[Touch-packages] [Bug 1550090] [NEW] linux-image-3.19.0-51-generic fails to boot to desktop under VMWare Player

2016-02-25 Thread Alex Murray
Public bug reported: After updating my VMWare Player install of Ubuntu 14.04 amd64 to linux-image-3.19.0-51-generic it fails to boot - plymouth appears to hang during boot and so it never reaches the GDM login screen - also seems I am not alone:

[Touch-packages] [Bug 1785024] Re: It gives error

2018-08-02 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1785024]

2018-08-02 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html.

[Touch-packages] [Bug 1785176] Re: GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

2018-08-02 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gnupg in Ubuntu. https://bugs.launchpad.net/bugs/1785176 Title: GnuPG 1.4.23 released on 2018-06-11,

[Touch-packages] [Bug 1785176] Re: GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

2018-08-03 Thread Alex Murray
Thanks for reporting this - FYI you can see the status of each CVE via the CVE tracker http://people.canonical.com/~ubuntu-security/cve/ ie. https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7526.html This CVE was triaged against libgcrypt only - not against gnupg1 - and all the

[Touch-packages] [Bug 1784892] Re: package tracker-extract 1.6.2-0ubuntu1.1 failed to install/upgrade: O pacote está num mau estado de inconsistência; deve reinstala-lo antes de tentar configura-lo.

2018-08-01 Thread Alex Murray
Thank you for taking the time to file a bug report. This looks like a local issue that occurred during the time of upgrade. Since it seems likely to me that this is a local configuration problem, rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'. However, if you believe that

[Touch-packages] [Bug 1784892] Re: package tracker-extract 1.6.2-0ubuntu1.1 failed to install/upgrade: O pacote está num mau estado de inconsistência; deve reinstala-lo antes de tentar configura-lo.

2018-08-01 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1784883] Re: crashing

2018-08-01 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1784883] Re: crashing

2018-08-01 Thread Alex Murray
I can see from the attached logs there are file-system errors (likely due to incomplete shutdowns in the past) but I am surprised by the presence of XFS and QNX file-system drivers both being loaded - can you describe this system in more detail - also any details you can provide about the crash

[Touch-packages] [Bug 1784894] Re: crashes

2018-08-01 Thread Alex Murray
*** This bug is a duplicate of bug 1784883 *** https://bugs.launchpad.net/bugs/1784883 Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as

[Touch-packages] [Bug 1784883]

2018-08-01 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html.

[Touch-packages] [Bug 1784894] Re: crashes

2018-08-01 Thread Alex Murray
*** This bug is a duplicate of bug 1784883 *** https://bugs.launchpad.net/bugs/1784883 Please try to avoid creating duplicate bug reports for the same issue. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in

[Touch-packages] [Bug 1784894]

2018-08-01 Thread Alex Murray
*** This bug is a duplicate of bug 1784883 *** https://bugs.launchpad.net/bugs/1784883 Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 1784883, so it is being marked as such. Please

[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user ID or groups )

2018-08-01 Thread Alex Murray
I can't reproduce this myself but I am using the default shell (bash provided by dash) and gnome-terminal. My understanding of the change to policykit-1 https://git.launchpad.net/ubuntu/+source/policykit-1/commit/?h=applied/ubuntu/bionic-devel=840c50182f5ab1ba28c1d20cce4c207364852935 is that

[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user ID or groups )

2018-08-01 Thread Alex Murray
I've tried replicating your setup in a fresh bionic VM (ie. using tmux as default shell which then launches bash) and I can't replicate this: amurray@sec-bionic-amd64:~$ grep amurray /etc/passwd amurray:x:1000:1000:Ubuntu,,,:/home/amurray:/usr/bin/tmux amurray@sec-bionic-amd64:~$ echo $SHELL

[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user ID or groups )

2018-08-01 Thread Alex Murray
** Attachment added: "Screenshot from 2018-08-02 14-11-37.png" https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/1784964/+attachment/5170643/+files/Screenshot%20from%202018-08-02%2014-11-37.png -- You received this bug notification because you are a member of Ubuntu Touch seeded

