Bug#1036811: bullseye-pu: package ncurses/6.2+20201114-2+deb11u2

[Sven Joachim]

Package: release.debian.org
Severity: normal
Tags: bullseye d-i
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ncur...@packages.debian.org, debian-boot@lists.debian.org
Control: affects -1 + src:ncurses

I would like to address CVE-2023-29491[1] aka bug #1034372[2] in
Bullseye.  The changes are the same as in version 6.4-3 (see
#1035351[3]), except that there is no need to patch configure.in this
time.

[ Reason ]
Various memory corruption bugs exist when loading specifically crafted
terminfo database files.  This is a security problem in programs running
with elevated privileges, as users are allowed to provide their own
terminfo files under ${HOME}/.terminfo or via the TERMINFO or
TERMINFO_DIRS environment variables.

Backporting the upstream fixes would be too intrusive (and has not been
attempted in Bookworm either), but via a configure option it is possible
to prevent setuid/setgid programs from loading custom terminfo files
supplied by the user, after which the bugs are no longer security
relevant.

[ Impact ]
Local users could try privilege escalations in setuid/setgid programs
linked to the tinfo library.  How easily those can be achieved probably
depends on the program.

[ Tests ]
No automatic tests exist.  I have manually verified that programs can no
longer use custom terminfo files if their effective UID or GID differs
from the real one.  Also I have verified that the terminfo database in
the ncurses-{base,term} packages is unchanged from 6.2+20201114-2+deb11u2.

[ Risks ]
Users who are relying on their own terminfo files under
${HOME}/.terminfo can no longer use them in setuid/setgid programs and
will have to work around that, e.g. by changing their TERM environment
variable, using a different terminal emulator or asking their sysadmin
for help.

On my systems I did not find any setuid binaries linked to the tinfo
library, but some setgid games in the bsdgames package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

I have slightly edited the debdiff to exclude spurious changes to the
debian/lib{32,64}tinfo6.symbols files, as these are just symlinks to
libtinfo6.symbols.  See devscripts bug #773762[4].

[ Other info ]
Since ncurses produces a udeb I have CC'ed debian-boot and tagged the
bug accordingly.  The screen binary in the screen-udeb package is
actually affected by the change, as it is installed setgid utmp.  This
should not really matter though, since the terminfo files in the
di-utils-terminfo package are installed in the standard place under
/lib/terminfo.

Thanks for consideration.

Cheers,
   Sven


1. https://security-tracker.debian.org/tracker/CVE-2023-29491
2. https://bugs.debian.org/1034372
3. https://bugs.debian.org/1035351
4. https://bugs.debian.org/773762

diff -Nru ncurses-6.2+20201114/debian/changelog ncurses-6.2+20201114/debian/changelog
--- ncurses-6.2+20201114/debian/changelog	2023-02-08 20:16:03.0 +0100
+++ ncurses-6.2+20201114/debian/changelog	2023-05-26 20:31:08.0 +0200
@@ -1,3 +1,17 @@
+ncurses (6.2+20201114-2+deb11u2) bullseye; urgency=medium
+
+  * Configure with "--disable-root-environ" to disallow loading of
+custom terminfo entries in setuid/setgid programs, mitigating the
+impact of CVE-2023-29491 (see #1034372).
+- Update the symbols files for the newly exported symbol
+  _nc_env_access.
+- New patch debian-env-access.diff, changing the behavior of the
+  "--disable-root-environ" configure option to not restrict programs
+  run by the superuser, equivalent to the "--disable-setuid-environ"
+  option introduced in the 20230423 patchlevel.
+
+ -- Sven Joachim   Fri, 26 May 2023 20:31:08 +0200
+
 ncurses (6.2+20201114-2+deb11u1) bullseye; urgency=medium
 
