fwupd_device_set_parent() to set up a logical tree.
+ *
+  * Since: 1.5.1
+  **/
+ void
+@@ -2646,10 +2649,8 @@ fwupd_device_array_ensure_parents (GPtrArray *devices)
+ 		if (parent_id != NULL) {
+ 			FwupdDevice *dev_tmp;
+ 			dev_tmp = g_hash_table_lookup (devices_by_id, parent_id);
+-			if (dev_tmp != NULL) {
+-				fwupd_device_add_child (dev_tmp, dev);
+			if (dev_tmp != NULL)
+ 				fwupd_device_set_parent (dev, dev_tmp);
+-			}
+ 		}
+ 	}
+ }
+-- 
+2.29.2
+
--- a/SOURCES/0007-jabra-Ensure-the-protocol-is-set-to-avoid-a-daemon-w.patch
+++ b/SOURCES/0007-jabra-Ensure-the-protocol-is-set-to-avoid-a-daemon-w.patch
@ -0,0 +1,25 @@
+From b04116d4defad3b243a109d9d79ad11eceecd6cc Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 1 Feb 2021 09:32:11 +0000
+Subject: [PATCH 07/11] jabra: Ensure the protocol is set to avoid a daemon
+ warning
+
+---
+ plugins/jabra/fu-jabra-device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git plugins/jabra/fu-jabra-device.c plugins/jabra/fu-jabra-device.c
+index 7a6aff9a..055a3b30 100644
+--- plugins/jabra/fu-jabra-device.c
+++ plugins/jabra/fu-jabra-device.c
+@@ -146,6 +146,7 @@ fu_jabra_device_init (FuJabraDevice *self)
+ 	fu_device_add_flag (FU_DEVICE (self), FWUPD_DEVICE_FLAG_UPDATABLE);
+ 	fu_device_add_flag (FU_DEVICE (self), FWUPD_DEVICE_FLAG_ADD_COUNTERPART_GUIDS);
+ 	fu_device_set_remove_delay (FU_DEVICE (self), 20000); /* 10+10s! */
+	fu_device_set_protocol (FU_DEVICE (self), "org.usb.dfu");
+ }
+ 
+ static void
+-- 
+2.29.2
+
--- a/SOURCES/0008-wacom-usb-Fix-a-crash-detected-by-AddressSanitizer.patch
+++ b/SOURCES/0008-wacom-usb-Fix-a-crash-detected-by-AddressSanitizer.patch
@ -0,0 +1,25 @@
+From b943adc496451975a9b959d78c0859a7fea5e483 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Sun, 7 Feb 2021 16:55:02 +0000
+Subject: [PATCH 08/11] wacom-usb: Fix a crash detected by AddressSanitizer
+
+---
+ plugins/wacom-usb/fu-wac-firmware.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git plugins/wacom-usb/fu-wac-firmware.c plugins/wacom-usb/fu-wac-firmware.c
+index fc54cf10..d3a41682 100644
+--- plugins/wacom-usb/fu-wac-firmware.c
+++ plugins/wacom-usb/fu-wac-firmware.c
+@@ -44,7 +44,7 @@ fu_wac_firmware_parse (FuFirmware *firmware,
+ 
+ 	/* check the prefix (BE) */
+ 	data = (guint8 *) g_bytes_get_data (fw, &len);
+-	if (memcmp (data, "WACOM", 5) != 0) {
+	if (len < 5 || memcmp (data, "WACOM", 5) != 0) {
+ 		g_set_error_literal (error,
+ 				     FWUPD_ERROR,
+ 				     FWUPD_ERROR_INTERNAL,
+-- 
+2.29.2
+
--- a/SOURCES/0009-trivial-Fix-a-buffer-overread-spotted-by-AddressSani.patch
+++ b/SOURCES/0009-trivial-Fix-a-buffer-overread-spotted-by-AddressSani.patch
@ -0,0 +1,34 @@
+From b743836b16c64e2d726f85113cd4ab6f18ed4df0 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 8 Feb 2021 16:47:05 +0000
+Subject: [PATCH 09/11] trivial: Fix a buffer-overread spotted by
+ AddressSanitizer
+
+---
+ libfwupdplugin/fu-common.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git libfwupdplugin/fu-common.c libfwupdplugin/fu-common.c
+index d4dd4aef..094f2d23 100644
+--- libfwupdplugin/fu-common.c
+++ libfwupdplugin/fu-common.c
+@@ -1856,14 +1856,12 @@ fu_common_strsafe (const gchar *str, gsize maxsz)
+ 	gboolean valid = FALSE;
+ 	g_autoptr(GString) tmp = NULL;
+ 
+-	g_return_val_if_fail (maxsz > 0, NULL);
+-
+ 	/* sanity check */
+-	if (str == NULL)
+	if (str == NULL || maxsz == 0)
+ 		return NULL;
+ 
+ 	/* replace non-printable chars with '.' */
+-	tmp = g_string_sized_new (strlen (str));
+	tmp = g_string_sized_new (maxsz);
+ 	for (gsize i = 0; str[i] != '\0' && i < maxsz; i++) {
+ 		if (!g_ascii_isprint (str[i])) {
+ 			g_string_append_c (tmp, '.');
+-- 
+2.29.2
+
--- a/SOURCES/0010-ihex-Fix-a-buffer-overread-spotted-by-AddressSanitiz.patch
+++ b/SOURCES/0010-ihex-Fix-a-buffer-overread-spotted-by-AddressSanitiz.patch
@ -0,0 +1,38 @@
+From 6077051e173770cf357703a3d776ceac2c53d963 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 8 Feb 2021 18:10:38 +0000
+Subject: [PATCH 10/11] ihex: Fix a buffer-overread spotted by AddressSanitizer
+
+---
