[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default

2024-01-30 Thread Alex Murray
** Also affects: ufw
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2051540

Title:
  ufw ftbfs with Python 3.12 as default

Status in ufw:
  New
Status in ufw package in Ubuntu:
  Confirmed

Bug description:
  ==
  ERROR: test_ufwcommand_parse (tests.unit.test_parser.ParserTestCase.test_ufwcommand_parse)
  Test UFWCommand.parse()
  --
  Traceback (most recent call last):
    File "/<>/tests/unit/test_parser.py", line 88, in test_ufwcommand_parse
      self.assertEquals('status', pr.action, "%s != 'status'" % (pr.action))
      ^
  AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

  ==
  ERROR: test_ufwcommand_rule_get_command (tests.unit.test_parser.ParserTestCase.test_ufwcommand_rule_get_command)
  Test UFWCommand(Route)Rule.get_command()
  --
  Traceback (most recent call last):
    File "/<>/tests/unit/test_parser.py", line 375, in test_ufwcommand_rule_get_command
      self.assertEquals(len(errors), 0,
      ^
  AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

  --
  Ran 24 tests in 7.584s

  FAILED (errors=9)
  test_skeleton
  test_example (tests.unit.test_skeleton.SkeletonTestCase.test_example)
  Test example dummy test ... ok

  --
  Ran 1 test in 0.000s

  OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/2051540/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default

2024-02-07 Thread Alex Murray
Both dep8 tests already declare a Depends on python3-distutils - and we
can see that the current test runs all used the 3.11 based
python3-distutils - do we need a no-change-rebuild of
python3-stdlib-extensions so that it builds against python 3.12?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2051540

Title:
  ufw ftbfs with Python 3.12 as default

Status in ufw:
  Fix Committed
Status in ufw package in Ubuntu:
  Confirmed
Status in ufw package in Debian:
  Fix Released



[Touch-packages] [Bug 2054924] Re: color emoji are broken with fontconfig 2.15

2024-03-06 Thread Alex Murray
As per
https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409#note_2298588
this can also be fixed by adding an additional rule to
/etc/fonts/conf.d/70-no-bitmaps.conf of the form:

false

** Bug watch added: gitlab.freedesktop.org/fontconfig/fontconfig/-/issues #409
   https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to fontconfig in Ubuntu.
https://bugs.launchpad.net/bugs/2054924

Title:
  color emoji are broken with fontconfig 2.15

Status in Fontconfig:
  Fix Released
Status in fontconfig package in Ubuntu:
  Triaged
Status in fonts-noto-color-emoji package in Ubuntu:
  Triaged
Status in fontconfig package in Debian:
  Confirmed

Bug description:
  The Noto Color Emoji font is no longer used to show emoji. Many emoji
  no longer show and the few that do are not in color.

To manage notifications about this bug go to:
https://bugs.launchpad.net/fontconfig/+bug/2054924/+subscriptions




[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-12 Thread Alex Murray
Uploaded to noble-proposed yesterday
https://launchpad.net/ubuntu/+source/apparmor/4.0.0~beta2-0ubuntu3

** Changed in: apparmor (Ubuntu)
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title:
  [FFe] AppArmor 4.0-beta2 + prompting support for noble

Status in apparmor package in Ubuntu:
  Fix Committed

Bug description:
  AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1
  from landing pre feature freeze.

  Landing AppArmor 4.0-beta's will enable us to more easily track
  upstream bug fixes, and is needed to support network rules in
  prompting. The addition of the prompting patch on top of AppArmor 4.0
  is required to support snapd prompting in general for both file and
  network rules. Currently the prompting patch is not part of the
  upstream release but is part of the vendored apparmor in snapd. In
  order for snapd to be able to vendor the noble release of apparmor
  it requires support for prompting. The prompting patch is a straight
  rebase to AppArmor 4.0 of the patch that has been in testing in snapd
  prompting for more than six months.

  Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

  Beta1 added three additional features that were not present in alpha4 (current Noble).
  • support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking).
  • aa-notify support message filters to reduce notifications
  • aa-logprof/genprof support for mount rules

  None of these features affect existing policy, which will continue to
  function under the abi that it was developed under. This can be seen
  in the regression testing below.

  In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add
  several bug fixes; the most important are highlighted below, with the
  full list available in the upstream release notes, available at
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1
  and
  https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

  • new unconfined profiles in support of unprivileged user namespace mediation
    https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
  • fix policy generation for non-af_inet rules (MR:1175)
  • Fix race when reading proc files (AABUG:355, MR:1157)
  • handle unprivileged_userns transition in userns tests (MR:1146)
  • fix usr-merge failures on exec and regex tests (MR:1146)

  This proposed change has been tested via the QA Regression Testing
  project, in particular with the specific test added in
  https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

  The output of a test run is in the attached qrt.output file. Of which the summary is below
  Ran 62 tests in 811.542s

  OK (skipped=3)

  apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of March 7) noble systems. Boot/Reboot and regression tests have been done, against different kernel versions.
     6.8.0-11-generic #11-Ubuntu
     6.5.0-14-generic #14-Ubuntu
     6.7.0 (upstream custom build)
     6.8-rc3 (upstream custom build)

  The changelog is available here
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

  The prepared package is available via the ppa
  https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056496/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-14 Thread Alex Murray
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session"
> path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
> member="ListActivatableNames" mask="send" name="org.freedesktop.DBus"
> pid=2950 label="snap.element-desktop.element-desktop"
> peer_label="unconfined"

This is provided by the system-observe interface in snapd - currently it
looks like element-desktop does not plug this so the element-desktop
snap needs to be updated to include this.

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" 
> path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" 
> mask="send" name="org.kde.kwalletd5" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=1762 
> peer_label="unconfined"
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" 
> path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" 
> mask="send" name="org.kde.kwalletd5" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=1762 
> peer_label="unconfined"

These are provided by the password-manager-service interface in snapd -
again currently it looks like element-desktop does not plug this so the
element-desktop snap needs to be updated to include this as well.


Finally, for the last two

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" 
> path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" 
> member="GetAll" name=":1.45" mask="receive" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=2394 
> peer_label="plasmashell"
> Log: apparmor="DENIED" operation="dbus_signal" bus="session" 
> path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" 
> member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 
> label="snap.element-desktop.element-desktop" peer_pid=2394 
> peer_label="plasmashell"

Yes this is due to the peer_label mismatch - previously plasmashell
would run without an AppArmor profile and so was "unconfined" - the most
recent apparmor release in Noble contains a new profile for plasmashell
in /etc/apparmor.d/plasmashell with the label "plasmashell" - and so now
the peer_label doesn't match.

This likely needs to be fixed on the snapd side (or we figure out a way
in apparmor to not ship this profile).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.elemen

[Touch-packages] [Bug 2058329] [NEW] Update apparmor to 4.0.0-beta3 in noble

2024-03-18 Thread Alex Murray
Public bug reported:

Latest upstream release
https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3

Contains only bug fixes since 4.0.0-beta2 which is currently in
noble-proposed thus does not require a FFe.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2058329

Title:
  Update apparmor to 4.0.0-beta3 in noble

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058329/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-19 Thread Alex Murray
So I installed kubuntu-desktop on an up-to-date noble VM and then after
logging into the kubuntu session I was able to reproduce the issue for
Notifications but I couldn't see anything owning the /StatusNotifierItem
dbus path.

For notifications I submitted
https://github.com/snapcore/snapd/pull/13737 to snapd which should
resolve that but if anyone can help me reproduce the issue for the
status notifier item that would be great. FWIW I have attached a
screenshot of d-feet showing the various dbus paths owned by plasmashell
and /StatusNotifierItem is not listed. Am I perhaps missing some other
package that doesn't get pulled in by the standard kubuntu-desktop
metapackage?

** Attachment added: "Pasted image.png"
   https://bugs.launchpad.net/snapd/+bug/2056696/+attachment/5757409/+files/Pasted%20image.png

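
The triage applied in the 2024-03-14 reply on this bug, written out as an added example (not code from snapd, AppArmor or anyone in the thread): it parses the denial records from the bug report and separates calls the reply attributes to an unplugged snapd interface from calls whose peer now runs under a named profile. The `PLUG_HINTS` table, the category names and the function names are this example's own assumptions; the log lines are the ones in the report, rejoined one record per line.

```python
"""Triage AppArmor D-Bus denials along the lines of the reply in this thread."""
import re
from collections import defaultdict

# key="quoted value" or key=bare_value, as found in AppArmor audit records.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption for this example: the snapd interface names are the ones the
# reply gives, keyed by (D-Bus interface, member); None means "any member".
PLUG_HINTS = {
    ("org.freedesktop.DBus", "ListActivatableNames"): "system-observe",
    ("org.kde.KWallet", None): "password-manager-service",
}

# The five denials from the bug report, each rejoined onto one line.
SAMPLE_LOG = """\
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
"""


def parse_denial(line):
    """Return the record's fields, or None if the line is not a D-Bus denial."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    if not fields.get("operation", "").startswith("dbus_"):
        return None
    return fields


def classify(rec):
    """Map one denial to (category, detail)."""
    peer = rec.get("peer_label", "")
    # A peer under a named profile is the case the reply describes for
    # plasmashell: the peer used to be "unconfined" and now is not.
    if peer and peer != "unconfined":
        return ("confined-peer", peer)
    iface, member = rec.get("interface"), rec.get("member")
    hint = PLUG_HINTS.get((iface, member)) or PLUG_HINTS.get((iface, None))
    if hint:
        return ("missing-plug", hint)
    return ("unclassified", iface or "")


def triage(log_text):
    """Group every D-Bus denial in log_text by its classification."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is not None:
            report[classify(rec)].append(
                (rec.get("label"), rec.get("path"), rec.get("member"))
            )
    return dict(report)


if __name__ == "__main__":
    for (category, detail), hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category}: {detail} ({len(hits)} denial(s))")
        for label, path, member in hits:
            print(f"    {label} -> {path} {member}")
```
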

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Yes I hit that exact issue in Calamares but after fixing it I then hit
another similar crash in a different script in calamares - will see if I
can reproduce and provide you with details.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to me, and I suspect possibly some other component of the
  affected systems happened to get updated at the same time (perhaps the
  snapd Snap), but it's de

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Ah although it seems I can reboot the VM at this point and whilst
Calamares appeared to run again in the rebooted VM, if I choose
Install, Calamares closes and I see the installed kubuntu environment -
weird

Anyway I think I will be able to use this to debug the original issue
further - will continue and let you know what I find.


[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
The subsequent error is:

Main script file /usr/lib/x86_64-linux-gnu/calamares/modules/automirror/main.py
for python job automirror raised an exception.


Is there any way I can debug this further?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  New
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to
  other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the
  display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be
  displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously
  generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with
  the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the
  ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to
  other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related, at
  least for element-desktop (but presumably for the others too). Of note are
  some of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" 
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" 
mask="send" name="org.kde.kwalletd5" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=1762 
peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" 
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" 
member="GetAll" name=":1.45" mask="receive" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" 
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" 
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 
label="snap.element-desktop.element-desktop" peer_pid=2394 
peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to me, and I suspect possibly some other component of the
  affected systems happened to get updated at the same time (perhaps the
  snapd Snap), 
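
An added example, not part of the bug report or of snapd: the reporter compared the denied paths and interfaces by eye against `desktop_legacy.go`; this Python code rejoins the mail-wrapped snappy-debug records, groups denials that differ only in `member`, and prints each group in AppArmor `dbus` rule form for comparison with the interface policy. `SAMPLE` holds four of the denials quoted above, and all function names are hypothetical.

```python
import re
import shlex
from collections import defaultdict

# Four of the denials from the report, kept in the mail-wrapped form shown there.
SAMPLE = """\
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled"
mask="send" name="org.kde.kwalletd5" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=1762
peer_label="unconfined"
DBus access
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close"
mask="send" name="org.kde.kwalletd5" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=1762
peer_label="unconfined"
DBus access
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties"
member="GetAll" name=":1.45" mask="receive" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=2394
peer_label="plasmashell"
DBus access
Log: apparmor="DENIED" operation="dbus_signal"  bus="session"
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem"
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=2394
peer_label="plasmashell"
DBus access
"""

# A wrapped continuation line always starts with another key=value pair.
CONTINUATION = re.compile(r"[a-z_]+=")


def rejoin(text):
    """Merge wrapped 'Log:' records back into one string per denial."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Log:"):
            if current is not None:
                records.append(current)
            current = line[len("Log:"):].strip()
        elif current is not None and CONTINUATION.match(line):
            current += " " + line
        elif current is not None:
            # Anything else ("DBus access", "= AppArmor =", blank) ends the record.
            records.append(current)
            current = None
    if current is not None:
        records.append(current)
    return records


def parse(record):
    """Split one record into its key=value fields, with quotes removed."""
    fields = {}
    for token in shlex.split(record):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def summarize(text):
    """Group DBus denials that differ only in 'member'."""
    groups = defaultdict(set)
    for record in rejoin(text):
        f = parse(record)
        if f.get("apparmor") != "DENIED":
            continue
        if not f.get("operation", "").startswith("dbus_"):
            continue
        key = (f.get("label", ""), f.get("mask", ""), f.get("bus", ""),
               f.get("path", ""), f.get("interface", ""), f.get("peer_label", ""))
        groups[key].add(f.get("member", ""))
    return {key: sorted(members) for key, members in groups.items()}


def as_rule(key, members):
    """Render one group in AppArmor dbus rule syntax, for comparison only."""
    _label, mask, bus, path, interface, peer_label = key
    member = members[0] if len(members) == 1 else "{" + ",".join(members) + "}"
    rule = f"dbus ({mask}) bus={bus} path={path} interface={interface} member={member}"
    if peer_label:
        rule += f" peer=(label={peer_label})"
    return rule + ","


if __name__ == "__main__":
    for key, members in summarize(SAMPLE).items():
        print(as_rule(key, members))
```

The grouped output also puts the `peer_label` values side by side: the kwalletd5 denials name `unconfined`, while the `/StatusNotifierItem` denials name `plasmashell`.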

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Ok whilst I still can't see the /StatusNotifierItem object listed via
d-feet I can reproduce the denials when launching element-desktop so I
have added some additional changes to the aforementioned PR which
resolve these as well. With all the changes from that PR in place all of
these mentioned denials are resolved.

** Changed in: snapd
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  In Progress
Status in apparmor package in Ubuntu:
  Confirmed


[Touch-packages] [Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

2024-03-29 Thread Alex Murray
Given this has been reverted in Debian, it should not be synced into
Ubuntu.

** Changed in: xz-utils (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xz-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2059417

Title:
  Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

Status in xz-utils package in Ubuntu:
  Won't Fix

Bug description:
  Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

  Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1
  was recently released and uploaded to Debian as a bugfix only release.
  Notably, this fixes a bug that causes Valgrind to issue a warning on
  any application dynamically linked with liblzma. This includes a lot of
  important applications. This could break build scripts and test
  pipelines that expect specific output from Valgrind in order to pass.

  Additionally, this fixes a small typo for the man pages translations
  for Brazilian Portuguese, German, French, Korean, Romanian, and
  Ukrainian, and removes the need for patches applied for version
  5.6.0-0.2.

  The other bugfixes in this release have no impact on Ubuntu. They
  involve building with CMake or when building on a system without
  Landlock system calls defined (these are defined in Ubuntu).

  Changelog entries since current noble version 5.6.0-0.2:

  xz-utils (5.6.1-1) unstable; urgency=medium

    * Non-maintainer upload.
    * Import 5.6.1 (Closes: #1067708).
    * Takeover maintenance of the package.

   -- Sebastian Andrzej Siewior   Wed, 27 Mar
  2024 22:53:21 +0100

  
  Excerpt from the NEWS entry from upstream:

  5.6.1 (2024-03-09)

  * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
    with GCC. The more serious bug caused a program linked with
    liblzma to crash on start up if the flag -fprofile-generate was
    used to build liblzma. The second bug caused liblzma to falsely
    report an invalid write to Valgrind when loading liblzma.

  * xz: Changed the messages for thread reduction due to memory
    constraints to only appear under the highest verbosity level.

  * Build:

      - Fixed a build issue when the header file
        was present on the system but the Landlock system calls were
        not defined in .

      - The CMake build now warns and disables NLS if both gettext
        tools and pre-created .gmo files are missing. Previously,
        this caused the CMake build to fail.

  * Minor improvements to man pages.

  * Minor improvements to tests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417/+subscriptions




[Touch-packages] [Bug 2062440] Re: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tzdata in Ubuntu.
https://bugs.launchpad.net/bugs/2062440

Title:
  A few days ago I realized that the time was four hours behind despite
  it being automatic with the correct time zone.

Status in tzdata package in Ubuntu:
  New

Bug description:
  A few days ago I realized that the time was four hours behind despite
  it being automatic with the correct time zone.

  root@lmobile4dcda1:/etc# apt reinstall tzdata 
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
  Need to get 348 kB of archives.
  After this operation, 0 B of additional disk space will be used.
  Get:1 https://mirror.mia.velocihost.net/ubuntu jammy-updates/main amd64 
tzdata all 2024a-0ubuntu0.22.04 [348 kB]
  Fetched 348 kB in 6s (61,9 kB/s)
  Preconfiguring packages ...
  (Reading database ... 244685 files and directories currently installed.)
  Preparing to unpack .../tzdata_2024a-0ubuntu0.22.04_all.deb ...
  Unpacking tzdata (2024a-0ubuntu0.22.04) over (2024a-0ubuntu0.22.04) ...
  Setting up tzdata (2024a-0ubuntu0.22.04) ...

  Current default time zone: 'America/Caracas'
  Local time is now:  jue 18 abr 2024 17:11:26 -04.
  Universal Time is now:  Thu Apr 18 21:11:26 UTC 2024.
  Run 'dpkg-reconfigure tzdata' if you wish to change it.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: tzdata 2024a-0ubuntu0.22.04
  ProcVersionSignature: Ubuntu 6.5.0-27.28~22.04.1-generic 6.5.13
  Uname: Linux 6.5.0-27-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: GNOME
  Date: Thu Apr 18 16:52:36 2024
  InstallationDate: Installed on 2023-11-18 (151 days ago)
  InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 
(20230807.2)
  PackageArchitecture: all
  SourcePackage: tzdata
  UpgradeStatus: Upgraded to jammy on 2024-01-06 (103 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/2062440/+subscriptions




[Touch-packages] [Bug 2061856] Re: gnome terminal

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Changed in: xorg (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2061856

Title:
  gnome terminal

Status in xorg package in Ubuntu:
  Incomplete

Bug description:
  Hello, good morning. I have a problem with the Ubuntu shell terminal:
  it closes as soon as I click to open it, it closes automatically. I
  have already tried using another terminal and it does the same thing.
  I also have fish installed, but it does the same thing, closing
  automatically; the only one that works is the VS Code terminal.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: xorg 1:7.7+19ubuntu7.1
  ProcVersionSignature: Ubuntu 4.15.0-213.224-generic 4.15.18
  Uname: Linux 4.15.0-213-generic i686
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: i386
  CompizPlugins: No value set for 
`/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Tue Apr 16 12:04:00 2024
  DistUpgraded: Fresh install
  DistroCodename: bionic
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes
  GraphicsCard:
   Intel Corporation Core Processor Integrated Graphics Controller [8086:0042] 
(rev 12) (prog-if 00 [VGA controller])
 Subsystem: Elitegroup Computer Systems Core Processor Integrated Graphics 
Controller [1019:1324]
  InstallationDate: Installed on 2023-07-23 (267 days ago)
  InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release i386 
(20170215.2)
  Lsusb:
   Bus 002 Device 006: ID 04f3:0210 Elan Microelectronics Corp. Optical Mouse
   Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
   Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
   Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
  MachineType: MEGAWARE H55H-CM
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-213-generic 
root=UUID=3cfdb2f5-e8ec-4728-844a-29c984321037 ro quiet splash vt.handoff=1
  Renderer: Software
  SourcePackage: xorg
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 05/18/2010
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 080015
  dmi.board.asset.tag: To Be Filled By O.E.M.
  dmi.board.name: MW-H55H-CM
  dmi.board.vendor: MEGAWARE
  dmi.board.version: 1.0
  dmi.chassis.asset.tag: M0418501001
  dmi.chassis.type: 3
  dmi.chassis.vendor: MEGAWARE
  dmi.chassis.version: 1.0
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvr080015:bd05/18/2010:svnMEGAWARE:pnH55H-CM:pvrMEGAWARE:rvnMEGAWARE:rnMW-H55H-CM:rvr1.0:cvnMEGAWARE:ct3:cvr1.0:
  dmi.product.family: To Be Filled By O.E.M.
  dmi.product.name: H55H-CM
  dmi.product.version: MEGAWARE
  dmi.sys.vendor: MEGAWARE
  version.compiz: compiz 1:0.9.13.1+18.04.20180302-0ubuntu1
  version.libdrm2: libdrm2 2.4.101-2~18.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 20.0.8-0ubuntu1~18.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx 20.0.8-0ubuntu1~18.04.1
  version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4.15
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.5-1ubuntu1
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20171229-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2
  xserver.bootTime: Thu Apr  4 13:22:01 2024
  xserver.configfile: default
  xserver.devices:
   inputPower Button KEYBOARD, id 6
   inputPower Button KEYBOARD, id 7
   inputPS/2+USB Mouse   MOUSE, id 8
   inputAT Translated Set 2 keyboard KEYBOARD, id 9
  xserver.logfile: /var/log/Xorg.0.log
  xserver.version: 2:1.19.6-1ubuntu4.15

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2061856/+subscriptions




[Touch-packages] [Bug 2061856]

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Your bug report is more likely to get attention if it is made in
English, since this is the language understood by the majority of Ubuntu
developers.  Additionally, please only mark a bug as "security" if it
shows evidence of allowing attackers to cross privilege boundaries or to
directly cause loss of data/privacy. Please feel free to report any
other bugs you may find.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2061856

Title:
  gnome terminal

Status in xorg package in Ubuntu:
  Incomplete


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2061856/+subscriptions




[Touch-packages] [Bug 2061191]

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to qtwebkit-opensource-src in
Ubuntu.
https://bugs.launchpad.net/bugs/2061191

Title:
  Probably stone-age old and insecure version with remote code execution

Status in qtwebkit-opensource-src package in Ubuntu:
  New

Bug description:
  Hi,

  Ubuntu 24.04 beta still uses libqt5webkit5.

  It is not obvious, where it comes from, but the version is still an
  alpha4, and the link in the README seems to suggest, that it still
  comes from https://github.com/annulen/webkit, which redirects to
  https://github.com/qtwebkit/qtwebkit , where the alpha4 tag is over 4
  years old.

  There, the latest README tells:

  Code in this repository is obsolete. If you are looking for up-to-date
  QtWebKit use this fork: https://github.com/movableink/webkit

  
  https://github.com/movableink/webkit seems to be still maintained – more or 
less. And calls itself "inofficial mirror"


  Have a look at

  https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/

  which calls qtwebkit insecure, poorly maintained, and cites CVEs about
  remote code execution (some of them would have to be fixed in the
  fork, but probably not in the version here in ubuntu).


  
  The problem is, that tools like wkhtmltopdf do use this library and are 
typically used to pull contents from a given URL, i.e. from foreign websites. 

  
  Processing foreign HTML and Javascript code in conjunction with 
vulnerabilities to remote code execution, this is highly dangerous.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: libqt5webkit5 5.212.0~alpha4-34ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1
  Uname: Linux 6.8.0-22-generic x86_64
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: KDE
  Date: Fri Apr 12 23:31:43 2024
  InstallationDate: Installed on 2024-04-12 (0 days ago)
  InstallationMedia: Kubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240411.2)
  SourcePackage: qtwebkit-opensource-src
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/2061191/+subscriptions




[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl

2024-04-23 Thread Alex Murray
Thanks for reporting this issue - but it is strange since this update
has been published since 2024-02-27 and this is the first such report of
any issues.

Also, given this update has been available for nearly 2 months, it is
surprising you are seeing errors from it so much later - I wonder
instead whether the on-disk binary has been corrupted? Can you please
try reinstalling libssl3 and see if that resolves the issue:

sudo apt install --reinstall libssl3

If this does resolve the issue, it might be worth checking whether you
have any failing hardware / disks etc that may have led to this problem.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2063271

Title:
  Illegal opcode in libssl

Status in openssh package in Ubuntu:
  New

Bug description:
  Many programs using openssl now fail, typically with messages such as

Illegal instruction (core dumped)

  This seems to be a serious error, since it affects, for example,
  update-manager. Since this makes it harder to get security updates, I
  would also consider it a security vulnerability.

  The issue seems to be that openssl attempts to use an illegal
  opcode. A few sample entries in /var/log/syslog are:

  Apr 21 19:16:39 einstein kernel: [495465.431588] traps: 
update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 
error:0 in libssl.so.3[740964b7a000+5b000]
  Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap 
invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in 
libssl.so.3[73607be7a000+5b000]
  Apr 21 19:40:05 einstein kernel: [496871.653271] traps: 
chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 
error:0 in libssl.so.3[79432ff97000+5b000]
  Apr 22 16:23:08 einstein kernel: [501744.765118] traps: 
check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 
error:0 in libssl.so.3[797c7cc7a000+5b000]
  Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap 
invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in 
libssl.so.3[73a8b2ea4000+5b000]
  Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap 
invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in 
libssl.so.3[7e4e3950d000+5b000]
  Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] 
trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in 
libssl.so.3[7039180e5000+5b000]

  This bug report itself had to be submitted manually since ubuntu-bug
  now itself fails.

  lsb_release -rd reports:

Description:Ubuntu 22.04.4 LTS
Release:22.04

  apt-cache policy openssl reports:

openssl:
  Installed: 3.0.2-0ubuntu1.15
  Candidate: 3.0.2-0ubuntu1.15
  Version table:
 *** 3.0.2-0ubuntu1.15 500
500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 
Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 
Packages
100 /var/lib/dpkg/status
 3.0.2-0ubuntu1 500
 500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  /proc/version for my computer gives

Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) 
(x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU 
Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu 
Apr  4 14:39:20 UTC 2

  /proc/cpuinfo for my computer starts

  processor : 0
  vendor_id : GenuineIntel
  cpu family: 6
  model : 78
  model name: Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
  stepping  : 3
  microcode : 0xf0
  cpu MHz   : 500.018
  cache size: 4096 KB
  physical id   : 0
  siblings  : 4
  core id   : 0
  cpu cores : 2
  apicid: 0
  initial apicid: 0
  fpu   : yes
  fpu_exception : yes
  cpuid level   : 22
  wp: yes
  flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb 
rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology 
nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 
sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt 
tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch 
cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust 
bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt 
xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify 
hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
  bugs  : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds 
swapgs itlb_multihit srbds mmio_stale_data retbleed gds
  bogomips  : 5199.98
  clflush size  : 64
  cache_alignment   : 64
  address sizes : 39 bits physical, 48 b
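
The kernel trap lines in the report above can be reduced to the faulting offset inside the `libssl.so.3` mapping, which shows whether the crashes share one site. This is an added example, not part of the original report; the function names are hypothetical, and the offset is relative to the start of the mapping the kernel printed, which is not necessarily the start of the file.

```python
import re
from collections import defaultdict

# Trap lines copied from the report above, still wrapped the way the mail
# archive wrapped them (the "[04]" pid is reproduced as it appears there).
REPORTED_TRAPS = """
  Apr 21 19:40:05 einstein kernel: [496871.653271] traps:
chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70
error:0 in libssl.so.3[79432ff97000+5b000]
  Apr 22 16:23:08 einstein kernel: [501744.765118] traps:
check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0
error:0 in libssl.so.3[797c7cc7a000+5b000]
  Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap
invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in
libssl.so.3[73a8b2ea4000+5b000]
  Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap
invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in
libssl.so.3[7e4e3950d000+5b000]
  Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04]
trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in
libssl.so.3[7039180e5000+5b000]
"""

# Layout of the kernel "traps:" message as it appears in the lines above:
#   traps: COMM[PID] trap NAME ip:HEX sp:HEX error:HEX in OBJECT[BASE+SIZE]
TRAP_RE = re.compile(
    r"traps: (?P<comm>[^\[]+)\[(?P<pid>\d+)\] trap (?P<trap>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<error>[0-9a-f]+) "
    r"in (?P<object>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_traps(text):
    """Return one dict per trap record, tolerating mid-record line wrapping."""
    flat = " ".join(text.split())  # collapse newlines and runs of spaces
    events = []
    for m in TRAP_RE.finditer(flat):
        ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
        offset = ip - base
        events.append({
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "trap": m["trap"],
            "object": m["object"],
            "offset": offset,
            # Sanity check: the faulting address must lie inside the mapping.
            "in_mapping": 0 <= offset < size,
        })
    return events


def cluster_by_site(events):
    """Group processes by (object, trap, offset): one key means one fault site."""
    sites = defaultdict(set)
    for e in events:
        sites[(e["object"], e["trap"], e["offset"])].add(e["comm"])
    return {site: sorted(comms) for site, comms in sites.items()}


if __name__ == "__main__":
    for (obj, trap, offset), comms in cluster_by_site(parse_traps(REPORTED_TRAPS)).items():
        print(f"{obj}+{offset:#x} ({trap}): {', '.join(comms)}")
```

ASLR changes the absolute `ip` on every run, so only the mapping-relative offset is comparable across processes.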

[Touch-packages] [Bug 1977710] Re: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1

2022-06-07 Thread Alex Murray
From what I can see of this postinst this looks to be a bug from adduser
in debian itself - and would appear to come from
https://salsa.debian.org/debian/adduser/-/blob/master/debian/postinst#L33
- ie. if the default value is unchanged then an
/etc/adduser.conf.dpkg-save is always generated when the value of
DIR_MODE is appended to /etc/adduser.conf.

Can you confirm if this also occurs when debootstrapping a system from
debian?

** Changed in: adduser (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1977710

Title:
  /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1

Status in adduser package in Ubuntu:
  Incomplete

Bug description:
  Since version 3.121ubuntu1 adduser's postinst script creates
  /etc/adduser.conf.dpkg-save file on debootstrap's root filesystem,
  that is, even when /etc/adduser.conf doesn't exist prior to package
  installation.

  Because of the change below the postinst script changes packaged
  /etc/adduser.conf and creates /etc/adduser.conf.dpkg-save as a backup:

- Enable private home directories by default (LP: #48734)
  + Set DIR_MODE=0750 in the default adduser.conf
  + Change the description and default value to select private home
directories by default in debconf template
  + Change the DIR_MODE when private home directories is configured via
debconf from 0751 to 0750 to ensure files are truly private

  The .dpkg-save file shouldn't be present on debootstrapped system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1977710/+subscriptions




[Touch-packages] [Bug 1978042] Re: adduser doesn't support extrausers for group management

2022-06-08 Thread Alex Murray
This looks like a duplicate of LP: #1959375

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1978042

Title:
  adduser doesn't support extrausers for group management

Status in adduser package in Ubuntu:
  Fix Released
Status in shadow package in Ubuntu:
  Fix Released
Status in adduser source package in Focal:
  New
Status in shadow source package in Focal:
  New
Status in adduser source package in Impish:
  Fix Released
Status in shadow source package in Impish:
  Fix Released
Status in adduser source package in Jammy:
  Fix Released
Status in shadow source package in Jammy:
  Fix Released
Status in adduser source package in Kinetic:
  Fix Released
Status in shadow source package in Kinetic:
  Fix Released

Bug description:
  [Impact]

  When using adduser --extrausers on Ubuntu Core the command attempts to
  use the /etc/group file instead of /var/lib/extrausers/group. e.g. the
  following commands will fail:

  $ adduser --extrausers user group
  $ adduser --extrausers --ingroup group user

  [Test Plan]

  1. Install libnss-extrausers
  2. Add a new group:
  $ sudo adduser --extrausers --group test-group
  3. Create a new user with this group:
  $ adduser --extrausers --ingroup test-group test-user1
  4. Create a new user and add them to this group:
  $ adduser --extrausers test-user2
  $ adduser --extrausers test-user2 test-group

  Expected result:
  Two new users (test-user1 and test-user2) are successfully added to the
  system and are entered in /var/lib/extrausers/{passwd,shadow}.
  A new group (test-group) is successfully added to /var/lib/extrausers/group
  and contains the new users.

  [Where problems could occur]
  Existing users of adduser and gpasswd that don't use --extrausers are
  unlikely to hit any issues, as their codepath is unchanged.
  Existing users that use --extrausers will have a behavior change, but the
  existing behavior was to fail so this is unlikely to introduce any new issues.
  There is the risk of introducing new bugs by this change, but it has been
  used since impish without any issues being detected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1978042/+subscriptions




[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

2022-06-14 Thread Alex Murray
FYI I have sent a MR to the upstream AppArmor project to remove this
dbus deny rule from the exo-open abstraction:
https://gitlab.com/apparmor/apparmor/-/merge_requests/884

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1969896

Title:
  Evince Document Viewer(42.0) does not remember last page in 22.04 and
  opens in a tiny window when launched

Status in apparmor package in Ubuntu:
  New
Status in evince package in Ubuntu:
  In Progress

Bug description:
  Just switched from Ubuntu 20.04 to 22.04 and realized that Document
  Viewer no longer opens on the last viewed page and doesn't remember the
  side pane preference even after using the "Save Current Settings as
  Default" option. Kindly advise

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: evince 42.1-3
  ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
  Uname: Linux 5.15.0-25-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Apr 22 15:58:50 2022
  InstallationDate: Installed on 2022-03-19 (34 days ago)
  InstallationMedia: Ubuntu 20.04.4 LTS "Focal Fossa" - Release amd64 (20220223)
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: evince
  UpgradeStatus: Upgraded to jammy on 2022-04-21 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1969896/+subscriptions




[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

2022-06-17 Thread Alex Murray
** Also affects: evince (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: evince (Ubuntu Kinetic)
   Importance: High
   Status: In Progress

** Also affects: apparmor (Ubuntu Kinetic)
   Importance: High
   Status: Confirmed

** Changed in: apparmor (Ubuntu Kinetic)
   Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu Jammy)
   Status: New => In Progress

** Changed in: apparmor (Ubuntu Kinetic)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Jammy)
 Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: apparmor (Ubuntu Jammy)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1969896

Title:
  Evince Document Viewer(42.0) does not remember last page in 22.04 and
  opens in a tiny window when launched

Status in apparmor package in Ubuntu:
  In Progress
Status in evince package in Ubuntu:
  In Progress
Status in apparmor source package in Jammy:
  In Progress
Status in evince source package in Jammy:
  New
Status in apparmor source package in Kinetic:
  In Progress
Status in evince source package in Kinetic:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1969896/+subscriptions




[Touch-packages] [Bug 283115] Re: Gimp: toolbox windows can't be minimized

2022-07-22 Thread Alex Murray
** Changed in: gimp (Ubuntu)
   Status: Fix Released => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gtk+2.0 in Ubuntu.
https://bugs.launchpad.net/bugs/283115

Title:
  Gimp: toolbox windows can't be minimized

Status in The Gimp:
  Fix Released
Status in GTK+:
  Unknown
Status in gimp package in Ubuntu:
  Invalid
Status in gtk+2.0 package in Ubuntu:
  New

Bug description:
  gimp 2.6 in intrepid:
  it is impossible to minimize toolbar windows; they have only an x-Button
  to close

  ideally, these windows should be minimized automatically when the
  (last) Gimp image window is minimized

  Update
  While waiting, I designed some sort of workaround :
  Gnome>System>Preferences>Windows>Double-click titlebar>Roll up

To manage notifications about this bug go to:
https://bugs.launchpad.net/gimp/+bug/283115/+subscriptions




[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-09-02 Thread Alex Murray
> I do not intend to take further action to modify those packages. If it is a
> blocker for Ubuntu that they are fixed, then someone from Ubuntu will need to
> do that work.

Given the relationship between the packages has now changed - ie.
polkitd-pkla is not mutually exclusive from the javascript backend and
then allows both legacy pkla policies as well as the "new" javascript
policies to be handled - then this is not a blocker anymore from my
point of view. I suspect Marc may also agree (especially given the
relatively small number of packages in this category).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1972654

Title:
  [security review] Sync policykit-1 0.120-6 (main) from Debian
  experimental

Status in policykit-1 package in Ubuntu:
  Confirmed

Bug description:
  Please sync policykit-1 0.120-6 (main) from Debian experimental

  Changelog entries since current kinetic version 0.105-33:
  https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

  In particular, see the 0.120-4 changelog entry.

  I am filing a bug for Security Team review.
  Previously, Debian and Ubuntu developers agreed to keep using
  the last version of policykit before it switched to using JavaScript rules.

  But that was years ago. I believe Debian & Ubuntu are the only distros
  to have opted out of the new policykit. It is harder to maintain
  the old style rules when upstream rules use the new format. And it is
  a challenge to backport security and other bugfixes from the new
  series, without making mistakes or missing important details.

  There was a proposal to use duktape instead of mozjs for the JavaScript
  interpreter but I don't think that's been merged yet.

  It appears the Debian maintainer is considering switching Debian to the
  updated version in time for the next Debian Stable release (so uploading
  to unstable later this year).

  My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions




[Touch-packages] [Bug 1989309] [NEW] [FFe] apparmor 3.1.1 upstream release

2022-09-11 Thread Alex Murray
Public bug reported:

Placeholder for preparation of AppArmor 3.1.1 for kinetic.

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- [FFe] apparmor 3.1.0 upstream release
+ [FFe] apparmor 3.1.1 upstream release

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] apparmor 3.1.1 upstream release

Status in apparmor package in Ubuntu:
  New

Bug description:
  Placeholder for preparation of AppArmor 3.1.1 for kinetic.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions




[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-08-07 Thread Alex Murray
** Changed in: snapd
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title:
  All Snaps are denied the ability to use DBus for notifications and
  apptray indicators in KDE-based flavors

Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  OS: Kubuntu Noble 24.04 Alpha (two-day old install)
  snapd version: 2.61.2
  Affected Snaps: firefox, thunderbird, element-desktop

  Steps to reproduce:

  # For Firefox:
  1. Open the Firefox Snap.
  2. Open https://www.bennish.net/web-notifications.html.
  3. Click "Authorize" and allow the website to send notifications.
  4. Click "Show".
  Expected result: A notification should be displayed by Plasma, similar to
  other notifications the system displays.
  Actual result: The notification shows up in the upper-right corner of the
  display, improperly themed and obviously generated by Firefox as a fallback.

  # For Thunderbird:
  1. Open the Thunderbird Snap.
  2. Ensure you are connected to an email account.
  3. Unfocus the Thunderbird window.
  4. Wait for an email to come through.
  Expected result: When the email comes through, a notification should be
  displayed by Plasma, similar to other notifications the system displays.
  Actual result: The notification shows up improperly themed and obviously
  generated by Thunderbird as a fallback.

  # For Element:
  1. Open the Element Snap.
  Expected result: An apptray indicator should appear in the system tray with
  the Element logo.
  Actual result: No such indicator appears.
  2. Log in, ask someone to ping you, then unfocus the window and wait for the
  ping to come through.
  Expected result: A notification should be displayed by Plasma, similar to
  other notifications the system displays.
  Actual result: No notification appears at all.

  Additional information:

  Based on the output of snappy-debug, this appears to be AppArmor related, at
  least for element-desktop (but presumably for the others too). Of note are
  some of the following log entries:
  ```
  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access

  = AppArmor =
  Time: 2024-03-10T13:4
  Log: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
  DBus access
  ```

  Booting with `apparmor=0` set on the kernel command line fixes the
  issue with Element (apptray indicator appears, notifications show up).
  Obviously this is not a solution, but it does isolate AppArmor as
  being at least partially at fault.

  This issue seems to be somewhat similar to
  https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422,
  however it seems as if Element is trying to hit the right paths and
  interfaces and is still being denied (based on looking at the info in
  https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go
  and comparing the paths and interfaces there with the paths and
  interfaces shown by snappy-debug).

  I talked about this issue with Erich Eickmeyer and he mentioned that
  it occurred after a Plasma update. This doesn't make a great deal of
  sense to me, and I suspect possibly some other component of the
  affected systems happened to get updated at the same time (perhaps the
  snapd Snap), but it's definitely worth mentioning.

  An example of one of Thunderbird's fallback notifications is attached
  as a screenshot
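
The snappy-debug excerpt in the report above can be reduced to the distinct D-Bus calls that were denied and the peer label involved in each, which makes it easier to compare against the interface policy the reporter mentions. This is an added example, not part of the original report or of snappy-debug; the function names are hypothetical and the parser handles only the `key="value"` layout visible in the excerpt.

```python
import re

# snappy-debug records copied from the report above, wrapped as in the archive.
REPORTED_DENIALS = '''
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950
label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled"
mask="send" name="org.kde.kwalletd5" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=1762
peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/modules/kwalletd5" interface="org.kde.KWallet" member="close"
mask="send" name="org.kde.kwalletd5" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=1762
peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call"  bus="session"
path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties"
member="GetAll" name=":1.45" mask="receive" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=2394
peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal"  bus="session"
path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem"
member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950
label="snap.element-desktop.element-desktop" peer_pid=2394
peer_label="plasmashell"
DBus access
'''

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one field dict per DENIED record, rejoining wrapped 'Log:' lines."""
    records, buf = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Log:"):
            buf = [s[4:].strip()]          # start of a new record
            records.append(buf)
        elif buf is not None and KV_RE.search(s):
            buf.append(s)                  # continuation: more key=value pairs
        else:
            buf = None                     # blank line, banner or category line
    denials = []
    for parts in records:
        fields = {k: (q or b) for k, q, b in KV_RE.findall(" ".join(parts))}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def group_denials(denials):
    """Map (mask, path, interface, peer_label) to the sorted denied members."""
    groups = {}
    for d in denials:
        key = (d.get("mask"), d.get("path"), d.get("interface"), d.get("peer_label"))
        groups.setdefault(key, set()).add(d.get("member"))
    return {key: sorted(members) for key, members in groups.items()}


def confined_peers(denials):
    """Peer labels other than 'unconfined' that appear in the denials."""
    return sorted({d["peer_label"] for d in denials
                   if d.get("peer_label") not in (None, "unconfined")})


if __name__ == "__main__":
    found = parse_denials(REPORTED_DENIALS)
    for (mask, path, iface, peer), members in group_denials(found).items():
        print(f"{mask:7} {path} {iface} peer={peer}: {', '.join(members)}")
    print("confined peers:", confined_peers(found))
```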

[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace

2024-08-14 Thread Alex Murray
FWIW I don't think this proposed profile should be shipped upstream or
in Ubuntu for bitbake - it allows any file anywhere on the filesystem
under a path bitbake/bin/bitbake to use unprivileged user namespaces -
ie. if I was a malware author I would have my malware create a second
stage malware file called $HOME/bitbake/bin/bitbake and it would then be
granted the use of userns by this profile (and hence could take
advantage of userns as part of further exploitation). The specified
attachment path regex is too broad.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056555

Title:
  Allow bitbake to create user namespace

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Occurs since an update around March 2 Ubuntu 24.04.

  Bitbake is broken due to file permission problem.

  Traceback (most recent call last):
    File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child
      bb.utils.disable_network(uid, gid)
    File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network
      with open("/proc/self/uid_map", "w") as f:
  PermissionError: [Errno 1] Operation not permitted

  Test code

  with open("/proc/self/uid_map", "w") as f:
      f.write("%s %s 1" % (1000, 1000))

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: dash 0.5.12-6ubuntu4
  ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
  Uname: Linux 6.8.0-11-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Mar  8 14:34:08 2024
  InstallationDate: Installed on 2023-03-24 (350 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: dash
  UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
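
The attachment-path concern raised in the comment above can be checked mechanically by testing a profile's attachment glob against paths an unprivileged user can create. This is an added example, not part of the original thread or of any AppArmor tooling: the glob translation is a simplified approximation of AppArmor path matching, and both patterns, the sample paths and the list of user-writable roots are assumptions made for illustration (the proposed profile itself is not quoted in the thread).

```python
import re

GLOB_CHARS = "*?[{"
# Assumption for this example: trees an unprivileged user can normally write to.
USER_WRITABLE_ROOTS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Assumed shape of an over-broad attachment, as the comment describes it.
BROAD_PATTERN = "/**/bitbake/bin/bitbake"
# Hypothetical narrow attachment pinned to a root-owned install location.
NARROW_PATTERN = "/opt/yocto/poky/bitbake/bin/bitbake"

# Constructed sample paths.
SAMPLE_PATHS = [
    "/opt/yocto/poky/bitbake/bin/bitbake",
    "/home/hains/openpli-oe-core/bitbake/bin/bitbake",
    "/home/user/bitbake/bin/bitbake",
    "/tmp/build/bitbake/bin/bitbake",
    "/usr/bin/bitbake",
]


def aa_glob_to_regex(pattern):
    """Translate an AppArmor-style path glob to an anchored regex (approximation)."""
    out, i, n, depth = [], 0, len(pattern), 0
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:            # backslash-escaped literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            double = pattern.startswith("**", i)
            end = i + (2 if double else 1)
            # A glob that is a whole path component must match at least one char.
            whole = pattern[i - 1:i] == "/" and (end == n or pattern[end] == "/")
            if double:                         # ** crosses directory boundaries
                out.append("[^/].*" if whole else ".*")
            else:                              # * stays inside one component
                out.append("[^/]+" if whole else "[^/]*")
            i = end
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            close = pattern.find("]", i + 1)
            if close < 0:
                raise ValueError("unterminated character class")
            out.append(pattern[i:close + 1])
            i = close + 1
        elif c == "{":
            depth += 1
            out.append("(?:")
            i += 1
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
            i += 1
        elif c == "," and depth:
            out.append("|")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    if depth:
        raise ValueError("unbalanced '{'")
    return re.compile("".join(out) + r"\Z", re.DOTALL)


def literal_prefix(pattern):
    """Return the fixed directory prefix that precedes the first glob character."""
    for i, c in enumerate(pattern):
        if c in GLOB_CHARS:
            return pattern[: pattern.rfind("/", 0, i) + 1]
    return pattern


def audit_attachment(pattern, candidate_paths):
    """Report which candidate paths the attachment matches and which are user-writable."""
    rx = aa_glob_to_regex(pattern)
    hits = [p for p in candidate_paths if rx.match(p)]
    return {
        "pattern": pattern,
        "prefix": literal_prefix(pattern),
        "matches": hits,
        "user_writable_matches": [p for p in hits if p.startswith(USER_WRITABLE_ROOTS)],
    }


if __name__ == "__main__":
    for pat in (BROAD_PATTERN, NARROW_PATTERN):
        report = audit_attachment(pat, SAMPLE_PATHS)
        print(f"{pat}: prefix={report['prefix']!r} "
              f"user-writable matches={report['user_writable_matches']}")
```

A literal prefix of `/` means the attachment is not tied to any directory, so the profile's permissions follow the file name rather than a trusted install location.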




[Touch-packages] [Bug 2039589] Re: Nwidia driver Ubuntu bug

2023-10-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/2039589

Title:
  Nwidia driver Ubuntu bug

Status in xorg package in Ubuntu:
  New

Bug description:
  Nvidia driver error 470: UFW main window not displayed properly and
  Help not displayed. The issue affects Ubuntu 22.04.3 LTS, Ubuntu 23.10
  and Linux Mint.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 6.2.0-34.34~22.04.1-generic 6.2.16
  Uname: Linux 6.2.0-34-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  .proc.driver.nvidia.capabilities.gpu0: Error: path was not a regular file.
  .proc.driver.nvidia.capabilities.mig: Error: path was not a regular file.
  .proc.driver.nvidia.gpus..01.00.0: Error: path was not a regular file.
  .proc.driver.nvidia.registry: Binary: ""
  .proc.driver.nvidia.suspend: suspend hibernate resume
  .proc.driver.nvidia.suspend_depth: default modeset uvm
  .proc.driver.nvidia.version:
   NVRM version: NVIDIA UNIX x86_64 Kernel Module  470.199.02  Thu May 11 11:46:56 UTC 2023
   GCC version:
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  BootLog: Error: [Errno 13] Brak dostępu: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Oct 17 18:13:32 2023
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  GraphicsCard:
   NVIDIA Corporation GK107 [GeForce GTX 650] [10de:0fc6] (rev a1) (prog-if 00 [VGA controller])
     Subsystem: CardExpert Technology GK107 [GeForce GTX 650] [10b0:0fc6]
  InstallationDate: Installed on 2023-10-16 (1 days ago)
  InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
  MachineType: Gigabyte Technology Co., Ltd. To be filled by O.E.M.
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=pl_PL.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-34-generic root=UUID=7faab2db-29fa-4024-ae67-d6f019c15904 ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/25/2014
  dmi.bios.release: 4.6
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 10b
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: H61M-S1
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr10b:bd02/25/2014:br4.6:svnGigabyteTechnologyCo.,Ltd.:pnTobefilledbyO.E.M.:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH61M-S1:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:skuTobefilledbyO.E.M.:
  dmi.product.family: To be filled by O.E.M.
  dmi.product.name: To be filled by O.E.M.
  dmi.product.sku: To be filled by O.E.M.
  dmi.product.version: To be filled by O.E.M.
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.
  version.compiz: compiz N/A
  version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 23.0.4-0ubuntu1~22.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.nvidia-graphics-drivers: nvidia-graphics-drivers-* N/A
  version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2039589/+subscriptions




[Touch-packages] [Bug 2040484] Re: ubuntu_seccomp pseudo-syscall fails on s390

2023-10-25 Thread Alex Murray
Adding a task against libseccomp until we know more about where the bug
lies.

** Also affects: libseccomp (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/2040484

Title:
  ubuntu_seccomp pseudo-syscall fails on s390

Status in ubuntu-kernel-tests:
  New
Status in libseccomp package in Ubuntu:
  New

Bug description:
  libseccomp upstream has changed the test code for 29-sim-
  pseudo_syscall.c, which has broken it for s390. Perhaps s390 has been
  broken since forever and the test change is just uncovering it. We
  need to investigate if the fix would be needed in the test, libseccomp
  or the kernel. This seems to affect at least 4.4 and 5.4 kernels, but
  may affect everything.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2040484/+subscriptions




[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Alex Murray
I am struggling to see the vulnerability here still - the path used in
this case is /tmp/ubuntu-drivers-common.config.55GJ8b appears to have a
randomly generated suffix and so couldn't have been guessed beforehand
nor preseeded with other contents by a local attacker - so the only way
then that I can see that this could be a vulnerability would be if this
file was world-writable - but it is not clear that this is the case
either.

Assuming this file comes from debconf, from what I can see in its
sources, it creates temporary files via the
https://perldoc.perl.org/File::Temp package - which states that files
are created with permissions 0600 by default too.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to perl in Ubuntu.
https://bugs.launchpad.net/bugs/2043711

Title:
  Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

Status in perl package in Ubuntu:
  Invalid

Bug description:
  During update of ubuntu-drivers-common:

    Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178,  line 1.
    open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
    Preconfiguring packages ...
    Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178,  line 1.
    open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

  /tmp is mounted with noexec because running code from /tmp has been a
  vulnerability vector for several decades, hence reporting this as a
  vulnerability in perl-base.

  This error did not appear to prevent the update of ubuntu-drivers-
  common and "dpkg --verify ubuntu-drivers-common" returns 0.

  
___

  Attempting to use the package search on this form by clicking the 🔍
  created a modal in which there is an error

Sorry, something went wrong with your search. We've recorded what
  happened, and we'll fix it as soon as possible. (Error ID:
  OOPS-c80f71590b02908a1187b9f743c53eac)

  which is repeated with any attempt to search for a package.

  
___

  Submitting this form gives an error

"perl-base" does not exist in Ubuntu. Please choose a different
  package. If you're unsure, please select "I don't know"

    $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
    perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
    $ dpkg -l perl-base
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name   Version   Architecture Description
    +++-==-=--=>
    ii  perl-base  5.34.0-3ubuntu1.2 amd64 minimal Perl system

  Looks like a package to me. Nevertheless, using "Did you mean..."
  offers "perl".

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: perl-base 5.34.0-3ubuntu1.2
  ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3
  Uname: Linux 6.5.0-1007-oem x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Nov 16 10:08:48 2023
  InstallationDate: Installed on 2016-04-23 (2763 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcEnviron:
   TERM=rxvt
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: perl
  UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2043711/+subscriptions




[Touch-packages] [Bug 2044625] Re: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы

2023-11-29 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu.
https://bugs.launchpad.net/bugs/2044625

Title:
  package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to
  install/upgrade: зацикливание триггеров, отмена работы

Status in gdk-pixbuf package in Ubuntu:
  New

Bug description:
  ubuntu update to lunar lobster version

  ProblemType: Package
  DistroRelease: Ubuntu 23.04
  Package: libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1
  ProcVersionSignature: Ubuntu 5.15.0-89.99-generic 5.15.126
  Uname: Linux 5.15.0-89-generic x86_64
  ApportVersion: 2.26.1-0ubuntu2.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Sun Nov 26 02:02:30 2023
  ErrorMessage: зацикливание триггеров, отмена работы
  InstallationDate: Installed on 2023-11-25 (0 days ago)
  InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
  Python3Details: /usr/bin/python3.11, Python 3.11.4, python3-minimal, 3.11.2-1
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.21.21ubuntu1
   apt  2.6.0ubuntu0.1
  SourcePackage: gdk-pixbuf
  Title: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы
  UpgradeStatus: Upgraded to lunar on 2023-11-25 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/2044625/+subscriptions




[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-29 Thread Alex Murray
@kerneldude - do you know if MITRE ever assigned a CVE for this?

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New

Bug description:
  A stack overflow vulnerability exists in GNU Tar up to and including v1.34;
  as far as I can see, Ubuntu is using v1.3.
  The bug exists in the function xattr_decoder() in xheader.c, where alloca()
  is used and it may overflow the stack if a sufficiently long xattr key is
  used. The vulnerability can be triggered when extracting a tar/pax archive
  that contains such a long xattr key.

  Vulnerable code:
  https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723

  PoC tar archive is attached in a zip archive to reduce the size.

  I reported the vulnerability yesterday to GNU Tar maintainers and they
  replied that the issue was fixed in the version that was released two
  weeks ago:

  "Sergey fixed that bug here:

  https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4

  and the fix appears in tar 1.35, released July 18."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/2029464/+subscriptions


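The bug class described in the report above, as an added example (this is not GNU tar's source and not the upstream fix): a pax extended-header walker that contrasts an `alloca()` sized by an archive-supplied keyword with a length-checked heap copy. All function names, the `XATTR_KEY_MAX` cap and the sample records are assumptions made for the illustration.

```c
/* Added example, not GNU tar source; names, cap and sample data are assumptions. */
#include <alloca.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_PREFIX  "SCHILY.xattr."
#define XATTR_KEY_MAX 255  /* assumed cap; Linux limits xattr names to 255 bytes */

/* Risky pattern: a stack allocation sized by a keyword read from the archive.
 * Nothing bounds klen, so a very long keyword pushes the stack pointer outside
 * the stack mapping. The caller is assumed to have matched XATTR_PREFIX. */
size_t xattr_key_len_alloca(const char *keyword, size_t klen)
{
    char *tmp = alloca(klen + 1);
    memcpy(tmp, keyword, klen);
    tmp[klen] = '\0';
    return strlen(tmp + strlen(XATTR_PREFIX));
}

/* Hardened form: check the prefix and the length first, then use the heap. */
int decode_xattr_key_bounded(const char *keyword, size_t klen, char **key_out)
{
    size_t plen = strlen(XATTR_PREFIX);
    *key_out = NULL;
    if (klen <= plen || strncmp(keyword, XATTR_PREFIX, plen) != 0) return -EINVAL;
    if (klen - plen > XATTR_KEY_MAX) return -ENAMETOOLONG;
    char *key = malloc(klen - plen + 1);
    if (key == NULL) return -ENOMEM;
    memcpy(key, keyword + plen, klen - plen);
    key[klen - plen] = '\0';
    *key_out = key;
    return 0;
}

/* Parse one pax record "<len> <keyword>=<value>\n"; returns its length or 0. */
size_t parse_pax_record(const char *buf, size_t avail, const char **kw, size_t *kwlen)
{
    size_t len = 0, i = 0;
    while (i < avail && buf[i] >= '0' && buf[i] <= '9') {
        if (len > (SIZE_MAX - 9) / 10) return 0;   /* length field would overflow */
        len = len * 10 + (size_t)(buf[i++] - '0');
    }
    if (i == 0 || i >= avail || buf[i] != ' ') return 0;
    if (len > avail || len < i + 4) return 0;      /* record must fit and hold "k=\n" */
    if (buf[len - 1] != '\n') return 0;
    const char *eq = memchr(buf + i + 1, '=', len - i - 2);
    if (eq == NULL || eq == buf + i + 1) return 0;
    *kw = buf + i + 1;
    *kwlen = (size_t)(eq - *kw);
    return len;
}

/* Walk an extended-header block and count over-long xattr keys (-1 if malformed). */
int count_rejected_xattr_keys(const char *buf, size_t len)
{
    int rejected = 0;
    for (size_t off = 0; off < len; ) {
        const char *kw;
        size_t kwlen;
        size_t rec = parse_pax_record(buf + off, len - off, &kw, &kwlen);
        if (rec == 0) return -1;
        char *key;
        if (decode_xattr_key_bounded(kw, kwlen, &key) == -ENAMETOOLONG) rejected++;
        free(key);
        off += rec;
    }
    return rejected;
}

/* Build a record with a self-consistent length field (constructed sample data). */
size_t make_pax_record(char *dst, size_t dstsz, const char *kw, const char *val)
{
    size_t body = strlen(kw) + strlen(val) + 3;  /* ' ', '=' and '\n' */
    size_t total = body + 1;
    for (;;) {
        size_t digits = (size_t)snprintf(NULL, 0, "%zu", total);
        if (body + digits == total) break;
        total = body + digits;
    }
    if (total + 1 > dstsz) return 0;
    snprintf(dst, dstsz, "%zu %s=%s\n", total, kw, val);
    return total;
}

int main(void)
{
    static char block[8192], longkw[4097];
    memset(longkw, 'a', 4096);
    memcpy(longkw, XATTR_PREFIX, strlen(XATTR_PREFIX));
    size_t n = make_pax_record(block, sizeof block, "SCHILY.xattr.user.foo", "bar");
    n += make_pax_record(block + n, sizeof block - n, longkw, "x");
    printf("short key length: %zu\n", xattr_key_len_alloca("SCHILY.xattr.user.foo", 21));
    printf("rejected keys: %d\n", count_rejected_xattr_keys(block, n));
    return 0;
}
```

The bounded decoder refuses the key before any allocation happens, so the size of the copy never depends on unchecked archive content.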


[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-30 Thread Alex Murray
Excellent - thanks for letting us know. So since a CVE has already been
assigned then we won't assign an additional one. I'll add the details to
our CVE tracker.



[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-04 Thread Alex Murray
@kerneldude - any chance you could share your poc (perhaps email it to
secur...@ubuntu.com rather than post it publicly here)? I have tried
creating one via the following but I hit the CLI args limit before I can
get an xattr key long enough:

touch bar
tar --pax-option SCHILY.xattr.user.$(python3 -c "print('a'*131048)"):=test -cf poc-crafted.tar bar



[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
So I managed to create a tar file with an extended attribute name of
length of ~ 36 bytes long (the largest I can do without exceeding
the existing check on maximum extended header lengths it seems) but this
is not able to trigger the vuln - so if you are able to share your PoC
that would be great.



[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
Actually I just got it working - no need to send PoC @kerneldude - I
made my own.



[Touch-packages] [Bug 1926820]

2021-05-02 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make
Ubuntu better.  Reviewing your dmesg attachment to this bug report it
seems that there may be a problem with your hardware.  I'd recommend
performing a back up and then investigating the situation.  Measures you
might take include checking cable connections and using software tools
to investigate the health of your hardware.  In the event that it is not
in fact an error with your hardware please set the bug's status back to
New.  Thanks and good luck!

** Tags added: hardware-error

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1926820

Title:
  package libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3 failed to
  install/upgrade: package is in a very bad inconsistent state; you
  should  reinstall it before attempting configuration

Status in libseccomp package in Ubuntu:
  Invalid

Bug description:
  Programs are not being installed. I am new to ubuntu.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3
  ProcVersionSignature: Ubuntu 5.8.0-50.56~20.04.1-generic 5.8.18
  Uname: Linux 5.8.0-50-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Fri Apr 30 21:37:01 2021
  DpkgTerminalLog:
   dpkg: error processing package libseccomp2:amd64 (--configure):
    package is in a very bad inconsistent state; you should
    reinstall it before attempting configuration
  ErrorMessage: package is in a very bad inconsistent state; you should  reinstall it before attempting configuration
  InstallationDate: Installed on 2021-04-30 (0 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: libseccomp
  Title: package libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3 failed to install/upgrade: package is in a very bad inconsistent state; you should  reinstall it before attempting configuration
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1926820/+subscriptions



[Touch-packages] [Bug 1926820] Re: package libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting c

2021-05-02 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Changed in: libseccomp (Ubuntu)
   Status: New => Invalid

** Changed in: libseccomp (Ubuntu)
   Importance: Undecided => Low



[Touch-packages] [Bug 1928346] Re: package libseccomp2:amd64 2.5.1-1ubuntu1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configura

2021-05-13 Thread Alex Murray
Thanks for reporting this issue - can you please try running the
following in a terminal and see if this resolves the problem:

sudo apt-get install -f --reinstall libseccomp2

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1928346

Title:
  package libseccomp2:amd64 2.5.1-1ubuntu1 failed to install/upgrade:
  package is in a very bad inconsistent state; you should  reinstall it
  before attempting configuration

Status in libseccomp package in Ubuntu:
  New

Bug description:
  Broken in mid of upgrade from 20.10 to 21.04

  ProblemType: Package
  DistroRelease: Ubuntu 21.04
  Package: libseccomp2:amd64 2.5.1-1ubuntu1
  ProcVersionSignature: Ubuntu 5.8.0-53.60-generic 5.8.18
  Uname: Linux 5.8.0-53-generic x86_64
  ApportVersion: 2.20.11-0ubuntu50.6
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu May 13 19:56:07 2021
  ErrorMessage: package is in a very bad inconsistent state; you should  reinstall it before attempting configuration
  InstallationDate: Installed on 2018-12-12 (883 days ago)
  InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  Python3Details: /usr/bin/python3.8, Python 3.8.6, python3-minimal, 3.8.6-0ubuntu1
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.20.9ubuntu1
   apt  2.1.10ubuntu0.3
  SourcePackage: libseccomp
  Title: package libseccomp2:amd64 2.5.1-1ubuntu1 failed to install/upgrade: package is in a very bad inconsistent state; you should  reinstall it before attempting configuration
  UpgradeStatus: Upgraded to hirsute on 2021-05-13 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1928346/+subscriptions



[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names

2021-06-17 Thread Alex Murray
Thanks for looking at this @William - sorry to nitpick but I wonder if
rewriting the test as follows could make it a bit easier to parse (at
least for me I find this version easier to grok what is being tested
for):

if (*name < '1' || *name > '9')

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New

Bug description:
  [Description]

  Fully numeric names support in Ubuntu is inconsistent in Focal onwards
  because systemd does not like them[1] but are still allowed by default
  by useradd, leaving the session behavior in hands of the running
  applications. Two examples:

  1. After creating a user named "0", the user can log in via ssh or
  console but loginctl won't create a session for it:

  root@focal:/home/ubuntu# useradd -m 0
  root@focal:/home/ubuntu# id 0
  uid=1005(0) gid=1005(0) groups=1005(0)

  ..

  0@192.168.122.6's password:
  Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)

  Last login: Thu Apr  8 16:17:06 2021 from 192.168.122.1
  $ loginctl
  No sessions.
  $ w
   16:20:09 up 4 min,  1 user,  load average: 0.03, 0.14, 0.08
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  0        pts/0    192.168.122.1    16:17    0.00s  0.00s  0.00s w

  And pam-systemd shows the following message:

  Apr 08 16:17:06 focal sshd[1584]: pam_unix(sshd:session): session opened for user 0 by (uid=0)
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): pam-systemd initializing
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): Failed to get user record: Invalid argument

  2. With that same username, every successful authentication in gdm will loop
  back to gdm again instead of starting gnome, making the user unable to login.

  Making useradd fail (unless --badnames is set) when a fully numeric name is
  used will make the default OS behavior consistent.

  [Other info]

  - Upstream does not support fully numeric usernames
  - useradd has a --badnames parameter that would still allow the use of these
    types of names

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+subscriptions



[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2022-03-24 Thread Alex Murray
Thanks @doko :)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

Status in Python:
  New
Status in python2.7 package in Ubuntu:
  Fix Released
Status in python3.10 package in Ubuntu:
  Fix Committed
Status in python3.4 package in Ubuntu:
  Fix Released
Status in python3.6 package in Ubuntu:
  Confirmed
Status in python3.7 package in Ubuntu:
  Confirmed
Status in python3.8 package in Ubuntu:
  Confirmed
Status in python3.9 package in Ubuntu:
  New
Status in python3.7 package in Debian:
  New
Status in python3.8 package in Debian:
  New

Bug description:
  The python2.7 binary (installed at /usr/bin/python2.7; package version
  2.7.6-8) is not compiled as a position independent executable (PIE).
  It appears that the python compilation process is somewhat arcane and
  the hardening wrapper probably doesn't do the trick for it.

  This is incredibly dangerous as it means that any vulnerability within
  a native module (e.g. ctypes-based), or within python itself will
  expose an incredibly large amount of known memory contents at known
  addresses (including a large number of dangerous instruction
  groupings). This enables ROP-based
  (https://en.wikipedia.org/wiki/Return-oriented_programming) to abuse
  the interpreter itself to bypass non-executable page protections.

  I have put together an example vulnerable C shared object (with a buffer
  overflow) accessed via python through the ctypes interface as an example.
  This uses a single ROP "gadget" on top of using the known PLT location for
  system(3) (https://en.wikipedia.org/wiki/Return-to-libc_attack) to call
  "id". The example code is accessible at:
  - https://gist.github.com/ChaosData/ae6076cb1c3cc7b0a367

  I'm not exactly familiar enough with the python build process to say
  where exactly an -fPIE needs to be injected into a script/makefile,
  but I feel that given the perceived general preference for ctypes-
  based modules over python written ones, as the native code
  implementations tend to be more performant, this feels like a large
  security hole within the system. Given the nature of this "issue," I'm
  not 100% sure of where it is best reported, but from what I can tell,
  this conflicts with the Ubuntu hardening features and is definitely
  exploitable should a native module contain a sufficiently exploitable
  vulnerability that allows for control of the instruction register.

To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1452115/+subscriptions


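One way to check the property this report is about, as an added example (not code from the report, the linked gist or Ubuntu's tooling): classify an ELF64 little-endian image as a fixed-address executable, a PIE or a plain shared object from its header fields. The function names and the sample headers are assumptions; the PT_INTERP test is a heuristic, so a static PIE (which has no interpreter segment) is reported as a shared object.

```c
/* Added example: header-based PIE check for ELF64 little-endian images. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_kind { ELF_INVALID = -1, ELF_FIXED_EXEC = 0, ELF_PIE = 1, ELF_SHARED_OBJ = 2 };

#define ET_EXEC_   2    /* e_type: linked at a fixed address */
#define ET_DYN_    3    /* e_type: position independent (PIE or shared library) */
#define PT_INTERP_ 3    /* p_type: segment naming the dynamic loader */
#define EHDR_SIZE  64   /* size of an ELF64 file header */
#define PHDR_SIZE  56   /* size of an ELF64 program header */

/* Read an n-byte little-endian integer without alignment assumptions. */
static uint64_t rd_le(const unsigned char *p, int n)
{
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

enum elf_kind classify_elf64(const unsigned char *img, size_t len)
{
    if (len < EHDR_SIZE || memcmp(img, "\177ELF", 4) != 0)
        return ELF_INVALID;
    if (img[4] != 2 || img[5] != 1)              /* ELFCLASS64 + ELFDATA2LSB only */
        return ELF_INVALID;
    uint16_t type = (uint16_t)rd_le(img + 16, 2);
    if (type == ET_EXEC_)
        return ELF_FIXED_EXEC;                   /* code sits at known addresses */
    if (type != ET_DYN_)
        return ELF_INVALID;
    uint64_t phoff = rd_le(img + 32, 8);
    uint16_t phentsize = (uint16_t)rd_le(img + 54, 2);
    uint16_t phnum = (uint16_t)rd_le(img + 56, 2);
    if (phnum != 0 && phentsize < PHDR_SIZE)
        return ELF_INVALID;
    for (uint16_t i = 0; i < phnum; i++) {
        if (phoff > len || len - phoff < phentsize)
            return ELF_INVALID;                  /* program header outside the image */
        if (rd_le(img + phoff, 4) == PT_INTERP_)
            return ELF_PIE;                      /* ET_DYN with a loader: an executable */
        phoff += phentsize;
    }
    return ELF_SHARED_OBJ;
}

/* Build a minimal constructed image: file header plus one program header. */
size_t make_sample_elf(unsigned char *buf, size_t bufsz, uint16_t e_type, uint32_t p_type)
{
    if (bufsz < EHDR_SIZE + PHDR_SIZE)
        return 0;
    memset(buf, 0, EHDR_SIZE + PHDR_SIZE);
    memcpy(buf, "\177ELF", 4);
    buf[4] = 2;                                  /* ELFCLASS64 */
    buf[5] = 1;                                  /* ELFDATA2LSB */
    buf[6] = 1;                                  /* EV_CURRENT */
    buf[16] = (unsigned char)e_type;             /* e_type, low byte */
    buf[32] = EHDR_SIZE;                         /* e_phoff */
    buf[54] = PHDR_SIZE;                         /* e_phentsize */
    buf[56] = 1;                                 /* e_phnum */
    buf[EHDR_SIZE] = (unsigned char)p_type;      /* p_type, low byte */
    return EHDR_SIZE + PHDR_SIZE;
}

int main(int argc, char **argv)
{
    static unsigned char buf[1 << 16];
    static const char *names[] = { "fixed-address executable (not PIE)", "PIE", "shared object" };
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        perror(path);
        return 2;
    }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    enum elf_kind k = classify_elf64(buf, n);
    printf("%s: %s\n", path, k < 0 ? "not a supported ELF64 image" : names[k]);
    return k == ELF_FIXED_EXEC;
}
```

Run against an interpreter binary, a non-zero exit status means the image is linked at a fixed address, which is the condition the report describes.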


[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2022-04-04 Thread Alex Murray
Nice - thanks @sdeziel

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

Status in Python:
  New
Status in python2.7 package in Ubuntu:
  Fix Released
Status in python3.10 package in Ubuntu:
  Fix Released
Status in python3.4 package in Ubuntu:
  Fix Released
Status in python3.6 package in Ubuntu:
  Confirmed
Status in python3.7 package in Ubuntu:
  Confirmed
Status in python3.8 package in Ubuntu:
  Confirmed
Status in python3.9 package in Ubuntu:
  New
Status in python3.7 package in Debian:
  New
Status in python3.8 package in Debian:
  New



[Touch-packages] [Bug 1968402] Re: Ubuntu 20.04.3 boots to black screen, no TTY available

2022-04-10 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1968402

Title:
  Ubuntu 20.04.3 boots to black screen, no TTY available

Status in gdm:
  New
Status in gnome-session:
  New
Status in grub:
  New
Status in os-prober-efi/trunk:
  New
Status in shim:
  New
Status in subiquity:
  New
Status in tty:
  New
Status in grub2 package in Ubuntu:
  New
Status in mutter package in Ubuntu:
  New
Status in nvidia-graphics-drivers-450 package in Ubuntu:
  New
Status in wayland package in Ubuntu:
  New
Status in xorg package in Ubuntu:
  New

Bug description:
  A fresh attempted install failed utterly, just as 20.04.1 failed two
  years ago.  Has anyone been paying attention?

  Ubuntu 20.04.3 burned just now to a USB stick and attempted to be
  installed.

  The first fail was that the stick booted to a couple of impenetrable
  boot-time messages and hung.  Really.  I'm not making this up.  It
  didn't just open the installer, as it should.

  The second fail was having just to guess that rebooting and trying
  another GRUB menu option might work and give that a try.  Really.  I'm
  not making this up, either.  The installer was entirely incapable of
  providing any direction

  The third failure was that the installer was incapable of detecting
  the video configuration and proceeding accordingly.  This is 20.04.3,
  the third attempt at getting this right, and it still fails.

  The fourth fail was an error message insisting on a designation of
  where root should be, even after the destination partition already had
  been specified.

  The fifth failure was that no obvious means existed to satisfy the
  installer about the root specification, which of course already had
  been made by specifying the destination partition.  All one could do
  was to see whether a context menu existed for any object on the screen
  that might possibly drill down through a few layers to something
  approximating what the content of the error message suggested.

  The sixth failure was that no GRUB menu appeared during boot,
  notwithstanding that the EFI system partition had clearly been
  identified in the installer.

  The seventh failure was that the machine booted only to a black screen
  with a non-blinking _ midway toward the upper left.  No login
  screen/display manager.  No GUI at all.  Just this little _.

  The eighth failure was that Ctrl-alt-f2, ctrl-alt-f5-f12 have no
  effect.  No TTY is available.  There is no way whatsoever to interact
  with the system.

  Expected behavior:  The software would install and the computer would
  work.

  Actual behavior:  The installer bricked my workstation.

  Obviously, no debug information is available BECAUSE THE SOFTWARE
  FAILED.  This post is being made from a borrowed Windows laptop.

  Any thoughts about how to get a working system would be appreciated.
  I am not optimistic about the prospects for 22.04.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gdm/+bug/1968402/+subscriptions




[Touch-packages] [Bug 1968397] Re: bootloader

2022-04-10 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make
Ubuntu better. Unfortunately we can't fix it, because your description
didn't include enough information. You may find it helpful to read 'How
to report bugs effectively'
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then provide a more complete description of the problem.
We have instructions on debugging some types of problems at
http://wiki.ubuntu.com/DebuggingProcedures. At a minimum, we need: 1.
the specific steps or actions you took that caused you to encounter the
problem, 2. the behavior you expected, and 3. the behavior you actually
encountered (in as much detail as possible). Thanks!

** Changed in: xorg (Ubuntu)
   Status: New => Incomplete

** Information type changed from Private Security to Public

** Changed in: xorg (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1968397

Title:
  bootloader

Status in xorg package in Ubuntu:
  Invalid

Bug description:
  root@a-ThinkPad-X220:~# apt install telnetd
  E: 无法获得锁 /var/lib/dpkg/lock-frontend - open (11: 资源暂时不可用)
  E: 无法获取 dpkg 前端锁 (/var/lib/dpkg/lock-frontend),是否有其他进程正占用它?
  root@a-ThinkPad-X220:~# apt install telnetd
  E: 无法获得锁 /var/lib/dpkg/lock-frontend - open (11: 资源暂时不可用)
  E: 无法获取 dpkg 前端锁 (/var/lib/dpkg/lock-frontend),是否有其他进程正占用它?
  root@a-ThinkPad-X220:~# killall

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: xorg 1:7.7+13ubuntu3.1
  ProcVersionSignature: Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-112-generic x86_64
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.1-0ubuntu2.24
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: compiz
  CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
  CompositorUnredirectFSW: true
  Date: Sat Apr  9 13:01:34 2022
  DistUpgraded: Fresh install
  DistroCodename: xenial
  DistroVariant: ubuntu
  ExtraDebuggingInterest: No
  GraphicsCard:
   Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0116] (rev 09) (prog-if 00 [VGA controller])
     Subsystem: Lenovo 2nd Generation Core Processor Family Integrated Graphics Controller [17aa:21da]
  InstallationDate: Installed on 2022-04-07 (1 days ago)
  InstallationMedia: Ubuntu 16.04.7 LTS "Xenial Xerus" - Release amd64 (20200806)
  MachineType: LENOVO 4286AC9
  ProcEnviron:
   LANGUAGE=zh_CN:zh
   PATH=(custom, no user)
   LANG=zh_CN.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-112-generic root=UUID=cf25f7a7-bda4-4979-9a0f-eb1cb472be49 ro quiet splash vt.handoff=7
  SourcePackage: xorg
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 06/21/2018
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET76WW (1.46 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4286AC9
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr8DET76WW(1.46):bd06/21/2018:svnLENOVO:pn4286AC9:pvrThinkPadX220:rvnLENOVO:rn4286AC9:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.family: ThinkPad X220
  dmi.product.name: 4286AC9
  dmi.product.version: ThinkPad X220
  dmi.sys.vendor: LENOVO
  version.compiz: compiz 1:0.9.12.3+16.04.20180221-0ubuntu1
  version.ia32-libs: ia32-libs N/A
  version.libdrm2: libdrm2 2.4.91-2~16.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 18.0.5-0ubuntu0~16.04.1
  version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
  version.libgl1-mesa-glx: libgl1-mesa-glx 18.0.5-0ubuntu0~16.04.1
  version.xserver-xorg-core: xserver-xorg-core N/A
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati N/A
  version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau N/A
  xserver.bootTime: Sat Apr  9 20:55:35 2022
  xserver.configfile: default
  xserver.errors:
   
  xserver.logfile: /var/log/Xorg.0.log
  xserver.version: 2:1.19.6-1ubuntu4.1~16.04.2
  xserver.video_driver: modeset

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1968397/+subscriptions




[Touch-packages] [Bug 1968397]

2022-04-10 Thread Alex Murray
Thank you for using Ubuntu and taking the time to report a bug. Your
report should contain, at a minimum, the following information so we can
better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For
help see https://wiki.ubuntu.com/Bugs/FindRightPackage . Additionally,
in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or
   System -> About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat'
   or by checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide
variety of packages at https://wiki.ubuntu.com/DebuggingProcedures .
Following the debugging instructions for the affected package will make
your bug report much more complete. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1968397

Title:
  bootloader

Status in xorg package in Ubuntu:
  Invalid


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1968397/+subscriptions




[Touch-packages] [Bug 1971288] Re: Merge libseccomp from Debian unstable for kinetic

2022-05-03 Thread Alex Murray
I uploaded
https://launchpad.net/ubuntu/+source/libseccomp/2.5.4-1ubuntu1 earlier
today.

** Changed in: libseccomp (Ubuntu)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1971288

Title:
  Merge libseccomp from Debian unstable for kinetic

Status in libseccomp package in Ubuntu:
  Fix Committed

Bug description:
  Upstream: tbd
  Debian:   2.5.4-1
  Ubuntu:   2.5.3-2ubuntu2


  
  ### Old Ubuntu Delta ###

  libseccomp (2.5.3-2ubuntu2) jammy; urgency=medium

    * No-change rebuild with Python 3.10 only

   -- Graham Inggs   Thu, 17 Mar 2022 19:27:18 +

  libseccomp (2.5.3-2ubuntu1) jammy; urgency=medium

    * Merge from Debian unstable; remaining changes:
      - Add autopkgtests
    * Added changes:
      - Update autopkgtests to use syscalls from 5.16-rc1

   -- Alex Murray   Thu, 24 Feb 2022 09:53:35 +1030

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1971288/+subscriptions




[Touch-packages] [Bug 1973654] Re: Using debian-installer on a server with a Let's Encrypt cert dies

2022-05-16 Thread Alex Murray
I believe this is caused by debootstrap - it only uses packages from the
release pocket (and this is frozen from the time Ubuntu 20.04 LTS was
originally released). This is a known issue
https://askubuntu.com/questions/744684/latest-security-updates-with-debootstrap
but I am not sure if there is much you can do to get debian-installer to
say use multistrap instead of debootstrap.

** Package changed: ca-certificates (Ubuntu) => debian-installer
(Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1973654

Title:
  Using debian-installer on a server with a Let's Encrypt cert dies

Status in debian-installer package in Ubuntu:
  New

Bug description:
  While using debian-installer to install Ubuntu Focal, I get the
  following error:

  May 16 22:02:41 base-installer:   Certificate verification failed:
  The certificate is NOT trusted. The certificate chain uses expired
  certificate.  Could not handshake: Error in the certificate
  verification. [IP: 129.59.59.10 443]

  There was an issue in 2021, where the "DST_Root_CA_X3.crt" certificate
  used by Let's Encrypt expired.

  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

  The problem is that the certificate is still included in the
  "ca-certificates_20190110ubuntu1_all.deb" that debian-installer fetches
  during install.

  May 16 22:02:17 debootstrap: Preparing to unpack .../ca-certificates_20190110ubuntu1_all.deb ...
  May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ...
  May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ...
  May 16 22:02:40 debootstrap: Processing triggers for ca-certificates (20190110ubuntu1) ...
  May 16 22:02:40 debootstrap: Running hooks in /etc/ca-certificates/update.d...

  Because the certificate is expired, debian-installer dies with:

  May 16 22:02:41 base-installer:   Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]
  te is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443]

  Can Ubuntu update the ca-certificate .deb pulled during install to one
  that does not have DST_Root_CA_X3.crt?   Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/1973654/+subscriptions




[Touch-packages] [Bug 1975381] Re: firewall gets disabled

2022-05-22 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make
Ubuntu better. Unfortunately we can't fix it, because your description
didn't include enough information. You may find it helpful to read 'How
to report bugs effectively'
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful
if you would then provide a more complete description of the problem.
We have instructions on debugging some types of problems at
http://wiki.ubuntu.com/DebuggingProcedures. At a minimum, we need: 1.
the specific steps or actions you took that caused you to encounter the
problem, 2. the behavior you expected, and 3. the behavior you actually
encountered (in as much detail as possible). Thanks!

** Changed in: iptables (Ubuntu)
   Status: New => Incomplete

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1975381

Title:
  firewall gets disabled

Status in iptables package in Ubuntu:
  Incomplete

Bug description:
  Operating System: Ubuntu 22.04
  Life cycle: LTS
  Architecture: AMD64
  Kernel version (uname -a): 5.15.0-30-generic

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: iptables 1.8.7-1ubuntu5
  ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
  Uname: Linux 5.15.0-30-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Mon May 16 23:44:26 2022
  SourcePackage: iptables
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1975381/+subscriptions




[Touch-packages] [Bug 1975408] Re: Performance is much worse than expected (Normal friendly behaviors)

2022-05-22 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1975408

Title:
  Performance is much worse than expected (Normal friendly behaviors)

Status in xorg package in Ubuntu:
  New

Bug description:
  Operating System: Ubuntu 22.04
  Life cycle: LTS
  Architecture: AMD64
  Kernel version (uname -a): 5.15.0-30-generic

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu2
  ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
  Uname: Linux 5.15.0-30-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Sun May 22 12:10:30 2022
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  DkmsStatus: sysdig/0.27.1, 5.15.0-30-generic, x86_64: installed
  ExtraDebuggingInterest: Yes, if not too technical
  GraphicsCard:
   Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller])
     Subsystem: Hewlett-Packard Company 3rd Gen Core processor Graphics Controller [103c:17f4]
  MachineType: Hewlett-Packard HP ProBook 4540s
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-30-generic root=UUID=cf164159-2e29-4cee-aef2-f8d16c319f1a ro snapd_recovery_mode snap_core quiet splash crashkernel=512M-:192M vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 04/11/2019
  dmi.bios.release: 15.104
  dmi.bios.vendor: Hewlett-Packard
  dmi.bios.version: 68IRR Ver. F.68
  dmi.board.name: 17F6
  dmi.board.vendor: Hewlett-Packard
  dmi.board.version: KBC Version 58.21
  dmi.chassis.type: 10
  dmi.chassis.vendor: Hewlett-Packard
  dmi.ec.firmware.release: 88.33
  dmi.modalias: dmi:bvnHewlett-Packard:bvr68IRRVer.F.68:bd04/11/2019:br15.104:efr88.33:svnHewlett-Packard:pnHPProBook4540s:pvrA1008C11:rvnHewlett-Packard:rn17F6:rvrKBCVersion58.21:cvnHewlett-Packard:ct10:cvr:skuB7A48EA#ABV:
  dmi.product.family: 103C_5336AN G=N L=BUS B=HP S=PRO
  dmi.product.name: HP ProBook 4540s
  dmi.product.sku: B7A48EA#ABV
  dmi.product.version: A1008C11
  dmi.sys.vendor: Hewlett-Packard
  version.compiz: compiz 1:0.9.14.1+22.04.20211217-0ubuntu2
  version.libdrm2: libdrm2 2.4.110+git2205140500.3f266e~oibaf~j
  version.libgl1-mesa-dri: libgl1-mesa-dri 22.2~git2205160600.3c0f34~oibaf~j
  version.libgl1-mesa-glx: libgl1-mesa-glx 22.2~git2205170600.fffafa~oibaf~j
  version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build3
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1975408/+subscriptions




[Touch-packages] [Bug 1975407] Re: pulseaudio is getting crashed

2022-05-22 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1975407

Title:
  pulseaudio is getting crashed

Status in pulseaudio package in Ubuntu:
  New

Bug description:
  Operating System: Ubuntu 22.04
  Life cycle: LTS
  Architecture: AMD64
  Kernel version (uname -a): 5.15.0-30-generic

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: pulseaudio 1:15.99.1+dfsg1-1ubuntu1
  ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30
  Uname: Linux 5.15.0-30-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  AudioDevicesInUse:
   USERPID ACCESS COMMAND
   /dev/snd/controlC0:  johnm  3822 F pulseaudio
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sun May 22 12:08:58 2022
  PulseList:
   Error: command ['pacmd', 'list'] failed with exit code 1: XDG_RUNTIME_DIR (/run/user/1000) is not owned by us (uid 0), but by uid 1000! (This could e.g. happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
   No PulseAudio daemon running, or not running as session daemon.
  SourcePackage: pulseaudio
  Symptom: audio
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 04/11/2019
  dmi.bios.release: 15.104
  dmi.bios.vendor: Hewlett-Packard
  dmi.bios.version: 68IRR Ver. F.68
  dmi.board.name: 17F6
  dmi.board.vendor: Hewlett-Packard
  dmi.board.version: KBC Version 58.21
  dmi.chassis.type: 10
  dmi.chassis.vendor: Hewlett-Packard
  dmi.ec.firmware.release: 88.33
  dmi.modalias: dmi:bvnHewlett-Packard:bvr68IRRVer.F.68:bd04/11/2019:br15.104:efr88.33:svnHewlett-Packard:pnHPProBook4540s:pvrA1008C11:rvnHewlett-Packard:rn17F6:rvrKBCVersion58.21:cvnHewlett-Packard:ct10:cvr:skuB7A48EA#ABV:
  dmi.product.family: 103C_5336AN G=N L=BUS B=HP S=PRO
  dmi.product.name: HP ProBook 4540s
  dmi.product.sku: B7A48EA#ABV
  dmi.product.version: A1008C11
  dmi.sys.vendor: Hewlett-Packard
  modified.conffile..etc.xdg.autostart.pulseaudio.desktop: [modified]
  mtime.conffile..etc.xdg.autostart.pulseaudio.desktop: 2022-01-28T22:42:20.933634

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1975407/+subscriptions




[Touch-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded

2022-05-23 Thread Alex Murray
@mardy I thought we had snapd.apparmor specifically to avoid this
scenario but I can't see that service mentioned at all in
systemd-analyze plot...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1871148

Title:
  services start before apparmor profiles are loaded

Status in AppArmor:
  Invalid
Status in snapd:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in zsys package in Ubuntu:
  Invalid
Status in apparmor source package in Focal:
  Fix Released
Status in snapd source package in Focal:
  Fix Released
Status in zsys source package in Focal:
  Invalid

Bug description:
  Per discussion with Zyga in #snapd on Freenode, I have hit a race
  condition where services are being started by the system before
  apparmor has been started. I have a complete log of my system showing
  the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/.
  Restarting apparmor using `sudo systemctl restart apparmor` is enough
  to bring installed snaps back to full functionality.

  Previously, when running any snap I would receive the following in the
  terminal:

  ---
  cannot change profile for the next exec call: No such file or directory
  snap-update-ns failed with code 1: File exists
  ---

  Updated to add for Jamie:

  $ snap version
  snap    2.44.2+20.04
  snapd   2.44.2+20.04
  series  16
  ubuntu  20.04
  kernel  5.4.0-21-generic

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1871148/+subscriptions




[Touch-packages] [Bug 1941752] Re: Regression: exiv2 0.27.3-3ubuntu1.5 makes Gwenview crash when opening images exported by darktable

2022-01-09 Thread Alex Murray
@leosilva - as you did the original update for exiv2 could you please
sponsor the attached debdiff? Thanks.

** Changed in: exiv2 (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to exiv2 in Ubuntu.
https://bugs.launchpad.net/bugs/1941752

Title:
  Regression: exiv2 0.27.3-3ubuntu1.5 makes Gwenview crash when opening
  images exported by darktable

Status in Gwenview:
  Fix Released
Status in exiv2 package in Ubuntu:
  Confirmed
Status in gwenview package in Ubuntu:
  Confirmed

Bug description:
  Since the recent security update of exiv2, Gwenview crashes when
  trying to open image files that got exported by darktable.

  Steps to reproduce:

  * Make a test installation of Kubuntu 21.04 in VirtualBox
  * Install all updates
  * Install darktable
  * Copy one of the images in /usr/share/wallpapers (or any other image) to your home directory and open it with darktable
  * Within darktable, export a copy of the image (no need to do any actual modifications)
  * Try to open that copy with Gwenview. Gwenview will crash.

  I'm attaching a crash report hinting that this is related to exiv2.

  Temporary workaround:
  If I downgrade libexiv2-27 to 0.27.3-3ubuntu1.4, Gwenview doesn't crash, so it seems the crash is related to changes in 0.27.3-3ubuntu1.5.

  I don't know if the underlying cause is actually some bug in exiv2,
  Gwenview or darktable.

  Kind regards, Jan

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: libexiv2-27 0.27.3-3ubuntu1.5
  ProcVersionSignature: Ubuntu 5.11.0-31.33-generic 5.11.22
  Uname: Linux 5.11.0-31-generic x86_64
  ApportVersion: 2.20.11-0ubuntu65.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  Date: Thu Aug 26 15:16:47 2021
  InstallationDate: Installed on 2021-08-26 (0 days ago)
  InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
  SourcePackage: exiv2
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/gwenview/+bug/1941752/+subscriptions




[Touch-packages] [Bug 1957024] [NEW] pam-mkhomedir does not honor private home directories

2022-01-10 Thread Alex Murray
Public bug reported:

As reported in
https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533/13:

A common situation is to have a central set of users (e.g. in LDAP) and
use pam_mkhomedir.so to create the home directory when the user first
logs in.

These changes do not cover this situation. The default configuration of
pam_mkhomedir.so will result in a home directory created with 0755
permissions.

To make pam_mkhomedir.so create a home directory by default with
permissions consistent with the other tools then a umask argument can be
added to the pam_mkhomedir.so module in the file
/usr/share/pam-configs/mkhomedir. I believe this would have to be done
before enabling the module. The file is part of the libpam-modules package.

** Affects: pam (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1957024

Title:
  pam-mkhomedir does not honor private home directories

Status in pam package in Ubuntu:
  New

Bug description:
  As reported in
  https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533/13:

  A common situation is to have a central set of users (e.g. in LDAP)
  and use pam_mkhomedir.so to create the home directory when the user
  first logs in.

  These changes do not cover this situation. The default configuration
  of pam_mkhomedir.so will result in a home directory created with 0755
  permissions.

  To make pam_mkhomedir.so create a home directory by default with
  permissions consistent with the other tools then a umask argument can
  be added to the pam_mkhomedir.so module in the file
  /usr/share/pam-configs/mkhomedir. I believe this would have to be done
  before enabling the module. The file is part of the libpam-modules package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1957024/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
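
The effect of the umask argument discussed in the pam_mkhomedir report above, as an added example that is not part of the bug report or of the pam package: a small auditor that reads a pam-auth-update profile and reports the mode each pam_mkhomedir.so line would produce. The profile text is constructed for illustration, and the 0750 target for private home directories and the `umask=0027` value are assumptions not stated in the report.

```python
import stat

# The report states that the default configuration yields 0755 directories,
# which corresponds to an effective umask of 0022 when no umask= is given.
DEFAULT_UMASK = 0o022
# Assumption: "private home directories" means mode 0750 or stricter.
PRIVATE_HOME_MODE = 0o750

# Constructed sample of /usr/share/pam-configs/mkhomedir (illustrative text,
# not copied from the libpam-modules package).
STOCK_PROFILE = (
    "Name: Create home directory on login\n"
    "Default: no\n"
    "Priority: 0\n"
    "Session-Type: Additional\n"
    "Session-Interactive-Only: yes\n"
    "Session:\n"
    "\toptional\t\t\tpam_mkhomedir.so\n"
)
# Same profile with the umask argument the report proposes adding
# (the value 0027 is an assumption chosen to reach 0750).
HARDENED_PROFILE = STOCK_PROFILE.replace(
    "pam_mkhomedir.so", "pam_mkhomedir.so umask=0027"
)


def mkhomedir_lines(text):
    """Yield (line number, module arguments) for each pam_mkhomedir.so line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        for i, tok in enumerate(tokens):
            if tok.endswith("pam_mkhomedir.so"):
                yield lineno, tokens[i + 1:]
                break


def effective_umask(args):
    """Return the umask the module would apply; ValueError if not octal."""
    umask = DEFAULT_UMASK
    for arg in args:
        key, _, value = arg.partition("=")
        if key == "umask":
            umask = int(value, 8)
    return umask & 0o777


def audit(text, max_mode=PRIVATE_HOME_MODE):
    """Report the resulting home directory mode for every mkhomedir line."""
    findings = []
    for lineno, args in mkhomedir_lines(text):
        try:
            umask = effective_umask(args)
        except ValueError:
            # An unparsable umask is reported rather than silently defaulted.
            findings.append({"line": lineno, "umask": None, "mode": None,
                             "perms": None, "ok": False})
            continue
        mode = 0o777 & ~umask
        findings.append({
            "line": lineno,
            "umask": umask,
            "mode": mode,
            "perms": stat.filemode(stat.S_IFDIR | mode),
            # ok only if no permission bit is set beyond the allowed maximum
            "ok": (mode & ~max_mode) == 0,
        })
    return findings


if __name__ == "__main__":
    for name, profile in (("stock", STOCK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for f in audit(profile):
            verdict = "private" if f["ok"] else "TOO OPEN"
            print(f"{name}: line {f['line']} -> {f['perms']} ({verdict})")
```
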


[Touch-packages] [Bug 1957781] Re: when i upgrade my package ask me yes or no ?

2022-01-13 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Package changed: ubuntu => apt (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1957781

Title:
  when i  upgrade my package ask me yes or no ?

Status in apt package in Ubuntu:
  New

Bug description:
  ubuntu 21.10

  use  sudo apt  upgrade
  toshiba@toshiba-Satellite-C850-B908:~$ sudo apt upgrade
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  Calculating upgrade... Done
  The following NEW packages will be installed:
linux-headers-5.13.0-25 linux-headers-5.13.0-25-generic
linux-image-5.13.0-25-generic linux-modules-5.13.0-25-generic
linux-modules-extra-5.13.0-25-generic
  The following packages will be upgraded:
ghostscript ghostscript-x gir1.2-javascriptcoregtk-4.0 gir1.2-webkit2-4.0
libexiv2-27 libfprint-2-2 libgs9 libgs9-common libjavascriptcoregtk-4.0-18
libnss-systemd libpam-systemd libqt5core5a libqt5dbus5 libqt5gui5
libqt5network5 libqt5widgets5 libsystemd0 libudev1 libwebkit2gtk-4.0-37
linux-generic-hwe-20.04 linux-headers-generic-hwe-20.04
linux-image-generic-hwe-20.04 linux-libc-dev openssh-client
qt5-gtk-platformtheme systemd systemd-sysv systemd-timesyncd udev
  29 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
  27 standard security updates
  Need to get 148 MB of archives.
  After this operation, 504 MB of additional disk space will be used.
  Do you want to continue? [Y/n] 1
  Get:1 http://sy.archive.ubuntu.com/ubuntu impish-updates/main amd64 systemd-timesyncd amd64 248.3-1ubuntu8.2 [30.8 kB]


  --
  so i click 1 not y or yes ? and the upgrading begin?
  is that normal ?
  i mean using 1 as yes?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1957781/+subscriptions




[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-17 Thread Alex Murray
FYI I am working on merging apparmor-3.0.4 from debian unstable to jammy
at the moment which should resolve this.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1961196

Title:
  apparmor autotest failure on jammy with linux 5.15

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Jammy:
  New

Bug description:
  [Impact]

  test-aa-notify is also checking if the output of `aa-notify --help`
  matches a specific text. However it looks like this output has changed
  in jammy so the autopkgtest is reporting errors like this:

  05:17:31 ERROR| [stderr] === test-aa-notify.py ===
  05:17:31 ERROR| [stderr] .ssF.
  05:17:31 ERROR| [stderr] ==
  05:17:31 ERROR| [stderr] FAIL: test_help_contents (__main__.AANotifyTest)
  05:17:31 ERROR| [stderr] Test output of help text
  05:17:31 ERROR| [stderr] --
  05:17:31 ERROR| [stderr] Traceback (most recent call last):
  05:17:31 ERROR| [stderr]   File "/tmp/testlibmse00lib/source/jammy/apparmor-3.0.3/utils/test/test-aa-notify.py", line 178, in test_help_contents
  05:17:31 ERROR| [stderr] self.assertEqual(expected_output_is, output, result + output)
  05:17:31 ERROR| [stderr] AssertionError: 'usag[189 chars]ptional arguments:\n  -h, --helpsh[746 chars]de\n' != 'usag[189 chars]ptions:\n  -h, --helpshow this hel[735 chars]de\n'
  05:17:31 ERROR| [stderr]   usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v]
  05:17:31 ERROR| [stderr][-u USER] [-w NUM] [--debug]
  05:17:31 ERROR| [stderr]
  05:17:31 ERROR| [stderr]   Display AppArmor notifications or messages for DENIED entries.
  05:17:31 ERROR| [stderr]
  05:17:31 ERROR| [stderr] - optional arguments:
  05:17:31 ERROR| [stderr] + options:
  05:17:31 ERROR| [stderr] -h, --helpshow this help message and exit
  05:17:31 ERROR| [stderr] -p, --pollpoll AppArmor logs and display notifications
  05:17:31 ERROR| [stderr] --display DISPLAY set the DISPLAY environment variable (might be needed if
  05:17:31 ERROR| [stderr]   sudo resets $DISPLAY)
  05:17:31 ERROR| [stderr] -f FILE, --file FILE  search FILE for AppArmor messages
  05:17:31 ERROR| [stderr] -l, --since-last  display stats since last login
  05:17:31 ERROR| [stderr] -s NUM, --since-days NUM
  05:17:31 ERROR| [stderr]   show stats for last NUM days (can be used alone or with
  05:17:31 ERROR| [stderr]   -p)
  05:17:31 ERROR| [stderr] -v, --verbose show messages with stats
  05:17:31 ERROR| [stderr] -u USER, --user USER  user to drop privileges to when not using sudo
  05:17:31 ERROR| [stderr] -w NUM, --wait NUMwait NUM seconds before displaying notifications (with
  05:17:31 ERROR| [stderr]   -p)
  05:17:31 ERROR| [stderr] --debug   debug mode
  05:17:31 ERROR| [stderr]  : Got output "usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v]
  05:17:31 ERROR| [stderr]  [-u USER] [-w NUM] [--debug]

  [Test case]

  Simply run test-aa-notify.py from the autopkgtests.

  [Fix]

  Update the expected output returned by `aa-notify --help` in
  test-aa-notify.py.

  [Regression potential]

  This is just an autopkgtest, we may see regressions if the test is
  used with older version of apparmor-notify. With newer versions
  there's no risk of regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1961196/+subscriptions




[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-21 Thread Alex Murray
FYI I am preparing this in https://bileto.ubuntu.com/#/ticket/4796 - I
have included the original patch from arighi to fix the aa-notify tests
too. Once britney looks happy with this I will upload it to
jammy-proposed.



[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15

2022-02-21 Thread Alex Murray
Hmm so had to redo my merge after the 3.0.3-0ubuntu9 upload... see new
bileto ticket/PPA for the current version of it
https://bileto.ubuntu.com/#/ticket/4797



[Touch-packages] [Bug 1962036] Re: dbus was stopped during today's jammy update, breaking desktop

2022-02-23 Thread Alex Murray
I hit this too - just reported
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1962127 from
the associated gnome-shell crash.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1962036

Title:
  dbus was stopped during today's jammy update, breaking desktop

Status in dbus package in Ubuntu:
  Confirmed

Bug description:
  Impact: logind stopped, so desktop stopped, ssh stopped, got no getty.
  Had to hard reset.

  Today's jammy upgrade stopped dbus at 19:46:27

  Feb 23 19:46:27 jak-t480s systemd[1]: Stopping D-Bus System Message
  Bus...

  This should not happen. I don't know which package caused this, but
  presumably dbus should not be stoppable in the first place.


  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: dbus 1.12.20-2ubuntu3
  ProcVersionSignature: Ubuntu 5.15.0-22.22-generic 5.15.19
  Uname: Linux 5.15.0-22-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu78
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: GNOME
  Date: Wed Feb 23 20:03:41 2022
  InstallationDate: Installed on 2018-03-14 (1442 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: dbus
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1962036/+subscriptions




[Touch-packages] [Bug 1962276] Re: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed

2022-02-28 Thread Alex Murray
This appears to be caused (for me at least) by upower 0.99.16-1 - after
upgrading today to 0.99.16-2 things are working again as expected.

** Also affects: upower (Ubuntu)
   Importance: Undecided
   Status: New

** Bug watch added: Debian Bug tracker #1006368
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006368

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upower in Ubuntu.
https://bugs.launchpad.net/bugs/1962276

Title:
  [jammy] Laptop monitor does not turn off/disconnect when the lid is
  closed

Status in gnome-settings-daemon package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in mutter package in Ubuntu:
  New
Status in upower package in Ubuntu:
  New

Bug description:
  After today's updates I can no longer run my laptop in clamshell mode.
  I don't use a dock. I connect the second monitor via HDMI cable and an
  external keyboard/mouse via a USB hub.

  Usually I can just plug in the monitor and close the lid and the
  primary display will switch to the external monitor. Now it will
  default to Monitor 2 as part of the joint display.

  I also tested booting the machine and closing the lid but this still
  defaulted to the external monitor as the 2nd display.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: xorg 1:7.7+23ubuntu1
  ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
  Uname: Linux 5.15.0-18-generic x86_64
  ApportVersion: 2.20.11-0ubuntu78
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: pass
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Feb 25 16:44:37 2022
  DistUpgraded: Fresh install
  DistroCodename: jammy
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes, if not too technical
  GraphicsCard:
   Intel Corporation HD Graphics 5500 [8086:1616] (rev 09) (prog-if 00 [VGA 
controller])
 Subsystem: Lenovo HD Graphics 5500 [17aa:2226]
  InstallationDate: Installed on 2022-02-23 (1 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220202)
  MachineType: LENOVO 20CLS3JN0F
  ProcEnviron:
   LANGUAGE=en_NZ:en
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_NZ.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-18-generic 
root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 03/05/2015
  dmi.bios.release: 1.7
  dmi.bios.vendor: LENOVO
  dmi.bios.version: N10ET30W (1.07 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 20CLS3JN0F
  dmi.board.vendor: LENOVO
  dmi.board.version: SDK0E50510 WIN
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: None
  dmi.ec.firmware.release: 1.9
  dmi.modalias: 
dmi:bvnLENOVO:bvrN10ET30W(1.07):bd03/05/2015:br1.7:efr1.9:svnLENOVO:pn20CLS3JN0F:pvrThinkPadX250:rvnLENOVO:rn20CLS3JN0F:rvrSDK0E50510WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20CL_BU_Think_FM_ThinkPadX250:
  dmi.product.family: ThinkPad X250
  dmi.product.name: 20CLS3JN0F
  dmi.product.sku: LENOVO_MT_20CL_BU_Think_FM_ThinkPad X250
  dmi.product.version: ThinkPad X250
  dmi.sys.vendor: LENOVO
  version.compiz: compiz N/A
  version.libdrm2: libdrm2 2.4.109-2ubuntu1
  version.libgl1-mesa-dri: libgl1-mesa-dri 21.2.2-1ubuntu1
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.xserver-xorg-core: xserver-xorg-core 2:1.20.14-1ubuntu1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20200714-1ubuntu2
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 
1:1.0.17-1build1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-settings-daemon/+bug/1962276/+subscriptions




[Touch-packages] [Bug 1962276] Re: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed

2022-02-28 Thread Alex Murray
See this related debian bug
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006368



[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2022-02-28 Thread Alex Murray
I am actively looking at this - FWIW the performance results with PIE
enabled look good - https://paste.ubuntu.com/p/PZjqMFSNSR/ - so I am
discussing internally whether this is something that can still land for
Ubuntu 22.04.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

Status in Python:
  New
Status in python2.7 package in Ubuntu:
  Fix Released
Status in python3.10 package in Ubuntu:
  New
Status in python3.4 package in Ubuntu:
  Fix Released
Status in python3.6 package in Ubuntu:
  Confirmed
Status in python3.7 package in Ubuntu:
  Confirmed
Status in python3.8 package in Ubuntu:
  Confirmed
Status in python3.9 package in Ubuntu:
  New
Status in python3.7 package in Debian:
  New
Status in python3.8 package in Debian:
  New

Bug description:
  The python2.7 binary (installed at /usr/bin/python2.7; package version
  2.7.6-8) is not compiled as a position independent executable (PIE).
  It appears that the python compilation process is somewhat arcane and
  the hardening wrapper probably doesn't do the trick for it.

  This is incredibly dangerous as it means that any vulnerability within
  a native module (e.g. ctypes-based), or within python itself will
  expose an incredibly large amount of known memory contents at known
  addresses (including a large number of dangerous instruction
  groupings). This enables ROP-based
  (https://en.wikipedia.org/wiki/Return-oriented_programming) attacks to
  abuse the interpreter itself to bypass non-executable page protections.

  I have put together an example vulnerable C shared object (with a
  buffer overflow) accessed via python through the ctypes interface as
  an example. This uses a single ROP "gadget" on top of using the known
  PLT location for system(3)
  (https://en.wikipedia.org/wiki/Return-to-libc_attack) to call "id".
  The example code is accessible at:
  - https://gist.github.com/ChaosData/ae6076cb1c3cc7b0a367

  I'm not exactly familiar enough with the python build process to say
  where exactly an -fPIE needs to be injected into a script/makefile,
  but I feel that given the perceived general preference for
  ctypes-based modules over python written ones, as the native code
  implementations tend to be more performant, this feels like a large
  security hole within the system. Given the nature of this "issue," I'm
  not 100% sure of where it is best reported, but from what I can tell,
  this conflicts with the Ubuntu hardening features and is definitely
  exploitable should a native module contain a sufficiently exploitable
  vulnerability that allows for control of the instruction register.

To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1452115/+subscriptions




[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2022-02-28 Thread Alex Murray
For posterity - this is how I did the analysis above:

# download the current python3.9 source package and rebuild it with PIE enabled
apt source python3.9
cd python3.9-3.9.10/
sed -i "/export DEB_BUILD_MAINT_OPTIONS=hardening=-pie/d" debian/rules
dch -i -D jammy "Enable PIE (LP: #1452115)"
update-maintainer
# sbuild assumes you already have a jammy-amd64 schroot setup
sbuild


# use a LXD VM for testing
lxc launch --vm images:ubuntu/jammy sec-jammy-amd64

# stop the VM and disable UEFI secure boot
lxc stop sec-jammy-amd64

# ensure secureboot is not used so we can use the msr module later
lxc config set sec-jammy-amd64 security.secureboot=false

lxc start sec-jammy-amd64

# make sure VM has full disk allocated
lxc exec sec-jammy-amd64 -- growpart /dev/sda 2
lxc exec sec-jammy-amd64 -- resize2fs /dev/sda2
lxc file push ../*.deb sec-jammy-amd64/root/

lxc shell sec-jammy-amd64

# then inside the LXD VM install and run pyperformance with and without the new python3.9
apt install python3-pip
pip3 install pyperformance

# tune for system performance
modprobe msr
python3.9 -m pyperf system tune

# get baseline numbers without PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9.json

# install our debs we built above that have PIE enabled
apt install ./python3.9_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9-stdlib_3.9.10-2ubuntu1_amd64.deb \
  ./python3.9-minimal_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9-minimal_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9_3.9.10-2ubuntu1_amd64.deb \
  ./libpython3.9-dev_3.9.10-2ubuntu1_amd64.deb \
  ./python3.9-dev_3.9.10-2ubuntu1_amd64.deb

# check they have PIE
apt install devscripts
hardening-check /usr/bin/python3.9

# re-run pyperformance with PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9-pie.json

# and compare the results
python3 -m pyperf compare_to py3.9.json py3.9-pie.json --table


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1964325] Re: Fails to print due to apparmor denied connect operation for cupsd - /run/systemd/userdb/io.systemd.Machine

2022-03-09 Thread Alex Murray
I have proposed a fix for this upstream -
https://gitlab.com/apparmor/apparmor/-/merge_requests/861 - once that is
reviewed then we can include the fix in jammy.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1964325

Title:
  Fails to print due to apparmor denied connect operation for cupsd -
  /run/systemd/userdb/io.systemd.Machine

Status in apparmor package in Ubuntu:
  New

Bug description:
  On an up to date Jammy machine, printing fails and there is the
  following apparmor denied message in the journal:

  apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd"
  name="/run/systemd/userdb/io.systemd.Machine" pid=892182 comm="cupsd"
  requested_mask="w" denied_mask="w" fsuid=0 ouid=0

  Printing works after running aa-complain cupsd.

  The printer is a driverless HP Envy 5020

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apparmor 3.0.4-2ubuntu1
  ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
  Uname: Linux 5.15.0-18-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu78
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Mar  9 10:25:10 2022
  InstallationDate: Installed on 2020-05-31 (647 days ago)
  InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Alpha amd64 (20200527)
  ProcKernelCmdline: BOOT_IMAGE=/BOOT/ubuntu_nt06gx@/vmlinuz-5.15.0-18-generic root=ZFS=rpool/ROOT/ubuntu_nt06gx ro snd-intel-dspcfg.dsp_driver=1
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964325/+subscriptions




[Touch-packages] [Bug 1944436] Re: Please backport support for "close_range" syscall

2021-09-21 Thread Alex Murray
Can you please post a simple reproducer?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1944436

Title:
  Please backport support for "close_range" syscall

Status in libseccomp package in Ubuntu:
  New

Bug description:
  Please backport support for the "close_range" syscall .. may be as
  simple as cherrypicking

  https://github.com/seccomp/libseccomp/commit/01e5750e7c84bb14e5a5410c924bed519209db06

  from upstream. I've hit problems running buildah in a systemd-nspawn
  container, but this will probably affect people trying to run modern
  code in other container systems as well, e.g. docker.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libseccomp2 2.5.1-1ubuntu1~20.04.1
  ProcVersionSignature: Ubuntu 5.4.0-84.94-generic 5.4.133
  Uname: Linux 5.4.0-84-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.20
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: Xpra
  Date: Tue Sep 21 15:10:54 2021
  InstallationDate: Installed on 2017-01-08 (1717 days ago)
  InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: libseccomp
  UpgradeStatus: Upgraded to focal on 2021-09-02 (19 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436/+subscriptions




[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

2021-10-10 Thread Alex Murray
Is there any option to do this via portals - ie can evince use
https://flatpak.github.io/xdg-desktop-portal/portal-docs.html#gdbus-org.freedesktop.portal.OpenURI
to open the URI? Would this then allow us to avoid going via xdg-open?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser
  is a snap

Status in apparmor package in Ubuntu:
  Confirmed
Status in evince package in Ubuntu:
  Triaged

Bug description:
  This is related to bug #1792648. After fixing that one (see discussion
  at https://salsa.debian.org/gnome-team/evince/merge_requests/1),
  clicking a hyperlink in a PDF opens it correctly if the default
  browser is a well-known application (such as /usr/bin/firefox), but it
  fails to do so if the default browser is a snap (e.g. the chromium
  snap).

  This is not a recent regression, it's not working on bionic either.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: evince 3.30.0-2
  ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
  Uname: Linux 4.18.0-7-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.10-0ubuntu11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep 24 12:28:06 2018
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2016-07-02 (813 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: evince
  UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago)
  modified.conffile..etc.apparmor.d.abstractions.evince: [modified]
  mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions




[Touch-packages] [Bug 1949316] [NEW] kmod modprobe.d scripts are named with non-inclusive language

2021-10-31 Thread Alex Murray
Public bug reported:

The kmod package ships with a number of files in /etc/modprobe.d which
have non-inclusive names:

$ dpkg -L kmod | grep blacklist
/etc/modprobe.d/blacklist-ath_pci.conf
/etc/modprobe.d/blacklist-firewire.conf
/etc/modprobe.d/blacklist-framebuffer.conf
/etc/modprobe.d/blacklist-rare-network.conf
/etc/modprobe.d/blacklist.conf


These should be renamed using the term denylist instead.

Similarly, they should accept the term `denylist` rather than
`blacklist` to specify modules that should not be loaded / aliases that
should be ignored etc.

** Affects: kmod (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to kmod in Ubuntu.
https://bugs.launchpad.net/bugs/1949316

Title:
  kmod modprobe.d scripts are named with non-inclusive language

Status in kmod package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/1949316/+subscriptions




[Touch-packages] [Bug 1951161] Re: Please merge shadow 1:4.8.1-2 (main) from Debian unstable

2021-11-17 Thread Alex Murray
I think the changelog entry should still list the private home dirs
change for login.defs under Remaining changes

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1951161

Title:
  Please merge shadow 1:4.8.1-2 (main) from Debian unstable

Status in shadow package in Ubuntu:
  Confirmed

Bug description:
  This merge is necessary because there are changes present in Ubuntu
  that are not present in Debian.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1951161/+subscriptions




[Touch-packages] [Bug 1953428] [NEW] /etc/PackageKit/Vendor.conf specifies invalid CodecUrl

2021-12-06 Thread Alex Murray
Public bug reported:

CodecUrl in /etc/PackageKit/Vendor.conf on Impish at least currently
has:
http://shop.canonical.com/index.php?cPath=19&osCsid=f1e370ea7563ed5e654c10450364ff24

shop.canonical.com does not have a DNS record and has been dead for a
long time so this should be removed.

** Affects: packagekit (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to packagekit in Ubuntu.
https://bugs.launchpad.net/bugs/1953428

Title:
  /etc/PackageKit/Vendor.conf specifies invalid CodecUrl

Status in packagekit package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1953428/+subscriptions




[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages

2021-12-06 Thread Alex Murray
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1953301

Title:
  Segfault on AArch64 caused by OpenSSL affecting numerous packages

Status in openssl package in Ubuntu:
  New

Bug description:
  OpenSSL causes crashes when reaching to some URLs on AArch64 platform,
  affecting Ubuntu, but not Fedora for instance.

  Initially reported in
  https://mediasoup.discourse.group/t/mediasoup-worker-default-make-failed/3647/12,
  more details and reproductions in
  https://github.com/mesonbuild/meson/issues/9690

  Affects curl, wget, python and probably everything else.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1953301/+subscriptions




[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages

2021-12-06 Thread Alex Murray
FWIW I can't reproduce this on a RPi 4 running the aarch64/arm64 Ubuntu
20.04 LTS image:

ubuntu@rpi4:~$ wget https://wrapdb.mesonbuild.com/v2/libuv_1.42.0-1/get_patch
--2021-12-07 05:50:01--  https://wrapdb.mesonbuild.com/v2/libuv_1.42.0-1/get_patch
Resolving wrapdb.mesonbuild.com (wrapdb.mesonbuild.com)... 138.201.247.118
Connecting to wrapdb.mesonbuild.com (wrapdb.mesonbuild.com)|138.201.247.118|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/mesonbuild/wrapdb/releases/download/libuv_1.42.0-1/libuv_1.42.0-1_patch.zip [following]
--2021-12-07 05:50:03--  https://github.com/mesonbuild/wrapdb/releases/download/libuv_1.42.0-1/libuv_1.42.0-1_patch.zip
Resolving github.com (github.com)... 13.236.229.21
Connecting to github.com (github.com)|13.236.229.21|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/236250352/46c49bec-514b-4411-afe8-46ac8cb2e82f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211207T054758Z&X-Amz-Expires=300&X-Amz-Signature=504c83b4d0c3567dc2f509362714a5b5709951655612c5665ca7d3e1f09050c5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=236250352&response-content-disposition=attachment%3B%20filename%3Dlibuv_1.42.0-1_patch.zip&response-content-type=application%2Foctet-stream [following]
--2021-12-07 05:50:03--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/236250352/46c49bec-514b-4411-afe8-46ac8cb2e82f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211207T054758Z&X-Amz-Expires=300&X-Amz-Signature=504c83b4d0c3567dc2f509362714a5b5709951655612c5665ca7d3e1f09050c5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=236250352&response-content-disposition=attachment%3B%20filename%3Dlibuv_1.42.0-1_patch.zip&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5146 (5.0K) [application/octet-stream]
Saving to: ‘get_patch’

get_patch  100%[=>]  5.03K  --.-KB/s  in 0.009s

2021-12-07 05:50:04 (590 KB/s) - ‘get_patch’ saved [5146/5146]

ubuntu@rpi4:~$ dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version           Architecture Description
+++-==============-=================-============-====================================================
ii  openssl        1.1.1f-1ubuntu2.9 arm64        Secure Sockets Layer toolkit - cryptographic utility
ubuntu@rpi4:~$ uname -a
Linux rpi4 5.4.0-1047-raspi #52-Ubuntu SMP PREEMPT Wed Nov 24 08:16:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

Can you please provide more details on what hardware platform is being
used in your case and what Ubuntu version / openssl version is in use?
The meson github issue appears to mention Ubuntu 20.04 but some more
details would be useful.


** Changed in: openssl (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1953301

Title:
  Segfault on AArch64 caused by OpenSSL affecting numerous packages

Status in openssl package in Ubuntu:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1953301/+subscriptions




[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles

2023-03-28 Thread Alex Murray
This bug is fixed and the behaviour you are seeing is expected - ie. it
is expected that AppArmor prints a warning about forcing complain mode
for the usr.sbin.sssd profile and that it then also prints a warning
about caching being disabled for that due to it being in force complain
mode. This is expected and normal behaviour.

However, if you feel this expected behaviour is a bug, please file a
separate bug report for that and describe what you think is incorrect
about this behaviour and how instead you feel it should behave.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1899218

Title:
  Incorrect warning from apparmor_parser on force complained profiles

Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  apparmor_parser on a force complained profile produces an incorrect
  warning message:

  $ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
  Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
  Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd

  Even though not generating the cache at all is expected, the warning
  should describe caching is disabled for force complained profiles
  instead of failure to create it.

  $ lsb_release -rd
  Description:  Ubuntu Groovy Gorilla (development branch)
  Release:  20.10

  $ apt-cache policy apparmor
  apparmor:
    Installed: 3.0.0~beta1-0ubuntu6
    Candidate: 3.0.0~beta1-0ubuntu6
    Version table:
   *** 3.0.0~beta1-0ubuntu6 500
          500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218/+subscriptions




[Touch-packages] [Bug 2024637] [NEW] apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
Public bug reported:

As of snapd 2.60, when installed as a snap, snapd includes its own
vendored apparmor_parser and configuration. As such, it generates
profiles using newer apparmor features than the system installed
apparmor may support.

This is seen as a failure to load the apparmor.service at boot once this
new snapd snap with the vendored apparmor is installed:

root@sec-bionic-amd64:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
 Main PID: 1590 (code=exited, status=123)

Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

root@sec-bionic-amd64:~# snap version
snap    2.60
snapd   2.60
series  16
ubuntu  18.04
kernel  4.15.0-212-generic
root@sec-bionic-amd64:~# snap debug sandbox-features --required \
apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
snapd has internal vendored apparmor


In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
profiles generated by snapd as since snapd 2.44.3 it has shipped the
snapd.apparmor.service unit which loads its apparmor profiles on boot.

apparmor in bionic and xenial should be updated to stop loading snapd
generated apparmor profiles and instead leave this up to
snapd.apparmor.service.


ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.12-4ubuntu5.1
ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
Uname: Linux 4.15.0-212-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: amd64
Date: Thu Jun 22 06:52:02 2023
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic

** Description changed:

  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.
  
- In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
- profiles generated by snapd as since snapd 2.44.3 it has shipped the
- snapd.apparmor.service unit which loads its apparmor profiles on boot.
+ This is seen as a failure to load the apparmor.service at boot once this
+ new snapd snap with the vendored apparmor is installed:
+ 
+ root@sec-bionic-amd64:~# systemctl status apparmor
+ ● apparmor.service - AppArmor initialization
+Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor 
preset: enabled)
+Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min 
ago
+  Docs: man:apparmor(7)
+http://wiki.apparmor.net/
+  Main PID: 1590 (code=exited, status=123)
+ 
+ Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for 
/etc/apparmor.d/usr.lib.snapd.snap-confine.real in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
+ Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in 
/etc/apparmor.d/disable: usr

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
** Also affects: apparmor (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu Bionic)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
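
The journal excerpt in the report for bug 2024637 can be triaged mechanically to show which profiles the system apparmor_parser rejected and whether each one comes from snapd's policy directory. This is an added example, not code from the bug report, AppArmor or snapd; the function names and origin labels are assumptions made for illustration, and the sample is the report's journal lines with the line wrapping undone.

```python
import re

# Directory holding snapd-generated policy, as it appears in the journal excerpt.
SNAPD_POLICY_DIR = "/var/lib/snapd/apparmor/"

PARSER_ERROR = re.compile(
    r"apparmor\[\d+\]:\s*AppArmor parser error for (?P<profile>\S+) "
    r"in (?P<source>\S+) at line (?P<line>\d+): (?P<message>.+)$"
)
INVALID_CAP = re.compile(r"Invalid capability (?P<cap>\w+)")
UNIT_FAILED = re.compile(r"systemd\[1\]: apparmor\.service: Failed with result")

# Constructed sample: journal lines from the report, re-joined onto single lines.
SAMPLE_JOURNAL = """\
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.
"""


def origin(profile, source):
    """Label where the rejected policy came from, judged by path prefix only."""
    if profile.startswith(SNAPD_POLICY_DIR):
        return "snapd-generated profile"
    if source.startswith(SNAPD_POLICY_DIR):
        return "system profile including a snapd-generated file"
    return "system profile"


def triage(journal_text):
    """Collapse repeated parser errors into one finding per (profile, file, line, message)."""
    findings = {}
    for raw in journal_text.splitlines():
        m = PARSER_ERROR.search(raw)
        if m is None:
            continue                      # "Skipping profile" and systemd lines are not errors
        key = (m["profile"], m["source"], int(m["line"]), m["message"].strip())
        if key not in findings:
            cap = INVALID_CAP.search(key[3])
            findings[key] = {
                "profile": key[0],
                "source": key[1],
                "line": key[2],
                "message": key[3],
                "unsupported_capability": cap["cap"] if cap else None,
                "origin": origin(key[0], key[1]),
                "count": 0,
            }
        findings[key]["count"] += 1
    return list(findings.values())       # dicts keep insertion order, so first seen comes first


def unit_failed(journal_text):
    """True when systemd recorded apparmor.service as failed."""
    return any(UNIT_FAILED.search(line) for line in journal_text.splitlines())


if __name__ == "__main__":
    print("apparmor.service failed:", unit_failed(SAMPLE_JOURNAL))
    for f in triage(SAMPLE_JOURNAL):
        print("{count}x {profile}\n   {origin}; {source}:{line}: {message}".format(**f))
```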


[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
** Also affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
Status in snapd source package in Bionic:
  New

Bug description:
  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.

  This is seen as a failure to load the apparmor.service at boot once
  this new snapd snap with the vendored apparmor is installed:

  root@sec-bionic-amd64:~# systemctl status apparmor
  ● apparmor.service - AppArmor initialization
 Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor 
preset: enabled)
 Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min 
ago
   Docs: man:apparmor(7)
 http://wiki.apparmor.net/
   Main PID: 1590 (code=exited, status=123)

  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for 
/etc/apparmor.d/usr.lib.snapd.snap-confine.real in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in 
/etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for 
/etc/apparmor.d/usr.lib.snapd.snap-confine.real in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in 
/etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for 
/var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for 
/var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in 
/var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process 
exited, code=exited, status=123/n/a
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with 
result 'exit-code'.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor 
initialization.

  root@sec-bionic-amd64:~# snap version
  snap2.60
  snapd   2.60
  series  16
  ubuntu  18.04
  kernel  4.15.0-212-generic
  root@sec-bionic-amd64:~# snap debug sandbox-features --required \
  apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
  snapd has internal vendored apparmor

  
  In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor 
profiles generated by snapd as since snapd 2.44.3 it has shipped the 
snapd.apparmor.service unit which loads its apparmor profiles on boot.

  apparmor in bionic and xenial should be updated to stop loading snapd
  generated apparmor profiles and instead leave this up to
  snapd.apparmor.service.


  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apparmor 2.12-4ubuntu5.1
  ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
  Uname: Linux 4.15.0-212-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Thu Jun 22 06:52:02 2023
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
A possible fix on the snapd side is being prepared in tandem in
https://github.com/snapcore/snapd/pull/12909

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but
  fails

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New
Status in apparmor source package in Xenial:
  New
Status in snapd source package in Xenial:
  New
Status in apparmor source package in Bionic:
  New
Status in snapd source package in Bionic:
  New

Bug description:
  As of snapd 2.60, when installed as a snap, snapd includes its own
  vendored apparmor_parser and configuration. As such, it generates
  profiles using newer apparmor features than the system installed
  apparmor may support.

  This is seen as a failure to load the apparmor.service at boot once
  this new snapd snap with the vendored apparmor is installed:

  root@sec-bionic-amd64:~# systemctl status apparmor
  ● apparmor.service - AppArmor initialization
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
       Docs: man:apparmor(7)
             http://wiki.apparmor.net/
   Main PID: 1590 (code=exited, status=123)

  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
  Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

  root@sec-bionic-amd64:~# snap version
  snap    2.60
  snapd   2.60
  series  16
  ubuntu  18.04
  kernel  4.15.0-212-generic
  root@sec-bionic-amd64:~# snap debug sandbox-features --required \
  apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
  snapd has internal vendored apparmor

  
  In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor
  profiles generated by snapd as since snapd 2.44.3 it has shipped the
  snapd.apparmor.service unit which loads its apparmor profiles on boot.

  apparmor in bionic and xenial should be updated to stop loading snapd
  generated apparmor profiles and instead leave this up to
  snapd.apparmor.service.


  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: apparmor 2.12-4ubuntu5.1
  ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
  Uname: Linux 4.15.0-212-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.29
  Architecture: amd64
  Date: Thu Jun 22 06:52:02 2023
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
  PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
  SourcePackage: apparmor
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
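
In the journal excerpt of the bug description above, a profile that lives under /etc/apparmor.d fails because of a rule in a file under /var/lib/snapd/apparmor. The following Python script is an added example, not part of the original messages or of apparmor or snapd: it groups such parser errors by the file that holds the rejected rule. The function names and the SNAPD_DIR prefix check are assumptions of the example; the sample lines are reassembled from the excerpt above.

```python
"""Group apparmor.service parser errors by the file that holds the bad rule."""
import re
from collections import defaultdict

# Reassembled from the journal excerpt quoted in the bug description
# (mail line-wrapping removed); no new data.
SAMPLE_JOURNAL = '''\
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
'''

# "<profile>" is the file handed to the parser; "<source>" is the file (often
# an included snippet) in which the rejected rule was actually found.
ERROR_RE = re.compile(
    r"AppArmor parser error for (?P<profile>\S+) in (?P<source>\S+) "
    r"at line (?P<line>\d+): (?P<message>.+)$"
)

# Assumption of this example: files below this directory are written by snapd.
SNAPD_DIR = "/var/lib/snapd/apparmor/"


def parse_errors(journal_text):
    """Return unique (profile, source, line, message) tuples, first-seen order."""
    seen = {}
    for raw in journal_text.splitlines():
        m = ERROR_RE.search(raw)
        if m:
            key = (m["profile"], m["source"], int(m["line"]),
                   m["message"].rstrip("."))
            seen.setdefault(key, None)  # the journal repeats each error
    return list(seen)


def group_by_source(errors):
    """Map each (source, line, message) to the profiles that pulled it in."""
    grouped = defaultdict(list)
    for profile, source, line, message in errors:
        grouped[(source, line, message)].append(profile)
    return dict(grouped)


def snapd_generated_only(errors):
    """True when every rejected rule sits in a file below SNAPD_DIR."""
    return bool(errors) and all(
        source.startswith(SNAPD_DIR) for _, source, _, _ in errors
    )


if __name__ == "__main__":
    found = parse_errors(SAMPLE_JOURNAL)
    for (source, line, message), profiles in group_by_source(found).items():
        print(f"{source}:{line}: {message}")
        for profile in profiles:
            print(f"    breaks {profile}")
    print("all failures come from snapd-generated files:",
          snapd_generated_only(found))
```
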


[Touch-packages] [Bug 1990064] Re: unconfined profile denies userns_create for chromium based processes

2022-09-18 Thread Alex Murray
This sounds like a kernel regression.

The commit you link to is for SELinux, which is not enabled by default
in Ubuntu, so I doubt it is that specifically - instead I suspect this
is due to the following commit:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914

The logic here:

int aa_profile_ns_perm(struct aa_profile *profile, struct common_audit_data *sa,
                       u32 request)
{
...
        if (profile_unconfined(profile)) {
                if (!unprivileged_userns_restricted ||
                    ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
                        return 0;

                aad(sa)->info = "User namespace creation restricted";
                /* fall through to below allows complain mode to override */
        } else {
                struct aa_ruleset *rules = list_first_entry(&profile->rules,
                                                            typeof(*rules),
                                                            list);
                aa_state_t state;

                state = RULE_MEDIATES(rules, aad(sa)->class);
                if (!state)
                        /* TODO: add flag to complain about unmediated */
                        return 0;
                perms = *aa_lookup_perms(&rules->policy, state);
        }

        aa_apply_modes_to_perms(profile, &perms);
        return aa_check_perms(profile, &perms, request, sa, audit_ns_cb);
}

Seems to indicate that all unconfined processes that do not have
CAP_SYS_ADMIN will be denied the ability to use user namespaces - this
feels like a definite regression / policy change within the kernel
itself.

Should the kernel instead be built with
CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=n ?

Or is this code not doing what it was intended to do?

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1990064

Title:
  unconfined profile denies userns_create for chromium based processes

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  For Ubuntu 22.10, since the last kernel update, I can't launch any
  chromium based browser, due to apparmor denying userns_create

  dmesg shows:
  apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

  This happens for every process which uses a chromium engine, like
  google chrome itself or in this case steamwebhelper.

  Might be related to this change?:
  https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

  not sure if it got merged in this form though..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1990064/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
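
The kernel logic quoted in the message above means that a DENIED record with profile="unconfined" and operation="userns_create" does not come from any loaded profile. The following Python script is an added example, not part of the original message or of the kernel or AppArmor code: it parses AppArmor audit records and separates that case from denials produced by profile policy. The category names and the fourth sample record are constructed for illustration.

```python
"""Triage AppArmor audit records: kernel userns restriction vs. profile policy."""
import errno
import re
from collections import defaultdict

# Records 1-3 are reassembled (mail line-wrapping removed) from lines quoted in
# this thread; record 4 is constructed to exercise the confined-profile case.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
[ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromium" pid=3361 comm="apparmor_parser"
[ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2000.000001] audit: type=1400 audit(1665727999.000:70): apparmor="DENIED" operation="userns_create" class="namespace" profile="snap.example.app" pid=4242 comm="example" requested="userns_create" denied="userns_create"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return the fields of one AppArmor audit record as a dict, or None."""
    start = line.find("apparmor=")
    if start < 0:
        return None
    rec = {}
    for key, value in FIELD_RE.findall(line[start:]):
        rec[key] = value[1:-1] if value.startswith('"') else value
    if "error" in rec:
        # error=-13 is a negated errno value; add its symbolic name (EACCES).
        rec["errno_name"] = errno.errorcode.get(-int(rec["error"]), "UNKNOWN")
    return rec


def classify(rec):
    """Say which layer made the decision recorded in rec."""
    if rec.get("apparmor") != "DENIED":
        # e.g. STATUS/profile_load: profile= is the loader's own confinement,
        # name= is the profile being loaded.
        return "not-a-denial"
    if rec.get("profile") == "unconfined":
        # No profile is attached, so no policy rule produced this denial. For
        # userns_create this is the profile_unconfined() branch quoted above.
        if rec.get("operation") == "userns_create":
            return "kernel-userns-restriction"
        return "unconfined-other"
    return "profile-policy"


def triage(log_text):
    """Bucket every AppArmor record in log_text by classify()."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            buckets[classify(rec)].append(rec)
    return dict(buckets)


def summarize(buckets):
    """One line per denial, stating where the decision was made."""
    out = []
    for rec in buckets.get("kernel-userns-restriction", []):
        out.append(f"{rec['comm']} pid={rec['pid']}: unconfined userns_create "
                   f"refused ({rec.get('errno_name', '?')}); kernel restriction, "
                   "no profile rule involved")
    for rec in buckets.get("profile-policy", []):
        target = rec.get("name") or rec.get("requested", "?")
        out.append(f"{rec['comm']} pid={rec['pid']}: {rec['operation']} on "
                   f"{target} denied by profile {rec['profile']}")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```
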


[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release

2022-09-21 Thread Alex Murray
** Attachment added: "apparmor-3.0.7-to-3.1.1-git-log.log"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.
  
  The full ChangeLog can be seen at [1]. Upstream does not provide a
  ChangeLog file, however I have generated one based on the git commit
  history of apparmor from the 3.0.7 tag to 3.1.1 as:
  
  $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
  log.log
  
- This can be seen in the attached file.
- 
+ This can be seen in the attached file
+ 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-
+ log.log
  
  TESTING
  
  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
  
  BUILD LOGS
  
  This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
  Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
  
  DEBDIFF
  
  The debdiff can be found in the PPA:
  
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
  
  INSTALL / UPGRADE LOG
  
  The apt upgrade log is attached in
  
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
  upgrade.log
  
  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1989309

Title:
  [FFe] apparmor 3.1.1 upstream release

Status in apparmor package in Ubuntu:
  New

Bug description:
  AppArmor 3.1.1 is the latest upstream version of the apparmor
  userspace tooling.

  This includes a large number of bug fixes since the 3.0.7 release
  which is currently in kinetic, as well as various cleanups and
  optimisations to the different tools to improve performance and
  maintainability.

  The full ChangeLog can be seen at [1]. Upstream does not provide a
  ChangeLog file, however I have generated one based on the git commit
  history of apparmor from the 3.0.7 tag to 3.1.1 as:

  $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-log.log

  This can be seen in the attached file
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

  TESTING

  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
  have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.

  BUILD LOGS

  This is currently uploaded to
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be
  found on Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969
  for amd64 etc

  DEBDIFF

  The debdiff can be found in the PPA:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz

  INSTALL / UPGRADE LOG

  The apt upgrade log is attached in
  https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Po

[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release

2022-09-21 Thread Alex Murray
** Description changed:

- Placeholder for preparation of AppArmor 3.1.1 for kinetic.
+ AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
+ tooling.
+ 
+ This includes a large number of bug fixes since the 3.0.7 release which
+ is currently in kinetic, as well as various cleanups and optimisations
+ to the different tools to improve performance and maintainability.
+ 
+ The full ChangeLog can be seen at [1]
+ 
+ 
+ TESTING
+ 
+ This has been extensively tested by the security team - this includes
+ following the documented Ubuntu merges test plan[2] for AppArmor and the
+ extensive QA Regression Tests[3] for AppArmor as well. This ensures that
+ the various applications that make heavy use of AppArmor (LXD, docker, 
+ lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions 
+ have been observed. All tests have passed and demonstrated both apparmor 
+ and the various applications that use it to be working as expected.
+ 
+ 
+ BUILD LOGS
+ 
+ This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
+ Launchpad at:
+ https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
+ 
+ 
+ DEBDIFF
+ 
+ The debdiff can be found in the PPA:
+ 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
+ 
+ 
+ INSTALL / UPGRADE LOG
+ 
+ The apt upgrade log is attached.
+ 
+ 
+ [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
+ [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
+ [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

** Attachment added: "apparmor-3.1.1-0ubuntu1-apt-upgrade.log"
   
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.
  
  The full ChangeLog can be seen at [1]
  
- 
  TESTING
  
  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
- the various applications that make heavy use of AppArmor (LXD, docker, 
- lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions 
- have been observed. All tests have passed and demonstrated both apparmor 
+ the various applications that make heavy use of AppArmor (LXD, docker,
+ lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions
+ have been observed. All tests have passed and demonstrated both apparmor
  and the various applications that use it to be working as expected.
- 
  
  BUILD LOGS
  
  This is currently uploaded to 
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be 
found on
  Launchpad at:
  https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 
for amd64 etc
  
- 
  DEBDIFF
  
  The debdiff can be found in the PPA:
  
https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz
  
- 
  INSTALL / UPGRADE LOG
  
- The apt upgrade log is attached.
- 
+ The apt upgrade log is attached in
+ 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-
+ upgrade.log
  
  [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
  [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
  [3] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py

** Description changed:

  AppArmor 3.1.1 is the latest upstream version of the apparmor userspace
  tooling.
  
  This includes a large number of bug fixes since the 3.0.7 release which
  is currently in kinetic, as well as various cleanups and optimisations
  to the different tools to improve performance and maintainability.
  
- The full ChangeLog can be seen at [1]
+ The full ChangeLog can be seen at [1]. Upstream does not provide a
+ ChangeLog file, however I have generated one based on the git commit
+ history of apparmor from the 3.0.7 tag to 3.1.1 as:
+ 
+ $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-
+ log.log
+ 
+ This can be seen in the attached file.
+ 
  
  TESTING
  
  This has been extensively tested by the security team - this includes
  following the documented Ubuntu merges test plan[2] for AppArmor and the
  extensive QA Regression Tests[3] for AppArmor as well. This ensures that
  the various applications that make heavy use of AppArmor (LXD, docker,
  lxc, dbus, libvirt, snapd etc) have all been exercised and no regr

[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives

2022-09-26 Thread Alex Murray
Thanks, I have updated the status of this CVE in the Ubuntu CVE tracker.

** Changed in: tar (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/1810241

Title:
  NULL dereference when decompressing specially crafted archives

Status in tar package in Ubuntu:
  Fix Released

Bug description:
  Hi,

  Fuzzing tar with checksums disabled reveals a NULL pointer dereference
  when parsing certain archives that have malformed extended headers.
  This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't
  tested Xenial's version.

  A test case with fixed checksums is attached. To avoid breaking
  anything that looks inside tar archives, I have converted it to text
  with xxd. To reproduce:

  $ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
  $ tar Oxf gnutar-crash.tar 
  tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
  tar: Malformed extended header: missing length
  Segmentation fault (core dumped)

  I have also attached a patch against the latest upstream git and
  against 1.30 (in Cosmic). This fixes the issue by detecting the null
  result before it is dereferenced.

  Regards,
  Daniel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1992430] Re: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade

2022-10-11 Thread Alex Murray
*** This bug is a duplicate of bug 1991691 ***
https://bugs.launchpad.net/bugs/1991691

** This bug has been marked a duplicate of bug 1991691
   cannot change mount namespace

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1992430

Title:
  Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade

Status in apparmor package in Ubuntu:
  New

Bug description:
  This occurs on Ubuntu ver. 22.10.
  Here is an example:

  skype 
  update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.skype /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied
  + [ -f /home/user/snap/skype/common/.config/skypeforlinux/settings.json ]
  + export SKYPE_LOGS=/home/user/snap/skype/231/logs
  + [ ! -d /home/user/snap/skype/231/logs ]
  + exec /snap/skype/231/usr/share/skypeforlinux/skypeforlinux

  (skypeforlinux:9439): Gtk-WARNING **: 10:13:12.251: Theme parsing error: gtk.css:3536:25: 'font-feature-settings' is not a valid property name
  Gtk-Message: 10:13:12.294: Failed to load module "colorreload-gtk-module"
  Gtk-Message: 10:13:12.295: Failed to load module "window-decorations-gtk-module"
  [1011/101312.442717:ERROR:scoped_ptrace_attach.cc(27)] ptrace: Permission denied (13)
  Nyomkövetési/töréspont csapda (core készült)

  Google translation: Trace/breakpoint trap (core made)

  Here is another one:
  teams
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/fonts": lstat /var/lib/snapd/hostfs/usr/share/fonts: permission denied
  update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): cannot inspect "/usr/local/share/fonts": lstat /usr/local/share/fonts: permission denied
  update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.teams /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied

  Loading the previous kernel fixes the issue; this is why I think it
  could be kernel-related or something like that.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1992430/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1992580] Re: i915 DG1 fails to load

2022-10-12 Thread Alex Murray
*** This bug is a duplicate of bug 1991704 ***
https://bugs.launchpad.net/bugs/1991704

** This bug has been marked a duplicate of bug 1991704
   Kinetic kernels 5.19.0-18/19-generic won't boot on Intel 11th/12th gen

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1992580

Title:
  i915 DG1 fails to load

Status in initramfs-tools package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  On kernel 5.19 in Ubuntu Jammy i915 fails to initialize Intel DG1 GPU
  --- 
  ProblemType: Bug
  ApportVersion: 2.23.1-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  DistroRelease: Ubuntu 22.10
  InstallationDate: Installed on 2020-12-06 (674 days ago)
  InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
  Package: linux
  PackageArchitecture: all
  ProcVersionSignature: Ubuntu 5.19.0-19.19-generic 5.19.7
  Tags:  wayland-session kinetic
  Uname: Linux 5.19.0-19-generic x86_64
  UpgradeStatus: Upgraded to kinetic on 2022-09-19 (22 days ago)
  UserGroups: adm cdrom dip docker libvirt lpadmin lxd plugdev sambashare sudo wireshark
  _MarkForUpload: True

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1992580/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1992930] Re: chromium won't launch at menu when installed; lubuntu kinetic

2022-10-16 Thread Alex Murray
This current bug looks like LP: #1991691

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1992930

Title:
  chromium won't launch at menu when installed; lubuntu kinetic

Status in apparmor package in Ubuntu:
  New

Bug description:
  Lubuntu kinetic live test

  `chromium` snap once installed; will not open from menu, but will open
  if started from terminal.  This may be filed against the incorrect package,
  sorry.

  Originally reported here -
  https://discourse.lubuntu.me/t/lubuntu-kinetic-after-5-19-update-chromium-only-start-from-terminal/3685
  where it was reported as an issue on the 5.19.0-19-generic kernel update

  ** to re-create

  - boot current lubuntu kinetic daily
  - snap install chromium
  - using menu, attempt to run chromium from internet apps

  ** expected outcome

  chromium starts

  ** actual outcome

  menu just closes; no messages.

  ** further notes

  u/FossFreedom (Ubuntu Budgie) reports no issues with Ubuntu Budgie
  kinetic starting Chromium.

  On Lubuntu's discourse; u/neblaz (OP for issue) also reported issues starting
  Opera; with that package being the snap (loaded from discover) and reported as
  (using `snap list`)
  opera   91.0.4516.77202 latest/stable

  
  ** in `dmesg` I note the following (this may be unrelated or unhelpful sorry)

  [ 1510.255228] loop7: detected capacity change from 0 to 293648
  [ 1510.739240] audit: type=1400 audit(1665727470.633:54): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.chromium" pid=3359 comm="apparmor_parser"
  [ 1510.820094] audit: type=1400 audit(1665727470.713:55): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromedriver" pid=3360 comm="apparmor_parser"
  [ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromium" pid=3361 comm="apparmor_parser"
  [ 1511.071575] audit: type=1400 audit(1665727470.965:57): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.hook.configure" pid=3362 comm="apparmor_parser"
  [ 1515.313383] audit: type=1400 audit(1665727475.206:58): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine" pid=3496 comm="apparmor_parser"
  [ 1515.313401] audit: type=1400 audit(1665727475.206:59): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=3496 comm="apparmor_parser"
  [ 1516.817149] audit: type=1400 audit(1665727476.710:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.chromium" pid=3498 comm="apparmor_parser"
  [ 1518.067335] audit: type=1400 audit(1665727477.962:61): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=3499 comm="apparmor_parser"
  [ 1518.568962] audit: type=1400 audit(1665727478.462:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.hook.configure" pid=3501 comm="apparmor_parser"
  [ 1519.485025] audit: type=1400 audit(1665727479.378:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=3500 comm="apparmor_parser"
  [ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.245256] audit: type=1400 audit(1665727480.142:66): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.246876] audit: type=1400 audit(1665727480.142:67): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/doc/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.246933] audit: type=1400 audit(1665727480.142:68): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 1520.349971] audit: type=1400 audit(1665727480.246:69): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.ch

[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-10-27 Thread Alex Murray
These have now been uploaded to -proposed and are sitting in UNAPPROVED:

https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=apparmor
https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=apparmor

** Changed in: apparmor (Ubuntu Focal)
   Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu Jammy)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  In Progress

Bug description:
  [ Impact ]

  This is a SRU proposal for apparmor in Focal and Jammy.
  For focal, we want to SRU fixes for Bug 1964636 which introduces the
  capability upstream patches. We are also fixing Bug 1728130 and
  Bug 1993353 which are introducing full backport of abi from
  apparmor-3.0 and support for POSIX message queue rules, which are both
  a request from Honeywell.

  Note that specifically for message queue rules, we are overriding the
  abi behavior.
  Message queue mediation is not a part of the 2.13 abi we are
  pinning. Honeywell has a kernel that has message queue mediation,
  but their policy does not contain an abi specified, so when we pin the
  abi for a kernel that does not mediate message queue, it will break
  Honeywell's AppArmor policies. So we are making an exception: when abi
  is not specified in the policy, and the policy contains mqueue rules,
  we are enforcing mqueue rules. When the policy does not contain mqueue
  rules, then they are not being enforced. This is so we do not break
  Honeywell policies and we also are not breaking policies that were
  developed when there was no mqueue or abi support.

  For jammy, we are SRUing fixes for Bug 1993353 which adds message
  queue rules support. 

  
  [ Test Plan ]

  This has been extensively tested by using QA Regression Tests[1] for
  AppArmor. All tests have passed and demonstrated AppArmor to be
  working as expected. We are also adding regression tests for message
  queue rules[2] which guarantees it is working as expected.

  [1] 
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Where problems could occur ]

  The message queue rules support could cause issues for AppArmor
  policies that were developed before there was support for mqueues,
  that's why we are also backporting abi support and pinning the abi on
  parser.conf on focal. Jammy already has the abi pinned for a kernel
  that does not have support for mqueue mediation.

  [ Other Info ]

  The patches for both focal and jammy can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions




[Touch-packages] [Bug 1915250] Re: buildd file owner/group for shared libraries

2021-02-14 Thread Alex Murray
This is currently affecting snapd 2.49+21.04 which is in hirsute-proposed -
https://forum.snapcraft.io/t/snapd-from-hirsute-proposed-wont-allow-snaps-to-run/22733/8

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1915250

Title:
  buildd file owner/group for shared libraries

Status in binutils package in Ubuntu:
  Confirmed
Status in debhelper package in Ubuntu:
  Confirmed
Status in fakeroot package in Ubuntu:
  Confirmed
Status in glibc package in Ubuntu:
  Confirmed
Status in debhelper package in Debian:
  Unknown

Bug description:
  the current state of -proposed creates deb packages with buildd file
  owner/group for shared libraries.

  reported at least for kwayland-integration.

  $ dpkg -c kwayland-integration_5.20.90-0ubuntu1_amd64.deb|grep \.so
  -rw-r--r-- doko/doko 18984 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kguiaddons/kmodifierkey/kmodifierkey_wayland.so
  -rw-r--r-- doko/doko 85392 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kwindowsystem/KF5WindowSystemKWaylandPlugin.so
  -rw-r--r-- doko/doko 35536 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/org.kde.kidletime.platforms/KF5IdleTimeKWaylandPlugin.so

   - in a release pocket, rebuild binutils from proposed. correctly
 restores the file ownership

   - in a release pocket, update glibc from proposed. then rebuild
 binutils from proposed. shows the wrong ownership

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1915250/+subscriptions



[Touch-packages] [Bug 1915250] Re: buildd file owner/group for shared libraries

2021-02-14 Thread Alex Murray
Oh I see - this was for shared libraries but I suspect it is also
affecting setuid binaries as well?



[Touch-packages] [Bug 1915250] Re: buildd file owner/group for shared libraries

2021-02-14 Thread Alex Murray
$ dpkg -c snapd_2.49+21.04_amd64.deb  | grep buildd
-rwxr-xr-x buildd/buildd 30952 2021-02-10 20:17 ./lib/systemd/system-generators/snapd-generator
-rwxr-xr-x buildd/buildd 19558008 2021-02-10 20:17 ./usr/bin/snap
-rwxr-xr-x buildd/buildd 43304 2021-02-10 20:17 ./usr/bin/snapfuse
-rwxr-xr-x buildd/buildd 11012584 2021-02-10 20:17 ./usr/lib/snapd/snap-bootstrap
-rwsr-xr-x buildd/buildd   134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rwxr-xr-x buildd/buildd 35048 2021-02-10 20:17 ./usr/lib/snapd/snap-discard-ns
-rwxr-xr-x buildd/buildd  3086648 2021-02-10 20:17 ./usr/lib/snapd/snap-exec
-rwxr-xr-x buildd/buildd  3352968 2021-02-10 20:17 ./usr/lib/snapd/snap-failure
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdb-shim
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdbserver-shim
-rwxr-xr-x buildd/buildd  7602312 2021-02-10 20:17 ./usr/lib/snapd/snap-preseed
-rwxr-xr-x buildd/buildd  7566920 2021-02-10 20:17 ./usr/lib/snapd/snap-recovery-chooser
-rwxr-xr-x buildd/buildd  8760296 2021-02-10 20:17 ./usr/lib/snapd/snap-repair
-rwxr-xr-x buildd/buildd  2530704 2021-02-10 20:17 ./usr/lib/snapd/snap-seccomp
-rwxr-xr-x buildd/buildd  4535424 2021-02-10 20:17 ./usr/lib/snapd/snap-update-ns
-rwxr-xr-x buildd/buildd  6447800 2021-02-10 20:17 ./usr/lib/snapd/snapctl
-rwxr-xr-x buildd/buildd 23371432 2021-02-10 20:17 ./usr/lib/snapd/snapd
-rwxr-xr-x buildd/buildd   921504 2021-02-10 20:17 ./usr/lib/snapd/system-shutdown
-rwxr-xr-x buildd/buildd 22760 2021-02-10 20:17 ./usr/lib/systemd/system-environment-generators/snapd-env-generator


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
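
The `dpkg -c ... | grep buildd` check used in the messages above can be generalised into a pre-upload gate that flags any package entry not owned by root and singles out setuid/setgid files, which are the ones that stop working (or become dangerous) with the wrong owner. This is an added example, not code from the thread or from any Ubuntu tooling; the function names `check_deb_ownership` and `sample_listing` are hypothetical, and the sample listing is constructed (its first two lines are copied from the snapd listing above, the rest are made up).

```shell
#!/bin/sh
# Added example: audit a `dpkg -c` listing for entries with a non-root owner
# or an unexpected group. Function names are hypothetical.

# check_deb_ownership [ALLOWED_GROUPS]
#   Reads `dpkg -c` output on stdin. ALLOWED_GROUPS is a comma-separated list
#   of group names that are acceptable (default: root).
#   Prints one line per offending entry:  SEVERITY owner/group perms path
#   SEVERITY is SETID when the entry is setuid or setgid, OWNER otherwise.
#   Returns 1 if anything was flagged, 0 if the listing is clean.
check_deb_ownership() {
    allowed_groups="${1:-root}"
    awk -v allowed="$allowed_groups" '
    BEGIN {
        n = split(allowed, names, ",")
        for (i = 1; i <= n; i++) ok_group[names[i]] = 1
    }
    # tar-style line: perms owner/group size date time path [-> target]
    NF >= 6 {
        perms = $1
        split($2, og, "/")
        owner = og[1]
        group = og[2]
        if (owner == "root" && (group in ok_group)) next

        # Paths may contain spaces: rebuild from field 6 onwards
        # (runs of spaces inside a path collapse to one).
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i
        sub(/ -> .*$/, "", path)    # drop a symlink target if present

        # 4th character carries setuid (s/S), 7th carries setgid (s/S).
        sev = "OWNER"
        if (substr(perms, 4, 1) ~ /[sS]/ || substr(perms, 7, 1) ~ /[sS]/)
            sev = "SETID"

        printf "%s %s/%s %s %s\n", sev, owner, group, perms, path
        bad++
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample input. The first two lines are taken from the snapd
# listing quoted in the thread; the remaining lines are invented for the demo.
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x buildd/buildd 19558008 2021-02-10 20:17 ./usr/bin/snap
-rwsr-xr-x buildd/buildd   134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rw-r--r-- root/root         1234 2021-02-10 20:17 ./usr/share/doc/example/copyright
-rwxr-sr-x root/shadow      84512 2021-02-10 20:17 ./usr/bin/example-setgid
drwxr-xr-x root/root            0 2021-02-10 20:17 ./usr/
EOF
}

# Demo run on the constructed listing; `|| true` because a flagged listing
# makes the function return 1.
# Against a real package: dpkg -c package.deb | check_deb_ownership root,shadow
sample_listing | check_deb_ownership || true
```

A non-zero return makes the function usable as a gate in a build or upload script; pass the groups a package legitimately ships (for example `root,shadow`) so that intended setgid files are not reported.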


[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

2021-02-15 Thread Alex Murray
@iLogin - this is likely caused by
https://bugs.launchpad.net/ubuntu/+source/fakeroot/+bug/1915250

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915307

Title:
  Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu:
  Fix Committed

Bug description:
  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.

  -- Justification of patches removed from debian/patches/series --
  * typo-in-classic-insults.diff
* This exact patch is present in upstream version 1.9.5p2-2
  * paths-in-samples.diff
* This exact patch is present in upstream version 1.9.5p2-2
  * Whitelist-DPKG_COLORS-environment-variable.diff
* This exact patch is present in upstream version 1.9.5p2-2
  * CVE-2021-23239.patch
* This exact patch is NOT present in upstream version 1.9.5p2-2
  * The patch is made to address a vulnerability wherein users
were able to gain information about what directories existed
that they should not have had access to.
  * Upstream version 1.9.5p2-2 addresses this vulnerability using
the function sudo_edit_parent_valid in the file src/sudo_edit.c
  * Since the vulnerability is addressed in upstream version
1.9.5p2-2 it can safely be dropped
  * CVE-2021-3156-1.patch
* The code from this patch already exists in upstream
  version 1.9.5p2-2
  * CVE-2021-3156-2.patch
* The code from this patch already exists in upstream
  version 1.9.5p2-2
  * CVE-2021-3156-3.patch
* The code from this patch already exists in upstream
  version 1.9.5p2-2
  * CVE-2021-3156-4.patch
* The code from this patch already exists in upstream
  version 1.9.5p2-2
  * CVE-2021-3156-5.patch
* The code from this patch already exists in upstream
  version 1.9.5p2-2
  * ineffective_no_root_mailer.patch
* This exact patch is present in upstream version 1.9.5p2-2
  under the name fix-no-root-mailer.diff

  Changes:
* Merge from Debian unstable. (LP: #1915307)
  Remaining changes:
  - debian/rules:
+ use dh-autoreconf
  - debian/rules: stop shipping init scripts, as they are no longer
necessary.
  - debian/rules:
+ compile with --without-lecture --with-tty-tickets --enable-admin-flag
+ install man/man8/sudo_root.8 in both flavours
+ install apport hooks
  - debian/sudo-ldap.dirs, debian/sudo.dirs:
+ add usr/share/apport/package-hooks
  - debian/sudo.pam:
+ Use pam_env to read /etc/environment and /etc/default/locale
  environment files. Reading ~/.pam_environment is not permitted due
  to security reasons.
  - debian/sudoers:
+ also grant admin group sudo access
+ include /snap/bin in the secure_path

  sudo (1.9.5p2-2) unstable; urgency=medium

* patch from upstream repo to fix NO_ROOT_MAILER

  sudo (1.9.5p2-1) unstable; urgency=high

* new upstream version, addresses CVE-2021-3156

  sudo (1.9.5p1-1.1) unstable; urgency=high

* Non-maintainer upload.
* Heap-based buffer overflow (CVE-2021-3156)
  - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
  - Add sudoedit flag checks in plugin that are consistent with front-end
  - Fix potential buffer overflow when unescaping backslashes in user_args
  - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
  - Don't assume that argv is allocated as a single flat buffer

  sudo (1.9.5p1-1) unstable; urgency=medium

* new upstream version, closes: #980028

  sudo (1.9.5-1) unstable; urgency=medium

* new upstream version

  sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

* SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
  - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
  - No CVE number

  sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

* SECURITY UPDATE: dir existence issue via sudoedit race
  - debian/patches/CVE-2021-23239.patch: fix potential directory existing
info leak in sudoedit in src/sudo_edit.c.
  - CVE-2021-23239
* SECURITY UPDATE: heap-based buffer overflow
  - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
  - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
plugin in plugins/sudoers/policy.c.
  - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
when unescaping backslashes in plugins/sudoers/sudoers.c.
  - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
converting a v1 timestamp to TS_LOCKEXCL in
plugins/sudoers/timestamp.c.
  - debian/patches/CVE-2021-3156-5.patch: don't as

[Touch-packages] [Bug 1915792] Re: sudo is no longer owned by root so it no longer works

2021-02-16 Thread Alex Murray
*** This bug is a duplicate of bug 1915250 ***
https://bugs.launchpad.net/bugs/1915250

** This bug has been marked a duplicate of bug 1915250
   buildd file owner/group for shared libraries

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915792

Title:
  sudo is no longer owned by root so it no longer works

Status in sudo package in Ubuntu:
  New

Bug description:
  sudo is no longer owned by root, so it no longer works:

  $ sudo dmesg
  sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

  $ ls -l `which sudo`
  -rwsr-xr-x 1 2001 2501 190952 Feb 10 12:42 /usr/bin/sudo

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: sudo 1.9.5p2-2ubuntu1
  ProcVersionSignature: Ubuntu 5.10.0-14.15-generic 5.10.11
  Uname: Linux 5.10.0-14-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset 
nvidia
  ApportVersion: 2.20.11-0ubuntu58
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: Budgie:GNOME
  Date: Tue Feb 16 09:55:07 2021
  InstallationDate: Installed on 2018-07-25 (936 days ago)
  InstallationMedia: Ubuntu-Budgie 18.04 LTS "Bionic Beaver" - Release amd64 
(20180426)
  RebootRequiredPkgs:
   gnome-shell
   zfs-dkms
   zfs-dkms
  SourcePackage: sudo
  UpgradeStatus: Upgraded to hirsute on 2020-10-31 (107 days ago)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/README: parsed OK
   /etc/sudoers.d/zfs: parsed OK
  modified.conffile..etc.sudoers: [inaccessible: [Errno 13] Permission denied: 
'/etc/sudoers']
  modified.conffile..etc.sudoers.d.README: [inaccessible: [Errno 13] Permission 
denied: '/etc/sudoers.d/README']

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915792/+subscriptions



[Touch-packages] [Bug 1915801] Re: version 1.9.5p2-2ubuntu1 broke system

2021-02-16 Thread Alex Murray
*** This bug is a duplicate of bug 1915250 ***
https://bugs.launchpad.net/bugs/1915250

** This bug has been marked a duplicate of bug 1915250
   buildd file owner/group for shared libraries

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915801

Title:
  version 1.9.5p2-2ubuntu1 broke system

Status in sudo package in Ubuntu:
  New

Bug description:
  just upgraded sudo from 1.9.4p2-2ubuntu3 to 1.9.5p2-2ubuntu1 and sudo
  does not work any more.

  here is the result:

  $ sudo ls
  sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

  Here is a long ls for sudo binary:
  -rwsr-xr-x 1 2001 2501 187K Feb   10 15:12 /usr/bin/sudo

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: sudo 1.9.5p2-2ubuntu1
  ProcVersionSignature: Ubuntu 5.10.0-14.15-generic 5.10.11
  Uname: Linux 5.10.0-14-generic x86_64
  ApportVersion: 2.20.11-0ubuntu58
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Feb 16 13:31:00 2021
  InstallationDate: Installed on 2019-11-01 (472 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  RebootRequiredPkgs: gnome-shell
  SourcePackage: sudo
  UpgradeStatus: No upgrade log present (probably fresh install)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/README: parsed OK
  modified.conffile..etc.sudoers: [inaccessible: [Errno 13] Permission denied: 
'/etc/sudoers']
  modified.conffile..etc.sudoers.d.README: [inaccessible: [Errno 13] Permission 
denied: '/etc/sudoers.d/README']

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915801/+subscriptions



[Touch-packages] [Bug 1915874] Re: autopkgtest fails in hirsute on armhf with glibc 2.33

2021-02-16 Thread Alex Murray
I'm in the process of preparing libseccomp 2.5.1 for hirsute so will add
this patch for its autopkgtests as part of that. Thanks.

** Changed in: libseccomp (Ubuntu)
 Assignee: (unassigned) => Alex Murray (alexmurray)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1915874

Title:
  autopkgtest fails in hirsute on armhf with glibc 2.33

Status in libseccomp package in Ubuntu:
  New

Bug description:
  
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-hirsute/hirsute/armhf/libs/libseccomp/20210214_103448_4822f@/log.gz
  ...
  autopkgtest [10:33:19]: test test-filter: [---
  = ./debian/tests/data/all-3.19.filter =
  DEBUG: seccomp_load_filters ./debian/tests/data/all-3.19.filter
  Bad system call (core dumped)
  FAIL: expected to pass
  ...

  The problem seems to be that with the new glibc upstream version the
  test binaries started using statx which is not listed in the .filter
  files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1915874/+subscriptions



[Touch-packages] [Bug 1915906] Re: Ensure SRP BN_mod_exp follows the constant time path

2021-02-17 Thread Alex Murray
** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1915906

Title:
  Ensure SRP BN_mod_exp follows the constant time path

Status in openssl package in Ubuntu:
  New

Bug description:
  Hello,

  I'd like to point out that there are two fixes missing from the
  upstream, is there any chance to get them incorporated?

  https://github.com/openssl/openssl/pull/13888
  https://github.com/openssl/openssl/pull/13889

  There was no CVE assigned, it was fixed between 1.1.1i and 1.1.1j.

  Best regards

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1915906/+subscriptions



[Touch-packages] [Bug 1915874] Re: autopkgtest fails in hirsute on armhf with glibc 2.33

2021-02-22 Thread Alex Murray
** Changed in: libseccomp (Ubuntu)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1915874

Title:
  autopkgtest fails in hirsute on armhf with glibc 2.33

Status in libseccomp package in Ubuntu:
  Fix Committed

Bug description:
  
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-hirsute/hirsute/armhf/libs/libseccomp/20210214_103448_4822f@/log.gz
  ...
  autopkgtest [10:33:19]: test test-filter: [---
  = ./debian/tests/data/all-3.19.filter =
  DEBUG: seccomp_load_filters ./debian/tests/data/all-3.19.filter
  Bad system call (core dumped)
  FAIL: expected to pass
  ...

  The problem seems to be that with the new glibc upstream version the
  test binaries started using statx which is not listed in the .filter
  files.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1915874/+subscriptions



[Touch-packages] [Bug 1916669] [NEW] autopkgtests flaky for hirsute across various architectures

2021-02-23 Thread Alex Murray
Public bug reported:

Currently the lxc 1:4.0.4-1:4.0.4-0ubuntu3 and 1:4.0.6-0ubuntu1
autopkgtests for hirsute are quite flaky across most architectures:

amd64 - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/amd64
---
only 3 out of the last 8 runs were successful even after multiple manual 
retries for the same trigger package.

arm64 - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/arm64
---
only 3 out of the last 10 runs were successful even after multiple manual 
retries for the same trigger package.

s390x - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/s390x
---
only 1 out of the last 12 runs were successful even after multiple manual 
retries for the same trigger package.

ppc64el - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/ppc64el
---
this seems to be running better more recently but was failing previously for 
the same trigger packages against the same lxc package

As such I feel it makes sense to mark both of these versions as force-
reset-test so that lxc failures do not block other packages migrating.

** Affects: lxc (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1916669

Title:
  autopkgtests flaky for hirsute across various architectures

Status in lxc package in Ubuntu:
  New

Bug description:
  Currently the lxc 1:4.0.4-1:4.0.4-0ubuntu3 and 1:4.0.6-0ubuntu1
  autopkgtests for hirsute are quite flaky across most architectures:

  amd64 - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/amd64
  ---
  only 3 out of the last 8 runs were successful even after multiple manual 
retries for the same trigger package.

  arm64 - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/arm64
  ---
  only 3 out of the last 10 runs were successful even after multiple manual 
retries for the same trigger package.

  s390x - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/s390x
  ---
  only 1 out of the last 12 runs were successful even after multiple manual 
retries for the same trigger package.

  ppc64el - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/ppc64el
  ---
  this seems to be running better more recently but was failing previously for 
the same trigger packages against the same lxc package

  As such I feel it makes sense to mark both of these versions as force-
  reset-test so that lxc failures do not block other packages migrating.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1916669/+subscriptions



[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers

2021-02-28 Thread Alex Murray
As I understand it I don't see there is any issue here with libseccomp
in Ubuntu as it currently stands - whilst the aforementioned runc
workaround commit description specifies a number of shortcomings with
libseccomp and the inability to easily handle and distinguish newly
added syscalls between it and glibc etc, until there is some more
generic mechanism for either libseccomp policy authors, or libseccomp
itself, to easily identify what syscalls are supported by a given system
and therefore whether the generated policy is sufficient to enumerate
these, there is no obvious "fix" for libseccomp itself.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1916485

Title:
  test -x fails inside shell scripts in containers

Status in glibc package in Ubuntu:
  Triaged
Status in libseccomp package in Ubuntu:
  Fix Committed
Status in glibc source package in Hirsute:
  Triaged
Status in libseccomp source package in Hirsute:
  Fix Committed

Bug description:
  glibc regression causes test -x to fail inside scripts inside
  docker/podman, dash and bash are broken, mksh and zsh are fine:

  root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/#

  root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail

  The -f flag works, as does /usr/bin/test:
  # bash -c "test -f /usr/bin/gpg  || echo Fail"
  # bash -c "/usr/bin/test -x /usr/bin/gpg  || echo Fail"
  #

  [Original bug report]
  root@84b750e443f8:/# lsb_release -rd
  Description:  Ubuntu Hirsute Hippo (development branch)
  Release:  21.04
  root@84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name   Version         Architecture Description
  +++-======-===============-============-==========================================
  ii  apt    2.1.20          amd64        commandline package manager
  ii  gnupg  2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement

  Hi,
  for 3 days our CI pipelines to recreate Docker images fail for the Hirsute
  images. From comparison this seems to be caused by apt 2.1.20.

  The build fails with:

  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of
  them is required for this operation

  The simple Dockerfile to reproduce the error - "docker build -t foo ."

  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff 

  USER root

  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
    && curl https://syncthing.net/release-key.txt | apt-key add -

  Breaking it down, this seems to be an issue that there is new
  functionality in apt/apt-key e.g. security hardening that docker
  prohibits in its containers. Running this manually works only in an
  --privileged container.

  So adding keys in unprivileged container or possibly kubernetes will
  not work anymore.

  Flo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1916485/+subscriptions



[Touch-packages] [Bug 1891810] Re: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers

2021-02-28 Thread Alex Murray
** Also affects: libseccomp (Ubuntu Hirsute)
   Importance: Undecided
 Assignee: Alex Murray (alexmurray)
   Status: New

** Changed in: libseccomp (Ubuntu Hirsute)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn
  containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  New
Status in libseccomp source package in Focal:
  New
Status in libseccomp source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released

Bug description:
  The version of libseccomp2 in bionic does not know about the openat2
  syscall.

  In my particular usecase, I was trying to run podman/buildah in an
  nspawn container, using fuse-overlayfs. This leads to peculiar failure
  modes as described in this issue:

  https://github.com/containers/fuse-overlayfs/issues/220

  This could well cause other problems, previously issues like that have
  affected snapd, etc.

  Backporting the master branch of libseccomp fixed this for me, but for
  an SRU a cherrypick of
  
https://github.com/seccomp/libseccomp/commit/b3206ad5645dceda89538ea8acc984078ab697ab
  might be sufficient...

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libseccomp2 2.4.3-1ubuntu3.18.04.3
  ProcVersionSignature: Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44
  Uname: Linux 5.4.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.16
  Architecture: amd64
  Date: Sun Aug 16 17:35:09 2020
  Dependencies:
   gcc-8-base 8.4.0-1ubuntu1~18.04
   libc6 2.27-3ubuntu1.2
   libgcc1 1:8.4.0-1ubuntu1~18.04
  ProcEnviron:
   TERM=screen.xterm-256color
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libseccomp
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+subscriptions



[Touch-packages] [Bug 1917920] Re: magic-proxy broke with iptables 1.8.7-1ubuntu2

2021-03-08 Thread Alex Murray
I tried to reproduce this in an up-to-date bionic VM as follows:

# inside the bionic VM
sudo snap install lxd
sudo lxd init # accept defaults
sudo lxc launch ubuntu-daily:hirsute hirsute
sudo lxc exec hirsute /bin/bash


# then inside the hirsute container install livecd-rootfs
apt update
apt install livecd-rootfs

# http works as expected with no changes
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working # works as expected with no iptables rule

# add iptables rule manually
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
   -j REDIRECT --to 8080

# now we expect it to fail as there is no magic-proxy running yet
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed

# start the magic-proxy manually
/usr/share/livecd-rootfs/magic-proxy  \
   --address="127.0.0.1"  \
   --port=8080\
   --run-as=daemon\
   --cutoff-time=0\
   --log-file=livecd.magic-proxy.log  \
   --pid-file=magic-proxy.pid \
   --background   \
   --setsid

# wget works as expected via the proxy
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working

# kill the proxy
killall magic-proxy

# fails again
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed

# remove iptables rule
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
   -j REDIRECT --to 8080

# works as normal
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1917920

Title:
  magic-proxy broke with iptables 1.8.7-1ubuntu2

Status in Launchpad itself:
  New
Status in iptables package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New

Bug description:
  when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic
  proxy stopped working in livecd-rootfs.

  It does a very simple thing:

  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  inside hirsute lxd container, with quite high privileges, in a bionic
  VM, running 4.15 kernel.

  With 1.8.5 the above worked fine; with 1.8.7 somehow there was no outbound
  connectivity: the very first http networking command after the above
  call would just hang indefinitely.

  However, if one does this instead:

  iptables -vv -t nat -S
  iptables-legacy -vv -t nat -S
  iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  somehow magically everything starts to work fine.

  weird.

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1917920/+subscriptions



[Touch-packages] [Bug 1917920] Re: magic-proxy broke with iptables 1.8.7-1ubuntu2

2021-03-09 Thread Alex Murray
Good point re google.com - I just repeated the above test but replacing
www.google.com with http://neverssl.com and verified it worked as
expected so it doesn't look like http->https redirect affected the
results.

Hmmm perhaps there is something else at play compared to when testing
locally vs on launchpad - with your original test-case, does using
`iptables -L -t nat` behave any differently than `iptables -S -t nat` in
terms of working around this? Perhaps there is something in the existing
iptables setup on launchpad that is not present in our local testing
which may be needed to reproduce this?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1917920

Title:
  magic-proxy broke with iptables 1.8.7-1ubuntu2

Status in Launchpad itself:
  New
Status in iptables package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New

Bug description:
  when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic
  proxy stopped working in livecd-rootfs.

  It does a very simple thing:

  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  inside hirsute lxd container, with quite high privileges, in a bionic
  VM, running 4.15 kernel.

  With 1.8.5 the above worked fine; with 1.8.7 somehow there was no outbound
  connectivity: the very first http networking command after the above
  call would just hang indefinitely.

  However, if one does this instead:

  iptables -vv -t nat -S
  iptables-legacy -vv -t nat -S
  iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  somehow magically everything starts to work fine.

  weird.

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1917920/+subscriptions



[Touch-packages] [Bug 1919078] Re: Ubuntu SSO login - not working (Throws "Error connecting to server"

2021-03-14 Thread Alex Murray
** Package changed: ubuntu => gnome-online-accounts (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnome-online-accounts in
Ubuntu.
https://bugs.launchpad.net/bugs/1919078

Title:
  Ubuntu SSO login - not working (Throws "Error connecting to server"

Status in gnome-online-accounts package in Ubuntu:
  New

Bug description:
  Hi,

  I'm looking for possible ways to add an Ubuntu SSO account with my
  Ubuntu system for the past few weeks.

  But I'm getting the error as "Error connecting to Ubuntu SSO server.
  Something went wrong. Please try again later".

  I tried to login via the web, it works fine.

  
  I'm on the latest build.
  Check my system version at https://ibb.co/7bc1JgP

  Screenshot (of error):
  https://ibb.co/v1JvKZ6

  
  Kindly help me with this error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-online-accounts/+bug/1919078/+subscriptions



[Touch-packages] [Bug 1891810] Re: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers

2021-03-14 Thread Alex Murray
Updating libseccomp to 2.5.1 breaks the systemd unit tests on ppc64el
since the behaviour around filtering of the multiplexed socket() system
call changes - as such a fix for systemd in
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696 is also
required.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn
  containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  New
Status in libseccomp source package in Focal:
  New
Status in libseccomp source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released

Bug description:
  The version of libseccomp2 in bionic does not know about the openat2
  syscall.

  In my particular usecase, I was trying to run podman/buildah in an
  nspawn container, using fuse-overlayfs. This leads to peculiar failure
  modes as described in this issue:

  https://github.com/containers/fuse-overlayfs/issues/220

  This could well cause other problems, previously issues like that have
  affected snapd, etc.

  Backporting the master branch of libseccomp fixed this for me, but for
  an SRU a cherrypick of
  https://github.com/seccomp/libseccomp/commit/b3206ad5645dceda89538ea8acc984078ab697ab
  might be sufficient...

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libseccomp2 2.4.3-1ubuntu3.18.04.3
  ProcVersionSignature: Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44
  Uname: Linux 5.4.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.16
  Architecture: amd64
  Date: Sun Aug 16 17:35:09 2020
  Dependencies:
   gcc-8-base 8.4.0-1ubuntu1~18.04
   libc6 2.27-3ubuntu1.2
   libgcc1 1:8.4.0-1ubuntu1~18.04
  ProcEnviron:
   TERM=screen.xterm-256color
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libseccomp
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+subscriptions



[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers

2021-03-14 Thread Alex Murray
@oded-geek - yes, the libseccomp SRU to backport 2.5.1 to these releases
is being handled in
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1916485

Title:
  test -x fails inside shell scripts in containers

Status in docker.io package in Ubuntu:
  New
Status in glibc package in Ubuntu:
  Opinion
Status in libseccomp package in Ubuntu:
  Fix Committed
Status in runc package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Fix Released
Status in docker.io source package in Xenial:
  New
Status in glibc source package in Xenial:
  Invalid
Status in libseccomp source package in Xenial:
  New
Status in runc source package in Xenial:
  New
Status in systemd source package in Xenial:
  New
Status in docker.io source package in Bionic:
  New
Status in glibc source package in Bionic:
  Invalid
Status in libseccomp source package in Bionic:
  New
Status in runc source package in Bionic:
  New
Status in systemd source package in Bionic:
  New
Status in docker.io source package in Focal:
  New
Status in glibc source package in Focal:
  Invalid
Status in libseccomp source package in Focal:
  New
Status in runc source package in Focal:
  New
Status in systemd source package in Focal:
  New
Status in docker.io source package in Groovy:
  New
Status in glibc source package in Groovy:
  Invalid
Status in libseccomp source package in Groovy:
  New
Status in runc source package in Groovy:
  New
Status in systemd source package in Groovy:
  Fix Released
Status in docker.io source package in Hirsute:
  New
Status in glibc source package in Hirsute:
  Opinion
Status in libseccomp source package in Hirsute:
  Fix Committed
Status in runc source package in Hirsute:
  New
Status in systemd source package in Hirsute:
  Fix Released

Bug description:
  (SRU template for systemd)

  [impact]

  bash (and some other shells) builtin test command -x operation fails

  [test case]

  on any affected host system, start nspawn container, e.g.:

  $ sudo apt install systemd-container
  $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
  $ mkdir h
  $ cd h
  $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
  $ sudo systemd-nspawn

  Then from a bash shell, verify if test -x works:

  root@h:~# ls -l /usr/bin/gpg
  -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
  root@h:~# test -x /usr/bin/gpg || echo "fail"
  fail

  [regression potential]

  any regression would likely occur during a syscall, most likely
  faccessat2(), or during other syscalls.

  [scope]

  this is needed for b/f

  this is fixed upstream by commit
  bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so
  this is fixed in h

  this was pulled into Debian at version 246.2 in commit
  e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g

  in x, the entire systemd seccomp code is completely different and the
  patch doesn't apply, nor does it appear to be needed, as the problem
  doesn't reproduce in a h container under x.

  [other info]

  this needs fixing in libseccomp as well

  [original description]

  glibc regression causes test -x to fail inside scripts inside
  docker/podman, dash and bash are broken, mksh and zsh are fine:

  root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/#

  root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail

  The -f flag works, as does /usr/bin/test:
  # bash -c "test -f /usr/bin/gpg  || echo Fail"
  # bash -c "/usr/bin/test -x /usr/bin/gpg  || echo Fail"
  #

  [Original bug report]
  root@84b750e443f8:/# lsb_release -rd
  Description:  Ubuntu Hirsute Hippo (development branch)
  Release:  21.04
  root@84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name   Version         Architecture Description
  +++-======-===============-============-==========================================
  ii  apt    2.1.20          amd64        commandline package manager
  ii  gnupg  2.2.20-1ubuntu2 all          GNU privacy guard - a free PGP replacement

  Hi,
  for 3 days our CI pipelines to recreate Docker images fails for the Hirsute 
ima

[Touch-packages] [Bug 1891810] Re: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers

2021-03-14 Thread Alex Murray
** Patch added: "libseccomp_2.5.1-1ubuntu1~18.04.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5476577/+files/libseccomp_2.5.1-1ubuntu1~18.04.1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn
  containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  New
Status in libseccomp source package in Focal:
  New
Status in libseccomp source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  The version of libseccomp2 in X/B/F/G does not know about the openat2
  syscall. As such applications that use libseccomp cannot specify a
  system-call filter against this system-call and so it cannot be
  mediated.

  [Test Plan]

  This can be tested by simply running scmp_sys_resolver from the
  seccomp binary package and specifying this system-call:

  Existing behaviour:

  $ scmp_sys_resolver openat2
  -1

  Expected behaviour:

  $ scmp_sys_resolver openat2
  437

  (Note this value will be different on other architectures)

  [Where problems could occur]

  In version 2.5.1 of libseccomp which adds this new system-call,
  changes were also made in the way the socket system-call is handled by
  libseccomp on PPC platforms - this resulted in a change in the
  expected behaviour and so this has already been noticed and a fix is
  required for the systemd unit tests as a result
  https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

  There was also a similar change for s390x but so far no regressions
  have been observed as a result as systemd already expected that
  behaviour from libseccomp, it was only PPC that was missing.

  In the event that a regression is observed however, we can easily
  either patch the affected package to cope with the new behaviour of
  this updated libseccomp since in each case the change in behaviour
  only affects a few system calls on particular architectures, or we can
  revert this update.

  [Other Info]

   * As usual thorough testing of this update has been performed both
  manually via the QA Regression Testing scripts, and via the
  autopkgtest infrastructure against packages in the Ubuntu Security
  Proposed PPA
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/
  with results seen
  https://people.canonical.com/~platform/security-britney/current/

  I have attached debdiffs of the prepared updates which are also
  sitting in the Ubuntu Security Proposed PPA.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
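
The Test Plan in the message above, generalised into a pre-flight check: it runs scmp_sys_resolver over every syscall name a policy intends to filter and fails closed if any name resolves to -1. This is an added example, not code from the bug report or from libseccomp; the RESOLVER variable, the function names and the two stub resolvers (x86_64 numbers) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report.
# Pre-flight check: can the installed libseccomp resolve every syscall name
# a seccomp policy intends to filter? scmp_sys_resolver prints -1 for names
# the library does not know, and such a syscall cannot be mediated.

# Resolver to call. Override RESOLVER to test against a stub, as demo() does.
: "${RESOLVER:=scmp_sys_resolver}"

# unresolved_syscalls NAME...
# Prints a space-separated list of the names the resolver could not map to a
# non-negative syscall number. Returns 1 if any name is unresolved, else 0.
unresolved_syscalls() {
    missing=""
    for name in "$@"; do
        # A missing tool or a failing call counts as unresolved (fail closed).
        num=$("$RESOLVER" "$name" 2>/dev/null) || num=-1
        case "$num" in
            ''|*[!0-9]*) missing="${missing:+$missing }$name" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed stubs (x86_64 numbers, not real tool output): one emulates a
# library that predates openat2 and faccessat2, the other one that knows them.
stub_old() {
    case "$1" in
        openat) echo 257 ;;
        *)      echo -1 ;;
    esac
}
stub_new() {
    case "$1" in
        openat)     echo 257 ;;
        openat2)    echo 437 ;;
        faccessat2) echo 439 ;;
        *)          echo -1 ;;
    esac
}

# Demo: the same policy checked against both stubs.
demo() {
    saved=$RESOLVER
    for RESOLVER in stub_old stub_new; do
        if gaps=$(unresolved_syscalls openat openat2 faccessat2); then
            echo "$RESOLVER: all syscalls resolvable"
        else
            echo "$RESOLVER: cannot be mediated: $gaps"
        fi
    done
    RESOLVER=$saved
}
demo
```

On a real host, leave RESOLVER unset and pass the syscall names from the policy being deployed; a non-zero return means the policy should not be loaded as-is.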

