[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default
** Also affects: ufw
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu.
https://bugs.launchpad.net/bugs/2051540

Title: ufw ftbfs with Python 3.12 as default

Status in ufw: New
Status in ufw package in Ubuntu: Confirmed

Bug description:

==
ERROR: test_ufwcommand_parse (tests.unit.test_parser.ParserTestCase.test_ufwcommand_parse)
Test UFWCommand.parse()
--
Traceback (most recent call last):
  File "/<>/tests/unit/test_parser.py", line 88, in test_ufwcommand_parse
    self.assertEquals('status', pr.action, "%s != 'status'" % (pr.action))
    ^
AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

==
ERROR: test_ufwcommand_rule_get_command (tests.unit.test_parser.ParserTestCase.test_ufwcommand_rule_get_command)
Test UFWCommand(Route)Rule.get_command()
--
Traceback (most recent call last):
  File "/<>/tests/unit/test_parser.py", line 375, in test_ufwcommand_rule_get_command
    self.assertEquals(len(errors), 0,
    ^
AttributeError: 'ParserTestCase' object has no attribute 'assertEquals'. Did you mean: 'assertEqual'?

--
Ran 24 tests in 7.584s

FAILED (errors=9)
test_skeleton
test_example (tests.unit.test_skeleton.SkeletonTestCase.test_example)
Test example dummy test ... ok

--
Ran 1 test in 0.000s

OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/ufw/+bug/2051540/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default
Both deb8 tests already declare a Depends on python3-distutils - and we can see that the current test runs all used the 3.11 based python3-distutils - do we need a no-change-rebuild of python3-stdlib-extensions so that it builds against python 3.12?

https://bugs.launchpad.net/bugs/2051540

Status in ufw: Fix Committed
Status in ufw package in Ubuntu: Confirmed
Status in ufw package in Debian: Fix Released
[Touch-packages] [Bug 2054924] Re: color emoji are broken with fontconfig 2.15
As per https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409#note_2298588 this can also be fixed by adding an additional rule to /etc/fonts/conf.d/70-no-bitmaps.conf of the form:

false

** Bug watch added: gitlab.freedesktop.org/fontconfig/fontconfig/-/issues #409
   https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to fontconfig in Ubuntu.
https://bugs.launchpad.net/bugs/2054924

Title: color emoji are broken with fontconfig 2.15

Status in Fontconfig: Fix Released
Status in fontconfig package in Ubuntu: Triaged
Status in fonts-noto-color-emoji package in Ubuntu: Triaged
Status in fontconfig package in Debian: Confirmed

Bug description:
The Noto Color Emoji font is no longer used to show emoji. Many emoji no longer show and the few that do are not in color.
[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble
Uploaded to noble-proposed yesterday https://launchpad.net/ubuntu/+source/apparmor/4.0.0~beta2-0ubuntu3

** Changed in: apparmor (Ubuntu)
       Status: Triaged => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056496

Title: [FFe] AppArmor 4.0-beta2 + prompting support for noble

Status in apparmor package in Ubuntu: Fix Committed

Bug description:

AppArmor 4.0-beta2 contains fixes that prevented AppArmor 4.0-beta1 from landing pre feature freeze. Landing AppArmor 4.0-beta's will enable us to more easily track upstream bug fixes, and is needed to support network rules in prompting.

The addition of the prompting patch on top of AppArmor 4.0 is required to support snapd prompting in general for both file and network rules. Currently the prompting patch is not part of the upstream release but is part of the vendored apparmor in snapd. In order for snapd to be able to vendor the noble release of apparmor it requires support for prompting.

The prompting patch is a straight rebase to AppArmor 4.0 of the patch that has been in testing in snapd prompting for more than six months.

Changes from 4.0.0~alpha4-0ubuntu1 (current noble) version

Beta1 added three additional features that were not present in alpha4 (current Noble).

• support for fine grained (address based) IPv4 and IPv6 mediation (required for prompting to support networking).
• aa-notify support message filters to reduce notifications
• aa-logprof/genprof support for mount rules

None of these features affect existing policy, which will continue to function under the abi that it was developed under. This can be seen in the regression testing below.

In addition to the 3 features introduced in Beta1, Beta1 and Beta2 add several bug fixes, the most important are highlighted below with the full list available in the upstream release notes, available at
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta1 and
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0-beta2

• new unconfined profiles in support of unprivileged user namespace mediation https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
  ∘ nautilus, devhelp, element-desktop, epiphany, evolution, keybase, opam
• fix policy generation for non-af_inet rules (MR:1175)
• Fix race when reading proc files (AABUG:355, MR:1157)
• handle unprivileged_userns transition in userns tests (MR:1146)
• fix usr-merge failures on exec and regex tests (MR:1146)

This proposed change has been tested via the QA Regression Testing project, in particular with the specific test added in
https://git.launchpad.net/qa-regression-testing/commit/?id=6f2c5ab7c8659174adac772ce0e894328bb5045d

The output of a test run is in the attached qrt.output file. Of which the summary is below

Ran 62 tests in 811.542s

OK (skipped=3)

apparmor_4.0.0~beta2-0ubuntu3 has been installed on several up to date (as of March 7) noble systems. Boot/Reboot and regression tests have been done, against different kernel versions.

6.8.0-11-generic #11-Ubuntu
6.5.0-14-generic #14-Ubuntu
6.7.0 (upstream custom build)
6.8-rc3 (upstream custom build)

The changelog is available here
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+files/apparmor_4.0.0~beta2-0ubuntu3_source.changes

The prepared package is available via the ppa
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-ffe
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"

This is provided by the system-observe interface in snapd - currently it looks like element-desktop does not plug this so the element-desktop snap needs to be updated to include this.

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"

These are provided by the password-manager-service interface in snapd - again currently it looks like element-desktop does not plug this so the element-desktop snap needs to be updated to include this as well.

Finally, for the last two

> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
> Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"

Yes this is due to the peer_label mismatch - previously plasmashell would run without an AppArmor profile and so was "unconfined" - the most recent apparmor release in Noble contains a new profile for plasmashell in /etc/apparmor.d/plasmashell with the label "plasmashell" - and so now the peer_label doesn't match. This likely needs to be fixed on the snapd side (or we figure out a way in apparmor to not ship this profile).

https://bugs.launchpad.net/bugs/2056696

Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: New
Status in apparmor package in Ubuntu: Confirmed
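The triage in the reply above (a denial against an "unconfined" peer points to a plug the snap does not declare, a denial against peer_label="plasmashell" to the newly confined peer), as an added example that is not part of the original message and is not snapd or AppArmor code. The input is the five denial lines quoted in the reply; the function names and the hint table are assumptions of this example, with the interface names taken from the reply.

```python
import re
from collections import defaultdict

# key="value" or key=value pairs, as they appear in an AppArmor audit message
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed input: the five denial lines quoted in the reply, one per line.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
'''

# Hint table built from the reply: which snapd interface it names for each
# denied D-Bus call. A member of None matches any member of that interface.
PLUG_HINTS = {
    ("org.freedesktop.DBus", "ListActivatableNames"): "system-observe",
    ("org.kde.KWallet", None): "password-manager-service",
}


def parse_denial(line):
    """Return the key/value fields of one DENIED record, or None for other lines."""
    fields = {key: (bare or quoted) for key, quoted, bare in PAIR.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def classify(denial):
    """Name the likely cause of one denial, following the reply's reasoning."""
    peer = denial.get("peer_label", "unconfined")
    if peer != "unconfined":
        # The peer now runs under its own profile, so a rule written for an
        # unconfined peer no longer matches.
        return "peer-confined:" + peer
    iface, member = denial.get("interface"), denial.get("member")
    plug = PLUG_HINTS.get((iface, member)) or PLUG_HINTS.get((iface, None))
    return "missing-plug:" + plug if plug else "unclassified"


def triage(log_text):
    """Group denials by cause; values are (label, interface, member) tuples."""
    causes = defaultdict(list)
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial:
            causes[classify(denial)].append(
                (denial.get("label"), denial.get("interface"), denial.get("member"))
            )
    return dict(causes)


if __name__ == "__main__":
    for cause, entries in triage(SAMPLE_LOG).items():
        print(cause)
        for label, iface, member in entries:
            print(f"  {label}: {iface}.{member}")
```
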
[Touch-packages] [Bug 2058329] [NEW] Update apparmor to 4.0.0-beta3 in noble
Public bug reported:

Latest upstream release https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3

Contains only bug fixes since 4.0.0-beta2 which is currently in noble-proposed thus does not require a FFe.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2058329
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
So I installed kubuntu-desktop on an up-to-date noble VM and then after logging into the kubuntu session I was able to reproduce the issue for Notifications but I couldn't see anything owning the /StatusNotifierItem dbus path. For notifications I submitted https://github.com/snapcore/snapd/pull/13737 to snapd which should resolve that but if anyone can help me reproduce the issue for the status notifier item that would be great.

FWIW I have attached a screenshot of d-feet showing the various dbus paths owned by plasmashell and /StatusNotifierItem is not listed. Am I perhaps missing some other package that doesn't get pulled in by the standard kubuntu-desktop metapackage?

** Attachment added: "Pasted image.png"
   https://bugs.launchpad.net/snapd/+bug/2056696/+attachment/5757409/+files/Pasted%20image.png
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
Yes I hit that exact issue in Calamares but after fixing it I then hit another similar crash in a different script in calamares - will see if I can reproduce and provide you with details.

https://bugs.launchpad.net/bugs/2056696

Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: New
Status in apparmor package in Ubuntu: Confirmed

Bug description:

OS: Kubuntu Noble 24.04 Alpha (two-day old install)
snapd version: 2.61.2
Affected Snaps: firefox, thunderbird, element-desktop

Steps to reproduce:

# For Firefox:
1. Open the Firefox Snap.
2. Open https://www.bennish.net/web-notifications.html.
3. Click "Authorize" and allow the website to send notifications.
4. Click "Show".

Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

# For Thunderbird:
1. Open the Thunderbird Snap.
2. Ensure you are connected to an email account.
3. Unfocus the Thunderbird window.
4. Wait for an email to come through.

Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

# For Element:
1. Open the Element Snap.

Expected result: An apptray indicator should appear in the system tray with the Element logo.
Actual result: No such indicator appears.

2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.

Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: No notification appears at all.

Additional information:

Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:

```
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
```

Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault.

This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422, however it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug.

I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This doesn't make a great deal of sense to me, and I suspect possibly some other component of the affected systems happened to get updated at the same time (perhaps the snapd Snap), but it's de
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
Ah although it seems I can reboot the VM at this point and whilst Calamares appeared to run again in the rebooted vm if I choose Install Calamares closes and I see the installed kubuntu environment - weird

Anyway I think I will be able to use this to debug the original issue further - will continue and let you know what I find.
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
The subsequent error is:

Main script file /usr/lib/x86_64-linux-gnu/calamares/modules/automirror/main.py for python job automirror raised an exception.

Is there any way I can debug this further?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2056696

Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

Status in snapd: New
Status in apparmor package in Ubuntu: Confirmed

Bug description:

OS: Kubuntu Noble 24.04 Alpha (two-day old install)
snapd version: 2.61.2
Affected Snaps: firefox, thunderbird, element-desktop

Steps to reproduce:

# For Firefox:
1. Open the Firefox Snap.
2. Open https://www.bennish.net/web-notifications.html.
3. Click "Authorize" and allow the website to send notifications.
4. Click "Show".

Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback.

# For Thunderbird:
1. Open the Thunderbird Snap.
2. Ensure you are connected to an email account.
3. Unfocus the Thunderbird window.
4. Wait for an email to come through.

Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback.

# For Element:
1. Open the Element Snap.

Expected result: An apptray indicator should appear in the system tray with the Element logo.
Actual result: No such indicator appears.

2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through.

Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays.
Actual result: No notification appears at all.

Additional information:

Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:

```
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
```

Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault.

This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422, however it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug).

I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This doesn't make a great deal of sense to me, and I suspect possibly some other component of the affected systems happened to get updated at the same time (perhaps the snapd Snap),
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
Ok whilst I still can't see the /StatusNotifierItem object listed via d-feet I can reproduce the denials when launching element-desktop so I have added some additional changes to the aforementioned PR which resolve these as well. With all the changes from that PR in place all of these mentioned denials are resolved. ** Changed in: snapd Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056696 Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors Status in snapd: In Progress Status in apparmor package in Ubuntu: Confirmed
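The AppArmor D-Bus denials quoted in this bug's description can be reduced to one candidate rule per denied call, which makes it easier to compare them against the policy a snap interface already grants. The following is an added example, not part of the report, the replies or snapd: the function names are hypothetical, the log payloads are copied from the report, and the emitted lines are candidates in apparmor.d `dbus` rule syntax for manual review, not snapd's own policy.

```python
import re
from collections import Counter

# "Log:" payloads copied from the snappy-debug output quoted in the bug report.
DENIALS = """\
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
"""

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of one AppArmor D-Bus denial, or None for other lines."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") != "DENIED" or "mask" not in fields:
        return None
    if not fields.get("operation", "").startswith("dbus_"):
        return None
    return fields


def candidate_rule(d):
    """Build a narrowly scoped dbus rule matching exactly the denied call."""
    parts = ["dbus (%s)" % d["mask"]]
    for key in ("bus", "path", "interface", "member"):
        if key in d:
            parts.append("%s=%s" % (key, d[key]))
    peer = []
    name = d.get("name", "")
    # Unique connection names such as ":1.45" change every session, so only
    # well-known names on send rules are carried into the peer expression.
    if d["mask"] == "send" and name and not name.startswith(":"):
        peer.append("name=" + name)
    if "peer_label" in d:
        peer.append("label=" + d["peer_label"])
    if peer:
        parts.append("peer=(%s)" % ", ".join(peer))
    return " ".join(parts) + ","


def summarize(text):
    """Count distinct (confined label, candidate rule) pairs and peer labels."""
    rules, peers = Counter(), Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        rules[(d.get("label", "?"), candidate_rule(d))] += 1
        peers[d.get("peer_label", "?")] += 1
    return rules, peers


if __name__ == "__main__":
    rules, peers = summarize(DENIALS)
    for (label, rule), count in rules.items():
        print("%dx %s\n    %s" % (count, label, rule))
    print("peer labels:", dict(peers))
```

Grouping by peer label shows which confined or unconfined peers the denied calls were addressed to, which is the field to compare against the `peer=(label=...)` expressions in the existing interface policy.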
[Touch-packages] [Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)
Given this has been reverted in Debian, it should not be synced into Ubuntu. ** Changed in: xz-utils (Ubuntu) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xz-utils in Ubuntu. https://bugs.launchpad.net/bugs/2059417 Title: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main) Status in xz-utils package in Ubuntu: Won't Fix Bug description: Please sync xz-utils 5.6.1-1 (main) from Debian unstable (main) Hello! I am one of the upstream maintainers for XZ Utils. Version 5.6.1 was recently released and uploaded to Debian as a bugfix only release. Notably, this fixes a bug that causes Valgrind to issue a warning on any application dynamically linked with liblzma. This includes a lot of important applications. This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass. Additionally, this fixes a small typo for the man pages translations for Brazilian Portuguese, German, French, Korean, Romanian, and Ukrainian, and removes the need for patches applied for version 5.6.0-0.2. The other bugfixes in this release have no impact on Ubuntu. They involve building with CMake or when building on a system without Landlock system calls defined (these are defined in Ubuntu). Changelog entries since current noble version 5.6.0-0.2: xz-utils (5.6.1-1) unstable; urgency=medium * Non-maintainer upload. * Import 5.6.1 (Closes: #1067708). * Takeover maintenance of the package. -- Sebastian Andrzej Siewior Wed, 27 Mar 2024 22:53:21 +0100 Excerpt from the NEWS entry from upstream: 5.6.1 (2024-03-09) * liblzma: Fixed two bugs relating to GNU indirect function (IFUNC) with GCC. The more serious bug caused a program linked with liblzma to crash on start up if the flag -fprofile-generate was used to build liblzma. The second bug caused liblzma to falsely report an invalid write to Valgrind when loading liblzma. 
* xz: Changed the messages for thread reduction due to memory constraints to only appear under the highest verbosity level. * Build: - Fixed a build issue when the header file was present on the system but the Landlock system calls were not defined in . - The CMake build now warns and disables NLS if both gettext tools and pre-created .gmo files are missing. Previously, this caused the CMake build to fail. * Minor improvements to man pages. * Minor improvements to tests. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/2059417/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2062440] Re: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tzdata in Ubuntu. https://bugs.launchpad.net/bugs/2062440 Title: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone. Status in tzdata package in Ubuntu: New Bug description: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone. root@lmobile4dcda1:/etc# apt reinstall tzdata Reading package lists... Done Building dependency tree... Done Reading state information... Done 0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded. Need to get 348 kB of archives. After this operation, 0 B of additional disk space will be used. Get:1 https://mirror.mia.velocihost.net/ubuntu jammy-updates/main amd64 tzdata all 2024a-0ubuntu0.22.04 [348 kB] Fetched 348 kB in 6s (61,9 kB/s) Preconfiguring packages ... (Reading database ... 244685 files and directories currently installed.) Preparing to unpack .../tzdata_2024a-0ubuntu0.22.04_all.deb ... Unpacking tzdata (2024a-0ubuntu0.22.04) over (2024a-0ubuntu0.22.04) ... Setting up tzdata (2024a-0ubuntu0.22.04) ... Current default time zone: 'America/Caracas' Local time is now: jue 18 abr 2024 17:11:26 -04. Universal Time is now: Thu Apr 18 21:11:26 UTC 2024. Run 'dpkg-reconfigure tzdata' if you wish to change it. 
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: tzdata 2024a-0ubuntu0.22.04 ProcVersionSignature: Ubuntu 6.5.0-27.28~22.04.1-generic 6.5.13 Uname: Linux 6.5.0-27-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: GNOME Date: Thu Apr 18 16:52:36 2024 InstallationDate: Installed on 2023-11-18 (151 days ago) InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2) PackageArchitecture: all SourcePackage: tzdata UpgradeStatus: Upgraded to jammy on 2024-01-06 (103 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tzdata/+bug/2062440/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2061856] Re: gnome terminal
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public ** Changed in: xorg (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/2061856 Title: gnome terminal Status in xorg package in Ubuntu: Incomplete Bug description: Hello, good morning. I have a problem with the shell terminal in Ubuntu: it closes as soon as I click to open it, it closes automatically. I have already tried using another terminal and it does the same thing. I also have fish installed, but it does the same thing, closing automatically; the only one that works is the VS Code terminal.
ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: xorg 1:7.7+19ubuntu7.1 ProcVersionSignature: Ubuntu 4.15.0-213.224-generic 4.15.18 Uname: Linux 4.15.0-213-generic i686 .tmp.unity_support_test.0: ApportVersion: 2.20.9-0ubuntu7.29 Architecture: i386 CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins' CompositorRunning: None Date: Tue Apr 16 12:04:00 2024 DistUpgraded: Fresh install DistroCodename: bionic DistroVariant: ubuntu ExtraDebuggingInterest: Yes GraphicsCard: Intel Corporation Core Processor Integrated Graphics Controller [8086:0042] (rev 12) (prog-if 00 [VGA controller]) Subsystem: Elitegroup Computer Systems Core Processor Integrated Graphics Controller [1019:1324] InstallationDate: Installed on 2023-07-23 (267 days ago) InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release i386 (20170215.2) Lsusb: Bus 002 Device 006: ID 04f3:0210 Elan Microelectronics Corp. Optical Mouse Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub MachineType: MEGAWARE H55H-CM ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-213-generic root=UUID=3cfdb2f5-e8ec-4728-844a-29c984321037 ro quiet splash vt.handoff=1 Renderer: Software SourcePackage: xorg UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 05/18/2010 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: 080015 dmi.board.asset.tag: To Be Filled By O.E.M. 
dmi.board.name: MW-H55H-CM dmi.board.vendor: MEGAWARE dmi.board.version: 1.0 dmi.chassis.asset.tag: M0418501001 dmi.chassis.type: 3 dmi.chassis.vendor: MEGAWARE dmi.chassis.version: 1.0 dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080015:bd05/18/2010:svnMEGAWARE:pnH55H-CM:pvrMEGAWARE:rvnMEGAWARE:rnMW-H55H-CM:rvr1.0:cvnMEGAWARE:ct3:cvr1.0: dmi.product.family: To Be Filled By O.E.M. dmi.product.name: H55H-CM dmi.product.version: MEGAWARE dmi.sys.vendor: MEGAWARE version.compiz: compiz 1:0.9.13.1+18.04.20180302-0ubuntu1 version.libdrm2: libdrm2 2.4.101-2~18.04.1 version.libgl1-mesa-dri: libgl1-mesa-dri 20.0.8-0ubuntu1~18.04.1 version.libgl1-mesa-glx: libgl1-mesa-glx 20.0.8-0ubuntu1~18.04.1 version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4.15 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.5-1ubuntu1 version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20171229-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2 xserver.bootTime: Thu Apr 4 13:22:01 2024 xserver.configfile: default xserver.devices: inputPower Button KEYBOARD, id 6 inputPower Button KEYBOARD, id 7 inputPS/2+USB Mouse MOUSE, id 8 inputAT Translated Set 2 keyboard KEYBOARD, id 9 xserver.logfile: /var/log/Xorg.0.log xserver.version: 2:1.19.6-1ubuntu4.15 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2061856/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2061856]
Thanks for taking the time to report this bug and helping to make Ubuntu better. Your bug report is more likely to get attention if it is made in English, since this is the language understood by the majority of Ubuntu developers. Additionally, please only mark a bug as "security" if it shows evidence of allowing attackers to cross privilege boundaries or to directly cause loss of data/privacy. Please feel free to report any other bugs you may find. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/2061856 Title: gnome terminal Status in xorg package in Ubuntu: Incomplete
[Touch-packages] [Bug 2061191]
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures ** Tags added: community-security ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtwebkit-opensource-src in Ubuntu. https://bugs.launchpad.net/bugs/2061191 Title: Probably stone-age old and insecure version with remote code execution Status in qtwebkit-opensource-src package in Ubuntu: New Bug description: Hi, Ubuntu 24.04 beta still uses libqt5webkit5. It is not obvious, where it comes from, but the version is still an alpha4, and the link in the README seems to suggest, that it still comes from https://github.com/annulen/webkit, which redirects to https://github.com/qtwebkit/qtwebkit , where the alpha4 tag is over 4 years old. There, the latest README tells: Code in this repository is obsolete. If you are looking for up-to-date QtWebKit use this fork: https://github.com/movableink/webkit https://github.com/movableink/webkit seems to be still maintained – more or less. And calls itself "inofficial mirror" Have a look at https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/ which calls qtwebkit insecure, poorly maintained, and cites CVEs about remote code execution (some of them would have to be fixed in the fork, but probably not in the version here in ubuntu). The problem is, that tools like wkhtmltopdf do use this library and are typically used to pull contents from a given URL, i.e. from foreign websites. 
Processing foreign HTML and Javascript code in conjunction with vulnerabilities to remote code execution, this is highly dangerous. ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: libqt5webkit5 5.212.0~alpha4-34ubuntu4 ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1 Uname: Linux 6.8.0-22-generic x86_64 ApportVersion: 2.28.0-0ubuntu1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: KDE Date: Fri Apr 12 23:31:43 2024 InstallationDate: Installed on 2024-04-12 (0 days ago) InstallationMedia: Kubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240411.2) SourcePackage: qtwebkit-opensource-src UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/qtwebkit-opensource-src/+bug/2061191/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl
Thanks for reporting this issue - but it is strange since this update has been published since 2024-02-27 and this is the first such report of any issues. Also given this update has been available for nearly 2 months it is surprising you are seeing errors from it so much later - I wonder if instead whether the on-disk binary has been corrupted? Can you please try reinstalling libssl3 and see if that resolves the issue: sudo apt install --reinstall libssl3 If this does resolve the issue, it might be worth checking whether you have any failing hardware / disks etc that may have led to this problem. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2063271 Title: Illegal opcode in libssl Status in openssh package in Ubuntu: New Bug description: Many programs using openssl now fail, typically with messages such as Illegal instruction (core dumped) This seems to be a serious error, since it affects, for example, update-manager. Since this makes it harder to get security updates, I would also consider it a security vulnerability. The issue seems to be that openssl seems to be an attempt to use an illegal opcode. 
A few sample entries in /var/log/syslog are: Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000] Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000] Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000] Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000] Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000] Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000] Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000] This bug report itself had to be submitted manually since ubuntu-bug now itself fails. 
lsb_release -rd reports: Description:Ubuntu 22.04.4 LTS Release:22.04 apt-cache policy openssl reports: openssl: Installed: 3.0.2-0ubuntu1.15 Candidate: 3.0.2-0ubuntu1.15 Version table: *** 3.0.2-0ubuntu1.15 500 500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages 500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages 100 /var/lib/dpkg/status 3.0.2-0ubuntu1 500 500 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 Packages /proc/version for my computer gives Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2 /proc/cpuinfo for my computer starts processor : 0 vendor_id : GenuineIntel cpu family: 6 model : 78 model name: Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz stepping : 3 microcode : 0xf0 cpu MHz : 500.018 cache size: 4096 KB physical id : 0 siblings : 4 core id : 0 cpu cores : 2 apicid: 0 initial apicid: 0 fpu : yes fpu_exception : yes cpuid level : 22 wp: yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds mmio_stale_data retbleed gds bogomips : 5199.98 clflush size : 64 cache_alignment : 64 address sizes : 
39 bits physical, 48 b
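The kernel trap lines quoted in this report carry both the faulting instruction pointer and the base of the libssl.so.3 mapping, so subtracting one from the other shows whether every process faulted at the same place in the library. The following is an added example, not part of the report or the reply: the function name is hypothetical and the log lines are copied from the syslog excerpt in the report.

```python
import re
from collections import defaultdict

# Kernel "traps:" lines copied from the /var/log/syslog excerpt in the report.
SYSLOG = """\
Apr 21 19:16:39 einstein kernel: [495465.431588] traps: update-manager[396881] trap invalid opcode ip:740964b8ac6b sp:7409552125b0 error:0 in libssl.so.3[740964b7a000+5b000]
Apr 21 19:16:55 einstein kernel: [495482.104658] traps: python3[396949] trap invalid opcode ip:73607be8ac6b sp:736074d8d5b0 error:0 in libssl.so.3[73607be7a000+5b000]
Apr 21 19:40:05 einstein kernel: [496871.653271] traps: chrome-gnome-sh[397293] trap invalid opcode ip:79432ffa7c6b sp:7ffd6bc03e70 error:0 in libssl.so.3[79432ff97000+5b000]
Apr 22 16:23:08 einstein kernel: [501744.765118] traps: check-new-relea[400397] trap invalid opcode ip:797c7cc8ac6b sp:797c6cace5b0 error:0 in libssl.so.3[797c7cc7a000+5b000]
Apr 23 15:08:03 einstein kernel: [518701.050526] traps: wget[443588] trap invalid opcode ip:73a8b2eb4c6b sp:7ffc04918740 error:0 in libssl.so.3[73a8b2ea4000+5b000]
Apr 23 15:12:55 einstein kernel: [518992.493020] traps: curl[443851] trap invalid opcode ip:7e4e3951dc6b sp:7ffc804d2ed0 error:0 in libssl.so.3[7e4e3950d000+5b000]
Apr 23 15:13:32 einstein kernel: [519029.181422] traps: apport-gtk[04] trap invalid opcode ip:7039180f5c6b sp:703902bfaad0 error:0 in libssl.so.3[7039180e5000+5b000]
"""

# traps: <comm>[<pid>] trap <kind> ip:<hex> sp:<hex> error:<n> in <object>[<base>+<size>]
TRAP = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] trap (?P<kind>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def fault_sites(log):
    """Group trap lines by (object, trap kind, offset of ip inside the mapping).

    ASLR gives each process a different base address, so raw ip values never
    match between processes; the offset from the mapping base does.
    """
    sites = defaultdict(list)
    for line in log.splitlines():
        m = TRAP.search(line)
        if m is None or m.group("obj") is None:
            continue  # not a trap line, or ip was outside any named mapping
        ip = int(m.group("ip"), 16)
        base = int(m.group("base"), 16)
        size = int(m.group("size"), 16)
        if not base <= ip < base + size:
            continue  # malformed or truncated line
        sites[(m.group("obj"), m.group("kind"), ip - base)].append(m.group("comm"))
    return dict(sites)


if __name__ == "__main__":
    for (obj, kind, offset), comms in fault_sites(SYSLOG).items():
        print("%s: %s at mapping offset %#x in %d processes: %s"
              % (obj, kind, offset, len(comms), ", ".join(comms)))
```

The offset is relative to the start of the mapping the kernel printed, which is not necessarily the offset in the file on disk. A single offset shared by unrelated programs points at one instruction in the library as loaded, which is the condition the suggested reinstall of libssl3 checks.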
[Touch-packages] [Bug 1977710] Re: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1
From what I can see of this postinst this looks to be a bug from adduser in debian itself - and would appear to come from https://salsa.debian.org/debian/adduser/-/blob/master/debian/postinst#L33 - ie. if the default value is unchanged then an /etc/adduser.conf.dpkg-save is always generated when the value of DIR_MODE is appended to /etc/adduser.conf. Can you confirm if this also occurs when debootstrapping a system from debian? ** Changed in: adduser (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu. https://bugs.launchpad.net/bugs/1977710 Title: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1 Status in adduser package in Ubuntu: Incomplete Bug description: Since version 3.121ubuntu1 adduser's postinst script creates /etc/adduser.conf.dpkg-save file on debootstrap's root filesystem, that is, even when /etc/adduser.conf doesn't exist prior to package installation. Because of the change below the postinst script changes packaged /etc/adduser.conf and creates /etc/adduser.conf.dpkg-save as a backup: - Enable private home directories by default (LP: #48734) + Set DIR_MODE=0750 in the default adduser.conf + Change the description and default value to select private home directories by default in debconf template + Change the DIR_MODE when private home directories is configured via debconf from 0751 to 0750 to ensure files are truly private The .dpkg-save file shouldn't be present on debootstrapped system. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1977710/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1978042] Re: adduser doesn't support extrausers for group management
This looks like a duplicate of LP: #1959375 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu. https://bugs.launchpad.net/bugs/1978042 Title: adduser doesn't support extrausers for group management Status in adduser package in Ubuntu: Fix Released Status in shadow package in Ubuntu: Fix Released Status in adduser source package in Focal: New Status in shadow source package in Focal: New Status in adduser source package in Impish: Fix Released Status in shadow source package in Impish: Fix Released Status in adduser source package in Jammy: Fix Released Status in shadow source package in Jammy: Fix Released Status in adduser source package in Kinetic: Fix Released Status in shadow source package in Kinetic: Fix Released Bug description: [Impact] When using adduser --extrausers on Ubuntu Core the command attempts to use the /etc/group file instead of /var/lib/extrausers/group. e.g. the following commands will fail: $ adduser --extrausers user group $ adduser --extrausers --ingroup group user [Test Plan] 1. Install libnss-extrausers 2. Add a new group: $ sudo adduser --extrausers --group test-group 3. Create a new user with this group: $ adduser --extrausers --ingroup test-group test-user1 4. Create a new user and add them to this group: $ adduser --extrausers test-user2 $ adduser --extrausers test-user2 test-group Expected result: Two new users (test-user1 and test-user2) are successfully added to the system and are entered in /var/lib/extrausers/{passwd,shadow}. A new group (test-group) is successfully added to /var/lib/extrausers/group and contains the new users. [Where problems could occur] Existing users of adduser and gpasswd that don't use --extrausers are unlikely to hit any issues, as their codepath is unchanged. Existing users that use --extrausers will have a behavior change, but the existing behavior was to fail so this is unlikely to introduce any new issues. 
There is the risk of introducing new bugs by this change, but it has been used since impish without any issues being detected. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1978042/+subscriptions
[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched
FYI I have sent a MR to the upstream AppArmor project to remove this dbus deny rule from the exo-open abstraction: https://gitlab.com/apparmor/apparmor/-/merge_requests/884 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1969896 Title: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched Status in apparmor package in Ubuntu: New Status in evince package in Ubuntu: In Progress Bug description: Just switched from Ubuntu 20.04 to 22.04 and realized that Document Viewer no longer open on the last viewed page and doesn't remember the side pane preference even after using the "Save Current Settings as Default" option. Kindly advise ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: evince 42.1-3 ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30 Uname: Linux 5.15.0-25-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Fri Apr 22 15:58:50 2022 InstallationDate: Installed on 2022-03-19 (34 days ago) InstallationMedia: Ubuntu 20.04.4 LTS "Focal Fossa" - Release amd64 (20220223) ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: evince UpgradeStatus: Upgraded to jammy on 2022-04-21 (0 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1969896/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched
** Also affects: evince (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Jammy) Importance: Undecided Status: New ** Also affects: evince (Ubuntu Kinetic) Importance: High Status: In Progress ** Also affects: apparmor (Ubuntu Kinetic) Importance: High Status: Confirmed ** Changed in: apparmor (Ubuntu Kinetic) Status: Confirmed => In Progress ** Changed in: apparmor (Ubuntu Jammy) Status: New => In Progress ** Changed in: apparmor (Ubuntu Kinetic) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu Jammy) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu Jammy) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1969896 Title: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched Status in apparmor package in Ubuntu: In Progress Status in evince package in Ubuntu: In Progress Status in apparmor source package in Jammy: In Progress Status in evince source package in Jammy: New Status in apparmor source package in Kinetic: In Progress Status in evince source package in Kinetic: In Progress
[Touch-packages] [Bug 283115] Re: Gimp: toolbox windows can't be minimized
** Changed in: gimp (Ubuntu) Status: Fix Released => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gtk+2.0 in Ubuntu. https://bugs.launchpad.net/bugs/283115 Title: Gimp: toolbox windows can't be minimized Status in The Gimp: Fix Released Status in GTK+: Unknown Status in gimp package in Ubuntu: Invalid Status in gtk+2.0 package in Ubuntu: New Bug description: gimp 2.6 in intrepid: it is impossible to minimize toolbar windows; they have only a x-Button to close ideally, these windows should be minimized automatically when the (last) Gimp image window is minimized Update While waiting, I designed some sort of workaround : Gnome>System>Preferences>Windows>Double-click titlebar>Roll up To manage notifications about this bug go to: https://bugs.launchpad.net/gimp/+bug/283115/+subscriptions
[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental
> I do not intend to take further action to modify those packages. If it is a blocker for Ubuntu that they are fixed, then someone from Ubuntu will need to do that work.

Given the relationship between the packages has now changed - ie. polkitd-pkla is not mutually exclusive from the javascript backend and then allows both legacy pkla policies as well as the "new" javascript policies to be handled - then this is not a blocker anymore from my point of view. I suspect Marc may also agree (especially given the relatively small number of packages in this category). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1972654 Title: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental Status in policykit-1 package in Ubuntu: Confirmed Bug description: Please sync policykit-1 0.120-6 (main) from Debian experimental Changelog entries since current kinetic version 0.105-33: https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6 In particular, see the 0.120-4 changelog entry. I am filing a bug for Security Team review. Previously, Debian and Ubuntu developers agreed to keep using the last version of policykit before it switched to using JavaScript rules. But that was years ago. I believe Debian & Ubuntu are the only distros to have opted out of the new policykit. It is harder to maintain the old style rules when upstream rules use the new format. And it is a challenge to backport security and other bugfixes from the new series, without making mistakes or missing important details. There was a proposal to use duktape instead of mozjs for the JavaScript interpreter but I don't think that's been merged yet. It appears the Debian maintainer is considering switching Debian to the updated version in time for the next Debian Stable release (so uploading to unstable later this year). 
My requested deadline is August 25, Ubuntu 22.10 Feature Freeze. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1972654/+subscriptions
[Touch-packages] [Bug 1989309] [NEW] [FFe] apparmor 3.1.1 upstream release
Public bug reported: Placeholder for preparation of AppArmor 3.1.1 for kinetic. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Summary changed: - [FFe] apparmor 3.1.0 upstream release + [FFe] apparmor 3.1.1 upstream release -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1989309 Title: [FFe] apparmor 3.1.1 upstream release Status in apparmor package in Ubuntu: New Bug description: Placeholder for preparation of AppArmor 3.1.1 for kinetic. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+subscriptions
[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors
** Changed in: snapd Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056696 Title: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors Status in snapd: Fix Released Status in apparmor package in Ubuntu: Invalid Bug description: OS: Kubuntu Noble 24.04 Alpha (two-day old install) snapd version: 2.61.2 Affected Snaps: firefox, thunderbird, element-desktop Steps to reproduce: # For Firefox: 1. Open the Firefox Snap. 2. Open https://www.bennish.net/web-notifications.html. 3. Click "Authorize" and allow the website to send notifications. 4. Click "Show". Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays. Actual result: The notification shows up in the upper-right corner of the display, improperly themed and obviously generated by Firefox as a fallback. # For Thunderbird: 1. Open the Thunderbird Snap. 2. Ensure you are connected to an email account. 3. Unfocus the Thunderbird window. 4. Wait for an email to come through. Expected result: When the email comes through, a notification should be displayed by Plasma, similar to other notifications the system displays. Actual result: The notification shows up improperly themed and obviously generated by Thunderbird as a fallback. # For Element: 1. Open the Element Snap. Expected result: An apptray indicator should appear in the system tray with the Element logo. Actual result: No such indicator appears. 2. Log in, ask someone to ping you, then unfocus the window and wait for the ping to come through. Expected result: A notification should be displayed by Plasma, similar to other notifications the system displays. Actual result: No notification appears at all. 
Additional information: Based on the output of snappy-debug, this appears to be AppArmor related, at least for element-desktop (but presumably for the others too). Of note are some of the following log entries:

```
= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="isEnabled" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/modules/kwalletd5" interface="org.kde.KWallet" member="close" mask="send" name="org.kde.kwalletd5" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=1762 peer_label="unconfined"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="GetAll" name=":1.45" mask="receive" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access

= AppArmor =
Time: 2024-03-10T13:4
Log: apparmor="DENIED" operation="dbus_signal" bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="NewToolTip" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_pid=2394 peer_label="plasmashell"
DBus access
```

Booting with `apparmor=0` set on the kernel command line fixes the issue with Element (apptray indicator appears, notifications show up). 
Obviously this is not a solution, but it does isolate AppArmor as being at least partially at fault. This issue seems to be somewhat similar to https://forum.snapcraft.io/t/dbus-related-apparmor-denials/37422, however it seems as if Element is trying to hit the right paths and interfaces and is still being denied (based on looking at the info in https://github.com/snapcore/snapd/blob/master/interfaces/builtin/desktop_legacy.go and comparing the paths and interfaces there with the paths and interfaces shown by snappy-debug. I talked about this issue with Erich Eickmeyer and he mentioned that it occurred after a Plasma update. This doesn't make a great deal of sense to me, and I suspect possibly some other component of the affected systems happened to get updated at the same time (perhaps the snapd Snap), but it's definitely worth mentioning. An example of one of Thunderbird's fallback notifications is attached as a screenshot
[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace
FWIW I don't think this proposed profile should be shipped upstream or in Ubuntu for bitbake - it allows any file anywhere on the filesystem under a path bitbake/bin/bitbake to use unprivileged user namespaces - ie. if I was a malware author I would have my malware create a second stage malware file called $HOME/bitbake/bin/bitbake and it would then be granted the use of userns by this profile (and hence could take advantage of userns as part of further exploitation). The specified attachment path regex is too broad. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056555 Title: Allow bitbake to create user namespace Status in apparmor package in Ubuntu: Confirmed Bug description: Occurs since an update around March 2 Ubuntu 24.04. Bitbake is broken due to file permission problem. Traceback (most recent call last): File "/home/hains/openpli-oe-core/bitbake/bin/bitbake-worker", line 268, in child bb.utils.disable_network(uid, gid) File "/home/hains/openpli-oe-core/bitbake/lib/bb/utils.py", line 1653, in disable_network with open("/proc/self/uid_map", "w") as f: PermissionError: [Errno 1] Operation not permitted Test code with open("/proc/self/uid_map", "w") as f: f.write("%s %s 1" % (1000, 1000)) ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: dash 0.5.12-6ubuntu4 ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4 Uname: Linux 6.8.0-11-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.28.0-0ubuntu1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Fri Mar 8 14:34:08 2024 InstallationDate: Installed on 2023-03-24 (350 days ago) InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020) SourcePackage: dash UpgradeStatus: Upgraded to noble on 2024-01-10 (58 days ago) To manage notifications about this bug go to: 
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2056555/+subscriptions
[Touch-packages] [Bug 2039589] Re: Nwidia driver Ubuntu bug
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/2039589 Title: Nwidia driver Ubuntu bug Status in xorg package in Ubuntu: New Bug description: Nvidia driver error 470: UFW main window not displayed properly and Help not displayed. The issue affects Ubuntu 22.04.3 LTS, Ubuntu 23.10 and Linux Mint. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 6.2.0-34.34~22.04.1-generic 6.2.16 Uname: Linux 6.2.0-34-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia .proc.driver.nvidia.capabilities.gpu0: Error: path was not a regular file. .proc.driver.nvidia.capabilities.mig: Error: path was not a regular file. .proc.driver.nvidia.gpus..01.00.0: Error: path was not a regular file. 
.proc.driver.nvidia.registry: Binary: "" .proc.driver.nvidia.suspend: suspend hibernate resume .proc.driver.nvidia.suspend_depth: default modeset uvm .proc.driver.nvidia.version: NVRM version: NVIDIA UNIX x86_64 Kernel Module 470.199.02 Thu May 11 11:46:56 UTC 2023 GCC version: ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 BootLog: Error: [Errno 13] Brak dostępu: '/var/log/boot.log' CasperMD5CheckResult: pass CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Tue Oct 17 18:13:32 2023 DistUpgraded: Fresh install DistroCodename: jammy DistroVariant: ubuntu GraphicsCard: NVIDIA Corporation GK107 [GeForce GTX 650] [10de:0fc6] (rev a1) (prog-if 00 [VGA controller]) Subsystem: CardExpert Technology GK107 [GeForce GTX 650] [10b0:0fc6] InstallationDate: Installed on 2023-10-16 (1 days ago) InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2) MachineType: Gigabyte Technology Co., Ltd. To be filled by O.E.M. ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=pl_PL.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.2.0-34-generic root=UUID=7faab2db-29fa-4024-ae67-d6f019c15904 ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 02/25/2014 dmi.bios.release: 4.6 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: 10b dmi.board.asset.tag: To be filled by O.E.M. dmi.board.name: H61M-S1 dmi.board.vendor: Gigabyte Technology Co., Ltd. dmi.board.version: x.x dmi.chassis.asset.tag: To Be Filled By O.E.M. dmi.chassis.type: 3 dmi.chassis.vendor: Gigabyte Technology Co., Ltd. dmi.chassis.version: To Be Filled By O.E.M. 
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr10b:bd02/25/2014:br4.6:svnGigabyteTechnologyCo.,Ltd.:pnTobefilledbyO.E.M.:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rnH61M-S1:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:skuTobefilledbyO.E.M.: dmi.product.family: To be filled by O.E.M. dmi.product.name: To be filled by O.E.M. dmi.product.sku: To be filled by O.E.M. dmi.product.version: To be filled by O.E.M. dmi.sys.vendor: Gigabyte Technology Co., Ltd. version.compiz: compiz N/A version.libdrm2: libdrm2 2.4.113-2~ubuntu0.22.04.1 version.libgl1-mesa-dri: libgl1-mesa-dri 23.0.4-0ubuntu1~22.04.1 version.libgl1-mesa-glx: libgl1-mesa-glx N/A version.nvidia-graphics-drivers: nvidia-graphics-drivers-* N/A version.xserver-xorg-core: xserver-xorg-core 2:21.1.4-2ubuntu1.7~22.04.1 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2ubuntu1 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/2039589/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2040484] Re: ubuntu_seccomp pseudo-syscall fails on s390
Adding a task against libseccomp until we know more about where the bug lies. ** Also affects: libseccomp (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/2040484 Title: ubuntu_seccomp pseudo-syscall fails on s390 Status in ubuntu-kernel-tests: New Status in libseccomp package in Ubuntu: New Bug description: libseccomp upstream has changed the test code for 29-sim-pseudo_syscall.c, which has broken it for s390. Perhaps s390 has been broken since forever and the test change is just uncovering it. We need to investigate if the fix would be needed in the test, libseccomp or the kernel. This seems to affect at least 4.4 and 5.4 kernels, but may affect everything. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2040484/+subscriptions
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common
I am struggling to see the vulnerability here still - the path used in this case is /tmp/ubuntu-drivers-common.config.55GJ8b appears to have a randomly generated suffix and so couldn't have been guessed beforehand nor preseeded with other contents by a local attacker - so the only way then that I can see that this could be a vulnerability would be if this file was world-writable - but it is not clear that this is the case either. Assuming this file comes from debconf, from what I can see in its sources, it creates temporary files via the https://perldoc.perl.org/File::Temp package - which states that files are created with permissions 0600 by default too. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to perl in Ubuntu. https://bugs.launchpad.net/bugs/2043711 Title: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common Status in perl package in Ubuntu: Invalid Bug description: During update of ubuntu-drivers-common: Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. Preconfiguring packages ... Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. /tmp is mounted with noexec because running code from /tmp has been a vulnerability vector for several decades, hence reporting this as a vulnerability in perl-base. This error did not appear to prevent the update of ubuntu-drivers- common and "dpkg --verify ubuntu-drivers-common" returns 0. 
___ Attempting to use the package search on this form by clicking the 🔍 created a modal in which there is an error Sorry, something went wrong with your search. We've recorded what happened, and we'll fix it as soon as possible. (Error ID: OOPS-c80f71590b02908a1187b9f743c53eac) which is repeated with any attempt to search for a package. ___ Submitting this form gives an error "perl-base" does not exist in Ubuntu. Please choose a different package. If you're unsure, please select "I don't know" $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm $ dpkg -l perl-base Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-=--=> ii perl-base 5.34.0-3ubuntu1.2 amd64minimal Perl system Looks like a package to me. Nevertheless, using "Did you mean..." offers "perl". ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: perl-base 5.34.0-3ubuntu1.2 ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3 Uname: Linux 6.5.0-1007-oem x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Thu Nov 16 10:08:48 2023 InstallationDate: Installed on 2016-04-23 (2763 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=rxvt PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: perl UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/perl/+bug/2043711/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2044625] Re: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu. https://bugs.launchpad.net/bugs/2044625 Title: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы Status in gdk-pixbuf package in Ubuntu: New Bug description: ubuntu update to lunar lobster version ProblemType: Package DistroRelease: Ubuntu 23.04 Package: libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 ProcVersionSignature: Ubuntu 5.15.0-89.99-generic 5.15.126 Uname: Linux 5.15.0-89-generic x86_64 ApportVersion: 2.26.1-0ubuntu2.1 Architecture: amd64 CasperMD5CheckResult: unknown Date: Sun Nov 26 02:02:30 2023 ErrorMessage: зацикливание триггеров, отмена работы InstallationDate: Installed on 2023-11-25 (0 days ago) InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316) Python3Details: /usr/bin/python3.11, Python 3.11.4, python3-minimal, 3.11.2-1 PythonDetails: N/A RebootRequiredPkgs: Error: path contained symlinks. 
RelatedPackageVersions: dpkg 1.21.21ubuntu1 apt 2.6.0ubuntu0.1 SourcePackage: gdk-pixbuf Title: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы UpgradeStatus: Upgraded to lunar on 2023-11-25 (0 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/2044625/+subscriptions
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
@kerneldude - do you know if MITRE ever assigned a CVE for this? ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/2029464 Title: A stack overflow in GNU Tar Status in tar package in Ubuntu: New Bug description: A stack overflow vulnerability exists in GNU Tar up to and including v1.34, as far as I can see, Ubuntu is using v1.3. The bug exists in the function xattr_decoder() in xheader.c, where alloca() is used and it may overflow the stack if a sufficiently long xattr key is used. The vulnerability can be triggered when extracting a tar/pax archive that contains such a long xattr key. Vulnerable code: https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723 PoC tar archive is attached in a zip archive to reduce the size. I reported the vulnerability yesterday to GNU Tar maintainers and they replied that the issue was fixed in the version that was released two weeks ago: "Sergey fixed that bug here: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 and the fix appears in tar 1.35, released July 18. " To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/2029464/+subscriptions
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
Excellent - thanks for letting us know. So since a CVE has already been assigned then we won't assign an additional one. I'll add the details to our CVE tracker.
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
@kerneldude - any chance you could share your poc (perhaps email it to secur...@ubuntu.com rather than post it publicly here)? I have tried creating one via the following but I hit the CLI args limit before I can get an xattr key long enough:

  touch bar
  tar --pax-option SCHILY.xattr.user.$(python3 -c "print('a'*131048)"):=test -cf poc-crafted.tar bar
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
So I managed to create a tar file with an extended attribute name with a length of ~ 36 bytes (the largest I can do without exceeding the existing check on maximum extended header lengths, it seems) but this is not able to trigger the vuln - so if you are able to share your PoC that would be great.
[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar
Actually I just got it working - no need to send PoC @kerneldude - I made my own.
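The stack allocation described in the bug report above, next to a bounded alternative that parses a pax extended header record and rejects an over-long xattr key before copying it. This is an added example, not GNU tar source and not the upstream fix; all function names, the constructed sample records and the 255-byte cap (the value of Linux XATTR_NAME_MAX) are assumptions.

```c
/* Added example: not GNU tar code. All names and the cap are assumptions. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XATTR_PREFIX     "SCHILY.xattr."
#define XATTR_PREFIX_LEN (sizeof XATTR_PREFIX - 1)
#define MAX_XATTR_NAME   255u  /* assumed cap, equal to Linux XATTR_NAME_MAX */

enum rec_status { REC_OK, REC_MALFORMED, REC_NOT_XATTR, REC_KEY_TOO_LONG, REC_NOMEM };

/* Pattern the report describes: the stack allocation is sized by a string
   taken from the archive, so nothing bounds how much stack it consumes. */
size_t copy_key_on_stack(const char *key)
{
    size_t klen = strlen(key);
    char *copy = alloca(klen + 1);
    memcpy(copy, key, klen + 1);
    return strlen(copy);
}

/* Split one pax record "LEN KEY=VALUE\n"; LEN counts the whole record,
   including its own digits and the trailing newline. */
static enum rec_status split_record(const char *buf, size_t buflen,
                                    const char **key, size_t *key_len)
{
    size_t len = 0, i = 0;
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        if (len > (SIZE_MAX - 9) / 10)
            return REC_MALFORMED;               /* length field overflows */
        len = len * 10 + (size_t)(buf[i++] - '0');
    }
    if (i == 0 || i >= buflen || buf[i] != ' ')
        return REC_MALFORMED;
    if (len > buflen || len < i + 4 || buf[len - 1] != '\n')
        return REC_MALFORMED;                   /* record must fit the buffer */
    const char *k = buf + i + 1;
    const char *eq = memchr(k, '=', len - i - 2);
    if (eq == NULL || eq == k)
        return REC_MALFORMED;
    *key = k;
    *key_len = (size_t)(eq - k);
    return REC_OK;
}

/* Bounded handling: check the attribute name against the cap first, then
   copy it to the heap. On REC_OK the caller frees *name_out. */
enum rec_status xattr_name_from_record(const char *buf, size_t buflen,
                                       char **name_out)
{
    const char *key = NULL;
    size_t key_len = 0;
    *name_out = NULL;
    enum rec_status st = split_record(buf, buflen, &key, &key_len);
    if (st != REC_OK)
        return st;
    if (key_len <= XATTR_PREFIX_LEN ||
        memcmp(key, XATTR_PREFIX, XATTR_PREFIX_LEN) != 0)
        return REC_NOT_XATTR;
    size_t name_len = key_len - XATTR_PREFIX_LEN;
    if (name_len > MAX_XATTR_NAME)
        return REC_KEY_TOO_LONG;                /* rejected before any copy */
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return REC_NOMEM;
    memcpy(name, key + XATTR_PREFIX_LEN, name_len);
    name[name_len] = '\0';
    *name_out = name;
    return REC_OK;
}

/* Constructed sample input: one record whose attribute name is "user."
   followed by n 'a' bytes. Returns the record length, or 0 if out is small. */
size_t build_sample_record(char *out, size_t cap, size_t n)
{
    size_t body = 1 + XATTR_PREFIX_LEN + 5 + n + 3;   /* ' ' key "=v\n" */
    size_t total = body + 1, digits;
    while ((digits = (size_t)snprintf(NULL, 0, "%zu", total)) + body != total)
        total = digits + body;                  /* LEN counts its own digits */
    if (total + 1 > cap)
        return 0;
    int off = snprintf(out, cap, "%zu %suser.", total, XATTR_PREFIX);
    memset(out + off, 'a', n);
    memcpy(out + off + n, "=v\n", 4);
    return total;
}

int main(void)
{
    char rec[512], *name = NULL;
    size_t n = build_sample_record(rec, sizeof rec, 300);
    enum rec_status st = xattr_name_from_record(rec, n, &name);
    printf("305-byte name: status %d (REC_KEY_TOO_LONG is %d)\n",
           (int)st, (int)REC_KEY_TOO_LONG);
    free(name);
    return 0;
}
```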
[Touch-packages] [Bug 1926820]
Thank you for taking the time to report this bug and helping to make Ubuntu better. Reviewing your dmesg attachment to this bug report it seems that there may be a problem with your hardware. I'd recommend performing a back up and then investigating the situation. Measures you might take include checking cable connections and using software tools to investigate the health of your hardware. In the event that it is not in fact an error with your hardware please set the bug's status back to New. Thanks and good luck!

** Tags added: hardware-error

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1926820

Title:
  package libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

Status in libseccomp package in Ubuntu:
  Invalid

Bug description:
  Programs are not being installed. I am new to ubuntu.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3
  ProcVersionSignature: Ubuntu 5.8.0-50.56~20.04.1-generic 5.8.18
  Uname: Linux 5.8.0-50-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Fri Apr 30 21:37:01 2021
  DpkgTerminalLog:
   dpkg: error processing package libseccomp2:amd64 (--configure):
    package is in a very bad inconsistent state; you should
    reinstall it before attempting configuration
  ErrorMessage: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
  InstallationDate: Installed on 2021-04-30 (0 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt 2.0.4
  SourcePackage: libseccomp
  Title: package libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1926820/+subscriptions
[Touch-packages] [Bug 1926820] Re: package libseccomp2:amd64 2.4.3-1ubuntu3.20.04.3 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting c
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

** Changed in: libseccomp (Ubuntu)
   Status: New => Invalid

** Changed in: libseccomp (Ubuntu)
   Importance: Undecided => Low
[Touch-packages] [Bug 1928346] Re: package libseccomp2:amd64 2.5.1-1ubuntu1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configura
Thanks for reporting this issue - can you please try running the following in a terminal and see if this resolves the problem:

  sudo apt-get install -f --reinstall libseccomp2

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1928346

Title:
  package libseccomp2:amd64 2.5.1-1ubuntu1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

Status in libseccomp package in Ubuntu:
  New

Bug description:
  Broken in mid of upgrade from 20.10 to 21.04

  ProblemType: Package
  DistroRelease: Ubuntu 21.04
  Package: libseccomp2:amd64 2.5.1-1ubuntu1
  ProcVersionSignature: Ubuntu 5.8.0-53.60-generic 5.8.18
  Uname: Linux 5.8.0-53-generic x86_64
  ApportVersion: 2.20.11-0ubuntu50.6
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu May 13 19:56:07 2021
  ErrorMessage: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
  InstallationDate: Installed on 2018-12-12 (883 days ago)
  InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  Python3Details: /usr/bin/python3.8, Python 3.8.6, python3-minimal, 3.8.6-0ubuntu1
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.20.9ubuntu1
   apt 2.1.10ubuntu0.3
  SourcePackage: libseccomp
  Title: package libseccomp2:amd64 2.5.1-1ubuntu1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
  UpgradeStatus: Upgraded to hirsute on 2021-05-13 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1928346/+subscriptions
[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names
Thanks for looking at this @William - sorry to nitpick but I wonder if rewriting the test as follows could make it a bit easier to parse (at least for me I find this version easier to grok what is being tested for):

  if (*name < '1' || *name > '9')

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New

Bug description:
  [Description]

  Fully numeric names support in Ubuntu is inconsistent in Focal onwards because systemd does not like them[1] but are still allowed by default by useradd, leaving the session behavior in hands of the running applications. Two examples:

  1. After creating a user named "0", the user can log in via ssh or console but loginctl won't create a session for it:

  root@focal:/home/ubuntu# useradd -m 0
  root@focal:/home/ubuntu# id 0
  uid=1005(0) gid=1005(0) groups=1005(0)

  ..

  0@192.168.122.6's password:
  Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)

  Last login: Thu Apr 8 16:17:06 2021 from 192.168.122.1
  $ loginctl
  No sessions.
  $ w
   16:20:09 up 4 min, 1 user, load average: 0.03, 0.14, 0.08
  USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
  0 pts/0 192.168.122.1 16:17 0.00s 0.00s 0.00s w

  And pam-systemd shows the following message:

  Apr 08 16:17:06 focal sshd[1584]: pam_unix(sshd:session): session opened for user 0 by (uid=0)
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): pam-systemd initializing
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): Failed to get user record: Invalid argument

  2. With that same username, every successful authentication in gdm will loop back to gdm again instead of starting gnome, making the user unable to login.

  Making useradd fail (unless --badnames is set) when a fully numeric name is used will make the default OS behavior consistent.

  [Other info]

  - Upstream does not support fully numeric usernames
  - useradd has a --badnames parameter that would still allow the use of these type of names

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+subscriptions
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
Thanks @doko :)

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

Status in Python:
  New
Status in python2.7 package in Ubuntu:
  Fix Released
Status in python3.10 package in Ubuntu:
  Fix Committed
Status in python3.4 package in Ubuntu:
  Fix Released
Status in python3.6 package in Ubuntu:
  Confirmed
Status in python3.7 package in Ubuntu:
  Confirmed
Status in python3.8 package in Ubuntu:
  Confirmed
Status in python3.9 package in Ubuntu:
  New
Status in python3.7 package in Debian:
  New
Status in python3.8 package in Debian:
  New

Bug description:
  The python2.7 binary (installed at /usr/bin/python2.7; package version 2.7.6-8) is not compiled as a position independent executable (PIE). It appears that the python compilation process is somewhat arcane and the hardening wrapper probably doesn't do the trick for it.

  This is incredibly dangerous as it means that any vulnerability within a native module (e.g. ctypes-based), or within python itself will expose an incredibly large amount of known memory contents at known addresses (including a large number of dangerous instruction groupings). This enables ROP-based (https://en.wikipedia.org/wiki/Return-oriented_programming) attacks to abuse the interpreter itself to bypass non-executable page protections.

  I have put together an example vulnerable C shared object (with a buffer overflow) accessed via python through the ctypes interface as an example. This uses a single ROP "gadget" on top of using the known PLT location for system(3) (https://en.wikipedia.org/wiki/Return-to-libc_attack) to call "id". The example code is accessible at:
  - https://gist.github.com/ChaosData/ae6076cb1c3cc7b0a367

  I'm not exactly familiar enough with the python build process to say where exactly an -fPIE needs to be injected into a script/makefile, but I feel that given the perceived general preference for ctypes-based modules over python written ones, as the native code implementations tend to be more performant, this feels like a large security hole within the system. Given the nature of this "issue," I'm not 100% sure of where it is best reported, but from what I can tell, this conflicts with the Ubuntu hardening features and is definitely exploitable should a native module contain a sufficiently exploitable vulnerability that allows for control of the instruction register.

To manage notifications about this bug go to:
https://bugs.launchpad.net/python/+bug/1452115/+subscriptions
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
Nice - thanks @sdeziel

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1452115

Title:
  Python interpreter binary is not compiled as PIE

Status in Python:
  New
Status in python2.7 package in Ubuntu:
  Fix Released
Status in python3.10 package in Ubuntu:
  Fix Released
Status in python3.4 package in Ubuntu:
  Fix Released
Status in python3.6 package in Ubuntu:
  Confirmed
Status in python3.7 package in Ubuntu:
  Confirmed
Status in python3.8 package in Ubuntu:
  Confirmed
Status in python3.9 package in Ubuntu:
  New
Status in python3.7 package in Debian:
  New
Status in python3.8 package in Debian:
  New
[Touch-packages] [Bug 1968402] Re: Ubuntu 20.04.3 boots to black screen, no TTY available
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1968402

Title:
  Ubuntu 20.04.3 boots to black screen, no TTY available

Status in gdm:
  New
Status in gnome-session:
  New
Status in grub:
  New
Status in os-prober-efi/trunk:
  New
Status in shim:
  New
Status in subiquity:
  New
Status in tty:
  New
Status in grub2 package in Ubuntu:
  New
Status in mutter package in Ubuntu:
  New
Status in nvidia-graphics-drivers-450 package in Ubuntu:
  New
Status in wayland package in Ubuntu:
  New
Status in xorg package in Ubuntu:
  New

Bug description:
  A fresh attempted install failed utterly, just as 20.04.1 failed two years ago. Has anyone been paying attention?

  Ubuntu 20.04.3 burned just now to a USB stick and attempted to be installed.

  The first fail was that the stick booted to a couple of impenetrable boot-time messages and hung. Really. I'm not making this up. It didn't just open the installer, as it should.

  The second fail was having just to guess that rebooting and trying another GRUB menu option might work and give that a try. Really. I'm not making this up, either. The installer was entirely incapable of providing any direction.

  The third failure was that the installer was incapable of detecting the video configuration and proceeding accordingly. This is 20.04.3, the third attempt at getting this right, and it still fails.

  The fourth fail was an error message insisting on a designation of where root should be, even after the destination partition already had been specified.

  The fifth failure was that no obvious means existed to satisfy the installer about the root specification, which of course already had been made by specifying the destination partition. All one could do was to see whether a context menu existed for any object on the screen that might possibly drill down through a few layers to something approximating what the content of the error message suggested.

  The sixth failure was that no GRUB menu appeared during boot, notwithstanding that the EFI system partition had clearly been identified in the installer.

  The seventh failure was that the machine booted only to a black screen with a non-blinking _ midway toward the upper left. No login screen/display manager. No GUI at all. Just this little _.

  The eighth failure was that Ctrl-alt-f2, ctrl-alt-f5-f12 have no effect. No TTY is available. There is no way whatsoever to interact with the system.

  Expected behavior: The software would install and the computer would work.

  Actual behavior: The installer bricked my workstation.

  Obviously, no debug information is available BECAUSE THE SOFTWARE FAILED. This post is being made from a borrowed Windows laptop.

  Any thoughts about how to get a working system would be appreciated. I am not optimistic about the prospects for 22.04.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gdm/+bug/1968402/+subscriptions
[Touch-packages] [Bug 1968397] Re: bootloader
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem.

We have instructions on debugging some types of problems at http://wiki.ubuntu.com/DebuggingProcedures.

At a minimum, we need:
1. the specific steps or actions you took that caused you to encounter the problem,
2. the behavior you expected, and
3. the behavior you actually encountered (in as much detail as possible).
Thanks!

** Changed in: xorg (Ubuntu)
   Status: New => Incomplete

** Information type changed from Private Security to Public

** Changed in: xorg (Ubuntu)
   Status: Incomplete => Invalid

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1968397

Title:
  bootloader

Status in xorg package in Ubuntu:
  Invalid

Bug description:
  root@a-ThinkPad-X220:~# apt install telnetd
  E: 无法获得锁 /var/lib/dpkg/lock-frontend - open (11: 资源暂时不可用)
  E: 无法获取 dpkg 前端锁 (/var/lib/dpkg/lock-frontend),是否有其他进程正占用它?
  root@a-ThinkPad-X220:~# apt install telnetd
  E: 无法获得锁 /var/lib/dpkg/lock-frontend - open (11: 资源暂时不可用)
  E: 无法获取 dpkg 前端锁 (/var/lib/dpkg/lock-frontend),是否有其他进程正占用它?
  root@a-ThinkPad-X220:~# killall

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: xorg 1:7.7+13ubuntu3.1
  ProcVersionSignature: Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-112-generic x86_64
  .tmp.unity_support_test.0:

  ApportVersion: 2.20.1-0ubuntu2.24
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: compiz
  CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
  CompositorUnredirectFSW: true
  Date: Sat Apr 9 13:01:34 2022
  DistUpgraded: Fresh install
  DistroCodename: xenial
  DistroVariant: ubuntu
  ExtraDebuggingInterest: No
  GraphicsCard:
   Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0116] (rev 09) (prog-if 00 [VGA controller])
     Subsystem: Lenovo 2nd Generation Core Processor Family Integrated Graphics Controller [17aa:21da]
  InstallationDate: Installed on 2022-04-07 (1 days ago)
  InstallationMedia: Ubuntu 16.04.7 LTS "Xenial Xerus" - Release amd64 (20200806)
  MachineType: LENOVO 4286AC9
  ProcEnviron:
   LANGUAGE=zh_CN:zh
   PATH=(custom, no user)
   LANG=zh_CN.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-112-generic root=UUID=cf25f7a7-bda4-4979-9a0f-eb1cb472be49 ro quiet splash vt.handoff=7
  SourcePackage: xorg
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 06/21/2018
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET76WW (1.46 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4286AC9
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr8DET76WW(1.46):bd06/21/2018:svnLENOVO:pn4286AC9:pvrThinkPadX220:rvnLENOVO:rn4286AC9:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.family: ThinkPad X220
  dmi.product.name: 4286AC9
  dmi.product.version: ThinkPad X220
  dmi.sys.vendor: LENOVO
  version.compiz: compiz 1:0.9.12.3+16.04.20180221-0ubuntu1
  version.ia32-libs: ia32-libs N/A
  version.libdrm2: libdrm2 2.4.91-2~16.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 18.0.5-0ubuntu0~16.04.1
  version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
  version.libgl1-mesa-glx: libgl1-mesa-glx 18.0.5-0ubuntu0~16.04.1
  version.xserver-xorg-core: xserver-xorg-core N/A
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati N/A
  version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau N/A
  xserver.bootTime: Sat Apr 9 20:55:35 2022
  xserver.configfile: default
  xserver.errors:

  xserver.logfile: /var/log/Xorg.0.log
  xserver.version: 2:1.19.6-1ubuntu4.1~16.04.2
  xserver.video_driver: modeset

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1968397/+subscriptions
[Touch-packages] [Bug 1968397]
Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it.

Submitting the bug about the proper source package is essential. For help see https://wiki.ubuntu.com/Bugs/FindRightPackage . Additionally, in the report please include:

1) The release of Ubuntu you are using, via 'cat /etc/lsb-release' or System -> About Ubuntu.
2) The version of the package you are using, via 'dpkg -l PKGNAME | cat' or by checking in Synaptic.
3) What happened and what you expected to happen.

The Ubuntu community has also created debugging procedures for a wide variety of packages at https://wiki.ubuntu.com/DebuggingProcedures . Following the debugging instructions for the affected package will make your bug report much more complete. Thanks!
[Touch-packages] [Bug 1971288] Re: Merge libseccomp from Debian unstable for kinetic
I uploaded https://launchpad.net/ubuntu/+source/libseccomp/2.5.4-1ubuntu1 earlier today. ** Changed in: libseccomp (Ubuntu) Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1971288 Title: Merge libseccomp from Debian unstable for kinetic Status in libseccomp package in Ubuntu: Fix Committed Bug description: Upstream: tbd Debian: 2.5.4-1 Ubuntu: 2.5.3-2ubuntu2 ### Old Ubuntu Delta ### libseccomp (2.5.3-2ubuntu2) jammy; urgency=medium * No-change rebuild with Python 3.10 only -- Graham Inggs Thu, 17 Mar 2022 19:27:18 + libseccomp (2.5.3-2ubuntu1) jammy; urgency=medium * Merge from Debian unstable; remaining changes: - Add autopkgtests * Added changes: - Update autopkgtests to use syscalls from 5.16-rc1 -- Alex Murray Thu, 24 Feb 2022 09:53:35 +1030 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1971288/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973654] Re: Using debian-installer on a server with a Let's Encrypt cert dies
I believe this is caused by debootstrap - it only uses packages from the release pocket (and this is frozen from the time Ubuntu 20.04 LTS was originally released). This is a known issue https://askubuntu.com/questions/744684/latest-security-updates-with-debootstrap but I am not sure if there is much you can do to get debian-installer to say use multistrap instead of debootstrap. ** Package changed: ca-certificates (Ubuntu) => debian-installer (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1973654 Title: Using debian-installer on a server with a Let's Encrypt cert dies Status in debian-installer package in Ubuntu: New Bug description: While using debian-installer to install Ubuntu Focal, I get the following error: May 16 22:02:41 base-installer: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443] There was an issue in 2021, where the "DST_Root_CA_X3.crt" certificate used by Let's Encrypt expired. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ The problem is that the certificate is still included in the "ca-certificates_20190110ubuntu1_all.deb" that debian-installer fetches during install. May 16 22:02:17 debootstrap: Preparing to unpack .../ca-certificates_20190110ubuntu1_all.deb ... May 16 22:02:17 debootstrap: Unpacking ca-certificates (20190110ubuntu1) ... May 16 22:02:31 debootstrap: Setting up ca-certificates (20190110ubuntu1) ... May 16 22:02:40 debootstrap: Processing triggers for ca-certificates (20190110ubuntu1) ... May 16 22:02:40 debootstrap: Running hooks in /etc/ca-certificates/update.d...
Because the certificate is expired, debian-installer dies with: May 16 22:02:41 base-installer: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 129.59.59.10 443] Can Ubuntu update the ca-certificate .deb pulled during install to one that does not have DST_Root_CA_X3.crt? Thanks. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/1973654/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1975381] Re: firewall gets disabled
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem. We have instructions on debugging some types of problems at http://wiki.ubuntu.com/DebuggingProcedures. At a minimum, we need: 1. the specific steps or actions you took that caused you to encounter the problem, 2. the behavior you expected, and 3. the behavior you actually encountered (in as much detail as possible). Thanks! ** Changed in: iptables (Ubuntu) Status: New => Incomplete ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu. https://bugs.launchpad.net/bugs/1975381 Title: firewall gets disabled Status in iptables package in Ubuntu: Incomplete Bug description: Operating System: Ubuntu 22.04 Life cycle: LTS Architecture: AMD64 Kernel version (uname -a): 5.15.0-30-generic ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: iptables 1.8.7-1ubuntu5 ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30 Uname: Linux 5.15.0-30-generic x86_64 ApportVersion: 2.20.11-0ubuntu82 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Mon May 16 23:44:26 2022 SourcePackage: iptables UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1975381/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1975408] Re: Performance is much worse than expected (Normal friendly behaviors)
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1975408 Title: Performance is much worse than expected (Normal friendly behaviors) Status in xorg package in Ubuntu: New Bug description: Operating System: Ubuntu 22.04 Life cycle: LTS Architecture: AMD64 Kernel version (uname -a): 5.15.0-30-generic ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu2 ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30 Uname: Linux 5.15.0-30-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 CasperMD5CheckResult: unknown CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins' CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Sun May 22 12:10:30 2022 DistUpgraded: Fresh install DistroCodename: jammy DistroVariant: ubuntu DkmsStatus: sysdig/0.27.1, 5.15.0-30-generic, x86_64: installed ExtraDebuggingInterest: Yes, if not too technical GraphicsCard: Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller]) Subsystem: Hewlett-Packard Company 3rd Gen Core processor Graphics Controller [103c:17f4] MachineType: Hewlett-Packard HP ProBook 4540s ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-30-generic root=UUID=cf164159-2e29-4cee-aef2-f8d16c319f1a ro snapd_recovery_mode snap_core quiet splash crashkernel=512M-:192M vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: 
No upgrade log present (probably fresh install) dmi.bios.date: 04/11/2019 dmi.bios.release: 15.104 dmi.bios.vendor: Hewlett-Packard dmi.bios.version: 68IRR Ver. F.68 dmi.board.name: 17F6 dmi.board.vendor: Hewlett-Packard dmi.board.version: KBC Version 58.21 dmi.chassis.type: 10 dmi.chassis.vendor: Hewlett-Packard dmi.ec.firmware.release: 88.33 dmi.modalias: dmi:bvnHewlett-Packard:bvr68IRRVer.F.68:bd04/11/2019:br15.104:efr88.33:svnHewlett-Packard:pnHPProBook4540s:pvrA1008C11:rvnHewlett-Packard:rn17F6:rvrKBCVersion58.21:cvnHewlett-Packard:ct10:cvr:skuB7A48EA#ABV: dmi.product.family: 103C_5336AN G=N L=BUS B=HP S=PRO dmi.product.name: HP ProBook 4540s dmi.product.sku: B7A48EA#ABV dmi.product.version: A1008C11 dmi.sys.vendor: Hewlett-Packard version.compiz: compiz 1:0.9.14.1+22.04.20211217-0ubuntu2 version.libdrm2: libdrm2 2.4.110+git2205140500.3f266e~oibaf~j version.libgl1-mesa-dri: libgl1-mesa-dri 22.2~git2205160600.3c0f34~oibaf~j version.libgl1-mesa-glx: libgl1-mesa-glx 22.2~git2205170600.fffafa~oibaf~j version.xserver-xorg-core: xserver-xorg-core 2:21.1.3-2ubuntu2 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build3 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20210115-1 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-2build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1975408/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1975407] Re: pulseaudio is getting crashed
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1975407 Title: pulseaudio is getting crashed Status in pulseaudio package in Ubuntu: New Bug description: Operating System: Ubuntu 22.04 Life cycle: LTS Architecture: AMD64 Kernel version (uname -a): 5.15.0-30-generic ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: pulseaudio 1:15.99.1+dfsg1-1ubuntu1 ProcVersionSignature: Ubuntu 5.15.0-30.31-generic 5.15.30 Uname: Linux 5.15.0-30-generic x86_64 ApportVersion: 2.20.11-0ubuntu82.1 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC0: johnm 3822 F pulseaudio CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun May 22 12:08:58 2022 PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: XDG_RUNTIME_DIR (/run/user/1000) is not owned by us (uid 0), but by uid 1000! (This could e.g. happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.) No PulseAudio daemon running, or not running as session daemon. SourcePackage: pulseaudio Symptom: audio UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 04/11/2019 dmi.bios.release: 15.104 dmi.bios.vendor: Hewlett-Packard dmi.bios.version: 68IRR Ver. 
F.68 dmi.board.name: 17F6 dmi.board.vendor: Hewlett-Packard dmi.board.version: KBC Version 58.21 dmi.chassis.type: 10 dmi.chassis.vendor: Hewlett-Packard dmi.ec.firmware.release: 88.33 dmi.modalias: dmi:bvnHewlett-Packard:bvr68IRRVer.F.68:bd04/11/2019:br15.104:efr88.33:svnHewlett-Packard:pnHPProBook4540s:pvrA1008C11:rvnHewlett-Packard:rn17F6:rvrKBCVersion58.21:cvnHewlett-Packard:ct10:cvr:skuB7A48EA#ABV: dmi.product.family: 103C_5336AN G=N L=BUS B=HP S=PRO dmi.product.name: HP ProBook 4540s dmi.product.sku: B7A48EA#ABV dmi.product.version: A1008C11 dmi.sys.vendor: Hewlett-Packard modified.conffile..etc.xdg.autostart.pulseaudio.desktop: [modified] mtime.conffile..etc.xdg.autostart.pulseaudio.desktop: 2022-01-28T22:42:20.933634 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1975407/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded
@mardy I thought we had snapd.apparmor specifically to avoid this scenario but I can't see that service mentioned at all in systemd-analyze plot... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1871148 Title: services start before apparmor profiles are loaded Status in AppArmor: Invalid Status in snapd: Fix Released Status in apparmor package in Ubuntu: Fix Released Status in snapd package in Ubuntu: Fix Released Status in zsys package in Ubuntu: Invalid Status in apparmor source package in Focal: Fix Released Status in snapd source package in Focal: Fix Released Status in zsys source package in Focal: Invalid Bug description: Per discussion with Zyga in #snapd on Freenode, I have hit a race condition where services are being started by the system before apparmor has been started. I have a complete log of my system showing the effect somewhere within at https://paste.ubuntu.com/p/Jyx6gfFc3q/. Restarting apparmor using `sudo systemctl restart apparmor` is enough to bring installed snaps back to full functionality. Previously, when running any snap I would receive the following in the terminal: --- cannot change profile for the next exec call: No such file or directory snap-update-ns failed with code 1: File exists --- Updated to add for Jamie: $ snap version snap2.44.2+20.04 snapd 2.44.2+20.04 series 16 ubuntu 20.04 kernel 5.4.0-21-generic To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1871148/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1941752] Re: Regression: exiv2 0.27.3-3ubuntu1.5 makes Gwenview crash when opening images exported by darktable
@leosilva - as you did the original update for exiv2 could you please sponsor the attached debdiff? Thanks. ** Changed in: exiv2 (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to exiv2 in Ubuntu. https://bugs.launchpad.net/bugs/1941752 Title: Regression: exiv2 0.27.3-3ubuntu1.5 makes Gwenview crash when opening images exported by darktable Status in Gwenview: Fix Released Status in exiv2 package in Ubuntu: Confirmed Status in gwenview package in Ubuntu: Confirmed Bug description: Since the recent security update of exiv2, Gwenview crashes when trying to open image files that got exported by darktable. Steps to reproduce: * Make a test installation of Kubuntu 21.04 in VirtualBox * Install all updates * Install darktable * Copy one of the images in /usr/share/wallpapers (or any other image) to your home directory and open it with darktable * Within darktable, export a copy of the image (no need to do any actual modifications) * Try to open that copy with Gwenview. Gwenview will crash. I'm attaching a crash report hinting that this is related to exiv2. Temporary workaround: If I downgrade libexiv2-27 to 0.27.3-3ubuntu1.4, Gwenview doesn't crash, so it seems the crash is related to changes in 0.27.3-3ubuntu1.5. I don't know if the underlying cause is actually some bug in exiv2, Gwenview or darktable. 
Kind regards, Jan ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: libexiv2-27 0.27.3-3ubuntu1.5 ProcVersionSignature: Ubuntu 5.11.0-31.33-generic 5.11.22 Uname: Linux 5.11.0-31-generic x86_64 ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: pass CurrentDesktop: KDE Date: Thu Aug 26 15:16:47 2021 InstallationDate: Installed on 2021-08-26 (0 days ago) InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420) SourcePackage: exiv2 UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/gwenview/+bug/1941752/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1957024] [NEW] pam-mkhomedir does not honor private home directories
Public bug reported: As reported in https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533/13: A common situation is to have a central set of users (e.g. in LDAP) and use pam_mkhomedir.so to create the home directory when the user first logs in. These changes do not cover this situation. The default configuration of pam_mkhomedir.so will result in a home directory created with 0755 permissions. To make pam_mkhomedir.so create a home directory by default with permissions consistent with the other tools then a umask argument can be added to the pam_mkhomedir.so module in the file /usr/share/pam-configs/mkhomedir. I believe this would have to be done before enabling the module. The file is part of the libpam-modules package. ** Affects: pam (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1957024 Title: pam-mkhomedir does not honor private home directories Status in pam package in Ubuntu: New
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1957024/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
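The report above asks for a umask argument on the pam_mkhomedir.so line. As an added example (not code from the bug report or from the pam package), this Python script computes the home-directory mode a pam-configs profile would produce and rewrites the module line with the argument set. The 0750 target, the 0022 fallback, the sample profile text and all helper names are assumptions made for the illustration.

```python
import re

# Assumptions (not stated in the bug report): 0750 is the "private" target
# mode, and pam_mkhomedir falls back to umask 0022 when no umask= is given,
# which matches the 0755 result the report describes.
PRIVATE_MODE = 0o750
DEFAULT_UMASK = 0o022

# Constructed sample in the pam-configs profile layout, not copied from the package.
SAMPLE_PROFILE = (
    "Name: Create home directory on login\n"
    "Default: no\n"
    "Priority: 0\n"
    "Session-Type: Additional\n"
    "Session-Interactive-Only: yes\n"
    "Session:\n"
    "\toptional\t\t\tpam_mkhomedir.so\n"
)

MODULE_RE = re.compile(r"\bpam_mkhomedir\.so\b(?P<args>[^#]*)")


def mkhomedir_entries(text):
    """Yield (line_number, args) for every active pam_mkhomedir.so line."""
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines do not take effect
        match = MODULE_RE.search(line)
        if not match:
            continue
        args = {}
        for token in match.group("args").split():
            key, _, value = token.partition("=")
            args[key] = value
        yield number, args


def resulting_mode(args):
    """Mode of the created home directory, or None for an unparsable umask."""
    raw = args.get("umask")
    if raw is None:
        return 0o777 & ~DEFAULT_UMASK
    if not re.fullmatch(r"[0-7]{1,4}", raw):
        return None
    return 0o777 & ~int(raw, 8)


def audit(text, wanted=PRIVATE_MODE):
    """Report each module line and whether it grants bits beyond `wanted`."""
    findings = []
    for number, args in mkhomedir_entries(text):
        mode = resulting_mode(args)
        # An unparsable umask is reported as too open so it gets reviewed.
        too_open = mode is None or bool(mode & ~wanted)
        findings.append({
            "line": number,
            "mode": None if mode is None else format(mode, "04o"),
            "too_open": too_open,
        })
    return findings


def with_umask(text, umask="0027"):
    """Return the profile with umask=<umask> set on every active module line."""
    fixed = []
    for line in text.splitlines():
        if not line.lstrip().startswith("#") and MODULE_RE.search(line):
            # Drop any existing umask= argument, then append the wanted one.
            line = re.sub(r"\s+umask=\S*", "", line).rstrip() + " umask=" + umask
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for label, profile in (("before", SAMPLE_PROFILE),
                           ("after", with_umask(SAMPLE_PROFILE))):
        for finding in audit(profile):
            print(label, finding)
```

The same audit can be pointed at the text of the generated /etc/pam.d files after the profile is enabled, since the module line has the same argument syntax there.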
[Touch-packages] [Bug 1957781] Re: when i upgrade my package ask me yes or no ?
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find. ** Information type changed from Private Security to Public ** Package changed: ubuntu => apt (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1957781 Title: when i upgrade my package ask me yes or no ? Status in apt package in Ubuntu: New Bug description: ubuntu 21.10 use sudo apt upgrade toshiba@toshiba-Satellite-C850-B908:~$ sudo apt upgrade Reading package lists... Done Building dependency tree... Done Reading state information... Done Calculating upgrade... Done The following NEW packages will be installed: linux-headers-5.13.0-25 linux-headers-5.13.0-25-generic linux-image-5.13.0-25-generic linux-modules-5.13.0-25-generic linux-modules-extra-5.13.0-25-generic The following packages will be upgraded: ghostscript ghostscript-x gir1.2-javascriptcoregtk-4.0 gir1.2-webkit2-4.0 libexiv2-27 libfprint-2-2 libgs9 libgs9-common libjavascriptcoregtk-4.0-18 libnss-systemd libpam-systemd libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5 libqt5widgets5 libsystemd0 libudev1 libwebkit2gtk-4.0-37 linux-generic-hwe-20.04 linux-headers-generic-hwe-20.04 linux-image-generic-hwe-20.04 linux-libc-dev openssh-client qt5-gtk-platformtheme systemd systemd-sysv systemd-timesyncd udev 29 upgraded, 5 newly installed, 0 to remove and 0 not upgraded. 27 standard security updates Need to get 148 MB of archives. After this operation, 504 MB of additional disk space will be used. Do you want to continue? 
[Y/n] 1 Get:1 http://sy.archive.ubuntu.com/ubuntu impish-updates/main amd64 systemd-timesyncd amd64 248.3-1ubuntu8.2 [30.8 kB] -- so i click 1 not y or yes ? and the upgrading begin? is that normal ? i mean using 1 as yes? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1957781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15
FYI I am working on merging apparmor-3.0.4 from debian unstable to jammy at the moment which should resolve this. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1961196 Title: apparmor autotest failure on jammy with linux 5.15 Status in apparmor package in Ubuntu: New Status in apparmor source package in Jammy: New Bug description: [Impact] test-aa-notify is also checking if the output of `aa-notify --help` matches a specific text. However it looks like this output has changed in jammy so the autopkgtest is reporting errors like this: 05:17:31 ERROR| [stderr] === test-aa-notify.py === 05:17:31 ERROR| [stderr] .ssF. 05:17:31 ERROR| [stderr] == 05:17:31 ERROR| [stderr] FAIL: test_help_contents (__main__.AANotifyTest) 05:17:31 ERROR| [stderr] Test output of help text 05:17:31 ERROR| [stderr] -- 05:17:31 ERROR| [stderr] Traceback (most recent call last): 05:17:31 ERROR| [stderr] File "/tmp/testlibmse00lib/source/jammy/apparmor-3.0.3/utils/test/test-aa-notify.py", line 178, in test_help_contents 05:17:31 ERROR| [stderr] self.assertEqual(expected_output_is, output, result + output) 05:17:31 ERROR| [stderr] AssertionError: 'usag[189 chars]ptional arguments:\n -h, --helpsh[746 chars]de\n' != 'usag[189 chars]ptions:\n -h, --helpshow this hel[735 chars]de\n' 05:17:31 ERROR| [stderr] usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v] 05:17:31 ERROR| [stderr][-u USER] [-w NUM] [--debug] 05:17:31 ERROR| [stderr] 05:17:31 ERROR| [stderr] Display AppArmor notifications or messages for DENIED entries. 
05:17:31 ERROR| [stderr] 05:17:31 ERROR| [stderr] - optional arguments: 05:17:31 ERROR| [stderr] + options: 05:17:31 ERROR| [stderr] -h, --helpshow this help message and exit 05:17:31 ERROR| [stderr] -p, --pollpoll AppArmor logs and display notifications 05:17:31 ERROR| [stderr] --display DISPLAY set the DISPLAY environment variable (might be needed if 05:17:31 ERROR| [stderr] sudo resets $DISPLAY) 05:17:31 ERROR| [stderr] -f FILE, --file FILE search FILE for AppArmor messages 05:17:31 ERROR| [stderr] -l, --since-last display stats since last login 05:17:31 ERROR| [stderr] -s NUM, --since-days NUM 05:17:31 ERROR| [stderr] show stats for last NUM days (can be used alone or with 05:17:31 ERROR| [stderr] -p) 05:17:31 ERROR| [stderr] -v, --verbose show messages with stats 05:17:31 ERROR| [stderr] -u USER, --user USER user to drop privileges to when not using sudo 05:17:31 ERROR| [stderr] -w NUM, --wait NUMwait NUM seconds before displaying notifications (with 05:17:31 ERROR| [stderr] -p) 05:17:31 ERROR| [stderr] --debug debug mode 05:17:31 ERROR| [stderr] : Got output "usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v] 05:17:31 ERROR| [stderr] [-u USER] [-w NUM] [--debug] [Test case] Simply run test-aa-notify.py from the autopkgtests. [Fix] Update the expected output returned by `aa-notify --help` in test-aa-notify.py. [Regression potential] This is just an autopkgtest, we may see regressions if the test is used with older version of apparmor-notify. With newer versions there's no risk of regressions. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1961196/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15
FYI I am preparing this in https://bileto.ubuntu.com/#/ticket/4796 - I have included the original patch from arighi to fix the aa-notify tests too. Once britney looks happy with this I will upload it to jammy-proposed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1961196 Title: apparmor autotest failure on jammy with linux 5.15 Status in apparmor package in Ubuntu: New Status in apparmor source package in Jammy: New To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1961196/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1961196] Re: apparmor autotest failure on jammy with linux 5.15
Hmm so had to redo my merge after the 3.0.3-0ubuntu9 upload... see new bileto ticket/PPA for the current version of it https://bileto.ubuntu.com/#/ticket/4797

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1961196

Title: apparmor autotest failure on jammy with linux 5.15

Status in apparmor package in Ubuntu: New
Status in apparmor source package in Jammy: New
[Touch-packages] [Bug 1962036] Re: dbus was stopped during today's jammy update, breaking desktop
I hit this too - just reported https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1962127 from the associated gnome-shell crash. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1962036 Title: dbus was stopped during today's jammy update, breaking desktop Status in dbus package in Ubuntu: Confirmed Bug description: Impact: logind stopped, so desktop stopped, ssh stopped, got no getty. Had to hard reset. Today's jammy upgrade stopped dbus at 19:46:27 Feb 23 19:46:27 jak-t480s systemd[1]: Stopping D-Bus System Message Bus... This should not happen. I don't know which package caused this, but presumably dbus should not be stoppable in the first place. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: dbus 1.12.20-2ubuntu3 ProcVersionSignature: Ubuntu 5.15.0-22.22-generic 5.15.19 Uname: Linux 5.15.0-22-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu78 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: GNOME Date: Wed Feb 23 20:03:41 2022 InstallationDate: Installed on 2018-03-14 (1442 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313) RebootRequiredPkgs: Error: path contained symlinks. SourcePackage: dbus UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1962036/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1962276] Re: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed
This appears to be caused (for me at least) by upower 0.99.16-1 - after upgrading today to 0.99.16-2 things are working again as expected.

** Also affects: upower (Ubuntu) Importance: Undecided Status: New

** Bug watch added: Debian Bug tracker #1006368 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006368

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to upower in Ubuntu.
https://bugs.launchpad.net/bugs/1962276

Title: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed

Status in gnome-settings-daemon package in Ubuntu: New
Status in linux package in Ubuntu: Confirmed
Status in mutter package in Ubuntu: New
Status in upower package in Ubuntu: New

Bug description:
After today's updates I can no longer run my Laptop in clam shell mode. I don't use a dock. I connect the second monitor via HDMI cable and external keyboard/mouse via a USB hub. Usually I can just plug in the monitor and close the lid and the primary display will switch to the external monitor. Now it will default to Monitor 2 as part of the joint display. I also tested booting the machine and closing the lid but this still defaulted to the external monitor as the 2nd display.
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: xorg 1:7.7+23ubuntu1 ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12 Uname: Linux 5.15.0-18-generic x86_64 ApportVersion: 2.20.11-0ubuntu78 Architecture: amd64 BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log' CasperMD5CheckResult: pass CompositorRunning: None CurrentDesktop: ubuntu:GNOME Date: Fri Feb 25 16:44:37 2022 DistUpgraded: Fresh install DistroCodename: jammy DistroVariant: ubuntu ExtraDebuggingInterest: Yes, if not too technical GraphicsCard: Intel Corporation HD Graphics 5500 [8086:1616] (rev 09) (prog-if 00 [VGA controller]) Subsystem: Lenovo HD Graphics 5500 [17aa:2226] InstallationDate: Installed on 2022-02-23 (1 days ago) InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220202) MachineType: LENOVO 20CLS3JN0F ProcEnviron: LANGUAGE=en_NZ:en PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_NZ.UTF-8 SHELL=/bin/bash ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.15.0-18-generic root=/dev/mapper/vgubuntu-root ro quiet splash vt.handoff=7 SourcePackage: xorg Symptom: display UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 03/05/2015 dmi.bios.release: 1.7 dmi.bios.vendor: LENOVO dmi.bios.version: N10ET30W (1.07 ) dmi.board.asset.tag: Not Available dmi.board.name: 20CLS3JN0F dmi.board.vendor: LENOVO dmi.board.version: SDK0E50510 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.ec.firmware.release: 1.9 dmi.modalias: dmi:bvnLENOVO:bvrN10ET30W(1.07):bd03/05/2015:br1.7:efr1.9:svnLENOVO:pn20CLS3JN0F:pvrThinkPadX250:rvnLENOVO:rn20CLS3JN0F:rvrSDK0E50510WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20CL_BU_Think_FM_ThinkPadX250: dmi.product.family: ThinkPad X250 dmi.product.name: 20CLS3JN0F dmi.product.sku: LENOVO_MT_20CL_BU_Think_FM_ThinkPad X250 dmi.product.version: ThinkPad X250 dmi.sys.vendor: LENOVO version.compiz: compiz N/A version.libdrm2: libdrm2 2.4.109-2ubuntu1 
version.libgl1-mesa-dri: libgl1-mesa-dri 21.2.2-1ubuntu1 version.libgl1-mesa-glx: libgl1-mesa-glx N/A version.xserver-xorg-core: xserver-xorg-core 2:1.20.14-1ubuntu1 version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-2build1 version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20200714-1ubuntu2 version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.17-1build1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-settings-daemon/+bug/1962276/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1962276] Re: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed
See this related debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006368

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to upower in Ubuntu.
https://bugs.launchpad.net/bugs/1962276

Title: [jammy] Laptop monitor does not turn off/disconnect when the lid is closed

Status in gnome-settings-daemon package in Ubuntu: New
Status in linux package in Ubuntu: Confirmed
Status in mutter package in Ubuntu: New
Status in upower package in Ubuntu: New
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
I am actively looking at this - FWIW the performance results with PIE enabled look good - https://paste.ubuntu.com/p/PZjqMFSNSR/ - so I am discussing internally whether this is something that can still land for Ubuntu 22.04. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1452115 Title: Python interpreter binary is not compiled as PIE Status in Python: New Status in python2.7 package in Ubuntu: Fix Released Status in python3.10 package in Ubuntu: New Status in python3.4 package in Ubuntu: Fix Released Status in python3.6 package in Ubuntu: Confirmed Status in python3.7 package in Ubuntu: Confirmed Status in python3.8 package in Ubuntu: Confirmed Status in python3.9 package in Ubuntu: New Status in python3.7 package in Debian: New Status in python3.8 package in Debian: New Bug description: The python2.7 binary (installed at /usr/bin/python2.7; package version 2.7.6-8) is not compiled as a position independent executable (PIE). It appears that the python compilation process is somewhat arcane and the hardening wrapper probably doesn't do the trick for it. This is incredibly dangerous as it means that any vulnerability within a native module (e.g. ctypes-based), or within python itself will expose an incredibly large amount of known memory contents at known addresses (including a large number of dangerous instruction groupings). This enables ROP-based (https://en.wikipedia.org/wiki/Return-oriented_programming) to abuse the interpreter itself to bypass non-executable page protections. I have put together an example vulnerable C shared object (with a buffer overflow) accessed via python through the ctypes interface as an example. This uses a single ROP "gadget" on top of using the known PLT location for system(3) (https://en.wikipedia.org/wiki/Return-to-libc_attack) to call "id". 
The example code is accessible at: - https://gist.github.com/ChaosData/ae6076cb1c3cc7b0a367

I'm not exactly familiar enough with the python build process to say where exactly an -fPIE needs to be injected into a script/makefile, but I feel that given the perceived general preference for ctypes-based modules over python written ones, as the native code implementations tend to be more performant, this feels like a large security hole within the system.

Given the nature of this "issue," I'm not 100% sure of where it is best reported, but from what I can tell, this conflicts with the Ubuntu hardening features and is definitely exploitable should a native module contain a sufficiently exploitable vulnerability that allows for control of the instruction register.

To manage notifications about this bug go to: https://bugs.launchpad.net/python/+bug/1452115/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE
For posterity - this is how I did the analysis above:

# download the current python3.9 source package and rebuild it with PIE enabled
apt source python3.9
cd python3.9-3.9.10/
sed -i "/export DEB_BUILD_MAINT_OPTIONS=hardening=-pie/d" debian/rules
dch -i -D jammy "Enable PIE (LP: #1452115)"
update-maintainer
# sbuild assumes you already have a jammy-amd64 schroot setup
sbuild

# use a LXD VM for testing
lxc launch --vm images:ubuntu/jammy sec-jammy-amd64
# stop the VM and disable UEFI secure boot
lxc stop sec-jammy-amd64
# ensure secureboot is not used so we can use the msr module later
lxc config set sec-jammy-amd64 security.secureboot=false
lxc start sec-jammy-amd64
# make sure VM has full disk allocated
lxc exec sec-jammy-amd64 -- growpart /dev/sda 2
lxc exec sec-jammy-amd64 -- resize2fs /dev/sda2
lxc file push ../*.deb sec-jammy-amd64/root/
lxc shell sec-jammy-amd64

# then inside the LXD VM install and run pyperformance with and without the new python3.9
apt install python3-pip
pip3 install pyperformance
# tune for system performance
modprobe msr
python3.9 -m pyperf system tune
# get baseline numbers without PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9.json
# install our debs we built above that have PIE enabled
apt install ./python3.9_3.9.10-2ubuntu1_amd64.deb ./libpython3.9-stdlib_3.9.10-2ubuntu1_amd64.deb ./python3.9-minimal_3.9.10-2ubuntu1_amd64.deb ./libpython3.9-minimal_3.9.10-2ubuntu1_amd64.deb ./libpython3.9_3.9.10-2ubuntu1_amd64.deb ./libpython3.9-dev_3.9.10-2ubuntu1_amd64.deb ./python3.9-dev_3.9.10-2ubuntu1_amd64.deb
# check they have PIE
apt install devscripts
hardening-check /usr/bin/python3.9
# re-run pyperformance with PIE
pyperformance run --python=/usr/bin/python3.9 -o py3.9-pie.json
# and compare the results
python3 -m pyperf compare_to py3.9.json py3.9-pie.json --table

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
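The "check they have PIE" step in the message above can also be done by reading the ELF headers directly. The following is an added example, not part of the original message and not hardening-check's own code: it classifies an ELF image from e_type, PT_INTERP and DT_FLAGS_1. The function names and the constructed sample images built by build_sample are assumptions made for this illustration.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                 # e_type values
PT_DYNAMIC, PT_INTERP = 2, 3           # program header types
DT_NULL, DT_FLAGS_1 = 0, 0x6FFFFFFB    # dynamic section tags
DF_1_PIE = 0x08000000                  # set by recent linkers for -pie output


def _dt_flags_1(data, offset, size, is64, endian):
    """Return the DT_FLAGS_1 value from a dynamic section, or 0 if absent."""
    fmt = endian + ("qQ" if is64 else "iI")
    step = struct.calcsize(fmt)
    for pos in range(offset, offset + size - step + 1, step):
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_FLAGS_1:
            return val
    return 0


def classify_elf(data):
    """Return 'pie', 'non-pie', 'shared-object' or 'other' for an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = {1: False, 2: True}.get(data[4])
    endian = {1: "<", 2: ">"}.get(data[5])
    if is64 is None or endian is None:
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if e_type == ET_EXEC:
        return "non-pie"               # linked at a fixed address; ASLR cannot move it
    if e_type != ET_DYN:
        return "other"                 # relocatable object, core file, ...
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    has_interp, flags1 = False, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
                endian + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(
                endian + "IIIII", data, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            flags1 = _dt_flags_1(data, p_offset, p_filesz, is64, endian)
    # Heuristic: older toolchains do not set DF_1_PIE, so an ET_DYN image that
    # requests a program interpreter is treated as PIE too. A few directly
    # runnable libraries also carry PT_INTERP and will be reported as 'pie'.
    if flags1 & DF_1_PIE or has_interp:
        return "pie"
    return "shared-object"


def build_sample(e_type, interp=False, flags1=None):
    """Constructed minimal ELF64 little-endian image, for demonstration only."""
    nph = int(interp) + int(flags1 is not None)
    base = 64 + 56 * nph               # payload follows ELF header + phdr table
    phdrs, blobs = [], b""
    if interp:
        blob = b"/lib64/ld-linux-x86-64.so.2\0"
        phdrs.append((PT_INTERP, base + len(blobs), len(blob)))
        blobs += blob
    if flags1 is not None:
        blob = struct.pack("<qQqQ", DT_FLAGS_1, flags1, DT_NULL, 0)
        phdrs.append((PT_DYNAMIC, base + len(blobs), len(blob)))
        blobs += blob
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        e_type, 62, 1, 0, 64, 0, 0, 64, 56, nph, 0, 0, 0)
    table = b"".join(struct.pack("<IIQQQQQQ", t, 4, o, 0, 0, n, n, 1)
                     for t, o, n in phdrs)
    return ehdr + table + blobs


if __name__ == "__main__":
    # Classify the files given on the command line, e.g. /usr/bin/python3.9
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_elf(fh.read()))
```

A result of 'non-pie' for the interpreter binary corresponds to the condition this bug reports: the main executable's code sits at a fixed, predictable address.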
[Touch-packages] [Bug 1964325] Re: Fails to print due to apparmor denied connect operation for cupsd - /run/systemd/userdb/io.systemd.Machine
I have proposed a fix for this upstream - https://gitlab.com/apparmor/apparmor/-/merge_requests/861 - once that is reviewed then we can include the fix in jammy. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1964325 Title: Fails to print due to apparmor denied connect operation for cupsd - /run/systemd/userdb/io.systemd.Machine Status in apparmor package in Ubuntu: New Bug description: On an up to date Jammy machine, printing fails and there is the following apparmor denied message in the journal: apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/run/systemd/userdb/io.systemd.Machine" pid=892182 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Printing works after running aa-complain cupsd. The printer is a driverless HP Envy 5020 ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: apparmor 3.0.4-2ubuntu1 ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12 Uname: Linux 5.15.0-18-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu78 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Wed Mar 9 10:25:10 2022 InstallationDate: Installed on 2020-05-31 (647 days ago) InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Alpha amd64 (20200527) ProcKernelCmdline: BOOT_IMAGE=/BOOT/ubuntu_nt06gx@/vmlinuz-5.15.0-18-generic root=ZFS=rpool/ROOT/ubuntu_nt06gx ro snd-intel-dspcfg.dsp_driver=1 RebootRequiredPkgs: Error: path contained symlinks. 
SourcePackage: apparmor UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1964325/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1944436] Re: Please backport support for "close_range" syscall
Can you please post a simple reproducer? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1944436 Title: Please backport support for "close_range" syscall Status in libseccomp package in Ubuntu: New Bug description: Please backport support for the "close_range" syscall .. may be as simple as cherrypicking https://github.com/seccomp/libseccomp/commit/01e5750e7c84bb14e5a5410c924bed519209db06 from upstream. I've hit problems running buildah in a systemd-nspawn container, but this will probably affect people trying to run modern code in other container systems as well, e.g. docker. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: libseccomp2 2.5.1-1ubuntu1~20.04.1 ProcVersionSignature: Ubuntu 5.4.0-84.94-generic 5.4.133 Uname: Linux 5.4.0-84-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.20 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: Xpra Date: Tue Sep 21 15:10:54 2021 InstallationDate: Installed on 2017-01-08 (1717 days ago) InstallationMedia: Xubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) SourcePackage: libseccomp UpgradeStatus: Upgraded to focal on 2021-09-02 (19 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1944436/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Is there any option to do this via portals - ie can evince use https://flatpak.github.io/xdg-desktop-portal/portal-docs.html#gdbus-org.freedesktop.portal.OpenURI to open the URI? Would then this allow to avoid going via xdg-open?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu: Confirmed
Status in evince package in Ubuntu: Triaged

Bug description:
This is related to bug #1792648. After fixing that one (see discussion at https://salsa.debian.org/gnome-team/evince/merge_requests/1), clicking a hyperlink in a PDF opens it correctly if the default browser is a well-known application (such as /usr/bin/firefox), but it fails to do so if the default browser is a snap (e.g. the chromium snap). This is not a recent regression, it's not working on bionic either.
ProblemType: Bug DistroRelease: Ubuntu 18.10 Package: evince 3.30.0-2 ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5 Uname: Linux 4.18.0-7-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.10-0ubuntu11 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Mon Sep 24 12:28:06 2018 EcryptfsInUse: Yes InstallationDate: Installed on 2016-07-02 (813 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) SourcePackage: evince UpgradeStatus: Upgraded to cosmic on 2018-09-14 (9 days ago) modified.conffile..etc.apparmor.d.abstractions.evince: [modified] mtime.conffile..etc.apparmor.d.abstractions.evince: 2018-09-24T11:35:41.904158 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1949316] [NEW] kmod modprobe.d scripts are named with non-inclusive language
Public bug reported: The kmod package ships with a number of files in /etc/modprobe.d which have non-inclusive names: $ dpkg -L kmod | grep blacklist /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf These should be renamed using the term denylist instead. Similarly, they should accept the term `denylist` rather than `blacklist` to specify modules that should not be loaded / aliases that should be ignored etc. ** Affects: kmod (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to kmod in Ubuntu. https://bugs.launchpad.net/bugs/1949316 Title: kmod modprobe.d scripts are named with non-inclusive language Status in kmod package in Ubuntu: New Bug description: The kmod package ships with a number of files in /etc/modprobe.d which have non-inclusive names: $ dpkg -L kmod | grep blacklist /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf These should be renamed using the term denylist instead. Similarly, they should accept the term `denylist` rather than `blacklist` to specify modules that should not be loaded / aliases that should be ignored etc. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/1949316/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1951161] Re: Please merge shadow 1:4.8.1-2 (main) from Debian unstable
I think the changelog entry should still list the private home dirs change for login.defs under Remaining changes -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu. https://bugs.launchpad.net/bugs/1951161 Title: Please merge shadow 1:4.8.1-2 (main) from Debian unstable Status in shadow package in Ubuntu: Confirmed Bug description: This merge is necessary because there are changes present in Ubuntu that are not present in Debian. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1951161/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953428] [NEW] /etc/PackageKit/Vendor.conf specifies invalid CodecUrl
Public bug reported: CodecUrl in /etc/PackageKit/Vendor.conf on Impish at least currently has: http://shop.canonical.com/index.php?cPath=19&osCsid=f1e370ea7563ed5e654c10450364ff24 shop.canonical.com does not have a DNS record and has been dead for a long time so this should be removed. ** Affects: packagekit (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to packagekit in Ubuntu. https://bugs.launchpad.net/bugs/1953428 Title: /etc/PackageKit/Vendor.conf specifies invalid CodecUrl Status in packagekit package in Ubuntu: New Bug description: CodecUrl in /etc/PackageKit/Vendor.conf on Impish at least currently has: http://shop.canonical.com/index.php?cPath=19&osCsid=f1e370ea7563ed5e654c10450364ff24 shop.canonical.com does not have a DNS record and has been dead for a long time so this should be removed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1953428/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1953301

Title: Segfault on AArch64 caused by OpenSSL affecting numerous packages

Status in openssl package in Ubuntu: New

Bug description:
OpenSSL causes crashes when reaching to some URLs on AArch64 platform, affecting Ubuntu, but not Fedora for instance. Initially reported in https://mediasoup.discourse.group/t/mediasoup-worker-default-make-failed/3647/12, more details and reproductions in https://github.com/mesonbuild/meson/issues/9690

Affects curl, wget, python and probably everything else.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1953301/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages
FWIW I can't reproduce this on a RPi 4 running the aarch64/arm64 Ubuntu 20.04 LTS image:

ubuntu@rpi4:~$ wget https://wrapdb.mesonbuild.com/v2/libuv_1.42.0-1/get_patch
--2021-12-07 05:50:01-- https://wrapdb.mesonbuild.com/v2/libuv_1.42.0-1/get_patch
Resolving wrapdb.mesonbuild.com (wrapdb.mesonbuild.com)... 138.201.247.118
Connecting to wrapdb.mesonbuild.com (wrapdb.mesonbuild.com)|138.201.247.118|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/mesonbuild/wrapdb/releases/download/libuv_1.42.0-1/libuv_1.42.0-1_patch.zip [following]
--2021-12-07 05:50:03-- https://github.com/mesonbuild/wrapdb/releases/download/libuv_1.42.0-1/libuv_1.42.0-1_patch.zip
Resolving github.com (github.com)... 13.236.229.21
Connecting to github.com (github.com)|13.236.229.21|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/236250352/46c49bec-514b-4411-afe8-46ac8cb2e82f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211207T054758Z&X-Amz-Expires=300&X-Amz-Signature=504c83b4d0c3567dc2f509362714a5b5709951655612c5665ca7d3e1f09050c5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=236250352&response-content-disposition=attachment%3B%20filename%3Dlibuv_1.42.0-1_patch.zip&response-content-type=application%2Foctet-stream [following]
--2021-12-07 05:50:03-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/236250352/46c49bec-514b-4411-afe8-46ac8cb2e82f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211207T054758Z&X-Amz-Expires=300&X-Amz-Signature=504c83b4d0c3567dc2f509362714a5b5709951655612c5665ca7d3e1f09050c5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=236250352&response-content-disposition=attachment%3B%20filename%3Dlibuv_1.42.0-1_patch.zip&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5146 (5.0K) [application/octet-stream]
Saving to: ‘get_patch’

get_patch 100%[=>] 5.03K --.-KB/s in 0.009s

2021-12-07 05:50:04 (590 KB/s) - ‘get_patch’ saved [5146/5146]

ubuntu@rpi4:~$ dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==-=--
ii openssl 1.1.1f-1ubuntu2.9 arm64 Secure Sockets Layer toolkit - cryptographic utility

ubuntu@rpi4:~$ uname -a
Linux rpi4 5.4.0-1047-raspi #52-Ubuntu SMP PREEMPT Wed Nov 24 08:16:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

Can you please provide more details on what hardware platform is being used in your case and what Ubuntu version / openssl version is in use? The meson github issue appears to mention Ubuntu 20.04 but some more details would be useful.

** Changed in: openssl (Ubuntu)
Status: New => Incomplete

https://bugs.launchpad.net/bugs/1953301
Title: Segfault on AArch64 caused by OpenSSL affecting numerous packages
Status in openssl package in Ubuntu: Incomplete
[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles
This bug is fixed and the behaviour you are seeing is expected - ie. it is expected that AppArmor prints a warning about forcing complain mode for the usr.sbin.sssd profile and that it then also prints a warning about caching being disabled for that due to it being in force complain mode. This is expected and normal behaviour.

However, if you feel this expected behaviour is a bug, please file a separate bug report for that and describe what you think is incorrect about this behaviour and how instead you feel it should behave.

https://bugs.launchpad.net/bugs/1899218
Title: Incorrect warning from apparmor_parser on force complained profiles
Status in apparmor package in Ubuntu: Fix Released

Bug description:
apparmor_parser on a force complained profile produces an incorrect warning message:

$ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd

Even though not generating the cache at all is expected, the warning should describe caching is disabled for force complained profiles instead of failure to create it.

$ lsb_release -rd
Description: Ubuntu Groovy Gorilla (development branch)
Release: 20.10

$ apt-cache policy apparmor
apparmor:
  Installed: 3.0.0~beta1-0ubuntu6
  Candidate: 3.0.0~beta1-0ubuntu6
  Version table:
 *** 3.0.0~beta1-0ubuntu6 500
        500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages
        100 /var/lib/dpkg/status
[Touch-packages] [Bug 2024637] [NEW] apparmor.service tries to load snapd generated apparmor profiles but fails
Public bug reported:

As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support.

This is seen as a failure to load the apparmor.service at boot once this new snapd snap with the vendored apparmor is installed:

root@sec-bionic-amd64:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
 Main PID: 1590 (code=exited, status=123)

Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]:...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

root@sec-bionic-amd64:~# snap version
snap 2.60
snapd 2.60
series 16
ubuntu 18.04
kernel 4.15.0-212-generic

root@sec-bionic-amd64:~# snap debug sandbox-features --required \
    apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
snapd has internal vendored apparmor

In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor profiles generated by snapd as since snapd 2.44.3 it has shipped the snapd.apparmor.service unit which loads its apparmor profiles on boot.

apparmor in bionic and xenial should be updated to stop loading snapd generated apparmor profiles and instead leave this up to snapd.apparmor.service.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.12-4ubuntu5.1
ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
Uname: Linux 4.15.0-212-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: amd64
Date: Thu Jun 22 06:52:02 2023
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: New

** Tags: amd64 apport-bug bionic

** Description changed: As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support. 
- In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor - profiles generated by snapd as since snapd 2.44.3 it has shipped the - snapd.apparmor.service unit which loads its apparmor profiles on boot. + This is seen as a failure to load the apparmor.service at boot once this + new snapd snap with the vendored apparmor is installed: + + root@sec-bionic-amd64:~# systemctl status apparmor + ● apparmor.service - AppArmor initialization +Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) +Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago + Docs: man:apparmor(7) +http://wiki.apparmor.net/ + Main PID: 1590 (code=exited, status=123) + + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf. + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Also affects: apparmor (Ubuntu Xenial)
Importance: Undecided
Status: New

** Also affects: apparmor (Ubuntu Bionic)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/2024637
Title: apparmor.service tries to load snapd generated apparmor profiles but fails
Status in apparmor package in Ubuntu: New
Status in apparmor source package in Xenial: New
Status in apparmor source package in Bionic: New
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
** Also affects: snapd (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/2024637
Title: apparmor.service tries to load snapd generated apparmor profiles but fails
Status in apparmor package in Ubuntu: New
Status in snapd package in Ubuntu: New
Status in apparmor source package in Xenial: New
Status in snapd source package in Xenial: New
Status in apparmor source package in Bionic: New
Status in snapd source package in Bionic: New
[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails
A possible fix on the snapd side is being prepared in tandem in https://github.com/snapcore/snapd/pull/12909

https://bugs.launchpad.net/bugs/2024637
Title: apparmor.service tries to load snapd generated apparmor profiles but fails
Status in apparmor package in Ubuntu: New
Status in snapd package in Ubuntu: New
Status in apparmor source package in Xenial: New
Status in snapd source package in Xenial: New
Status in apparmor source package in Bionic: New
Status in snapd source package in Bionic: New
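A triage sketch for the apparmor.service failure reported in Bug 2024637, added here and not taken from apparmor or snapd: it separates parser errors that originate in snapd-generated policy under /var/lib/snapd/apparmor/ (which the report says should be left to snapd.apparmor.service) from errors in other system profiles. The sample journal is constructed from the excerpt in the report; the usr.sbin.example line and all function names are assumptions.

```python
import re

# Constructed sample. The snap-confine lines follow the journal excerpt in the
# bug report; the usr.sbin.example line is invented to show the non-snapd case.
SAMPLE_JOURNAL = """\
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.sbin.example in /etc/apparmor.d/usr.sbin.example at line 7: constructed example error
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
"""

# Directory named in the report as holding snapd-generated policy.
SNAPD_POLICY_DIR = "/var/lib/snapd/apparmor/"

PARSER_ERROR = re.compile(
    r"AppArmor parser error for (?P<profile>\S+) in (?P<source>\S+) "
    r"at line (?P<line>\d+): (?P<message>.+)$"
)
INVALID_CAP = re.compile(r"Invalid capability (\w+)")


def parse_parser_errors(journal_text):
    """Return unique (profile, source, line, message) tuples, first-seen order.

    The init script retries, so the journal repeats each error; duplicates
    are collapsed so the counts reflect distinct failures.
    """
    seen = set()
    errors = []
    for raw in journal_text.splitlines():
        m = PARSER_ERROR.search(raw)
        if not m:
            continue
        err = (m["profile"], m["source"], int(m["line"]), m["message"].strip())
        if err not in seen:
            seen.add(err)
            errors.append(err)
    return errors


def triage(journal_text):
    """Split failing profiles by who owns the policy that failed to parse."""
    report = {"snapd": [], "system": [], "unsupported_caps": set()}
    for profile, source, _line, message in parse_parser_errors(journal_text):
        # Either the profile itself or the included file that triggered the
        # error lives in snapd's directory: the system parser should not be
        # the one loading it.
        from_snapd = (profile.startswith(SNAPD_POLICY_DIR)
                      or source.startswith(SNAPD_POLICY_DIR))
        report["snapd" if from_snapd else "system"].append(profile)
        cap = INVALID_CAP.search(message)
        if cap:
            report["unsupported_caps"].add(cap.group(1))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_JOURNAL)
    for owner in ("snapd", "system"):
        for profile in result[owner]:
            print(f"{owner:6} {profile}")
    print("capabilities unknown to the system parser:",
          sorted(result["unsupported_caps"]))
```

Entries under "system" are the ones that still need fixing in /etc/apparmor.d once snapd's policy is loaded only by snapd.apparmor.service.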
[Touch-packages] [Bug 1990064] Re: unconfined profile denies userns_create for chromium based processes
This sounds like a kernel regression. The commit you link to is for SELinux, which is not enabled by default in Ubuntu, so I doubt it is that specifically - instead I suspect this is due to the following commit:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=master-next&id=30bce26855c9171f8dee74d93308fd506730c914

The logic here:

int aa_profile_ns_perm(struct aa_profile *profile, struct common_audit_data *sa,
                       u32 request)
{
        ...
        if (profile_unconfined(profile)) {
                if (!unprivileged_userns_restricted ||
                    ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
                        return 0;

                aad(sa)->info = "User namespace creation restricted";
                /* fall through to below allows complain mode to override */
        } else {
                struct aa_ruleset *rules = list_first_entry(&profile->rules,
                                                            typeof(*rules),
                                                            list);
                aa_state_t state;

                state = RULE_MEDIATES(rules, aad(sa)->class);
                if (!state)
                        /* TODO: add flag to complain about unmediated */
                        return 0;
                perms = *aa_lookup_perms(&rules->policy, state);
        }

        aa_apply_modes_to_perms(profile, &perms);
        return aa_check_perms(profile, &perms, request, sa, audit_ns_cb);
}

Seems to indicate that all unconfined processes that do not have CAP_SYS_ADMIN will be denied the ability to use user namespaces - this feels like a definite regression / policy change within the kernel itself.

Should the kernel instead be built with CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=n? Or is this code not doing what it was intended to do?

** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1990064
Title: unconfined profile denies userns_create for chromium based processes
Status in apparmor package in Ubuntu: New
Status in linux package in Ubuntu: New

Bug description:
For Ubuntu 22.10, since the last kernel update, I can't launch any chromium based browser, due to apparmor denying userns_create

dmesg shows:
apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"

This happens for every process which uses a chromium engine, like google chrome itself or in this case steamwebhelper.

Might be related to this change?:
https://patchwork.kernel.org/project/netdevbpf/patch/20220801180146.1157914-5-f...@cloudflare.com/

not sure if it got merged in this form though..
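A detection sketch for the denial discussed in Bug 1990064, added here and not part of the original messages or of AppArmor: it parses AppArmor audit records, keeps the userns_create denials, and separates those raised against profile="unconfined" (the first branch of the quoted aa_profile_ns_perm) from those decided by a loaded profile's rules. The first record's fields come from the report; the kernel log prefix, the other records and all function names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample. The fields of the first record are the dmesg line from
# the report; the timestamp/audit prefix and the remaining records are invented.
SAMPLE_DMESG = '''\
[ 1001.000001] audit: type=1400 audit(1663000000.101:101): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21323 comm="steamwebhelper" requested="userns_create" denied="userns_create"
[ 1001.000002] audit: type=1400 audit(1663000000.102:102): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21324 comm="steamwebhelper" requested="userns_create" denied="userns_create"
[ 1002.000001] audit: type=1400 audit(1663000001.101:103): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=21400 comm="chrome" requested="userns_create" denied="userns_create"
[ 1003.000001] audit: type=1400 audit(1663000002.101:104): apparmor="DENIED" operation="userns_create" class="namespace" profile="example-profile" pid=21500 comm="example-app" requested="userns_create" denied="userns_create"
[ 1004.000001] audit: type=1400 audit(1663000003.101:105): apparmor="DENIED" operation="open" profile="example-profile" name="/tmp/example" pid=21501 comm="example-app" requested_mask="r" denied_mask="r"
'''

# key="quoted value" or key=bare_value, as in the record shown in the report.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def userns_denials(log_text):
    """Yield parsed records for denied user namespace creation only."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if (rec.get("apparmor") == "DENIED"
                and rec.get("operation") == "userns_create"):
            yield rec


def summarize(log_text):
    """Count denials per command, split by which branch produced them.

    unconfined: no profile is attached, so the denial comes from the
                kernel-wide restriction and affects every such process.
    confined:   a loaded profile mediates namespaces and lacks the rule.
    """
    unconfined = Counter()
    confined = Counter()
    for rec in userns_denials(log_text):
        comm = rec.get("comm", "?")
        if rec.get("profile") == "unconfined":
            unconfined[comm] += 1
        else:
            confined[(rec.get("profile", "?"), comm)] += 1
    return unconfined, confined


if __name__ == "__main__":
    unconfined, confined = summarize(SAMPLE_DMESG)
    for comm, count in unconfined.most_common():
        print(f"unconfined  {comm:16} {count} denial(s)")
    for (profile, comm), count in confined.most_common():
        print(f"{profile}  {comm:16} {count} denial(s)")
```

A growing "unconfined" count across unrelated commands points at the kernel policy change the message describes rather than at any single profile.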
[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release
** Attachment added: "apparmor-3.0.7-to-3.1.1-git-log.log" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log ** Description changed: AppArmor 3.1.1 is the latest upstream version of the apparmor userspace tooling. This includes a large number of bug fixes since the 3.0.7 release which is currently in kinetic, as well as various cleanups and optimisations to the different tools to improve performance and maintainability. The full ChangeLog can be seen at [1]. Upstream does not provide a ChangeLog file, however I have generated one based on the git commit history of apparmor from the 3.0.7 tag to 3.1.1 as: $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git- log.log - This can be seen in the attached file. - + This can be seen in the attached file + https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git- + log.log TESTING This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan[2] for AppArmor and the extensive QA Regression Tests[3] for AppArmor as well. This ensures that the various applications that make heavy use of AppArmor (LXD, docker, lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions have been observed. All tests have passed and demonstrated both apparmor and the various applications that use it to be working as expected. 
BUILD LOGS This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on Launchpad at: https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc DEBDIFF The debdiff can be found in the PPA: https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz INSTALL / UPGRADE LOG The apt upgrade log is attached in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt- upgrade.log [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1 [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1989309 Title: [FFe] apparmor 3.1.1 upstream release Status in apparmor package in Ubuntu: New Bug description: AppArmor 3.1.1 is the latest upstream version of the apparmor userspace tooling. This includes a large number of bug fixes since the 3.0.7 release which is currently in kinetic, as well as various cleanups and optimisations to the different tools to improve performance and maintainability. The full ChangeLog can be seen at [1]. 
Upstream does not provide a ChangeLog file, however I have generated one based on the git commit history of apparmor from the 3.0.7 tag to 3.1.1 as:

$ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git-log.log

This can be seen in the attached file https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log

TESTING

This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan[2] for AppArmor and the extensive QA Regression Tests[3] for AppArmor as well. This ensures that the various applications that make heavy use of AppArmor (LXD, docker, lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions have been observed. All tests have passed and demonstrated both apparmor and the various applications that use it to be working as expected.

BUILD LOGS

This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on Launchpad at: https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc

DEBDIFF

The debdiff can be found in the PPA: https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz

INSTALL / UPGRADE LOG

The apt upgrade log is attached in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log

[1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1
[2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
[3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release
** Description changed: - Placeholder for preparation of AppArmor 3.1.1 for kinetic. + AppArmor 3.1.1 is the latest upstream version of the apparmor userspace + tooling. + + This includes a large number of bug fixes since the 3.0.7 release which + is currently in kinetic, as well as various cleanups and optimisations + to the different tools to improve performance and maintainability. + + The full ChangeLog can be seen at [1] + + + TESTING + + This has been extensively tested by the security team - this includes + following the documented Ubuntu merges test plan[2] for AppArmor and the + extensive QA Regression Tests[3] for AppArmor as well. This ensures that + the various applications that make heavy use of AppArmor (LXD, docker, + lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions + have been observed. All tests have passed and demonstrated both apparmor + and the various applications that use it to be working as expected. + + + BUILD LOGS + + This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on + Launchpad at: + https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc + + + DEBDIFF + + The debdiff can be found in the PPA: + https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz + + + INSTALL / UPGRADE LOG + + The apt upgrade log is attached. + + + [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1 + [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor + [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py ** Attachment added: "apparmor-3.1.1-0ubuntu1-apt-upgrade.log" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt-upgrade.log ** Description changed: AppArmor 3.1.1 is the latest upstream version of the apparmor userspace tooling. 
This includes a large number of bug fixes since the 3.0.7 release which is currently in kinetic, as well as various cleanups and optimisations to the different tools to improve performance and maintainability. The full ChangeLog can be seen at [1] - TESTING This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan[2] for AppArmor and the extensive QA Regression Tests[3] for AppArmor as well. This ensures that - the various applications that make heavy use of AppArmor (LXD, docker, - lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions - have been observed. All tests have passed and demonstrated both apparmor + the various applications that make heavy use of AppArmor (LXD, docker, + lxc, dbus, libvirt, snapd etc) have all been exercised and no regressions + have been observed. All tests have passed and demonstrated both apparmor and the various applications that use it to be working as expected. - BUILD LOGS This is currently uploaded to https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309, build logs can be found on Launchpad at: https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+build/24491969 for amd64 etc - DEBDIFF The debdiff can be found in the PPA: https://launchpad.net/~alexmurray/+archive/ubuntu/lp1989309/+files/apparmor_3.0.7-1ubuntu1_3.1.1-0ubuntu1.diff.gz - INSTALL / UPGRADE LOG - The apt upgrade log is attached. - + The apt upgrade log is attached in + https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617638/+files/apparmor-3.1.1-0ubuntu1-apt- + upgrade.log [1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1 [2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor [3] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py ** Description changed: AppArmor 3.1.1 is the latest upstream version of the apparmor userspace tooling. 
This includes a large number of bug fixes since the 3.0.7 release which is currently in kinetic, as well as various cleanups and optimisations to the different tools to improve performance and maintainability. - The full ChangeLog can be seen at [1] + The full ChangeLog can be seen at [1]. Upstream does not provide a + ChangeLog file, however I have generated one based on the git commit + history of apparmor from the 3.0.7 tag to 3.1.1 as: + + $ git log v3.0.7...v3.1.1 -- > ~/Downloads/apparmor-3.0.7-to-3.1.1-git- + log.log + + This can be seen in the attached file. + TESTING This has been extensively tested by the security team - this includes following the documented Ubuntu merges test plan[2] for AppArmor and the extensive QA Regression Tests[3] for AppArmor as well. This ensures that the various applications that make heavy use of AppArmor (LXD, docker, lxc, dbus, libvirt, snapd etc) have all been exercised and no regr
[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives
Thanks I have updated the status of this CVE in the Ubuntu CVE tracker.

** Changed in: tar (Ubuntu)
   Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/1810241

Title: NULL dereference when decompressing specially crafted archives

Status in tar package in Ubuntu: Fix Released

Bug description:

Hi,

Fuzzing tar with checksums disabled reveals a NULL pointer dereference when parsing certain archives that have malformed extended headers. This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't tested Xenial's version.

A test case with fixed checksums is attached. To avoid breaking anything that looks inside tar archives, I have converted it to text with xxd. To reproduce:

$ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
$ tar Oxf gnutar-crash.tar
tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
tar: Malformed extended header: missing length
Segmentation fault (core dumped)

I have also attached a patch against the latest upstream git and against 1.30 (in Cosmic). This fixes the issue by detecting the null result before it is dereferenced.

Regards,
Daniel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241/+subscriptions
[Touch-packages] [Bug 1992430] Re: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade
*** This bug is a duplicate of bug 1991691 *** https://bugs.launchpad.net/bugs/1991691 ** This bug has been marked a duplicate of bug 1991691 cannot change mount namespace -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1992430 Title: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade Status in apparmor package in Ubuntu: New Bug description: This occurs on Ubuntu ver. 22.10. Here is an example: skype update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.skype /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied + [ -f /home/user/snap/skype/common/.config/skypeforlinux/settings.json ] + export SKYPE_LOGS=/home/user/snap/skype/231/logs + [ ! -d /home/user/snap/skype/231/logs ] + exec /snap/skype/231/usr/share/skypeforlinux/skypeforlinux (skypeforlinux:9439): Gtk-WARNING **: 10:13:12.251: Theme parsing error: gtk.css:3536:25: 'font-feature-settings' is not a valid property name Gtk-Message: 10:13:12.294: Failed to load module "colorreload-gtk-module" Gtk-Message: 10:13:12.295: Failed to load module "window-decorations-gtk-module" [1011/101312.442717:ERROR:scoped_ptrace_attach.cc(27)] ptrace: Permission denied (13) Nyomkövetési/töréspont csapda (core készült) Google translation: Trace/breakpoint trap (core made) Here is an another one: teams update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/share/fonts /usr/share/fonts none bind,ro 0 0): cannot inspect "/var/lib/snapd/hostfs/usr/share/fonts": lstat /var/lib/snapd/hostfs/usr/share/fonts: permission denied update.go:85: cannot change mount namespace according to change mount (/var/lib/snapd/hostfs/usr/local/share/fonts /usr/local/share/fonts none bind,ro 0 0): cannot inspect "/usr/local/share/fonts": lstat 
/usr/local/share/fonts: permission denied update.go:85: cannot change mount namespace according to change mount (/run/user/1000/doc/by-app/snap.teams /run/user/1000/doc none bind,rw,x-snapd.ignore-missing 0 0): cannot inspect "/run/user/1000/doc": lstat /run/user/1000/doc: permission denied Loading of the previous kernel fixes the issue this is why I think it could be kernel-related or something like that. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1992430/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1992580] Re: i915 DG1 fails to load
*** This bug is a duplicate of bug 1991704 *** https://bugs.launchpad.net/bugs/1991704 ** This bug has been marked a duplicate of bug 1991704 Kinetic kernels 5.19.0-18/19-generic won't boot on Intel 11th/12th gen -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu. https://bugs.launchpad.net/bugs/1992580 Title: i915 DG1 fails to load Status in initramfs-tools package in Ubuntu: New Status in linux package in Ubuntu: Confirmed Bug description: On kernel 5.19 in Ubuntu Jammy i915 fails to initialize Intel DG1 GPU --- ProblemType: Bug ApportVersion: 2.23.1-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME DistroRelease: Ubuntu 22.10 InstallationDate: Installed on 2020-12-06 (674 days ago) InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022) Package: linux PackageArchitecture: all ProcVersionSignature: Ubuntu 5.19.0-19.19-generic 5.19.7 Tags: wayland-session kinetic Uname: Linux 5.19.0-19-generic x86_64 UpgradeStatus: Upgraded to kinetic on 2022-09-19 (22 days ago) UserGroups: adm cdrom dip docker libvirt lpadmin lxd plugdev sambashare sudo wireshark _MarkForUpload: True To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1992580/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1992930] Re: chromium won't launch at menu when installed; lubuntu kinetic
This current bug looks like LP: #1991691

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1992930

Title: chromium won't launch at menu when installed; lubuntu kinetic

Status in apparmor package in Ubuntu: New

Bug description:

Lubuntu kinetic live test

`chromium` snap once installed; will not open from menu, but will open if started from terminal.

This may be filed against incorrect package sorry.

Originally reported here - https://discourse.lubuntu.me/t/lubuntu-kinetic-after-5-19-update-chromium-only-start-from-terminal/3685 where it was reported as an issue on the 5.19.0-19-generic kernel update

** to re-create
- boot currently lubuntu kinetic daily
- snap install chromium
- using menu, attempt to run chromium from internet apps

** expected outcome
chromium starts

** actual outcome
menu just closes; no messages.

** further notes
u/FossFreedom (Ubuntu Budgie) reports no issues with Ubuntu Budgie kinetic starting Chromium.
On Lubuntu's discourse; u/neblaz (OP for issue) also reported issues starting Opera; with that package being the snap (loaded from discover) and reported as (using `snap list`) opera 91.0.4516.77202 latest/stable ** in `dmesg` I note the following (this may be unrelated or unhelpful sorry) [ 1510.255228] loop7: detected capacity change from 0 to 293648 [ 1510.739240] audit: type=1400 audit(1665727470.633:54): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.chromium" pid=3359 comm="apparmor_parser" [ 1510.820094] audit: type=1400 audit(1665727470.713:55): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromedriver" pid=3360 comm="apparmor_parser" [ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromium" pid=3361 comm="apparmor_parser" [ 1511.071575] audit: type=1400 audit(1665727470.965:57): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.hook.configure" pid=3362 comm="apparmor_parser" [ 1515.313383] audit: type=1400 audit(1665727475.206:58): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine" pid=3496 comm="apparmor_parser" [ 1515.313401] audit: type=1400 audit(1665727475.206:59): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/snap/snapd/17029/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=3496 comm="apparmor_parser" [ 1516.817149] audit: type=1400 audit(1665727476.710:60): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap-update-ns.chromium" pid=3498 comm="apparmor_parser" [ 1518.067335] audit: type=1400 audit(1665727477.962:61): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromedriver" pid=3499 
comm="apparmor_parser" [ 1518.568962] audit: type=1400 audit(1665727478.462:62): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.hook.configure" pid=3501 comm="apparmor_parser" [ 1519.485025] audit: type=1400 audit(1665727479.378:63): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.chromium.chromium" pid=3500 comm="apparmor_parser" [ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 1520.245256] audit: type=1400 audit(1665727480.142:66): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 1520.246876] audit: type=1400 audit(1665727480.142:67): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/doc/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 1520.246933] audit: type=1400 audit(1665727480.142:68): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 [ 1520.349971] audit: type=1400 audit(1665727480.246:69): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.ch
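Added example (not part of the bug report, and not AppArmor or snapd code): a parser that reduces audit lines like the dmesg excerpt above to a per-profile summary of DENIED events, which makes it easy to see that the denials all come from the `snap-update-ns.chromium` profile. The function names, the `snap.example.app` profile and the fifth sample line are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines 1-4 are copied from the dmesg excerpt quoted above. Line 5 is constructed
# (hypothetical profile snap.example.app) to show a hex-encoded object name.
SAMPLE_DMESG = '''\
[ 1511.014103] audit: type=1400 audit(1665727470.909:56): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap.chromium.chromium" pid=3361 comm="apparmor_parser"
[ 1520.203518] audit: type=1400 audit(1665727480.098:64): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/meta/snap.yaml" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.245234] audit: type=1400 audit(1665727480.142:65): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/usr/local/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1520.246933] audit: type=1400 audit(1665727480.142:68): apparmor="DENIED" operation="getattr" class="file" profile="snap-update-ns.chromium" name="/var/lib/snapd/hostfs/usr/share/fonts/" pid=3518 comm="6" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1600.000000] audit: type=1400 audit(1665727560.000:70): apparmor="DENIED" operation="open" class="file" profile="snap.example.app" name=2F686F6D652F757365722F4D7920446F6373 pid=4000 comm="app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

HEADER_RE = re.compile(r"audit: type=(\d+) audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The kernel audit code logs untrusted strings unquoted and hex-encoded when they
# contain spaces, quotes or non-printable bytes, so a bare value in one of these
# fields is decoded rather than taken literally.
HEX_FIELDS = {"name", "profile", "comm", "info"}


def _decode(key, quoted, bare):
    """Return the field value, undoing hex encoding of untrusted strings."""
    if quoted is not None:
        return quoted
    if key in HEX_FIELDS and len(bare) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", bare):
        return bytes.fromhex(bare).decode("utf-8", errors="replace")
    return bare


def parse_event(line):
    """Parse one dmesg/audit line into a dict, or None if it is not an AppArmor event."""
    header = HEADER_RE.search(line)
    if header is None:
        return None
    event = {
        "type": int(header.group(1)),
        "epoch": float(header.group(2)),
        "serial": int(header.group(3)),
    }
    # Only scan the key=value pairs that follow the audit(...) header.
    for m in FIELD_RE.finditer(line, header.end()):
        event[m.group(1)] = _decode(m.group(1), m.group(2), m.group(3))
    return event if "apparmor" in event else None


def summarise_denials(text):
    """Map (profile, operation) to the sorted, de-duplicated names that were denied."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        event = parse_event(line)
        if event and event.get("apparmor") == "DENIED":
            key = (event.get("profile", "?"), event.get("operation", "?"))
            grouped[key].add(event.get("name", "?"))
    return {key: sorted(names) for key, names in sorted(grouped.items())}


if __name__ == "__main__":
    for (profile, operation), names in summarise_denials(SAMPLE_DMESG).items():
        print(f"{profile} {operation}:")
        for name in names:
            print(f"    {name}")
```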
[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy
These have now been uploaded to -proposed and are sitting in UNAPPROVED:

https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=apparmor
https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=apparmor

** Changed in: apparmor (Ubuntu Focal)
   Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu Jammy)
   Status: Confirmed => In Progress

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title: [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu: Confirmed
Status in apparmor source package in Focal: In Progress
Status in apparmor source package in Jammy: In Progress

Bug description:

[ Impact ]

This is a SRU proposal for apparmor in Focal and Jammy.

For focal, we want to SRU fixes for Bug 1964636 which introduces the capability upstream patches. We are also fixing Bug 1728130 and Bug 1993353 which are introducing full backport of abi from apparmor-3.0 and support for POSIX message queue rules, which are both a request from Honeywell.

Note that specifically for message queue rules, we are overriding the abi behavior. Message queue mediation is not a part of the 2.13 abi we are pinning. Honeywell has a kernel that has message queue mediation, but their policy does not contain an abi specified, so when we pin the abi for a kernel that does not mediate message queue, it will break Honeywell's AppArmor policies. So we are making an exception: when abi is not specified in the policy, and the policy contains mqueue rules, we are enforcing mqueue rules. When the policy does not contain mqueue rules, then they are not being enforced. This is so we do not break Honeywell policies and we also are not breaking policies that were developed when there was no mqueue or abi support.

For jammy, we are SRUing fixes for Bug 1993353 which adds message queue rules support.

[ Test Plan ]

This has been extensively tested by using QA Regression Tests[1] for AppArmor. All tests have passed and demonstrated AppArmor to be working as expected. We are also adding regression tests for message queue rules[2] which guarantees it is working as expected.

[1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

[ Where problems could occur ]

The message queue rules support could cause issues for AppArmor policies that were developed before there was support for mqueues, that's why we are also backporting abi support and pinning the abi on parser.conf on focal. Jammy already has the abi pinned for a kernel that does not have support for mqueue mediation.

[ Other Info ]

The patches for both focal and jammy can be found at: https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions
[Touch-packages] [Bug 1915250] Re: buildd file owner/group for shared libraries
This is currently affecting snapd 2.49+21.04 which is in hirsute-proposed - https://forum.snapcraft.io/t/snapd-from-hirsute-proposed-wont-allow-snaps-to-run/22733/8

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1915250

Title: buildd file owner/group for shared libraries

Status in binutils package in Ubuntu: Confirmed
Status in debhelper package in Ubuntu: Confirmed
Status in fakeroot package in Ubuntu: Confirmed
Status in glibc package in Ubuntu: Confirmed
Status in debhelper package in Debian: Unknown

Bug description:

the current state of -proposed creates deb packages with buildd file owner/group for shared libraries. reported at least for kwayland-integration.

$ dpkg -c kwayland-integration_5.20.90-0ubuntu1_amd64.deb|grep \.so
-rw-r--r-- doko/doko 18984 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kguiaddons/kmodifierkey/kmodifierkey_wayland.so
-rw-r--r-- doko/doko 85392 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kwindowsystem/KF5WindowSystemKWaylandPlugin.so
-rw-r--r-- doko/doko 35536 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/org.kde.kidletime.platforms/KF5IdleTimeKWaylandPlugin.so

- in a release pocket, rebuild binutils from proposed. correctly restores the file ownership
- in a release pocket, update glibc from proposed. then rebuild binutils from proposed. shows the wrong ownership

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1915250/+subscriptions
[Touch-packages] [Bug 1915250] Re: buildd file owner/group for shared libraries
Oh I see - this was for shared libraries but I suspect it is also affecting setuid binaries as well?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1915250
[Touch-packages] [Bug 1915250] Re: buildd file owner/group for shared libraries
$ dpkg -c snapd_2.49+21.04_amd64.deb | grep buildd
-rwxr-xr-x buildd/buildd 30952 2021-02-10 20:17 ./lib/systemd/system-generators/snapd-generator
-rwxr-xr-x buildd/buildd 19558008 2021-02-10 20:17 ./usr/bin/snap
-rwxr-xr-x buildd/buildd 43304 2021-02-10 20:17 ./usr/bin/snapfuse
-rwxr-xr-x buildd/buildd 11012584 2021-02-10 20:17 ./usr/lib/snapd/snap-bootstrap
-rwsr-xr-x buildd/buildd 134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rwxr-xr-x buildd/buildd 35048 2021-02-10 20:17 ./usr/lib/snapd/snap-discard-ns
-rwxr-xr-x buildd/buildd 3086648 2021-02-10 20:17 ./usr/lib/snapd/snap-exec
-rwxr-xr-x buildd/buildd 3352968 2021-02-10 20:17 ./usr/lib/snapd/snap-failure
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdb-shim
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdbserver-shim
-rwxr-xr-x buildd/buildd 7602312 2021-02-10 20:17 ./usr/lib/snapd/snap-preseed
-rwxr-xr-x buildd/buildd 7566920 2021-02-10 20:17 ./usr/lib/snapd/snap-recovery-chooser
-rwxr-xr-x buildd/buildd 8760296 2021-02-10 20:17 ./usr/lib/snapd/snap-repair
-rwxr-xr-x buildd/buildd 2530704 2021-02-10 20:17 ./usr/lib/snapd/snap-seccomp
-rwxr-xr-x buildd/buildd 4535424 2021-02-10 20:17 ./usr/lib/snapd/snap-update-ns
-rwxr-xr-x buildd/buildd 6447800 2021-02-10 20:17 ./usr/lib/snapd/snapctl
-rwxr-xr-x buildd/buildd 23371432 2021-02-10 20:17 ./usr/lib/snapd/snapd
-rwxr-xr-x buildd/buildd 921504 2021-02-10 20:17 ./usr/lib/snapd/system-shutdown
-rwxr-xr-x buildd/buildd 22760 2021-02-10 20:17 ./usr/lib/systemd/system-environment-generators/snapd-env-generator

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to binutils in Ubuntu.
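Added example (not part of the thread, and not dpkg or Launchpad code): a check that a packaging pipeline could run over `dpkg -c` output like the listings above to catch entries not owned by root before upload, ranking setuid/setgid entries highest because their ownership decides which identity they run as. The `Finding` type, the function name and the sample lines marked constructed are assumptions of this example.

```python
import re
from typing import NamedTuple

# Lines 1-3 are copied from the listings quoted in this thread. The remaining
# lines are constructed for the example, including one with collapsed columns.
SAMPLE_LISTING = """\
-rwxr-xr-x buildd/buildd 19558008 2021-02-10 20:17 ./usr/bin/snap
-rwsr-xr-x buildd/buildd 134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rw-r--r-- doko/doko 18984 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kguiaddons/kmodifierkey/kmodifierkey_wayland.so
-rw-r--r-- root/root 1024 2021-02-10 20:17 ./usr/share/doc/example/copyright
-rwxr-sr-x root/mail 14488 2021-02-10 20:17 ./usr/bin/example-setgid
lrwxrwxrwx buildd/buildd 0 2021-02-10 20:17 ./usr/bin/example-link -> snap
-rwxr-xr-x buildd/buildd43304 2021-02-10 20:17 ./usr/bin/example-collapsed
"""

# One tar-style listing line: mode, owner/group, size, date, time, path.
LINE_RE = re.compile(
    r"^(?P<mode>[-dlhbcp][-rwxsStT]{9})\s+"
    r"(?P<owner>[^/\s]+)/(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<path>.+)$"
)


class Finding(NamedTuple):
    path: str
    owner: str
    group: str
    mode: str
    severity: str  # "critical" for setuid/setgid entries, otherwise "warning"


def audit_listing(text, allowed_owners=frozenset({"root"}),
                  allowed_groups=frozenset({"root"})):
    """Return (findings, unparsed_lines) for a `dpkg -c` listing.

    Lines that do not parse are returned rather than dropped, so a listing
    whose columns were mangled cannot make a package look clean.
    """
    findings, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        mode, owner, group = m["mode"], m["owner"], m["group"]
        if owner in allowed_owners and group in allowed_groups:
            continue
        # Symlink entries are printed as "path -> target"; report the link itself.
        path = m["path"].split(" -> ", 1)[0] if mode[0] == "l" else m["path"]
        # mode[3] is the owner-execute slot, mode[6] the group-execute slot;
        # "s" or "S" there means the setuid or setgid bit is set.
        special = mode[3] in "sS" or mode[6] in "sS"
        findings.append(
            Finding(path, owner, group, mode, "critical" if special else "warning")
        )
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = audit_listing(SAMPLE_LISTING)
    for f in found:
        print(f"{f.severity:8} {f.mode} {f.owner}/{f.group} {f.path}")
    for line in skipped:
        print(f"unparsed {line}")
    # A non-empty result should fail the build step that runs this check.
    raise SystemExit(1 if found or skipped else 0)
```

Groups that a package legitimately uses (for example a setgid `mail` helper) are passed in `allowed_groups` so they are not reported.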
[Touch-packages] [Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)
@iLogin - this is likely caused by https://bugs.launchpad.net/ubuntu/+source/fakeroot/+bug/1915250

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915307

Title: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu: Fix Committed

Bug description:

This requires a merge because there are changes in the Ubuntu version not present in the Debian version.

-- Justification of patches removed from debian/patches/series --
* typo-in-classic-insults.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* paths-in-samples.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* Whitelist-DPKG_COLORS-environment-variable.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* CVE-2021-23239.patch
  * This exact patch is NOT present in upstream version 1.9.5p2-2
  * The patch is made to address a vulnerability wherein users were able to gain information about what directories existed that they should not have had access to.
  * Upstream version 1.9.5p2-2 addresses this vulnerability using the function sudo_edit_parent_valid in the file src/sudo_edit.c
  * Since the vulnerability is addressed in upstream version 1.9.5p2-2 it can safely be dropped
* CVE-2021-3156-1.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-2.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-3.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-4.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-5.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* ineffective_no_root_mailer.patch
  * This exact patch is present in upstream version 1.9.5p2-2 under the name fix-no-root-mailer.diff

Changes:
* Merge from Debian unstable.
(LP: #1915307) Remaining changes: - debian/rules: + use dh-autoreconf - debian/rules: stop shipping init scripts, as they are no longer necessary. - debian/rules: + compile with --without-lecture --with-tty-tickets --enable-admin-flag + install man/man8/sudo_root.8 in both flavours + install apport hooks - debian/sudo-ldap.dirs, debian/sudo.dirs: + add usr/share/apport/package-hooks - debian/sudo.pam: + Use pam_env to read /etc/environment and /etc/default/locale environment files. Reading ~/.pam_environment is not permitted due to security reasons. - debian/sudoers: + also grant admin group sudo access + include /snap/bin in the secure_path sudo (1.9.5p2-2) unstable; urgency=medium * patch from upstream repo to fix NO_ROOT_MAILER sudo (1.9.5p2-1) unstable; urgency=high * new upstream version, addresses CVE-2021-3156 sudo (1.9.5p1-1.1) unstable; urgency=high * Non-maintainer upload. * Heap-based buffer overflow (CVE-2021-3156) - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit - Add sudoedit flag checks in plugin that are consistent with front-end - Fix potential buffer overflow when unescaping backslashes in user_args - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL - Don't assume that argv is allocated as a single flat buffer sudo (1.9.5p1-1) unstable; urgency=medium * new upstream version, closes: #980028 sudo (1.9.5-1) unstable; urgency=medium * new upstream version sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER in plugins/sudoers/logging.c, plugins/sudoers/policy.c. - No CVE number sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium * SECURITY UPDATE: dir existence issue via sudoedit race - debian/patches/CVE-2021-23239.patch: fix potential directory existing info leak in sudoedit in src/sudo_edit.c. 
- CVE-2021-23239 * SECURITY UPDATE: heap-based buffer overflow - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to MODE_NONINTERACTIVE for sudoedit in src/parse_args.c. - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in plugin in plugins/sudoers/policy.c. - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow when unescaping backslashes in plugins/sudoers/sudoers.c. - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL in plugins/sudoers/timestamp.c. - debian/patches/CVE-2021-3156-5.patch: don't as
[Touch-packages] [Bug 1915792] Re: sudo is no longer owned by root so it no longer works
*** This bug is a duplicate of bug 1915250 *** https://bugs.launchpad.net/bugs/1915250 ** This bug has been marked a duplicate of bug 1915250 buildd file owner/group for shared libraries -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1915792 Title: sudo is no longer owned by root so it no longer works Status in sudo package in Ubuntu: New Bug description: sudo is no longer owned by root, so it no longer works: $ sudo dmesg sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set $ ls -l `which sudo` -rwsr-xr-x 1 2001 2501 190952 Feb 10 12:42 /usr/bin/sudo ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: sudo 1.9.5p2-2ubuntu1 ProcVersionSignature: Ubuntu 5.10.0-14.15-generic 5.10.11 Uname: Linux 5.10.0-14-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu58 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: Budgie:GNOME Date: Tue Feb 16 09:55:07 2021 InstallationDate: Installed on 2018-07-25 (936 days ago) InstallationMedia: Ubuntu-Budgie 18.04 LTS "Bionic Beaver" - Release amd64 (20180426) RebootRequiredPkgs: gnome-shell zfs-dkms zfs-dkms SourcePackage: sudo UpgradeStatus: Upgraded to hirsute on 2020-10-31 (107 days ago) VisudoCheck: /etc/sudoers: parsed OK /etc/sudoers.d/README: parsed OK /etc/sudoers.d/zfs: parsed OK modified.conffile..etc.sudoers: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers'] modified.conffile..etc.sudoers.d.README: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers.d/README'] To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915792/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1915801] Re: version 1.9.5p2-2ubuntu1 broke system
*** This bug is a duplicate of bug 1915250 ***
    https://bugs.launchpad.net/bugs/1915250

** This bug has been marked a duplicate of bug 1915250
   buildd file owner/group for shared libraries

https://bugs.launchpad.net/bugs/1915801
Title: version 1.9.5p2-2ubuntu1 broke system
Status in sudo package in Ubuntu: New

Bug description:
  just upgraded sudo from 1.9.4p2-2ubuntu3 to 1.9.5p2-2ubuntu1 and sudo does not work any more. here is the result:

  $ sudo ls
  sudo: /usr/bin/sudo must be owned by uid 0 and have the setuid bit set

  Here is a long ls for sudo binary:
  -rwsr-xr-x 1 2001 2501 187K Feb 10 15:12 /usr/bin/sudo

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: sudo 1.9.5p2-2ubuntu1
  ProcVersionSignature: Ubuntu 5.10.0-14.15-generic 5.10.11
  Uname: Linux 5.10.0-14-generic x86_64
  ApportVersion: 2.20.11-0ubuntu58
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Feb 16 13:31:00 2021
  InstallationDate: Installed on 2019-11-01 (472 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  RebootRequiredPkgs: gnome-shell
  SourcePackage: sudo
  UpgradeStatus: No upgrade log present (probably fresh install)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/README: parsed OK
  modified.conffile..etc.sudoers: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers']
  modified.conffile..etc.sudoers.d.README: [inaccessible: [Errno 13] Permission denied: '/etc/sudoers.d/README']
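The ownership problem in the two sudo reports above (a setuid binary shipped as uid 2001, gid 2501 instead of root) can be caught before installation by auditing a package's file listing. This is an added example, not part of the bug reports or of the sudo package; it assumes the tar-style listing printed by `dpkg-deb -c`, and the sample listing is constructed from the `ls -l` line in the report.

```shell
#!/bin/sh
# Added example: flag package entries that are not owned by root.
# Input (stdin): a listing in the format printed by `dpkg-deb -c pkg.deb`:
#   <mode> <user>/<group> <size> <date> <time> <path> [-> <link target>]
# Output: one line per offending entry; exit status 1 if any were found.

audit_listing() {
    awk '
    {
        mode = $1
        split($2, og, "/")               # og[1] = user, og[2] = group

        # Rebuild the path from field 6 onward so names with spaces survive.
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i
        sub(/ -> .*/, "", path)          # drop a symlink target, if any

        # Files in a distribution package are expected to be root-owned.
        if (og[1] == "root" || og[1] == "0") next

        found = 1
        suid = substr(mode, 4, 1)        # owner-execute slot: "s"/"S" means setuid
        if (suid == "s" || suid == "S")
            # A setuid file runs as its owner, so a non-root owner means the
            # program never gains uid 0 (sudo refuses to run in that state).
            printf "CRITICAL setuid %s %s\n", $2, path
        else
            printf "WARN non-root %s %s\n", $2, path
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample: mode, uid/gid and size of sudo are taken from the report;
# the other entries and the dates are made up for the demonstration.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2021-02-10 12:42 ./
drwxr-xr-x root/root         0 2021-02-10 12:42 ./usr/bin/
-rwsr-xr-x 2001/2501    190952 2021-02-10 12:42 ./usr/bin/sudo
lrwxrwxrwx root/root         0 2021-02-10 12:42 ./usr/bin/sudoedit -> sudo
-rwxr-xr-x root/root     50000 2021-02-10 12:42 ./usr/bin/cvtsudoers
-rw-r--r-- 2001/2501      1234 2021-02-10 12:42 ./usr/share/doc/sudo/copyright
EOF
}

# Demonstration run; on a real package use: dpkg-deb -c pkg.deb | audit_listing
sample_listing | audit_listing || echo "non-root-owned entries found"
```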
[Touch-packages] [Bug 1915874] Re: autopkgtest fails in hirsute on armhf with glibc 2.33
I'm in the process of preparing libseccomp 2.5.1 for hirsute so will add this patch for its autopkgtests as part of that. Thanks.

** Changed in: libseccomp (Ubuntu)
     Assignee: (unassigned) => Alex Murray (alexmurray)

https://bugs.launchpad.net/bugs/1915874
Title: autopkgtest fails in hirsute on armhf with glibc 2.33
Status in libseccomp package in Ubuntu: New

Bug description:
  https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-hirsute/hirsute/armhf/libs/libseccomp/20210214_103448_4822f@/log.gz

  ...
  autopkgtest [10:33:19]: test test-filter: [---
  = ./debian/tests/data/all-3.19.filter =
  DEBUG: seccomp_load_filters ./debian/tests/data/all-3.19.filter
  Bad system call (core dumped)
  FAIL: expected to pass
  ...

  The problem seems to be that with the new glibc upstream version the test binaries started using statx which is not listed in the .filter files.
[Touch-packages] [Bug 1915906] Re: Ensure SRP BN_mod_exp follows the constant time path
** Information type changed from Public to Public Security

https://bugs.launchpad.net/bugs/1915906
Title: Ensure SRP BN_mod_exp follows the constant time path
Status in openssl package in Ubuntu: New

Bug description:
  Hello,

  I'd like to point out that there are two fixes missing from the upstream, is there any chance to get them incorporated?

  https://github.com/openssl/openssl/pull/13888
  https://github.com/openssl/openssl/pull/13889

  There was no CVE assigned, it was fixed between 1.1.1i and 1.1.1j.

  Best regards
[Touch-packages] [Bug 1915874] Re: autopkgtest fails in hirsute on armhf with glibc 2.33
** Changed in: libseccomp (Ubuntu)
       Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1915874
Title: autopkgtest fails in hirsute on armhf with glibc 2.33
Status in libseccomp package in Ubuntu: Fix Committed
[Touch-packages] [Bug 1916669] [NEW] autopkgtests flaky for hirsute across various architectures
Public bug reported:

Currently the lxc 1:4.0.4-1:4.0.4-0ubuntu3 and 1:4.0.6-0ubuntu1 autopkgtests for hirsute are quite flaky across most architectures:

amd64 - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/amd64
--- only 3 out of the last 8 runs were successful even after multiple manual retries for the same trigger package.

arm64 - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/arm64
--- only 3 out of the last 10 runs were successful even after multiple manual retries for the same trigger package.

s390x - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/s390x
--- only 1 out of the last 12 runs were successful even after multiple manual retries for the same trigger package.

ppc64el - https://autopkgtest.ubuntu.com/packages/l/lxc/hirsute/ppc64el
--- this seems to be running better more recently but was failing previously for the same trigger packages against the same lxc package

As such I feel it makes sense to mark both of these versions as force-reset-test so that lxc failures do not block other packages migrating.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1916669
Title: autopkgtests flaky for hirsute across various architectures
Status in lxc package in Ubuntu: New
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
As I understand it I don't see there is any issue here with libseccomp in Ubuntu as it currently stands - whilst the aforementioned runc workaround commit description specifies a number of shortcomings with libseccomp and the inability to easily handle and distinguish newly added syscalls between it and glibc etc, until there is some more generic mechanism for either libseccomp policy authors, or libseccomp itself, to easily identify what syscalls are supported by a given system and therefore whether the generated policy is sufficient to enumerate these, there is no obvious "fix" for libseccomp itself.

https://bugs.launchpad.net/bugs/1916485
Title: test -x fails inside shell scripts in containers
Status in glibc package in Ubuntu: Triaged
Status in libseccomp package in Ubuntu: Fix Committed
Status in glibc source package in Hirsute: Triaged
Status in libseccomp source package in Hirsute: Fix Committed

Bug description:
  glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine:

  root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/#

  root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail

  The -f flag works, as does /usr/bin/test:
  # bash -c "test -f /usr/bin/gpg || echo Fail"
  # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
  #

  [Original bug report]
  root@84b750e443f8:/# lsb_release -rd
  Description: Ubuntu Hirsute Hippo (development branch)
  Release: 21.04

  root@84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name   Version          Architecture  Description
  +++-==-===--==
  ii  apt    2.1.20           amd64         commandline package manager
  ii  gnupg  2.2.20-1ubuntu2  all           GNU privacy guard - a free PGP replacement

  Hi,
  for 3 days our CI pipelines to recreate Docker images fail for the Hirsute images. From comparison this seems to be caused by apt 2.1.20. The build fails with:

  0E: gnupg, gnupg2 and unupg1 do not seem to be installed, but one of them is required for this operation

  The simple Dockerfile to reproduce the error - "docker build -t foo ."

  FROM amd64/ubuntu:hirsute
  MAINTAINER Florian Lohoff
  USER root
  RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get -y install curl gnupg apt \
   && curl https://syncthing.net/release-key.txt | apt-key add -

  Breaking it down, this seems to be an issue that there is new functionality in apt/apt-key e.g. security hardening that docker prohibits in its containers. Running this manually works only in an --privileged container.

  So adding keys in unprivileged container or possibly kubernetes will not work anymore.

  Flo
[Touch-packages] [Bug 1891810] Re: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
** Also affects: libseccomp (Ubuntu Hirsute)
   Importance: Undecided
     Assignee: Alex Murray (alexmurray)
       Status: New

** Changed in: libseccomp (Ubuntu Hirsute)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1891810
Title: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
Status in libseccomp package in Ubuntu: Fix Released
Status in libseccomp source package in Xenial: New
Status in libseccomp source package in Bionic: New
Status in libseccomp source package in Focal: New
Status in libseccomp source package in Groovy: New
Status in libseccomp source package in Hirsute: Fix Released

Bug description:
  The version of libseccomp2 in bionic does not know about the openat2 syscall.

  In my particular usecase, I was trying to run podman/buildah in an nspawn container, using fuse-overlayfs. This leads to peculiar failure modes as described in this issue:

  https://github.com/containers/fuse-overlayfs/issues/220

  This could well cause other problems, previously issues like that have affected snapd, etc.

  Backporting the master branch of libseccomp fixed this for me, but for an SRU a cherrypick of https://github.com/seccomp/libseccomp/commit/b3206ad5645dceda89538ea8acc984078ab697ab might be sufficient...

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libseccomp2 2.4.3-1ubuntu3.18.04.3
  ProcVersionSignature: Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44
  Uname: Linux 5.4.0-42-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.16
  Architecture: amd64
  Date: Sun Aug 16 17:35:09 2020
  Dependencies:
   gcc-8-base 8.4.0-1ubuntu1~18.04
   libc6 2.27-3ubuntu1.2
   libgcc1 1:8.4.0-1ubuntu1~18.04
  ProcEnviron:
   TERM=screen.xterm-256color
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: libseccomp
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1917920] Re: magic-proxy broke with iptables 1.8.7-1ubuntu2
I tried to reproduce this in an up-to-date bionic VM as follows:

# inside the bionic VM
sudo snap install lxd
sudo lxd init # accept defaults
sudo lxc launch ubuntu-daily:hirsute hirsute
sudo lxc exec hirsute /bin/bash

# then inside the hirsute container install livecd-rootfs
apt update
apt install livecd-rootfs

# http works as expected with no changes
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working
# works as expected with no iptables rule

# add iptables rule manually
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
  -j REDIRECT --to 8080

# now we expect it to fail as there is no magic-proxy running yet
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed

# start the magic-proxy manually
/usr/share/livecd-rootfs/magic-proxy \
  --address="127.0.0.1" \
  --port=8080 \
  --run-as=daemon \
  --cutoff-time=0 \
  --log-file=livecd.magic-proxy.log \
  --pid-file=magic-proxy.pid \
  --background \
  --setsid

# wget works as expected via the proxy
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working

# kill the proxy
killall magic-proxy

# fails again
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Failed

# remove iptables rule
iptables -t nat -D OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon \
  -j REDIRECT --to 8080

# works as normal
wget -q www.google.com -O/dev/null && echo Working || echo Failed
Working

https://bugs.launchpad.net/bugs/1917920
Title: magic-proxy broke with iptables 1.8.7-1ubuntu2
Status in Launchpad itself: New
Status in iptables package in Ubuntu: New
Status in livecd-rootfs package in Ubuntu: New
Status in lxd package in Ubuntu: New

Bug description:
  when iptables got upgraded from 1.8.5-3ubuntu4 to 1.8.7-1ubuntu2 magic proxy stopped working in livecd-rootfs.

  It does very simple thing:

  iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  inside hirsute lxd container, with quite high privileges, in a bionic VM, running 4.15 kernel.

  With 1.8.5 above worked fine, with 1.8.7 somehow there was no outbound connectivity the very first http networking command after the above call would just hang indefinitely.

  However, if one does this instead:

  iptables -vv -t nat -S
  iptables-legacy -vv -t nat -S
  iptables -vv -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner daemon -j REDIRECT --to 8080

  somehow magically everything starts to work fine. weird.
[Touch-packages] [Bug 1917920] Re: magic-proxy broke with iptables 1.8.7-1ubuntu2
Good point re google.com - I just repeated the above test but replacing www.google.com with http://neverssl.com and verified it worked as expected so it doesn't look like http->https redirect affected the results.

Hmmm perhaps there is something else at play compared to when testing locally vs on launchpad - with your original test-case, does using `iptables -L -t nat` behave any differently than `iptables -S -t nat` in terms of working around this? Perhaps there is something in the existing iptables setup on launchpad that is not present in our local testing which may be needed to reproduce this?

https://bugs.launchpad.net/bugs/1917920
Title: magic-proxy broke with iptables 1.8.7-1ubuntu2
Status in Launchpad itself: New
Status in iptables package in Ubuntu: New
Status in livecd-rootfs package in Ubuntu: New
Status in lxd package in Ubuntu: New
[Touch-packages] [Bug 1919078] Re: Ubuntu SSO login - not working (Throws "Error connecting to server"
** Package changed: ubuntu => gnome-online-accounts (Ubuntu)

https://bugs.launchpad.net/bugs/1919078
Title: Ubuntu SSO login - not working (Throws "Error connecting to server"
Status in gnome-online-accounts package in Ubuntu: New

Bug description:
  Hi,

  I'm looking for possible ways to add an Ubuntu SSO account with my Ubuntu system for the past few weeks. But I'm getting the error as "Error connecting to Ubuntu SSO server. Something went wrong. Please try again later". I tried to login via the web, it works fine. I'm on the latest build.

  Check my system version at https://ibb.co/7bc1JgP
  Screenshot (of error): https://ibb.co/v1JvKZ6

  Kindly help me with this error.
[Touch-packages] [Bug 1891810] Re: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
Updating libseccomp to 2.5.1 breaks the systemd unit tests on ppc64el since the behaviour around filtering of the multiplexed socket() system call changes - as such a fix for systemd in https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696 is also required.

https://bugs.launchpad.net/bugs/1891810
Title: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
Status in libseccomp package in Ubuntu: Fix Released
Status in libseccomp source package in Xenial: New
Status in libseccomp source package in Bionic: New
Status in libseccomp source package in Focal: New
Status in libseccomp source package in Groovy: New
Status in libseccomp source package in Hirsute: Fix Released
[Touch-packages] [Bug 1916485] Re: test -x fails inside shell scripts in containers
@oded-geek - yes, the libseccomp SRU to backport 2.5.1 to these releases is being handled in https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810

https://bugs.launchpad.net/bugs/1916485
Title: test -x fails inside shell scripts in containers
Status in docker.io package in Ubuntu: New
Status in glibc package in Ubuntu: Opinion
Status in libseccomp package in Ubuntu: Fix Committed
Status in runc package in Ubuntu: New
Status in systemd package in Ubuntu: Fix Released
Status in docker.io source package in Xenial: New
Status in glibc source package in Xenial: Invalid
Status in libseccomp source package in Xenial: New
Status in runc source package in Xenial: New
Status in systemd source package in Xenial: New
Status in docker.io source package in Bionic: New
Status in glibc source package in Bionic: Invalid
Status in libseccomp source package in Bionic: New
Status in runc source package in Bionic: New
Status in systemd source package in Bionic: New
Status in docker.io source package in Focal: New
Status in glibc source package in Focal: Invalid
Status in libseccomp source package in Focal: New
Status in runc source package in Focal: New
Status in systemd source package in Focal: New
Status in docker.io source package in Groovy: New
Status in glibc source package in Groovy: Invalid
Status in libseccomp source package in Groovy: New
Status in runc source package in Groovy: New
Status in systemd source package in Groovy: Fix Released
Status in docker.io source package in Hirsute: New
Status in glibc source package in Hirsute: Opinion
Status in libseccomp source package in Hirsute: Fix Committed
Status in runc source package in Hirsute: New
Status in systemd source package in Hirsute: Fix Released

Bug description:
  (SRU template for systemd)

  [impact]
  bash (and some other shells) builtin test command -x operation fails

  [test case]
  on any affected host system, start nspawn container, e.g.:

  $ sudo apt install systemd-container
  $ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
  $ mkdir h
  $ cd h
  $ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
  $ sudo systemd-nspawn

  Then from a bash shell, verify if test -x works:

  root@h:~# ls -l /usr/bin/gpg
  -rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
  root@h:~# test -x /usr/bin/gpg || echo "fail"
  fail

  [regression potential]
  any regression would likely occur during a syscall, most likely faccessat2(), or during other syscalls.

  [scope]
  this is needed for b/f

  this is fixed upstream by commit bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so this is fixed in h

  this was pulled into Debian at version 246.2 in commit e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g

  in x, the entire systemd seccomp code is completely different and the patch doesn't apply, nor does it appear to be needed, as the problem doesn't reproduce in a h container under x.

  [other info]
  this needs fixing in libseccomp as well

  [original description]
  glibc regression causes test -x to fail inside scripts inside docker/podman, dash and bash are broken, mksh and zsh are fine:

  root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
  root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
  Fail
  root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
  root@0df2ce5d7a46:/#

  root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# mksh -c "[ -x /usr/bin/gpg ] || echo Fail"
  root@0df2ce5d7a46:/# dash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail
  root@0df2ce5d7a46:/# bash -c "[ -x /usr/bin/gpg ] || echo Fail"
  Fail

  The -f flag works, as does /usr/bin/test:
  # bash -c "test -f /usr/bin/gpg || echo Fail"
  # bash -c "/usr/bin/test -x /usr/bin/gpg || echo Fail"
  #

  [Original bug report]
  root@84b750e443f8:/# lsb_release -rd
  Description: Ubuntu Hirsute Hippo (development branch)
  Release: 21.04

  root@84b750e443f8:/# dpkg -l gnupg apt
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name   Version          Architecture  Description
  +++-==-===--==
  ii  apt    2.1.20           amd64         commandline package manager
  ii  gnupg  2.2.20-1ubuntu2  all           GNU privacy guard - a free PGP replacement

  Hi,
  for 3 days our CI pipelines to recreate Docker images fail for the Hirsute ima
[Touch-packages] [Bug 1891810] Re: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
** Patch added: "libseccomp_2.5.1-1ubuntu1~18.04.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5476577/+files/libseccomp_2.5.1-1ubuntu1~18.04.1.debdiff

https://bugs.launchpad.net/bugs/1891810
Title: Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
Status in libseccomp package in Ubuntu: Fix Released
Status in libseccomp source package in Xenial: New
Status in libseccomp source package in Bionic: New
Status in libseccomp source package in Focal: New
Status in libseccomp source package in Groovy: New
Status in libseccomp source package in Hirsute: Fix Released

Bug description:
  [Impact]
  The version of libseccomp2 in X/B/F/G does not know about the openat2 syscall. As such applications that use libseccomp cannot specify a system-call filter against this system-call and so it cannot be mediated.

  [Test Plan]
  This can be tested by simply running scmp_sys_resolver from the seccomp binary package and specifying this system-call:

  Existing behaviour:
  $ scmp_sys_resolver openat2
  -1

  Expected behaviour:
  $ scmp_sys_resolver openat2
  437

  (Note this value will be different on other architectures)

  [Where problems could occur]
  In version 2.5.1 of libseccomp which adds this new system-call, changes were also made in the way the socket system-call is handled by libseccomp on PPC platforms - this resulted in a change in the expected behaviour and so this has already been noticed and a fix is required for the systemd unit tests as a result https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

  There was also a similar change for s390x but so far no regressions have been observed as a result as systemd already expected that behaviour from libseccomp, it was only PPC that was missing.

  In the event that a regression is observed however, we can easily either patch the affected package to cope with the new behaviour of this updated libseccomp since in each case the change in behaviour only affects a few system calls on particular architectures, or we can revert this update.

  [Other Info]
  * As usual thorough testing of this update has been performed both manually via the QA Regression Testing scripts, and via the autopkgtest infrastructure against packages in the Ubuntu Security Proposed PPA https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ with results seen https://people.canonical.com/~platform/security-britney/current/

  I have attached debdiffs of the prepared updates which are also sitting in the Ubuntu Security Proposed PPA.