[Touch-packages] [Bug 1834494] Re: latest bzip2 reports crc errors incorrectly
Filed respective bug in Debian as well as per https://bugs.debian.org/931278

** Bug watch added: Debian Bug tracker #931278
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931278

** Also affects: bzip2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931278
   Importance: Unknown
       Status: Unknown

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bzip2 in Ubuntu.
https://bugs.launchpad.net/bugs/1834494

Title:
  latest bzip2 reports crc errors incorrectly

Status in bzip2:
  New
Status in bzip2 package in Ubuntu:
  Confirmed
Status in bzip2 source package in Xenial:
  New
Status in bzip2 source package in Bionic:
  New
Status in bzip2 source package in Cosmic:
  New
Status in bzip2 source package in Disco:
  New
Status in bzip2 package in Debian:
  Unknown

Bug description:
  I just got the bzip2 1.0.6-8.1ubuntu0.1 updates pushed to my machine and am now having problems with some .tbz2 archives. In particular, I can no longer extract this one:

  https://developer.nvidia.com/embedded/dlc/l4t-jetson-xavier-driver-package-31-1-0

  Downloading this and running:

  bunzip2 -tvv Jetson_Linux_R31.1.0_aarch64.tbz2

  ...yields a CRC error. The previous version of bunzip2 does not report any errors with this archive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/bzip2/+bug/1834494/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1822590] Re: Found storing user fingerprints without encryption
** Bug watch added: Debian Bug tracker #926749
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749

** Also affects: apparmor (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749
   Importance: Unknown
       Status: Unknown

** No longer affects: apparmor (Debian)

** Also affects: debian via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749
   Importance: Unknown
       Status: Unknown

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1822590

Title:
  Found storing user fingerprints without encryption

Status in fprintd:
  New
Status in apparmor package in Ubuntu:
  New
Status in fprintd package in Ubuntu:
  Triaged
Status in Debian:
  Unknown

Bug description:
  Dear all,

  I would like to report a new issue as follows.

  ‘fprintd’ saves fingerprint data, ISO/IEC 19794-2 formatted, to a file on the host without any encryption.

  Though fprintd generates fingerprint image with root permission for protecting the file from attackers, it is not of itself sufficient.

  It is a well-known threat model that formatted fingerprint data can be restored to the original image about a decade ago.

  [1-4] are presented to create sophisticated and natural-looking fingerprints only from the numerical template data format as defined in ISO/IEC 19794-2. They also successfully evaluated these approaches against a number of undisclosed state-of-the-art algorithms and the NIST Fingerprint Image Software.

  We need improvements of those issues.

  [1] R. Cappelli et al., “Fingerprint Image Reconstruction from Standard Templates”, IEEE Trans. on Pattern Analysis and Machine Intelligence, vol.29, no.9, pp.1489-1503, 2007.
  [2] A. Ross et al., “From template to image: Reconstructing fingerprints from minutiae points”, IEEE Trans on Pattern Analysis and Machine Intelligence, vol.29, no.4, pp.544-560, 2007.
  [3] R. Cappelli et al., “Can Fingerprints be reconstructed from ISO Templates?”, IEEE ICARCV 2006.
  [4] J. Feng et al., “Fingerprint Reconstruction: From Minutiae to Phase”, IEEE Trans on Pattern Analysis and Machine Intelligence, vol.33, no.2, pp.209-223, 2011.

  Sincerely,
  Seong-Joong Kim

To manage notifications about this bug go to:
https://bugs.launchpad.net/fprintd/+bug/1822590/+subscriptions
[Touch-packages] [Bug 1783591] Re: lxc-user-nic allows unprivileged users to open arbitrary files
One can still test existence of files with those patches, but I guess this was explicitly not part of the fixes?

** Bug watch added: Debian Bug tracker #905586
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905586

** Also affects: lxc (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905586
   Importance: Unknown
       Status: Unknown

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1783591

Title:
  lxc-user-nic allows unprivileged users to open arbitrary files

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Xenial:
  Triaged
Status in lxc source package in Bionic:
  Fix Released
Status in lxc source package in Cosmic:
  Fix Released
Status in lxc package in Debian:
  Unknown

Bug description:
  Matthias Gerstner from SUSE reported the following:

````
Hello,

following the lxc security reporting guidelines [1] I am reporting a finding in the lxc-user-nic setuid binary. I'm encrypting this mail as a best practice and because I found valid GPG keys for all of your addresses. Please find my public key attached to this mail.

In the context of an openSUSE security audit of the lxc-user-nic setuid binary [2] (currently private bug) I came across an issue that should be addressed. In the "delete" case the program runs the following piece of code unconditionally with effective uid 0 (from lxc_user_nic.c):

```
    } else if (request == LXC_USERNIC_DELETE) {
        netns_fd = open(args.pid, O_RDONLY);
        if (netns_fd < 0) {
            usernic_error("Could not open \"%s\": %s\n", args.pid,
                          strerror(errno));
            exit(EXIT_FAILURE);
        }
    }
```

`args.pid` is a user controlled parameter and can be an arbitrary path at the moment. Nothing is done with this file descriptor later on in the program except an attempt at `setns(fd, CLONE_NEWNET)` in `is_privileged_over_netns()`.

Still this allows the unprivileged caller of the setuid binary to achieve the following:

- it can test for existence of files normally not accessible to the caller (information leak). Example:

```
# this file is existing
$ /usr/lib/lxc/lxc-user-nic delete path name /root/.bash_history type bridge nic
lxc_user_nic.c: 1017: is_privileged_over_netns: Failed to setns() to network namespace Invalid argument
lxc_user_nic.c: 1161: main: Process is not privileged over network namespace

# this file is not existing
$ /usr/lib/lxc/lxc-user-nic delete path name /root/.zsh_history type bridge nic
lxc_user_nic.c: 1130: main: Could not open "/root/.zsh_history": No such file or directory
```

- it allows to trigger code paths in the kernel that are normally not accessible to the caller. This can happen when opening special files like character and block devices or files in /proc or /sys. Opening some of these files can cause lock or alloc operations or even more complex things to happen like when opening /dev/ptmx, which causes the allocation of a new master/slave pseudo terminal.

Therefore this can lead to DoS like situations or have further unspecified impact.

For fixing this I suggest opening the file supplied in `args.pid` only with the permissions of the real user, since this is already done in `is_privileged_over_netns()` anyway. Another approach would be the normalization of the input path and then only allowing a path of the pattern /proc//ns/net.

[1] https://github.com/lxc/lxc/blob/master/README.md#reporting-security-issues
[2] https://bugzilla.suse.com/show_bug.cgi?id=988348

Best regards

Matthias
````

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/+subscriptions