Fwupd 2.1.4 has been released as the latest update to the Linux firmware update daemon. One main addition is support for NixOS in the quickstart script, making it easier to set up fwupd on that distribution. The update also adds a libcrypto-based JCat implementation for Android, support for the Compal BIOS version format, and lets a remote specify whether a username or password is required.
Fwupd 2.1.4 also allows storing a per-user password in XDG_CONFIG_HOME, detects encrypted swap devices below device-mapper, ensures all firmware subclasses set the maximum size, and saves the SMBIOS BiosReleaseDate string to uploaded reports. Star Labs coreboot users can now be told to update manually when required.
Another notable change is the removal of the flashrom plugin. Flashrom is commonly used for reading, writing, and verifying flash chips, but fwupd 2.1.4 no longer includes its plugin for that integration.
The bug-fix list is extensive and includes several security-relevant changes. The release fixes a potential path traversal vulnerability in firmware backup, prevents NVRAM-seeded path traversal when loading ESP files, restricts Curl protocols to reduce SSRF risk, and restricts ModifyRemote to prevent supply-chain redirection.
The update tightens authorization requirements for firmware installation on emulated devices and adds more D-Bus methods for non-local users. In addition, fwupd now filters install flags from D-Bus clients, limits the number of hints a client can set, and redacts usernames and passwords of remotes when used from a non-active console.
Moreover, several overflow and size-related fixes are present. These include avoiding truncation when calculating the AMD GPU AtomBIOS size, checking for multiplication overflow in the BCM57xx stage1 size calculation, checking for overflow when writing to CCGX DMC devices, validating the Corsair write size before subtracting the header size, and preventing a possible division-by-zero error in the progress bar code.
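The four bug classes named above (multiplication overflow, subtracting a header from an unvalidated size, truncation on narrowing, and division by zero) each have a standard guard in C. The following is an added illustration, not code from fwupd or its plugins; every function name and the HDR_SIZE value are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HDR_SIZE 8u /* hypothetical header length, not a value from fwupd */

/* count * block_size without wrap-around; false means reject the image. */
static bool checked_mul(size_t count, size_t block_size, size_t *out)
{
    if (block_size != 0 && count > SIZE_MAX / block_size)
        return false;
    *out = count * block_size;
    return true;
}

/* Validate the total before subtracting the header, so an undersized
 * write cannot underflow into a huge unsigned payload length. */
static bool payload_len(size_t write_size, size_t *out)
{
    if (write_size < HDR_SIZE)
        return false;
    *out = write_size - HDR_SIZE;
    return true;
}

/* Narrow to a 16-bit field only if the value fits; never truncate silently. */
static bool narrow_u16(size_t value, uint16_t *out)
{
    if (value > UINT16_MAX)
        return false;
    *out = (uint16_t)value;
    return true;
}

/* Percentage for a progress display; a zero total yields 0 instead of a trap. */
static unsigned percent_done(size_t done, size_t total)
{
    if (total == 0)
        return 0;
    if (done >= total)
        return 100;
    return (unsigned)(((double)done / (double)total) * 100.0);
}

int main(void)
{
    size_t n;
    /* Constructed inputs: a wrapping product and a too-small write must both fail. */
    return (checked_mul(SIZE_MAX, 2, &n) || payload_len(3, &n)) ? 1 : 0;
}
```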
Device-specific reliability fixes cover Goodix MoC devices, Dell docks, Lenovo docks, Sunplus cameras, Novatek boot updates, Intel SPI controllers, Pixart touchpads, Synaptics RMI devices, and other hardware paths. Lenovo dock recovery has been improved when the internal state is invalid, while failing Goodix MoC updates now have a retry limit.
Hardware support has been expanded as well. The release adds support for Egis MoC devices with PID 9201, Intel Arc Pro B65 and Arc Pro B70 GPUs, Lenovo dock devices in provisioned mode, Pixart TP devices with PID 1343, and several GigaDevice and Puya SPI chips.
More details are available in the project’s GitHub changelog.