   * New patch CVE-2022-29458.diff: add a limit-check to guard against
diff -Nru ncurses-6.2+20201114/debian/libtinfo5.symbols ncurses-6.2+20201114/debian/libtinfo5.symbols
--- ncurses-6.2+20201114/debian/libtinfo5.symbols	2021-01-01 10:31:15.0 +0100
+++ ncurses-6.2+20201114/debian/libtinfo5.symbols	2023-05-26 19:46:17.0 +0200
@@ -95,6 +95,7 @@
  _nc_curr_col@NCURSES_TINFO_5.0.19991023 6
  _nc_curr_line@NCURSES_TINFO_5.0.19991023 6
  _nc_doalloc@NCURSES_TINFO_5.0.19991023 6
+ _nc_env_access@NCURSES_TINFO_5.2.20001021 6.2+20201114-2+deb11u2~
  _nc_err_abort@NCURSES_TINFO_5.0.19991023 6
  _nc_fallback@NCURSES_TINFO_5.0.19991023 6
  _nc_find_entry@NCURSES_TINFO_5.0.19991023 6
diff -Nru ncurses-6.2+20201114/debian/libtinfo6.symbols ncurses-6.2+20201114/debian/libtinfo6.symbols
--- ncurses-6.2+20201114/debian/libtinfo6.symbols	2021-01-01 10:31:15.0 +0100
+++ ncurses-6.2+20201114/debian/libtinfo6.symbols	2023-05-26 19:46:17.0 +0200
@@ -94,6 +94,7 @@
  _nc_curr_col@NCURSES6_TINFO_5.0.19991023 6
  _nc_curr_line@NCURSES6_TINFO_5.0.19991023 6

Bug#1035096: GRUB not installed or installed to the wrong device

[Peter Ehlert]

On 5/26/23 06:42, Pascal Hambourg wrote:

On 26/05/2023 at 15:29, Peter Ehlert wrote:


On 5/17/23 10:14, Pascal Hambourg wrote:


1. Copy the attached patched grub-installer onto a second USB drive 
formatted with FAT, ext* or any filesystem type the installer can read.


2. Start the installer (expert install recommended).

3. Between the steps "Load installer components from installation 
media" and "Install the GRUB boot loader", switch to a shell with 
Ctrl+Alt+F2.


4. Connect and mount the second USB drive seen as /dev/sdXY :
# mount -r /dev/sdXY /mnt


I am unable to get it to mount

using blkid I see the second USB as /dev/sdf1 with the label I gave 
it "grub-installer"


however running # mount -r /dev/sdf1 /mnt
says
mount: mounting /dev/sdf1 on /mnt failed: Invalid argument


What filesystem is it ?

ext4

Bug#1035096: GRUB not installed or installed to the wrong device

[Pascal Hambourg]

On 26/05/2023 at 15:29, Peter Ehlert wrote:


On 5/17/23 10:14, Pascal Hambourg wrote:


1. Copy the attached patched grub-installer onto a second USB drive 
formatted with FAT, ext* or any filesystem type the installer can read.


2. Start the installer (expert install recommended).

3. Between the steps "Load installer components from installation 
media" and "Install the GRUB boot loader", switch to a shell with 
Ctrl+Alt+F2.


4. Connect and mount the second USB drive seen as /dev/sdXY :
# mount -r /dev/sdXY /mnt


I am unable to get it to mount

using blkid I see the second USB as /dev/sdf1 with the label I gave it 
"grub-installer"


however running # mount -r /dev/sdf1 /mnt
says
mount: mounting /dev/sdf1 on /mnt failed: Invalid argument


What filesystem is it ?

Bug#1035096: GRUB not installed or installed to the wrong device

[Peter Ehlert]

On 5/17/23 10:14, Pascal Hambourg wrote:

On 17/05/2023 at 16:47, Peter Ehlert wrote:
On May 17, 2023 5:48:14 AM Pascal Hambourg  
wrote:


The proposed patch has not been accepted yet so is not applied to RC3.


Thanks, I was not aware of that.


If you are still willing to test it I can send you instructions.


Yes, I would like to try.
Instructions need to be simple. This is obviously new to me.


1. Copy the attached patched grub-installer onto a second USB drive 
formatted with FAT, ext* or any filesystem type the installer can read.