+ libfwupdplugin/fu-ihex-firmware.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git libfwupdplugin/fu-ihex-firmware.c libfwupdplugin/fu-ihex-firmware.c
+index 8d4fc6a6..5df8a948 100644
+--- libfwupdplugin/fu-ihex-firmware.c
+++ libfwupdplugin/fu-ihex-firmware.c
+@@ -90,11 +90,6 @@ fu_ihex_firmware_record_new (guint ln, const gchar *line,
+ 	rcd->ln = ln;
+ 	rcd->data = g_byte_array_new ();
+ 	rcd->buf = g_string_new (line);
+-	rcd->byte_cnt = fu_firmware_strparse_uint8 (line + 1);
+-	rcd->addr = fu_firmware_strparse_uint16 (line + 3);
+-	rcd->record_type = fu_firmware_strparse_uint8 (line + 7);
+-
+-	/* check there's enough data for the smallest possible record */
+ 	if (rcd->buf->len < 11) {
+ 		g_set_error (error,
+ 			     FWUPD_ERROR,
+@@ -103,6 +98,9 @@ fu_ihex_firmware_record_new (guint ln, const gchar *line,
+ 			     (guint) rcd->buf->len);
+ 		return NULL;
+ 	}
+	rcd->byte_cnt = fu_firmware_strparse_uint8 (line + 1);
+	rcd->addr = fu_firmware_strparse_uint16 (line + 3);
+	rcd->record_type = fu_firmware_strparse_uint8 (line + 7);
+ 
+ 	/* position of checksum */
+ 	line_end = 9 + rcd->byte_cnt * 2;
+-- 
+2.29.2
+
--- a/SOURCES/0011-wacom-usb-Fix-a-buffer-overread-spotted-by-AddressSa.patch
+++ b/SOURCES/0011-wacom-usb-Fix-a-buffer-overread-spotted-by-AddressSa.patch
@ -0,0 +1,26 @@
+From 60b5598032b3c36660984e7d49a5ff929ecd6e26 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 8 Feb 2021 18:41:45 +0000
+Subject: [PATCH 11/11] wacom-usb: Fix a buffer-overread spotted by
+ AddressSanitizer
+
+---
+ plugins/wacom-usb/fu-wac-firmware.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git plugins/wacom-usb/fu-wac-firmware.c plugins/wacom-usb/fu-wac-firmware.c
+index d3a41682..ae1e7cac 100644
+--- plugins/wacom-usb/fu-wac-firmware.c
+++ plugins/wacom-usb/fu-wac-firmware.c
+@@ -65,7 +65,7 @@ fu_wac_firmware_parse (FuFirmware *firmware,
+ 			guint cmdlen = strlen (lines[i]);
+ 
+ 			/* header info record */
+-			if (memcmp (lines[i] + 2, "COM", 3) == 0) {
+			if (cmdlen > 3 && memcmp (lines[i] + 2, "COM", 3) == 0) {
+ 				guint8 header_image_cnt = 0;
+ 				if (cmdlen != 40) {
+ 					g_set_error (error,
+-- 
+2.29.2
+
--- a/SOURCES/0012-goodix-moc-Fix-several-places-where-the-plugin-code-.patch
+++ b/SOURCES/0012-goodix-moc-Fix-several-places-where-the-plugin-code-.patch
@ -0,0 +1,381 @@
+From e80f277f4c268d69c162123bc8cbb1819224cea2 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 10 Feb 2021 13:22:59 +0000
+Subject: [PATCH 12/12] goodix-moc: Fix several places where the plugin code
+ might crash
+
+Fixes https://github.com/fwupd/fwupd/issues/2850
+---
+ plugins/goodix-moc/fu-goodixmoc-common.c |  83 ----------------
+ plugins/goodix-moc/fu-goodixmoc-common.h |  19 +---
+ plugins/goodix-moc/fu-goodixmoc-device.c | 120 +++++++++++++----------
+ plugins/goodix-moc/meson.build           |   1 -
+ 4 files changed, 72 insertions(+), 151 deletions(-)
+ delete mode 100644 plugins/goodix-moc/fu-goodixmoc-common.c
+
+diff --git plugins/goodix-moc/fu-goodixmoc-common.c plugins/goodix-moc/fu-goodixmoc-common.c
+deleted file mode 100644
+index 7c81434d..00000000
+--- plugins/goodix-moc/fu-goodixmoc-common.c
+++ /dev/null
+@@ -1,83 +0,0 @@
+-/*
+- * Copyright (C) 2016 Richard Hughes <richard@hughsie.com>
+- * Copyright (C) 2020 boger wang <boger@goodix.com>
+- *
+- * SPDX-License-Identifier: LGPL-2.1+
+- */
+-
+-#include "config.h"
+-
+-#include <fwupd.h>
+-#include <string.h>
+-
+-#include "fu-common.h"
+-#include "fu-goodixmoc-common.h"
+-
+-void
+-fu_goodixmoc_build_header (GxfpPkgHeader *pheader,
+-			   guint16	  len,
+-			   guint8	  cmd0,
+-			   guint8	  cmd1,
+-			   GxPkgType	  type)
+-{
+-	static guint8 dummy_seq = 0;
+-
+-	g_return_if_fail (pheader != NULL);
+-
+-	pheader->cmd0 = (cmd0);
+-	pheader->cmd1 = (cmd1);
+-	pheader->pkg_flag = (guint8)type;
+-	pheader->reserved = dummy_seq++;
+-	pheader->len = len + GX_SIZE_CRC32;
+-	pheader->crc8 = fu_common_crc8 ((guint8 *)pheader, 6);
+-	pheader->rev_crc8 = ~pheader->crc8;
+-}
+-
+-gboolean
+-fu_goodixmoc_parse_header (guint8 *buf, guint32 bufsz,
+-			   GxfpPkgHeader *pheader, GError **error)
+-{
+-	g_return_val_if_fail (buf != NULL, FALSE);
