Package: firefox
Version: 62.0.2-1
Severity: normal
Tags: upstream
Dear Maintainer,
I am using Firefox confined with "unofficial" AppArmor profile, and
noticed that this produces a lot of strange denials, as Firefox for
unknown reason tries to write to the /usr/* directories, something to do
with
Looks like Thunderbird behaves the same:
```
type=AVC msg=audit(1538066122.223:896): apparmor="DENIED" operation="mknod" profile="thunderbird"
name="/usr/share/fonts/X11/encodings/large/.uuid.TMP-7ayDB6
" pid=9152 comm="thunderbird" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
```
Yep, same issue with Kate text editor, and yes, it's fontconfig:
```
Thread 1 "kate" hit Catchpoint 1 (returned from syscall openat), 0x75e42e69 in __libc_open64
(file=0x55930da0 "/usr/share/fonts/type1/gsfonts/.uuid", oflag=524288) at
../sysdeps/unix/sysv/linux/open64.c:47
47
Running `sudo fc-cache -f` didn't helped.
Freecad crashes while importing any .svg:
1. Open Inkscape
2. Save to "drwing.svg" or whatever (yes, empty file)
3. Launch Freecad
4. File -> New
5. File -> Import -> select drawing.svg -> check "SVG as geometry" -> Select ->
Crash happens:
```
Thread 1 "freecad" received signal SIGSEGV, Segmen
On 9/12/18 9:10 AM, intrigeri wrote:
Worst case I'll look into it within a month but help is welcome.
Vincas, maybe? :)
Yeah I'll try. I have already agreed to check similar Thunderbird issue [0] but haven't got into
these yet :( .
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908206
Package: thunderbird
Version: 1:60.0-3~deb9u1
Severity: normal
Tags: upstream
User: pkg-apparmor-t...@lists.alioth.debian.org
Usertags: modify-profile
Dear Maintainer,
It appears that Thunderbird now needs access to /etc/ld.so.conf on
Stretch, while AppArmor profile does not allow that:
```
type
What is strange here, that Thunderbird some times still executes browser directly, as in this case,
clicking the link inside notification email from github.com:
```
$ sudo sysdig "proc.name=thunderbird and evt.type=execve"
150186 18:52:01.190105156 0 thunderbird (11430) > execve
filename=/usr/b
On 9/19/18 8:10 PM, intrigeri wrote:
It appears that Thunderbird now needs access to /etc/ld.so.conf on
Stretch, while AppArmor profile does not allow that:
What's the practical effect of this denial, if any?
I haven't noticed any negative effects so far.
On Thu, 20 Sep 2018 16:53:44 -0400 Anthony DeRobertis wrote> would make sense
to allow a mail program to read ~/.mailcap (and execute
the programs found there, no idea how that's done in apparmor)
Allowing to read that file will be trivial, but AppArmor will not be able to parse it and
dynami
I believe the "perfect" solution would be to implement a child profile, that would allow only to
launch browsers, as as far as I can see, only links (not attachments) are opened with this new gio
helper.
Consider:
```
...
/usr/lib/@{multiarch}/glib-[0-9].[0-9]/gio-launch-desktop Cx ->
gi
On Fri, 11 May 2018 15:12:55 +0200 Sebastian Ramacher
wrote:
> On 2018-05-10 06:43:34, Vincas Dargis wrote:
> > If I export these variables:
> >
> > export DEB_BUILD_MAINT_OPTIONS=sanitize=+address,+undefined
>
> You'll need to pass that via DEB_BUILD_OPTIONS to
I have manged to rebuild vlc and libavcodec packages with address
sanitizer. I still had problems to make llvm-symbolizer work... but anyway,
it's double-free:
```
libvlc: removing module "avcodec"
=
==3782==ERROR: AddressSanitizer: a
Looks like there is much simpler workaround:
PRIMUS_UPLOAD=1 primusrun glxgears
Works for wine too.