2. Start the installer (expert install recommended).

3. Between the steps "Load installer components from installation 
media" and "Install the GRUB boot loader", switch to a shell with 
Ctrl+Alt+F2.


4. Connect and mount the second USB drive seen as /dev/sdXY :
# mount -r /dev/sdXY /mnt


I am unable to get it to mount

using blkid I see the second USB as /dev/sdf1 with the label I gave it 
"grub-installer"


however running # mount -r /dev/sdf1 /mnt
says
mount: mounting /dev/sdf1 on /mnt failed: Invalid argument



5. Copy the file (check the executable permission is preserved):
# cp /mnt/grub-installer /usr/bin/grub-installer

6. Unmount and disconnect the USB drive:
# umount /mnt

7. Switch back to the installer with Alt+F1 if text or Alt+F5 if 
graphic, and resume the installation.

finish-install_2.117_source.changes ACCEPTED into unstable

[Debian FTP Masters]

Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 26 May 2023 09:10:29 +
Source: finish-install
Architecture: source
Version: 2.117
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Cyril Brulebois 
Closes: 1036788
Changes:
 finish-install (2.117) unstable; urgency=medium
 .
   * Add bochs/cirrus to the initramfs if detected (Closes: #1036788).
Checksums-Sha1:
 273ec769b26240dff7c216ec6d40895bd1fd2385 1665 finish-install_2.117.dsc
 bf24053586e40fdfd3f6e17686d68e4f6fb69517 63344 finish-install_2.117.tar.xz
 3a75bc8c84e84119b93b8a46445c966be2f41f94 5720 
finish-install_2.117_source.buildinfo
Checksums-Sha256:
 64cedff8f783f030658728606724c0d46a7fa56fb86c1546f31e6df3803f8941 1665 
finish-install_2.117.dsc
 075e1f113382f28d36c90127eeafba819acb934402cda61be682e7349c194b8c 63344 
finish-install_2.117.tar.xz
 5870f211dad3c4ba68e0eb93257e790cea126b2bbc691049b0c2cea094bde94c 5720 
finish-install_2.117_source.buildinfo
Files:
 f25bdd359761c0b4fe8d87b46c4103ac 1665 debian-installer required 
finish-install_2.117.dsc
 5acc40d2c147ff6d216efbfb3e206cba 63344 debian-installer required 
finish-install_2.117.tar.xz
 d0c914ca3b20f8b5ee7fb288101244c1 5720 debian-installer required 
finish-install_2.117_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJEBAEBCgAuFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmRwd9YQHGtpYmlAZGVi
aWFuLm9yZwAKCRD/kUrwwrNVIOSqEACwkK95QY0juoGevd3R0KcFFS7De7dlvSSG
dAbEYF01R+VB0NnPl5iCSNOmg1kHwXFJp7zv4zwEwiDdoHr5TW7JPoIa2REXI+Nn
KZVUII+H+tfkcEnu+XPYe3Rnw/fvawheBYhjP9iwtKyaIf18RVr03D74wi9szpbM
zoH9VXN5ScQ8muLaHr5YWaypPfBKZxeaNtIyaG8FE1r6wmayTS8R53N+b6aEfeNX
sKsNvU2SBeLCqVZ+ao6xmWTSKreEIPngrvv4ipq6XsW4VEQ5ZwWqJH/3xWEf4vze
5sXdpykdHQfc1GnRc8R3llgnW8C+xs3bWMH11O2SmUROZLUAGGC18fd2czt5RW1H
wiKskEc2K0t7WqwfTyEJzwWImFSKNaTxkGahedZoMt99XdI7iUXGiEpezaUcXXbJ
khiwYTng3VvOqT8v+mGQ/Z4MRbtXgxU8j7U0TheBVb0lBwK47jZc58ea69cGOCzm
YD1Vt7Xndx8TktO0dZe2TN1NVoyhSI2oW8lDQop9X9V+DLi5cGvCczZlmj5Nvln8
k0P0ZTkVXkxHfrk0hoaR9JsmPhaxkEx9I96pnH9CiAiX44D4OreON+hXJRCEhbRm
8i/pINAuVMDuub0rSlE0CLMD+GEMnx24c1ZPIHez/p8G/KtWqzKrNMNPHWU6QoQS
4z2kareKHg==
=pKGi
-END PGP SIGNATURE-