+-	g_return_val_if_fail (pheader != NULL, FALSE);
+-
+-	if (!fu_memcpy_safe ((guint8 *) &pheader, sizeof(*pheader), 0x0,	/* dst */
+-			     buf, bufsz, 0x01,					/* src */
+-			     sizeof(*pheader), error))
+-		return FALSE;
+-	memcpy (pheader, buf, sizeof(*pheader));
+-	pheader->len = GUINT16_FROM_LE(*(buf + 4));
+-	pheader->len -= GX_SIZE_CRC32;
+-	return TRUE;
+-}
+-
+-gboolean
+-fu_goodixmoc_parse_body (guint8 cmd, guint8 *buf, guint32 bufsz,
+-			 GxfpCmdResp *presp, GError **error)
+-{
+-	g_return_val_if_fail (buf != NULL, FALSE);
+-	g_return_val_if_fail (presp != NULL, FALSE);
+-
+-	presp->result = buf[0];
+-	switch (cmd) {
+-	case GX_CMD_ACK:
+-		if (bufsz == 0) {
+-			g_set_error_literal (error,
+-					     FWUPD_ERROR,
+-					     FWUPD_ERROR_INTERNAL,
+-					     "invalid bufsz");
+-			return FALSE;
+-		}
+-		presp->ack_msg.cmd = buf[1];
+-		break;
+-	case GX_CMD_VERSION:
+-		if (!fu_memcpy_safe ((guint8 *) &presp->version_info,
+-				     sizeof(presp->version_info), 0x0,		/* dst */
+-				     buf, bufsz, 0x01,				/* src */
+-				     sizeof(GxfpVersiomInfo), error))
+-			return FALSE;
+-		break;
+-	default:
+-		break;
+-	}
+-	return TRUE;
+-}
+diff --git plugins/goodix-moc/fu-goodixmoc-common.h plugins/goodix-moc/fu-goodixmoc-common.h
+index 4bbdc0c8..c4b69954 100644
+--- plugins/goodix-moc/fu-goodixmoc-common.h
+++ plugins/goodix-moc/fu-goodixmoc-common.h
+@@ -35,7 +35,7 @@ typedef struct {
+ 	guint8		 protocol[8];
+ 	guint8		 flashVersion[8];
+ 	guint8		 reserved[62];
+-} GxfpVersiomInfo;
+} GxfpVersionInfo;
+ 
+ typedef struct {
+ 	guint8		 cmd;
+@@ -46,7 +46,7 @@ typedef struct {
+ 	guint8		 result;
+ 	union {
+ 		GxfpAckMsg	ack_msg;
+-		GxfpVersiomInfo version_info;
+		GxfpVersionInfo version_info;
+ 	};
+ } GxfpCmdResp;
+ 
+@@ -64,18 +64,3 @@ typedef struct __attribute__((__packed__)) {
+ 	guint8		 crc8;
+ 	guint8		 rev_crc8;
+ } GxfpPkgHeader;
+-
+-void		 fu_goodixmoc_build_header	(GxfpPkgHeader	*pheader,
+-						 guint16	 len,
+-						 guint8		 cmd0,
+-						 guint8		 cmd1,
+-						 GxPkgType	 type);
+-gboolean	 fu_goodixmoc_parse_header	(guint8		*buf,
+-						 guint32	 bufsz,
+-						 GxfpPkgHeader	*pheader,
+-						 GError		**error);
+-gboolean	 fu_goodixmoc_parse_body	(guint8		 cmd,
+-						 guint8		*buf,
+-						 guint32	 bufsz,
+-						 GxfpCmdResp	*presp,
+-						 GError		**error);
+diff --git plugins/goodix-moc/fu-goodixmoc-device.c plugins/goodix-moc/fu-goodixmoc-device.c
+index f216aec7..3d359dab 100644
+--- plugins/goodix-moc/fu-goodixmoc-device.c
+++ plugins/goodix-moc/fu-goodixmoc-device.c
+@@ -14,6 +14,7 @@
+ 
+ struct _FuGoodixMocDevice {
+ 	FuUsbDevice	parent_instance;
+	guint8		dummy_seq;
+ };
+ 
+ G_DEFINE_TYPE (FuGoodixMocDevice, fu_goodixmoc_device, FU_TYPE_USB_DEVICE)
+@@ -27,26 +28,34 @@ G_DEFINE_TYPE (FuGoodixMocDevice, fu_goodixmoc_device, FU_TYPE_USB_DEVICE)
+ #define GX_FLASH_TRANSFER_BLOCK_SIZE	1000	/* 1000 */
+ 
+ static gboolean
+-goodixmoc_device_cmd_send (GUsbDevice *usbdevice,
+goodixmoc_device_cmd_send (FuGoodixMocDevice *self,
+ 			   guint8      cmd0,
+ 			   guint8      cmd1,
+ 			   GxPkgType   type,
+ 			   GByteArray *req,
+ 			   GError    **error)
+ {
+-	GxfpPkgHeader header = { 0 };
+-	guint32 crc_actual = 0;
+	GUsbDevice *usb_device = fu_usb_device_get_dev (FU_USB_DEVICE (self));
+	guint32 crc_all = 0;
+	guint32 crc_hdr = 0;
+ 	gsize actual_len = 0;
+ 	g_autoptr(GByteArray) buf = g_byte_array_new ();
+ 
+-	fu_goodixmoc_build_header (&header, req->len, cmd0, cmd1, type);
+-	g_byte_array_append (buf, (guint8 *)&header, sizeof(header));
+	/* build header */
+	fu_byte_array_append_uint8 (buf, cmd0);
+	fu_byte_array_append_uint8 (buf, cmd1);
+	fu_byte_array_append_uint8 (buf, type);			/* pkg_flag */
+	fu_byte_array_append_uint8 (buf, self->dummy_seq++);	/* reserved */
+	fu_byte_array_append_uint16 (buf, req->len + GX_SIZE_CRC32, G_LITTLE_ENDIAN);
+	crc_hdr = fu_common_crc8 (buf->data, buf->len);
+	fu_byte_array_append_uint8 (buf, crc_hdr);
+	fu_byte_array_append_uint8 (buf, ~crc_hdr);
+ 	g_byte_array_append (buf, req->data, req->len);
+-	crc_actual = fu_common_crc32 (buf->data, sizeof(header) + req->len);
