    • Bug
    • Resolution: Done-Errata
    • rhel-9.5
    • rhel-9.3.0.z
    • linux-firmware
    • linux-firmware-20240603-144.el9
    • rhel-sst-kernel-maintainers
    • ssg_core_kernel
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?

      I was trying to understand what content was being shipped in the firmware packages. I ran into a password protected zip file to which I did not have the password, and which caused me to look further.

      Please provide the package NVR for which bug is seen:

      $ rpm -q linux-firmware
      linux-firmware-20230814-142.el9_3.noarch

      Presumed also present in other releases.

      How reproducible:

      Always.

      Steps to reproduce

      $ rpm -q linux-firmware
      linux-firmware-20230814-142.el9_3.noarch

      $ rpm -qil linux-firmware | grep ncf
      /usr/lib/firmware/vxge/X3fw-pxe.ncf.xz
      /usr/lib/firmware/vxge/X3fw.ncf.xz

      $ xzdec /usr/lib/firmware/vxge/X3fw-pxe.ncf.xz > /tmp/X3fw-pxe.ncf
      $ unzip -l /tmp/X3fw-pxe.ncf
      Archive: X3fw-pxe.ncf
      Length Date Time Name
      --------- ---------- ----- ----
      19 11-15-2010 18:32 T1:X3_101115_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt
      2097152 11-15-2010 18:32 T1:X3_101115_1_8_1_expROM_FW_uni_template_flash0.bin
      1024 11-15-2010 18:32 T1:X3_101115_1_8_1_expROM_FW_uni_template_eeprom0.bin
      19 11-15-2010 18:32 T1A:X3_101115_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt
      2097152 11-15-2010 18:32 T1A:X3_101115_1_8_1_expROM_FW_uni_template_flash0.bin
      1024 11-15-2010 18:32 T1A:X3_101115_1_8_1_expROM_FW_uni_template_eeprom0.bin
      --------- -------
      4196390 6 files

      $ unzip /tmp/X3fw-pxe.ncf
      Archive: X3fw-pxe.ncf
      [X3fw-pxe.ncf] T1:X3_101115_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt password:

      Expected results

      I would not expect to have password protected files being shipped by my operating system.

      Actual results

      Password protected files are shipped, the contents of which I do not have access to.

      In looking into this, I find reference in a very old ticket – https://bugzilla.redhat.com/show_bug.cgi?id=1016595

      Quoting that ticket:
      Can Red Hat bug 1122334 join this bug? That is, can you remove the X3fw-pxe.ncf and X3fw.ncf blobs too? These firmware blobs are for the Exar 10Gb NICs but Exar exited that business in 2011, and I do not see the vxge.ko driver in the RHEL7 kernel, so I believe these are also good candidates for removal.

      And, also, https://bugzilla.redhat.com/show_bug.cgi?id=1122334 asking for the actual password (reported 2014; last modified 2019). This happened, but the files have since been reintroduced in the rhel-9 packages.
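The manual check in the steps above (decompress with xzdec, then watch unzip prompt for a password) can be run over a whole firmware tree. This is an added example, not part of the original report or any Red Hat tooling: it reads bit 0 of each member's ZIP general-purpose flag, and the function names and the constructed sample blobs are assumptions made for illustration.

```python
import io
import lzma
import os
import tempfile
import zipfile

XZ_MAGIC = b"\xfd7zXZ\x00"
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag

def encrypted_members(blob: bytes) -> list[str]:
    """Names of password-protected members if blob is a (possibly xz-wrapped) zip."""
    try:
        if blob.startswith(XZ_MAGIC):
            blob = lzma.decompress(blob)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except (lzma.LZMAError, zipfile.BadZipFile):
        return []  # not xz and/or not a zip: nothing to report

def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each file under root (e.g. /usr/lib/firmware) to its encrypted members."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # firmware trees alias files with symlinks; scan targets once
            with open(path, "rb") as fh:
                hits = encrypted_members(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def make_sample(encrypted: bool) -> bytes:
    """Constructed input: xz-wrapped zip; optionally set the flag in the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample_flash0.bin", b"\x00" * 64)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return lzma.compress(bytes(raw))

def demo() -> dict[str, list[str]]:
    """Scan a temporary tree holding one flagged and one unflagged constructed blob."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vxge"))
        for name, enc in (("locked.ncf.xz", True), ("open.ncf.xz", False)):
            with open(os.path.join(root, "vxge", name), "wb") as fh:
                fh.write(make_sample(enc))
        return scan_tree(root)
```

Running `scan_tree("/usr/lib/firmware")` on an installed system, or on an unpacked RPM payload in a build pipeline, lists every blob that ships opaque, password-protected content.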

            [RHEL-32145] linux-firmware: remove encrypted zip files (named *.ncf)

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (linux-firmware bug fix and enhancement update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2024:9364


            Dave Baker added a comment -

            Looking at this closer, I see the files did actually get removed from rhel-7 and rhel8. There seems to be a reversion somewhere between rhel-8.9.0 and rhel-9.0.0 that's caused them to re-appear for 9.x.

            This is the changelog for the corresponding 8.x change.

            • Tue Jul 26 2022 Jarod Wilson <jarod@redhat.com> - 20220726-110.git150864a4
            • Omit unused password-protected vxge firmware files from package (rhbz 2108051)


              rhn-support-dvlasenk Denys Vlasenko
              dbaker.openshift Dave Baker
              Denys Vlasenko Denys Vlasenko
              Laura Trivelloni Laura Trivelloni