Processing of finish-install_2.117_source.changes

[Debian FTP Masters]

finish-install_2.117_source.changes uploaded successfully to localhost
along with the files:
  finish-install_2.117.dsc
  finish-install_2.117.tar.xz
  finish-install_2.117_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)

Bug#1036788: marked as done (finish-install: detect and add bochs/cirrus to the initramfs)

[Debian Bug Tracking System]

Your message dated Fri, 26 May 2023 09:33:52 +
with message-id 
and subject line Bug#1036788: fixed in finish-install 2.117
has caused the Debian Bug report #1036788,
regarding finish-install: detect and add bochs/cirrus to the initramfs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036788
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hw-detect
Severity: important

Hi,

This is another expression of the problem I've started documenting in
#1036019: under UEFI/SB, using the std (bochs) or cirrus graphics
drivers leads to corrupted graphics.

[ I'm even able to get a 800×599 resolution via cirrus! ]


I've implemented a workaround in the installer by shipping the two
relevant DRM modules (bochs.ko, cirrus.ko), which makes the install
process itself run fine.

Unfortunately, upon rebooting, since the initramfs doesn't contain
bochs.ko or cirrus.ko by default, the LUKS passphrase prompt is
corrupted as well (efifb, which is built-in, is likely in charge at this
point). Once LUKS has been unlocked, the console becomes readable, and
one can type login and password normally.

The LUKS prompt is worrying on its own, but I'm also worried one might
be missing critical messages, even on non-LUKS systems, if the boot
sequence breaks early.


Therefore, I'm considering detecting when bochs.ko and/or cirrus.ko are
loaded, adding them to /etc/initramfs-tools/modules, and requesting an
update-initramfs call (see #1036019).

The cost/benefit ratio makes it look like a no-brainer to me, but I'm
happy to hear about other opinions.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant
--- End Message ---
--- Begin Message ---
Source: finish-install
Source-Version: 2.117
Done: Cyril Brulebois 

We believe that the bug you reported is fixed in the latest version of
finish-install, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois  (supplier of updated finish-install package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 26 May 2023 09:10:29 +
Source: finish-install
Architecture: source
Version: 2.117
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Cyril Brulebois 
Closes: 1036788
Changes:
 finish-install (2.117) unstable; urgency=medium
 .
   * Add bochs/cirrus to the initramfs if detected (Closes: #1036788).
Checksums-Sha1:
 273ec769b26240dff7c216ec6d40895bd1fd2385 1665 finish-install_2.117.dsc
 bf24053586e40fdfd3f6e17686d68e4f6fb69517 63344 finish-install_2.117.tar.xz
 3a75bc8c84e84119b93b8a46445c966be2f41f94 5720 
finish-install_2.117_source.buildinfo
Checksums-Sha256:
 64cedff8f783f030658728606724c0d46a7fa56fb86c1546f31e6df3803f8941 1665 
finish-install_2.117.dsc
 075e1f113382f28d36c90127eeafba819acb934402cda61be682e7349c194b8c 63344 
finish-install_2.117.tar.xz
 5870f211dad3c4ba68e0eb93257e790cea126b2bbc691049b0c2cea094bde94c 5720 
finish-install_2.117_source.buildinfo
Files:
 f25bdd359761c0b4fe8d87b46c4103ac 1665 debian-installer required 
finish-install_2.117.dsc
 5acc40d2c147ff6d216efbfb3e206cba 63344 debian-installer required 
finish-install_2.117.tar.xz
 d0c914ca3b20f8b5ee7fb288101244c1 5720 debian-installer required 
finish-install_2.117_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJEBAEBCgAuFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmRwd9YQHGtpYmlAZGVi
aWFuLm9yZwAKCRD/kUrwwrNVIOSqEACwkK95QY0juoGevd3R0KcFFS7De7dlvSSG
dAbEYF01R+VB0NnPl5iCSNOmg1kHwXFJp7zv4zwEwiDdoHr5TW7JPoIa2REXI+Nn
KZVUII+H+tfkcEnu+XPYe3Rnw/fvawheBYhjP9iwtKyaIf18RVr03D74wi9szpbM
zoH9VXN5ScQ8muLaHr5YWaypPfBKZxeaNtIyaG8FE1r6wmayTS8R53N+b6aEfeNX
sKsNvU2SBeLCqVZ+ao6xmWTSKreEIPngrvv4ipq6XsW4VEQ5ZwWqJH/3xWEf4vze
5sXdpykdHQfc1GnRc8R3llgnW8C+xs3bWMH11O2SmUROZLUAGGC18fd2czt5RW1H
wiKskEc2K0t7WqwfTyEJzwWImFSKNaTxkGahedZoMt99XdI7iUXGiEpezaUcXXbJ
khiwYTng3VvOqT8v+mGQ/Z4MRbtXgxU8j7U0TheBVb0lBwK47jZc58ea69cGOCzm
YD1Vt7Xndx8TktO0dZe2TN1NVoyhSI2oW8lDQop9X9V+DLi5cGvCczZlmj5Nvln