[Touch-packages] [Bug 1784964] Re: Regression due to CVE-2018-1116 (processes not inheriting user ID or groups )

2018-08-01 Thread Alex Murray
@TJ re comment:6 that fix is already in for both xenial and bionic as far as I can see. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to policykit-1 in Ubuntu. https://bugs.launchpad.net/bugs/1784964 Title: Regression due

[Touch-packages] [Bug 1784518] Re: package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade: sub-processo script post-installation instalado retornou estado de saída de erro 1

2018-07-30 Thread Alex Murray
It looks like you have some invalid configuration parameters in your /etc/ssh/ssh_config file since the upgrade encountered an error when trying to restart sshd (from your attached DpkgTerminalLog.txt): Jul 30 22:15:28 kike-pc sshd[23579]: bad addr or host: 192.168.*.* (Name or...n) -- You

[Touch-packages] [Bug 1784518] Re: package openssh-server 1:7.2p2-4ubuntu2.4 failed to install/upgrade: sub-processo script post-installation instalado retornou estado de saída de erro 1

2018-07-30 Thread Alex Murray
Thank you for taking the time to file a bug report. Looks like an invalid configuration option was listed - did you modify the configuration? Since there is not enough information in your report to begin triage or to differentiate between a local configuration problem and a bug in Ubuntu, I am

[Touch-packages] [Bug 1785176] Re: GnuPG 1.4.23 released on 2018-06-11, addresses CVE-2017-7526

2018-08-07 Thread Alex Murray
https://usn.ubuntu.com/3733-1/ ** Changed in: gnupg (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gnupg in Ubuntu. https://bugs.launchpad.net/bugs/1785176 Title: GnuPG 1.4.23

[Touch-packages] [Bug 1765304] Re: Ubuntu 18.04's ibus package breaks password fields in Firefox (by lowering & raising window whenever they're focused)

2018-08-30 Thread Alex Murray
Seems this is an issue with gnome-shell: https://gitlab.gnome.org/GNOME/gnome-shell/issues/391 I have rebuilt gnome-shell with the patch from that upstream issue and it resolves this for me - if anyone wants to test I've put it in the following PPA (I just uploaded it so it will take a while to

[Touch-packages] [Bug 1779622] Re: issue is regarding boot hanging between work

2018-07-04 Thread Alex Murray
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xorg in Ubuntu. https://bugs.launchpad.net/bugs/1779622 Title: issue is regarding boot hanging between work

[Touch-packages] [Bug 1779201] Re: package python3 3.6.5-3ubuntu1 failed to install/upgrade: installed python3 package post-installation script subprocess returned error exit status 4

2018-07-04 Thread Alex Murray
*** This bug is a duplicate of bug 1779237 *** https://bugs.launchpad.net/bugs/1779237 ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python3-defaults in

[Touch-packages] [Bug 1780311] Re: package initramfs-tools 0.130ubuntu3.1 failed to install/upgrade: instalado initramfs-tools paquete post-installation guión el subproceso devolvió un error con estad

2018-07-05 Thread Alex Murray
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu. https://bugs.launchpad.net/bugs/1780311 Title: package initramfs-tools 0.130ubuntu3.1

[Touch-packages] [Bug 1780548] Re: SSH server won't start, exit code 255

2018-07-08 Thread Alex Murray
It looks like the ssh server configuration file has become corrupted - notice the error message: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: /etc/ssh/sshd_config: line 1: Bad configuration option: \342\200\213\342\200\213 /etc/ssh/sshd_config: terminating, 1 bad

[Touch-packages] [Bug 1798725] [NEW] Content "n\xff=" can crash libpcre when an application is matching the pattern \s*=

2018-10-18 Thread Alex Murray
*** This bug is a security vulnerability *** Public security bug reported: Reported upstream at https://bugs.exim.org/show_bug.cgi?id=2330 - libpcre3 can be made to crash when matching the pattern \s*= when the context is n\xff= Able to reproduce on current Bionic using the PoC attached (which

[Touch-packages] [Bug 1798725] Re: Content "n\xff=" can crash libpcre when an application is matching the pattern \s*=

2018-10-25 Thread Alex Murray
** Attachment added: "PoC using libpcre (ie without libglib)" https://bugs.launchpad.net/ubuntu/+source/pcre3/+bug/1798725/+attachment/5205348/+files/PoC.c -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pcre3 in Ubuntu.

