[Touch-packages] [Bug 1013012] Re: regression with sendmail and Android clients

2022-05-23 Thread Kees Cook
No current issues with modern android and modern ubuntu

** Changed in: openssl (Ubuntu)
   Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1013012

Title:
  regression with sendmail and Android clients

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  Something appears to be broken between the Android SSL library used by K-9
  Mail (and the native Android "E-mail" client), and the 1.0.0 openssl in 12.04
  as used by sendmail. I am seeing this error with K-9 Mail clients trying to
  talk to sendmail:
  http://code.google.com/p/k9mail/issues/detail?id=3022

  If I downgrade the sendmail-bin package to the version from Natty
  (which uses openssl 0.9.8), everything is fine again. Oddly, the logs
  in K-9 Mail show successful post-SSL-handshake communication. It is
  extremely unclear what is going on here.

  Since nothing changed in the sendmail package between natty and
  precise, I'm opening this against openssl. The problem could probably
  be anywhere in openssl, sendmail, K-9 Mail, or the Android SSL
  libraries, but there is at least a visible regression seen when
  changing from 0.9.8 to 1.0.0 on Ubuntu. :(

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1013012/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1773859] Re: upgrades to 18.04 fail

2019-09-30 Thread Kees Cook
Hmm, I don't have any systems left with systemd-shim installed, so I
can't do a "real world" test of this. The test case in the description
seems reasonable, so if that passes, I would consider this bug fixed. :)
Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd-shim in Ubuntu.
https://bugs.launchpad.net/bugs/1773859

Title:
  upgrades to 18.04 fail

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd-shim package in Ubuntu:
  Won't Fix
Status in systemd source package in Bionic:
  Fix Committed
Status in systemd-shim source package in Bionic:
  Won't Fix
Status in systemd source package in Cosmic:
  Fix Released
Status in systemd-shim source package in Cosmic:
  Won't Fix

Bug description:
  [Impact]

   * Some systems fail to upgrade due to conflicts between systemd and
  the (now removed from the archive) systemd-shim / upstart.

   * Instead of trying to work out what's the problem in ordering /
  removal of diverts, ensure that systemd is never unpacked whilst
  systemd-shim/upstart are still on disk. Thus declare conflicts against
  systemd-shim/upstart packages in systemd package.

  [Test Case]

   * monitor drop-off of upgrades with below reported problem

   * Check that it is possible to upgrade to bionic's libpam-systemd
  from xenial with systemd-shim installed on xenial, ie.

  lxc launch ubuntu-daily:xenial test-shim-upgrade
  lxc exec test-shim-upgrade
  apt update
  apt install systemd-shim
  wget https://deb.debian.org/debian/pool/main/s/systemd-shim/systemd-shim_10-3_amd64.deb
  apt install ./systemd-shim_10-3_amd64.deb
  sed 's/xenial/bionic/' -i /etc/apt/sources.list
  apt update
  apt install systemd

  this currently passes, however, systemd-shim remains installed. It
  should be removed instead. Apt install systemd should have lines like
  this:

  The following packages will be REMOVED:
    systemd-shim
  ...
  Removing 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim'
  ...

  
  [Regression Potential]

   * systemd-shim/upstart are both removed and not supported in bionic,
  thus forcing their removal via conflicts should bring the system into
  an expected state.

  [Other Info]

   * original bug report

  $ sudo apt upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following packages will be REMOVED:
    systemd-shim
  0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 71.7 kB disk space will be freed.
  Do you want to continue? [Y/n] y
  (Reading database ... 63 files and directories currently installed.)
  Removing systemd-shim (9-1bzr4ubuntu1) ...
  Removing 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim'
  dpkg-divert: error: rename involves overwriting '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service' with
    different file '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd', not allowed
  dpkg: error processing package systemd-shim (--remove):
   subprocess installed post-removal script returned error exit status 2
  Errors were encountered while processing:
   systemd-shim
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  Commenting out the dpkg-divert in systemd-shim's postrm solved this
  for me and I was about to continue the upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1773859/+subscriptions



[Touch-packages] [Bug 1767172] Re: Regression: /etc/modules checked against blacklist or it's really hard to load blacklisted watchdog modules when one really wants one

2019-05-20 Thread Kees Cook
I think it's fine. It sounds like there will just be no way to override
package-installed blacklists any more. That's unfortunate, but it's a
very rare situation.

** Changed in: systemd (Ubuntu)
   Status: Incomplete => Won't Fix

** Changed in: linux (Ubuntu)
   Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1767172

Title:
  Regression: /etc/modules checked against blacklist or it's really hard
  to load blacklisted watchdog modules when one really wants one

Status in linux package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Won't Fix

Bug description:
  Impossible / hard to force the system to load a watchdog module
  because it is blacklisted by the kernel auto-generated list of
  "watchdog" modules.

  /etc/modules used to "just work" before.

  e.g. bcm2835_wdt module on arm64

  ===

  Before systemd-modules-load, /etc/init.d/kmod would load modules
  directly with "modprobe" (and _not_ "modprobe -b"):

  load_module() {
    local module args
    module="$1"
    args="$2"

    if [ "$VERBOSE" != no ]; then
      log_action_msg "Loading kernel module $module"
      modprobe $module $args || true
    else
      modprobe $module $args > /dev/null 2>&1 || true
    fi
  }

  However, under 18.04, systemd-modules-load will _ignore_ modules that
  are manually listed in /etc/modules and process them with the
  blacklist (the same as "modprobe -b" would). This means that it is not
  possible to manually load modules that are blacklisted (like watchdog
  modules):

  systemd-238/src/modules-load/modules-load.c:

  static int load_module(struct kmod_ctx *ctx, const char *m) {
          const int probe_flags = KMOD_PROBE_APPLY_BLACKLIST;
          ...
          default:
                  err = kmod_module_probe_insert_module(mod, probe_flags,
                                                        NULL, NULL, NULL, NULL);

                  if (err == 0)
                          log_info("Inserted module '%s'", kmod_module_get_name(mod));
                  else if (err == KMOD_PROBE_APPLY_BLACKLIST)
                          log_info("Module '%s' is blacklisted", kmod_module_get_name(mod));

  Blacklists should _not_ be applied by systemd-modules-load.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1767172/+subscriptions



[Touch-packages] [Bug 305901]

2019-02-22 Thread Kees Cook
So I'd like to bring this back up and reiterate the issue: there is no
benefit to the early truncation, and it actively breaks lots of existing
software (which is why Debian and Ubuntu have had this fix for 10 years
now).

What is the _benefit_ of early truncation that justifies breaking so
many existing cases?

Can glibc please take this patch? http://paste.ubuntu.com/p/CbrxmSfKD4/

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/305901

Title:
  Intrepid gcc -O2 breaks string appending with sprintf(), due to
  fortify source patch

Status in GLibC:
  Confirmed
Status in 4g8 package in Ubuntu:
  Invalid
Status in abiword package in Ubuntu:
  Invalid
Status in asterisk package in Ubuntu:
  Invalid
Status in atomicparsley package in Ubuntu:
  Invalid
Status in audacious-plugins package in Ubuntu:
  Invalid
Status in barnowl package in Ubuntu:
  Invalid
Status in billard-gl package in Ubuntu:
  Invalid
Status in binutils package in Ubuntu:
  Invalid
Status in blender package in Ubuntu:
  Invalid
Status in ctn package in Ubuntu:
  Invalid
Status in gcc-4.3 package in Ubuntu:
  Invalid
Status in glibc package in Ubuntu:
  Fix Released
Status in hypermail package in Ubuntu:
  Invalid
Status in mpeg4ip package in Ubuntu:
  Invalid
Status in nagios-plugins package in Ubuntu:
  Invalid
Status in owl package in Ubuntu:
  Invalid
Status in xmcd package in Ubuntu:
  Invalid
Status in 4g8 source package in Intrepid:
  Invalid
Status in abiword source package in Intrepid:
  Invalid
Status in asterisk source package in Intrepid:
  Invalid
Status in atomicparsley source package in Intrepid:
  Invalid
Status in audacious-plugins source package in Intrepid:
  Invalid
Status in barnowl source package in Intrepid:
  Invalid
Status in billard-gl source package in Intrepid:
  Invalid
Status in binutils source package in Intrepid:
  Invalid
Status in blender source package in Intrepid:
  Invalid
Status in ctn source package in Intrepid:
  Invalid
Status in gcc-4.3 source package in Intrepid:
  Invalid
Status in glibc source package in Intrepid:
  Fix Released
Status in hypermail source package in Intrepid:
  Invalid
Status in mpeg4ip source package in Intrepid:
  Invalid
Status in nagios-plugins source package in Intrepid:
  Invalid
Status in owl source package in Intrepid:
  Invalid
Status in xmcd source package in Intrepid:
  Invalid
Status in 4g8 source package in Jaunty:
  Invalid
Status in abiword source package in Jaunty:
  Invalid
Status in asterisk source package in Jaunty:
  Invalid
Status in atomicparsley source package in Jaunty:
  Invalid
Status in audacious-plugins source package in Jaunty:
  Invalid
Status in barnowl source package in Jaunty:
  Invalid
Status in billard-gl source package in Jaunty:
  Invalid
Status in binutils source package in Jaunty:
  Invalid
Status in blender source package in Jaunty:
  Invalid
Status in ctn source package in Jaunty:
  Invalid
Status in gcc-4.3 source package in Jaunty:
  Invalid
Status in glibc source package in Jaunty:
  Fix Released
Status in hypermail source package in Jaunty:
  Invalid
Status in mpeg4ip source package in Jaunty:
  Invalid
Status in nagios-plugins source package in Jaunty:
  Invalid
Status in owl source package in Jaunty:
  Invalid
Status in xmcd source package in Jaunty:
  Invalid

Bug description:
  Binary package hint: gcc-4.3

  In Hardy and previous releases, one could use statements such as
sprintf(buf, "%s %s%d", buf, foo, bar);
  to append formatted text to a buffer buf.  Intrepid’s gcc-4.3, which has
  fortify source turned on by default when compiling with -O2, breaks this
  pattern.  This introduced mysterious bugs into an application I was compiling
  (the BarnOwl IM client).

  Test case: gcc -O2 sprintf-test.c -o sprintf-test

    #include <stdio.h>
    char buf[80] = "not ";
    int main()
    {
        sprintf(buf, "%sfail", buf);
        puts(buf);
        return 0;
    }

  This outputs "not fail" in Hardy, and "fail" in Intrepid.

  The assembly output shows that the bug has been introduced by
  replacing the sprintf(buf, "%sfail", buf) call with __sprintf_chk(buf,
  1, 80, "%sfail", buf).  A workaround is to disable fortify source (gcc
  -U_FORTIFY_SOURCE).

  One might argue that this usage of sprintf() is questionable.  I had
  been under the impression that it is valid, and found many web pages
  that agree with me, though I was not able to find an authoritative
  statement either way citing the C specification.  I decided to
  investigate how common this pattern is in real source code.

  You can search a source file for instances of it with this regex:
pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'

  To determine how common the pattern is, I wrote a script to track down
  instances using Google Code Search, and found 2888 matches:

[Touch-packages] [Bug 305901]

2019-02-22 Thread Kees Cook
It's not defined in POSIX, but it has worked a certain way in glibc for
decades. There's no _reason_ to break it for _FORTIFY_SOURCE. Pre-truncating
just silently breaks programs and does weird stuff. If you want to expose it
with _FORTIFY_SOURCE then have vsprintf notice that the target and first
format argument are the same variable, and refuse to build.

Either pretruncation should be eliminated, or the undefined behavior
should be explicitly detected and dealt with. Just having programs lose
data while running with no indication of the cause seems like a terrible
user experience.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/305901


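The self-append pattern from the bug description and the vsprintf aliasing check suggested in the comment above, worked through in C as an added example (this is not code from the bug report or from glibc; the helper names append_fmt, append_str, aliases_buffer and build_message are this example's own):

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the bug report: the self-append idiom the
 * report shows, next to an append helper that does not depend on sprintf
 * reading its destination before writing it. All helper names here are
 * this example's own.
 */

/* The report's pattern. What it returns depends on the build: "not fail"
 * where sprintf reads buf first, "fail" where __sprintf_chk truncates buf
 * before formatting (-O2 with _FORTIFY_SOURCE). Kept only so the two builds
 * can be compared; nothing below relies on its result. */
const char *legacy_self_append(void)
{
    static char buf[80];
    strcpy(buf, "not ");
    sprintf(buf, "%sfail", buf);   /* destination aliases the %s argument */
    return buf;
}

/* True when p points inside [buf, buf + cap): the aliasing check the
 * comment above suggests a fortified vsprintf could make and refuse on. */
int aliases_buffer(const char *buf, size_t cap, const char *p)
{
    uintptr_t lo = (uintptr_t)buf, x = (uintptr_t)p;
    return x >= lo && x < lo + cap;
}

/* Append formatted text after the string already in buf. Returns the new
 * length, or -1 with buf left as it was when buf is not NUL-terminated
 * within cap or the result would not fit. The existing contents are never
 * passed back through a %s, so fortified and unfortified builds agree. */
int append_fmt(char *buf, size_t cap, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL)
        return -1;                 /* no terminator: refuse to guess */
    size_t used = (size_t)(end - buf);

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, cap - used, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= cap - used) {
        buf[used] = '\0';          /* roll back the truncated write */
        return -1;
    }
    return (int)(used + n);
}

/* String append that refuses the sprintf(buf, "%s...", buf) shape outright. */
int append_str(char *buf, size_t cap, const char *s)
{
    if (aliases_buffer(buf, cap, s))
        return -1;
    return append_fmt(buf, cap, "%s", s);
}

/* The report's sprintf(buf, "%s %s%d", buf, foo, bar), built as appends:
 * prefix first (refused if it aliases buf), then " foo<bar>". */
int build_message(char *buf, size_t cap, const char *prefix,
                  const char *foo, int bar)
{
    if (cap == 0 || aliases_buffer(buf, cap, prefix))
        return -1;
    buf[0] = '\0';
    if (append_fmt(buf, cap, "%s", prefix) < 0)
        return -1;
    return append_fmt(buf, cap, " %s%d", foo, bar);
}

int main(void)
{
    char msg[32];
    printf("legacy: \"%s\"\n", legacy_self_append());
    if (build_message(msg, sizeof msg, "id", "user", 7) >= 0)
        printf("append_fmt: \"%s\"\n", msg);
    return 0;
}
```

Build it twice, with and without -O2 -D_FORTIFY_SOURCE=2, to watch legacy_self_append change while build_message does not.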
[Touch-packages] [Bug 305901]

2019-02-22 Thread Kees Cook
I'd still like to have this patch applied -- while we can claim the
behavior is "undefined", it is not, in fact, undefined. It behaves one
way without -D_FORTIFY_SOURCE=2, and differently with it. And that
difference doesn't need to exist. Ubuntu carried this patch for quite a
while.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/305901


[Touch-packages] [Bug 1773859] Re: upgrades to 18.04 fail

2018-06-12 Thread Kees Cook
# dpkg -L systemd-shim
/.
/usr
/usr/lib
/usr/lib/i386-linux-gnu
/usr/lib/i386-linux-gnu/systemd-shim
/usr/lib/i386-linux-gnu/systemd-shim-cgroup-release-agent
/usr/lib/systemd
/usr/lib/systemd/ntp-units.d
/usr/lib/systemd/ntp-units.d/systemd-shim.list
/usr/share
/usr/share/dbus-1
/usr/share/dbus-1/system-services
/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service
package diverts others to: /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd
/usr/share/doc
/usr/share/doc/systemd-shim
/usr/share/doc/systemd-shim/copyright
/usr/share/doc/systemd-shim/changelog.Debian.gz


# cat /var/lib/dpkg/info/systemd-shim.postrm
#!/bin/sh

set -e

if [ "$1" = remove -o "$1" = purge ]; then
    dpkg-divert --package systemd-shim --remove --rename --divert \
        /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd \
        /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service
fi

# Automatically added by dh_installdeb
dpkg-maintscript-helper rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd-shim.conf 8-4 systemd-shim -- "$@"
# End automatically added section
# Automatically added by dh_installdeb
dpkg-maintscript-helper rm_conffile /etc/dbus-1/system.d/org.freedesktop.systemd1.conf 6-2 systemd-shim -- "$@"
# End automatically added section


The error was:

Removing systemd-shim (9-1bzr4ubuntu1) ...
Removing 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim'
dpkg-divert: error: rename involves overwriting '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service' with
  different file '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd', not allowed


I have no idea what the dpkg-divert error means there, but I assume there's
some interaction I'm not following with the divert...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1773859

Title:
  upgrades to 18.04 fail

Status in systemd package in Ubuntu:
  New
Status in systemd-shim package in Ubuntu:
  Incomplete
Status in systemd source package in Bionic:
  New
Status in systemd-shim source package in Bionic:
  New

Bug description:
  $ sudo apt upgrade
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Calculating upgrade... Done
  The following packages will be REMOVED:
systemd-shim
  0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 71.7 kB disk space will be freed.
  Do you want to continue? [Y/n] y
  (Reading database ... 63 files and directories currently installed.)
  Removing systemd-shim (9-1bzr4ubuntu1) ...
  Removing 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim'
  dpkg-divert: error: rename involves overwriting '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service' with
    different file '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd', not allowed
  dpkg: error processing package systemd-shim (--remove):
   subprocess installed post-removal script returned error exit status 2
  Errors were encountered while processing:
   systemd-shim
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  Commenting out the dpkg-divert in systemd-shim's postrm solved this
  for me and I was about to continue the upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1773859/+subscriptions



[Touch-packages] [Bug 1773859] Re: upgrades to 18.04 fail

2018-06-12 Thread Kees Cook
# cat /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service
[D-BUS Service]
Name=org.freedesktop.systemd1
User=root
Exec=/usr/lib/x86_64-linux-gnu/systemd-shim

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1773859


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1773859/+subscriptions



[Touch-packages] [Bug 1593924] Re: systemd-shim was not installed in 16.10 and now cannot purge or remove

2018-05-28 Thread Kees Cook
** Package changed: libjpeg-turbo (Ubuntu) => systemd-shim (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd-shim in Ubuntu.
https://bugs.launchpad.net/bugs/1593924

Title:
  systemd-shim was not installed in 16.10 and now cannot purge or remove

Status in systemd-shim package in Ubuntu:
  Invalid

Bug description:
  spsanchez@spsanchez-OEM:~$ sudo apt upgrade
  Reading package lists... Done
  Building dependency tree   
  Reading state information... Done
  Calculating upgrade... Done
  The following packages will be REMOVED:
systemd-shim
  0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 71.7 kB disk space will be freed.
  Do you want to continue? [Y/n] y
  (Reading database ... 63 files and directories currently installed.)
  Removing systemd-shim (9-1bzr4ubuntu1) ...
  Removing 'diversion of /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to /usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by systemd-shim'
  dpkg-divert: error: rename involves overwriting '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service' with
    different file '/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd', not allowed
  dpkg: error processing package systemd-shim (--remove):
   subprocess installed post-removal script returned error exit status 2
  Errors were encountered while processing:
   systemd-shim
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  spsanchez@spsanchez-OEM:~$

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd-shim/+bug/1593924/+subscriptions



[Touch-packages] [Bug 1773859] [NEW] upgrades to 18.04 fail

2018-05-28 Thread Kees Cook
Public bug reported:

$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be REMOVED:
  systemd-shim
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 71.7 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 63 files and directories currently installed.)
Removing systemd-shim (9-1bzr4ubuntu1) ...
Removing 'diversion of 
/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service to 
/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd by 
systemd-shim'
dpkg-divert: error: rename involves overwriting 
'/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service' with
  different file 
'/usr/share/dbus-1/system-services/org.freedesktop.systemd1.service.systemd', 
not allowed
dpkg: error processing package systemd-shim (--remove):
 subprocess installed post-removal script returned error exit status 2
Errors were encountered while processing:
 systemd-shim
E: Sub-process /usr/bin/dpkg returned an error code (1)

Commenting out the dpkg-divert in systemd-shim's postrm solved this for
me and I was about to continue the upgrade.

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: systemd-shim (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: systemd (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Affects: systemd-shim (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: systemd (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: systemd-shim (Ubuntu Bionic)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd-shim in Ubuntu.
https://bugs.launchpad.net/bugs/1773859

Title:
  upgrades to 18.04 fail

Status in systemd package in Ubuntu:
  New
Status in systemd-shim package in Ubuntu:
  New
Status in systemd source package in Bionic:
  New
Status in systemd-shim source package in Bionic:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1773859/+subscriptions



[Touch-packages] [Bug 1767172] Re: Regression: /etc/modules checked against blacklist

2018-04-26 Thread Kees Cook
https://github.com/systemd/systemd/pull/8830

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1767172

Title:
  Regression: /etc/modules checked against blacklist

Status in systemd package in Ubuntu:
  New

Bug description:
  Before systemd-modules-load, /etc/init.d/kmod would load modules
  directly with "modprobe" (and _not_ "modprobe -b"):

  load_module() {
local module args
module="$1"
args="$2"

if [ "$VERBOSE" != no ]; then
  log_action_msg "Loading kernel module $module"
  modprobe $module $args || true
else
  modprobe $module $args > /dev/null 2>&1 || true
fi
  }

  However, under 18.04, systemd-modules-load will _ignore_ modules that
  are manually listed in /etc/modules and process them with the
  blacklist (the same as "modprobe -b" would). This means that it is not
  possible to manually load modules that are blacklisted (like watchdog
  modules):

  systemd-238/src/modules-load/modules-load.c:

  static int load_module(struct kmod_ctx *ctx, const char *m) {
  const int probe_flags = KMOD_PROBE_APPLY_BLACKLIST;
  ...
  default:
  err = kmod_module_probe_insert_module(mod, 
probe_flags,
NULL, NULL, 
NULL, NULL);

  if (err == 0)
  log_info("Inserted module '%s'", 
kmod_module_get_name(mod));
  else if (err == KMOD_PROBE_APPLY_BLACKLIST)
  log_info("Module '%s' is blacklisted", 
kmod_module_get_name(mod));

  Blacklists should _not_ be applied by systemd-modules-load.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1767172/+subscriptions



[Touch-packages] [Bug 1767172] [NEW] Regression: /etc/modules checked against blacklist

2018-04-26 Thread Kees Cook
Public bug reported:

Before systemd-modules-load, /etc/init.d/kmod would load modules
directly with "modprobe" (and _not_ "modprobe -b"):

load_module() {
  local module args
  module="$1"
  args="$2"

  if [ "$VERBOSE" != no ]; then
log_action_msg "Loading kernel module $module"
modprobe $module $args || true
  else
modprobe $module $args > /dev/null 2>&1 || true
  fi
}

However, under 18.04, systemd-modules-load will _ignore_ modules that
are manually listed in /etc/modules and process them with the blacklist
(the same as "modprobe -b" would). This means that it is not possible to
manually load modules that are blacklisted (like watchdog modules):

systemd-238/src/modules-load/modules-load.c:

static int load_module(struct kmod_ctx *ctx, const char *m) {
const int probe_flags = KMOD_PROBE_APPLY_BLACKLIST;
...
default:
err = kmod_module_probe_insert_module(mod, probe_flags,
  NULL, NULL, NULL, 
NULL);

if (err == 0)
log_info("Inserted module '%s'", 
kmod_module_get_name(mod));
else if (err == KMOD_PROBE_APPLY_BLACKLIST)
log_info("Module '%s' is blacklisted", 
kmod_module_get_name(mod));

Blacklists should _not_ be applied by systemd-modules-load.

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: regression-release

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1767172

Title:
  Regression: /etc/modules checked against blacklist

Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1767172/+subscriptions


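The blacklist behaviour described in this report, modelled as an added example (Python; not code from the report or from systemd): given /etc/modules-style input and modprobe.d content, it reports which explicitly listed modules systemd-modules-load 238 would skip under KMOD_PROBE_APPLY_BLACKLIST and which the old init script's plain modprobe would have loaded. The two sample configs are constructed for the demonstration, and the watchdog module name is only an illustration.

```python
"""Which /etc/modules entries would systemd-modules-load (systemd 238) skip?

Added example; not code from the bug report or from systemd. It models the
behaviour the report describes: systemd-modules-load probes with
KMOD_PROBE_APPLY_BLACKLIST, so a module named explicitly in /etc/modules is
skipped when a 'blacklist' line under /etc/modprobe.d matches it, whereas
the old /etc/init.d/kmod script's plain 'modprobe' loaded it anyway.
The two sample configs at the bottom are constructed, not copied from a
real system; on a live box read /etc/modules, /etc/modules-load.d/*.conf
and /etc/modprobe.d/*.conf instead.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """kmod treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")


def parse_modprobe_blacklist(text: str) -> set[str]:
    """Collect module names from 'blacklist <module>' directives.

    '#' comments and backslash continuations follow modprobe.d(5).
    'install <mod> /bin/false' is a different mechanism (it also blocks
    autoloading) and is deliberately not counted as a blacklist entry.
    """
    blacklisted: set[str] = set()
    joined = re.sub(r"\\\n", " ", text)          # join continuation lines
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "blacklist":
            blacklisted.add(normalize(parts[1]))
    return blacklisted


def parse_modules_list(text: str) -> list[str]:
    """Parse /etc/modules or modules-load.d input: one module per line,
    lines starting with '#' or ';' ignored, trailing arguments dropped."""
    modules: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        modules.append(normalize(line.split()[0]))
    return modules


@dataclass
class Verdict:
    loaded: list[str] = field(default_factory=list)
    skipped: list[str] = field(default_factory=list)   # refused as blacklisted


def simulate_modules_load(modules_text: str, modprobe_d_text: str,
                          apply_blacklist: bool = True) -> Verdict:
    """apply_blacklist=True mirrors systemd-modules-load 238
    (KMOD_PROBE_APPLY_BLACKLIST); False mirrors the init script's plain
    'modprobe'. Only the named module is checked, as with
    KMOD_PROBE_APPLY_BLACKLIST (as opposed to ..._BLACKLIST_ALL), so a
    blacklisted dependency is not modelled here."""
    blacklist = parse_modprobe_blacklist(modprobe_d_text)
    verdict = Verdict()
    for mod in parse_modules_list(modules_text):
        if apply_blacklist and mod in blacklist:
            verdict.skipped.append(mod)
        else:
            verdict.loaded.append(mod)
    return verdict


# Constructed sample inputs.
SAMPLE_MODULES = """\
# /etc/modules: kernel modules to load at boot time.
iTCO_wdt
loop
"""

SAMPLE_MODPROBE_D = """\
# Watchdog drivers are commonly blacklisted so they do not autoload and
# reboot a box that nothing is feeding; the admin above wants one anyway.
blacklist iTCO-wdt
blacklist it87_wdt
"""

if __name__ == "__main__":
    for label, flag in (("systemd-modules-load", True), ("init.d/kmod", False)):
        v = simulate_modules_load(SAMPLE_MODULES, SAMPLE_MODPROBE_D, flag)
        print(f"{label:21} loaded={v.loaded} skipped={v.skipped}")
```

Running it prints the same module list twice: the systemd case skips iTCO_wdt, the init-script case loads it. Point simulate_modules_load() at the concatenated contents of /etc/modprobe.d/*.conf to see which entries in a real /etc/modules are silently dropped after the upgrade.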

[Touch-packages] [Bug 1747711] Re: file mis-identifies modern executables as application/x-sharedlib

2018-02-17 Thread Kees Cook
This is (sort of) a bug in file. The problem is not being able to
distinguish between shared objects and PIE binaries. (The latter have
INTERP ELF sections and can be run directly.)

$ readelf -l /bin/true
...
Elf file type is EXEC (Executable file)
...
  INTERP 0x0238 0x00400238 0x00400238
 0x001c 0x001c  R  1
  [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
...


$ readelf -l /usr/lib/x86_64-linux-gnu/libmagic.so.1.0.0
...
Elf file type is DYN (Shared object file)
...[no INTERP]...


$ readelf -l /usr/bin/ssh
...
Elf file type is DYN (Shared object file)
...
  INTERP 0x0238 0x0238 0x0238
 0x001c 0x001c  R  1
  [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]

So for mime types to distinguish, "file" needs to grow reporting of the
INTERP presence.

This has become an issue in bionic due to PIE-by-default.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to file in Ubuntu.
https://bugs.launchpad.net/bugs/1747711

Title:
  file mis-identifies modern executables as application/x-sharedlib

Status in file package in Ubuntu:
  New

Bug description:
  file doesn't recognize modern PIE (Position Independent Executable)
  x86 executables as such, reporting them as “application/x-sharedlib”.
  Consequently, only non-PIE executables can be opened in graphical file
  managers such as nautilus. This may cause a minor (?) security risk if
  a commonly-published workaround is attempted.

  Expected behaviour:

  $ echo "int main() { return 0; }" > foo.c
  $ gcc -o foo foo.c
  $ file foo
  foo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically 
linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, 
BuildID[sha1]=6e7749f995a89a53f74ec29d3c16fcf3f56be90f, not stripped
  $ file --mime-type foo
  foo: application/x-executable

  Actual behaviour:

  $ echo "int main() { return 0; }" > foo.c
  $ gcc -o foo foo.c
  $ file foo
  foo: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically 
linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, 
BuildID[sha1]=6e7749f995a89a53f74ec29d3c16fcf3f56be90f, not stripped
  $ file --mime-type foo
  foo: application/x-sharedlib

  Workaround (unsafe?):

  $ echo "int main() { return 0; }" > foo.c
  $ gcc -o foo-nopie foo.c -no-pie
  $ file foo-nopie
  foo-nopie: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), 
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 
3.2.0, BuildID[sha1]=3eb8c581f43c19997e3c828f5a9730dbdc794470, not stripped
  $ file --mime-type foo-nopie
  foo-nopie: application/x-executable

  gcc now defaults to building with PIE enabled for security reasons.

  Also affects: nautilus (and likely other graphical file managers like
  those on Lubuntu) - because nautilus uses mime-type to determine if a
  file is executable, double-click to run a program no longer works.

  Also noted on: Gnome Bugs -
  https://bugzilla.gnome.org/show_bug.cgi?id=737849 (2014) - before PIE
  became the default build option.

  This may be an upstream issue. This may not affect architectures
  outside x86.*

  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: file 1:5.32-1
  ProcVersionSignature: Ubuntu 4.13.0-32.35-generic 4.13.13
  Uname: Linux 4.13.0-32-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3.7
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Tue Feb  6 11:21:20 2018
  InstallationDate: Installed on 2017-05-11 (270 days ago)
  InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Release amd64 (20170412)
  SourcePackage: file
  UpgradeStatus: Upgraded to artful on 2017-10-21 (108 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/file/+bug/1747711/+subscriptions


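The INTERP-based distinction proposed in the comment above, as an added example (Python; not code from the report or from the file(1) project): it reads e_type and scans the program header table for PT_INTERP, which is exactly what separates /usr/bin/ssh from libmagic.so in the readelf output quoted. The images it is exercised on are constructed in memory for the demonstration; classify_path() runs the same check on real binaries.

```python
"""Classify an ELF image by e_type plus the presence of PT_INTERP, the
distinction the comment above says file(1) needs in order to tell a PIE
executable from a shared library.

Added example; not code from the bug report or from the file(1) project.
Only the ELF header and the program header table are read, so stripped
binaries work. The images produced by build_elf64() below are constructed
in memory for the demonstration (they are not loadable programs); use
classify_path() on /usr/bin/ssh, /bin/true or a .so for the real thing.
"""
import struct

ET_REL, ET_EXEC, ET_DYN, ET_CORE = 1, 2, 3, 4
PT_LOAD, PT_INTERP = 1, 3

# MIME types in the style file(1) uses; 'pie-executable' is the case the
# report is about: file 5.32 calls it application/x-sharedlib.
MIME = {
    "relocatable": "application/x-object",
    "executable": "application/x-executable",
    "pie-executable": "application/x-executable",
    "shared-object": "application/x-sharedlib",
    "core": "application/x-coredump",
    "other": "application/octet-stream",
}

_EHDR = {1: ("16sHHIIIIIHHHHHH", "IIIIIIII"),   # ELFCLASS32: Elf32_Ehdr, Elf32_Phdr
         2: ("16sHHIQQQIHHHHHH", "IIQQQQQQ")}   # ELFCLASS64: Elf64_Ehdr, Elf64_Phdr


def classify_elf(data: bytes) -> str:
    """Return 'relocatable', 'executable', 'pie-executable', 'shared-object',
    'core' or 'other'.

    Caveat: ET_DYN plus PT_INTERP is also what a shared library that can be
    run directly looks like (glibc's libc.so carries an interpreter), so this
    test calls such a library 'pie-executable'. Newer toolchains additionally
    mark PIEs with the DF_1_PIE dynamic flag, which this function does not
    parse.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in _EHDR or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class/encoding")
    endian = "<" if ei_data == 1 else ">"
    ehdr_fmt, phdr_fmt = (endian + f for f in _EHDR[ei_class])
    if len(data) < struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    # Field order is the same for both classes: ident, type, machine,
    # version, entry, phoff, shoff, flags, ehsize, phentsize, phnum, ...
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            raise ValueError("program header table runs past end of data")
        p_type = struct.unpack_from(phdr_fmt, data, off)[0]   # p_type is first in both
        if p_type == PT_INTERP:
            has_interp = True
            break

    if e_type == ET_REL:
        return "relocatable"
    if e_type == ET_EXEC:
        return "executable"
    if e_type == ET_DYN:
        return "pie-executable" if has_interp else "shared-object"
    if e_type == ET_CORE:
        return "core"
    return "other"


def classify_path(path: str) -> str:
    """Classify a file on disk; assumes the program header table sits in the
    first 64 KiB, where linkers place it."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read(65536))


def build_elf64(e_type: int, with_interp: bool) -> bytes:
    """Construct a minimal little-endian x86-64 image: Elf64_Ehdr followed by
    a PT_LOAD and, optionally, a PT_INTERP header shaped like the readelf
    output quoted in the comment above. Test data only."""
    phdrs = [(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if with_interp:
        phdrs.insert(0, (PT_INTERP, 4, 0x238, 0x238, 0x238, 0x1c, 0x1c, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1, SYSV
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3e, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        kind = classify_path(path)
        print(f"{path}: {kind} ({MIME[kind]})")
```

Run it with a few paths (`python3 elfkind.py /bin/true /usr/bin/ssh /usr/lib/x86_64-linux-gnu/libmagic.so.1`) and the three cases from the readelf output above come out as executable, pie-executable and shared-object respectively. The caveat in the docstring is the reason a mime-type alone is a weak basis for a file manager's "is this runnable" decision.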

[Touch-packages] [Bug 1658236] Re: php abstraction not updated for php7

2017-01-20 Thread Kees Cook
This creates an upgrade burden on anyone already including the php5
abstraction. I think there should be a single abstraction (named php)
but a symlink back to php5 that includes 5 and current...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1658236

Title:
  php abstraction not updated for php7

Status in apparmor package in Ubuntu:
  New

Bug description:
  The php abstraction (also wrongly named php5 now) was not updated for
  php7. Attached is a diff I used...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658236/+subscriptions



[Touch-packages] [Bug 1658238] [NEW] apache2 abstraction incomplete

2017-01-20 Thread Kees Cook
Public bug reported:

Apache2 needs updates for proper signal handling, optional saslauth, and
OCSP stapling...


--- apache2-common  2014-06-24 11:06:06.0 -0700
+++ /etc/apparmor.d/abstractions/apache2-common 2015-05-21 07:51:49.0 
-0700
@@ -8,6 +8,8 @@
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
   signal (receive) peer=/usr/sbin/apache2,
+  # Allow other hats to signal by default
+  signal peer=/usr/sbin/apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},

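Review bot: the added rule `signal peer=/usr/sbin/apache2//*,` grants both sending and receiving, while the neighbouring rules for unconfined and /usr/sbin/apache2 are restricted to `(receive)`, and the comment "Allow other hats to signal by default" does not say whether send was intended. If hats only need to deliver signals to this profile, narrow it to `signal (receive) peer=/usr/sbin/apache2//*,`; if sending is needed as well, say so in the comment so the widening is clearly deliberate.
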
@@ -25,3 +27,12 @@

   /dev/urandomr,

+  # sasl-auth
+  /run/saslauthd/mux rw,
+
+  # OCSP stapling
+  /var/log/apache2/stapling-cache rw,

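Review bot: the header `@@ -25,3 +27,12 @@` announces nine added lines but only five `+` lines follow, so the patch as posted looks truncated; please re-attach the complete diff as a file rather than inline so nothing is lost. Also, `/var/log/apache2/stapling-cache rw,` hard-codes one site's cache location, which mod_ssl takes from the SSLStaplingCache directive; a comment naming the assumed directive (for example `SSLStaplingCache shmcb:/var/log/apache2/stapling-cache`) would tell other users why the rule may not match their configuration.
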
** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1658238

Title:
  apache2 abstraction incomplete

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658238/+subscriptions



[Touch-packages] [Bug 1658239] [NEW] base abstraction missing glibc /proc/$pid/ things

2017-01-20 Thread Kees Cook
Public bug reported:

There are yet more glibc-needed files missing from the base abstraction:

--- base2017-01-20 15:37:50.0 -0800
+++ /etc/apparmor.d/abstractions/base   2016-12-06 14:13:58.0 -0800
@@ -92,7 +92,7 @@
   /sys/devices/system/cpu/online r,

   # glibc's *printf protections read the maps file
-  @{PROC}/@{pid}/mapsr,
+  @{PROC}/@{pid}/{maps,auxv,status}r,

   # libgcrypt reads some flags from /proc
   @{PROC}/sys/crypto/*   r,

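Review bot: the comment above the changed line still reads "glibc's *printf protections read the maps file", but the rule now also grants auxv and status; extend the comment to say which glibc code reads those so the wider grant is documented. Also consider `owner @{PROC}/@{pid}/{maps,auxv,status} r,`: without `owner` the rule lets the confined process read the status and auxv of every process on the box, not just its own. If the unqualified form is kept to stay consistent with the existing maps line, say so in the comment.
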
** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1658239

Title:
  base abstraction missing glibc /proc/$pid/ things

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658239/+subscriptions



[Touch-packages] [Bug 1658236] [NEW] php abstraction not updated for php7

2017-01-20 Thread Kees Cook
Public bug reported:

The php abstraction (also wrongly named php5 now) was not updated for
php7. Attached is a diff I used...

** Affects: apparmor (Ubuntu)
 Importance: Undecided
 Status: New

** Patch added: "php.diff"
   https://bugs.launchpad.net/bugs/1658236/+attachment/4806929/+files/php.diff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1658236

Title:
  php abstraction not updated for php7

Status in apparmor package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658236/+subscriptions



[Touch-packages] [Bug 1645501] Re: corefiles not created in armhf chroot on arm64 porter

2016-11-29 Thread Kees Cook
ptrace(PTRACE_GETREGSET, 27642, NT_FPREGSET, 0xffcc67f0) = -1 EINVAL
(Invalid argument)

NT_FPREGSET is "2", which the kernel calls NT_PRFPREG.

arm64 kernels don't implement this for compat processes, they only
support NT_ARM_VFP. If I understand correctly, VFP is hard float, so it
seems like this is a bug in gdb: it should only ask for NT_ARM_VFP, not
NT_PRFPREG.

If I'm mistaken, then the kernel is missing support for compat tasks to
issue NT_PRFPREG requests...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gdb in Ubuntu.
https://bugs.launchpad.net/bugs/1645501

Title:
  corefiles not created in armhf chroot on arm64 porter

Status in gdb package in Ubuntu:
  New

Bug description:
  I'm filing this about gdb per Steve's suggestion, although this could
  be an issue somewhere else.

  I recently discovered that the apport-test-crash
  (https://code.launchpad.net/~daisy-pluckers/error-tracker-deployment
  /test-crashes) crash files produced for armhf are crash files without
  CoreDumps.  This happened sometime between 20160531 and 20161025.
  I've recreated this on the porter-arm64 box with the following minimal
  test case (generate-sigsegv-crash.py is from apport-test-crashes):

  schroot -c yakkety-armhf
  python generate-sigsegv-crash.py cat

  Running this on both armhf and arm64 we can see the following
  different output.

  armhf chroot on porter-armhf:

47 Program received signal SIGSEGV, Segmentation fault.
48 0xb6f599e4 in read () at ../sysdeps/unix/syscall-template.S:84
49 84  ../sysdeps/unix/syscall-template.S: No such file or directory.
50 (gdb) Saved corefile /tmp/tmp840s08i1/my.core

  armhf chroot on porter-arm64:

47 Program received signal SIGSEGV, Segmentation fault.
48 0xf772f9e4 in read () at ../sysdeps/unix/syscall-template.S:84
49 84  ../sysdeps/unix/syscall-template.S: No such file or directory.
50 (gdb) Unable to fetch the floating point registers.: Invalid argument.

  Notice how there is no core file saved on porter-arm64.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdb/+bug/1645501/+subscriptions



[Touch-packages] [Bug 1586673] Re: Backport GCC 5.4.0 and binutils 2.26.1 to 16.04 LTS

2016-07-12 Thread Kees Cook
I'm able to use these (and I can verify they fix the problems I was
having), so +1 to promotion to -updates. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to binutils in Ubuntu.
https://bugs.launchpad.net/bugs/1586673

Title:
  Backport GCC 5.4.0 and binutils 2.26.1 to 16.04 LTS

Status in binutils package in Ubuntu:
  Fix Released
Status in gcc-5 package in Ubuntu:
  Fix Released
Status in gcc-5-cross package in Ubuntu:
  Fix Released
Status in gcc-5-cross-ports package in Ubuntu:
  Fix Released
Status in binutils source package in Xenial:
  Fix Committed
Status in gcc-5 source package in Xenial:
  Fix Committed
Status in gcc-5-cross source package in Xenial:
  Fix Committed
Status in gcc-5-cross-ports source package in Xenial:
  Fix Committed

Bug description:
  Backport GCC 5.4.0 and binutils 2.26.1 to 16.04 LTS.  16.04 LTS ships
  binutils and gcc-5 versions taken from the release branches, which saw
  more regression fixes and support for new hardware until the 5.4.0 and
  2.26.1 point releases. The idea is to include these final point
  releases into 16.04.1 LTS, with test rebuilds done for all packages,
  and regression checks for seeded packages.

  Acceptance criteria should be no regressions for the seeded packages,
  plus a best effort for unseeded packages.  During the analysis of the
  build failures, one gcc regression (libstdc++ header reorg) was found
  and reverted, and validated, that these build failures are fixed (plus
  affected seeded packages were uploaded to xenial-proposed anyway).

  reference test rebuild:
  
http://people.ubuntuwire.org/~wgrant/rebuild-ftbfs-test/test-rebuild-20160614-baseline-xenial.html

  test rebuild (xenial-release):
  
http://people.ubuntuwire.org/~wgrant/rebuild-ftbfs-test/test-rebuild-20160614-xenial.html

  test rebuild (xenial-updates):
  
http://people.ubuntuwire.org/~wgrant/rebuild-ftbfs-test/test-rebuild-20160614-updates-xenial.html

  The test rebuild was done using packages from the ubuntu-
  toolchain-r/ppa.

  Attached is an analysis of the build failures, and whether they are
  regressions, or already are present in the xenial release.

  main component
  ==

  bzr
LP: #1592731, fixed in -proposed
  ecj
LP: #1592801, fixed in -updates
  freerdp
not a regression
  gcc-5-cross
needs update after gcc-5 acceptance
  gnutls28
LP: #1592693, fixed in -updates
  kmod
unrelated, tracked in LP: #1592722
  libnih
not a regression
  llvm-toolchain-3.6
not a regression
  migrate
unrelated (mysql-5.7), tracked in LP: #1592663
  neon27 (s390x)
    unrelated, tracked in LP: #1592698
  openvswitch
not a regression, tracked in LP: #1592793
  python-pymysql
unrelated (mysql-5.7), tracked in LP: #1592664
  python-tooz
unrelated, tracked in LP: #1592660
  sbsigntool
not a regression
  shim
not a regression
  strongswan
racy test, unrelated, tracked in LP: #1592706
  ubuntu-defaults-builder
unrelated, LP: #1597370, waiting for approval
  upstart
not a regression
  whoopsie
LP: #1592649, fixed in -updates
  yaboot
not a regression

  bzr package set
  ===

  bzr-builder
  bzr-upload
no regressions

  cli-mono package set
  

  gbrainy
  ikvm
  monodevelop
  tangerine
no regressions

  desktop-extra package set
  =

  java-gnome
    not a regression

  edubuntu package set
  

  atomix
  gbrainy
no regressions

  input-methods package set
  =

  fcitx-table-other
  libkkc
no regressions

  kubuntu package set (minus packages from main)
  ==

  avogadro
not a regression
  eigen2
not a regression
  fam
not a regression
  farstream-0.2
not a regression
  gst-plugins-base0.10
not a regression
  gst-plugins-good0.10
not a regression
  gstreamer0.10
not a regression
  kqoauth
not a regression
  kubuntu-web-shortcuts
not a regression
  libmpc
not a regression
  libmygpo-qt
not a regression
  libspe2
not a regression
  networkmanager-qt
obsoleted by version in -updates
  plotutils
not a regression
  qtcurve
not a regression
  tbb
not a regression
  telepathy-haze
not a regression
  telepathy-qt
not a regression

  
  lubuntu package set
  

  hardinfo
not a regression
  libguess
not a regression

  mozilla package set
  

  eclipse
  xiphos
no regressions

  mythbuntu package set
  =

  piston-mini-client
not a regression

  schooltool package set
  ==

  schooltool-book
not a regression

  

[Touch-packages] [Bug 1534340] Re: openssh server 6.6 does not report max auth failures

2016-01-14 Thread Kees Cook
** Changed in: openssh (Ubuntu Trusty)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1534340

Title:
  openssh server 6.6 does not report max auth failures

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  In Progress

Bug description:
  Brute force attacks against openssh on Trusty will not log "max auth"
  key-based attempts, leaving their brute forcing invisible to the logs
  and anything that consumes logs, like fail2ban. Version 6.7 introduced
  the logging, but it's missing in Trusty. Since Trusty is LTS, it would
  seem sensible to have this feature backported.

  [Impact] Brute force attempts using private keys are invisible to
  logs, which renders defenses like fail2ban useless.

  [Test case] Create 20 SSH keys, try to log in over SSH, note lack of
  logging the failures.

  [Regression Potential] Very unlikely regression potential as the "max
  auth" condition is already handled in code, it just wasn't logging.
  The change only adds the missing logging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+subscriptions



[Touch-packages] [Bug 1534340] [NEW] openssh server 6.6 does not report max auth failures

2016-01-14 Thread Kees Cook
Public bug reported:

Brute force attacks against openssh on Trusty will not log "max auth"
key-based attempts, leaving their brute forcing invisible to the logs
and anything that consumes logs, like fail2ban. Version 6.7 introduced
the logging, but it's missing in Trusty. Since Trusty is LTS, it would
seem sensible to have this feature backported.

[Impact] Brute force attempts using private keys are invisible to logs,
which renders defenses like fail2ban useless.

[Test case] Create 20 SSH keys, try to log in over SSH, note lack of
logging the failures.

[Regression Potential] Very unlikely regression potential as the "max
auth" condition is already handled in code, it just wasn't logging. The
change only adds the missing logging.

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: Fix Released

** Affects: openssh (Ubuntu Trusty)
 Importance: Undecided
 Assignee: Kees Cook (kees)
 Status: New

** Also affects: openssh (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: openssh (Ubuntu)
   Status: New => Fix Released

** Changed in: openssh (Ubuntu Trusty)
 Assignee: (unassigned) => Kees Cook (kees)

** Description changed:

  Brute force attacks against openssh on Trusty will not log "max auth"
  key-based attempts, leaving their brute forcing invisible to the logs
  and anything that consumes logs, like fail2ban. Version 6.7 introduced
  the logging, but it's missing in Trusty. Since Trusty is LTS, it would
  seem sensible to have this feature backported.
+ 
+ [Impact] Bruce force attempts using private keys are invisible to logs,
+ which renders defenses like fail2ban useless.
+ 
+ [Test case] Create 20 SSH keys, try to log in over SSH, note lack of
+ logging the failures.
+ 
+ [Regression Potential] Very unlikely regression potential as the "max
+ auth" condition is already handled in code, it just wasn't logging. The
+ change only adds the missing logging.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1534340

Title:
  openssh server 6.6 does not report max auth failures

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+subscriptions


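The log-consumer side of this request, as an added example (Python; not code from the report, OpenSSH or fail2ban): it parses the "maximum authentication attempts exceeded" lines that sshd 6.7 and later write and counts them per source address, which is what a fail2ban jail does and what is impossible when, as on Trusty's 6.6, the lines are never written. The sample log lines are constructed for the demonstration, and the regex assumes the sshd message format stated in the module docstring.

```python
"""Per-source counting of sshd 'maximum authentication attempts exceeded'
events, the log signal this bug asks Trusty's sshd 6.6 to emit and the one
fail2ban's sshd filter keys on.

Added example; not code from the bug report, OpenSSH or fail2ban. The line
format assumed is the one sshd 6.7+ writes from auth.c:
  maximum authentication attempts exceeded for [invalid user ]<user> from <ip> port <n> ssh2 [preauth]
The sample log below is constructed for the demonstration, not captured
from a real host; the addresses are documentation ranges.
"""
import re
from collections import Counter, defaultdict

MAXTRIES_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: maximum authentication attempts exceeded for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) "
    r"port (?P<port>\d+) ssh2"
)

SAMPLE_LOG = """\
Jan 14 10:00:01 host sshd[2101]: maximum authentication attempts exceeded for root from 203.0.113.9 port 40022 ssh2 [preauth]
Jan 14 10:00:02 host sshd[2104]: Accepted publickey for deploy from 192.0.2.7 port 51000 ssh2: RSA SHA256:c0nstructedFingerprint
Jan 14 10:00:03 host sshd[2107]: maximum authentication attempts exceeded for invalid user admin from 203.0.113.9 port 40023 ssh2 [preauth]
Jan 14 10:00:04 host sshd[2110]: Received disconnect from 192.0.2.7 port 51000:11: disconnected by user
Jan 14 10:00:05 host sshd[2113]: maximum authentication attempts exceeded for root from 198.51.100.4 port 6022 ssh2 [preauth]
Jan 14 10:00:06 host sshd[2116]: maximum authentication attempts exceeded for root from 203.0.113.9 port 40024 ssh2 [preauth]
"""


def parse_maxtries_events(log_text: str):
    """Yield (ip, user, invalid_user) for each max-auth line; everything
    else (successful logins, disconnects) is ignored."""
    for line in log_text.splitlines():
        m = MAXTRIES_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def offenders(log_text: str, threshold: int = 2) -> dict:
    """{ip: count} for sources that hit the max-auth limit at least
    `threshold` times, i.e. what a fail2ban jail with maxretry=threshold
    would ban. Each event already stands for MaxAuthTries failed attempts
    (sshd's default is 6), so a low threshold is reasonable."""
    counts = Counter(ip for ip, _, _ in parse_maxtries_events(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def targets_by_source(log_text: str) -> dict:
    """{ip: sorted user names tried}, with 'invalid:' marking accounts that
    do not exist; useful for telling a credential spray from a targeted run."""
    by_ip = defaultdict(set)
    for ip, user, invalid in parse_maxtries_events(log_text):
        by_ip[ip].add(("invalid:" if invalid else "") + user)
    return {ip: sorted(users) for ip, users in by_ip.items()}


if __name__ == "__main__":
    targets = targets_by_source(SAMPLE_LOG)
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} max-auth events, users tried {targets[ip]}")
```

On the constructed sample only 203.0.113.9 crosses the default threshold; the single event from 198.51.100.4 shows up with threshold=1. The same run against /var/log/auth.log from a Trusty host with the 6.6 package finds nothing at all, which is the gap the [Test case] above describes.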

[Touch-packages] [Bug 1534340] Re: openssh server 6.6 does not report max auth failures

2016-01-14 Thread Kees Cook
** Patch added: "openssh_6.6p1-2ubuntu2.5.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+attachment/4550125/+files/openssh_6.6p1-2ubuntu2.5.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1534340

Title:
  openssh server 6.6 does not report max auth failures

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  New

Bug description:
  Brute force attacks against openssh on Trusty will not log "max auth"
  key-based attempts, leaving their brute forcing invisible to the logs
  and anything that consumes logs, like fail2ban. Version 6.7 introduced
  the logging, but it's missing in Trusty. Since Trusty is LTS, it would
  seem sensible to have this feature backported.

  [Impact] Brute force attempts using private keys are invisible to
  logs, which renders defenses like fail2ban useless.

  [Test case] Create 20 SSH keys, try to log in over SSH, note lack of
  logging the failures.

  [Regression Potential] Very unlikely regression potential as the "max
  auth" condition is already handled in code, it just wasn't logging.
  The change only adds the missing logging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1534340/+subscriptions

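The report's point is a detection gap: fail2ban-style tooling can only act on a line sshd actually writes. As an added example (not code from the bug report, from openssh or from fail2ban), here is the kind of counter such tooling runs over the auth log, looking for the max-auth-tries disconnect. The message formats it matches are the ones later OpenSSH releases emit, which is an assumption to check against the sshd you run; the Trusty 6.6 server in the report logs nothing for key-based attempts, so nothing here would fire for them. The log lines are constructed.

```python
import re
from collections import defaultdict

# Formats of the "max auth tries exceeded" event. These are the forms later OpenSSH
# releases log (assumption: verify against your own sshd). The Trusty 6.6 server in the
# report writes nothing at all for key-based attempts, so none of these can fire there.
MAXTRIES_PATTERNS = [
    # 7.x and later: the source address is on the line
    re.compile(r"maximum authentication attempts exceeded for (?P<user>\S+) "
               r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"),
    re.compile(r"Disconnecting authenticating user (?P<user>\S+) (?P<ip>[0-9a-fA-F.:]+) "
               r"port \d+: Too many authentication failures"),
    # older form: no source address, so it cannot drive a per-IP ban on its own
    re.compile(r"Disconnecting: Too many authentication failures for (?P<user>\S+)"),
]


def parse_maxtries(line):
    """{'user': ..., 'ip': ... or None} if the line reports a max-auth-tries disconnect,
    else None."""
    for pat in MAXTRIES_PATTERNS:
        m = pat.search(line)
        if m:
            return {"user": m.group("user"), "ip": m.groupdict().get("ip")}
    return None


def offenders(lines, threshold=3):
    """fail2ban-style count: (sorted source IPs with at least `threshold` events,
    number of events that carried no address and so could not be attributed)."""
    per_ip = defaultdict(int)
    unattributed = 0
    for line in lines:
        ev = parse_maxtries(line)
        if not ev:
            continue
        if ev["ip"] is None:
            unattributed += 1
        else:
            per_ip[ev["ip"]] += 1
    banned = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return banned, unattributed


# Constructed sample auth log (not taken from any real host).
SAMPLE_AUTH_LOG = [
    # one source hammering with keys against a server that does log the event
    "Jan 14 10:00:01 host sshd[4101]: error: maximum authentication attempts exceeded "
    "for root from 203.0.113.5 port 40001 ssh2 [preauth]",
    "Jan 14 10:00:02 host sshd[4102]: error: maximum authentication attempts exceeded "
    "for root from 203.0.113.5 port 40002 ssh2 [preauth]",
    "Jan 14 10:00:03 host sshd[4103]: Disconnecting authenticating user root "
    "203.0.113.5 port 40003: Too many authentication failures [preauth]",
    # a legitimate user with an overfull agent: one event, below threshold
    "Jan 14 10:00:04 host sshd[4104]: error: maximum authentication attempts exceeded "
    "for alice from 198.51.100.7 port 50000 ssh2 [preauth]",
    # older sshd form without an address: counted, but not attributable to an IP
    "Jan 14 10:00:05 host sshd[4105]: Disconnecting: Too many authentication failures "
    "for root [preauth]",
    # a connection that ended with no max-auth line at all, which is what the report
    # describes for key-based attempts on Trusty: nothing for the detector to match
    "Jan 14 10:00:06 host sshd[4106]: Connection closed by 203.0.113.9 [preauth]",
    "Jan 14 10:00:07 host sshd[4107]: Accepted publickey for alice from 198.51.100.7 "
    "port 50010 ssh2",
]

if __name__ == "__main__":
    banned, unattributed = offenders(SAMPLE_AUTH_LOG, threshold=3)
    print("ban candidates:", banned)
    print("max-auth events without a source address:", unattributed)
```

The third pattern shows a second limitation worth knowing even once the logging exists: the older message carries no source address, so a ban decision needs another line from the same sshd process to recover it. The 203.0.113.9 connection in the sample illustrates the report's case: with no line written, no threshold can ever be reached.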


[Touch-packages] [Bug 1532911] Re: [regression] 2.12.23-12ubuntu2.4 breaks sha512 certificates

2016-01-11 Thread Kees Cook
Thanks to mdeslaur for finding that the _root_ cert is the problem, not
mine, nor a code problem with gnutls:

http://blog.cacert.org/2015/12/re-signing-root-certificate/

** Changed in: gnutls26 (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1532911

Title:
  [regression] 2.12.23-12ubuntu2.4 breaks sha512 certificates

Status in gnutls26 package in Ubuntu:
  Invalid

Bug description:
  $ gnutls-cli -p 587 smtp.outflux.net -s --print-cert
  STARTTLS
  ctrl-D
  *** Starting TLS handshake
  *** Fatal error: The signature algorithm is not supported.
  *** Handshake has failed

  This does not happen with 2.12.23-12ubuntu2.3.

  $ echo QUIT | openssl s_client -connect smtp.outflux.net:587 -starttls smtp 
-showcerts 2>/dev/null | openssl x509 -noout -text
  ...
  Signature Algorithm: sha512WithRSAEncryption
  ...
  Public Key Algorithm: rsaEncryption
  ...

  There's no MD5 visible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1532911/+subscriptions

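The reporter checked only the leaf certificate's Signature Algorithm, and the thread's conclusion was that the root's own signature was the problem. As an added example (not code from the report or from gnutls), here is a minimal DER walker that reports the outer signatureAlgorithm of every certificate in a PEM chain, so a weak algorithm on any member, the trust anchor included, shows up. The sample chain is constructed: dummy certificate shells with real AlgorithmIdentifiers, modelled on the report as a sha512 leaf, a sha256 intermediate and an md5 self-signed root. For real use, feed it the saved -showcerts output, and also the trust-store copy of the root, since the root used for validation comes from the local store and need not be in what the server sends.

```python
import base64
import re
import sys

# Signature algorithm OIDs seen in X.509 chains; the MD5 one is the kind of
# root self-signature the thread traced the failure to.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(data):
    """Dotted-string form of OID contents octets (base-128 arcs, high bit = continue)."""
    arcs = [data[0] // 40, data[0] % 40]
    val = 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """OID of the outer signatureAlgorithm in
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(der_cert, pos)          # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, alg_pos, _ = read_tlv(der_cert, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid_start, oid_end = read_tlv(der_cert, alg_pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(der_cert[oid_start:oid_end])


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_ders(text):
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def audit_chain(pem_text):
    """[(position, algorithm name, is_weak)] for every certificate in the PEM text."""
    result = []
    for i, der_cert in enumerate(pem_chain_to_ders(pem_text)):
        oid = signature_algorithm(der_cert)
        name = OID_NAMES.get(oid, oid)
        result.append((i, name, name in WEAK))
    return result


# --- constructed sample input (not real certificates) --------------------------
def der_encode(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Stand-in with the outer Certificate shape (dummy tbsCertificate, real
    AlgorithmIdentifier, dummy signature). Enough for audit_chain; not a usable cert."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))
    alg = der_encode(0x30, der_encode(0x06, encode_oid(sig_oid)) + der_encode(0x05, b""))
    sig = der_encode(0x03, b"\x00")
    body = base64.b64encode(der_encode(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Modelled on the report: sha512 leaf, sha256 intermediate, md5 self-signed root.
SAMPLE_CHAIN = (fake_cert_pem("1.2.840.113549.1.1.13")
                + fake_cert_pem("1.2.840.113549.1.1.11")
                + fake_cert_pem("1.2.840.113549.1.1.4"))

if __name__ == "__main__":
    # Real input: openssl s_client -connect host:587 -starttls smtp -showcerts </dev/null >chain.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for i, name, weak in audit_chain(text):
        print(f"cert[{i}] signed with {name}{'  <-- weak' if weak else ''}")
```

Running it on the sample prints the md5 root as weak while the leaf the reporter inspected is clean, which is exactly the situation the thread ended on.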


[Touch-packages] [Bug 1532911] [NEW] [regression] 2.12.23-12ubuntu2.4 breaks sha512 certificates

2016-01-11 Thread Kees Cook
Public bug reported:

$ gnutls-cli -p 587 smtp.outflux.net -s --print-cert
STARTTLS
ctrl-D
*** Starting TLS handshake
*** Fatal error: The signature algorithm is not supported.
*** Handshake has failed

This does not happen with 2.12.23-12ubuntu2.3.

$ echo QUIT | openssl s_client -connect smtp.outflux.net:587 -starttls smtp 
-showcerts 2>/dev/null | openssl x509 -noout -text
...
Signature Algorithm: sha512WithRSAEncryption
...
Public Key Algorithm: rsaEncryption
...

There's no MD5 visible.

** Affects: gnutls26 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1532911

Title:
  [regression] 2.12.23-12ubuntu2.4 breaks sha512 certificates

Status in gnutls26 package in Ubuntu:
  New

Bug description:
  $ gnutls-cli -p 587 smtp.outflux.net -s --print-cert
  STARTTLS
  ctrl-D
  *** Starting TLS handshake
  *** Fatal error: The signature algorithm is not supported.
  *** Handshake has failed

  This does not happen with 2.12.23-12ubuntu2.3.

  $ echo QUIT | openssl s_client -connect smtp.outflux.net:587 -starttls smtp 
-showcerts 2>/dev/null | openssl x509 -noout -text
  ...
  Signature Algorithm: sha512WithRSAEncryption
  ...
  Public Key Algorithm: rsaEncryption
  ...

  There's no MD5 visible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1532911/+subscriptions



[Touch-packages] [Bug 1317555] Re: 'signal peer=@{profile_name}, ' does not work as expected when in a profile using a regex match as a name

2015-06-10 Thread Kees Cook
Hit this bug again while trying to use:
http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/view/head:/ubuntu/14.04/usr.lib.postgresql.bin.postgres

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1317555

Title:
  'signal peer=@{profile_name},' does not work as expected when in a
  profile using a regex match as a name

Status in AppArmor Linux application security framework:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  Kees Cook reported signal mediation issues stemming from the 'signal
  peer=@{profile_name},' rule in the base abstraction. It does not work
  as expected when @{profile_name} contains a regex match. If an
  application confined with a profile that uses a regex match as the
  name attempts to signal itself, the signal is denied.

  Here's a simple reproducer:

  # Set up the test environment
  $ mkdir /tmp/test
  $ cd /tmp/test
  $ cp -a /bin/kill .
  $ cp -a /bin/sleep .

  # Run the unconfined test to verify that it works (it does)
  $ /tmp/test/sleep 30s &
  [2] 31464
  $ /tmp/test/kill -USR1 $!
  [2]+  User defined signal 1   /tmp/test/sleep 30s

  # Create and load the AppArmor profile
  $ cat << EOF > profile
  #include <tunables/global>

  /tmp/test/{kill,sleep} {
    #include <abstractions/base>
    file,
  }

  profile test {
    #include <abstractions/base>
    file,
  }
  EOF
  $ sudo apparmor_parser -r profile

  # Run the test under /tmp/test/{kill,sleep} confinement
  # Note that this will not work, likely due to the regex in the profile name
  $ /tmp/test/sleep 30s &
  [1] 31473
  $ /tmp/test/kill -USR1 $!

  # Look at the new denials
  # Oddly, comm=kill is in both denials, despite the denials being for send and receive masks
  type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=send denied_mask=send signal=usr1 peer=/tmp/test/{kill,sleep}
  type=AVC msg=audit(1399560667.038:720): apparmor=DENIED operation=signal profile=/tmp/test/{kill,sleep} pid=31474 comm=kill requested_mask=receive denied_mask=receive signal=usr1 peer=/tmp/test/{kill,sleep}

  # Run the test once more under the test profile (it succeeds)
  $ aa-exec -p test -- /tmp/test/sleep 30s &
  [1] 31476
  $ aa-exec -p test -- /tmp/test/kill -USR1 $!
  [1]+  User defined signal 1   aa-exec -p test -- /tmp/test/sleep 30s

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1317555/+subscriptions



[Touch-packages] [Bug 1185331] Re: Apparmor logs error messages regarding evince on normal use.

2015-05-17 Thread Kees Cook
Running fc-cache -sfv as root solved the warning about
/var/cache/fontconfig chmod stuff.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1185331

Title:
  Apparmor logs error messages regarding evince on normal use.

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  Hello,

  It seems that each time evince is used, system logs get cluttered with
  messages like:

  ** Observed :

  May 29 10:46:28 n55sf-l kernel: [314668.526878] type=1400 audit(1369817188.984:85): apparmor=DENIED operation=chmod parent=17861 profile=/usr/bin/evince name=/var/cache/fontconfig/ pid=21378 comm=evince requested_mask=w denied_mask=w fsuid=1000 ouid=0
  May 29 10:46:28 n55sf-l kernel: [314668.528826] type=1400 audit(1369817188.988:86): apparmor=DENIED operation=chmod parent=17861 profile=/usr/bin/evince name=/var/cache/fontconfig/ pid=21378 comm=evince requested_mask=w denied_mask=w fsuid=1000 ouid=0

  And also like:

  May 29 10:39:03 n55sf-l kernel: [314223.459554] type=1400 audit(1369816743.428:83): apparmor=DENIED operation=open parent=1 profile=/usr/bin/evince name=/mycomplicatedpathtomyhomedironaseparatepartition/.fontconfig/fonts.conf pid=21716 comm=evince requested_mask=r denied_mask=r fsuid=1000 ouid=1000

  Reporting on apparmor instead of evince because dpkg indicates that
  apparmor holds configuration for many programs (instead of programs
  holding configuration for apparmor, as logcheck does), including
  /etc/apparmor.d/abstractions/evince .

  Here's a mini-stat gathering different messages and count of
  occurrences in recent logs :

  zcat kern.log.* | grep -i apparmor.*evince.* -o  | sed -e 's
  (mylongpath) /longpathtomyhomedir ' -e 's/pid=[0-9]*/pid=xxx/g' -e
  's/parent=[0-9]*/parent=xxx/g' -e 's|(somepath)[^]*|somepath|g' |
  sort | uniq -c

    1 apparmor=DENIED operation=capable parent=xxx profile=/usr/bin/evince pid=xxx comm=dbus-launch pid=xxx comm=dbus-launch capability=1  capname=dac_override
    1 apparmor=DENIED operation=capable parent=xxx profile=/usr/bin/evince pid=xxx comm=dbus-launch pid=xxx comm=dbus-launch capability=2  capname=dac_read_search
    1 apparmor=DENIED operation=capable parent=xxx profile=/usr/bin/evince pid=xxx comm=evince pid=xxx comm=evince capability=1  capname=dac_override
    1 apparmor=DENIED operation=capable parent=xxx profile=/usr/bin/evince pid=xxx comm=evince pid=xxx comm=evince capability=2  capname=dac_read_search
    2 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=(some hex string) pid=xxx comm=EvJobScheduler requested_mask=r denied_mask=r fsuid=1000 ouid=1000
    2 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=(some hex string) pid=xxx comm=EvJobScheduler requested_mask=r denied_mask=r fsuid=1000 ouid=1000
  376 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=/longpathtomyhomedir/.fontconfig/fonts.conf pid=xxx comm=evince requested_mask=r denied_mask=r fsuid=1000 ouid=1000
  219 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=/longpathtomyhomedir/.fonts.conf pid=xxx comm=evince requested_mask=r denied_mask=r fsuid=1000 ouid=1000
    3 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=somepath pid=xxx comm=EvJobScheduler requested_mask=r denied_mask=r fsuid=1000 ouid=1000
    1 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=somepath pid=xxx comm=pool requested_mask=r denied_mask=r fsuid=1000 ouid=1000
    1 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince name=/tmp/.X0-lock pid=xxx comm=pool requested_mask=r denied_mask=r fsuid=1000 ouid=0
    1 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince-previewer name=/longpathtomyhomedir/.fontconfig/fonts.conf pid=xxx comm=evince-previewe requested_mask=r denied_mask=r fsuid=1000 ouid=1000
   10 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince-previewer name=/longpathtomyhomedir/.fonts.conf pid=xxx comm=evince-previewe requested_mask=r denied_mask=r fsuid=1000 ouid=1000
   58 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince-thumbnailer name=/longpathtomyhomedir/.fontconfig/fonts.conf pid=xxx comm=evince-thumbnai requested_mask=r denied_mask=r fsuid=1000 ouid=1000
   21 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince-thumbnailer name=/longpathtomyhomedir/.fonts.conf pid=xxx comm=evince-thumbnai requested_mask=r denied_mask=r fsuid=1000 ouid=1000
    2 apparmor=DENIED operation=open parent=xxx profile=/usr/bin/evince-thumbnailer name=/media/stephane/n55s494G/stephane/.goutputstream-8KGWMW pid=xxx comm=evince-thumbnai requested_mask=r denied_mask=r fsuid=1000 ouid=1000
    2 apparmor=DENIED operation=open parent=xxx 
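Both AppArmor reports above, the signal denials in bug 1317555 and the evince denials in bug 1185331, come down to the same task: read the apparmor=DENIED records and group them by profile, operation and target, which the evince reporter did by hand with sed and uniq. As an added example (not code from either report or from the apparmor project), here is a parser for both record forms, the auditd one (type=AVC msg=audit(...)) and the kernel/syslog one (type=1400 audit(...)), with the grouping and a draft rule per denial in the style of aa-logprof. The sample lines are reconstructed from the two reports with the quoting auditd actually emits. The drafts are starting points for review only: the signal denials on this page are tracked as a profile-name issue, not as a missing rule, and the evince denials were cleared by fixing the font cache rather than by widening the profile.

```python
import re
from collections import Counter

# key=value pairs; auditd quotes string values, and the copies on this page have the
# quotes stripped, so accept both forms.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """One AppArmor record (auditd or kernel/syslog form) as a dict of its fields.
    Returns None for lines that carry no apparmor= field."""
    if "apparmor=" not in line:
        return None
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def summarize(lines):
    """Counter keyed by (profile, operation, target) over DENIED records, where the
    target is the file name, the signal peer or the capability name, whichever the
    record carries."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        target = ev.get("name") or ev.get("peer") or ev.get("capname") or "-"
        counts[(ev["profile"], ev["operation"], target)] += 1
    return counts


def suggest_rule(ev):
    """Draft the profile rule that would have allowed this record (aa-logprof style).
    For review only: a denial can be the program misbehaving, or, as with the signal
    case on this page, something other than a missing rule."""
    op = ev.get("operation")
    if op == "signal":
        return f'signal ({ev["denied_mask"]}) set=({ev["signal"]}) peer={ev["peer"]},'
    if op == "capable":
        return f'capability {ev["capname"]},'
    if ev.get("name") and ev.get("denied_mask"):
        return f'{ev["name"]} {ev["denied_mask"]},'
    return None


# Reconstructed from the two reports above (quotes restored as auditd prints them);
# the last line is a constructed complain-mode record to show non-DENIED input is skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" '
    'profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="send" '
    'denied_mask="send" signal=usr1 peer="/tmp/test/{kill,sleep}"',
    'type=AVC msg=audit(1399560667.038:720): apparmor="DENIED" operation="signal" '
    'profile="/tmp/test/{kill,sleep}" pid=31474 comm="kill" requested_mask="receive" '
    'denied_mask="receive" signal=usr1 peer="/tmp/test/{kill,sleep}"',
    'May 29 10:46:28 n55sf-l kernel: [314668.526878] type=1400 audit(1369817188.984:85): '
    'apparmor="DENIED" operation="chmod" parent=17861 profile="/usr/bin/evince" '
    'name="/var/cache/fontconfig/" pid=21378 comm="evince" requested_mask="w" '
    'denied_mask="w" fsuid=1000 ouid=0',
    'May 29 10:46:28 n55sf-l kernel: [314668.528826] type=1400 audit(1369817188.988:86): '
    'apparmor="DENIED" operation="chmod" parent=17861 profile="/usr/bin/evince" '
    'name="/var/cache/fontconfig/" pid=21378 comm="evince" requested_mask="w" '
    'denied_mask="w" fsuid=1000 ouid=0',
    'type=1400 audit(1369816743.428:83): apparmor="DENIED" operation="capable" parent=1 '
    'profile="/usr/bin/evince" pid=21716 comm="dbus-launch" pid=21716 comm="dbus-launch" '
    'capability=1 capname="dac_override"',
    'type=1400 audit(1369816743.500:84): apparmor="ALLOWED" operation="open" '
    'profile="/usr/bin/evince" name="/etc/fonts/fonts.conf" pid=21716 comm="evince" '
    'requested_mask="r" denied_mask="r"',
]

if __name__ == "__main__":
    for (profile, op, target), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d} {profile} {op} {target}")
    for line in SAMPLE_LOG:
        ev = parse_apparmor_line(line)
        if ev and ev.get("apparmor") == "DENIED":
            print("rule:", suggest_rule(ev))
```

Feeding it `journalctl -k` or /var/log/audit/audit.log output gives the same per-target counts the evince reporter produced, without hand-written sed for each path pattern.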

[Touch-packages] [Bug 537746] Re: mount.nfs fails stating incorrect mount option but succeeds if -v option is used

2015-01-28 Thread Kees Cook
Using nfsvers=2 worked for me, but if you need =3, this seems like a
bug in util-linux.

** Changed in: util-linux (Ubuntu)
   Status: Invalid => Confirmed

** Also affects: util-linux (Ubuntu Vivid)
   Importance: Undecided
   Status: Confirmed

** Also affects: util-linux (Ubuntu Utopic)
   Importance: Undecided
   Status: New

** Also affects: util-linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: util-linux (Ubuntu Vivid)
   Status: Confirmed => New

** Changed in: util-linux (Ubuntu Trusty)
   Status: New => Confirmed

** Tags added: regression-release

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/537746

Title:
  mount.nfs fails stating incorrect mount option but succeeds if -v
  option is used

Status in util-linux package in Ubuntu:
  New
Status in util-linux source package in Trusty:
  Confirmed
Status in util-linux source package in Utopic:
  New
Status in util-linux source package in Vivid:
  New

Bug description:
  Binary package hint: mount

  with /etc/fstab containing;

  n2:/db /db nfs auto,nfsvers=3   0 0

  OR containing

  n2:/db /db nfs auto 0 0

  # mount /db

  fails with message mount.nfs: an incorrect mount option was
  specified

  # mount n2:/db /db

  also fails with the same message

  BUT the following succeeds despite the Operation not supported
  message

  # mount n2:/db /db -v
  mount: no type was given - I'll assume nfs because of the colon
  mount.nfs: timeout set for Thu Mar 11 15:14:50 2010
  mount.nfs: text-based options: 'addr=63.227.222.65'
  mount.nfs: mount(2): Operation not supported
  mount.nfs: trying 63.227.222.65 prog 13 vers 3 prot UDP port 2049
  mount.nfs: trying 63.227.222.65 prog 15 vers 3 prot UDP port 32767
  mount.nfs: text-based options (retry): 
'addr=63.227.222.65,vers=3,proto=udp,mountvers=3,mountproto=udp,mountport=32767'
  n2:/db on /db type nfs (rw)

  This system in question dual boots 10.04 and 8.04; under 8.04 ALL of
  the above succeeds without error messages.

  This error is preventing NFS mounts in /etc/fstab; without a
  workaround or fix this prevents any deployment of Ubuntu 10.04 for us.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/537746/+subscriptions