debian-installer_20230526_source.changes ACCEPTED into unstable

[Debian FTP Masters]

Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 26 May 2023 09:08:23 +0200
Source: debian-installer
Architecture: source
Version: 20230526
Distribution: unstable
Urgency: medium
Maintainer: Debian Install System Team 
Changed-By: Cyril Brulebois 
Closes: 1036215 1036771
Changes:
 debian-installer (20230526) unstable; urgency=medium
 .
   [ Emanuele Rocca ]
   * build/config/x86.cfg: add /splash.png symlink to make GRUB load the
 splash screen when using netboot (Closes: #1036215).
 .
   [ Cyril Brulebois ]
   * Update translation-status for the release.
   * Fix colors in GRUB submenus for x86 netboot (Closes: #1036771).
   * Add CHECK_MINIMAL_VERSION support, so that the release manager can
 combine speedy uploads and peace of mind.
Checksums-Sha1:
 488baa18d3bac1724cb3672cef9f391e9d477be9 4015 debian-installer_20230526.dsc
 c125688b03e48b42ca637c3c7626b74f9a6e242d 1194156 
debian-installer_20230526.tar.xz
 8a137139db73f5606c81960931d1b3ca12df8327 12687 
debian-installer_20230526_source.buildinfo
Checksums-Sha256:
 380d300a6b0da7aaf0cde3c1129e47fb42d95f19ad79d01555fe5f8e361c2511 4015 
debian-installer_20230526.dsc
 c2594f02dac014270b1d6b5823278da4936c70b4d4d4dfe0f1ad3d1bc6363249 1194156 
debian-installer_20230526.tar.xz
 823a3e2d3c204a0aef0f7bcd88246275f362a97d315cc9be6cbb5845bfe42a04 12687 
debian-installer_20230526_source.buildinfo
Files:
 62b88c04f3d223840920163e917bdb10 4015 devel optional 
debian-installer_20230526.dsc
 0d2c16ac0bb96e362756a08522820322 1194156 devel optional 
debian-installer_20230526.tar.xz
 89ba62b361e1e128b3baf94f45412253 12687 devel optional 
debian-installer_20230526_source.buildinfo