Thanks to Reddit user huttukuttu! [0]
[0]
https://www.reddit.com/r/debian/comments/8wu8t8/bumblebee_causes_segfault_in_i965_driso/e1ywduu
On Mon, 9 Jul 2018 05:32:06 +0200 Andreas Beckmann wrote:
Is this still an issue with the latest driver (390.67) available in sid,
buster, and (soon) stretch-backports?
I believe this bug has been fixed. This is quite old bug, I simply forgot that it even existed.
Sorry for that.
THOUGH, cu
Package: minissdpd
Version: 1.5.20180223-2
Severity: normal
Dear Maintainer,
I've discovered that syslog contains lots of "Address already in use"
messages:
```
-- Logs begin at Sat 2018-07-14 19:49:37 EEST, end at Sat 2018-07-14
21:08:02 EEST. --
liep. 14 19:49:42 vinco systemd[1]: Starting kee
On Sun, 17 Jun 2018 16:36:39 +0200 intrigeri wrote:
Vincas Dargis:
> linux-compiler-gcc-7-x86 needs gcc-7 that is not available?
For Tails we work this around with equivs:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-hooks/12-kernel-modules-build-environment
I've ma
Package: clamav-freshclam
Version: 0.100.0+dfsg-0+deb9u2
Severity: minor
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertag -1 platform
Dear Maintainer,
I've discovered DENIED message that appears (apparently) only first time
after clamav is installed:
```
type=AVC msg=aud
This doesn't seem to reproduce on Sid though.
Control: user pkg-apparmor-t...@lists.alioth.debian.org
Control: usertag -1 +modify-profile
On Mon, 16 Jul 2018 16:58:24 +0200 Carsten Schoenert
wrote:
Hello Vincas,
may I point you to this report?
Sure!
On Mon, Jul 16, 2018 at 12:45:49PM +0100, Nuno Oliveira wrote:
> Actually, better mak
Package: cpqarrayd
Version: 2.3.5+b1
Severity: normal
Dear Maintainer,
I've installed Debian Stretch on a bit old DL380 G6 server, and tried to
use cpqarrayd to monitor RAID status, but logs shows that controller is
not found:
```
Jul 17 16:28:13 dl380 systemd[1]: Starting LSB: Start/Stop Compaq
On Mon, 7 May 2018 06:40:36 +0200 "Sten Heinze" wrote:> I definitely experience a much
shorter delay if I press keys on the keyboard vs. doing nothing; the delay decreases from >5 minutes
to 10-20 seconds before sddm appears.
Yes! I have same problem, thought not with 4.16, but with 4.17. If I
Upstream bug report has been marked as "Out of scope".
So what now, libqt5core5 package must depend on haveged? :)
(or Qt recompiled without getentropy() ?)
On 7/22/18 3:19 PM, intrigeri wrote:
Vincas Dargis:
Now that "/sys/devices/system/memory/block_size_bytes r," needs simple
backport, as
is is already available in more recent AppArmor [0].
Unless this denial triggers important user-visible issues, I say let's
ignore it for
On 7/22/18 3:48 PM, intrigeri wrote:
Hi Vincas,
Vincas Dargis:
I've managed to install 4.17.0-rc3 and 4.18.0-rc4 with equivs hack, and I did
not see
any immediate problems with some lightweight testing.
Great.
Both on Stretch, right?
Yes.
Did you disable feature-set pinning ent
Package: salt-master
Version: 2017.7.3+dfsg1-1
Severity: important
Dear Maintainer,
After recent upgrade in Sid I've noticed that `salt` cannot execute commands due
to permissions issues:
```
root@debian-sid:/media/cdrom# salt "*" test.ping
Failed to authenticate! This is most likely because th
On Fri, 16 Feb 2018 08:48:06 -0700 Thomas Vaughan
wrote:
I see that this bug is closed, but I see something similar in my
system log. I am running Debian unstable updated as of yesterday. It
seems that libreoffice is trying to make use of OpenCL, and I have a
couple of OpenCL ICDs installed.
On 3/4/18 1:52 PM, Rene Engelhard wrote:
On Sat, Mar 03, 2018 at 03:10:45PM +0200, Vincas Dargis wrote:
I'm on switching laptop (Intel + NVIDIA). Maybe I have to enable OpenCL for
Libreoffice somehow?