[Touch-packages] [Bug 1798725] Re: Content "n\xff=" can crash libpcre when an application is matching the pattern \s*=

2018-10-25 Thread Alex Murray
I have reworked the PoC to one which allows to reproduce the crash directly just using libpcre, and have verified this works directly on the upstream libpcre releases 8.39, 8.40, 8.41 & 8.42 - waiting on response from upstream - https://bugs.exim.org/show_bug.cgi?id=2330#c2 ** Bug watch added:

[Touch-packages] [Bug 1801410] Re: Icons.keep.flashing

2018-11-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1801383] Re: apport uploading WifiSyslog to public bug reports is a major privacy risk

2018-11-05 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1801383 Title: apport uploading WifiSyslog to public

[Touch-packages] [Bug 1798725] Re: Content "n\xff=" can crash libpcre when an application is matching the pattern \s*=

2018-10-26 Thread Alex Murray
Seems this is a bug in gvfs not properly validating as UTF8 before calling into glib: https://bugs.exim.org/show_bug.cgi?id=2330#c9 ** Package changed: pcre3 (Ubuntu) => gvfs (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is

[Touch-packages] [Bug 1802600] Re: ??????

2018-11-11 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1795921] Re: Out-of-Bounds write in systemd-networkd dhcpv6 option handling

2018-11-05 Thread Alex Murray
@yassine-mrabet - In general, Ubuntu does not upgrade major versions of software and instead backports security fixes to the current version - also we track CVEs independently in our own CVE tracker - in this case please see https://people.canonical.com/~ubuntu-

[Touch-packages] [Bug 1793607] Re: GPU Overheats and laptop shuts off

2018-09-21 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1792967] Re: CVE-2018-7738 - command execution via unmount's bash-completion

2018-09-20 Thread Alex Murray
** Changed in: util-linux (Ubuntu) Status: New => Confirmed ** Changed in: util-linux (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu.

[Touch-packages] [Bug 1812468] Re: package linux-firmware 1.173.3 failed to install/upgrade: installed linux-firmware package post-installation script subprocess returned error exit status 1

2019-01-22 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1805316] Re: systemd 229-4ubuntu21.9 faulty - breaks the system!

2018-11-27 Thread Alex Murray
*** This bug is a duplicate of bug 1804847 *** https://bugs.launchpad.net/bugs/1804847 I've marked this as a duplicate of bug #1804847 - please add any further comments to that bug instead. ** This bug has been marked a duplicate of bug 1804847 systemd=229-4ubuntu21.8 use of fchownat

[Touch-packages] [Bug 1791405] Re: bluetooth always in discoverable mode (security issue)

2018-09-17 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1791405 Title: bluetooth always in discoverable mode

[Touch-packages] [Bug 1532314] Re: Buffer overflow in cgmanager

2018-09-17 Thread Alex Murray
Based on the most recent comments, changing the priority back to undecided since there is no clear path forward for now. ** Changed in: libnih (Ubuntu) Importance: High => Undecided ** Changed in: lxc (Ubuntu) Importance: High => Undecided ** Changed in: cgmanager (Ubuntu) Status:

[Touch-packages] [Bug 1371170] Re: information disclosure: clipboard contents can be obtained without user knowledge

2018-09-17 Thread Alex Murray
** Changed in: content-hub (Ubuntu) Status: New => Won't Fix ** Changed in: mir (Ubuntu) Status: New => Confirmed ** Changed in: canonical-devices-system-image Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch

[Touch-packages] [Bug 1790377] Re: Ubuntu 18.04.1 and below: Information disclosure through world readable by default home directory permissions

2018-09-17 Thread Alex Murray
*** This bug is a duplicate of bug 48734 *** https://bugs.launchpad.net/bugs/48734 ** This bug has been marked a duplicate of bug 48734 Home permissions too open ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a

[Touch-packages] [Bug 1792241] Re: package systemd-sysv 237-3ubuntu10.3 failed to install/upgrade: installed systemd-shim package post-removal script subprocess returned error exit status 2

2018-09-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1792135] Re: jackd crashed with SIGABRT in std::terminate()

2018-09-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1822736 Title: Passwords longer than 255 characters break

[Touch-packages] [Bug 1821030] Re: [To Be Filled By O.E.M., Realtek ALC662 rev1, Green Line Out, Rear] No sound at all

2019-03-20 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1821508] Re: there is a lagging while i am accessing the software or browing

2019-03-24 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1820319] Re: [To Be Filled By O.E.M., Realtek ALC662 rev1, Blue Line In, Rear] No sound at all

2019-03-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1819240] Re: Many sites will not connect. Very slow. Some siezing.

2019-03-11 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1830629] Re: Errors when extracting ZIP files. It can not differentiate between files and directories

2019-05-30 Thread Alex Murray
Thanks for reporting this issue - this would appear to have potential security implications, however as it is already public I see no reason to keep this private - if a CVE were to be assigned then this could be fixed via a security update by the security team, otherwise this would be fixed via

[Touch-packages] [Bug 1828474] Re: package sudo 1.8.3p1-1ubuntu3.7 failed to install/upgrade: subprocess installed pre-removal script returned error exit status 1

2019-05-09 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-10 Thread Alex Murray
Which fix are you referring to? There is nothing specifically mentioned in this bug report - as noted in comment#2 you can see the current status of security fix backports in the CVE tracker. If you had looked you would have noticed there are currently no outstanding CVEs for wget therefore the

[Touch-packages] [Bug 1828124] Re: org.gnome.evolution.dataserver.Source completely unveils account credentials in plain text while using dbus-monitor

2019-05-12 Thread Alex Murray
From a security PoV this is basic security by obscurity and effectively pointless - they are simply XORing each byte with a fixed value and then base64 encoding it - since the source code is public anyone can easily find this out and hence easily decode it - the only way to do this securely would

[Touch-packages] [Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-08 Thread Alex Murray
As noted in the Ubuntu Security Team FAQ we do not upgrade versions for stable Ubuntu releases - however the Security Team does backport security fixes where possible https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions To determine any possible outstanding vulnerabilities for wget please check the

[Touch-packages] [Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-08 Thread Alex Murray
As noted in the Ubuntu Security Team FAQ we do not upgrade versions for stable Ubuntu releases - however the Security Team does backport security fixes where possible https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions To determine any possible outstanding vulnerabilities for glibc please check the

[Touch-packages] [Bug 1828218] Re: boeug

2019-05-08 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1781699] Re: DHCPv6 server crashes regularly (bionic)

2019-05-02 Thread Alex Murray
This looks like a possible use-after-free so likely has a security impact (at a minimum it is a denial of service due to the crash, especially if it can be triggered remotely) - I've reported it to ISC as such who will hopefully assign a CVE and then we can fix it as a security update. For future

[Touch-packages] [Bug 1781699] Re: DHCPv6 server crashes regularly (bionic)

2019-05-03 Thread Alex Murray
This has been assigned CVE-2019-6470 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6470 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu. https://bugs.launchpad.net/bugs/1781699 Title:

[Touch-packages] [Bug 1833479] Re: libjack-jackd2-0 double close on a failure to connect to jackd which causes crashes in multithreaded programs

2019-07-05 Thread Alex Murray
From a security point of view, it is best if this issue is fixed not just in Ubuntu but other distributions - and the best way to ensure that is to get a CVE assigned for it. Has a CVE been applied for for this issue? If not, could you please submit one to MITRE and when one is assigned please

[Touch-packages] [Bug 1835181] Bug is not a security issue

2019-07-04 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1834815] Re: usb mouse is not being detect

2019-07-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1830858] Re: TOCTOU vulnerability in _get_ignore_dom (report.py)

2019-07-08 Thread Alex Murray
** Branch linked: lp:~alexmurray/apport/apport -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1830858 Title: TOCTOU vulnerability in _get_ignore_dom (report.py) Status in

[Touch-packages] [Bug 1830863] Re: Integer overflow in parse_report (whoopsie.c:425)

2019-07-08 Thread Alex Murray
** Branch linked: lp:~alexmurray/whoopsie/whoopsie -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to whoopsie in Ubuntu. https://bugs.launchpad.net/bugs/1830863 Title: Integer overflow in parse_report (whoopsie.c:425)

[Touch-packages] [Bug 1830863] Re: Integer overflow in parse_report (whoopsie.c:425)

2019-07-08 Thread Alex Murray
** Attachment removed: "PoC.tar.bz2" https://bugs.launchpad.net/ubuntu/+source/whoopsie/+bug/1830863/+attachment/5267311/+files/PoC.tar.bz2 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch

[Touch-packages] [Bug 1830858] Re: TOCTOU vulnerability in _get_ignore_dom (report.py)

2019-07-08 Thread Alex Murray
** Information type changed from Private Security to Public Security ** Attachment removed: "PoC.tar.bz2" https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1830858/+attachment/5267305/+files/PoC.tar.bz2 -- You received this bug notification because you are a member of Ubuntu Touch

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-08 Thread Alex Murray
** Changed in: openldap (Ubuntu) Status: New => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1835181 Title: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-07 Thread Alex Murray
Apologies for misinterpreting this issue when initially triaging it - I have re-marked it as Security. I notice from your linked bug report that this was still happening with the upstream code as of September 2016 - but upstream did not appear to engage on the issue. Can you confirm whether this

[Touch-packages] [Bug 1842902] Re: FFe: create zfs dataset for each user automatically

2019-09-05 Thread Alex Murray
Didier - could you please add some checks on the return values from the various open/dup2/execvl syscalls? Whilst currently I can't see a huge problem if these silently fail (open returns -1, dup2 then fails, or if dup2 fails anyway - then the only consequence is stdout/stderr is not silenced) I

[Touch-packages] [Bug 1842902] Re: FFe: create zfs dataset for each user automatically

2019-09-06 Thread Alex Murray
Thanks Didier, looks great :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu. https://bugs.launchpad.net/bugs/1842902 Title: FFe: create zfs dataset for each user automatically Status in shadow package

[Touch-packages] [Bug 1842383] Re: openssl 1.1.1 memory overuse/leak

2019-09-13 Thread Alex Murray
Thanks for reporting this issue - this sounds like it might be suitable as a StableReleaseUpdate - in particular the Regressions section https://wiki.ubuntu.com/StableReleaseUpdates#Regressions sounds relevant in this case. Could you please adapt this bug report following the template in

[Touch-packages] [Bug 1830858] Re: TOCTOU vulnerability in _get_ignore_dom (report.py)

2019-07-30 Thread Alex Murray
** CVE removed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3560 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1830858 Title: TOCTOU vulnerability in

[Touch-packages] [Bug 1830858] Re: TOCTOU vulnerability in _get_ignore_dom (report.py)

2019-07-22 Thread Alex Murray
** Changed in: apport Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1830858 Title: TOCTOU vulnerability in _get_ignore_dom (report.py)

[Touch-packages] [Bug 1835181] Re: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling differences between ldaps:// and ldap:// with STARTTLS

2019-07-07 Thread Alex Murray
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1835181 Title: OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT handling

[Touch-packages] [Bug 1839420] Re: Per-process user controllable Apport socket file

2019-10-30 Thread Alex Murray
** Description changed: Author: Sander Bos, Date: 2019-07-30 As defined in data/apport, when Apport thinks a crash originated in a container it will forward the crash handling to a /proc//root/run/apport.socket file, using /proc/ information from the

[Touch-packages] [Bug 1839415] Re: Fully user controllable lock file due to lock file being located in world-writable directory

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1839415 Title: Fully user controllable lock file due to

[Touch-packages] [Bug 1839795] Re: PID recycling enables an unprivileged user to generate and read a crash report for a privileged process

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1839795 Title: PID recycling enables an unprivileged

[Touch-packages] [Bug 1839420] Re: Per-process user controllable Apport socket file

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1839420 Title: Per-process user controllable Apport

[Touch-packages] [Bug 1830862] Re: Apport reads arbitrary files if ~/.config/apport/settings is a symlink

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1830862 Title: Apport reads arbitrary files if

[Touch-packages] [Bug 1839417] Re: Potentially existing (legitimate, root owned) lock file getting deleted by Apport daily cron(8) script

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1839417 Title: Potentially existing (legitimate, root

[Touch-packages] [Bug 1839413] Re: TOCTTOU ("time of check to time of use") "cwd" variable race condition

2019-10-30 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1839413 Title: TOCTTOU ("time of check to time of use")

[Touch-packages] [Bug 1839418] Re: Partially user controllable lock file due to incorrect, too broad permissions

2019-10-30 Thread Alex Murray
*** This bug is a duplicate of bug 1839415 *** https://bugs.launchpad.net/bugs/1839415 ** This bug has been marked a duplicate of bug 1839415 Fully user controllable lock file due to lock file being located in world-writable directory ** Information type changed from Private Security to

[Touch-packages] [Bug 1839414] Re: Apport follows symbolic links in path components when creating core dump file

2019-10-30 Thread Alex Murray
*** This bug is a duplicate of bug 1839413 *** https://bugs.launchpad.net/bugs/1839413 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in

[Touch-packages] [Bug 1844853] Re: IBus no longer works in Qt applications after upgrade

2019-11-03 Thread Alex Murray
@gunnarhj - updated packages for ibus are now available in the ubuntu-security-proposed PPA at https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa Also I note the bug description lists ibus in Focal as Fix Released - but the latest version in focal (1.5.21-1~exp2ubuntu2) is the

[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2019-11-10 Thread Alex Murray
** Bug watch added: Debian Bug tracker #919134 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134 ** Also affects: python via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919134 Importance: Unknown Status: Unknown -- You received this bug notification because you are

[Touch-packages] [Bug 1839417] Re: Potentially existing (legitimate, root owned) lock file getting deleted by Apport daily cron(8) script

2019-10-31 Thread Alex Murray
*** This bug is a duplicate of bug 1839415 *** https://bugs.launchpad.net/bugs/1839415 Yes - marking this as a duplicate against LP #1839415 as noted by Seth earlier too. ** This bug has been marked a duplicate of bug 1839415 Fully user controllable lock file due to lock file being

[Touch-packages] [Bug 1848784] Re: Crash in Qt 5.12.2

2019-11-20 Thread Alex Murray
Removing the bionic task since the version in bionic is not affected (it doesn't contain the original vulnerability). ** No longer affects: qtbase-opensource-src (Ubuntu Bionic) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed

[Touch-packages] [Bug 1849920] Re: ubuntu display problem

2019-10-27 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1848784] Re: Crash in Qt 5.12.2

2019-10-21 Thread Alex Murray
This would appear to have security implications since I imagine if an email were sent to a KMail recipient which was crafted in this same way it would crash KMail? If this is likely true a CVE should be requested from MITRE via https://cveform.mitre.org/ so that other distros etc can ensure they

[Touch-packages] [Bug 1848784] Re: Crash in Qt 5.12.2

2019-10-23 Thread Alex Murray
MITRE has assigned CVE-2019-18281 for this issue. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18281 ** Changed in: qtbase-opensource-src (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security) -- You received this bug notification because you are a

[Touch-packages] [Bug 1853879] Re: Dell E310dw: Default driver doesn't work, driverless fails on sides=two-sided-long-edge

2019-11-30 Thread Alex Murray
** Attachment added: "error_log" https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1853879/+attachment/5309038/+files/error_log -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.

[Touch-packages] [Bug 1853879] Re: Dell E310dw: Default driver doesn't work, driverless fails on sides=two-sided-long-edge

2019-11-30 Thread Alex Murray
I have the same problem with a Brother HL L2375-DW printer on Ubuntu 19.10. This was auto-detected and added to the GNOME Printers as 'Brother_HL_L2375DW_series' - if I print double sided (long-edge) using the then it prints the second page upside down (as though I had selected short-edge) - but

[Touch-packages] [Bug 1853879] Re: Dell E310dw: Default driver doesn't work, driverless fails on sides=two-sided-long-edge

2019-11-30 Thread Alex Murray
Let me know which of these PPDs to attach: $ ls -la /etc/cups/ppd/Brother_HL_L2375DW_series* -rw-r--r-- 1 root root 8499 Dec 1 17:14 /etc/cups/ppd/brother_hl_l2375dw_ser...@brw0c96e67e441e.local.ppd -rw-r- 1 root lp 8424 Dec 1 17:13

[Touch-packages] [Bug 1853879] Re: Dell E310dw: Default driver doesn't work, driverless fails on sides=two-sided-long-edge

2019-11-30 Thread Alex Murray
** Attachment added: "attrs.txt" https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1853879/+attachment/5309039/+files/attrs.txt -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.

[Touch-packages] [Bug 1853879] Re: Dell E310dw: Default driver doesn't work, driverless fails on sides=two-sided-long-edge

2019-12-01 Thread Alex Murray
** Attachment added: "brother_hl_l2375dw_ser...@brw0c96e67e441e.local.ppd" https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1853879/+attachment/5309145/+files/Brother_HL_L2375DW_series%40BRW0C96E67E441E.local.ppd -- You received this bug notification because you are a member of Ubuntu

[Touch-packages] [Bug 1853879] Re: Dell E310dw: Default driver doesn't work, driverless fails on sides=two-sided-long-edge

2019-12-01 Thread Alex Murray
** Attachment added: "Brother_HL_L2375DW_series.ppd" https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1853879/+attachment/5309146/+files/Brother_HL_L2375DW_series.ppd -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to

[Touch-packages] [Bug 1830865] Re: Integer overflow in bson_ensure_space (bson.c:613)

2019-10-29 Thread Alex Murray
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to whoopsie in Ubuntu. https://bugs.launchpad.net/bugs/1830865 Title: Integer overflow in bson_ensure_space

[Touch-packages] [Bug 1814596] Re: DynamicUser can create setuid binaries when assisted by another process

2019-10-09 Thread Alex Murray
DynamicUser is only supported in systemd>=235 so this is not needed for xenial, only bionic and disco. ** Also affects: systemd (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: systemd (Ubuntu Disco) Importance: Undecided Status: New -- You received this

[Touch-packages] [Bug 1507025] Re: Shell Command Injection with the hostname

2019-12-19 Thread Alex Murray
Even our oldest supported (as extended security maintenance) release Ubuntu 12.04 had bash 4.2 (https://launchpad.net/ubuntu/+source/bash) - so whether this affects bash 3.2.57 is not relevant to Ubuntu anymore. -- You received this bug notification because you are a member of Ubuntu Touch

[Touch-packages] [Bug 1862717] [NEW] Automatic crash report bug reports opened in gedit rather than the browser

2020-02-10 Thread Alex Murray
Public bug reported: If a crash report is triggered automatically (say from a program crash etc) then the Apport UI pops up asking whether to report this - if I choose to proceed, after about 30 seconds gedit pops up with an HTML document showing 'OpenID transaction in progress' - which is the

[Touch-packages] [Bug 1862717] Re: Automatic crash report bug reports opened in gedit rather than the browser

2020-02-10 Thread Alex Murray
Relevant parts from journalctl: Feb 11 13:03:53 slate systemd[6652]: Starting Notification regarding a crash report... Feb 11 13:03:53 slate update-notifier-crash[260823]: /usr/bin/whoopsie Feb 11 13:03:54 slate update-notifier-crash[260837]: /var/crash/libdleyna-core-1 Feb 11 13:04:19 slate

[Touch-packages] [Bug 1862112] Re: apparmor prevents DHCP from starting with IPoIB interface

2020-02-05 Thread Alex Murray
Can you try adding the following to /etc/apparmor.d/local/usr.sbin.dhcpd: network packet dgram, And then running sudo apparmor_parser -rT /etc/apparmor.d/usr.sbin.dhcpd And see if restarting dhcpd then works? -- You received this bug notification because you are a member of Ubuntu Touch