+-	fu_byte_array_append_uint32 (buf, crc_actual, G_LITTLE_ENDIAN);
+	crc_all = fu_common_crc32 (buf->data, buf->len);
+	fu_byte_array_append_uint32 (buf, crc_all, G_LITTLE_ENDIAN);
+ 
+ 	/* send zero length package */
+-	if (!g_usb_device_bulk_transfer (usbdevice,
+	if (!g_usb_device_bulk_transfer (usb_device,
+ 					 GX_USB_BULK_EP_OUT,
+ 					 NULL,
+ 					 0,
+@@ -62,7 +71,7 @@ goodixmoc_device_cmd_send (GUsbDevice *usbdevice,
+ 	}
+ 
+ 	/* send data */
+-	if (!g_usb_device_bulk_transfer (usbdevice,
+	if (!g_usb_device_bulk_transfer (usb_device,
+ 					 GX_USB_BULK_EP_OUT,
+ 					 buf->data,
+ 					 buf->len,
+@@ -84,12 +93,12 @@ goodixmoc_device_cmd_send (GUsbDevice *usbdevice,
+ }
+ 
+ static gboolean
+-goodixmoc_device_cmd_recv (GUsbDevice  *usbdevice,
+goodixmoc_device_cmd_recv (FuGoodixMocDevice *self,
+ 			   GxfpCmdResp *presponse,
+ 			   gboolean     data_reply,
+ 			   GError     **error)
+ {
+-	GxfpPkgHeader header = { 0 };
+	GUsbDevice *usb_device = fu_usb_device_get_dev (FU_USB_DEVICE (self));
+ 	guint32 crc_actual = 0;
+ 	guint32 crc_calculated = 0;
+ 	gsize actual_len = 0;
+@@ -102,9 +111,11 @@ goodixmoc_device_cmd_recv (GUsbDevice  *usbdevice,
+ 	* | zlp | ack | zlp | data |
+ 	*/
+ 	while (1) {
+		guint16 header_len = 0x0;
+		guint8 header_cmd0 = 0x0;
+ 		g_autoptr(GByteArray) reply = g_byte_array_new ();
+ 		fu_byte_array_set_size (reply, GX_FLASH_TRANSFER_BLOCK_SIZE);
+-		if (!g_usb_device_bulk_transfer (usbdevice,
+		if (!g_usb_device_bulk_transfer (usb_device,
+ 						 GX_USB_BULK_EP_IN,
+ 						 reply->data,
+ 						 reply->len,
+@@ -125,12 +136,14 @@ goodixmoc_device_cmd_recv (GUsbDevice  *usbdevice,
+ 		}
+ 
+ 		/* parse package header */
+-		if (!fu_goodixmoc_parse_header (reply->data,
+-						actual_len,
+-						&header,
+-						error))
+		if (!fu_common_read_uint8_safe (reply->data, reply->len, 0x0,
+						&header_cmd0, error))
+			return FALSE;
+		if (!fu_common_read_uint16_safe	(reply->data, reply->len, 0x4,
+						 &header_len, G_LITTLE_ENDIAN,
+						 error))
+ 			return FALSE;
+-		offset = sizeof(header) + header.len;
+		offset = sizeof(GxfpPkgHeader) + header_len - GX_SIZE_CRC32;
+ 		crc_actual = fu_common_crc32 (reply->data, offset);
+ 		if (!fu_common_read_uint32_safe	(reply->data,
+ 						 reply->len,
+@@ -149,15 +162,33 @@ goodixmoc_device_cmd_recv (GUsbDevice  *usbdevice,
+ 		}
+ 
+ 		/* parse package data */
+-		if (!fu_goodixmoc_parse_body (header.cmd0,
+-					      reply->data + sizeof(header),
+-					      header.len,
+-					      presponse,
+-					      error))
+		if (!fu_common_read_uint8_safe (reply->data, reply->len,
+						sizeof(GxfpPkgHeader) + 0x00,
+						&presponse->result, error))
+ 			return FALSE;
+		if (header_cmd0 == GX_CMD_ACK) {
+			if (header_len == 0) {
+				g_set_error_literal (error,
+						     FWUPD_ERROR,
+						     FWUPD_ERROR_INTERNAL,
+						     "invalid bufsz");
+				return FALSE;
+			}
+			if (!fu_common_read_uint8_safe (reply->data, reply->len,
+							sizeof(GxfpPkgHeader) + 0x01,
+							&presponse->ack_msg.cmd, error))
+				return FALSE;
+		} else if (header_cmd0 == GX_CMD_VERSION) {
+			if (!fu_memcpy_safe ((guint8 *) &presponse->version_info,
+					     sizeof(presponse->version_info), 0x0,	/* dst */
+					     reply->data, reply->len,
+					     sizeof(GxfpPkgHeader) + 0x01,		/* src */
+					     sizeof(GxfpVersionInfo), error))
+				return FALSE;
+		}
+ 
+ 		/* continue after ack received */
+-		if (header.cmd0 == GX_CMD_ACK && data_reply)
+		if (header_cmd0 == GX_CMD_ACK && data_reply)
+ 			continue;
+ 		break;
+ 	}
+@@ -176,36 +207,27 @@ fu_goodixmoc_device_cmd_xfer (FuGoodixMocDevice	*device,
+ 			      gboolean		 data_reply,
+ 			      GError		**error)
+ {
+-	GUsbDevice *usb_device = fu_usb_device_get_dev (FU_USB_DEVICE(device));
+-	if (!goodixmoc_device_cmd_send (usb_device, cmd0, cmd1, type, req, error))
+	FuGoodixMocDevice *self = FU_GOODIXMOC_DEVICE(device);
+	if (!goodixmoc_device_cmd_send (self, cmd0, cmd1, type, req, error))
+ 		return FALSE;
+-	return goodixmoc_device_cmd_recv (usb_device, presponse, data_reply, error);
