[Touch-packages] [Bug 1367609] [NEW] AppArmor: Prevents connection to system dbus (disconnected path)
Public bug reported:

AppArmor seems to prevent cupsd from connecting to the system dbus:

Sep 10 09:06:00 callisto kernel: audit: type=1400 audit(1410332760.203:112): apparmor=DENIED operation=connect info=Failed name lookup - disconnected path error=-13 profile=/usr/sbin/cupsd name=run/dbus/system_bus_socket pid=3608 comm=cupsd requested_mask=rw denied_mask=rw fsuid=0 ouid=0
Sep 10 09:06:31 callisto cupsd[3608]: process 3608: arguments to dbus_connection_unref() were incorrect, assertion connection != NULL failed in file ../../dbus/dbus-connection.c line 2794.
Sep 10 09:06:31 callisto cupsd[3608]: This is normally a bug in some application using the D-Bus library.

I got these errors since upgrading to utopic (Aug 22). Might be worth noting that I'm using systemd as init.

Adding flags=(attach_disconnected) to the /usr/sbin/cupsd profile seems to fix this problem.

** Affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: apparmor

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1367609

Title:
  AppArmor: Prevents connection to system dbus (disconnected path)

Status in “cups” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1367609/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1370228] [NEW] init script returns 0 even after parsing failure
Public bug reported:

The apparmor init script (and likely the upstart job, but haven't checked) returns exit code 0 even when a profile can't be loaded.

In /lib/apparmor/functions foreach_configured_profile first loads profiles from /etc/apparmor.d and then from /var/lib/apparmor/profiles. Parsing errors in the first dir are ignored.

The attached patch returns the first non-zero return code or zero if there are no errors.

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Patch added: apparmor_init_exit_code.diff
   https://bugs.launchpad.net/bugs/1370228/+attachment/4205841/+files/apparmor_init_exit_code.diff

https://bugs.launchpad.net/bugs/1370228

Status in “apparmor” package in Ubuntu:
  New
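The exit-status pattern this report describes, as an added shell example that is not the code from /lib/apparmor/functions or the attached patch: `fake_parser`, `load_dir`, `load_all_lossy` and `load_all_first_error` are hypothetical names, and the profile files are constructed samples. A loader whose status reflects only the last directory reports success while a profile from the first directory was never loaded.

```shell
#!/bin/sh
# Added illustration; all function names are hypothetical and the "profiles"
# are constructed sample files, not real AppArmor policy.

# Stand-in for the profile parser: fails on a file containing the
# constructed marker SYNTAX-ERROR, succeeds otherwise.
fake_parser() {
    if grep -q 'SYNTAX-ERROR' "$1"; then
        return 1
    fi
    return 0
}

# Load every file in one directory; return 1 if any file failed to parse.
load_dir() {
    dir_rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        fake_parser "$f" || dir_rc=1
    done
    return "$dir_rc"
}

# Flawed pattern: a function's status is that of its last command, so a
# failure in the first directory is overwritten by the second directory.
load_all_lossy() {
    load_dir "$1"
    load_dir "$2"
}

# Pattern described in the report: remember the first non-zero status,
# keep loading the remaining directories, return 0 only if all loaded.
load_all_first_error() {
    rc=0
    for d in "$@"; do
        step=0
        load_dir "$d" || step=$?
        if [ "$rc" -eq 0 ] && [ "$step" -ne 0 ]; then
            rc=$step
        fi
    done
    return "$rc"
}

# Constructed sample trees: one broken profile, in the first directory only.
demo_setup() {
    DEMO_ROOT=$(mktemp -d)
    mkdir -p "$DEMO_ROOT/etc" "$DEMO_ROOT/var"
    printf 'profile a { }\n' > "$DEMO_ROOT/etc/good"
    printf 'profile b { SYNTAX-ERROR\n' > "$DEMO_ROOT/etc/broken"
    printf 'profile c { }\n' > "$DEMO_ROOT/var/good"
}

demo() {
    demo_setup
    if load_all_lossy "$DEMO_ROOT/etc" "$DEMO_ROOT/var"; then lossy=0; else lossy=$?; fi
    if load_all_first_error "$DEMO_ROOT/etc" "$DEMO_ROOT/var"; then fixed=0; else fixed=$?; fi
    rm -rf "$DEMO_ROOT"
    echo "lossy=$lossy first_error=$fixed"
}
demo
```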
[Touch-packages] [Bug 1370228] Re: init script returns 0 even after parsing failure
Tested with apparmor 2.8.96~2652-0ubuntu4.

https://bugs.launchpad.net/bugs/1370228

Status in “apparmor” package in Ubuntu:
  New
[Touch-packages] [Bug 1373085] Re: Parser error when using regex profile names in IPC rules
Tested with apparmor 2.8.96~2652-0ubuntu5.

https://bugs.launchpad.net/bugs/1373085

Status in “apparmor” package in Ubuntu:
  New

Bug description:
  I tried to add this rule to the firefox profile:

  unix (send, receive) type=stream peer=(label=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}//plugincontainer),

  apparmor_parser fails with:
  syntax error, unexpected TOK_CONDID, expecting TOK_EQUALS or TOK_IN

  When I add quotes around the label the parser fails with:
  Found unexpected character: ''

  I found this minimal test case:
  unix peer=(label=\{,\}),
  and
  unix peer=(label=\{,\}),
[Touch-packages] [Bug 1373085] [NEW] Parser error when using regex profile names in IPC rules
Public bug reported:

I tried to add this rule to the firefox profile:

unix (send, receive) type=stream peer=(label=/usr/lib/firefox/firefox\{,\*\[^s\]\[^h\]\}//plugincontainer),

apparmor_parser fails with:
syntax error, unexpected TOK_CONDID, expecting TOK_EQUALS or TOK_IN

When I add quotes around the label the parser fails with:
Found unexpected character: ''

I found this minimal test case:
unix peer=(label=\{,\}),
and
unix peer=(label=\{,\}),

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1373085

Status in “apparmor” package in Ubuntu:
  New
[Touch-packages] [Bug 1374583] Re: Sync libjpeg-turbo 1:1.3.1-3 (main) from Debian unstable (main)
Unsubscribing ubuntu-sponsors as there's nothing to do at the moment.

> I think now that debian has switched to libjpeg-turbo too there is no reason anymore for an ubuntu delta.

You can't say that without actually checking the delta.

https://bugs.launchpad.net/bugs/1374583

Status in “libjpeg-turbo” package in Ubuntu:
  New

Bug description:
  Please sync libjpeg-turbo 1:1.3.1-3 (main) from Debian unstable (main)

  I think now that debian has switched to libjpeg-turbo too there is no reason anymore for an ubuntu delta. However I think the sync should be done when V will open for development.

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: information disclosure via uninitialized memory in the get_sos function (LP: #1252912)
      - debian/patches/CVE-2013-6629.patch: check for duplications in jdmarker.c.
      - CVE-2013-6629
    * SECURITY UPDATE: information disclosure via uninitialized memory in the get_dht function (LP: #1252912)
      - debian/patches/CVE-2013-6630.patch: properly clear out memory in jdmarker.c.
      - CVE-2013-6630
    * SECURITY UPDATE: information disclosure via uninitialized memory in the get_sos function (LP: #1252912)
      - debian/patches/CVE-2013-6629.patch: check for duplications in jdmarker.c.
      - CVE-2013-6629
    * SECURITY UPDATE: information disclosure via uninitialized memory in the get_dht function (LP: #1252912)
      - debian/patches/CVE-2013-6630.patch: properly clear out memory in jdmarker.c.
      - CVE-2013-6630
    * New upstream release.
      - drop debian/patches/branch-updates.diff
      - refresh tjunittest.patch (now renamed to install-tjunittest.patch)
    * Update debian/control:
      - add myself to Uploaders.
    * Update debian/copyright:
      - add RSA Data Security copyright (md5).
    * Update debian/libturbojpeg.install:
      - install libturbojpeg.so.0* (needed by tjunittest and tjbench).
    * New upstream release.
      - drop debian/patches/branch-updates.diff
      - refresh tjunittest.patch (now renamed to install-tjunittest.patch)
    * Update debian/control:
      - add myself to Uploaders.
    * Update debian/copyright:
      - add RSA Data Security copyright (md5).
    * Update debian/libturbojpeg.install:
      - install libturbojpeg.so.0* (needed by tjunittest and tjbench).
    * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
    * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.
    * libjpeg-turbo-test: Depend on libjpegturbo. LP: #1053273.

    [ Tom Gall ]
    * Update to stable 1.2.1. LP: #1012861.
    * Addresses CVE-2012-2806. LP: #1025537. A Heap-based buffer overflow was found in the way libjpeg-turbo decompressed certain corrupt JPEG images in which the component count was erroneously set to a large value. An attacker could create a specially-crafted JPEG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
    * Cosmetic fixes to argument lists
    * Added flags to the TurboJPEG API that allow the caller to force the use of either the fast or the accurate DCT/IDCT algorithms in the underlying codec.
    * More recent versions of autoconf add -traditional-cpp to the CPP flags, which causes jsimdcfg.inc.h to not preprocess correctly unless we expand all of the instances of the #definev macro.
    * Fixed regression caused by a bug in the 32-bit strict memory access code in jdmrgss2.asm (contributed by Chromium to stop valgrind from whining whenever the output buffer size was not evenly divisible by 16 bytes.) On Linux/x86, this regression generated incorrect pixels on the right-hand side of images whose rows were not 16-byte aligned, whenever fancy upsampling was used. This patch also enables the strict memory access code on all platforms, not just Linux (it does no harm on other platforms) and removes a couple of pcmpeqb instructions that were rendered unnecessary by r835.
    * Accelerated 4:2:2 upsampling routine for ARM (improves performance ~20-30% when decompressing 4:2:2 JPEGs using fancy upsampling)
    * Eliminate the use of the MASKMOVDQU instruction, to speed up decompression performance by 10x on AMD Bobcat embedded processors (and ~5% on AMD desktop processors.)
    * add tjbench to libjpeg-turbo-test packages
    * Guard against num_components being a ridiculous value due to a corrupt header
    * Preserve all 128 bits of xmm6 and xmm7

    [ Matthias
[Touch-packages] [Bug 1376611] [NEW] AppArmor: cupsd not allowed to send signals to third_party
Public bug reported:

The cups 1.7.5-3 AppArmor profile has this rule which seems to be ineffective:

signal (receive, send) peer=third_party,

I get this denial log entry when (re)installing cups:

audit: type=1400 audit(1412239287.417:110): apparmor=DENIED operation=signal profile=/usr/sbin/cupsd pid=28964 comm=cupsd requested_mask=send denied_mask=send signal=term peer=/usr/sbin/cupsd//third_party

Changing it to the absolute profile name seems to work:

signal (receive, send) peer=/usr/sbin/cupsd//third_party,

I guess apparmor_parser can't distinguish between a profile named third_party and a subprofile named third_party.

** Affects: cups (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: apparmor

** Tags added: apparmor

https://bugs.launchpad.net/bugs/1376611

Status in “cups” package in Ubuntu:
  New
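A triage helper for the two kinds of denial quoted in the cupsd reports on this page (the disconnected-path connect denial and the signal denial naming a child profile), as an added example that is not part of either report. `field` and `classify` are hypothetical names; the first two sample lines are copied from the reports, the last two are constructed and use the quoted key="value" form the kernel normally logs.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# Print the value of key $2 from audit line $1, optional quotes removed.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Classify one audit line; prints "<class> <profile> <object>".
#   disconnected-path: object is the name the lookup failed on (note that
#                      it has no leading slash); review the profile flags
#   signal-peer:       object is the peer label the kernel reported, which
#                      is what the profile's signal rule has to match
classify() {
    line=$1
    case $line in
        *apparmor=DENIED*|*'apparmor="DENIED"'*) ;;
        *) echo "ignore - -"; return 0 ;;
    esac
    profile=$(field "$line" profile)
    case $line in
        *'disconnected path'*)
            echo "disconnected-path $profile $(field "$line" name)" ;;
        *operation=signal*|*'operation="signal"'*)
            echo "signal-peer $profile $(field "$line" peer)" ;;
        *)
            echo "other-denial $profile -" ;;
    esac
}

# Lines as they appear in the reports above.
DENIAL_DBUS='Sep 10 09:06:00 callisto kernel: audit: type=1400 audit(1410332760.203:112): apparmor=DENIED operation=connect info=Failed name lookup - disconnected path error=-13 profile=/usr/sbin/cupsd name=run/dbus/system_bus_socket pid=3608 comm=cupsd requested_mask=rw denied_mask=rw fsuid=0 ouid=0'
DENIAL_SIGNAL='audit: type=1400 audit(1412239287.417:110): apparmor=DENIED operation=signal profile=/usr/sbin/cupsd pid=28964 comm=cupsd requested_mask=send denied_mask=send signal=term peer=/usr/sbin/cupsd//third_party'
# Constructed lines (not from the reports).
CONSTRUCTED_QUOTED='audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="signal" profile="/usr/bin/example" pid=1 comm="example" requested_mask="send" denied_mask="send" signal=term peer="/usr/bin/example//child"'
CONSTRUCTED_STATUS='audit: type=1400 audit(0.0:2): apparmor="STATUS" operation="profile_load" name="/usr/bin/example" pid=2 comm="apparmor_parser"'

for l in "$DENIAL_DBUS" "$DENIAL_SIGNAL" "$CONSTRUCTED_QUOTED" "$CONSTRUCTED_STATUS"; do
    classify "$l"
done
```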
[Touch-packages] [Bug 1359671] Re: New upstream version 3.13.90
This pygobject update causes virt-manager to crash on startup, see bug #1359815

https://bugs.launchpad.net/bugs/1359671

Status in “pygobject” package in Ubuntu:
  Fix Released

Bug description:
  We currently ship an early development release of pygobject in utopic (3.13.3). GNOME 3.13.90 was released, so we should update pygobject.

  I'm filing this with block-proposed, so that we can stage and test everything in -proposed and then release after TRAINCON-0 has been lifted.
[Touch-packages] [Bug 1386257] Re: intel-microcode should be installed by default, when the CPU is GenuineIntel
I have strongly mixed feelings about installing intel-microcode by default. Of course it's good to have the latest microcode bugfixes. What worries me is that Intel provides no release notes at all. They didn't even put up a warning for the update that disables the TSX instruction. Removing an instruction while processes are already running is of course highly problematic, see bug #1370352.

https://bugs.launchpad.net/bugs/1386257

Status in intel:
  New
Status in ubuntu-drivers-common package in Ubuntu:
  In Progress
Status in ubuntu-meta package in Ubuntu:
  In Progress

Bug description:
  intel-microcode should be installed by default on the bare-metal systems which are running on GenuineIntel CPUs, by the installers.

  Similarly other microcode packages for other CPUs brands should be considered for inclusion (e.g. amd64-microcode).

  I hope that ubuntu-drivers-common can gain ability to detect cpu series and/or vendors, packages that provide microcodes similarly declare support for cpu series and/or vendors, the microcode packages are shipped on the CDs in the pool directory, and installed on to the target machines as part of the installation.

  This should help with rapid correction of bugs and behaviour of the CPUs in the field.
[Touch-packages] [Bug 1404475] Re: Multi-Arch support
Please consider sponsoring the attached changes:

  * Mark libopus0, libopus-dev and libopus-dbg as Multi-Arch: same. (LP: #1404475)
  * Update the symbols file.

** Patch added: opus_1.1-0ubuntu2.debdiff
   https://bugs.launchpad.net/ubuntu/+source/opus/+bug/1404475/+attachment/4291589/+files/opus_1.1-0ubuntu2.debdiff

https://bugs.launchpad.net/bugs/1404475

Status in opus package in Ubuntu:
  New

Bug description:
  libopus0 package lacks multi-arch support as for ubuntu 14.10

  Running 'sudo apt-get install libopus0 libopus0:i386' fails because of this

  And there is not signs of Multi-Arch: same when running 'apt-cache show libopus0' also
[Touch-packages] [Bug 1404475] Re: Multi-Arch support
** Changed in: opus (Ubuntu)
   Status: New => Triaged

https://bugs.launchpad.net/bugs/1404475

Status in opus package in Ubuntu:
  Triaged
[Touch-packages] [Bug 1779721] Re: systemd-networkd does not configure DHCPv4
This is not really a bug in systemd-networkd. It just adheres more strictly to the standard. In this case the DHCP server doesn't send the Option 51 "IP Address Lease Time" in the DHCPOFFER. RFC2131 declares this a MUST (see Table 3: Fields and options used by DHCP servers).

I encountered a similar problem where a DHCP server doesn't send the "Server identifier" option.

https://bugs.launchpad.net/bugs/1779721

Status in netplan.io package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  I have an up-to-date Ubuntu 18.04 (bionic) server installation (with systemd 237-3ubuntu10) which has following netplan configuration:

  ```
  root@ubuntu:~# cat /etc/netplan/01-netcfg.yaml
  # This file describes the network interfaces available on your system
  # For more information, see netplan(5).
  network:
    version: 2
    renderer: networkd
    ethernets:
      all:
        match: {}
        dhcp4: yes
  root@ubuntu:~# cat /run/systemd/network/10-netplan-all.network
  [Match]

  [Network]
  DHCP=ipv4

  [DHCP]
  UseMTU=true
  RouteMetric=100
  ```

  Despite having DHCPv4 configured, no IPv4 address is configured on the ethernet device:

  ```
  root@ubuntu:~# ip a show ens6
  2: ens6: mtu 64000 qdisc fq_codel state UP group default qlen 1000
      link/ether 02:01:71:8f:cc:72 brd ff:ff:ff:ff:ff:ff
      inet6 fe80::1:71ff:fe8f:cc72/64 scope link
         valid_lft forever preferred_lft forever
  ```

  The kernel dmesg has no related messages and the journal log also looks normal:

  ```
  root@ubuntu:~# journalctl -u systemd-networkd
  Jul 02 16:36:51 ubuntu systemd[1]: Starting Network Service...
  Jul 02 16:36:51 ubuntu systemd-networkd[1790]: ens6: Gained IPv6LL
  Jul 02 16:36:51 ubuntu systemd-networkd[1790]: Enumeration completed
  Jul 02 16:36:51 ubuntu systemd[1]: Started Network Service.
  Jul 02 16:36:51 ubuntu systemd-networkd[1790]: lo: Link is not managed by us
  Jul 02 16:36:51 ubuntu systemd-networkd[1790]: lo: Configured
  ```

  Calling dhclient sets up the device correctly:

  ```
  root@ubuntu:~# dhclient ens6
  root@ubuntu:~# cat /var/lib/dhcp/dhclient.leases
  lease {
    interface "ens6";
    fixed-address 87.106.172.36;
    option subnet-mask 255.255.255.255;
    option dhcp-lease-time 600;
    option routers 87.106.172.1;
    option dhcp-message-type 5;
    option domain-name-servers 46.16.74.70,46.16.72.37;
    option dhcp-server-identifier 87.106.172.1;
    option interface-mtu 64000;
    option host-name "ubuntu-18_04-fkb-2018-07-02";
    renew 1 2018/07/02 16:46:51;
    rebind 1 2018/07/02 16:51:31;
    expire 1 2018/07/02 16:52:46;
  }
  root@ubuntu:~# ip a show ens6
  2: ens6: mtu 64000 qdisc fq_codel state UP group default qlen 1000
      link/ether 02:01:71:8f:cc:72 brd ff:ff:ff:ff:ff:ff
      inet 87.106.172.36/32 brd 87.106.172.36 scope global ens6
         valid_lft forever preferred_lft forever
      inet6 fe80::1:71ff:fe8f:cc72/64 scope link
         valid_lft forever preferred_lft forever
  ```