diff -Nru fwupd-1.2.10/debian/changelog fwupd-1.2.10/debian/changelog
--- fwupd-1.2.10/debian/changelog 2020-01-09 08:25:38.000000000 +0000
+++ fwupd-1.2.10/debian/changelog 2020-06-09 13:54:51.000000000 +0000
@@ -1,3 +1,13 @@
+fwupd (1.2.10-1ubuntu2~ubuntu18.04.5) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Signature verification bypass
+ - debian/patches/CVE-2020-10759.patch: validate that gpgme_op_verify_result() returned at least one signature in src/fu-keyring-gpg.c.
+ - CVE-2020-10759
+
+ -- Leonidas S. Barbosa Tue, 09 Jun 2020 10:54:51 -0300
+
 fwupd (1.2.10-1ubuntu2~ubuntu18.04.3) bionic; urgency=medium
 * d/p/0001-dont-semver-conversion.patch, d/p/0001-version-handling.patch
diff -Nru fwupd-1.2.10/debian/patches/CVE-2020-10759.patch fwupd-1.2.10/debian/patches/CVE-2020-10759.patch
--- fwupd-1.2.10/debian/patches/CVE-2020-10759.patch 1970-01-01 00:00:00.000000000 +0000
+++ fwupd-1.2.10/debian/patches/CVE-2020-10759.patch 2020-06-09 13:54:46.000000000 +0000
@@ -0,0 +1,37 @@
+From 21f2d12fccef63b8aaa99ec53278ce18250b0444 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Thu, 28 May 2020 16:42:18 +0100
+Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
+ signature
+
+If a detached signature is actually a PGP message, gpgme_op_verify() returns
+the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
+builds an empty list.
+
+Explicitly check for no signatures present to avoid returning a FuKeyringResult
+with no timestamp and an empty authority.
+
+Many thanks to Justin Steven for the discovery and
+coordinated disclosure of this issue. Fixes CVE-2020-10759
+---
+ src/fu-keyring-gpg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
+index f06449cf2..15d6e2c32 100644
+--- a/src/fu-keyring-gpg.c
++++ b/src/fu-keyring-gpg.c
+@@ -297,6 +297,13 @@ fu_keyring_gpg_verify_data (FuKeyring *keyring,
+ "no result record from libgpgme");
+ return NULL;
+ }
++ if (result->signatures == NULL) {
++ g_set_error_literal (error,
++ FWUPD_ERROR,
++ FWUPD_ERROR_INTERNAL,
++ "no signatures from libgpgme");
++ return NULL;
++ }
+
+ /* look at each signature */
+ for (s = result->signatures; s != NULL ; s = s->next ) {
diff -Nru fwupd-1.2.10/debian/patches/series fwupd-1.2.10/debian/patches/series
--- fwupd-1.2.10/debian/patches/series 2020-01-09 08:25:01.000000000 +0000
+++ fwupd-1.2.10/debian/patches/series 2020-06-09 13:54:46.000000000 +0000
@@ -6,3 +6,4 @@
 0001-version-handling.patch
 0001-plain_support_in_version.patch
+CVE-2020-10759.patch
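Review bot: The new guard in the embedded fu-keyring-gpg.c hunk reports an empty signature list as `FWUPD_ERROR_INTERNAL`, which classifies a failure caused by the supplied (and possibly attacker-controlled) blob as a daemon fault rather than a verification failure, so callers and log consumers that key on signature errors will not see it as one. Unless the rest of fu_keyring_gpg_verify_data also reports bad signatures as internal errors (its body continues outside the hunk, and the adjacent "no result record" check does use that code), `FWUPD_ERROR_SIGNATURE_INVALID` with the same `"no signatures from libgpgme"` message would be the more accurate domain code for this rejection. A short comment above the check, e.g. `/* a PGP message passed as a detached signature verifies with GPG_ERR_NO_ERROR but yields an empty signature list */`, would keep the reason given in the commit message next to the code that depends on it.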