+	return goodixmoc_device_cmd_recv (self, presponse, data_reply, error);
+ }
+ 
+-static gchar *
+-fu_goodixmoc_device_get_version (FuGoodixMocDevice *self, GError **error)
+static gboolean
+fu_goodixmoc_device_setup_version (FuGoodixMocDevice *self, GError **error)
+ {
+ 	GxfpCmdResp rsp = { 0 };
+-	gchar ver[9] = { 0 };
+-	guint8 dummy = 0;
+	g_autofree gchar *version = NULL;
+ 	g_autoptr(GByteArray) req = g_byte_array_new ();
+ 
+-	fu_byte_array_append_uint8 (req, dummy);
+	fu_byte_array_append_uint8 (req, 0);	/* dummy */
+ 	if (!fu_goodixmoc_device_cmd_xfer (self, GX_CMD_VERSION, GX_CMD1_DEFAULT,
+-					  GX_PKG_TYPE_EOP,
+-					  req,
+-					  &rsp,
+-					  TRUE,
+-					  error))
+-		return NULL;
+-	if (!fu_memcpy_safe ((guint8 *) ver, sizeof(ver), 0x0,
+-			      rsp.version_info.fwversion,
+-			      sizeof(rsp.version_info.fwversion),
+-			      0x0,
+-			      sizeof(rsp.version_info.fwversion),
+-			      error))
+-		return NULL;
+-	return g_strndup (ver, sizeof(ver));
+					  GX_PKG_TYPE_EOP, req, &rsp, TRUE, error))
+		return FALSE;
+	version = g_strndup ((const gchar *) rsp.version_info.fwversion,
+			     sizeof(rsp.version_info.fwversion));
+	fu_device_set_version (FU_DEVICE (self), version);
+	return TRUE;
+ }
+ 
+ static gboolean
+@@ -281,15 +303,13 @@ fu_goodixmoc_device_open (FuUsbDevice *device, GError **error)
+ static gboolean
+ fu_goodixmoc_device_setup (FuDevice *device, GError **error)
+ {
+-	FuGoodixMocDevice *self = FU_GOODIXMOC_DEVICE(device);
+-	g_autofree gchar *version = NULL;
+	FuGoodixMocDevice *self = FU_GOODIXMOC_DEVICE (device);
+ 
+-	version = fu_goodixmoc_device_get_version (self, error);
+-	if (version == NULL) {
+	/* ensure version */
+	if (!fu_goodixmoc_device_setup_version (self, error)) {
+ 		g_prefix_error (error, "failed to get firmware version: ");
+ 		return FALSE;
+ 	}
+-	fu_device_set_version (device, version);
+ 
+ 	/* success */
+ 	return TRUE;
+diff --git plugins/goodix-moc/meson.build plugins/goodix-moc/meson.build
+index 4e1287e4..178b35d8 100644
+--- plugins/goodix-moc/meson.build
+++ plugins/goodix-moc/meson.build
+@@ -9,7 +9,6 @@ install_data([
+ shared_module('fu_plugin_goodixmoc',
+   fu_hash,
+   sources : [
+-    'fu-goodixmoc-common.c',
+     'fu-goodixmoc-device.c',
+     'fu-plugin-goodixmoc.c',
+   ],
+-- 
+2.29.2
+
--- a/SOURCES/deps.patch
+++ b/SOURCES/deps.patch
@ -0,0 +1,39 @@
+diff --git meson.build meson.build
+index 02a93f57..93f77e62 100644
+--- meson.build
+++ meson.build
+@@ -206,7 +206,7 @@ else
+   gudev = dependency('', required : false)
+ endif
+ libxmlb = dependency('xmlb', version : '>= 0.1.13', fallback : ['libxmlb', 'libxmlb_dep'])
+-gusb = dependency('gusb', version : '>= 0.3.5', fallback : ['gusb', 'gusb_dep'])
+gusb = dependency('gusb', version : '>= 0.3.0', fallback : ['gusb', 'gusb_dep'])
+ sqlite = dependency('sqlite3')
+ libarchive = dependency('libarchive')
+ endif
+diff --git plugins/cros-ec/fu-cros-ec-usb-device.c plugins/cros-ec/fu-cros-ec-usb-device.c
+index 5bf6f7e1..79a29b2d 100644
+--- plugins/cros-ec/fu-cros-ec-usb-device.c
+++ plugins/cros-ec/fu-cros-ec-usb-device.c
+@@ -109,6 +109,7 @@ static gboolean
+ fu_cros_ec_usb_device_find_interface (FuUsbDevice *device,
+ 				      GError **error)
+ {
+#if G_USB_CHECK_VERSION(0,3,3)
+ 	GUsbDevice *usb_device = fu_usb_device_get_dev (device);
+ 	FuCrosEcUsbDevice *self = FU_CROS_EC_USB_DEVICE (device);
+ 	g_autoptr(GPtrArray) intfs = NULL;
+@@ -142,6 +143,13 @@ fu_cros_ec_usb_device_find_interface (FuUsbDevice *device,
+ 			     FWUPD_ERROR_NOT_FOUND,
+ 			     "no update interface found");
+ 	return FALSE;
+#else
+	g_set_error_literal (error,
+			     FWUPD_ERROR,
+			     FWUPD_ERROR_NOT_SUPPORTED,
+			     "this version of GUsb is not supported");
+	return FALSE;
+#endif
+ }
+ 
+ static gboolean
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@ -1,12 +1,20 @@
 %global glib2_version 2.45.8
 %global libxmlb_version 0.1.3
 %global libgusb_version 0.2.11
-%global libsoup_version 2.51.92
+%global libcurl_version 7.61.0
 %global systemd_version 231
 %global json_glib_version 1.1.1
 %global __meson_wrap_mode default

