[Bug 1802533] Re: [MIR] pipewire
This second review will only document the areas where some difference was found from the first review. I reviewed pipewire 0.3.15-1 as checked into hirsute. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

- Build-Depends: debhelper-compat (= 13), libasound2-dev, libbluetooth-dev, libdbus-1-dev, libglib2.0-dev (>= 2.32.0), libgstreamer-plugins-base1.0-dev, libgstreamer1.0-dev, libjack-jackd2-dev (>= 1.9.10), libpulse-dev (>= 11.1), libsbc-dev, libsdl2-dev, libsndfile1-dev (>= 1.0.20), libsystemd-dev, libudev-dev, libv4l-dev, meson (>= 0.50.0), pkg-config (>= 0.22), systemd, xmltoman, doxygen, graphviz

- pre/post inst/rm scripts: dh_installsystemduser automatically adds postinst scripts to enable the pipewire.service and pipewire.socket units. dh_installsystemduser automatically adds a postrm that removes or purges the pipewire.socket and pipewire.service.

- udev rules: 90-pipewire-alsa.rules

- autopkgtests: 3 bash scripts to test interaction with gnome, gstreamer and libpipewire. There are also tests integrated into the source code. They are run during the build cycle. There are also examples and tests packaged in the pipewire.test pkg.

- Build logs: Built successfully. However, because the code contains unusual characters in comments, there were many "bogus" warnings during the build. i.e.,

    /** \class pw_filter
     *
     * \brief PipeWire filter object class
     *
     * The filter object provides a convenient way to implement
     * processing filters.
     *
     * See also \ref page_filters and \ref page_core_api
     */

- LINTIAN ran successfully with some errors and warnings:

    E: pipewire changes: bad-distribution-in-changes-file unstable
    E: pipewire-audio-client-libraries: custom-library-search-path usr/lib/x86_64-linux-gnu/pipewire-0.3/pulse/libpulse-mainloop-glib.so.0.315.0 /usr/${LIB}/pipewire-0.3/pulse
    E: pipewire-audio-client-libraries: custom-library-search-path usr/lib/x86_64-linux-gnu/pipewire-0.3/pulse/libpulse-simple.so.0.315.0 /usr/${LIB}/pipewire-0.3/pulse
    E: pipewire-audio-client-libraries: library-not-linked-against-libc usr/lib/x86_64-linux-gnu/pipewire-0.3/jack/libjacknet.so.0.315.0
    E: pipewire-audio-client-libraries: library-not-linked-against-libc usr/lib/x86_64-linux-gnu/pipewire-0.3/jack/libjackserver.so.0.315.0
    W: pipewire-bin: no-manual-page usr/bin/pipewire-media-session
    W: pipewire-bin: no-manual-page usr/bin/pw-reserve
    W: pipewire-bin: no-manual-page usr/bin/spa-acp-tool
    W: pipewire-bin: no-manual-page usr/bin/spa-inspect
    W: pipewire-bin: no-manual-page usr/bin/spa-monitor
    W: pipewire-bin: no-manual-page usr/bin/spa-resample
    N: 7 tags overridden (7 errors)

- spawns a daemon, code looks ok.

- Memory management: Quite a bit of malloc|calloc|realloc used without checking the return value before use. Especially in spa/plugins.

- A lot of environment variables. Looking at a random sampling, code-wise it looks ok, but use of them in some places may be questionable. i.e.
  1. pw-pulse.in and pw-jack.in shell scripts use and modify LD_LIBRARY_PATH so applications load pipewire's pulseaudio or jack instead of Jack's and PulseAudio's.
  2. The pipewire daemon uses env vars to set an alternative name and config file for the daemon. The name can also be set with a cmdline option to the daemon. So the name can be changed in 2 different places.
  3. pw_init() contains env vars when the daemon initializes to change defaults such as the spa plugin directory. Wonder why not use a config file for some of these?

- cppcheck reports a lot of uninitialized variables.

Conclusions: Significant source code growth and changes since the first security MIR review. Code base seems to be transitioning from new development to stability.

Security team ACK for promoting pipewire to main.

** Changed in: pipewire (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1802533

Title:
  [MIR] pipewire

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1802533/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1802533] Re: [MIR] pipewire
** Changed in: pipewire (Ubuntu)
       Status: Triaged => In Progress
[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
This has been fixed in bionic. Already fixed in xenial.
[Bug 1731410] Re: package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: subprocess installed post-installation script returned error code 1
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete
[Bug 1683378] Re: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete
[Bug 1690543] Re: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: trying to overwrite shared '/usr/share/doc/libpcsclite1/changelog.Debian.gz', which is different from other instances of package libpcsclite1:amd64
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete
[Bug 1570359] Re: pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Incomplete
[Bug 1539999] Re: Omnikey Cardreader not working
Is this still an issue? Changing to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete
[Bug 1366152] Re: System crash when Vasco-card-reader is plugged in at powerup
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Won't Fix
[Bug 1700104] Re: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
Fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Won't Fix
[Bug 1161882] Re: ACR38U Does not work on 12.10
This bug was not applicable to the pcsc-lite package. Closing since there has been no activity and the release has reached EOL.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Invalid
[Bug 1090238] Re: pcscd hangs after ejecting Rutoken ECP making some communication with token
This was fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Fix Committed
[Bug 1061947] Re: pcscd (auto)starting and permission troubles
This is most likely fixed via pcscd starting from systemd in current releases. Closing this since it has had no activity and has reached EOL.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Fix Committed
[Bug 1004683] Re: pcscd fails to access Reiner SCT CyberJack card reader
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Invalid
[Bug 796893] Re: Rutoken Magistra init fails in natty
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Won't Fix
[Bug 795540] Re: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Won't Fix
[Bug 790502] Re: If OS has started the pcscd service won't start up
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Won't Fix
[Bug 776082] Re: pcscd spams syslog whenever mozilla is running and CAC card is not inserted/present
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Won't Fix
[Bug 336815] Re: Aladdin etoken pro not supported anymore with pcscd
This bug appears to have been fixed in an update. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Fix Released
[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
** Description changed:

- The fix for #1835135 was not included into the python2.7 update. This
- bug has been opened to include it.
+ The fix for #1835135 was included into a python2.7 ver when python2.7
+ was updated, the fix was not included. It needs to be put pack into the
+ latest version pf python2.7 to prevent FIPS issues when using fips
+ openssl with python's hashlib. This is only a problem in latest
+ python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem on the above releases.
+ 
+ The fix was a backport of
+ https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

** Description changed:

- The fix for #1835135 was included into a python2.7 ver when python2.7
- was updated, the fix was not included. It needs to be put pack into the
- latest version pf python2.7 to prevent FIPS issues when using fips
- openssl with python's hashlib. This is only a problem in latest
- python2.7 versions in xenial, bionic, focal, and groovy. python3
- versions do not have this problem on the above releases.
+ LP #1835135 was fixed in python2.7. However, when python2.7 was updated
+ to current verion, the fix was not included. It needs to be included
+ again into current version of python2.7 to prevent FIPS issues when
+ using fips openssl with python's hashlib. This is only a problem in
+ latest python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem in these releases.
  
  The fix was a backport of
  https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae
[Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
** Also affects: python2.7 (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: python2.7 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: python2.7 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: python2.7 (Ubuntu Focal)
   Importance: Undecided
       Status: New
[Bug 1898078] [NEW] FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Public bug reported:

The fix for #1835135 was not included into the python2.7 update. This
bug has been opened to include it.

** Affects: python2.7 (Ubuntu)
     Importance: Undecided
         Status: New
[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
pcsc-lite source package provides pcscd and libpcsclite1 and thus is needed for smartcard deployment.
[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
pcscd is required. When removed, I am not able to get any info from the driver about the reader or the smartcard. pcscd loads the smartcard driver and coordinates communications.
[Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
Hi Seth and Christian,

I did a smartcard setup and confirmed I did not have to use anything from pcsc-tools. And pcsc-tools seems to depend on libpcsc-perl, so won't need pcsc-perl either.

My "sudo apt install opensc" pulled in libccid, libpcsclite1, opensc-pkcs11 and pcscd binary packages. I only needed one additional install of "libpam-pkcs11".

Next, I am looking into the pcscd requirement. Will comment shortly.
[Bug 1802533] Re: [MIR] pipewire
Reassigning so that necessary work is done to get pipewire updated, building and working in groovy.

** Changed in: pipewire (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1802533] Re: [MIR] pipewire
Hi, security team is wanting to do a MIR audit on pipewire for groovy. Unfortunately, the current pipewire source downloaded from groovy does not appear to have been updated, nor does it build.
[Bug 1851682] Re: oscap is broken in ubuntu 19.10
Verified this on both bionic and focal.

Testcase: (focal)

$ dpkg -l | grep libopenscap8
ii  libopenscap8  1.2.16-2ubuntu3.1  amd64  Set of libraries enabling integration of the SCAP line of standards
$ oscap oval eval --report cve-report.html com.ubuntu.focal.cve.oval.xml

The scan was successful and generated a report.

Testcase: (bionic)

$ dpkg -l | grep libopenscap8
ii  libopenscap8  1.2.15-1ubuntu0.2  amd64  Set of libraries enabling integration of the SCAP line of standards
$ oscap oval eval --report cve-report.html com.ubuntu.bionic.cve.oval.xml

The scan was successful and generated a report.
[Bug 1851682] Re: oscap is broken in ubuntu 19.10
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
** Description changed:

  [Impact]
  
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
  segfault.
  
  ntpq uses crypto hashes to authenticate its requests. By default it uses
  md5. However, when compiled with openssl it creates a lists of
  acceptable hashes from openssl that can be used.
+ 
+ This issue is only applicable in bionic when using fips-openssl.
  
  [Test Steps]
  
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in
  c_alld.c. For FIPS mode it adds:
  
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it
  gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  
  #ifdef OPENSSL_FIPS
      if (FIPS_mode()) {
          if (!(type->flags & EVP_MD_FLAG_FIPS)
              && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
              EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
              return 0;
          }
      }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set
  (EVP_R_DISABLED_FOR_FIPS). After getting back to ntpq.c: ctx->engine and
  ctx->digest are not set (due to the mentioned error), hence inside
  EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
  I don't think this should regress ntpq + openssl from the Ubuntu
  archive.
  
  Current archive ntpq + openssl behaviour:
- openssl includes all message digests and hands ntpq a sorted digest-list.
+ openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is
  well and sticks all digests into its list regardless if it is working or
  not.
- i.e.
+ i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
- MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
  
  If somehow openssl library is corrupted and sends back erroneous
  results, its possible the authentication will just not ever work.
  
  Newly fixed archive ntpq + oenssl beahviour:
  openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq checks each one and includes each working digest.
  With a non-corrupted openssl, everything works fine and ntpq includes
  each into its list. Ends up with a list identical to the one above.
- 
- If somehow opensll library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking return code and include only those algos that appear to be working. Its possible authentication will work for ntpq.
+ 
+ If somehow opensll library is corrupted and sends back erroneous
+ results, ntpq will hopefully catch it by checking return code and
+ include only those algos that appear to be working. Its possible
+ authentication will work for ntpq.
  
  The difference will be seen in ntpq + fips-openssl.
  ntpq will check return, and for fips-not-approved algos, return will
  indicate an error. So these algos will be skipped and ntpq will not
  include into its digest list. Resulting in a much shorter list of only
  fips-approved algos.
  i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
- SHA1, SHAKE128
+ SHA1, SHAKE128
  
- Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files.
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files.
  But I think it is somewhat understood that MD5 is bad in a FIPS
  environment.
** Description changed:

  [Impact]
  
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
  segfault.
  
  ntpq uses crypto hashes to authenticate its requests. By default it uses
  md5. However, when compiled with openssl it creates a lists of
  acceptable hashes from openssl that can be used.
  
- This issue is only applicable in bionic when using fips-openssl.
+ This issue is only applicable in bionic and when using fips-openssl.
  
  [Test Steps]
  
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task. EVP_MD_do_all_sorted eventually
[Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
** Summary changed:

- [fips] Not fully initialized digest segfaulting some client applications
+ [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Changed in: openssl (Ubuntu)
     Assignee: (unassigned) => Joy Latten (j-latten)
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Additional testing for ntpq authentication to ensure MD5 still works for ntpq in archive.

NOTE: The shown testing is ntpq (with patch) + openssl from archive, to ensure all still works. Testing with ntpq + fips-openssl was also done successfully.

VM-A (ntp server)

1. Edit /etc/ntp.keys to include,
   1 SHA1 austintexas
   2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
   keys /etc/ntp.keys
   trustedkey 2
   controlkey 2
   requestkey 2

3. restart ntp
   sudo service ntp restart

VM-B (ntp client)

$ dpkg -l | grep ntp
ii  ntp  1:4.2.8p10+dfsg-5ubuntu7.1+ppa1  amd64  Network Time Protocol daemon and utility programs

1. Edit /etc/ntp.keys to include,
   1 SHA1 austintexas
   2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
   keys /etc/ntp.keys
   server key 2
   trustedkey 2
   controlkey 2
   requestkey 2

3. I commented out all the "pool" entries in /etc/ntp.conf

4. restart ntp
   sudo service ntp restart

On the client,

$ ntpq -c as
ind assid status  conf reach auth condition  last_event cnt
===
  1 46728  f014   yes   yes  ok    reject   reachable    1

Notice that "auth" is ok.

$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password:
  interface name  send
 # address/broadcast  drop flag ttl mc received sent failed peers uptime
==
 0 v6wildcard D 81 0 0 0 0 0 0 96 [::]:123
 1 v4wildcard D 89 0 0 0 0 0 0 96 0.0.0.0:123
 2 lo .5 0 0 2 1 0 0 96 127.0.0.1:123
 3 ens3 . 19 0 0 2 2 0 1 96 192.168.122.105:123
 4 lo .5 0 0 0 0 0 0 96 [::1]:123
 5 ens3 . 11 0 0 0 0 0 0 96 [fe80::5054:ff:fefe:b092%2]:123
ntpq>

Note: issuing "ifstats" requires authentication.

I also tested with SHA1 and it worked as well.

And last test on client,

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==
 192.168.122.106 204.11.201.123 u 56 6471.5412.723 0.826
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Testing:
There are no autopkgtests for ntp pkg and we do not run "make check" in the tests dir as part of the build. So, just in case it is applicable, I ran make check on my local build to ensure everything passes.

** Attachment added: "Results of running make check in ../tests directory"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5392383/+files/ntp-test-results
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
  
- ntpq uses crypto hashes to authenticate its requests. By default it appears to use an internal md5 implementation. However, when compiled with openssl it creates a list of acceptable hashes from openssl that can be used.
- 
+ ntpq uses crypto hashes to authenticate its requests. By default it uses
+ md5. However, when compiled with openssl it creates a list of
+ acceptable hashes from openssl that can be used.
+ 
  [Test Steps]
  Test case:
  
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds:
  
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  
  #ifdef OPENSSL_FIPS
      if (FIPS_mode()) {
          if (!(type->flags & EVP_MD_FLAG_FIPS)
              && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
              EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
              return 0;
          }
      }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
- I believe the resolution to check the return code and if unsuccessful, do not include the hash algorithm in the internal ntpq digest list, should not introduce any regression.
- It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl. Instead it will add the others like sha1, sha2, and sha3.
+ I don't think this should regress ntpq + openssl from the Ubuntu
+ archive.
+ 
+ Current archive ntpq + openssl behaviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well and sticks all digests into its list regardless of whether it is working or not.
+ 
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ 
+ If somehow the openssl library is corrupted and sends back erroneous
+ results, it's possible the authentication will just not ever work.
+ 
+ Newly fixed archive ntpq + openssl behaviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq checks each one and includes each working digest. With a non-corrupted openssl, everything works fine and ntpq includes each into its list. Ends up with a list identical to the one above.
+ 
+ If somehow the openssl library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking the return code and include only those algos that appear to be working. It's possible authentication will work for ntpq.
+ 
+ The difference will be seen in ntpq + fips-openssl. ntpq will check
+ return, and for fips-not-approved algos, return will indicate an error.
+ So these algos will be skipped and ntpq will not include them in its digest
+ list. Resulting in a much shorter list of only fips-approved algos.
+ 
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ SHA1, SHAKE128
+ 
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files.
+ But I think it is somewhat understood that MD5 is bad in a FIPS environment.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Description changed:

- In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
- segfault.
+ [Impact]
+ In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
+ ntpq uses crypto hashes to authenticate its requests. By default it appears to use an internal md5 implementation. However, when compiled with openssl it creates a list of acceptable hashes from openssl that can be used.
+ 
+ [Test Steps]
  Test case:
  
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds:
  
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  
  #ifdef OPENSSL_FIPS
      if (FIPS_mode()) {
          if (!(type->flags & EVP_MD_FLAG_FIPS)
              && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
              EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
              return 0;
          }
      }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.
+ 
+ [Regression Potential]
+ 
+ I believe the resolution to check the return code and if unsuccessful, do not include the hash algorithm in the internal ntpq digest list, should not introduce any regression.
+ It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl. Instead it will add the others like sha1, sha2, and sha3.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Build log:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/19570468
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
debdiff for bionic

** Attachment added: "debdiff.bionic"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5391374/+files/debdiff.bionic
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
I added return checks to ntpq code and this appears to solve the problem. Is it ok to make this an SRU?
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Also, this is only applicable in bionic. Neither xenial nor focal experience this issue.
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
It seems 2 things are happening to generate this issue

1. fips-openssl in bionic has md5 and md5_sha1 in fips digest list with explicit purpose of accommodating PRF use only in fips mode. But you must pass the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use them.

2. ntpq does not check return codes from EVP_ calls. It has,

    ctx = EVP_MD_CTX_new();
    EVP_DigestInit(ctx, EVP_get_digestbyname(name));
    EVP_DigestFinal(ctx, digest, _len);
    EVP_MD_CTX_free(ctx);
    if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
        return;

EVP_DigestInit() would have returned 0 in this case indicating a failure.

Possible fixes:

1. in fips-libcrypto library remove md5 from fips digest list and keep md5_sha1 for PRF and mark as fips-allowed. Can still use md5 with EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but it's just not in fips digest list.
   Note: this fix can be put in fips-update ppa for availability. But, it may be a while before it is re-certified.

2. ntpq should check its return codes and do appropriate thing on error.
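As an added example (not code from ntpq, OpenSSL or anyone in this bug thread), the Python below reproduces the check that fix 2 above calls for: probe each digest and only advertise the ones whose init and final both succeed. It uses hashlib, which sits on the same libcrypto and raises ValueError where EVP_DigestInit() returns 0, so it also illustrates the Python2 hashlib crash in the last message on this page. The fips_new factory, the FIPS_DISABLED set and the max_len bound are constructed stand-ins for the demonstration, not ntpq's or OpenSSL's real tables.

```python
"""Build the list of usable key-type digests by probing each one.

Added example, not ntpq's or OpenSSL's code. It mirrors the fix discussed
in this bug: check that a digest really initialises and finalises before
listing it. hashlib wraps libcrypto and raises ValueError where
EVP_DigestInit() would return 0. fips_new, FIPS_DISABLED and the max_len
values used by callers are constructed for the demonstration.
"""
import hashlib
from typing import Any, Callable, Iterable, List, Optional

DigestFactory = Callable[[str], Any]


def probe_digest(name: str, new: DigestFactory = hashlib.new) -> Optional[int]:
    """Return the output length in bytes if `name` works end to end, else None.

    This is the step the unpatched ntpq skipped: it called EVP_DigestInit()
    without looking at the return value, then EVP_DigestFinal() on a context
    whose digest pointer was never set, and crashed. Here an unknown name, or
    one a FIPS libcrypto refuses, surfaces as ValueError and is reported as
    unusable instead of being used.
    """
    try:
        ctx = new(name)
        # XOFs such as shake_128 need an explicit output length (32 is an
        # arbitrary probe length); fixed-size digests do not.
        out = ctx.digest(32) if name.startswith("shake") else ctx.digest()
    except (ValueError, TypeError):
        return None
    return len(out)


def usable_digests(names: Iterable[str], max_len: int,
                   new: DigestFactory = hashlib.new) -> List[str]:
    """Keep only digests that probe successfully and fit in `max_len` bytes.

    `max_len` stands in for ntpq's MAX_MAC_LEN - sizeof(keyid_t) bound; the
    value is supplied by the caller, not taken from ntpq. Names that fail are
    skipped silently, which is the behaviour the patched ntpq adopts.
    """
    keep: List[str] = []
    for name in names:
        size = probe_digest(name, new)
        if size is None or size > max_len:
            continue
        keep.append(name)
    return keep


# Constructed stand-in for a FIPS-mode libcrypto: these names are refused at
# init time, which is what the bug reporter saw for md5 on bionic.
FIPS_DISABLED = {"md4", "md5", "ripemd160"}


def fips_new(name: str) -> Any:
    """hashlib.new() as a FIPS-mode libcrypto would behave (constructed)."""
    if name in FIPS_DISABLED:
        raise ValueError(f"[digital envelope routines] disabled for FIPS: {name}")
    return hashlib.new(name)


if __name__ == "__main__":
    candidates = ["md5", "sha1", "sha256", "sha512", "shake_128", "nonesuch"]
    print("non-FIPS:", usable_digests(candidates, 64))
    print("FIPS    :", usable_digests(candidates, 64, new=fips_new))
```

Run as a script it prints the two lists side by side; with the constructed FIPS factory md5 drops out and nothing crashes, which is the shorter keytype list the regression-potential section describes.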
[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Investigating.
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Tags added: verification-done-eoan

** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Successful verification on amd64 for bionic

$ dpkg -l | grep util-linux
ii  util-linux  2.31.1-0.4ubuntu3.6  amd64  miscellaneous system utilities

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Successful verification on amd64 for eoan

$ dpkg -l | grep util-linux
ii  util-linux  2.34-0.1ubuntu2.4  amd64  miscellaneous system utilities

Audit records found in /var/log/audit/audit.log,

type=USYS_CONFIG msg=audit(1584463433.533:68): pid=4263 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1584463480.497:81): pid=4268 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Mauricio,
Thank you so much for handling. Much appreciated.

I took a quick look at the above #15 and #16 and perhaps a retry may be beneficial... there were some timeouts...
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Also affects: util-linux (Ubuntu Eoan)
   Importance: Undecided
       Status: New
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Also affects: util-linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New
[Bug 1865504] Re: hwclock reports incorrect status in audit message
The debdiff for focal

** Attachment removed: "debdiff for focal"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal

** Attachment added: "debdiff.focal"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333895/+files/debdiff.focal
[Bug 1865504] Re: hwclock reports incorrect status in audit message
Build log
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/18795481

** Bug watch added: Debian Bug tracker #953065
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065
   Importance: Unknown
       Status: Unknown
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Attachment added: "debdiff for focal"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal
[Bug 1865504] Re: hwclock reports incorrect status in audit message
** Description changed:

+ [IMPACT]
+ hwclock reports incorrect status in audit message
+ 
+ hwclock calls audit_log_user_message(3) to create an audit entry.
  audit_log_user_message(3) result 1 is "success" and 0 is "failed", hwclock uses standard EXIT_{SUCCESS,FAILURE} macros with reverse
- status. Thus reports status incorrectly in audit message. This has been fixed upstream in https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ status. Thus reports its status incorrectly in audit message.
+ 
+ It is a requirement for Common Criteria Certification that hwclock
+ reports correct status in audit message.
+ 
+ This has been fixed upstream in https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ 
+ [TEST]
+ 
+ Steps to test:
+ 1. Install auditd
+ 2. Run following testcase,
+ 
+ # hwclock
+ 2020-03-02 15:03:03.280351+
+ # hwclock --set --date "1/1/2000 00:00:00"
+ # echo $?
+ 0
+ # hwclock
+ 2000-01-01 00:00:05.413924+
+ # hwclock --utc --systohc
+ # echo $?
+ 0
+ # hwclock
+ 2020-03-02 15:07:00.264331+
+ 
+ Following audit messages from /var/log/audit/audit.log,
+ 
+ type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
+ type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
+ 
+ Note that last entry in each audit record produced when hardware clock
+ was modified has, "res=failed". Although, testcase shows no failure
+ occurred.
+ 
+ [Regression Potential]
+ There should not be any regression to fix the status given to auditd.
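As an added example (not util-linux or auditd code, and not from anyone in this thread), the Python below encodes the audit_log_user_message(3) result convention the description gives (1 is success, 0 is failed) and checks hwclock's USYS_CONFIG records against the exit status observed for each run, which is the comparison the verification comments on this bug make by eye. The audit records are copied from this bug; pairing each record with an exit status by its audit serial, and the exit values themselves (0, as the echo $? steps show), are constructed for the demonstration.

```python
"""Check hwclock audit records against the exit status each run reported.

Added example, not util-linux or auditd code. audit_log_user_message(3)
takes result 1 for success and 0 for failure; the unfixed hwclock passed
EXIT_SUCCESS (0) / EXIT_FAILURE (1) through unchanged, so every record said
the opposite of what happened. The records below are copied from the bug;
keying them by audit serial and the exit statuses paired with them are
constructed for this demo.
"""
import re
from typing import Dict, List, Optional, Tuple

EXIT_SUCCESS = 0
EXIT_FAILURE = 1


def audit_result_from_exit_status(status: int) -> int:
    """Map a process exit status to the `result` argument that
    audit_log_user_message() expects: 1 on success, 0 on failure.
    Passing the EXIT_* value itself (the pre-fix behaviour) inverts both cases."""
    return 1 if status == EXIT_SUCCESS else 0


# type=<T> msg=audit(<epoch>:<serial>): <key=value fields>
_RECORD = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value where value is '...', "..." or a bare token (addr=? , terminal=pts/0)
_KV = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def _split_kv(text: str) -> Dict[str, str]:
    return {k: v.strip("'\"") for k, v in _KV.findall(text)}


def parse_audit_record(line: str) -> Optional[Dict[str, str]]:
    """Flatten one audit record into a dict. The op=/exe=/hostname=/res=
    fields live inside msg='...' and are lifted to the top level."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    fields = _split_kv(m.group("body"))
    inner = fields.pop("msg", "")
    rec.update(fields)
    rec.update(_split_kv(inner))
    return rec


def hwclock_audit_mismatches(lines: List[str],
                             exit_by_serial: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Return (serial, res, exit_status) for every hwclock USYS_CONFIG record
    whose res= field disagrees with the exit status observed for that run."""
    bad: List[Tuple[str, str, int]] = []
    for line in lines:
        rec = parse_audit_record(line)
        if not rec or rec["type"] != "USYS_CONFIG":
            continue
        if not rec.get("exe", "").endswith("/hwclock"):
            continue
        status = exit_by_serial.get(rec["serial"])
        if status is None:
            continue  # no observed exit status for this record
        expected = "success" if audit_result_from_exit_status(status) == 1 else "failed"
        if rec.get("res") != expected:
            bad.append((rec["serial"], rec.get("res", ""), status))
    return bad


# Records copied from the bug report. BEFORE_FIX: unfixed hwclock on bionic,
# res=failed although `echo $?` printed 0. AFTER_FIX: the verified package.
BEFORE_FIX = [
    "type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=failed'",
    "type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=failed'",
]
AFTER_FIX = [
    "type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=success'",
    "type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0 auid=1000 ses=1 "
    "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=bionic-fips addr=? terminal=pts/0 res=success'",
]
# Constructed: exit status per audit serial, as `echo $?` showed (0 each time).
EXIT_BY_SERIAL_BEFORE = {"105": 0, "106": 0}
EXIT_BY_SERIAL_AFTER = {"106": 0, "117": 0}

if __name__ == "__main__":
    print("before fix:", hwclock_audit_mismatches(BEFORE_FIX, EXIT_BY_SERIAL_BEFORE))
    print("after fix :", hwclock_audit_mismatches(AFTER_FIX, EXIT_BY_SERIAL_AFTER))
```

The pre-fix records come back as two mismatches and the verified ones as none, which is exactly the difference the bionic and eoan verification comments report.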
[Bug 1865504] [NEW] hwclock reports incorrect status in audit message
Public bug reported:

audit_log_user_message(3) result 1 is "success" and 0 is "failed", hwclock uses standard EXIT_{SUCCESS,FAILURE} macros with reverse status. Thus reports status incorrectly in audit message.

This has been fixed upstream in https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

** Affects: util-linux (Ubuntu)
     Importance: High
     Assignee: Joy Latten (j-latten)
         Status: New

** Changed in: util-linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: util-linux (Ubuntu)
   Importance: Medium => High

** Changed in: util-linux (Ubuntu)
     Assignee: (unassigned) => Joy Latten (j-latten)
[Bug 1853506] Re: [MIR] ndctl
I reviewed ndctl as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

ndctl is comprised of utilities and libraries for managing the libnvdimm (non-volatile memory device) sub-system in the Linux kernel

- No CVEs readily found. Gleaned the git repository, https://github.com/pmem/ndctl. Appears to be actively maintained. Security-wise, noted fixes for a memory leak and non-null terminated strings.
- Build-Depends: debhelper-compat (= 12), pkg-config, libkmod-dev, libudev-dev, uuid-dev, libjson-c-dev, bash-completion, systemd, libkeyutils-dev, asciidoctor
- No pre/post inst/rm scripts.
- There is an init script, debian/ndctl.init that is installed as /etc/init.d/ndctl-monitor. All actions are circumvented to systemctl.
- There is a systemd unit file, ndctl-monitor.service, for the ndctl monitor daemon. The daemon catches smart events notify from firmware and outputs the notifications (in json format) to a logfile.
- No dbus services.
- No setuid binaries.
- 2 binaries, ndctl and daxctl in /usr/bin
- No sudo fragments.
- No udev rules.
- There are unit-tests and autopkgtests. The unit tests were skipped. There has been considerable discussion in this bugreport about providing regression testing.
- No cron jobs.
- Build reported following...
  - configure: WARNING: unrecognized options: --disable-maintainer-mode
  - quite a few alignment warnings for "address-of-packed-member", i.e.,

      nfit.c: In function ‘ndctl_bus_cmd_new_translate_spa’:
      nfit.c:65:25: warning: taking address of packed member of ‘struct nd_cmd_translate_spa’ may result in an unaligned pointer value [-Waddress-of-packed-member]
         65 |         cmd->firmware_status = _spa->status;
            |                                ^~

  - following lintian warnings,
    - malformed-deb-archive newer compressed control.tar.xz
    - init.d-script-uses-usr-interpreter etc/init.d/ndctl-monitor /usr/bin/env

      E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor start
      E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor stop
      E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor restart
      E: ndctl: init.d-script-does-not-implement-required-option etc/init.d/ndctl-monitor force-reload
      W: ndctl: unusual-interpreter etc/init.d/ndctl-monitor #!/lib/init/init-d-script
      W: ndctl: init.d-script-does-not-source-init-functions etc/init.d/ndctl-monitor

  - following dpkg warnings

      dpkg-shlibdeps: warning: package could avoid a useless dependency if debian/daxctl/usr/bin/daxctl was not linked against libndctl.so.6 (it uses none of the library's symbols)
      dpkg-shlibdeps: warning: package could avoid a useless dependency if debian/daxctl/usr/bin/daxctl was not linked against libuuid.so.1 (it uses none of the library's symbols)

- execlp() called without an absolute path to bring up help pages. A call to "kfmclient" and once to call "man".
- Inspecting a random sampling of memory mgmt routines, the memory allocation looked good; memcpy() ok; none of the sprintf() nor asprintf() checked return value.
- File IO looked ok.
- Logging looked ok. We do not --enable-debug so limited debugging available.
  - daxctl_set_log_fn allows user to write custom function to override default!
- There are several environment vars. Could not readily find documentation on any of them.
  - log_env overrides log priority set in config file but uses secure_getenv so probably ok.
  - code does getenv("MANPATH"); then calls setenv("MANPATH") with gotten value. Seems bad idea.
- ioctls looked ok.
- Cryptography: looks ok. ndctl-setup|update|remove-passphrase uses the kernel keyring to enable a security passphrase for NVDIMM(s). Binary blobs of the encrypted masterkey and NVDIMM passphrase(s) are stored in /etc/ndctl/keys directory and loaded into memory and compared (in a way validated) with kernel keyring with ndctl command.
- a single testcase uses hard-coded tmp file but this testcase is skipped.
- No WebKit.
- No PolicyKit.
- There were some cppcheck results, upon closer examination they seem ok.

      [ndctl/check.c:1150]: (error) Signed integer overflow for expression '(549755813888)-4096'.
      [ndctl/dimm.c:1216]: (error) Memory leak: actx.f_out
      [util/json.c:871]: (error) Uninitialized variable: raw_uuid
      [ndctl/lib/libndctl.c:5577]: (error) Uninitialized variable: uuid
      [ndctl/lib/libndctl.c:5578]: (error) Uninitialized variable: uuid

- Quite a few scripts in test directory reported following warning, "Double quote to prevent globbing and word splitting"

GENERAL COMMENTS
- There are other licenses besides GPL licences.
- Note: opened an issue upstream about the unaligned pointer warning from compiler, https://github.com/pmem/ndctl/issues/131

Security team ACK only on condition that regression tests are available.

** Bug watch added: github.com/pmem/ndctl/issues #131
[Bug 1853506] Re: [MIR] ndctl
** Changed in: ndctl (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853506

Title:
  [MIR] ndctl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ndctl/+bug/1853506/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1802533] Re: [MIR] pipewire
I reviewed pipewire 0.2.5-1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

pipewire is a multimedia sharing and processing engine. It is comprised of a server and userspace API to handle multimedia pipelines. The pipewire package contains a library, utilities, a daemon and several plugins. pipewire seems to be relatively new and indications are that while usable, it is still being developed (https://github.com/PipeWire/pipewire/wiki/FAQ). It is meant to overhaul audio/video processing by doing what pulseaudio and Jack do and leveraging Wayland remote screen capabilities.

- No CVEs. Also examined git repository in github, https://github.com/PipeWire/pipewire. Seems to be a lot of active development and bugfixing.
- Build-Depends: debhelper (>= 11), libasound2-dev, libavcodec-dev, libavfilter-dev, libavformat-dev, libdbus-1-dev, libglib2.0-dev, libgstreamer1.0-dev, libgstreamer-plugins-base1.0-dev, libsbc-dev, libsdl2-dev, libudev-dev, libva-dev, libv4l-dev, libx11-dev, meson (>= 0.47), pkg-config (>= 0.22), systemd, xmltoman, doxygen, graphviz
  **Note: Uses meson build system
- There are no pre/post inst/rm scripts.
- No init scripts
- There are systemd unit files
  - There is pipewire.socket, a systemd socket unit for automatic socket activation. Appears to be an AF_UNIX socket
  - There is pipewire.service, a system unit file for the daemon. It requires the pipewire.socket to be active first.
- dbus services are used
  - the rtkit (realtimekit) module uses dbus to talk to RealtimeKit to be allowed permission to take on realtime property.
  - the flatpak module uses dbus in similar manner to acquire permission to record screen or audio.
  - the Simple plugin API provides dbus services via D-Bus low-level public API to plugins.
- No setuid binaries
- Several binaries installed in /usr/bin/ and /usr/lib/x86_64-linux-gnu/ dirs.
- No sudo fragments.
- No udev rules. However, the ALSA (advanced linux sound architecture) and V4l2 (video) plugins do make udev calls to acquire device info.
- No autopkgtests. There are a few tests in spa/test dir but they do not seem to have run.
- No cron jobs.
- Build logs indicated a successful build. However there was a compile error and many compile warnings pertaining to -Wdeprecated-declarations and -Wunused-result. There also appeared to be many failures while generating docs.
- No processes spawned.
- Quite a bit of memory mgmt. Inspecting a random sampling of memory mgmt routines, the memcpy() seem ok, the return value not checked for any of the asprintf() and a number of calloc()|realloc() did not check the return value for failure.
- No File IO issues readily found. Noticed v4l2 plugin open() the playback (video capture) device. The default is /dev/video0. The alsa plugin opens an audio device using snd_pcm_open. The default device is hw:0.
- Logging: both pipewire and spa (simple plugin api) define their own logging facilities. Use of vsnprintf seems ok. Noted that except for pw_log_trace, logging appears to go to stderr... pw_log_trace writes to a lockfree ringbuffer which seems to be written out from main thread.
- There are environment variables. They appear to be ok.
- No File IO issues. The v4l2 plugin uses ioctl and xioctl calls on VIDIOC_*, the videocapture device. Look ok.
- pipewire uses a random number to generate a random cookie that identifies the instance of pipewire
- No temp file issues.
- Networking: pipewire seem to use "nodes" which are physical playback and recording points for audio. Nodes can be separate processes that use sockets and filedescriptors to communicate and pass around multimedia data. pipewire opens local sockets and pass around file descriptors to do this.
- Does not use WebKit.
- Does not use PolicyKit.
- cppcheck results:

      [spa/tests/test-props4.c:147]: (error) va_list 'args' was opened but not closed by va_end().
      [spa/tests/test-props4.c:427]: (error) va_list 'args' was opened but not closed by va_end().

- Coverity not run.

Misc Notes:
Entry from https://github.com/PipeWire/pipewire/wiki/FAQ,

"Is PipeWire ready yet?
No, it is under heavy development. It is currently reasonably safe to use the remote API to connect to a PipeWire daemon and the stream API (stream.h) to send and retrieve data. I do not expect this API to change in incompatible ways. The protocol is not fixed yet; it is not safe to assume I will make backward compatible changes in the future. This means that it is not safe to assume that older versions of the library will be able to communicate with newer versions of the daemon (or vice versa). This is usually not a problem because both client and server share the same version of the library. It can be a problem when dealing with sandboxes that have their own (old) copy of PipeWire."

The security team will NAK this for now. The above FAQ entry indicates pipewire is still under heavy development
[Bug 1802533] Re: [MIR] pipewire
** Changed in: pipewire (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1802533 Title: [MIR] pipewire To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1802533/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
The 2.7 and 3.5 python packages in the security proposed PPA have been successfully tested in a fips and non-fips xenial environment. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1835135 Title: FIPS OpenSSL crashes Python2 hashlib To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1802614] Re: [MIR] gnome-remote-desktop
** Changed in: gnome-remote-desktop (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1802614 Title: [MIR] gnome-remote-desktop To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/1802614/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1802614] Re: [MIR] gnome-remote-desktop
I would like to add an additional condition to the security team ACK. The pipewire MIR must also be ACK'd.
[Bug 1802614] Re: [MIR] gnome-remote-desktop
I reviewed gnome-remote-desktop 0.1.7-1 as checked into eoan. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

gnome-remote-desktop is a remote desktop daemon for GNOME using VNC with pipewire. It is supposed to work with both X and Wayland.

- No CVEs. Also examined the git histories at both
  * https://gitlab.gnome.org/jadahl/gnome-remote-desktop
  * https://salsa.debian.org/gnome-team/gnome-remote-desktop
- Build-Depends: debhelper (>= 11), gnome-pkg-tools, libglib2.0-dev, libnotify-dev, libpipewire-0.2-dev, libsecret-1-dev, libvncserver-dev, meson (>= 0.36.0)
  **Note: Uses meson build system
- No Debian pre/post inst/rm scripts. However, there is a meson_post_install.py script that appears to compile gsettings schemas.
- No init scripts.
- There is a systemd service unit file installed in /usr/lib/systemd/user directory. It is used to start the daemon.
- Appears to use glib bindings for dbus. Uses introspection data format and is used for both screen casting and remote desktop. The remote desktop uses dbus to create, start, and stop remote desktop sessions. Notifications for pointer button motions and whether pressed. Notification if a key identified by a keysym was pressed.
- Remote desktop driven screen casts are started and stopped by the remote desktop session using dbus. Also uses dbus to record a monitor during the screen cast.
- No setuid/setgid binaries nor in the code.
- Nothing added to PATH.
- No sudo fragments.
- No udev rules.
- No testcases. However, when I looked upstream, a few have been added. https://gitlab.gnome.org/jadahl/gnome-remote-desktop/tree/master/tests
- No cron jobs.
- Build logs showed a successful build, but there were the following warnings:
    Binary packages built successfully but there was the following warning(s):
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:NextVersion} unused, but is defined
    dpkg-gencontrol: warning: package gnome-remote-desktop: substitution variable ${gnome:Version} unused, but is defined
  Error during source build:
    dh clean --with gnome --buildsystem=meson
    dh: Sorry, but 10 is the highest compatibility level supported by this debhelper.
    debian/rules:7: recipe for target 'clean' failed
    make: *** [clean] Error 25
    dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2
    debuild: fatal error at line 1376: dpkg-buildpackage -rfakeroot -d -us -uc -S failed
    FAIL
- No spawned processes.
- Memory management uses quite a bit of glib memory mgmt calls. They all seem to be used ok.
- No File IO issues.
- Logging uses glib logging and looks ok.
- Environment variable usage looks ok and only one is used to enable debugging.
- No privileged functions.
- This app uses libsecret for password storage and lookup. Calls into libsecret to get and store encrypted passwords. Uses libvncserver to encrypt keys for storage. Uses 3DES encryption algo. Encrypts user password and then compares it with the stored one to validate.
- No temp files.
- For networking, uses libpipewire for data transfer when doing screen casting. Using glib calls, vnc server listens on a socket|port for all interfaces. It seems to handle only one session on the listening socket. Could not get it to work to test that out. The socket handling seems ok.
- Does not use WebKit
- Does not seem to use PolicyKit
- Clean cppcheck

MISC NOTES
Authentication seems to be permitted in 1 of 2 ways:
1. password authentication
2. prompting - that is, the user is alerted that someone wants to connect and whether they will give permission or not.

The hardening-check tool reported, Fortify Source functions: no, only unprotected functions found!

The old Free Software Foundation address is used in many of the source files.

A lintian warning about debian/control
  W: gnome-remote-desktop source: newer-standards-version 4.3.0 (current is 3.9.7)
(but googling reported latest version is 4.3.0.3)

The debian/control has the following sentence in it, "This feature will not work on Ubuntu until mutter is recompiled with the remote desktop option enabled."

Security team ACK only on condition that it works, and help preparing updates and testing.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Upon looking at the source for both python2.7 and python3.5 in xenial, neither checks the return value from EVP_DigestInit in Modules/_hashopenssl.c file. However, python3.6 (in bionic, cosmic and disco) does have the check. So the check will need to be backported to python 2.7 and python 3.5 in xenial.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Like python3, python2 should check the return value of EVP_DigestInit.
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
The assessment is accurate. FIPS 140-2 does not allow MD5 except for use in PRF. Thus the OpenSSL_add_all_digests in fips openssl does not include MD5. However, SSL_library_init() does include MD5 but only for use in calculating the PRF. Notice in tls1_P_hash() in ssl/t1_enc.c the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is set in the context to permit this use of MD5. Apps wishing to calculate their own PRF can do the same.
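The comments above describe the Python side of the same FIPS problem: once _hashopenssl.c checks EVP_DigestInit's return value, asking for a digest the FIPS build refuses (MD5 outside a PRF) becomes a Python ValueError instead of a crash, and the application has to decide what to do with it. The following is an added example, not code from CPython, OpenSSL or this bug report, showing how an application should request digests so it degrades cleanly. It assumes only the standard library. The usedforsecurity keyword it uses is CPython's own (3.9 and later) way of saying "this hash is not used for a security purpose", the role EVP_MD_CTX_FLAG_NON_FIPS_ALLOW plays in the FIPS OpenSSL build; the sample inputs and the digest name no-such-digest are constructed for the demonstration.

```python
"""Added example (not CPython's or the bug's code): request digests from
hashlib so that a FIPS-restricted OpenSSL produces a clean error rather
than a crash or an unnoticed fallback.

Assumptions: Python 3.9+ accepts ``usedforsecurity`` (older interpreters
either ignore or reject the keyword, which is handled below); a disabled
or unknown digest raises ValueError once EVP_DigestInit's result is
checked, which is exactly the fix this bug tracks.
"""
import hashlib
from typing import Optional


def new_digest(name: str, *, security_use: bool):
    """Construct a hashlib object, tolerating interpreters that do not
    know the ``usedforsecurity`` keyword.  Raises ValueError when the
    linked OpenSSL will not initialise the digest (e.g. MD5 under FIPS)."""
    try:
        return hashlib.new(name, usedforsecurity=security_use)
    except TypeError:
        # Python without the keyword: fall back to a plain construction
        return hashlib.new(name)


def digest_hex(name: str, data: bytes, *, security_use: bool = True) -> Optional[str]:
    """Return the hex digest, or None when the digest is unavailable.

    Non-security uses (a configuration checksum, the way openvpn 2.3 used
    MD5 internally) pass security_use=False so a FIPS provider may allow
    them; anything that must resist an attacker keeps the default True.
    """
    try:
        h = new_digest(name, security_use=security_use)
    except ValueError:
        # "unsupported hash type" / digest disabled by the provider
        return None
    h.update(data)
    return h.hexdigest()


def probe_digests(names) -> dict:
    """Map each digest name to whether this interpreter can really
    initialise it.  hashlib.algorithms_available lists what OpenSSL
    reports, but only an actual construction proves the provider allows
    the digest in its current (possibly FIPS) mode."""
    return {n: digest_hex(n, b"", security_use=False) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration
    print(probe_digests(["md5", "sha1", "sha256", "no-such-digest"]))
    print("sha256(abc) =", digest_hex("sha256", b"abc"))
    print("md5(abc) as a checksum =", digest_hex("md5", b"abc", security_use=False))
```

On a FIPS-mode host the md5 entry of probe_digests() turns False instead of the process aborting, which is the behaviour the backported EVP_DigestInit check gives Python 2.7 and 3.5 callers.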
[Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Investigating
[Bug 1807439] Re: openvpn crashes when run with fips openssl
verification done on following:
xenial: openvpn-2.3.10-1ubuntu2.2
bionic: openvpn-2.4.4-2ubuntu1.2
cosmic: openvpn-2.4.6-1ubuntu2.1
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1807439 Title: openvpn crashes when run with fips openssl To manage notifications about this bug go to: https://bugs.launchpad.net/openvpn/+bug/1807439/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Verified using same test data allowing for interoperability testing between the various releases and with fips for xenial and bionic.
** Tags removed: verification-needed-bionic verification-needed-cosmic verification-needed-xenial
** Tags added: verification-done-bionic verification-done-cosmic verification-done-xenial
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Successfully verified xenial, bionic, and cosmic.
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Testing in progress...
[Bug 1807439] Re: openvpn crashes when run with fips openssl
This bug has been reported: 1.Upstream Bug: https://community.openvpn.net/openvpn/ticket/725 2.Suse Bug report: https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch ** Description changed: [IMPACT] + openvpn segfaults when using fips-mode openssl because of MD5. + + xenial has version 2.3.x and subsequent releases have 2.4.x. + MD5 is used in 2 places in 2.3.x and one place in 2.4.x. + + First place: openvpn when estabishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl). openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys. MD5 is used as the hash in this computation. FIPS 140-2 does not permit MD5 use except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so goes into an error state. - openvpn needs to set and pass a flag that FIPS-mode libcrypto.so - recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode - libcrypto.so will grant the request instead of entering an error state. - In non-FIPS libcrypto.so the flag has no meaning. + The context flag value, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is defined in + both FIPS and non-FIPS libcrypto.so. However, the MD5 check for it is + only in FIPS-mode libcrypto.so to permit MD5. In non-FIPS libcrypto.so + this check does not exist since it always permits MD5. openvpn should + use this flag when it makes its MD5 request. - **NOTE: The openvpn 2.3 version in xenial has the above issue and an - additional one. It also use MD5 internally for configuration status - verification. It is not communicated externally. However, this - particular use of MD5 is not allowed by FIPS and thus when openvpn tries - to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn - segfaulting. 
This 2nd issue was fixed by upstream openvpn community in - subsequent versions(2.4) to not use MD5 and use SHA(256) instead and - thus why bionic and disco do not require any change for this 2nd issue. + Second place (only in 2.3.x): + **NOTE: The openvpn 2.3 version in xenial has the above issue and an additional one. It also use MD5 internally for configuration status verification. It is not communicated externally. However, this particular use of MD5 is not allowed by FIPS and thus when openvpn tries to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn segfaulting. This 2nd issue was fixed by upstream openvpn community in subsequent versions(2.4) to not use MD5 and use SHA(256) instead and thus why bionic, cosmic, and disco do not require any change for this 2nd issue. [TEST] Test data including commands and parameters are included below. Testing comprised establishing a tls connection between an openvpn client and server. Once the connection was successfully established, a ping thru the established vpn tunnel was done from the client for assurance. Interoperability testing was done to ensure no regression. Test data reflects testing was done between openvpn server and client with and without the patch and between various releases (xenial, bionic, and disco). Test was also done with FIPS-enabled libcrypto.so to ensure everything worked in FIPS mode. [REGRESSION] - The FIPS-mode libcrypto.so flag passed by openvpn has no meaning in non-FIPS libcrypto.so. Thus nothing changes for openvpn behaviour in non-FIPS mode in regards to this. + The context flag value, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, is defined in both FIPS-mode openssl and non-FIPS openssl. However, the MD5-permit check against this flag-value does not occur in non-FIPS libcrypto.so, so there should be no change in behaviour. non-FIPS libcrypto.so should continue to service all MD5 requests. - xenial has additional change of using SHA instead of MD5 for - configuration status verification. 
This is an internal hash that is not - communicated externally. Thus it should not regress interoperability or - ability to establish connections. + xenial with version 2.3.x, has additional change of using SHA instead of + MD5 for configuration status verification. This is an internal hash that + is not communicated externally. Thus it should not regress + interoperability or ability to establish connections. ** Bug watch added: community.openvpn.net/openvpn/ #725 https://community.openvpn.net/openvpn/ticket/725
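The description above says openvpn's TLS handshake "does TLS PRF ... MD5 is used as the hash in this computation", which is why a FIPS build must still admit MD5 for that one purpose. The following added example, not openvpn's or OpenSSL's code, writes out the TLS 1.0/1.1 PRF of RFC 2246 section 5 so the dependency is visible: the key block is P_MD5 XOR P_SHA1 over the two halves of the secret, so a provider that refuses MD5 outright leaves the handshake with no way to derive keys. It assumes only the Python standard library; the secret, label and seed in the demonstration are constructed values, not test vectors from the bug or the RFC.

```python
"""Added example (not openvpn's or OpenSSL's code): the TLS 1.0/1.1 PRF
from RFC 2246 section 5, to show why an OpenSSL-1.0-era TLS stack needs
MD5 even on a FIPS system.

Assumptions: standard library only; sample inputs below are constructed.
"""
import hashlib
import hmac


def p_hash(digest_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_<hash>(secret, seed) from RFC 2246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    truncated to the requested length."""
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest_name).digest()
        out += hmac.new(secret, a + seed, digest_name).digest()
    return bytes(out[:length])


def split_secret(secret: bytes):
    """S1 is the first ceil(L/2) bytes of the secret and S2 the last
    ceil(L/2); for an odd-length secret the middle byte belongs to both
    (RFC 2246 section 5)."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).

    Both halves are required: without MD5 there is no P_MD5 stream and the
    master secret / key block cannot be computed, which is the request a
    FIPS 140-2 module may honour only when told it is for a PRF."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def md5_available() -> bool:
    """True when the linked OpenSSL will initialise MD5 at all.  On a FIPS
    build that refuses MD5 without the NON_FIPS_ALLOW flag, this is the
    point at which an unchecked EVP_DigestInit result made openvpn crash."""
    try:
        hashlib.md5()
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed demonstration inputs: a 48-byte premaster-style secret,
    # the "key expansion" label and a 64-byte client+server random seed.
    secret = bytes(range(1, 49))
    seed = bytes(range(64))
    print("MD5 usable:", md5_available())
    print("key block:", tls10_prf(secret, b"key expansion", seed, 104).hex())
```

The XOR of two independent hash streams is the reason the PRF was considered safe even if one hash weakened; it is also the reason the construction cannot be run with SHA-1 alone, so the only fix short of a newer TLS version is the flag openvpn now sets.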
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Applied fixes for above comments. After some team discussion, decided to use sha256 for internal hash rather than sha1 in xenial as well. Internal hash is never communicated externally.

Performed additional interoperability testing successfully using same test parameters as previously.
cosmic(with patch) <--> xenial (with patch)
cosmic(with patch) <--> xenial (with patch and in fips mode)
xenial(without patch) <--> xenial(with patch)
xenial(without patch) <--> xenial (with patch and fips mode)
xenial(with patch) <--> xenial (with patch)
xenial (with patch) <--> xenial (with patch and fips mode)
xenial (with patch and fips mode) <--> xenial(with patch and fips mode)
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Changed in: openvpn (Ubuntu Bionic) Status: Incomplete => New
** Changed in: openvpn (Ubuntu Xenial) Status: Incomplete => New
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Description changed: [IMPACT] openvpn when estabishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl). - openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys. - MD5 is used as the hash in this computation. + openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys. + MD5 is used as the hash in this computation. FIPS 140-2 does not permit MD5 use except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so goes into an error state. openvpn needs to set and pass a flag that FIPS-mode libcrypto.so recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode libcrypto.so will grant the request instead of entering an error state. In non-FIPS libcrypto.so the flag has no meaning. + **NOTE: The openvpn 2.3 version in xenial has the above issue and an + additional one. It also use MD5 internally for configuration status + verification. It is not communicated externally. However, this + particular use of MD5 is not allowed by FIPS and thus when openvpn tries + to use FIPS-mode libcrypto.so to compute MD5, it results in openvpn + segfaulting. This 2nd issue was fixed by upstream openvpn community in + subsequent versions(2.4) to not use MD5 and use SHA(256) instead and + thus why bionic and disco do not require any change for this 2nd issue. + [TEST] - Testing comprised establishing a tls connection between an openvpn client and server. Once the connection was successfully established, a ping thru the established vpn tunnel was done from the client for assurance. - - Because this flag has no meaning in non-FIPS libcrypto.so, nothing changes for openvpn behaviour in disco. Interoperability testing was done to ensure no regression. 
Test data reflects testing was done between openvpn server and client with and without the patch and between various releases (xenial, bionic, and disco). + Test data including commands and parameters are included below. - Test Data will be attached below. + Testing comprised establishing a tls connection between an openvpn + client and server. Once the connection was successfully established, a + ping thru the established vpn tunnel was done from the client for + assurance. - Note: a test was also done with a FIPS-enabled system to ensure - everything worked and no regression. + Interoperability testing was done to ensure no regression. Test data + reflects testing was done between openvpn server and client with and + without the patch and between various releases (xenial, bionic, and + disco). + + Test was also done with FIPS-enabled libcrypto.so to ensure everything + worked in FIPS mode. + + [REGRESSION] + The FIPS-mode libcrypto.so flag passed by openvpn has no meaning in non-FIPS libcrypto.so. Thus nothing changes for openvpn behaviour in non-FIPS mode in regards to this. + + xenial has additional change of using SHA instead of MD5 for + configuration status verification. This is an internal hash that is not + communicated externally. Thus it should not regress interoperability or + ability to establish connections. ** Changed in: openvpn (Ubuntu Disco) Status: Incomplete => New
[Bug 1807439] Re: openvpn crashes when run with fips openssl
2 testcases using same parameters for prior testcases, except that installed FIPS-mode libcrypto.so to test and ensure FIPS-mode libcrypto.so honors the flag to allow MD5 in PRF and does not cause openvpn to segfault because MD5 is missing.
** Attachment added: "testcase-data-fips" https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222137/+files/testcase-data-fips
[Bug 1807439] Re: openvpn crashes when run with fips openssl
The xenial patch has additional code. In version 2.3.10, openvpn uses MD5 for PRF and internally for configuration status verification. FIPS 140-2 permits MD5 for PRF, but not as a hash for internal verification. Subsequent versions of openvpn (2.4) were changed upstream to not use MD5, instead using SHA256. The attached patch provided by atsec uses SHA1 instead of MD5.
** Attachment added: "debdiff.xenial" https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222055/+files/debdiff.xenial
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Attachment added: "debdiff.bionic" https://bugs.launchpad.net/ubuntu/xenial/+source/openvpn/+bug/1807439/+attachment/5222054/+files/debdiff.bionic
[Bug 1807439] Re: openvpn crashes when run with fips openssl
build log for xenial: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743720
[Bug 1807439] Re: openvpn crashes when run with fips openssl
build log for bionic: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743676
** Also affects: openvpn (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: openvpn (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: openvpn (Ubuntu Xenial) Status: New => Incomplete
** Changed in: openvpn (Ubuntu Bionic) Status: New => Incomplete
[Bug 1807439] Re: openvpn crashes when run with fips openssl
Hi Christian, Hopefully the testcase-data file follows what you described. If not, let me know and I can reorganize it for improved readability.
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Attachment added: "debdiff.disco" https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222037/+files/debdiff.disco
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Attachment removed: "debdiff for disco" https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222035/+files/debdiff.disco
[Bug 1807439] Re: openvpn crashes when run with fips openssl
testcase-data contains some of the data produced as a result of interoperability testing. It is applicable to xenial, bionic and disco.
** Attachment added: "testcase-data" https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222036/+files/testcase-data
[Bug 1807439] Re: openvpn crashes when run with fips openssl
build log for disco: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743680
[Bug 1807439] Re: openvpn crashes when run with fips openssl
debdiff.disco
** Attachment added: "debdiff for disco" https://bugs.launchpad.net/ubuntu/disco/+source/openvpn/+bug/1807439/+attachment/5222035/+files/debdiff.disco
[Bug 1807439] Re: openvpn crashes when run with fips openssl
** Description changed:

- FIPS 140-2 does not permit MD5 except when used for pseudorandom
- function (PRF). When openvpn requests MD5 operation to FIPS-mode-
- openssl, since it is not allowed in general, fips-mode-openssl goes into
- an error state.
+ [IMPACT]
+ openvpn when establishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl).
  
- openvpn needs to set a specific fips-mode-openssl flag to indicate it is
- using MD5 for PRF, thereby fips-mode-openssl will grant the request
- instead of entering an error state. In non-fips-openssl the flag has no
- meaning.
+ openvpn tls connection does TLS PRF (pseudorandom function) to produce securely generated pseudo random output that is used to generate keys.
+ MD5 is used as the hash in this computation.
+ 
+ FIPS 140-2 does not permit MD5 use except when used for pseudorandom
+ function (PRF). When openvpn requests MD5 operation to FIPS-mode
+ libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so
+ goes into an error state.
+ 
+ openvpn needs to set and pass a flag that FIPS-mode libcrypto.so
+ recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode
+ libcrypto.so will grant the request instead of entering an error state.
+ In non-FIPS libcrypto.so the flag has no meaning.
+ 
+ [TEST]
+ Testing comprised establishing a tls connection between an openvpn client and server. Once the connection was successfully established, a ping thru the established vpn tunnel was done from the client for assurance.
+ 
+ Because this flag has no meaning in non-FIPS libcrypto.so, nothing changes for openvpn behaviour in disco. Interoperability testing was done to ensure no regression. Test data reflects testing was done between openvpn server and client with and without the patch and between various releases (xenial, bionic, and disco).
+ 
+ Test Data will be attached below.
+ 
+ Note: a test was also done with a FIPS-enabled system to ensure
+ everything worked and no regression.
[Bug 1807439] [NEW] openvpn crashes when run with fips openssl
Public bug reported:

FIPS 140-2 does not permit MD5 except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode-openssl, since it is not allowed in general, fips-mode-openssl goes into an error state.

openvpn needs to set a specific fips-mode-openssl flag to indicate it is using MD5 for PRF, thereby fips-mode-openssl will grant the request instead of entering an error state. In non-fips-openssl the flag has no meaning.

** Affects: openvpn (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openvpn (Ubuntu Disco)
     Importance: Undecided
         Status: New

** Also affects: openvpn (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Description changed:

  FIPS 140-2 does not permit MD5 except when used for pseudorandom
  function (PRF). When openvpn requests MD5 operation to FIPS-mode-
  openssl, since it is not allowed in general, fips-mode-openssl goes into
  an error state.
  
- openvpn needs to set a specific fips-mode-openssl flag to indicate to it
- is using MD5 for PRF, thereby fips-mode-openssl will grant the request
- instead of entering an error state.
+ openvpn needs to set a specific fips-mode-openssl flag to indicate it is
+ using MD5 for PRF, thereby fips-mode-openssl will grant the request
+ instead of entering an error state. In non-fips-openssl the flag has no
+ meaning.
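The key derivation this report is about, as an added example (not code from openvpn or from the Ubuntu patch): the TLS 1.0/1.1 PRF of RFC 2246 splits the secret in two and XORs an HMAC-MD5 stream with an HMAC-SHA1 stream, so an MD5 digest is unavoidable whenever keys are derived this way. Python's usedforsecurity=False plays the role of the libcrypto flag the report describes: the caller declares that MD5 is a PRF building block rather than a security digest. All inputs are constructed.

```python
"""TLS 1.0/1.1 PRF (RFC 2246, section 5) built from HMAC-MD5 and HMAC-SHA1.

Added example, not code from openvpn or the Ubuntu patch. It shows where the
MD5 digest the bug report talks about enters TLS key derivation, and it marks
that use as non-security (usedforsecurity=False) in the way the report says
the patch does for FIPS-mode libcrypto. All inputs are constructed.
"""
import hashlib


def _digest(name, data):
    """Digest `data` with `name`, declaring a non-security use of the hash.

    A FIPS-restricted Python build refuses hashlib.md5() unless the caller
    passes usedforsecurity=False, the analogue of the flag the report
    describes: MD5 here is a PRF building block, not a security digest.
    Interpreters older than 3.9 lack the keyword, hence the fallback.
    """
    try:
        return hashlib.new(name, data, usedforsecurity=False).digest()
    except TypeError:
        return hashlib.new(name, data).digest()


def hmac_digest(name, key, msg):
    """HMAC (RFC 2104) over digest `name`; MD5 and SHA-1 both use 64-byte blocks."""
    block = 64
    if len(key) > block:
        key = _digest(name, key)
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return _digest(name, opad + _digest(name, ipad + msg))


def p_hash(name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...

    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to `length`."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_digest(name, secret, a)
        out += hmac_digest(name, secret, a + seed)
    return out[:length]


def tls1_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).

    S1 is the first half of the secret, S2 the second half; with an odd
    length the middle byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(pre_master, client_random, server_random):
    """RFC 2246, section 8.1: the 48-byte master secret. This PRF output is
    the "pseudo random output used to generate keys" the report refers to."""
    return tls1_prf(pre_master, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample values, not a captured handshake.
    pms = bytes(range(48))
    print(master_secret(pms, b"\x11" * 32, b"\x22" * 32).hex())
```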
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
Hi Robie,

I tested this SRU with the new package in proposed and verified.

$ dpkg -l | grep libopenscap8
ii  libopenscap8   1.2.8-1ubuntu0.1   amd64   Set of libraries enabling integration of the SCAP line of standards

I ran a few rules in my oval that use the systemd probe and they now come back as passing,

$ sudo oscap oval eval --id oval:com.ubuntu.xenial.cis:def:6400 Ubuntu_16.04_LTS_CIS_Benchmark-oval-sec2.xml
Definition oval:com.ubuntu.xenial.cis:def:6400: true
Evaluation done.

$ sudo oscap oval eval --id oval:com.ubuntu.xenial.cis:def:6600 Ubuntu_16.04_LTS_CIS_Benchmark-oval-sec2.xml
Definition oval:com.ubuntu.xenial.cis:def:6600: true
Evaluation done.

I ran a few scripts (SCE) and they now pass,

$ ls *.sh
CIS-3.6.2.sh  CIS-3.6.3.sh  CIS-3.6.5.sh  CIS-5.4.1.5.sh  CIS-6.2.9.sh

Title   Ensure users own their home directories
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-6.2.9
Result  pass

Title   Ensure all users last password change date is in the past
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-5.4.1.5
Result  pass

To note any regression, I ran the entire testsuite and saw similar output (other than those that now pass).

I consider this verification for this SRU.

** Tags added: verification-done-xenial
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
I agree with the above analysis.

There is something else I have noticed... the openscap community consists of several components, one of them implements security-guides (scap content (checklists) to pass to oscap). xenial did not ship any security-guide component. However, bionic does. Bionic also includes the above mentioned changes.

In the past year the openscap community has made many improvements to the security-guides including creating a small checklist specifically for ubuntu-16.04. Bionic ships the security-guides in several packages,

- ssg-debderived (contains ubuntu-16.04 checklist)
- ssg-nondebian (contains rhel and sles checklists)
- ssg-debian (contains debian checklist)

It is possible ubuntu users will try several things using the ssg-debderived package

- take the ubuntu-16.04 checklist file and try to run it on a xenial system. However, there are systemd checks in this xccdf. It is possible a bugreport will be generated.
- try to run the ubuntu-16.04 checklist file on bionic. This will fail because the checklist file first looks to verify it is a 16.04 system. A savvy user can modify the xccdf (checklist file) to recognize 18.04.
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
Hi Robie,

Yes, you are correct. This SRU enables 2 things.

First, it enables systemd probes/schema. The user would have to have oval code that implements this schema/probe for it to be used. So, several things are likely:
1. users did not implement code using this schema since it was unavailable.
2. if there was code using this schema, and it was not commented out, the results probably came back "unknown" since it was not available.

Enabling this systemd probe/schema, users with the #1 scenario will not notice anything. Users with the #2 scenario will now have those particular checks come back with "pass" or "fail" instead of "unknown".

The 2nd thing it enables is the script-check-engine (SCE), which allows oscap to include bash or python scripts to assist in scans/checks. The xccdf/xml code has to explicitly call a particular script. And the script would have had to be written for the xccdf. So several things are likely:
1. users implemented xccdf code without using this feature since it is not available. These users won't see any change when this is enabled.
2. users' xccdf code does call particular scripts. As of now, these checks will always result in a "notchecked" since SCE is not there. When this feature is enabled, for these users, the check will then come back as "pass" or "fail" instead of "notchecked".

In all these scenarios, existing checks that do not implement sce or systemd schemas will continue as they always have and will not be impacted.

Hopefully this is all ok?
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
libopenscap8 in bionic contains the changes requested in this SRU for xenial. Thus bionic and cosmic do not require this change since it is already done.
[Bug 1658792] Re: libopenscap8: Enable SCE option to make broader SCAP content available for Ubuntu users
*** This bug is a duplicate of bug 1782031 ***
    https://bugs.launchpad.net/bugs/1782031

** This bug has been marked a duplicate of bug 1782031
   [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
[Bug 1661401] Re: libopenscap8: missing dependency resulting in missing OVAL objects support
*** This bug is a duplicate of bug 1782031 ***
    https://bugs.launchpad.net/bugs/1782031

** This bug has been marked a duplicate of bug 1782031
   [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
** Attachment added: "debdiff.xenial"
   https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1782031/+attachment/5167767/+files/debdiff.xenial
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
Testcases:

The testcases included with the libopenscap8 source are disabled. It appears they do not all compile or run correctly, thus disabled.

To test this I did the following:

1. oscap --v
Shows that the SCE plugin has been enabled and also that the 2 systemd probes have been enabled. (See attachment)

2. Our SCAP content for those rules using SCE or systemd probes now run and also pass.

Rule 1.1.21 uses the systemdunitdependency probe to check that autofs is disabled. This check now passes with the systemd probes enabled.

Title   Disable Automounting
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-1.1.21
Result  pass

Rule 6.2.9 uses a script to check that users own their home directory.

Title   Ensure users own their home directories
Rule    xccdf_com.ubuntu.xenial.cis_rule_CIS-6.2.9
Result  pass

** Attachment added: "Attachment shows output of oscap --v with updated libopenscap8"
   https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1782031/+attachment/5167766/+files/oscap--v
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
build log:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15137237
[Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
This bug is to enable 2 options available in the libopenscap8 source. Both of these options have been enabled in artful, bionic and cosmic. Both options have also been enabled in Debian via the following Debian bugreports,

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853995
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826

There are 2 Debian bugs, but I was able to add only 1 above. Since these are small changes, I am hoping one Ubuntu bug will be ok. If not, I can open another bugreport.

Prior bugs,
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1658792
AND
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1661401
were opened to address this. The original bugreporter is no longer available. I would like to duplicate those to this bug and use this one to address and resolve this issue.

** Bug watch added: Debian Bug tracker #853995
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853995
[Bug 1782031] [NEW] [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
Public bug reported:

[Impact]

Canonical security certification team is automating Ubuntu specific security hardening guides using Security Content Automation Protocol (SCAP). SCAP requires Open Vulnerability and Assessment Language (xccdf and xml) to implement SCAP content. The openSCAP implementation processes SCAP content, but has been extended to also process python and bash scripts via a Script Check Engine (SCE). This ability to process bash and python scripts is needed because OVAL is somewhat limited in what it can do. We have had to write a few python and bash scripts. SCE is not enabled by default, and will require the addition of the "--enable-sce" option in the "debian/rules" file to turn it on.

There are security hardening rules for systemd. There is also OVAL schema implemented as "probes" in openSCAP. The systemd probe to be enabled requires libdbus-1-dev during build. This would be set in the debian/control file.

The attached patch has all the necessary code change. These 2 changes were made in more current versions of libopenscap8 in Debian as indicated above. As a result, Artful, Bionic and Cosmic also have these changes. The automation we are working on is required for Xenial though.

[Test Case]

1. run the command "oscap --v", and should see the following with the SCE option enabled,

Capabilities added by auto-loaded plugins
SCE Version: 1.0 (from libopenscap_sce.so.8)

without the SCE option enabled, the list of plugins is empty.

Also, should see under "Supported OVAL objects and associated OpenSCAP probes"

systemdunitproperty      probe_systemdunitproperty
systemdunitdependency    probe_systemdunitdependency

2. The second testcase requires running our SCAP content and verifying that those rules using scripts are run and those rules using systemd probes are run.

[Regression Potential]

The regression potential should be small. The changes proposed enable new functionality that is already included in the source package, and do not change the behavior of existing functionality.

** Affects: openscap (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: openscap (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #852826
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826

** Also affects: openscap (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852826
   Importance: Unknown
       Status: Unknown
[Bug 1722313] Re: Enable auditing in util-linux.
Update on Artful regression analysis from comment #22.

1. Same as in comment #22. Hopefully these can be ignored as they were for xenial.

2. Same as in comment #22. Tests passed in different runs as stated above. When the failures occurred, it was because of timeouts while waiting for something. Failures appear to be intermittent and not related to the change made here.

3. gnocchi - appears to be a testcase usage message from python. Not related to the change made in this bug.

4. libdata-uuid-libuuid-perl (s390x) - Julian did a test here using hello and the prior version of util-linux and they both failed with the same error. So this error is not related to this bug change. Something else changed perhaps in the testcase or test environment.

5. tracker passes on a re-run

6. nplan passes on a re-run

Conclusion: Hopefully the above explanations result in the regressions having been resolved so util-linux in artful can be promoted.
[Bug 1722313] Re: Enable auditing in util-linux.
Summary of analysis of the autopkgtest failures listed for this SRU in http://people.canonical.com/~ubuntu-archive/pending-sru.html

For Artful regressions:

1. dpdk (s390x), ocfs2-tools (s390x), lxcfs (s390x), ori (s390x), network-manager (s390x), lxd (s390x) - These all have failing testcases that were skipped in the prior version of util-linux. The same reason stated in comment #21 above may be applicable here as well.

2. network-manager (ppc64el) - has had 2 runs. In one run, test_wpa1_ip4 fails, test_rfkill passes. In the other run, test_wpa1_ip4 passes and test_rfkill fails. A timeout results in the failure. Seems testcases do pass for this version of util-linux but are sensitive to current workload maybe...

3. gnocchi (all platforms) - further investigating.

4. libdata-uuid-libuuid-perl (s390x) - might be due to the change in test environment such as #1.

5. tracker (arm64) - further investigation. No prior run to compare with.

6. nplan (arm64) - further investigation. No prior run to compare with.
[Bug 1722313] Re: Enable auditing in util-linux.
Summary of analysis of the autopkgtest failures listed for this SRU in http://people.canonical.com/~ubuntu-archive/pending-sru.html

For Xenial regressions:

1. In xenial, the failing testcases had been skipped in prior versions and not run. i.e. "SKIP Test requires machine-level isolation but testbed does not provide that"

I talked to Julian who informed me that s390x testbeds went from LXC containers to VMs. Now those tests that had not been run before were executing and failing.