Tools->Options-OpenCL. Though that setting doesn't persist here,
probably becau
On 3/4/18 1:52 PM, Rene Engelhard wrote:
Tools->Options-OpenCL. Though that setting doesn't persist here,
probably because LO notices I don't have a working OpenCL config..
After some testing, it seems that OpenCL option persist for me only if I
launch LO through `optirun` command, that enable
Same in 5.4.13-1.
Package: lvm2
Version: 2.03.11-2.1
Severity: normal
Dear Maintainer,
We have two similar machines working as database master & replica. They both
use same HDD drives and Areca ARC-1261 HW raid controllers, with same LVM
volume groups set up.
I've noticed that during boot, and before rebooting, b
Package: src:linux
Version: 5.16.12-1~bpo11+1
Severity: normal
Dear Maintainer,
It seems we can't use Linux for cloning drive data from faulty drives
(with bad blocks) using USB SATA adapters.
I wanted to clone data from this old SSD:
```
Device Model: LITEONIT LCM-128M3S 2.5" 7mm 128GB
Ser
2022-04-24 12:20, Salvatore Bonaccorso rašė:
Would you be able to test the current kernel from unstable so we can
confirm it's fixed in 5.17.3-1?
I am not sure if I want to install kernel from unstable into production machine.. :) . I believe I'll wait for Bullseye
backport to see if it helps.
On Sun, 2 May 2021 14:03:24 +0200 Salvatore Bonaccorso
wrote:
is this still reproducible with a recent kernel?
I am running linux-image-5.16.0-6-amd64 5.16.18-1 with commented-out (disabled) workaround "ethtool -K enp5s0f1 tx off
sg off tso off" and I no longer see any problems.
It seems that this might be fixed in ~5.17, based on this [0] message in thread that speaks about problem seemingly
similar to mine:
Yes, I expect to submit it into the next merge window (not the current
v5.16 merge window, but v5.17). However, if your situation is urgent, and
if it works for
On Sun, 24 Apr 2022 11:20:30 +0200 Salvatore Bonaccorso
wrote:
Would you be able to test the current kernel from unstable so we can
confirm it's fixed in 5.17.3-1?
I've installed 5.18 from bullseye-backports:
Aug 19 23:45:36 dl380 kernel: [0.00] Linux version 5.18.0-0.bpo.1-amd64 (de
Package: thunderbird
Version: 1:102.0.1-1
Severity: grave
Justification: renders package unusable
Dear Maintainer,
Please see screenshot attached - no account tree is visible after
upgrade.
In settings I do see all accounts set up as it was before though.
AppArmor profile was always enabled, th
I've found a fix:
```
thunderbird --safe-mode --jsconsole
```
(--jsconsole probably is not deeded).
In a popup shown, I've selected to "Disable all addons" and "Reset toolbars and controls". Clicking "Make changes and
restart" made UI work again, even with AppArmor.
On 2022-07-09 13:36, Carsten Schoenert wrote:
In about 80% of problems some external Add-ons are the root of problems.
I see there's "SenderAddressColumn (disabled)" addon, but I doubt it was enabled before upgrade. Last addon update was
in 2016.
I blieve what helped is resetting controls vi
I have reproduced issue on my Sid virtual machine. I've copied (pre-upgrade) profile from backup, upgraded Thunderbird
and same issue appeared.
To fix I launched --safe-mode, and selected to reset toolbars and controls. I did not
check "Disable all addons".
Sadly, --verbose did not produce any
Package: src:linux
Version: 5.10.120-1
Severity: normal
Dear Maintainer,
I've noticed in Munin graphs that entropy dropped significantly after
reboot to 5.10.120-1. Please see images attached.
Not sure if this is actually a problem/bug, but that kind of drop "out
of nowhere" seems at least suspi
Workaround is to downgrade python3-aiorpcx package like this:
cd /tmp/
debsnap --binary -d . python3-aiorpcx 0.18.5-1
dpkg -i python3-aiorpcx_0.18.5-1_all.deb
Package: src:linux
Version: 5.10.106-1
Severity: minor
Dear Maintainer,
After linux-image-5.10.0-12-amd64 5.10.103-1 was installed, kernel log
started to be "spammed" with "clocksource:" messages on HP ProLiant
DL380 G6 server. Same on latest 5.10.0-13 package.