+# although we ship a few tiny python files these are utilities that 99.99%
+# of users do not need -- use this to avoid dragging python onto CoreOS
+%global __requires_exclude ^%{python3}$
+
+# PPC64 is too slow to complete the tests under 3 minutes...
+%ifnarch ppc64le
 %global enable_tests 1
+%endif
+
 %global enable_dummy 1

 # fwupd.efi is only available on these arches
@ -14,9 +22,8 @@
 %global have_uefi 1
 %endif

-# redfish is only available on this arch
-%ifarch x86_64
-%global have_redfish 1
+%ifarch i686 x86_64
+%global have_msr 1
 %endif

 # libsmbios is only available on x86
@ -31,12 +38,19 @@

 Summary:   Firmware update daemon
 Name:      fwupd
-Version:   1.4.2
-Release:   4%{?dist}
+Version:   1.5.5
+Release:   3%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
+Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.5.tar.xz
+
+Source10:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20100307-x64.cab
+Source11:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20140413-x64.cab
+Source12:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20160809-x64.cab
+Source13:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-aa64.cab
+Source14:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-ia32.cab
+Source15:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab

 # these are numbered high just to keep them wildly away from colliding with
 # the real package sources, in order to reduce churn.
@ -45,9 +59,22 @@ Source301:   redhatsecureboot301.cer
 Source500:   redhatsecurebootca5.cer
 Source503:   redhatsecureboot503.cer

-Patch1:    0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
 Patch2:    0001-Do-not-use-the-LVFS.patch
-Patch3:    0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
+Patch4:    deps.patch
+
+# these are important fixes already upstream
+Patch101:  0001-stm-dfu-fix-dnload-wBlockNum-wraparound.patch
+Patch102:  0002-rename-config-section-in-uefi_capsule.conf-to-plugin.patch
+Patch103:  0003-Ask-the-user-to-reboot-when-required-if-downgrading.patch
+Patch104:  0004-Do-not-show-Unknown-for-every-client-connection.patch
+Patch105:  0005-esp-list-allow-external-ESP-again.patch
+Patch106:  0006-Fix-a-crash-when-using-fwupdtool.patch
+Patch107:  0007-jabra-Ensure-the-protocol-is-set-to-avoid-a-daemon-w.patch
+Patch108:  0008-wacom-usb-Fix-a-crash-detected-by-AddressSanitizer.patch
+Patch109:  0009-trivial-Fix-a-buffer-overread-spotted-by-AddressSani.patch
+Patch110:  0010-ihex-Fix-a-buffer-overread-spotted-by-AddressSanitiz.patch
+Patch111:  0011-wacom-usb-Fix-a-buffer-overread-spotted-by-AddressSa.patch
+Patch112:  0012-goodix-moc-Fix-several-places-where-the-plugin-code-.patch

 BuildRequires: efi-srpm-macros
 BuildRequires: gettext
@ -56,11 +83,12 @@ BuildRequires: libxmlb-devel >= %{libxmlb_version}
 BuildRequires: libgcab1-devel
 BuildRequires: libgudev1-devel
 BuildRequires: libgusb-devel >= %{libgusb_version}
-BuildRequires: libsoup-devel >= %{libsoup_version}
+BuildRequires: libcurl-devel >= %{libcurl_version}
 BuildRequires: polkit-devel >= 0.103
 BuildRequires: sqlite-devel
 BuildRequires: gpgme-devel
 BuildRequires: systemd >= %{systemd_version}
+BuildRequires: systemd-devel
 BuildRequires: libarchive-devel
 BuildRequires: gobject-introspection-devel
 BuildRequires: gcab
@ -79,19 +107,12 @@ BuildRequires: vala
 BuildRequires: python3-devel
 BuildRequires: bash-completion
 BuildRequires: git-core
-%if 0%{?have_flashrom}
-BuildRequires: flashrom-devel >= 1.2-2
-%endif

 %if 0%{?have_modem_manager}
 BuildRequires: ModemManager-glib-devel >= 1.10.0
 BuildRequires: libqmi-devel >= 1.22.0
 %endif

