I'm currently working on integrating Firebase Analytics into my android app. The problem that I'm encountering is that Firebase adds some new permissions. These permissions are

permission.WAKE_LOCK
com.google.android.c2dm.permission.RECEIVE

My question is: What happens when the user wants to (automatically) update my app in pre Marshmallow versions? Is he asked for permission or not, because it is a normal permission?

In post Marshmallow the documentation is quite clear. It simply doesn't ask the user at all, because it is a normal permission (https://developer.android.com/guide/topics/security/normal-permissions.html).

no WAKE_LOCK is not type of danger permission and user are asked only for danger permissions. as you can read more about this here Types Of permissions

On Android it is not possible to reliably start a service from a broadcast receiver w/o the use of wakelock for the hand off period from the receiver to the service. To support this common scenario Android provides WakefulBroadcastReceiver class. One of the objective of Firebase Analytics is to accurately measure your app. To do so it needs to a properly handle the data you provide and therefore required WAKE_LOCK permissions. Firebase Analytics is also built to either provide reliable data or no data at all so if your app is missing the WAKE_LOCK permission Firebase Analytics will refuse to report any data.