Version 5.10.103-1 changelog does
Package: pgbouncer
Version: 1.17.0-3.pgdg110+1
Severity: minor
Dear Maintainer,
After upgrading pgbouncer from pgdg and stopping pgbouncer service, that
service is reported as failed, triggering monitoring notifications we have set
up:
```
$ systemctl status pgbouncer.service
● pgbouncer.service
It does right job if I change authentication method to "SASL PLAIN".
Package: apparmor-profiles
Version: 2.13.2-10
Severity: normal
Tags: upstream
Dear Maintainer,
This is produced if usr.sbin.dovecot is copied to /etc/apparmor.d:
```
type=AVC msg=audit(1598556536.092:901): apparmor="DENIED" operation="open"
profile="dovecot" name="/usr/share/dovecot/dh.pem" pid
Package: apparmor
Version: 2.13.4-3
Severity: minor
Tags: upstream
Dear Maintainer,
Just got this denial (while running some absolutely propiertary application via
Steam):
```
type=AVC msg=audit(1598788812.837:495): apparmor="DENIED" operation="open"
profile="nvidia_modprobe" name="/proc/drive
OK so it looks like after 2020-09-01 updates that had lot's of NVIDIA stuff,
same error reproduces again:
```
$ pvkrun vkcube
primus: fatal: Bumblebee daemon reported: error: [XORG] (EE) Unable to locate/open config directory:
"/etc/bumblebee/xorg.conf.d"
```
```
$ optirun glxgears
[ 5856.436
Sadly, purge & reinstall did not help this time...
from `/var/log/Xorg.8.log`
[ 2486.434] (II) NVIDIA dlloader X Driver 450.66 Wed Aug 12 19:44:12 UTC 2020
[ 2486.434] (II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
[ 2486.435] (EE) No devices detected.
[ 2486.435] (EE)
Fatal server error:
[ 2486.435] (EE) no screens found(EE)
[
In https://wiki.debian.org/Bumblebee#Debian_10_and_older I've found this hint:
```
[ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected
You may have to set the BusID manually, in /etc/bumblebee/xorg.conf.nvidia. To get the BusID, run lspci | egrep 'VGA|3D'
in a terminal.
Package: fonts-fantasque-sans
Version: 1.7.2~alpha.3~dfsg-2
Severity: wishlist
Dear Maintainer,
fonts-fantasque-sans package provides files in
`/usr/share/fantasque-sans/` directory, while it seems there's a common
pattern to store fonts in `/usr/share/fonts-foo-bar` directory (or
/usr/share/foo/
Package: bumblebee-nvidia
Version: 3.2.1-23
Severity: important
Dear Maintainer,
After some updates I cannot use primusrun/optirun/pvkrun on my Sid:
```
$ primusrun glxgears
primus: fatal: Bumblebee daemon reported: error: [XORG] (EE) Unable to
locate/open config directory: "/etc/bumblebee/xorg.
In bumblebee changelog I see:
* Simplify rules and use bumblebee.install etc. for installation.
* Remove obsolete conffile /etc/bumblebee/xorg.conf.d/10-dummy.conf.
Could these introduce some sort of regression in my case?
$ sudo strace -efile -f -p $(pgrep bumblebeed) 2>&1 | fgrep /etc/bumblebee
[pid 7068] execve("/usr/lib/xorg/Xorg", ["/usr/lib/xorg/Xorg", ":8", "-config",
"/etc/bumblebee/xorg.conf.nouveau", "-configdir", "/etc/bumblebee/xorg.conf.d", "-sharevts",
"-nolisten", "tcp", "-noreset", "-verbose", "3"
I just this:
sudo apt purge --autoremove nvidia*
sudo apt install nvidia-driver bumblebee-nvidia primus-nvidia primus-vk-nvidia
And after reinstalling driver and all other bumbleblee-related packages, it
started to work again.