-%if 0%{?have_redfish}
-BuildRequires: efivar-devel >= 33
-%endif
-
 %if 0%{?have_uefi}
 BuildRequires: efivar-devel >= 33
 BuildRequires: python3 python3-cairo python3-gobject python3-pillow
@ -116,7 +137,6 @@ Requires(postun): systemd
 Requires: glib2%{?_isa} >= %{glib2_version}
 Requires: libxmlb%{?_isa} >= %{libxmlb_version}
 Requires: libgusb%{?_isa} >= %{libgusb_version}
-Requires: libsoup%{?_isa} >= %{libsoup_version}
 Requires: bubblewrap
 Requires: shared-mime-info

@ -124,7 +144,13 @@ Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
 Obsoletes: fwupd-labels < 1.1.0-1
-Obsoletes: fwupdate
+Obsoletes: fwupdate < 13
+
+Obsoletes: dbxtool < 9
+Provides: dbxtool
+
+# optional, but a really good idea
+Recommends: udisks2

 %description
 fwupd is a daemon to allow session software to update device firmware.
@ -147,15 +173,23 @@ Data files for installed tests.
 %prep
 %setup -q
 %patch2 -p1 -b .lvfs-disabled
+%patch4 -p0 -b .deps
+%patch101 -p0
+%patch102 -p0
+%patch103 -p0
+%patch104 -p0
+%patch105 -p0
+%patch106 -p0
+%patch107 -p0
+%patch108 -p0
+%patch109 -p0
+%patch110 -p0
+%patch111 -p0
+%patch112 -p0

 mkdir -p subprojects/libjcat
 tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1

-# apply patch to subproject
-cd subprojects/libjcat
-%patch3 -p0 -b .gpgme-parsing
-cd -
-
 sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
        contrib/ci/*.py \
        contrib/firmware_packager/*.py \
@ -176,7 +210,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %meson \
    -Dgtkdoc=true \
    -Defi_os_dir=%{efi_vendor} \
-    -Dplugin_tpm=false \
+    -Dsupported_build=true \
    -Dlibjcat:gtkdoc=false \
    -Dlibjcat:introspection=false \
    -Dlibjcat:tests=false \
@ -190,23 +224,21 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %else
    -Dplugin_dummy=false \
 %endif
-%if 0%{?have_flashrom}
-    -Dplugin_flashrom=true \
-%else
    -Dplugin_flashrom=false \
+%if 0%{?have_msr}
+    -Dplugin_msr=true \
+%else
+    -Dplugin_msr=false \
 %endif
    -Dplugin_thunderbolt=true \
-%if 0%{?have_redfish}
-    -Dplugin_redfish=true \
-%else
-    -Dplugin_redfish=false \
-%endif
 %if 0%{?have_uefi}
-    -Dplugin_uefi=true \
-    -Dplugin_nvme=true \
+    -Dplugin_uefi_capsule=true \
+    -Dplugin_uefi_pk=false \
+    -Dtpm=false \
 %else
-    -Dplugin_uefi=false \
-    -Dplugin_nvme=false \
+    -Dplugin_uefi_capsule=false \
+    -Dplugin_uefi_pk=false \
+    -Dtpm=false \
 %endif
 %if 0%{?have_dell}
    -Dplugin_dell=true \
@ -232,6 +264,10 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %install
 %meson_install

+# on RHEL the LVFS is disabled by default
+mkdir -p %{buildroot}/%{_datadir}/dbxtool
+install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool
+
 # sign fwupd.efi loader
 %if 0%{?have_uefi}
 %ifarch x86_64
@ -256,6 +292,13 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %post
 %systemd_post fwupd.service

+# change vendor-installed remotes to use the default keyring type
+for fn in /etc/fwupd/remotes.d/*.conf; do
+    if grep -q "Keyring=gpg" "$fn"; then
+        sed -i 's/Keyring=gpg/#Keyring=pkcs/g' "$fn";
+    fi
+done
+
 %preun
 %systemd_preun fwupd.service