-BEGIN PGP SIGNATURE-

iQJEBAEBCgAuFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmRwXF0QHGtpYmlAZGVi
aWFuLm9yZwAKCRD/kUrwwrNVINqHEACsjKQmmvwVsNJmEQ2mazds4TgBxk6dio/q
4Qlb4vmAN0r9eQTqdzM3q3/XSdfVtCQ7LVU3EDX2n3+bZbfB/K11WarH2RB1l0Ah
ypVVYyBgp1OnPq3jknrk84CeWagBK2EbLvd/kcQWE0X6mTQJz1FGGvmnUuxwPGpg
yi+BGW5Q+4YzIkxIa1SRiwFj6u277LQA/7GfpGCLe5YsAXL0SHueC8HkC1rmbwnw
8R7Z5p30e+2JfIVfeTel2MhbOKEBPc+1Ly4p+Fh1xunoa3KcEia9rU61ixirtj56
WzOpx2J7nNCzZshs13Rpi+21Rc4bBUJkSHQgDJjMgt6vWMgCvwMn0iJPfVeaYni1
e9EYYQW6BJxW+IfBVR4x7matZU9q7p1Kh7+gk+/iY6dCp2WtVi8IRHukUII5lgTT
CnM7wYtR/gf55EdvykbZfyHLG50TakyC5u5uMXHoYUwKdFhYDXAKOGXTKZ0QOfkn
+er+OucHctTpXLDp+pjargE//d4WxMQR08FZ7c5bZ7sjrPeaRp/0ZwNS7vCIO27c
PiAsIrjK7m/btGmua00IWyF/FSYxgDD4UGlQ6PBH6C0KCBrw9g02Pnygtx96LHSC
cdl1in6gcHY17Hds+IN0U5lD4ebfzVacqS468QRWK7k3vikfdaBLg6ML/1PTyOvO
jNzd1bwKqw==
=UVEF
-END PGP SIGNATURE-

Processing of debian-installer_20230526_source.changes

[Debian FTP Masters]

debian-installer_20230526_source.changes uploaded successfully to localhost
along with the files:
  debian-installer_20230526.dsc
  debian-installer_20230526.tar.xz
  debian-installer_20230526_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)

Bug#1036215: marked as done (installation-reports: PXE netboot x86_64 libvirt guest on aarch64 host)

[Debian Bug Tracking System]

Your message dated Fri, 26 May 2023 07:34:31 +
with message-id 
and subject line Bug#1036215: fixed in debian-installer 20230526
has caused the Debian Bug report #1036215,
regarding installation-reports: PXE netboot x86_64 libvirt guest on aarch64 host
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: installation-reports

Boot method: PXE netboot
Image version: netboot.tar.gz from 
https://deb.debian.org/debian/dists/testing/main/installer-amd64/20230515/images/netboot/

Machine: QEMU TCG x86_64 libvirt guest on aarch64 host

Base System Installation Checklist:
[O] = OK, [E] = Error (please elaborate below), [ ] = didn't try it

Initial boot:   [O]
Detect network card:[O]
Configure network:  [O]
Detect media:   [O]
Load installer modules: [O]
Clock/timezone setup:   [O]
User/password setup:[O]
Detect hard drives: [O]
Partition hard drives:  [O]
Install base system:[O]
Install tasks:  [O]
Install boot loader:[O]
Overall install:[O]

Comments/Problems:

This report is about the successful installation of Bookworm on a x86_64 guest
running on a aarch64 host. The guest was installed with virt-manager using PXE
boot and UEFI Secure Boot enabled. Everything went smoothly except:

(A) some troubles with the UEFI PXE boot device to choose
(B) failure to load the grub splash screen

(A)
At VM startup I've entered the UEFI firmware and booted selecting the first
PXEv4 option, see [0].

Choosing the first one *seemed* to work fine, but it ended up in a Secure Boot
error (see [1]). Disabling Secure Boot did not fix the problem, I still got a
"Invalid Parameter" error. It eventually became clear that I had to boot with
[2] instead. I'm not really sure what the difference between the two may be,
and if this is an issue in the Tianocore firmware.

At any rate, [2] worked fine with and without Secure Boot enabled. I went on
with a preseeded installation, which finished uneventfully.

