[Bug 1990272] Re: PCIe Bus Error: Uncorrected, Transaction Layer, device [8086:51b0], AER UnsupReq

2024-06-24 Thread mark mccarthy
I'm having similar issues - the PCIe device in question seems to be the
wireless card in my case. Every now and then my system (Dell Optiplex
3050) will lock up entirely; no app hosting, no SSH, no anything, and
only a forced reboot will fix it - for a while, before it locks up
again. Syslog has a _slew_ of these errors present before the
new-session/reboot takes effect. Coming from Focal, and that machine
hardly ever had any problems.

#[about 40 pages of the same error above]
#--- 

Jun 23 07:04:13 optiplex2 kernel: [403063.425670] pcieport :00:1c.7: AER: Corrected error message received from :00:1c.7
Jun 23 07:04:13 optiplex2 kernel: [403063.425680] pcieport :00:1c.7: PCIe Bus Error: severity=Corrected, type=Physical Layer, (Receiver ID)
Jun 23 07:04:13 optiplex2 kernel: [403063.425682] pcieport :00:1c.7:   device [8086:a297] error status/mask=0001/2000
Jun 23 07:04:13 optiplex2 kernel: [403063.425685] pcieport :00:1c.7:[ 0] RxErr

#---then force rebooted later in the morning after server had crashed overnight---

Jun 23 19:09:06 optiplex2 systemd-modules-load[438]: Inserted module 'msr'
Jun 23 19:09:06 optiplex2 kernel: [0.00] microcode: microcode updated early to revision 0xf8, date = 2023-09-28
Jun 23 19:09:06 optiplex2 kernel: [0.00] Linux version 5.15.0-112-generic (buildd@lcy02-amd64-051) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #122-Ubuntu SMP Thu May 23 07:48:21 UTC 2024 (Ubuntu 5.15.0-112.122-generic 5.15.152)
Jun 23 19:09:06 optiplex2 kernel: [0.00] Command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-112-generic root=UUID=694b220d-e9d0-47d3-9b8b-3e069ee1983c ro
Jun 23 19:09:06 optiplex2 kernel: [0.00] KERNEL supported cpus:


Linux optiplex2 5.15.0-112-generic #122-Ubuntu SMP Thu May 23 07:48:21
UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1990272

Title:
  PCIe Bus Error: Uncorrected, Transaction Layer, device [8086:51b0],AER
  UnsupReq

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1990272/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2067973] Re: A series of infinite loop vulnerabilities in the os_ken

2024-06-24 Thread Mark Esler
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067973

Title:
  A series of infinite loop vulnerabilities in the os_ken

To manage notifications about this bug go to:
https://bugs.launchpad.net/dragonflow/+bug/2067973/+subscriptions



[Bug 2070259] Re: CVE-2022-30333

2024-06-24 Thread Mark Esler
Marking public https://ubuntu.com/security/CVE-2022-30333

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30333

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2070259

Title:
  CVE-2022-30333

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2070259/+subscriptions



[Bug 2069596] Re: blocks wrong IPv4 and IPv6 addresses on LE systems (reversed byte order)

2024-06-20 Thread Mark Esler
Cyril, upstream has agreed to assign a CVE. That will alert the Go
ecosystem and distros to the issue and fix \o/

I will update you when I learn more.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2069596

Title:
  blocks wrong IPv4 and IPv6 addresses on LE systems (reversed byte
  order)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/crowdsec-firewall-bouncer/+bug/2069596/+subscriptions



[Bug 2059734] Re: Tar fails to extract archives that include folders with certain permissions on armhf

2024-06-19 Thread Mark Elvers
Presumably via /usr/bin/runc.

```
# ldd /usr/bin/runc
linux-vdso.so.1 (0x003940e63000)
libseccomp.so.2 => /lib/riscv64-linux-gnu/libseccomp.so.2 (0x003940e3a000)
libc.so.6 => /lib/riscv64-linux-gnu/libc.so.6 (0x003940cba000)
/lib/ld-linux-riscv64-lp64d.so.1 (0x003940e65000)
```

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+subscriptions



[Bug 2059734] Re: Tar fails to extract archives that include folders with certain permissions on armhf

2024-06-19 Thread Mark Elvers
I confirm that this also affects Noble.

If libseccomp2 is >= 2.55, then Docker must be >= 25.0.3.

I looked at fixing the Docker profile, and this works for `docker run`,
but `docker build` always uses the built-in/default profile, so it's a
limited workaround.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+subscriptions



[Bug 2069596] Re: blocks wrong IPv4 and IPv6 addresses on LE systems (reversed byte order)

2024-06-18 Thread Mark Esler
Thank you for taking the time to report this Cyril.

Do you know if Google intends to assign a CVE?

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2069596

Title:
  blocks wrong IPv4 and IPv6 addresses on LE systems (reversed byte
  order)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/crowdsec-firewall-bouncer/+bug/2069596/+subscriptions



[Bug 2069490] Re: Possible fingerjacking vulnerability: CVE-2024-37408

2024-06-16 Thread Mark Esler
Is Ubuntu affected by default or is this an administrative choice?

https://www.openwall.com/lists/oss-security/2024/05/30/3

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2069490

Title:
  Possible fingerjacking vulnerability: CVE-2024-37408

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2069490/+subscriptions



[Bug 2068831] Re: Thunderbird icon missing in panel of Cinnamon

2024-06-12 Thread Mark
Ooo, interesting. If I use the `Papirus` icon theme, then thunderbird
gets its icon.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2068831

Title:
  Thunderbird icon missing in panel of Cinnamon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cinnamon-desktop-environment/+bug/2068831/+subscriptions



[Bug 2068831] Re: Thunderbird icon missing in panel of Cinnamon

2024-06-12 Thread Mark
Dist-upgrade from early release of 22.04 to 23.10 then to 24.04. 
Thunderbird DEB package replaced by SNAP package in the process.
If I search for Thunderbird and pin it, then there's an icon in Grouped Window 
List. If I click the icon, it opens new window without an Icon in the Grouped 
Window List. If I pin the new no-icon window, then it leaves a small gap 
between other pinned icons/windows.

What logs or information do you need to investigate further?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2068831

Title:
  Thunderbird icon missing in panel of Cinnamon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cinnamon-desktop-environment/+bug/2068831/+subscriptions



[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-06-06 Thread Mark Esler
Andreas asked that I re-verify that Ubuntu Security wishes to make this
change through SRU. We do.

Since the regression was inherited from sid, it feels most appropriate
to SRU a change into -updates. Also, since a working 5.6 patch for
CVE-2019-14318 does not exist we do not have a fix for the security
pocket.

This SRU needs a sponsor.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14318

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2064751/+subscriptions



[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-06-06 Thread Mark Esler
Marking this as invalid, since devel is not affected. Only focal is
affected.

** Package changed: libcrypto++ (Ubuntu) => ubuntu

** Changed in: ubuntu
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2064751/+subscriptions



[Bug 2059734] Re: Tar fails to extract archives that include folders with certain permissions on armhf

2024-05-31 Thread Mark Elvers
I did some analysis
[here](https://github.com/ocaml/infrastructure/issues/121).

libseccomp needs to be >= 2.55 and Docker >= 25.0.3 and then this issue
goes away.  Without these the system call `fchmodat2` returns `EPERM`
rather than `ENOSYS`.

** Bug watch added: github.com/ocaml/infrastructure/issues #121
   https://github.com/ocaml/infrastructure/issues/121

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/2059734/+subscriptions
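
Why the errno in the message above matters, as an added example that is not part of the original post or of tar, glibc, libseccomp or Docker: a caller that probes a newer syscall falls back only on `ENOSYS`, so an `EPERM` from a filter is treated as a genuine failure. `chmod_nofollow`, `run_case` and the two stubs are hypothetical names, the stubs are constructed to reproduce the two return values, and the fallback is a simplified one that needs read permission on the target.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_fchmodat2
#define SYS_fchmodat2 452 /* number on x86_64, armhf, arm64 and riscv64 */
#endif

/* Signature shared by the real syscall wrapper and the constructed stubs. */
typedef int (*fchmodat2_fn)(int dirfd, const char *path, mode_t mode, int flags);

/* The real thing: whatever this host's kernel and seccomp filter answer. */
int real_fchmodat2(int dirfd, const char *path, mode_t mode, int flags)
{
    return (int)syscall(SYS_fchmodat2, dirfd, path, mode, flags);
}

/* Constructed stub: syscall unknown, reported as ENOSYS. */
int stub_enosys(int dirfd, const char *path, mode_t mode, int flags)
{
    (void)dirfd; (void)path; (void)mode; (void)flags;
    errno = ENOSYS;
    return -1;
}

/* Constructed stub: syscall unknown to the filter, reported as EPERM. */
int stub_eperm(int dirfd, const char *path, mode_t mode, int flags)
{
    (void)dirfd; (void)path; (void)mode; (void)flags;
    errno = EPERM;
    return -1;
}

/* Hypothetical caller: chmod that never follows a symlink.
 * Tries fchmodat2 first and falls back only when it is "not implemented". */
int chmod_nofollow(fchmodat2_fn sys, const char *path, mode_t mode)
{
    if (sys(AT_FDCWD, path, mode, AT_SYMLINK_NOFOLLOW) == 0)
        return 0;
    if (errno != ENOSYS)
        return -1; /* EPERM ends up here: no fallback, caller sees a failure */

    /* Simplified fallback: O_NOFOLLOW refuses symlinks, fchmod acts on the fd. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Create a 0600 temp file, request 0640 through `sys`, and return the
 * permission bits the file ends up with (-1 if setup failed).
 * *err receives 0 on success or the errno of the failed chmod. */
int run_case(fchmodat2_fn sys, int *err)
{
    char path[] = "/tmp/fchmodat2-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    *err = chmod_nofollow(sys, path, 0640) == 0 ? 0 : errno;
    int mode = stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    unlink(path);
    return mode;
}

int main(void)
{
    struct { const char *name; fchmodat2_fn fn; } cases[] = {
        { "this host (real syscall)", real_fchmodat2 },
        { "stub returning ENOSYS",    stub_enosys },
        { "stub returning EPERM",     stub_eperm },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int err = 0;
        int mode = run_case(cases[i].fn, &err);
        if (mode < 0)
            printf("%-26s setup failed\n", cases[i].name);
        else
            printf("%-26s mode=%04o result=%s\n", cases[i].name,
                   (unsigned)mode, err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run inside the affected container, the first line shows which of the two behaviours that runtime actually produces.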



[Bug 2067494] [NEW] Unrecognized parameter "append_to" when an extension tries to construct an animated icon

2024-05-29 Thread Mark Jaroski
Public bug reported:

This bug has been reported to the extension developer here:

https://github.com/2nv2u/gnome-shell-extension-syncthing-indicator/issues/39

It appears that some upstream Gnome change which the extension developer
tracked and compensated for in their recent Gnome 46 compatibility
release did not make the cut for the 24.04 Ubuntu release.


```
Description:Ubuntu 24.04 LTS
Release:24.04
```

```
$ apt-cache policy gnome-shell
gnome-shell:
  Installed: 46.0-0ubuntu5.1
  Candidate: 46.0-0ubuntu5.1
  Version table:
 *** 46.0-0ubuntu5.1 500
500 http://ch.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages
100 /var/lib/dpkg/status
 46.0-0ubuntu5 500
500 http://ch.archive.ubuntu.com/ubuntu noble/main amd64 Packages
```

Expected: the extension should load and run as in other Gnome 46
distributions

What happened instead: the extension throws an error, which
interestingly is not caught by the extension manager, but is at least
reported.

Stack trace from the upstream error report in GitHub:
```
Stack trace:

parse@resource:///org/gnome/shell/misc/params.js:24:23

_init@resource:///org/gnome/shell/ui/animation.js:20:25

Animation@resource:///org/gnome/shell/ui/animation.js:17:1

SyncthingPanelIcon@file:///home/mark/.local/share/gnome-shell/extensions/syncth...@gnome.2nv2u.com/extension>

_init@file:///home/mark/.local/share/gnome-shell/extensions/syncth...@gnome.2nv2u.com/extension.js:456:15

ButtonBox@resource:///org/gnome/shell/ui/panelMenu.js:12:1

PanelMenuButton@resource:///org/gnome/shell/ui/panelMenu.js:97:4

SyncthingIndicator@file:///home/mark/.local/share/gnome-shell/extensions/syncth...@gnome.2nv2u.com/extension>

enable@file:///home/mark/.local/share/gnome-shell/extensions/syncth...@gnome.2nv2u.com/extension.js:546:20

_callExtensionEnable@resource:///org/gnome/shell/ui/extensionSystem.js:267:38

loadExtension@resource:///org/gnome/shell/ui/extensionSystem.js:479:32

async*_loadExtensions@resource:///org/gnome/shell/ui/extensionSystem.js:795:24

async*_enableAllExtensions@resource:///org/gnome/shell/ui/extensionSystem.js:801:48

_sessionUpdated@resource:///org/gnome/shell/ui/extensionSystem.js:836:20

async*init@resource:///org/gnome/shell/ui/extensionSystem.js:77:14

_initializeUI@resource:///org/gnome/shell/ui/main.js:313:22

start@resource:///org/gnome/shell/ui/main.js:185:11

@resource:///org/gnome/shell/ui/init.js:12:47

@resource:///org/gnome/shell/ui/init.js:21:20
```

** Affects: gnome-shell (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067494

Title:
  Unrecognized parameter "append_to" when an extension tries to
  construct an animated icon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/2067494/+subscriptions



[Bug 129133] Re: mc uses predictable temp directory path

2024-05-27 Thread Mark Esler
Sounds good!

The impact does sound low. Mostly I recommend CVEs if you want to make
sure that downstreams apply a security patch.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/129133

Title:
  mc uses predictable temp directory path

To manage notifications about this bug go to:
https://bugs.launchpad.net/mc/+bug/129133/+subscriptions



[Bug 129133] Re: mc uses predictable temp directory path

2024-05-27 Thread Mark Esler
Hi @zyw o/

_If_ your project wants, I'm happy to assign and publish a CVE for this.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/129133

Title:
  mc uses predictable temp directory path

To manage notifications about this bug go to:
https://bugs.launchpad.net/mc/+bug/129133/+subscriptions



[Bug 2065738] Re: Leaks wireguard keys

2024-05-23 Thread Mark Esler
*** This bug is a duplicate of bug 1987842 ***
https://bugs.launchpad.net/bugs/1987842

Please refer to this issue as CVE-2022-4968.

Marking this bug as a duplicate to
https://bugs.launchpad.net/netplan/+bug/1987842

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-4968

** Information type changed from Private Security to Public Security

** This bug has been marked a duplicate of bug 1987842
   wireguard: netdev file can leak private key

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2065738

Title:
  Leaks wireguard keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2065738/+subscriptions



[Bug 2066828] [NEW] do-release-upgrade fails, mantic to noble

2024-05-23 Thread Mark Berndt
Public bug reported:

Previous non-LTS upgrades have all completed.  This upgrade fails and
there is no specific information in the logs which I could interpret.

ProblemType: Bug
DistroRelease: Ubuntu 23.10
Package: ubuntu-release-upgrader-core 1:23.10.14
ProcVersionSignature: Ubuntu 6.5.0-26.26-generic 6.5.13
Uname: Linux 6.5.0-26-generic x86_64
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: unknown
CrashDB: ubuntu
CurrentDesktop: KDE
Date: Thu May 23 16:18:48 2024
InstallationDate: Installed on 2020-07-16 (1406 days ago)
InstallationMedia: Kubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
PackageArchitecture: all
SourcePackage: ubuntu-release-upgrader
UpgradeStatus: Upgraded to mantic on 2024-05-23 (0 days ago)

** Affects: ubuntu-release-upgrader (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug dist-upgrade mantic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2066828

Title:
  do-release-upgrade fails, mantic to noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/2066828/+subscriptions



[Bug 2066372] Re: Ubuntu 22.04 LTS - swaylock -v 1.5 - lock screen bypasses

2024-05-22 Thread Mark Esler
Focal (20.04) and Jammy (22.04) swaylock versions are affected
https://ubuntu.com/security/CVE-2022-26530

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26530

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2066372

Title:
  Ubuntu 22.04 LTS - swaylock -v 1.5 - lock screen bypasses

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/swayidle/+bug/2066372/+subscriptions



[Bug 2066035] [NEW] KWM Switch causes logout

2024-05-17 Thread Mark Smith
Public bug reported:

I have a 2x1 KVM switch between my work laptop (win10) and my Ubuntu
24.04 (noble) desktop.

When I switch from Ubuntu to the work laptop - whether I have locked the
screen or not - the Ubuntu session logs me out.

I had originally thought it was rebooting the desktop, but using the
uptime command, I can see that the machine has been online since my
last manual reboot (this morning - I have rebooted a number of times
over the last few days to try to clear the issue).

Everything worked fine when the desktop was on Ubuntu 23.10.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: gnome (not installed)
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri May 17 11:56:54 2024
InstallationDate: Installed on 2024-04-13 (34 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Beta amd64 (20240410.2)
SourcePackage: meta-gnome3
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: meta-gnome3 (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug noble

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2066035

Title:
  KWM Switch causes logout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/meta-gnome3/+bug/2066035/+subscriptions



[Bug 1721428] Re: Artful (17.10) Session logout after screen turned off

2024-05-17 Thread Mark Smith
This bug affects me on 24.04 noble too.

It did not on 23.10.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1721428

Title:
  Artful (17.10) Session logout after screen turned off

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-shell/+bug/1721428/+subscriptions



[Bug 2020212] Re: /proc//stat doesn't update after resume from hibernation

2024-05-13 Thread Mark Waterhouse
Same behaviour across CentOS 7.9.2009 on AWS

** Also affects: centos
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2020212

Title:
  /proc//stat doesn't update after resume from hibernation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed-gcp/+bug/2020212/+subscriptions



[Bug 2059847] Re: Input lag or freezes on Nvidia desktops with X11 after logging "MetaSyncRing: Sync object is not ready -- were events handled properly?"

2024-05-13 Thread Mark Erbaugh
Ubuntu LTS 22.04.4

I ran Deku's script, from message 102 above:

sudo apt install -y --allow-downgrades \
gir1.2-mutter-10=42.9-0ubuntu7vv1 \
mutter-common=42.9-0ubuntu7vv1 \
libmutter-10-0=42.9-0ubuntu7vv1;

That cleared things up, no lag / MetaSyncRing errors, but Ubuntu now
wants to re-upgrade the packages back to 42.9-0ubuntu7.1

I tried installing the 0ubuntu8 packages from Tais in message 111, but
apt couldn't find them

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059847

Title:
  Input lag or freezes on Nvidia desktops with X11 after logging
  "MetaSyncRing: Sync object is not ready -- were events handled
  properly?"

To manage notifications about this bug go to:
https://bugs.launchpad.net/mutter/+bug/2059847/+subscriptions



[Bug 2059847] Re: Input lag or freezes on Nvidia desktops with X11 after logging "MetaSyncRing: Sync object is not ready -- were events handled properly?"

2024-05-11 Thread Mark Erbaugh
Thanks Deku.

With just a very quick test (applied then rebooted), the snippet posted
above seems to be working for me with Ubuntu 22.04.4 LTS.

I had to add the apt option --allow-downgrades

Mark

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059847

Title:
  Input lag or freezes on Nvidia desktops with X11 after logging
  "MetaSyncRing: Sync object is not ready -- were events handled
  properly?"

To manage notifications about this bug go to:
https://bugs.launchpad.net/mutter/+bug/2059847/+subscriptions



[Bug 2064999] Re: Prevent soft lockups during IOMMU streaming DMA mapping by limiting nvme max_hw_sectors_kb to cache optimised size

2024-05-09 Thread Mark Nelson
Hey folks,

I think we may have encountered this or a variant of this while running
extremely strenuous Ceph performance tests on a very high speed cluster
we designed for a customer.  We have a write-up that includes a section
on needing to disable iommu here:

https://ceph.io/en/news/blog/2024/ceph-a-journey-to-1tibps/

Good job figuring this one out to everyone involved!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064999

Title:
  Prevent soft lockups during IOMMU streaming DMA mapping by limiting
  nvme max_hw_sectors_kb to cache optimised size

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2064999/+subscriptions



[Bug 1948714] Re: After reboot, the password set at install time doesn't work.

2024-05-09 Thread Mark Smith
*** This bug is a duplicate of bug 1875062 ***
https://bugs.launchpad.net/bugs/1875062

This bug is back in 24.04 (noble).
Same issue - Set the keyboard to UK at install, but the keyboard used is US 
layout so special characters e.g. # & £ are transposed, and therefore doesn't 
work at first login.
(At least I could see the error now)

Tried on a Desktop install from the Beta, and also on a laptop install
using the full release.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1948714

Title:
  After reboot, the password set at install time doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1948714/+subscriptions



[Bug 2046084] Re: HID gamepad not working when paired with blueman on bluez 5.68-0ubuntu1.1

2024-05-07 Thread Mark Esler
*** This bug is a duplicate of bug 2045931 ***
https://bugs.launchpad.net/bugs/2045931

Ack, thanks for the explanation.

** Tags added: regression-security regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046084

Title:
  HID gamepad not working when paired with blueman on bluez
  5.68-0ubuntu1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/2046084/+subscriptions



[Bug 2046116] Re: bluetooth device connected but not recognised as output device

2024-05-07 Thread Mark Esler
@vorlon answered why in
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/2046084/comments/7

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046116

Title:
  bluetooth device connected but not recognised as output device

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2046116/+subscriptions



[Bug 2064966] Re: "accept_source_route" enabled by default in 24.04

2024-05-06 Thread Mark Esler
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064966

Title:
  "accept_source_route" enabled by default in 24.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2064966/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2046116] Re: bluetooth device connected but not recognised as output device

2024-05-06 Thread Mark Esler
@vanvugt, @vorlon, why is this marked as a regression?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046116

Title:
  bluetooth device connected but not recognised as output device

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2046116/+subscriptions



[Bug 2046084] Re: HID gamepad not working when paired with blueman on bluez 5.68-0ubuntu1.1

2024-05-06 Thread Mark Esler
*** This bug is a duplicate of bug 2045931 ***
https://bugs.launchpad.net/bugs/2045931

This is not a security regression. This is upstream's fix to prevent
https://github.com/skysafe/reblog/blob/main/cve-2024-0230/README.md

If you wish to enable legacy devices (and the vulnerability) with the
most recent version of BlueZ set `ClassicBondedOnly=false` in
`/etc/bluetooth/input.conf`, and then run `systemctl restart bluetooth`.

Removing regression tags and marking as a duplicate of
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2045931


** This bug has been marked a duplicate of bug 2045931
   ps3 sixasis controller request pin to connect to bt

** Tags removed: regression-security regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2046084

Title:
  HID gamepad not working when paired with blueman on bluez
  5.68-0ubuntu1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/2046084/+subscriptions



[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Description changed:

  [ Impact ]
  
  Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
  this version from Debian appears to have been a mistake.
  
  This is a security regression, but was not published through the security
  pocket.
  
  As far as I am aware, Debian only packaged 5.6.4-9 in sid. Buster's latest
  version is 5.6.4-8: the version immediately before the regression.
  
  This version includes an _incomplete_ security patch for CVE-2019-14318
  which breaks elliptic curve arithmetic.
   - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
     security patch is incomplete.
   - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
     states that the 2019 patch (which 5.6 and 8.3.0 received) has a
     regression.
  
  See https://github.com/weidai11/cryptopp/issues/1269 and LP#2060564 for a
  deeper exploration of this Ubuntu Focal issue.
  
- The root cause of LP#1893934 appears to be caused by this regression. As
- reported on the urbackup forums, rolling back to the previous version
- solves this crash.
+ The root cause of LP#1893934 appears to be caused by this regression.
+   - As reported on the urbackup forums, rolling back to the previous
+ version solves this crash.
   -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/
  
  [ Test Plan ]
  
  1. To test the regression:
  
  Compile and use @ekera[@]github.com's PoC (attached as main.cpp):
  ```
  $ g++ main.cpp -lcryptopp -o test
  $ ./test
  ```
  
  The PoC will report `X is *NOT* as expected.` on miscomputations.
  
  See https://github.com/weidai11/cryptopp/issues/1269
  
  Both Bionic 18.04.06 (libcrypto++ version 5.6.4-8) and Jammy 22.04.04
  (libcrypto++ version 8.6.0-2ubuntu1) had the expected result. Focal fails
- with 5.6.4-8. Rolling back the version allows the PoC test to past.
+ with 5.6.4-8. Rolling back the version allows the PoC test to past. Using
+ a version built with the attached debdiff also passes the PoC.
  
  2. Package tests:
  
  All package build tests pass regardless of the regression. Checking that
  new failures do not occur is a sanity test.
  
  To test builtin tests run: `cd /usr/share/crypto++ && cryptest v`
  
  X. Note:
  
  Unfortunately there are no autopkgtests.
  
  `reverse-depends -r focal src:libcrypto++` includes five, possibly minor,
  reverse dependencies.
  
  libcrypto++ is mostly used as a dependency outside of the Ubuntu Archive.
  i.e., we have low visibility on how this package is used.
  
  I am hoping that the PoC and built in tests are enough to prove the sanity
  of this security regression SRU.
  
  [ Other Info ]
  
  A big thank you to Martin Ekerå (@ekera[@]github.com) for identifying this
  issue and writing a thorough bug report and PoC on GitHub \o/
  
  This is my first SRU. I need a sponsor and help tagging on LP.
  
  I have performed the Test Plan.
  
  The fix solely involves on removing a d/patch file.
  
  Removing the patch causes the following (expected) symbol changes in
  ./usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0:
  ```
  +CryptoPP::ProjectivePoint::~ProjectivePoint() W
  +std::vector >::~vector() W
  +void std::vector 
>::_M_realloc_insert(__gnu_cxx::__normal_iterator > >, CryptoPP::ProjectivePoint 
const&) W
  ```
  
  [ Where problems could occur ]
  
  Two systems both using software based on the regressed version of Crypto++
  *could possibly* communicate through incorrectly generated keys together.
  This seems unlikely and, if it is even possible, we should discourage or
  even break the use of miscalculated elliptic curves.
  
  A regression in reverting the regressed patch is possible.
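
Review bot: The rewritten Test Plan sentence still says "Focal fails with 5.6.4-8", which conflicts with the Impact section (5.6.4-9 is the regressed Focal version) and with the same paragraph, where Bionic's 5.6.4-8 gives the expected result; the failing version here looks like it should be 5.6.4-9. In the same changed lines, "allows the PoC test to past" should read "to pass", and the added sentence about the debdiff build would be easier to verify if it named the resulting package version.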

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++


[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Description changed:

  [ Impact ]
  
  Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
  this version from Debian appears to have been a mistake.
  
  This is a security regression, but was not published through the security
  pocket.
  
  As far as I am aware, Debian only packaged 5.6.4-9 in sid. Buster's latest
  version is 5.6.4-8: the version immediately before the regression.
  
  This version includes an _incomplete_ security patch for CVE-2019-14318
  which breaks elliptic curve arithmetic.
-  - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
-security patch is incomplete.
-  - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
-states that the 2019 patch (which 5.6 and 8.3.0 received) has a
-regression.
+  - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
+    security patch is incomplete.
+  - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
+    states that the 2019 patch (which 5.6 and 8.3.0 received) has a
+    regression.
  
  See https://github.com/weidai11/cryptopp/issues/1269 and LP#2060564 for a
  deeper exploration of this Ubuntu Focal issue.
  
  The root cause of LP#1893934 appears to be caused by this regression. As
  reported on the urbackup forums, rolling back to the previous version
  solves this crash.
-  -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/
+  -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/
  
  [ Test Plan ]
  
  1. To test the regression:
  
- Compile and use @ek...@github.com's PoC (attached as main.cpp):
+ Compile and use @ekera[@]github.com's PoC (attached as main.cpp):
  ```
  $ g++ main.cpp -lcryptopp -o test
  $ ./test
  ```
  
  The PoC will report `X is *NOT* as expected.` on miscomputations.
  
  See https://github.com/weidai11/cryptopp/issues/1269
  
  Both Bionic 18.04.06 (libcrypto++ version 5.6.4-8) and Jammy 22.04.04
  (libcrypto++ version 8.6.0-2ubuntu1) had the expected result. Focal fails
  with 5.6.4-8. Rolling back the version allows the PoC test to past.
  
  2. Package tests:
  
  All package build tests pass regardless of the regression. Checking that
  new failures do not occur is a sanity test.
  
  To test builtin tests run: `cd /usr/share/crypto++ && cryptest v`
  
  X. Note:
  
  Unfortunately there are no autopkgtests.
  
  `reverse-depends -r focal src:libcrypto++` includes five, possibly minor,
  reverse dependencies.
  
  libcrypto++ is mostly used as a dependency outside of the Ubuntu Archive.
  i.e., we have low visibility on how this package is used.
  
- I am hoping that the PoC built in tests are enough to prove the sanity of
- this security regression SRU.
+ I am hoping that the PoC and built in tests are enough to prove the sanity
+ of this security regression SRU.
  
  [ Other Info ]
-  
- A big thank you to Martin Ekerå (@ek...@github.com) for identifying this
+ 
+ A big thank you to Martin Ekerå (@ekera[@]github.com) for identifying this
  issue and writing a thorough bug report and PoC on GitHub \o/
  
  This is my first SRU. I need a sponsor and help tagging on LP.
  
  I have performed the Test Plan.
  
  The fix solely involves on removing a d/patch file.
  
  Removing the patch causes the following (expected) symbol changes in
  ./usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0:
  ```
  +CryptoPP::ProjectivePoint::~ProjectivePoint() W
  +std::vector >::~vector() W
  +void std::vector 
>::_M_realloc_insert(__gnu_cxx::__normal_iterator > >, CryptoPP::ProjectivePoint 
const&) W
  ```
  
  [ Where problems could occur ]
  
  Two systems both using software based on the regressed version of Crypto++
  *could possibly* communicate through incorrectly generated keys together.
  This seems unlikely and, if it is even possible, we should discourage or
  even break the use of miscalculated elliptic curves.
  
  A regression in reverting the regressed patch is possible.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++


[Bug 2064751] [NEW] [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
Public bug reported:

[ Impact ]

Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
this version from Debian appears to have been a mistake.

This is a security regression, but was not published through the security
pocket.

As far as I am aware, Debian only packaged 5.6.4-9 in sid. Buster's latest
version is 5.6.4-8: the version immediately before the regression.

This version includes an _incomplete_ security patch for CVE-2019-14318
which breaks elliptic curve arithmetic.
 - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
   security patch is incomplete.
 - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
   states that the 2019 patch (which 5.6 and 8.3.0 received) has a
   regression.

See https://github.com/weidai11/cryptopp/issues/1269 and LP#2060564 for a
deeper exploration of this Ubuntu Focal issue.

The root cause of LP#1893934 appears to be caused by this regression. As
reported on the urbackup forums, rolling back to the previous version
solves this crash.
 -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/

[ Test Plan ]

1. To test the regression:

Compile and use @ek...@github.com's PoC (attached as main.cpp):
```
$ g++ main.cpp -lcryptopp -o test
$ ./test
```

The PoC will report `X is *NOT* as expected.` on miscomputations.

See https://github.com/weidai11/cryptopp/issues/1269

Both Bionic 18.04.06 (libcrypto++ version 5.6.4-8) and Jammy 22.04.04
(libcrypto++ version 8.6.0-2ubuntu1) had the expected result. Focal fails
with 5.6.4-8. Rolling back the version allows the PoC test to pass.

2. Package tests:

All package build tests pass regardless of the regression. Checking that
new failures do not occur is a sanity test.

To test builtin tests run: `cd /usr/share/crypto++ && cryptest v`

X. Note:

Unfortunately there are no autopkgtests.

`reverse-depends -r focal src:libcrypto++` includes five, possibly minor,
reverse dependencies.

libcrypto++ is mostly used as a dependency outside of the Ubuntu Archive.
i.e., we have low visibility on how this package is used.

I am hoping that the PoC built in tests are enough to prove the sanity of
this security regression SRU.

[ Other Info ]
 
A big thank you to Martin Ekerå (@ek...@github.com) for identifying this
issue and writing a thorough bug report and PoC on GitHub \o/

This is my first SRU. I need a sponsor and help tagging on LP.

I have performed the Test Plan.

The fix solely involves removing a d/patch file.

Removing the patch causes the following (expected) symbol changes in
./usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0:
```
+CryptoPP::ProjectivePoint::~ProjectivePoint() W
+std::vector >::~vector() W
+void std::vector 
>::_M_realloc_insert(__gnu_cxx::__normal_iterator > >, CryptoPP::ProjectivePoint 
const&) W
```

[ Where problems could occur ]

Two systems both using software based on the regressed version of Crypto++
*could possibly* communicate through incorrectly generated keys together.
This seems unlikely and, if it is even possible, we should discourage or
even break the use of miscalculated elliptic curves.

A regression in reverting the regressed patch is possible.

** Affects: libcrypto++ (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: libcrypto++ (Ubuntu Focal)
 Importance: Undecided
 Status: New


** Tags: regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++


[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Attachment added: "main.cpp"
   https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2064751/+attachment/5774479/+files/main.cpp

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++


[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Patch added: "libcrypto++_5.6.4-9ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2064751/+attachment/5774481/+files/libcrypto++_5.6.4-9ubuntu1.debdiff

** Also affects: libcrypto++ (Ubuntu Focal)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++


[Bug 2059734] Re: Tar fails to extract archives that include folders with certain permissions on armhf

2024-05-01 Thread Mark Elvers
If you compile tar from scratch within the Docker container, then you do
not see the error.

```
wget https://ftp.gnu.org/gnu/tar/tar-1.35.tar.gz
tar -xzf tar-1.35.tar.gz
```

Ignore the errors from the tar process :-)

```
apt install build-essential libacl1-dev -y
cd tar-1.35
FORCE_UNSAFE_CONFIGURE=1 ./configure --prefix=/usr
make install
```

Now `tar -xf` works as expected.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf


[Bug 2059734] Re: Tar fails to extract archives that include folders with certain permissions on armhf

2024-05-01 Thread Mark Elvers
This also affects ppc64le Docker images.  These commands work fine on
x86_64, arm64 and s390 but fail on POWER9.

```
docker run -it --rm ubuntu:noble
apt-get -y update
apt install -y wget
cd /tmp
wget a-tar-file-of-your-choice.tar.gz
tar -xzf a-tar-file-of-your-choice.tar.gz
```

Error message:

```
...
tar: your/file.1: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: your/file.2: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: your/file.3: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf


[Bug 2040137] Re: exposing the EFI shell in Secure Boot mode can lead to security bypass

2024-04-28 Thread Mark Esler
This has been addressed in the LXD snaps 5.21/stable
(https://github.com/canonical/lxd-pkg-snap/commit/764ee08b) and 5.0/edge
(https://github.com/canonical/lxd-pkg-snap/commit/bfe4270e).

All LXD software before version 4 is not affected.

Jammy, Mantic, and Noble do not have debs. Focal's deb is a snap
installer. If LP is meant to track affected debs, all tagged LXD
releases are invalid.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2040137

Title:
  exposing the EFI shell in Secure Boot mode can lead to security bypass


[Bug 2062667] Re: Fails on (and should be removed from) raspi desktop

2024-04-27 Thread Mark Esler
This impacts all arm64 installs, not just raspberry pi.

The MIR for qrtr and protection-domain-mapper [0] was requested late in
the Mantic cycle and was only approved by Security since it was promised
to only be used for x13s hardware enablement. Hopefully Qualcomm IPC is
only enabled for x13s kernels.

As noted in the qrtr MIR:
> We should be cautious of IPC routers running root permissions. Similar code
> has enabled vendor backdoors [1].

Furthermore, qrtr has nearly no documentation and has no inline code
comments [2].

Please remove this from the mantic and noble's ubuntu-meta package.

[0] https://bugs.launchpad.net/ubuntu/+source/qrtr/+bug/2038942
[1] https://redmine.replicant.us/projects/replicant/wiki/samsunggalaxybackdoor
[2] https://github.com/linux-msm/qrtr

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2062667

Title:
  Fails on (and should be removed from) raspi desktop


[Bug 2063961] [NEW] Microsoft 365 account keeps disconnecting

2024-04-27 Thread Mark Smith
Public bug reported:

When I use the new (24.04) settings and 'Online Accounts' to connect to 
Microsoft 365, it authenticates, works well for about 5 minutes and then 
disconnects.
I have to remove that account and redo it every time I want to use it.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: ubuntu-settings 24.04.3
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Sat Apr 27 19:04:06 2024
InstallationDate: Installed on 2024-04-27 (0 days ago)
InstallationMedia: Ubuntu 24.04 LTS "Noble Numbat" - Release amd64 (20240424)
PackageArchitecture: all
SourcePackage: ubuntu-settings
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: ubuntu-settings (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug noble

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063961

Title:
  Microsoft 365 account keeps disconnecting


[Bug 2063308] Re: lenovo p1g5 suspend issues with docking stations

2024-04-25 Thread Mark Pearson
Can we get the system config details please - CPU, GPU in particular. Also
confirm if WWAN is enabled.
Which dock is being used?

Can you confirm if AMT is enabled or not in the BIOS?
We've seen issues with AMT enabled with the TBT dock, especially with
networking.

Will look to reproduce the issue with high power numbers after the ME FW
update - agreed that looks like a FW issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063308

Title:
  lenovo p1g5 suspend issues with docking stations


[Bug 2063227] [NEW] Feh crashes on double finger tapping

2024-04-23 Thread Mark
Public bug reported:

1.
No LSB modules are available.
Description:    Ubuntu 24.04 LTS
Release:        24.04

2.
feh:
  Installed: 3.10.1-1build3
  Candidate: 3.10.1-1build3
  Version table:
 *** 3.10.1-1build3 500
        500 http://us.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status

3. When clicking on an image in feh with two fingers (not double click)
on the touch-pad, this happens:

*** buffer overflow detected ***: terminated
Aborted (core dumped)

And feh crashes. I did not expect it to crash.

4. It crashes.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: feh 3.10.1-1build3
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Tue Apr 23 12:57:28 2024
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=
SourcePackage: feh
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: feh (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug noble wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063227

Title:
  Feh crashes on double finger tapping


[Bug 1990655] Re: MIR: libgit2, http-parser

2024-04-23 Thread Mark Esler
http-parser has been deprecated [0] for llhttp [1] in libgit2 \o/

[0] https://github.com/libgit2/libgit2/issues/6074
[1] https://github.com/libgit2/libgit2/pull/6713

** Bug watch added: github.com/libgit2/libgit2/issues #6074
   https://github.com/libgit2/libgit2/issues/6074

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1990655

Title:
  MIR: libgit2, http-parser


[Bug 2063160] Re: Security Update required

2024-04-22 Thread Mark Esler
Thank you!

This was mistriaged as not affecting Ubuntu, which has been corrected:
https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=83e00d6f10a8f7a234751a97f87a62c88d0143cb

I have messaged Debian Security to track this as well.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-28184

** Information type changed from Private Security to Public Security

** Changed in: weasyprint (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063160

Title:
  Security Update required


[Bug 2063014] Re: CVE-2023-50246 and CVE-2023-50268

2024-04-22 Thread Mark Esler
** Changed in: jq (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063014

Title:
  CVE-2023-50246 and CVE-2023-50268


[Bug 2063014] Re: CVE-2023-50246 and CVE-2023-50268

2024-04-22 Thread Mark Esler
CVE-2023-50246 only affects jq >= 1.7 until 1.7.1. That issue was
introduced with cf4b48c7ba30cb30e116b523cff036ea481459f6. Mantic (23.10)
has jq version 1.6-3 and Noble (24.04) has 1.7.1-3build1. This is why
unaffected versions are labeled as "Not vulnerable (code not present)"
on https://ubuntu.com/security/CVE-2023-50246

CVE-2023-50268 has the same story. The break appears to be
680baeffeb7983e7570b5e68db07fe47f94db8c7 which was introduced in 1.7 and
fixed in 1.7.1. https://ubuntu.com/security/CVE-2023-50268


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2063014

Title:
  CVE-2023-50246 and CVE-2023-50268


[Bug 2004516] Re: [MIR] libyuv (transitive dependency of libheif)

2024-04-17 Thread Mark Esler
I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

libyuv is an open source project that includes YUV scaling and
conversion functionality.

- CVE History:
  - none
  - open bug reports are not a security concern
    - https://bugs.chromium.org/p/libyuv/issues/list
- Build-Depends?
  - googletest build depend
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - from libyuv-utils
    - ./usr/bin/yuvconstants
    - ./usr/bin/yuvconvert
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - from d/rules, it appears all tests on armel s390x powerpc ppc64 and
    sparc64 are disabled
  - on amd64, 40 disabled tests
  - 256 counts of -Wstringop-overflow in build logs due to tests
  - more bugs in test possible, see coverity section
  - rather thorough testing otherwise
- cron jobs?
  - none
- Build logs:
  - missing man pages for binaries
  - 256 counts of -Wstringop-overflow due to tests

- Processes spawned?
  - only in python, and in a script for maintaining upstream deps
    - not relevant
- Memory management?
  - tests cause string overflows with memtest
    - just a bug, not a security concern
  - see coverity section
  - moderate memcpy use outside of tests
    - looks okay
- File IO?
  - c++ fopen use appears safe
  - ignoring python upstream maintenance helper scripts
- Logging?
  - no logging outside of python
  - Python uses logging.debug and logging.error
- Environment variable usage?
  - only used for tests
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - not a concern
- Any significant Coverity results?
  - non-security bug reported
    - https://bugs.chromium.org/p/libyuv/issues/detail?id=979
  - many more non-relevant issues in tests
    - ignoring
    - upstream should improve unit tests.
  - ./tools_libyuv/ seems dangerous, but appears to only be for upstream
    maintenance
    - okay
  - unchecked return in ./util/yuconvert.cc:243
  - report of uninitialized scalar variable in ./util/yuconvert.cc seems
    difficult to trigger
  - MJpegDecoder::MJpegDecoder() does not initialize buf_vec_.pos
    - this is set early in MJpegDecoder::LoadFrame(), so probably *fine*
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
  - only in irrelevant source code maintenance scripts

This was an expedited and less thorough review.

Security team ACK for promoting foot to main.

** Changed in: libyuv (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2004516

Title:
  [MIR] libyuv (transitive dependency of libheif)


[Bug 2061750] Re: [MIR] python-s3transfer as indirect dependency of simplestreams (simplestreams -> python-boto3 -> python-s3transfer)

2024-04-17 Thread Mark Esler
** Tags added: sec-4083

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061750

Title:
  [MIR] python-s3transfer as indirect dependency of simplestreams
  (simplestreams -> python-boto3 -> python-s3transfer)


[Bug 2061751] Re: [MIR] python-botocore as indirect dependency of simplestreams (simplestreams -> python-boto3 -> python-s3transfer -> python-botocore)

2024-04-17 Thread Mark Esler
** Tags added: sec-4084

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061751

Title:
  [MIR] python-botocore as indirect dependency of simplestreams
  (simplestreams -> python-boto3 -> python-s3transfer ->
  python-botocore)


[Bug 2061217] Re: [MIR] python-boto3 as a dependency of simplestreams

2024-04-17 Thread Mark Esler
** Tags added: sec-4082

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061217

Title:
  [MIR] python-boto3 as a dependency of simplestreams


[Bug 2061924] Re: grip missing from (pre)noble (2024-04-16)

2024-04-17 Thread Mark Eichin
Thanks! That's the detail I was hoping for.  (In the meantime I found
that "pandoc --from gfm --to html" did just as good a job and swapped
over to it, so I am no longer personally concerned about the package
itself.)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061924

Title:
  grip missing from (pre)noble (2024-04-16)


[Bug 2061924] [NEW] grip missing from (pre)noble (2024-04-16)

2024-04-16 Thread Mark Eichin
Public bug reported:

$ apt-cache show grip
N: Unable to locate package grip
E: No packages found

Jammy/22.04 had grip_4.2.0-3_all.deb "Preview GitHub Markdown files like
Readme locally".  (Not the ancient gnome cd player/ripper app.)  Didn't
see any bugs here about the package being dropped.  No sources.list.d
changes (machine was installed from a pre-noble iso about half an hour
ago, full-upgrade changed nothing.)

(Looking at https://tracker.debian.org/pkg/grip it's been untouched in a
while and fell out of debian main releases; perhaps that's the cause,
though it is still in sid.  I'm just not sure why I don't see some
matching reference ubuntu-side.)

** Affects: grip (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061924

Title:
  grip missing from (pre)noble (2024-04-16)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grip/+bug/2061924/+subscriptions



[Bug 2061217] Re: [MIR] python-boto3 as a dependency of simplestreams

2024-04-16 Thread Mark Esler
Hello, the MIR process says any MIRs assigned to the security team after
the Beta Freeze deadline need to be discussed with the Director of
Security Engineering:

For a MIR to be considered for a release, it must be assigned to the
Security team (by the MIR team) before Beta Freeze. This does not
guarantee that a security review can be completed by Final Release.
Ask the director of Security for exceptions.

https://github.com/canonical/ubuntu-mir?tab=readme-ov-file#security-reviews

Please find a few minutes on Alex Burrage's calendar and schedule
a meeting.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061217

Title:
  [MIR] python-boto3 as a dependency of simplestreams

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-boto3/+bug/2061217/+subscriptions



Re: [Bug 1875062] Re: [20.04] Keyboard layout changes during installation before typing username/password

2024-04-15 Thread Mark Smith
Dag,

Can you confirm you mean 24.04 and not 22.04, please?

On Mon, 15 Apr 2024 at 17:25, Dag Bjerkeli <1875...@bugs.launchpad.net>
wrote:

> I've just tested this, and can confirm that there is a bug regarding
> keyboard layout in 22.04 beta. As this time the error also appears when
> you select the keyboard initially it could be a new error.
>
> I also have a preview image of 22.04 dated March 27th that does not have
> the error, even after updated installer.
>
>
> ** Attachment added: "Entering æøå after selecting Norwegian keyboard does
> not show correct keys"
>
> https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1875062/+attachment/5765721/+files/not%20norwegian%20in%20install.png
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1875062
>
> Title:
>   [20.04] Keyboard layout changes during installation before typing
>   username/password
>
> Status in Release Notes for Ubuntu:
>   Fix Released
> Status in ubiquity package in Ubuntu:
>   Fix Released
> Status in ubiquity source package in Focal:
>   Triaged
> Status in ubiquity source package in Hirsute:
>   Won't Fix
>
> Bug description:
>   During a fresh install of Ubuntu 20.04, selecting Norwegian keyboard
>   is provided and keys are responding correctly at that stage. But later
>   when entering user information the keyboard setting is wrong.
>
>   It looks like it has fallen back to the English keyboard layout.
>   I failed to log in after my first install, so on a new attempt I tried to
> write some special letters in the name field, and noticed that I got the
> wrong characters for the key.
>
>   The install is done in VMware workstation 15.
>
>   In the attached screendump, the characters (';[":{) after my name
>   should have been (æøåÆØÅ), that is, Norwegian characters.
>
>   Problem analysis
>   ================
>
>   * ubiquity installs open-vm-tools.
>   * open-vm-tools calls "udevadm trigger" in its postinst script (line 8).
>   * udevadm triggers all udev rules which includes all input devices.
>   * gdm-x-session reads /etc/default/keyboard and sets the keyboard layout.
>   * gnome-shell sets the keyboard layout as well.
>
>   ubiquity already sets /etc/default/keyboard, but does not change the
>   keyboard layout in the GNOME session.
>
>   Proposed solution
>   =================
>
>   Let ubiquity also configure the GNOME session to use the selected
>   keyboard layout.
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 20.04
>   Package: ubiquity (not installed)
>   ProcVersionSignature: Ubuntu 5.4.0-26.30-generic 5.4.30
>   Uname: Linux 5.4.0-26-generic x86_64
>   ApportVersion: 2.20.11-0ubuntu27
>   Architecture: amd64
>   CasperMD5CheckResult: skip
>   CurrentDesktop: ubuntu:GNOME
>   Date: Sat Apr 25 19:27:41 2020
>   InstallCmdLine: file=/cdrom/preseed/ubuntu.seed initrd=/casper/initrd
> quiet splash --- maybe-ubiquity
>   InstallationDate: Installed on 2020-04-25 (0 days ago)
>   InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64
> (20200423)
>   SourcePackage: ubiquity
>   Symptom: installer
>   UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu-release-notes/+bug/1875062/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1875062

Title:
  [20.04] Keyboard layout changes during installation before typing
  username/password

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1875062/+subscriptions



[Bug 1875062] Re: [20.04] Keyboard layout changes during installation before typing username/password

2024-04-13 Thread Mark Smith
Hi guys,

I'm sorry to say that this bug is back in 24.04 Beta.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1875062

Title:
  [20.04] Keyboard layout changes during installation before typing
  username/password

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1875062/+subscriptions



[Bug 2060564] Re: miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-12 Thread Mark Esler
There is a strong chance that
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/1893934 is
related to the incomplete CVE-2019-14318 patch regression.

I plan to propose an SRU to effectively downgrade this regressed package
to 5.6.4-8.

Please see https://github.com/weidai11/cryptopp/issues/1269 for more
details.

** Bug watch added: github.com/weidai11/cryptopp/issues #1269
   https://github.com/weidai11/cryptopp/issues/1269

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060564

Title:
  miscomputation of ECP::ScalarMultiply() using 5.6.4-9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2060564/+subscriptions



[Bug 2004516] Re: [MIR] libyuv (transitive dependency of libheif)

2024-04-11 Thread Mark Esler
When is Security review absolutely needed by? Is April 17th, the day
before Final Freeze, okay? Would that give Foundations enough time to
promote to main?

There may not be enough time for Security to complete a review by Final
Freeze, but we are looking for someone to take this asap.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2004516

Title:
  [MIR] libyuv (transitive dependency of libheif)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libyuv/+bug/2004516/+subscriptions



[Bug 2030880] Re: [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

2024-04-10 Thread Mark Esler
Setting to In Progress per
https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971/comments/28

** Changed in: libemail-mime-perl (Ubuntu)
   Status: Won't Fix => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2030880

Title:
  [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880/+subscriptions



[Bug 2004516] Re: [MIR] libyuv (transitive dependency of libheif)

2024-04-09 Thread Mark Esler
** Tags added: sec-4053

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2004516

Title:
  [MIR] libyuv (transitive dependency of libheif)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libyuv/+bug/2004516/+subscriptions



[Bug 2060035] Re: [MIR] msgraph

2024-04-09 Thread Mark Esler
** Tags added: sec-4054

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060035

Title:
  [MIR] msgraph

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/msgraph/+bug/2060035/+subscriptions



[Bug 2060564] Re: miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-08 Thread Mark Esler
Debian `libcrypto++` 5.6.4-9 introduced a security patch for
CVE-2019-14318.

According to a post in 2019,
https://github.com/weidai11/cryptopp/issues/869, the CVE-2019-14318
patch for 5.6.4 was incomplete. A comment in a later 2020 issue mentions
that the 2019 8.3 patch was broken:
https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981

Debian's 5.6.4-9 uses the 2019 patch which likely contains a regression.
It does not appear that a fully working fix for CVE-2019-14318 in 5.6.4
was made.

** Bug watch added: github.com/weidai11/cryptopp/issues #869
   https://github.com/weidai11/cryptopp/issues/869

** Bug watch added: github.com/weidai11/cryptopp/issues #994
   https://github.com/weidai11/cryptopp/issues/994

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14318

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060564

Title:
  miscomputation of ECP::ScalarMultiply() using 5.6.4-9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2060564/+subscriptions



[Bug 2060564] Re: miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-08 Thread Mark Esler
With fresh amd64 VMs using the latest Ubuntu point releases, I was able
to reproduce your report on Ubuntu Focal 20.04.06 (`libcrypto++` version
5.6.4-9build1). Both Bionic 18.04.06 (`libcrypto++` version 5.6.4-8) and
Jammy 22.04.04 (`libcrypto++` version 8.6.0-2ubuntu1) had the expected
result.

Also on Ubuntu Focal 20.04.04, I installed [Debian's `libcrypto++`
version
5.6.4-9](https://snapshot.debian.org/package/libcrypto++/5.6.4-9/)
directly. This version also has the error. Debian's `libcrypto++`
version immediately prior
[5.6.4-8](https://snapshot.debian.org/package/libcrypto++/5.6.4-8/) is
not affected. The Debian version afterwards,
[5.6.4-10](https://snapshot.debian.org/package/libcrypto++/5.6.4-10/),
is affected, but
[6.1.0-1](https://snapshot.debian.org/package/libcrypto++/6.1.0-1/) is
not.

So, the issue is only known to affect packages based on Debian
`libcrypto++` 5.6.4-9 and 5.6.4-10.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060564

Title:
  miscomputation of ECP::ScalarMultiply() using 5.6.4-9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2060564/+subscriptions



[Bug 2060564] [NEW] miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-08 Thread Mark Esler
*** This bug is a security vulnerability ***

Public security bug reported:

This issue was reported to the Security team over email and originally
posted to https://github.com/weidai11/cryptopp/issues/1269

> I typically never use Crypto++, but I had to yesterday, and I then 
> experienced a strange behavior that I felt I had to somehow report. Having 
> read your [security 
> policy](https://github.com/weidai11/cryptopp/security/policy), I decided that 
> the appropriate course of action was to open an issue here.
>
> ### Background
> 
> I used the default Crypto++ package provided by [Ubuntu 20.04.6 LTS (Focal 
> Fossa)](https://releases.ubuntu.com/focal/) running on a computer with a 
> 64-bit Intel CPU.
> 
> More specifically, Crypto++ was installed on the machine via `apt` as follows:
> 
> ```
> $ sudo apt update && sudo apt upgrade
> (..)
> $ sudo apt install libcrypto++-dev 
> (..)
> libcrypto++-dev is already the newest version (5.6.4-9build1).
> ```
> 
> The package version 5.6.4 leads me to think that it installs the (old) v5.6.4 
> release of Crypto++ from [this GitHub 
> repository](https://github.com/weidai11/cryptopp), although it is not 
> entirely clear from the metadata for the package.
> ### The issue
> 
> When using Crypto++ as provided by the above package, it seems 
> `ECP::ScalarMultiply()` may miscompute. Specifically, it seems to miscompute 
> if the scalar is on [2, 32), i.e. of bit length less than or equal to 5. This 
> would appear to be related to the difference in behavior induced by the 
> branching on [this 
> line](https://github.com/weidai11/cryptopp/blob/782057f5f18fbdad2bd2b291fb1ec558a8ab8225/ecp.cpp#L387)
>  in the source code for Crypto++.
> 
> To exemplify, I obtain the below result:
> 
> ```
> Q1.x = 
> 33306590390930540189669946118275349837741820479536661896440526521039379673897.
> Q1.y = 
> 51671163428562425671907826722938384860953039014408454870632045822359784767650.
> 
> >> Q1 is *NOT* as expected.
> >> Q1 is *NOT* on E.
> 
> Q2.x = 
> 33898744863829483362161709717034397769364896634277352921440311777960767108802.
> Q2.y = 
> 23483645583050324501141112153509270605088748325709409281081826839369927198174.
> 
> >> Q2 is as expected.
> >> Q2 is on E.
> 
> >> T1 is equal to T2 for d = 1.
> >> T1 is *NOT* equal to T2 for d = 2.
> >> T1 is *NOT* equal to T2 for d = 3.
> >> T1 is *NOT* equal to T2 for d = 4.
> >> T1 is *NOT* equal to T2 for d = 5.
> >> T1 is *NOT* equal to T2 for d = 6.
> >> T1 is *NOT* equal to T2 for d = 7.
> >> T1 is *NOT* equal to T2 for d = 8.
> >> T1 is *NOT* equal to T2 for d = 9.
> >> T1 is *NOT* equal to T2 for d = 10.
> >> T1 is *NOT* equal to T2 for d = 11.
> >> T1 is *NOT* equal to T2 for d = 12.
> >> T1 is *NOT* equal to T2 for d = 13.
> >> T1 is *NOT* equal to T2 for d = 14.
> >> T1 is *NOT* equal to T2 for d = 15.
> >> T1 is *NOT* equal to T2 for d = 16.
> >> T1 is *NOT* equal to T2 for d = 17.
> >> T1 is *NOT* equal to T2 for d = 18.
> >> T1 is *NOT* equal to T2 for d = 19.
> >> T1 is *NOT* equal to T2 for d = 20.
> >> T1 is *NOT* equal to T2 for d = 21.
> >> T1 is *NOT* equal to T2 for d = 22.
> >> T1 is *NOT* equal to T2 for d = 23.
> >> T1 is *NOT* equal to T2 for d = 24.
> >> T1 is *NOT* equal to T2 for d = 25.
> >> T1 is *NOT* equal to T2 for d = 26.
> >> T1 is *NOT* equal to T2 for d = 27.
> >> T1 is *NOT* equal to T2 for d = 28.
> >> T1 is *NOT* equal to T2 for d = 29.
> >> T1 is *NOT* equal to T2 for d = 30.
> >> T1 is *NOT* equal to T2 for d = 31.
> >> T1 is equal to T2 for d = 32.
> >> T1 is equal to T2 for d = 33.
> >> T1 is equal to T2 for d = 34.
> 
> >> T1 is equal to T2 for d = 
> >> 4838386420901692723041175965060989195194280026704430236348655611663611748562.
> ```
> 
> The source code in `main.cpp` is as follows:
> 
> ```c++
> #include <iostream>
> 
> using std::cout;
> using std::endl;
> 
> #include "cryptopp/ecp.h"
> 
> using CryptoPP::Integer;
> using CryptoPP::ECPPoint;
> using CryptoPP::ECP;
> 
> int main() {
>   const Integer 
> p("68563679381982577622739666783671143994995151030968464702867583019834252739659");
> 
>   const Integer 
> a("38340410290425650555291103033366954895786709470949111520317038818740559472271");
>   const Integer 
> b("61862461829344747002414367293848044144907923329445405487651446734863421214369");
> 
>   const ECP E = ECP(p, a, b);
> 
>   const Integer 
> q("17140919845495644405684916695917785998672015991198074381415721324869292128811");
> 
>   /* Note: The curve E has order r = 2^2 * q where q is prime. */
> 
>   const Integer 
> x("49783729659862894673603312242618433622969024866008586212478256625771510792958");
>   const Integer 
> y("18916745246771588809190938755787142016135405279727789454979776401687407939506");
> 
>   const ECPPoint P = ECP::Point(x, y);
> 
>   /* Note: The point P is on E and of order r so it generates all of E. */
> 
>   /* Note: Let us now compute the point Q = [4] P of prime order q. */
> 
>   const Integer 
> 
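
The consistency check the report relies on (is the result on E, and do two independent computations agree for each scalar d), as an added example that is not part of the original report or of Crypto++. It uses a constructed textbook-sized curve rather than the report's 256-bit parameters, and `faulty_mul` is a hypothetical stand-in that is wrong for scalars in [2, 32), not the library's code.

```python
"""Cross-check an EC scalar multiplication against an independent reference."""

# Constructed toy curve (NOT the 256-bit curve from the report):
# E: y^2 = x^3 + 2x + 2 over GF(17); G = (5, 1) has prime order 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies the curve equation (infinity counts as on E)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine addition on E, handling infinity, inverses and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    s %= P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def reference_mul(d, pt):
    """Reference: d-fold repeated addition (slow, no window or branch logic)."""
    acc = INF
    for _ in range(d):
        acc = add(acc, pt)
    return acc


def double_and_add(d, pt):
    """Plain left-to-right binary scalar multiplication."""
    acc = INF
    for bit in bin(d)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def faulty_mul(d, pt):
    """Hypothetical regressed implementation: wrong for scalars in [2, 32)."""
    good = double_and_add(d, pt)
    if 2 <= d < 32:
        if good is INF:
            return pt                      # simulated wrong result
        x, y = good
        return ((x + 1) % P_MOD, y)        # simulated corrupted coordinate
    return good


def check_scalar_mul(mul, pt, scalars):
    """Return {d: reason} for every scalar where `mul` fails a check."""
    failures = {}
    for d in scalars:
        got = mul(d, pt)
        if not on_curve(got):
            failures[d] = "off-curve"
        elif got != reference_mul(d, pt):
            failures[d] = "mismatch"
    return failures


if __name__ == "__main__":
    for name, impl in (("double_and_add", double_and_add),
                       ("faulty_mul", faulty_mul)):
        bad = check_scalar_mul(impl, G, range(1, 35))
        print(f"{name}: {len(bad)} failing scalars {sorted(bad)}")
```

The on-curve test alone catches most corrupted results cheaply; the comparison against a second, structurally different computation catches wrong results that still happen to lie on the curve.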

[Bug 2054127] Re: grub-efi crashes upon `exit`

2024-04-06 Thread Mark Esler
A fix has been released to Noble proposed and the CVE has been
published.

https://launchpad.net/ubuntu/+source/grub2/2.12-1ubuntu7

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2054127

Title:
  grub-efi crashes upon `exit`

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127/+subscriptions



[Bug 2048781] Re: [MIR] authd

2024-03-27 Thread Mark Esler
I believe this issue can be set to In Progress and is ready for
promotion to main.

@didrocks, @slyon: please ping me if anything is needed from Security.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2048781

Title:
  [MIR] authd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/authd/+bug/2048781/+subscriptions



[Bug 2048781] Re: [MIR] authd

2024-03-27 Thread Mark Esler
I am posting this Security MIR on behalf of Sudhakar Verma (@sudhackar)
since he is out of the office.

---

I reviewed authd 0.2.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. 

authd is a service that builds cloud based authentication and MFA from clouds
such as Open ID connect or Microsoft Azure / Entra ID. This is also a
framework that will help create authentication broker services.

- CVE History
  - no CVE found
- Build-Depends
  - pam related libraries
    - libpam0g-dev
  - language runtimes
    - golang-go
    - dh-cargo
  - jq
  - protobuf-compiler
- pre/post inst/rm scripts
  - add/remove authd to /etc/nsswitch.conf
- init scripts
  - No
- systemd units
  - Creates 'authd.service' - which is expected since this is a service to
    manage the authentication with a daemon
- dbus services
  - No
- setuid binaries
  - No
- binaries in PATH
  - /usr/sbin/authd
- sudo fragments
  - No
- polkit files
  - No
- udev rules
  - No
- unit tests / autopkgtests
  - unit tests and autopkgtests are there and working quite fine
- cron jobs
  - No
- Build logs
  - some warnings from tests and autopkgtests but nothing major

- Processes spawned
  - gpasswd is spawned to manage user - groups associations. The path seems to
    be hardcoded
- Memory management
  - code is mostly go - some glue for handling native libs in rust and C
    but no problems seen there. The tests cover the cases well.
- File IO
  - the daemon relies on a database file, config files and files related to
    user accounts - like /etc/group. The config files could be based in user's
    home, /etc - nothing concerning. Seems safe.
- Logging
  - logrus is used - under vendor. Seems safe.
- Environment variable usage
  - Used to enable debugging, PAM specific glue, DBUS etc. Seems safe.
- Use of privileged functions
  - No
- Use of cryptography / random number sources etc
  - RNG - uses crypto/rand from stdlib which is a CSPRNG. Seems safe.
  - Cryptography - Uses RSA from crypto/rsa - PKCS #1 and RFC 8017 for PAM
    side encryption. Seems safe.
  - Hashing - Only uses sha512 from crypto/sha512. Seems safe.
- Use of temp files
  - only while testing. Seems safe.
- Use of networking
  - All networking is done through unix sockets within PAM. Seems safe.
- Use of WebKit
  - No.
- Use of PolicyKit
  - No.

- Any significant cppcheck results
  - No
- Any significant Coverity results
  - No
- Any significant shellcheck results
  - No. authd only has scripts which are used during building.
- Any significant bandit results
  - No
- Any significant govulncheck results
  - No
- Any significant Semgrep results
  - go.grpc.security.grpc-server-insecure-connection
    - The connection is through a unix socket, so it's only accessible locally
      and is within PAM, so we are protected by the pam stack as well.
  - go.lang.security.audit.dangerous-exec-command
    - The command is static - 'gpasswd' as defined in defaultOptions,
      so this is an FP.

authd is a daemon that implements managing user authentication and related
services like MFA. It can be used to integrate with different auth providers
with our own brokers by exposing a dbus interface. It maintains a database
at runtime locally to handle user accounts. It also exposes NSS and PAM
services over grpc.

What this basically means is - authd is a complex project that talks to various
services and exposes a few of its own - it's stateful and is a daemon. It also
handles authentication - one of the key foundations to security of a system.
However the project looks good in terms of maintainability. There are plenty
of integration, unit and end to end tests. The project is well documented, and
is well maintained. The history looks clean and the maintainers are easy to
approach and talk to.

Security team ACK for promoting authd to main.


** Changed in: authd (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2048781

Title:
  [MIR] authd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/authd/+bug/2048781/+subscriptions



[Bug 2051850] Re: [MIR] trace-cmd

2024-03-26 Thread Mark Esler
I reviewed trace-cmd 3.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> TRACE-CMD: The front-end application to Ftrace. The back-end
> application to KernelShark.

- CVE History
  - none
- Build-Depends
  - most are for docs
  - libtrace* mirs are ack'd
  - note the d/control suggestion for installing kernelshark
    - trace-cmd is the backend for kernelshark
    - https://git.kernel.org/pub/scm/utils/trace-cmd/kernel-shark.git/
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - root owned ./usr/bin/trace-cmd
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- cron jobs
  - none
- unit tests / autopkgtests
  - needs tests, see MIR team's requirements
- Build logs
  - -Walloc-size-larger-than=
  - -Wformat-overflow=
  - -Wunused-result
  - please do not use in production environments

- Processes spawned
  - moderate use, as expected by nature of program
  - root user privileges are expected when using this tool
  - checked uses and attempts looks okay
  - in traceinput.c, regexec() is controlled by root unprivileged user
  - note that arbitrary commands can be specified to run based on tracing
    triggers
- Memory management
  - extremely heavy use
  - this code is unlikely safe to be used in production. this is meant for
    development.
    - we should never suggest usecases that input is untrusted
      - e.g., network traffic from untrusted sources
- File IO
  - heavy use
- Logging
  - some use of tracecmd_debug(), mostly perror()
- Environment variable usage
  - TRACECMD_PLUGIN_DIR, HOME, USER, LOGNAME, PATH
  - mostly used to run commands as another user
- Use of privileged functions
  - setuid, setgid, ioctl, initgroups
  - used to run arbitrary commands as an arbitrary user by record_trace_command()
  - ioctl used to get the local context id of a vm socket
    - hardcoded to use Linux Kernel constant 0x7b9 +1
    - see https://github.com/mdlayher/vsock/blob/main/fd_linux.go and past
      ioctl_linux.go iteration
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - safe use of mkstemp
- Use of networking
  - yes, heavy socket use
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck and Coverity results
  - many results, most are likely false-positives
  - potential memory leaks caused by jumps
  - treating these as bugs in a _development tool_
    - this is not meant for _production_
  - checked OOB reports are false-positives
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
  - noisy rule complains about strtok v. strtok_r
    - see tracecmd/trace-cmd.c:53
    - proper use is understood

Security is content to review this as a _development tool_. Extreme
caution should be taken if used in production.

Security team ACK for promoting trace-cmd to main.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2051850

Title:
  [MIR] trace-cmd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/trace-cmd/+bug/2051850/+subscriptions



[Bug 2051916] Re: [MIR] promote libtraceevent as a trace-cmd dependency

2024-03-26 Thread Mark Esler
I reviewed libtraceevent 1:1.8.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> libtraceevent - Linux kernel trace event library

- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - most dependencies are for building documentation
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- cron jobs?
  - none
- unit tests / autopkgtests?
  - in progress by owning team
- Build logs:
  - missing MAN pages
    - documentation warnings make build logs noisy
  - W: libtraceevent source: build-depends-on-obsolete-package Build-Depends:
    pkg-config => pkgconf

- Processes spawned?
  - ./src/parse-filter.c runs regexec
    - this is a library, secure implementation depends on downstream projects
- Memory management?
  - heavy use
    - care seems to be taken
    - as a root process, bugs are unlikely to cause vulnerabilities
    - this is a library, secure implementation depends on downstream projects
- File IO?
  - load_plugin() from ./src/event-plugin.c use dlopen
    - security depends on how downstream projects load plugins
    - assume plugins are root
- Logging?
  - contains error handling messages
  - mostly in ./src/parse-filter.c
- Environment variable usage?
  - TRACEEVENT_PLUGIN_DIR
  - HOME
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - minimal use in ./src/event-parse.c
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck and Coverity results?
  - false positives
    - these looked relevant at first glance, but not after analysis
- Any significant shellcheck results?
  - none, all reports are for manpages/tests/building
- Any significant bandit results?
  - none

Security team ACK for promoting libtraceevent to main.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2051916

Title:
  [MIR] promote libtraceevent as a trace-cmd dependency

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916/+subscriptions



[Bug 2030880] Re: [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

2024-03-25 Thread Mark Esler
Per MIR Team's #3 requirement, the described issue was patched on May
20th 2020 (although the GH bug remains open). There are three commits: a
fix, a test, and documentation. These landed in upstream version 1.947.

Please see
https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2019041975

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2030880

Title:
  [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libemail-mime-perl/+bug/2030880/+subscriptions



[Bug 2059048] [NEW] adduser allows no password when PAM's pwquality is restrictively set

2024-03-25 Thread Mark Esler
Public bug reported:

If pam_pwquality is restrictively set a user can still be created by
adduser without a password.

e.g.,
```
eslerm@mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

eslerm@mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 5 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...

eslerm@mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:0:9:7:::
```

This was raised as an issue to the Security team. Foundations suggested
to file a bug. This is possibly only a feature request. If this behavior
is unexpected by the maintainers, it is likely a security issue. I am
leaning towards this being a feature request and not marking the bug for
Public/Private Security.

** Affects: adduser (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059048

Title:
  adduser allows no password when PAM's pwquality is restrictively set


[Bug 2059049] [NEW] adduser allows no password when PAM's pwquality is restrictively set

2024-03-25 Thread Mark Esler
Public bug reported:

If pam_pwquality is restrictively set a user can still be created by
adduser without a password.

e.g.,
```
eslerm@mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

eslerm@mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 5 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...

eslerm@mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:0:9:7:::
```

This was raised as an issue to the Security team. Foundations suggested
to file a bug. This is possibly only a feature request. If this behavior
is unexpected by the maintainers, it is likely a security issue. I am
leaning towards this being a feature request and not marking the bug for
Public/Private Security.

** Affects: adduser (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059049

Title:
  adduser allows no password when PAM's pwquality is restrictively set
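
What the `bar:!:...` entry in the report above (filed as both bug 2059048 and bug 2059049) means for login can be checked mechanically. This added example, which is not code from adduser or from the reporter, classifies the password field of shadow-format lines as described in shadow(5); the function names and every sample line except the `bar` entry are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pw_state {
    PW_MALFORMED,   /* fewer than two ':'-separated fields, or empty name */
    PW_EMPTY,       /* ""        : no password is required for this name   */
    PW_NO_LOGIN,    /* "!", "*"  : no hash stored, password login disabled */
    PW_LOCKED_HASH, /* "!<hash>" : a hash exists but is locked             */
    PW_HASH         /* anything else; normally a crypt(3) hash             */
};

static const char *state_name(enum pw_state s)
{
    static const char *const names[] = {
        "malformed", "EMPTY (no password required)",
        "no password set, password login disabled",
        "locked hash", "hash present"
    };
    return names[s];
}

/* Copies the login name into `user` and classifies the second field. */
static enum pw_state classify_shadow_line(const char *line, char *user,
                                          size_t user_len)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    const char *pw;
    size_t ulen, plen, bangs = 0, rest;

    if (!c1 || !c2 || c1 == line)
        return PW_MALFORMED;
    ulen = (size_t)(c1 - line);
    if (ulen >= user_len)
        return PW_MALFORMED;
    memcpy(user, line, ulen);
    user[ulen] = '\0';

    pw = c1 + 1;
    plen = (size_t)(c2 - pw);
    if (plen == 0)
        return PW_EMPTY;
    while (bangs < plen && pw[bangs] == '!')   /* leading '!' marks a lock */
        bangs++;
    rest = plen - bangs;
    if (rest == 0 || (rest == 1 && pw[bangs] == '*'))
        return PW_NO_LOGIN;
    return bangs ? PW_LOCKED_HASH : PW_HASH;
}

/* First line is the entry quoted in the report; the rest are constructed. */
static const char *const SAMPLE[] = {
    "bar:!:19802:0:9:7:::",
    "alice:$y$j9T$constructedsalt$constructedhash:19800:0:99999:7:::",
    "svc::19800:0:99999:7:::",
    "old:!$6$constructedsalt$constructedhash:19800:0:99999:7:::",
    "daemon:*:19800:0:99999:7:::",
    "truncated-line",
};
#define SAMPLE_COUNT (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

static size_t count_state(const char *const *lines, size_t n,
                          enum pw_state want)
{
    char user[64];
    size_t i, hits = 0;

    for (i = 0; i < n; i++)
        if (classify_shadow_line(lines[i], user, sizeof(user)) == want)
            hits++;
    return hits;
}

int main(void)
{
    char user[64];
    size_t i;

    for (i = 0; i < SAMPLE_COUNT; i++) {
        enum pw_state s = classify_shadow_line(SAMPLE[i], user, sizeof(user));
        printf("%-10s %s\n", s == PW_MALFORMED ? "?" : user, state_name(s));
    }
    return 0;
}
```

An audit that cares about accounts created without a usable password would report the `PW_NO_LOGIN` rows, and treat `PW_EMPTY` rows as the more urgent finding.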


[Bug 2054480] Re: [MIR] nbd-client

2024-03-25 Thread Mark Esler
Thanks Wouter

It appears nbd-client existed in main at some point
http://old-releases.ubuntu.com/ubuntu/pool/main/n/nbd/ (thanks Seth).

Between this MIR and tree's LP#2056099 I am concerned that Security is
being bypassed as NN approaches. That's not to say anything is wrong
with how nbd-client uses ioctl, but we haven't looked. Security is not
asking to review this for NN, just flagging for MIR Team discussion.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2054480

Title:
  [MIR] nbd-client


[Bug 2056099] Re: [MIR] tree

2024-03-25 Thread Mark Esler
Security is not asking to review this for NN, but this might have odd
code.

```
/* Should probably use strdup(), but we like our xmalloc() */
#define scopy(x) strcpy(xmalloc(strlen(x)+1),(x))
```

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056099

Title:
  [MIR] tree


[Bug 2054480] Re: [MIR] nbd-client

2024-03-22 Thread Mark Esler
Was -server code ever reviewed by a MIR?

The client contains many ioctl calls.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2054480

Title:
  [MIR] nbd-client


[Bug 2037082] Re: UBSAN: array-index-out-of-bounds with kernel 6.5 on Mantic

2024-03-22 Thread Mark Kendall
I had this problem with Ubuntu 24.04 with VirtualBox 7.0.14-dfsg-4 on my
computer.
Fixed it for now by installing Oracle test 7.0.15 test build
https://www.virtualbox.org/download/testcase/VirtualBox-7.0.15-162366-Linux_amd64.run
from https://www.virtualbox.org/wiki/Testbuilds

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2037082

Title:
  UBSAN: array-index-out-of-bounds with kernel 6.5 on Mantic


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-18 Thread Mark Esler
There are unnecessary crates being vendored. I filed an upstream issue:
https://gitlab.gnome.org/GNOME/snapshot/-/issues/137

This causes a bandwidth strain on mirrors or wherever the source package
is needed.

To be clear, this is not a Security issue and does not impact Security's
review (since owning team is responsible for maintaining security of
vendored packages). This pattern has been raised as a MIR issue:
https://github.com/canonical/ubuntu-mir/issues/51

** Bug watch added: gitlab.gnome.org/GNOME/snapshot/-/issues #137
   https://gitlab.gnome.org/GNOME/snapshot/-/issues/137

** Bug watch added: github.com/canonical/ubuntu-mir/issues #51
   https://github.com/canonical/ubuntu-mir/issues/51

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052652

Title:
  [MIR] gnome-snapshot


[Bug 1977614] Re: [MIR] fdk-aac-free

2024-03-15 Thread Mark Esler
The upstream chain for fdk-aac-free is precarious.

The Debian package fdk-aac-free watches
https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/ This version
specifically removes the HE (High Efficiency) and HEv2 profiles which
have patent concerns (see README.fedora).

This version does not regularly sync from upstream:
https://sourceforge.net/projects/opencore-amr/ Note that
https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's code
distributed on https://android.googlesource.com/platform/external/aac

Jorge has reported a potential vulnerability to
https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's VRP.
Android responded saying that they require a PoC and directed Jorge to
https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs

fdk-aac-free is not being maintained by syncing with upstream which may
contain security patches. Reporting issues about fdk-aac has so far been
fruitless.

Security could conclude our MIR now, but I suggest that fdk-aac-free is
reviewed next cycle if the owning team plans to work with fdk-aac-free.
Note that Fedora is also invested in fdk-aac-free and may share concerns
if made aware.


Side note: iiuc, the advantage of fdk-aac is that it works well on low resource 
systems, like cell phones and possibly for remote desktop. This advantage may 
not exist if HE profiles are stripped. If that is the case, there are aac 
alternatives.

** Bug watch added: github.com/mstorsjo/fdk-aac/issues #167
   https://github.com/mstorsjo/fdk-aac/issues/167

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1977614

Title:
  [MIR] fdk-aac-free


[Bug 2015538] Re: [MIR] dbus-broker

2024-03-15 Thread Mark Esler
Thank you @seb128. I was asked to get your feedback before completing
the Security review. Get well soon!

Security team ACK for promoting dbus-broker to main, under the condition
that src:dbus' binary packages are split as described by @paelzer in
comment #19.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2015538

Title:
  [MIR] dbus-broker


[Bug 2052809] Re: [MIR] bpftrace

2024-03-15 Thread Mark Esler
I reviewed bpftrace 0.20.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> bpftrace is a high-level tracing language for Linux enhanced Berkeley
> Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace
> uses LLVM as a backend to compile scripts to BPF-bytecode and makes use
> of BCC for interacting with the Linux BPF system, as well as existing
> Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level
> dynamic tracing (uprobes), and tracepoints. The bpftrace language is
> inspired by awk and C, and predecessor tracers such as DTrace and
> SystemTap. bpftrace was created by Alastair Robertson.

- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - except what MIR Team mentions (libcereal-dev)
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/bpftrace
  - ./usr/bin/bpftrace-aotrt
  - ./usr/sbin/*.bt
    - these are bpftrace tools/examples
    - they are based on bcc code included in bpfcc-tools
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - none !
  - the ./usr/sbin/*.bt files would make excellent test cases though !
- cron jobs?
  - none
- Build logs:
  - warning building bpftrace(8) man page
  - other binaries missing man pages
  - -Wmaybe-uninitialized
  - source: superfluous-file-pattern

- Processes spawned?
  - can run modprobe kheaders
  - exec rm -rf temp dir
  - execve and exec_system expected for tracing
  - ./src/bpftrace.cpp line 666 o.o
- Memory management?
  - relatively light, mostly sprintf and memcpy
  - see comments in bpftrace.cpp's perf_event_printer()
    - memory use is carefully thought out
- File IO?
  - opens /sys/kernel/kheaders.tar.xz (module must be loaded)
  - files, descriptors, pipes, and pcap used for tracing
- Logging?
  - extremely heavy use, as expected for tracing
- Environment variable usage?
  - mostly BPFTRACE_ variables
- Use of privileged functions?
  - ./src/attached_probe.cpp uses ioctl twice
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - yes, to load kheaders
    - temp path is predictable, `// already unpacked`
    - potentially, an unprivileged attacker could exploit this when a root
      user runs bpftrace and loads Kernel Headers
    - Resolved quickly by upstream! CVE-2024-2313
- Use of networking?
  - moderate use
  - potential danger for crafted input
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none, besides tests and scripts
- Any significant Coverity results?
  - appear to be false positives
- Any significant shellcheck results?
  - none, besides tests, scripts, and CI
- Any significant bandit results?
  - none

Running bpftrace without root privilege results in 'ERROR: bpftrace
currently only supports running as the root user.' :)

In most cases a bug in bpftrace will not cause a loss of security; root
already has complete control. Giving access to bpftrace to an
unprivileged user, telnet, etc would not be a vulnerability in bpftrace.
Running dangerous BPF code is not the fault of bpftrace. Attacks based
on parsing untrusted data, such as network traffic, are a threat. This
package is for performing inherently dangerous wizardry. This review
expects that developers will want to use these tools and that system
administrators will make wise choices.

Binaries from bpfcc-tools, libbpfcc, and bpftrace have redundant functions.
Please consider which binaries should be made default. In particular, most
bpftrace binaries are merely examples.

CONFIG_IKHEADERS=m is already available \o/

Recent breaking change to `args` in v19.0 (Noble has 20.1, Jammy has
14.0). https://github.com/bpftrace/bpftrace/pull/2578

In code comments should be reviewed upstream:
`// FIXME when iovisor/bcc#2064 is merged`
 - https://github.com/bpftrace/bpftrace/issues/3061

Upstream was extraordinarily quick at addressing a potential security issue
which was reported to them \o/
 - CVE-2024-2313

Security team ACK for promoting bpftrace to main.

** Changed in: bpftrace (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052809

Title:
  [MIR] bpftrace


[Bug 2052809] Re: [MIR] bpftrace

2024-03-15 Thread Mark Esler
Assigning to Security early, so that this is not blocked for 24.04.

After Feature Freeze, if the MIR Team has requirements for a package,
but is reasonably sure that the owning-team will accomplish them, please
assign MIRs to the Security team immediately.

** Changed in: bpftrace (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Bug watch added: github.com/bpftrace/bpftrace/issues #3061
   https://github.com/bpftrace/bpftrace/issues/3061

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2313

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052809

Title:
  [MIR] bpftrace


[Bug 2052813] Re: [MIR] bpfcc

2024-03-15 Thread Mark Esler
I reviewed bpfcc 0.29.1+ds-1ubuntu2 as checked into noble.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

- CVE History
  - no CVEs tracked in UCT, initially
  - searching for "bcc" CVEs finds false-positives
- Build-Depends
  - nothing concerning
- pre/post inst/rm scripts
  - typical dh_python3 for python3-bpfcc
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - numerous. +220.
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - some added
- cron jobs
  - none
- Build logs
  - hardening-no-pie is not a concern in this case
  - manual page warnings
  - W: libbpfcc: package-name-doesnt-match-sonames libbcc-bpf0 libbcc0

- Processes spawned
  - popen use looks okay
  - system("clear") is fine
  - memleak.c uses fork, etc
- Memory management
  - extremely heavy use
  - in context, I am not concerned with occult practices in this package
- File IO
  - heavy use
- Logging
  - extremely heavy use
- Environment variable usage
  - none
- Use of privileged functions
  - Security's MIR tooling finds many false-positives
  - vmlinux headers are fine
- Use of cryptography / random number sources etc
  - none
  - vmlinux*.h sets certificate configs
- Use of temp files
  - tmp race conditions possibly allow unauthenticated users to control
    unpacked kernel headers
    - Resolved quickly by upstream! CVE-2024-2314
    - see related issue in bpftrace MIR (LP#2052809)
- Use of networking
  - heavy use
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck and Coverity results
  - bugs found (memory leaks etc), but not concerned about these being
    vulnerabilities in context
  - parsing untrusted data (e.g., network traffic) could possibly lead to
    exploitation
  - coverity.txt attached
- Any significant shellcheck results
  - not concerning
- Any significant bandit results
  - none
  - subprocess calls cannot be controlled without root access
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
  - complaints about system() and strtok excused in context

There are 986,872 loc. Security's review is limited.

As with bpftrace, these are admin tools which require root access. It is
unlikely that most bugs in bpfcc would cause a loss of security and
become a vulnerability; root already has control. Parsing untrusted data
with a root process can lead to trouble. This review expects that
developers will want to use these tools and that system administrators
will make wise choices.

Some binaries do not work out of box. This needs testing. e.g.,
/usr/sbin/tcptop-bpfcc from bpfcc-tools does not work, but
/usr/sbin/tcptop from libbpfcc does.

Binaries from bpfcc-tools, libbpfcc, and bpftrace have redundant
functions. Please consider which binaries should be made default. In
particular, most bpftrace binaries are merely examples.

The bcc snap is published by Canonical and should be updated. See
./snap/README.md

Upstream was extraordinarily quick at addressing a potential security issue 
which was reported to them \o/
 - CVE-2024-2314

Security team ACK for promoting bpfcc to main. Note that Security's ACK
is for all packages generated by the bpfcc source package, the MIR
Team's ACK may only be for a subset of binary packages.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2314

** Changed in: bpfcc (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052813

Title:
  [MIR] bpfcc
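
The temp-file findings in the bpftrace review (predictable temp path, `// already unpacked`, CVE-2024-2313) and in this bpfcc review (tmp race on unpacked kernel headers, CVE-2024-2314) share one pattern: a privileged process reuses a directory in a shared location because it exists. The following is an added example, not upstream's fix or code from either project, contrasting that check with a hardened one; all function and path names are hypothetical, and the demo trusts the current effective UID where a root-run tool would require UID 0.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: a guessable path is treated as "already unpacked" because it
 * exists. stat() follows symlinks and ignores who owns the directory. */
static int naive_already_unpacked(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Hardened reuse: open without following a final symlink, then inspect the
 * object actually opened. Returns a directory fd, or -1 unless it is a real
 * directory owned by `owner` and not writable by group or others. Callers
 * should read contents with openat() on this fd so the path is not
 * resolved a second time. */
static int open_trusted_dir(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fresh cache: mkdtemp() fills in an unpredictable suffix and creates the
 * directory with mode 0700, failing if the name already exists. */
static int make_private_dir(char *template_path)
{
    if (mkdtemp(template_path) == NULL)
        return -1;
    return open_trusted_dir(template_path, geteuid());
}

struct demo_result {            /* 1 = directory accepted for use */
    int naive_world_writable, naive_symlink;
    int hardened_world_writable, hardened_symlink, hardened_private;
    int fresh_private;
};

static int accepted(const char *path)
{
    int fd = open_trusted_dir(path, geteuid());
    if (fd >= 0)
        close(fd);
    return fd >= 0;
}

/* Builds constructed test directories under /tmp and runs both checks. */
static int run_demo(struct demo_result *r)
{
    char base[] = "/tmp/kheaders-demo-XXXXXX";
    char shared[64], priv[64], link_path[64], fresh[64];
    int fd, ok;

    memset(r, 0, sizeof(*r));
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(shared, sizeof(shared), "%s/shared", base);
    snprintf(priv, sizeof(priv), "%s/private", base);
    snprintf(link_path, sizeof(link_path), "%s/link", base);
    snprintf(fresh, sizeof(fresh), "%s/fresh-XXXXXX", base);

    ok = mkdir(shared, 0700) == 0 && chmod(shared, 0777) == 0 &&
         mkdir(priv, 0700) == 0 && chmod(priv, 0700) == 0 &&
         symlink(priv, link_path) == 0;
    if (ok) {
        r->naive_world_writable = naive_already_unpacked(shared);
        r->naive_symlink = naive_already_unpacked(link_path);
        r->hardened_world_writable = accepted(shared);
        r->hardened_symlink = accepted(link_path);
        r->hardened_private = accepted(priv);
        fd = make_private_dir(fresh);
        r->fresh_private = fd >= 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(link_path);
    rmdir(fresh); rmdir(shared); rmdir(priv); rmdir(base);
    return ok ? 0 : -1;
}

int main(void)
{
    struct demo_result r;

    if (run_demo(&r) != 0)
        return 1;
    printf("world-writable dir: naive=%d hardened=%d\n",
           r.naive_world_writable, r.hardened_world_writable);
    printf("symlink to dir:     naive=%d hardened=%d\n",
           r.naive_symlink, r.hardened_symlink);
    printf("private dir: hardened=%d fresh=%d\n",
           r.hardened_private, r.fresh_private);
    return 0;
}
```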


[Bug 2015538] Re: [MIR] dbus-broker

2024-03-14 Thread Mark Esler
@seb128, could you please review the recent discussion?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2015538

Title:
  [MIR] dbus-broker


[Bug 2024284] Re: SEGV vulnerability in command-line parser

2024-03-11 Thread Mark Esler
Apologies for not responding earlier! This slipped through my emails.

> I know Canonical is also Root CNA, why are you redirecting to another
> CNA?

Canonical is a CNA, not a Root CNA.

I don't see how an _unprivileged_ attacker could leverage this bug to be
a vulnerability. A clear proof of concept example would help demonstrate
that this bug can become an exploit.

Making issue public, since the GitHub issue is public
https://github.com/rwpenney/cryptmount/issues/1

** Bug watch added: github.com/rwpenney/cryptmount/issues #1
   https://github.com/rwpenney/cryptmount/issues/1

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2024284

Title:
  SEGV vulnerability in command-line parser


[Bug 2056495] [NEW] Ubiquity crashes a few seconds into the install process

2024-03-07 Thread Mark Dixon
Public bug reported:

I'm following the instructions at:
https://mutschler.dev/linux/ubuntu-btrfs-20-04/#create-filesystems-for-root-and-efi-system-partitions.
All goes well until I attempt to work with the installer ("ubiquity --no-bootloader" command).
I can select language (English), keyboard (English) and TZ.
When I begin to fill out my user and machine information, ubiquity crashes.
In looking at the crash report, it seems casper is seeing some invalid stdin input.
I've double-checked the editing of /usr/lib/partman/mount.d/70btrfs and
/usr/lib/partman/fstab.d/btrfs and all looks good. The only change I made was
to not use the "noatime" parameter in the above edits.

I'm using Ubuntu desktop 22.04.4 from a USB stick to attempt the
installation.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubiquity 22.04.20 [modified: lib/partman/fstab.d/btrfs lib/partman/mount.d/70btrfs]
ProcVersionSignature: Ubuntu 6.5.0-18.18~22.04.1-generic 6.5.8
Uname: Linux 6.5.0-18-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.470.2
CurrentDesktop: MATE
Date: Thu Mar  7 17:00:17 2024
InstallCmdLine: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/ubuntu-mate.seed maybe-ubiquity quiet splash ---
LiveMediaBuild: Ubuntu-MATE 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240216.1)
SourcePackage: ubiquity
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: ubiquity (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug jammy ubiquity-22.04.20 ubuntu-mate

** Attachment added: "partman"
   https://bugs.launchpad.net/bugs/2056495/+attachment/5753914/+files/partman

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2056495

Title:
  Ubiquity crashes a few seconds into the install process


[Bug 1231178] Re: Altec Lansing speakers remote control not working

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1231178

Title:
  Altec Lansing speakers remote control not working


[Bug 927225] Re: Yukon Optima 88E8059 fails to come up as a network interface when system is powered on without AC or network cable

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/927225

Title:
  Yukon Optima 88E8059 fails to come up as a network interface when
  system is powered on without AC or network cable


[Bug 1884207] Re: Wifi Enterprice Login Page does not appear at connect

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884207

Title:
  Wifi Enterprice Login Page does not appear at connect


[Bug 1696859] Re: package linux-image-4.10.0-22-generic (not installed) failed to install/upgrade: subprocess new pre-installation script returned error exit status 128

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1696859

Title:
  package linux-image-4.10.0-22-generic (not installed) failed to
  install/upgrade: subprocess new pre-installation script returned error
  exit status 128


[Bug 1919150] Re: My keyboard stop working

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1919150

Title:
  My keyboard stop working


[Bug 1904391] Re: Touchpad and Keyboard not detectable in the new kernel

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1904391

Title:
  Touchpad and Keyboard not detectable in the new kernel


[Bug 2055450] Re: Uploading package to server with self-signed certificate on https fails despite adding cert to trust-store

2024-03-01 Thread Mark Cunningham
Update: after a lot of discussion with Mitch Burton on the Landscape
team, he was able to demonstrate this working with a self-signed
certificate. We think that this may actually not be strictly an issue
with the self-signed SSL, but rather that the name in the cert is not an
FQDN, and instead is just the bare hostname.

Upon further testing myself, I swapped the hostname on my test instance
from landscape-2310-jammy to landscape-2310-jammy.lxd just as a test. I
then updated my /etc/hosts file, the certificates configured in Apache,
and imported the newly generated cert into ca-certificates. After this
dput worked just fine.

dput lds:ubuntu/jammy/upload hello.changes

D: Splitting host argument out of  lds:ubuntu/jammy/upload.
D: Setting host argument.
Checking signature on .changes
gpg: /root/hello.changes: Valid signature from 5E1E964200F3EA3D
Uploading to lds (via https to landscape-2310-jammy.lxd):
  Uploading hello_2.10-2ubuntu4+esm1_amd64.deb: done.  
  Uploading hello.changes: done.
Successfully uploaded packages.

This seems to confirm that the issue is not necessarily with dput
directly, but in how python's urllib is checking the domain/cert on the
connection. This may be something that can be worked around in dput to
allow for a bare hostname that is not an FQDN, but either way figured it
would be relevant to add this information.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2055450

Title:
  Uploading package to server with self-signed certificate on https
  fails despite adding cert to trust-store


[Bug 2051850] Re: [MIR] trace-cmd

2024-02-29 Thread Mark Esler
** Tags added: sec-3932

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2051850

Title:
  [MIR] trace-cmd


[Bug 2051916] Re: [MIR] promote libtraceevent as a trace-cmd dependency

2024-02-29 Thread Mark Esler
** Tags added: sec-3931

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2051916

Title:
  [MIR] promote libtraceevent as a trace-cmd dependency

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916/+subscriptions



[Bug 2055450] [NEW] Uploading package to server with self-signed certificate on https fails despite adding cert to trust-store

2024-02-29 Thread Mark Cunningham
Public bug reported:

On Ubuntu 22.04 with dput version 1.1.0ubuntu2.1, and python3 3.10.x,
customers using a self-signed SSL for https are getting the following:

  File "/usr/bin/dput", line 37, in <module>
    sys.exit(load_entry_point('dput==1.1.0+ubuntu2.1', 'console_scripts', 'execute-dput')())
  File "/usr/share/dput/dput/dput.py", line 1235, in main
    upload_methods[method](
  File "/usr/share/dput/dput/methods/https.py", line 18, in upload
    return http.upload(
  File "/usr/share/dput/dput/methods/http.py", line 138, in upload
    conn.endheaders()
  File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output
    self.send(msg)
  File "/usr/lib/python3.10/http/client.py", line 976, in send
    self.connect()
  File "/usr/lib/python3.10/http/client.py", line 1455, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1100, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1371, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)

This seems to be an issue in how the SSL for the https connection is
validated. Even after adding the self-signed certificate to the trust
store with update-ca-certificates, this is not being read by the python
code for validation of the cert on the mirror.

The immediate solution has been to modify the main dput file to import
the ssl library, and tell it to not validate the certificate for the
connection:

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

This is discussed further at the following link:

https://stackoverflow.com/questions/77639570/ssl-verification-problem-when-uploading-a-deb-package-using-dput

This seems like a change in python behavior given this discussion:

https://stackoverflow.com/questions/35569042/ssl-certificate-verify-failed-with-python3

I am not sure what the best path forward is. I would think that ideally
there may be an environment variable to tell python to read the
certificate from the standard trust-store
/etc/ssl/certs/ca-certificates.crt, or otherwise to skip certificate
validation, without needing to modify dput directly.

I do not see this happening on 20.04 with python 3.8.x and dput
1.0.3ubuntu1.1, so this seems to be a relatively recent change in
behavior.

** Affects: dput (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2055450

Title:
  Uploading package to server with self-signed certificate on https
  fails despite adding cert to trust-store

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dput/+bug/2055450/+subscriptions
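
As an added example (not code from dput or from this report), the sketch below reproduces offline the two distinct failures this report and its follow-up comment touch on: a self-signed certificate the client does not trust (OpenSSL verify code 18, the error in the traceback) and a trusted certificate whose name differs from the name the client connects to (verify code 62). The host names are constructed, the helper names are hypothetical, and the openssl command-line tool is assumed to be installed.

```python
import os
import ssl
import subprocess
import tempfile

def make_self_signed(workdir, dns_name):
    """Create a throwaway self-signed cert/key for dns_name with the openssl CLI."""
    crt, key = os.path.join(workdir, "srv.crt"), os.path.join(workdir, "srv.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={dns_name}", "-addext", f"subjectAltName=DNS:{dns_name}",
         "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def client_context(cafile=None):
    """Verifying client: CERT_REQUIRED plus hostname checking, trusting only cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx

def handshake(client_ctx, server_ctx, hostname):
    """In-memory TLS handshake: None on success, else OpenSSL's verify_code."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):
        finished = 0
        for side in (client, server):
            try:
                side.do_handshake()
                finished += 1
            except ssl.SSLCertVerificationError as exc:
                return exc.verify_code
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
        for src, dst in ((c_out, s_in), (s_out, c_in)):
            data = src.read()
            if data:
                dst.write(data)
        if finished == 2:
            return None
    raise RuntimeError("handshake did not complete")

def diagnose(cert_name="mirror.example.test", other_name="mirror"):
    """Verify codes for: untrusted cert, pinned cert + its name, pinned cert + other name."""
    with tempfile.TemporaryDirectory() as workdir:
        crt, key = make_self_signed(workdir, cert_name)  # constructed names
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        pinned = client_context(crt)
        return (handshake(client_context(), server_ctx, cert_name),
                handshake(pinned, server_ctx, cert_name),
                handshake(pinned, server_ctx, other_name))
```

Loading the one certificate as a trust anchor keeps both the chain check and the hostname check active, which the `ssl._create_unverified_context` override turns off for every HTTPS connection the process makes.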



Re: [Bug 2043524] Re: audio disappeared after upgrade to Ubuntu 23.10

2024-02-29 Thread Mark Bixler
I eventually figured out that the control bar for my external speaker
had been turned off somehow in the process. I turned it on and it has
worked fine since.

On Thursday, February 29, 2024 at 07:46:16 AM EST, Pablo Fontoura
<2043...@bugs.launchpad.net> wrote:

Same thing here. Fresh 23.10 installation and no sound.
My USB headset is working properly.

-- 
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/2043524

Title:
  audio disappeared after upgrade to Ubuntu 23.10

Status in pulseaudio package in Ubuntu:
  Confirmed

Bug description:
  I upgraded to Ubuntu 23.10 from 23.04. Everything seems to work except
  there is no audio output on streaming functions. The external
  bluetooth speaker is connected and detected. It is charged and
  responds to testing. Just no sound when playing videos or podcasts.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: pulseaudio 1:16.1+dfsg1-2ubuntu4
  ProcVersionSignature: Ubuntu 6.5.0-10.10-generic 6.5.3
  Uname: Linux 6.5.0-10-generic x86_64
  ApportVersion: 2.27.0-0ubuntu5
  Architecture: amd64
  AudioDevicesInUse:
  USER        PID ACCESS COMMAND
  /dev/snd/controlC0:  owner      975 F wireplumber
  /dev/snd/seq:        owner      971 F pipewire
  CasperMD5CheckResult: fail
  CurrentDesktop: KDE
  Date: Tue Nov 14 17:50:17 2023
  InstallationDate: Installed on 2023-04-15 (213 days ago)
  InstallationMedia: Kubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  ProcEnviron:
  LANG=en_US.UTF-8
  PATH=(custom, no user)
  SHELL=/bin/bash
  XDG_RUNTIME_DIR=
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No 
PulseAudio daemon running, or not running as session daemon.
  SourcePackage: pulseaudio
  Symptom: audio
  UpgradeStatus: Upgraded to mantic on 2023-11-09 (5 days ago)
  dmi.bios.date: 07/04/2012
  dmi.bios.release: 4.6
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: V3.0
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: H61M-P31/W8 (MS-7788)
  dmi.board.vendor: MSI
  dmi.board.version: 1.0
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: MSI
  dmi.chassis.version: 1.0
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvrV3.0:bd07/04/2012:br4.6:svnMSI:pnMS-7788:pvr1.0:rvnMSI:rnH61M-P31/W8(MS-7788):rvr1.0:cvnMSI:ct3:cvr1.0:skuTobefilledbyO.E.M.:
  dmi.product.family: To be filled by O.E.M.
  dmi.product.name: MS-7788
  dmi.product.sku: To be filled by O.E.M.
  dmi.product.version: 1.0
  dmi.sys.vendor: MSI

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/2043524/+subscriptions


[Bug 2052813] Re: [MIR] bpfcc

2024-02-28 Thread Mark Esler
Some of the bpf tools do not work on mantic.

e.g. `/usr/sbin/tcptop-bpfcc` from `bpfcc-tools` does not work, but
`/usr/sbin/tcptop` from `libbpfcc` does (on mantic)

Kernel configs and pahole version used to build mantic's kernel should
be okay https://github.com/iovisor/bcc/tree/master/libbpf-tools ?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052813

Title:
  [MIR] bpfcc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bpfcc/+bug/2052813/+subscriptions



[Bug 2052652] Re: [MIR] gnome-snapshot

2024-02-28 Thread Mark Esler
** Changed in: gnome-snapshot (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Tags added: sec-3916

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052652

Title:
  [MIR] gnome-snapshot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-snapshot/+bug/2052652/+subscriptions



[Bug 2048781] Re: [MIR] authd

2024-02-28 Thread Mark Esler
A centralized vendor-linter is the best long-term option. Toolchains
needs more resources before they can provide a solution (FR-6859).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2048781

Title:
  [MIR] authd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/authd/+bug/2048781/+subscriptions



[Bug 2052813] Re: [MIR] bpfcc

2024-02-27 Thread Mark Esler
Máté, could you please see if the rationale can be broadened for FO147?

I suspect that libbpf-tools is also important.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052813

Title:
  [MIR] bpfcc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bpfcc/+bug/2052813/+subscriptions

