Your message dated Fri, 26 Dec 2025 19:36:50 +0000
with message-id <[email protected]>
and subject line Bug#1121085: fixed in xz-utils 5.8.2-1
has caused the Debian Bug report #1121085,
regarding Landlock: Workaround a bug in RHEL 9 kernel
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121085
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xz-utils
Version: 5.8.1-1
Severity: normal

Dear fellow Maintainer,

Red Hat has released a broken kernel 5.14.0-611.el9, which contains a
backport of the landlock API 6. Sadly they forgot one patch, so the API
6 is incomplete. XZ depends on that and aborts with the following error
message:
> xz: Failed to enable the sandbox

Sadly there is no runtime option to disable using the sandbox.

This is a problem when the docker images "debian:trixie" or
"debian:forky" are used on a Red Hat powered host (CentOS Stream CoreOS
9.0.20250827-0).

Therefore it would help if Debian could cherry-pick
https://github.com/tukaani-project/xz/commit/5630c33a43a28a3d11030aa9d25fa8617e98da91
into `xz-utils` and release fixed versions for both "stable-security"
and "unstable".

So far I have seen `tar -J` failing as it calls `xz` as a child process,
which then aborts with the above message.

I have *not* seen `dpkg-deb` fail as it only links to `liblzma`, which
by default does not use the landlock sandbox.


So far we have tried to overwrite `lsm=` via the Linux Kernel command
line to remove `landlock` from the list of enabled LSMs, but that was
not successful so far.

An alternative might be to configure a reduced SECCOMP profile for our
k8s cluster, where all 3 syscalls for landlock are removed:
```console
$ grep landlock_ /usr/share/containers/seccomp.json
                                "landlock_add_rule",
                                "landlock_create_ruleset",
                                "landlock_restrict_self",
```

Thank you
Philipp Hahn
-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages xz-utils depends on:
ii  libc6     2.41-12
ii  liblzma5  5.8.1-1

xz-utils recommends no packages.

xz-utils suggests no packages.

-- no debconf information

--- End Message ---
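
The reduced seccomp profile mentioned in the report above, sketched as an added example (not part of the original message and not code from xz, Debian or the containers project). It assumes the profile uses the containers `seccomp.json` layout with a `syscalls` list of rules carrying `names`, `action` and `errnoRet`; the sample profile is constructed, and that xz then treats Landlock as unavailable is an assumption. Note that a profile like this removes the Landlock sandbox for every container that uses it, so it only fits as a stopgap until the fixed package is installed.

```python
import copy
import json

LANDLOCK_SYSCALLS = ("landlock_add_rule", "landlock_create_ruleset",
                     "landlock_restrict_self")
ENOSYS = 38  # Linux errno a kernel without Landlock returns for these calls

# Constructed sample in the containers seccomp.json layout, not a real profile.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "syscalls": [
        {"names": ["read", "write", "landlock_add_rule",
                   "landlock_create_ruleset"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["landlock_restrict_self"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def without_landlock(profile):
    """Return a copy of profile in which the Landlock syscalls fail with ENOSYS."""
    out = copy.deepcopy(profile)
    kept = []
    for rule in out.get("syscalls", []):
        if "names" in rule:
            rule["names"] = [n for n in rule["names"]
                             if n not in LANDLOCK_SYSCALLS]
            if not rule["names"]:  # rule listed only Landlock syscalls
                continue
        kept.append(rule)
    # One explicit rule, so the result does not depend on defaultErrnoRet.
    kept.append({"names": list(LANDLOCK_SYSCALLS),
                 "action": "SCMP_ACT_ERRNO", "errnoRet": ENOSYS})
    out["syscalls"] = kept
    return out


def landlock_actions(profile):
    """Map each Landlock syscall to the (action, errnoRet) pairs that name it."""
    found = {name: [] for name in LANDLOCK_SYSCALLS}
    for rule in profile.get("syscalls", []):
        for name in rule.get("names", []):
            if name in found:
                found[name].append((rule["action"], rule.get("errnoRet")))
    return found


if __name__ == "__main__":
    print(landlock_actions(SAMPLE_PROFILE))  # before: every call is allowed
    print(json.dumps(without_landlock(SAMPLE_PROFILE), indent=2))
```
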
--- Begin Message ---
Source: xz-utils
Source-Version: 5.8.2-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xz-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated 
xz-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 26 Dec 2025 19:52:09 +0100
Source: xz-utils
Architecture: source
Version: 5.8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Sebastian Andrzej Siewior <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1121085
Changes:
 xz-utils (5.8.2-1) unstable; urgency=medium
 .
   * Import 5.8.2
     - Add a workaround for Red Hat Enterprise Linux 9 kernel bug
      (Closes: #1121085).


--- End Message ---