Package: konversation
Version: 1.7.5-3
Severity: normal
Dear Maintainer,
Recently I've noticed that I a missing some channels after
(auto-)connecting to chat.freenode.net.
Log shows this:
[21:13] [Pastabos] -NickServ- This nickname is registered. Please choose a
different nickname, or identify
Thanks for this "solution". You probably can't tell what changed (likely
in /etc) after purge+reinstall?
Sadly, no. I could have taken copy if /etc, just haven't thought of it, sorry.
All I see is that `/etc/bumblebee/xorg.conf.d/` is still empty as it where,
can't comment any more.
Quite some time passed since February...
My Sid just updated to 5.5, and NVidia (via optirun) no longer works, seen that
build error too.
Is there any hope to make it work again..?
I'm using Legacy because I've seen NEWS that I should use that one for my
GM107M [GeForce GTX 860M]...
Package: src:linux
Version: 5.5.13-2
Severity: important
Dear Maintainer,
After upgrading to 5.5 on Sid, I've experiencing full computer freeze after
some time of playing, for example, minetest for some time (even though I use
`optirun` to use discrete graphics).
Problems are completely gone if
Control: found 1.17.2-1
Hi,
It does not seem to be fixed. Packaged does not have apparmor files:
```
$ dpkg -L qtox | fgrep apparmor
$
```
There should be `/etc/apparmor.d/usr.bin.qtox`, `/etc/apparmor.d/tunables/usr.bin.qtox`, see
https://github.com/qTox/qTox/tree/master/security/apparmor/2.
Also, it would be nice to have NEWS entry about availability of AppArmor profile, with hint how to
enable it, and link to https://wiki.debian.org/AppArmor maybe.
Control: user -1 pkg-apparmor-t...@lists.alioth.debian.org
Control: usertag -1 modify-profile
Yes.
I've reproduced this on Debian 10 XFCE VM, and fix is just adding a single line:
```
owner @{HOME}/.config/xfce4/helpers.rc r,
```
I'll prepare upstream MR to update AA profile.
2020-05-15 09:35
Package: sysdig
Version: 0.26.4-1
Severity: grave
Justification: renders package unusable
Dear Maintainer,
sysdig does not run at all:
```
$ sudo sysdig
sysdig: symbol lookup error: sysdig: undefined symbol:
_ZN4grpc13ClientContextC1Ev
```
-- System Information:
Debian Release: bullseye/sid
On Thu, 14 Nov 2019 20:14:10 +0100 Jonas Smedegaard wrote:
What I expect to be realistic is including e.g. 0.20.0 shortly before
freeze of bullseye, have it included when bullseye becomes stable 3-6
months later, and then when 0.20.1 comes out...
Ping. 0.20.1 is now available.
On 2019-04-24 00:50, Aurélien COUDERC wrote:
Took a bit of time but you may have seen that the fix did land in buster by
now. :)
I did noticed this, thanks!
Control: reassign -1 libmtp9
Looks more like a problem in libmtp9 (or maybe the kernel).
Reassigning to libmtp9.
I don't see it being reassigned, trying again.
Control: found -1 1.1.16-1
Control: severity -1 serious
I've downgraded to 1.1.13-1.1 and my phone is accessible again. Upgrading version introduces problem
again.
Naively bumping severity in hope to be fixed for Buster.
Control: forwarded -1 https://sourceforge.net/p/libmtp/bugs/1818/
Looks like there are problems with more phones (forwarded to bug about Moto G
regression).
On 2019-03-21 08:27, Nikita Yushchenko wrote:
I was able to fix this by adding
/usr/lib/chromium/chrome-sandbox PUxr
line to /etc/apparmor.d/abstractions/ubuntu-helpers, near other
chrome-related lines.
This is already fixed of Buster:
https://salsa.debian.org/apparmor-team/apparmor/blob/58
Control: tags -1 +fixed-upstream
Control: forwarded -1 https://github.com/qTox/qTox/pull/5577
qTox now has bran new profile in upstream, that will hopefully will be
available in Buster+1 :) .
401 - 471 of 471 matches
Mail list logo