[Kernel-packages] [Bug 1816756] Re: squashfs hardening

Sun, 03 Mar 2019 18:31:06 -0800 

** Changed in: linux (Ubuntu Xenial)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1816756

Title:
  squashfs hardening

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

  There are a number of recent squashfs hardening fixes in the upstream
  kernel. They don't have CVE number assigned but it would be good to
  backport the fixes to harden our kernel against malicious squashfs
  images. They would harden Ubuntu kernels against potentially malicious
  snaps.

  The changes are:

  * 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01cfb7937a9af2abb1136c7e89fbf3fd92952956
  * 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/id=d512584780d3e6a7cacb2f482834849453d444a1
  * 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cdbb65c4c7ead680ebe54f4f0d486e2847a500ea
  * 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=71755ee5350b63fb1f283de8561cdb61b47f4d1d
  * 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a3f94cb99a854fa381fe7fadd97c4f61633717a5

  [Test Case]

  Unfortunately, we don't have access to the reproducers and I'm unaware
  of any regression tests for the squashfs kernel driver. It is very
  important that we don't regress snap usage in Ubuntu. In previous
  squashfs/snap testing, we've noticed that large snaps, such as
  chromium and libreoffice, do a good job of exercising the squashfs
  code. It should be sufficient if we make sure those snaps continue to
  install and work correctly.

  $ sudo snap install chromium
  $ sudo snap install libreoffice
  $ chromium
  < ensure you can browse to various websites >
  $ libreoffice
  < ensure you can create, save, open documents >

  [ Regression Potential ]

  Fairly low. The patches are intended to catch corrupted and/or
  malicious squashfs images. They should not affect well formed squashfs
  images. These patches are already present in the Cosmic (and Disco)
  kernel with no known bug reports despite a considerable number of
  Cosmic users exercising these changes via snaps.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1816756/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to