[Bug 1648921] Re: Sandbox the tracker extractor

2017-03-06 Thread Jeremy Bicha
** Changed in: tracker (Ubuntu Yakkety)
   Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1648921

Title:
  Sandbox the tracker extractor

To manage notifications about this bug go to:
https://bugs.launchpad.net/tracker/+bug/1648921/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1648921] Re: Sandbox the tracker extractor

2017-03-06 Thread Jeremy Bicha
When I looked earlier, I couldn't easily backport this to 16.04 LTS.

After a few months, I believe the tracker sandbox still causes
regressions since it blocks stuff that used to be allowed. The new
tracker (with sandbox) will be shipped in 17.04 and Debian stretch, but
I think this update is not worth doing for 17.04 given that 17.04 is
already halfway through its short life and given that we are unlikely to
be able to fix all regressions it introduces.

** Tags removed: verification-needed
** Tags added: verification-failed

** Changed in: tracker (Ubuntu Xenial)
   Status: New => Won't Fix



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-20 Thread Mathew Hodson
** Changed in: tracker (Ubuntu)
   Importance: Undecided => High

** Changed in: tracker (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: tracker (Ubuntu Xenial)
   Importance: Undecided => High



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-16 Thread Timo Aaltonen
Hello Jeremy, or anyone else affected,

Accepted tracker into yakkety-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/tracker/1.10.2-0ubuntu0.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: tracker (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

** Tags added: verification-needed



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Jeremy Bicha
I went ahead and uploaded this for yakkety as a regular SRU (it's in the
unapproved queue now)



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Jeremy Bicha
** Tags added: xenial yakkety zesty

** Changed in: tracker (Ubuntu)
   Status: New => Fix Released

** Changed in: tracker (Ubuntu Yakkety)
   Status: New => In Progress



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Jeremy Bicha
tracker was not included by default in any Ubuntu 12.04 flavor and
libseccomp is only available in backports there.

I don't intend to try to backport this change for Ubuntu 14.04 either.
Ubuntu GNOME 14.04 has only a few months of support left. I don't feel
it's worth the work to try to make these changes there.



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Jeremy Bicha
** Description changed:

-   * SECURITY UPDATE: extractor now runs in a sandbox confined by libseccomp
- - extractor's filesystem and network access is limited to being read and
-   local only (LP: #1619600)
- - No CVE number
+ * SECURITY UPDATE: extractor now runs in a sandbox confined by libseccomp
+ - extractor's filesystem and network access is limited to being read and
+   local only (LP: #1648921)
+ - No CVE number
  
  The tracker developers have recently confined their extractor to attempt
  to make tracker more resilient to attacks, especially involving flaws in
  gstreamer parsers.
  
  There is no CVE number assigned to this issue.
  
  https://lwn.net/Articles/708196/
  
https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html
  
  The gstreamer security fixes are being handled separately. See bug
  1619600
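
Review bot: The added changelog line "extractor's filesystem and network access is limited to being read and local only" is ambiguous about which restriction applies to which resource. Suggest wording it as read-only filesystem access and local-only network access, so that someone reviewing the SRU can tell what the sandbox is expected to block when judging regressions.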

** Also affects: tracker (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: tracker (Ubuntu Xenial)
   Importance: Undecided
   Status: New


[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Jeremy Bicha
** Description changed:

- The tracker developers have recently confined their extractor to attempt to 
make tracker more resilient to attacks, especially involving flaws in gstreamer 
parsers.
-  
+   * SECURITY UPDATE: extractor now runs in a sandbox confined by libseccomp
+ - extractor's filesystem and network access is limited to being read and
+   local only (LP: #1619600)
+ - No CVE number
+ 
+ The tracker developers have recently confined their extractor to attempt
+ to make tracker more resilient to attacks, especially involving flaws in
+ gstreamer parsers.
+ 
  There is no CVE number assigned to this issue.
  
  https://lwn.net/Articles/708196/
  
https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html
  
  The gstreamer security fixes are being handled separately. See bug
  1619600
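
Review bot: The LP reference in the added changelog entry, "local only (LP: #1619600)", points at the bug that the unchanged last lines of this same description identify as the separate gstreamer fixes ("See bug 1619600"). The sandbox change is tracked in this bug, 1648921, so the changelog entry should close that number instead; otherwise the upload will be linked to the wrong report.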

** Information type changed from Public to Public Security



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Jeremy Bicha
** Description changed:

- .
+ The tracker developers have recently confined their extractor to attempt to 
make tracker more resilient to attacks, especially involving flaws in gstreamer 
parsers.
+  
+ There is no CVE number assigned to this issue.
+ 
+ https://lwn.net/Articles/708196/
+ 
https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html
+ 
+ The gstreamer security fixes are being handled separately. See bug
+ 1619600



[Bug 1648921] Re: Sandbox the tracker extractor

2016-12-09 Thread Bug Watch Updater
** Changed in: tracker
   Status: Unknown => Fix Released

** Changed in: tracker
   Importance: Unknown => High