@ -266,18 +309,18 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %files -f %{name}.lang
 %doc README.md AUTHORS
 %license COPYING
-%config(noreplace)%{_sysconfdir}/fwupd/ata.conf
 %config(noreplace)%{_sysconfdir}/fwupd/daemon.conf
 %config(noreplace)%{_sysconfdir}/fwupd/upower.conf
 %if 0%{?have_uefi}
-%config(noreplace)%{_sysconfdir}/fwupd/uefi.conf
+%config(noreplace)%{_sysconfdir}/fwupd/uefi_capsule.conf
 %endif
-%if 0%{?have_redfish}
 %config(noreplace)%{_sysconfdir}/fwupd/redfish.conf
-%endif
 %config(noreplace)%{_sysconfdir}/fwupd/thunderbolt.conf
 %dir %{_libexecdir}/fwupd
 %{_libexecdir}/fwupd/fwupd
+%ifarch i686 x86_64
+%{_libexecdir}/fwupd/fwupd-detect-cet
+%endif
 %{_libexecdir}/fwupd/fwupdoffline
 %if 0%{?have_uefi}
 %{_libexecdir}/fwupd/efi/*.efi
@ -285,6 +328,9 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %{_bindir}/fwupdate
 %endif
 %{_bindir}/dfu-tool
+%if 0%{?have_uefi}
+%{_bindir}/dbxtool
+%endif
 %{_bindir}/fwupdmgr
 %{_bindir}/fwupdtool
 %{_bindir}/fwupdagent
@ -300,6 +346,9 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/vendor-directory.conf
 %config(noreplace)%{_sysconfdir}/pki/fwupd
 %{_sysconfdir}/pki/fwupd-metadata
+%if 0%{?have_msr}
+/usr/lib/modules-load.d/fwupd-msr.conf
+%endif
 %{_datadir}/dbus-1/system.d/org.freedesktop.fwupd.conf
 %{_datadir}/bash-completion/completions/fwupdmgr
 %{_datadir}/bash-completion/completions/fwupdtool
@ -314,14 +363,24 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
 %{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
 %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
-%{_datadir}/man/man1/fwupdtool.1.gz
-%{_datadir}/man/man1/fwupdagent.1.gz
-%{_datadir}/man/man1/dfu-tool.1.gz
-%{_datadir}/man/man1/fwupdmgr.1.gz
+%dir %{_datadir}/dbxtool
+%{_datadir}/dbxtool/DBXUpdate-20100307-x64.cab
+%{_datadir}/dbxtool/DBXUpdate-20140413-x64.cab
+%{_datadir}/dbxtool/DBXUpdate-20160809-x64.cab
+%{_datadir}/dbxtool/DBXUpdate-20200729-aa64.cab
+%{_datadir}/dbxtool/DBXUpdate-20200729-ia32.cab
+%{_datadir}/dbxtool/DBXUpdate-20200729-x64.cab
+%{_mandir}/man1/fwupdtool.1*
+%{_mandir}/man1/fwupdagent.1*
+%{_mandir}/man1/dfu-tool.1*
 %if 0%{?have_uefi}
-%{_datadir}/man/man1/fwupdate.1.gz
+%{_mandir}/man1/dbxtool.*
 %endif
-%{_datadir}/man/man1/jcat-tool.1*
+%{_mandir}/man1/fwupdmgr.1*
+%if 0%{?have_uefi}
+%{_mandir}/man1/fwupdate.1*
+%endif
+%{_mandir}/man1/jcat-tool.1*
 %{_datadir}/metainfo/org.freedesktop.fwupd.metainfo.xml
 %{_datadir}/icons/hicolor/scalable/apps/org.freedesktop.fwupd.svg
 %{_datadir}/fwupd/firmware_packager.py
@ -346,12 +405,16 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 /usr/lib/udev/rules.d/*.rules
 /usr/lib/systemd/system-shutdown/fwupd.shutdown
 %dir %{_libdir}/fwupd-plugins-3
+%{_libdir}/fwupd-plugins-3/libfu_plugin_acpi_dmar.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_acpi_facp.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_altos.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_amt.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_ata.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_bcm57xx.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_ccgx.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_colorhug.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_coreboot.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_cros_ec.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_csr.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_cpu.so
 %if 0%{?have_dell}
@ -361,25 +424,28 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %{_libdir}/fwupd-plugins-3/libfu_plugin_dell_dock.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_dfu.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_ebitdo.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_elantp.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_emmc.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_ep963x.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_fastboot.so
-%if 0%{?have_flashrom}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_flashrom.so
-%endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_fresco_pd.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_hailuck.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_iommu.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_jabra.so
-%if 0%{?have_modem_manager}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_lockdown.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_sleep.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_swap.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_tainted.so
+%if 0%{?have_msr}
+%{_libdir}/fwupd-plugins-3/libfu_plugin_msr.so
 %endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_nitrokey.so
-%if 0%{?have_uefi}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_nvme.so
-%endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_optionrom.so
-%if 0%{?have_redfish}
+%{_libdir}/fwupd-plugins-3/libfu_plugin_pci_bcr.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_pci_mei.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_pixart_rf.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_redfish.so
-%endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hid.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hub.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_solokey.so
@ -397,9 +463,10 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_thelio_io.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt_power.so
 %if 0%{?have_uefi}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_bios.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_capsule.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_dbx.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_recovery.so
 %endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_logind.so
@ -408,10 +475,14 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %{_libdir}/fwupd-plugins-3/libfu_plugin_vli.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_raw.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_usb.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_goodixmoc.so
 %ghost %{_localstatedir}/lib/fwupd/gnupg
 %if 0%{?have_uefi}
 %{_datadir}/locale/*/LC_IMAGES/fwupd*
 %endif
+%if 0%{?have_modem_manager}
+%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
+%endif

 %files devel
 %{_datadir}/gir-1.0/Fwupd-2.0.gir
@ -433,11 +504,31 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %{_datadir}/installed-tests/fwupd/*.test
 %{_datadir}/installed-tests/fwupd/*.cab
 %{_datadir}/installed-tests/fwupd/*.sh
+%{_libexecdir}/installed-tests/fwupd/*
 %dir %{_sysconfdir}/fwupd/remotes.d
 %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd-tests.conf
 %endif

 %changelog
+* Wed Feb 10 2021 Richard Hughes <richard@hughsie.com> 1.5.5-3
+- Backport a fix from upstream to fix a crash in the Goodix MOC plugin.
+- Resolves: #1927091
+
+* Tue Feb 09 2021 Richard Hughes <richard@hughsie.com> 1.5.5-2
+- Do not invalidate all remote timestamps during package install to fix rpm -V.
+- Backport some important high priority fixes from upstream.
+- Resolves: #1926382
+
+* Mon Jan 11 2021 Richard Hughes <richard@hughsie.com> 1.5.5-1
+- Rebase package to include support for latest OEM hardware and to
+  support deploying UEFI SecureBoot dbx updates.
+- Resolves: #1870811
+
+* Wed Dec 16 2020 Richard Hughes <richard@hughsie.com> 1.5.4-1
+- Rebase package to include support for latest OEM hardware and to
+  support deploying UEFI SecureBoot dbx updates.
+- Resolves: #1870811
+
 * Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 1.4.2-4
 - Add signing with redhatsecureboot503 cert
  Related: CVE-2020-10713