I then noticed the following errors in the libvirtd logs on the host (B):

 sarzana dnsmasq-tftp[7413]: file /srv/tftp/bookworm/isolinux/splash.png not 
found for 192.168.122.7
 sarzana dnsmasq-tftp[7413]: file /srv/tftp/bookworm/splash.png not found for 
192.168.122.7

The grub.cfg file under /debian-installer/amd64/grub/grub.cfg has the following
conditionals:

 if background_image /isolinux/splash.png; then
[...]
 elif background_image /splash.png; then

The splash screen is loaded correctly replacing either of those with
/debian-installer/amd64/boot-screens/splash.png instead.

[0] https://people.debian.org/~ema/RC3-x86_64-uefi-firmware.png
[1] https://people.debian.org/~ema/RC3-x86_64-uefi-firmware-sb-error.png
[2] https://people.debian.org/~ema/RC3-x86_64-uefi-firmware-right-entry.png

PS:

To test PXE boot with libvirt I've edited the default network with:

 $ sudo virsh net-edit default

Here's what the  part looks like:



  
  

I've untarred netboot.tar.gz under /srv/tftp/bookworm/.

After editing the network, I re-created it with:

 $ sudo virsh net-destroy default && sudo virsh net-start default

Although I'm not 100% sure it was necessary, I've also restarted libvirt and
shot a couple of dnsmasq processes that seemed to want to stick around: 

 $ sudo systemctl stop libvirtd && sudo pkill dnsmasq && sudo systemctl start 
libvirtd
--- End Message ---
--- Begin Message ---
Source: debian-installer
Source-Version: 20230526
Done: Cyril Brulebois 

We believe that the bug you reported is fixed in the latest version of
debian-installer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois  (supplier of updated debian-installer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Fri, 26 May 2023 09:08:23 +0200
Source: debian-installer
Architecture: source
Version: 20230526
Distribution: u

Processed: Bug#1036771 marked as pending in debian-installer

[Debian Bug Tracking System]

Processing control commands:

> tag -1 pending
Bug #1036771 [debian-installer] debian-installer: Wrong colors in GRUB submenus 
for netboot on x86
Added tag(s) pending.

-- 
1036771: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036771
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#1036780: hw-detect: detect and add bochs/cirrus to the initramfs

[Debian Bug Tracking System]

Processing control commands:

> clone -1 -2
Bug #1036780 [hw-detect] hw-detect: detect and add bochs/cirrus to the initramfs
Bug 1036780 cloned as bug 1036788
> reassign -2 finish-install
Bug #1036788 [hw-detect] hw-detect: detect and add bochs/cirrus to the initramfs
Bug reassigned from package 'hw-detect' to 'finish-install'.
Ignoring request to alter found versions of bug #1036788 to the same values 
previously set
Ignoring request to alter fixed versions of bug #1036788 to the same values 
previously set
> retitle -2 finish-install: detect and add bochs/cirrus to the initramfs
Bug #1036788 [finish-install] hw-detect: detect and add bochs/cirrus to the 
initramfs
Changed Bug title to 'finish-install: detect and add bochs/cirrus to the 
initramfs' from 'hw-detect: detect and add bochs/cirrus to the initramfs'.

-- 
1036780: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036780
1036788: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036788
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1036780: hw-detect: detect and add bochs/cirrus to the initramfs

[Cyril Brulebois]

Control: clone -1 -2
Control: reassign -2 finish-install
Control: retitle -2 finish-install: detect and add bochs/cirrus to the initramfs

Cyril Brulebois  (2023-05-26):
> Therefore, I'm considering detecting when bochs.ko and/or cirrus.ko are
> loaded, adding them to /etc/initramfs-tools/modules, and requesting an
> update-initramfs call (see #1036019).

This last reference was meant to be #1036779 instead, which I've just
followed up to. Since there is no easy/quick fix for the reasons
mentioned there, I'm going to:
 - keep -1 against hw-detect for the long term (it still feels better
   to have hw-detect be knowledgeable about HW problems…), once we
   implement factorization.
 - implement -2 in finish-install, and make sure to avoid a double u-i
   run if we happen to have both LUKS and bochs/cirrus.

This means a single upload, keeping track of an extra variable within a
single finish-install script, and coming up with a better long term
solution later.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature