[Bug 1915304] Re: linux-stable v4.14.217 causes skb_mark_not_on_list() build failure
I wish you'd not waste time on this downstream stuff. wireguard-linux-compat v1.0.20210219 has the proper fix (along with other important fixes). Simply import the package from Debian and be done with it.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1915304

Title:
  linux-stable v4.14.217 causes skb_mark_not_on_list() build failure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard-linux-compat/+bug/1915304/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906947] Re: package wireguard-dkms 1.0.20201112-1~20.04.1 failed to install/upgrade: installed wireguard-dkms package post-installation script subprocess returned error exit status 10
apw - I'll leave this to you.
[Bug 1907996] Re: Wireguard-tools misses some bash completion
Thank you for the report. Fixed upstream now: https://git.zx2c4.com/wireguard-tools/commit/?id=7e506135f7da13cc13b51f2d0db47da364b2de7b

This will trickle down to Ubuntu whenever I make a release upstream and then Debian and Ubuntu do their thing.

** Changed in: wireguard (Ubuntu)
       Status: New => Fix Committed
[Bug 1856539] Re: wireguard package doesn't work on ubuntu eon
The Ubuntu kernel team seems to be behind in deploying a fix for this. In the interim you can solve this by using the WireGuard project's PPA, which now has backports for 19.10. Run this command to fix your issue:

    sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo apt-get upgrade
[Bug 1862413] Re: wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed to build
The Ubuntu kernel team seems to be behind in deploying a fix for this. In the interim you can solve this by using the WireGuard project's PPA, which now has backports for 19.10. Run this command to fix your issue:

    sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo apt-get upgrade
[Bug 1851295] Re: dkms error with wireguard on upgrafe to 19.10
Consult /var/lib/dkms/wireguard/0.0.20190913/build/make.log for more information.
[Bug 1854225] Re: Kernel oops and system lock up when invoking wg-quick up
Doesn't look like a WireGuard bug.

** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
[Bug 1856539] Re: wireguard package doesn't work on ubuntu eon
[ 15.589541] module: x86/modules: Skipping invalid relocation target, existing value is nonzero for type 1, loc f4677a21, val c1171b82

Looks like a dkms issue? Thankfully we won't need that for 20.04 and also earlier kernels once things are backported. I'll reassign this to the Canonical kernel people.

** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
[Bug 1858807] Re: Wireguard install fails on 19.10
The kernel team can backport things if need be.

** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
[Bug 1851295] Re: dkms error with wireguard on upgrafe to 19.10
Seems dkms related.

** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
[Bug 1854225] Re: Kernel oops and system lock up when invoking wg-quick up
Thanks for the bug report. That kern.log is useful. The relevant part is reproduced below in this comment. Looks like wg-quick(8) invokes sysctl(8), which then uses /proc/sys/, and somehow invokes a null pointer dereference while holding a spinlock, leading to that lock being hit by other cores, eventually locking up your system.

Nov 26 23:20:01 padbeast kernel: [16283.030060] BUG: kernel NULL pointer dereference, address: 0011
Nov 26 23:20:01 padbeast kernel: [16283.030064] #PF: supervisor read access in kernel mode
Nov 26 23:20:01 padbeast kernel: [16283.030065] #PF: error_code(0x) - not-present page
Nov 26 23:20:01 padbeast kernel: [16283.030067] PGD 0 P4D 0
Nov 26 23:20:01 padbeast kernel: [16283.030070] Oops: [#1] SMP NOPTI
Nov 26 23:20:01 padbeast kernel: [16283.030073] CPU: 1 PID: 6983 Comm: sysctl Tainted: G OE 5.3.0-23-generic #25-Ubuntu
Nov 26 23:20:01 padbeast kernel: [16283.030074] Hardware name: LENOVO 2325A39/2325A39, BIOS G2ETB3WW (2.73 ) 06/19/2018
Nov 26 23:20:01 padbeast kernel: [16283.030080] RIP: 0010:rb_first+0xb/0x20
Nov 26 23:20:01 padbeast kernel: [16283.030082] Code: fe ff ff 4c 89 e9 4c 89 f2 4d 89 ee 49 89 c5 e9 81 fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 48 8b 07 48 85 c0 74 10 49 89 c0 <48> 8b 40 10 48 85 c0 75 f4 4c 89 c0 c3 45 31 c0 eb f7 0f 1f 00 48
Nov 26 23:20:01 padbeast kernel: [16283.030083] RSP: 0018:b662c21efe18 EFLAGS: 00010202
Nov 26 23:20:01 padbeast kernel: [16283.030085] RAX: 0001 RBX: b662c21efec0 RCX:
Nov 26 23:20:01 padbeast kernel: [16283.030087] RDX: 0001 RSI: b71e1b73 RDI: 9e25445eea50
Nov 26 23:20:01 padbeast kernel: [16283.030088] RBP: b662c21efe70 R08: 0001 R09: 0004
Nov 26 23:20:01 padbeast kernel: [16283.030090] R10: b71e1b71 R11: R12: 9e24f782ead8
Nov 26 23:20:01 padbeast kernel: [16283.030091] R13: 9e24f782ea80 R14: 9e24f75cb400 R15: b60e2ba0
Nov 26 23:20:01 padbeast kernel: [16283.030093] FS: 7f669f9d6580() GS:9e255604() knlGS:
Nov 26 23:20:01 padbeast kernel: [16283.030095] CS: 0010 DS: ES: CR0: 80050033
Nov 26 23:20:01 padbeast kernel: [16283.030096] CR2: 0011 CR3: 000147bb8006 CR4: 001606e0
Nov 26 23:20:01 padbeast kernel: [16283.030098] Call Trace:
Nov 26 23:20:01 padbeast kernel: [16283.030104] ? proc_sys_readdir+0x11a/0x2c0
Nov 26 23:20:01 padbeast kernel: [16283.030109] iterate_dir+0x9a/0x1b0
Nov 26 23:20:01 padbeast kernel: [16283.030112] ksys_getdents64+0x9c/0x130
Nov 26 23:20:01 padbeast kernel: [16283.030114] ? iterate_dir+0x1b0/0x1b0
Nov 26 23:20:01 padbeast kernel: [16283.030117] __x64_sys_getdents64+0x1a/0x20
Nov 26 23:20:01 padbeast kernel: [16283.030120] do_syscall_64+0x5a/0x130
Nov 26 23:20:01 padbeast kernel: [16283.030124] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 26 23:20:01 padbeast kernel: [16283.030126] RIP: 0033:0x7f669f8c507b
Nov 26 23:20:01 padbeast kernel: [16283.030129] Code: 0f 1e fa 48 8b 47 20 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 81 fa ff ff ff 7f b8 ff ff ff 7f 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 e1 8d 10 00 f7 d8
Nov 26 23:20:01 padbeast kernel: [16283.030130] RSP: 002b:7ffc1e7e4ef8 EFLAGS: 0293 ORIG_RAX: 00d9
Nov 26 23:20:01 padbeast kernel: [16283.030132] RAX: ffda RBX: 562cc04d9ce0 RCX: 7f669f8c507b
Nov 26 23:20:01 padbeast kernel: [16283.030134] RDX: 8000 RSI: 562cc04d9ce0 RDI: 0007
Nov 26 23:20:01 padbeast kernel: [16283.030135] RBP: ff80 R08: 0030 R09: 007c
Nov 26 23:20:01 padbeast kernel: [16283.030137] R10: R11: 0293 R12: 562cc04d9cb4
Nov 26 23:20:01 padbeast kernel: [16283.030138] R13: R14: 562cc04d9cb0 R15: 562cc04c1bc0
Nov 26 23:20:01 padbeast kernel: [16283.030140] Modules linked in: binfmt_misc wireguard(OE) ip6_udp_tunnel udp_tunnel acpi_call(OE) msr ccm uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc nls_iso8859_1 mei_hdcp intel_rapl_msr snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec iwldvm snd_hda_core snd_hwdep mac80211 joydev snd_pcm input_leds libarc4 wmi_bmof snd_seq_midi snd_seq_midi_event iwlwifi snd_rawmidi thinkpad_acpi cfg80211 nvram ledtrig_audio snd_seq snd_seq_device snd_timer intel_rapl_common x86_pkg_temp_thermal snd intel_powerclamp coretemp kvm_intel kvm mei_me soundcore mei mac_hid irqbypass intel_cstate serio_raw intel_rapl_perf sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 dm_crypt crct10dif_pclmul crc32_pclmul ghash_clmulni_intel i915 aesni_intel i2c_algo_bit aes_x86_64 crypto_simd drm_kms_helper sdhci_pci cryptd glue_helper psmouse cqhci syscopyarea ahci i2c_i801 libahci s
[Bug 1858807] Re: Wireguard install fails on 19.10
This is fixed upstream, but the Ubuntu package is old. Maybe somebody can do something about this.
[Bug 1856539] Re: wireguard package doesn't work on ubuntu eon
Run `sudo modprobe wireguard`, and then after run `dmesg`, and paste the output of your dmesg. Most likely you need to do some sort of dkms rebuilding.
[Bug 1842447] Re: Kernel Panic with linux-image-4.15.0-60-generic when specifying nameserver in docker-compose
It's possible this same issue is responsible for this crash in WireGuard: https://lists.zx2c4.com/pipermail/wireguard/2019-September/004495.html
[Bug 1685522] Re: out of date snapshot
Hey apw and adconrad -- a long time ago (2.5 years) we decided to keep WireGuard from migrating into Ubuntu. There's been tons of progress since then. It's now in the progress of migrating down into Debian testing and stable. I think it's time we let it migrate into Ubuntu too. Is there anything that needs to be done on your part of the build infra to unblock this?
[Bug 1685522] Re: out of date snapshot
** No longer affects: wireguard (Ubuntu)
[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0
Most likely this is related to an invocation to `ip rule` that's being made, not WireGuard. Take a look at this mailing list post: https://lists.zx2c4.com/pipermail/wireguard/2019-October/004588.html
[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0
Yep, confirmed that Eoan is broken. Here's reproduction steps:

root@scw-competent-dirac:~# uname -a
Linux scw-competent-dirac 5.3.0-13-generic #14-Ubuntu SMP Tue Sep 24 02:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@scw-competent-dirac:~# ip netns add crash
root@scw-competent-dirac:~# ip -n crash link add dummy1 type dummy
root@scw-competent-dirac:~# ip -n crash link set dummy1 up
root@scw-competent-dirac:~# ip -n crash -6 route add default dev dummy1
root@scw-competent-dirac:~# ip -n crash -6 rule add table main suppress_prefixlength 0
root@scw-competent-dirac:~# ip netns exec crash ping -f -c 1000 -W 1 1234::1 || true
PING 1234::1(1234::1) 56 data bytes
..Segmentation fault
root@scw-competent-dirac:~# ip -n crash -6 rule del table main suppress_prefixlength 0
root@scw-competent-dirac:~# ip -n crash link del dummy1

[ 100.388052] general protection fault: [#1] SMP NOPTI
[ 100.396544] CPU: 1 PID: 1680 Comm: ping Tainted: GW 5.3.0-13-generic #14-Ubuntu
[ 100.398869] Hardware name: Scaleway Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
[ 100.401359] RIP: 0010:ip6_dst_hoplimit+0x1b/0x50
[ 100.402157] Code: 85 c9 44 8b 45 d0 74 9b eb 82 0f 1f 44 00 00 0f 1f 44 00 00 48 8b 47 10 55 48 83 e0 fc 8b 40 24 48 89 e5 85 c0 75 15 48 8b 07 <48> 8b 90 10 03 00 00 48 85 d2 74 08 8b 82 1c 01 00 00 5d c3 48 8b
[ 100.405133] RSP: 0018:b7dcc04e3c20 EFLAGS: 00010246
[ 100.405940] RAX: 3b3856482af84913 RBX: a01db31d3cf0 RCX:
[ 100.407045] RDX: RSI: a01dada4e300 RDI: a01dada4e300
[ 100.408261] RBP: b7dcc04e3c20 R08: 0006 R09:
[ 100.409433] R10: b7dcc04e3d00 R11: 0039 R12: b7dcc04e3e10
[ 100.410611] R13: b7dcc04e3d00 R14: a01db31d3900 R15:
[ 100.411889] FS: 7f6c12b8e040() GS:a01dbf70() knlGS:
[ 100.413180] CS: 0010 DS: ES: CR0: 80050033
[ 100.414126] CR2: 7f5c067453e0 CR3: 3190 CR4: 003406e0
[ 100.415335] Call Trace:
[ 100.415746] rawv6_sendmsg+0x81c/0xad0
[ 100.416474] ? sock_common_recvmsg+0x49/0x70
[ 100.417131] inet_sendmsg+0x6c/0x70
[ 100.417730] ? security_socket_sendmsg+0x3f/0x60
[ 100.418468] ? inet_sendmsg+0x6c/0x70
[ 100.419109] sock_sendmsg+0x5e/0x70
[ 100.419775] __sys_sendto+0x113/0x190
[ 100.420517] ? __sys_recvmsg+0x59/0xa0
[ 100.421307] __x64_sys_sendto+0x29/0x30
[ 100.422036] do_syscall_64+0x5a/0x130
[ 100.422692] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 100.423479] RIP: 0033:0x7f6c12cd58aa
[ 100.424123] Code: 48 c7 c0 ff ff ff ff eb bc 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c
[ 100.426939] RSP: 002b:7ffe8eed1d28 EFLAGS: 0246 ORIG_RAX: 002c
[ 100.428248] RAX: ffda RBX: 0040 RCX: 7f6c12cd58aa
[ 100.429498] RDX: 0040 RSI: 560c046766c0 RDI: 0004
[ 100.430647] RBP: 560c046766c0 R08: 560c04674640 R09: 001c
[ 100.431843] R10: R11: 0246 R12: 7ffe8eed3028
[ 100.433031] R13: 560c046766c0 R14: 001d0001 R15: 560c046723a0
[ 100.434158] Modules linked in: dummy nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua kvm_amd ccp kvm irqbypass joydev input_leds serio_raw mac_hid qemu_fw_cfg sch_fq_codel ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd cryptd glue_helper psmouse virtio_blk virtio_net net_failover virtio_scsi failover pata_acpi i2c_piix4 floppy
[ 100.442203] ---[ end trace 2009978ed4c4e669 ]---
[ 100.443005] RIP: 0010:ip6_dst_hoplimit+0x1b/0x50
[ 100.443802] Code: 85 c9 44 8b 45 d0 74 9b eb 82 0f 1f 44 00 00 0f 1f 44 00 00 48 8b 47 10 55 48 83 e0 fc 8b 40 24 48 89 e5 85 c0 75 15 48 8b 07 <48> 8b 90 10 03 00 00 48 85 d2 74 08 8b 82 1c 01 00 00 5d c3 48 8b
[ 100.446933] RSP: 0018:b7dcc04e3c20 EFLAGS: 00010246
[ 100.447801] RAX: 3b3856482af84913 RBX: a01db31d3cf0 RCX:
[ 100.449171] RDX: RSI: a01dada4e300 RDI: a01dada4e300
[ 100.450486] RBP: b7dcc04e3c20 R08: 0006 R09:
[ 100.451647] R10: b7dcc04e3d00 R11: 0039 R12: b7dcc04e3e10
[ 100.452695] R13: b7dcc04e3d00 R14: a01db31d3900 R15:
[ 100.453774] FS: 7f6c12b8e040() GS:a01dbf70() knlGS:
[ 100.455125] CS: 0010 DS: ES: CR0: 80050033
[ 100.456141] CR2: 7f5c067453e0 CR3: 3190 CR4: 003406e0
[ 100.484084] general protection fault: [#2] SMP NOPTI
[ 100.485628]
[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0
Here's a one liner that *doesn't require root* that you can use to test whether the kernel fix has landed:

    unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'

Note: this will crash your system.
[Bug 1847478] Re: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
** Summary changed:

- wireguard crashes system shortly after wg-quick down wg0
+ eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"

** Package changed: wireguard (Ubuntu) => linux-meta (Ubuntu)
[Bug 1844521] Re: DEP8 test reaches out to demo.wireguard.com
In lieu of Debian changing something, I'd suggest replacing this package with the one we actually develop specifically for Ubuntu: https://launchpad.net/~wireguard/+archive/ubuntu/wireguard

Could you take care of importing 0.0.20190913 (or newer, depending on when you read this) from there?
[Bug 1910404] Re: wireguard-dkms 1.0.20201112-1~16.04.1 failed to build
** Changed in: wireguard-linux-compat (Ubuntu)
       Status: New => Invalid
[Bug 1910404] Re: wireguard-dkms 1.0.20201112-1~16.04.1 failed to build
> Building initial module for 4.4.0-31-generic

That doesn't look like a recent kernel. Purge old kernels.
[Bug 1896777] Re: wireguard-dkms 1.0.20200611-1ubuntu1~16.04.1: wireguard kernel module failed to build
You forgot to update your system.

    apt update && apt upgrade

** Changed in: wireguard-linux-compat (Ubuntu)
       Status: New => Invalid
[Bug 1915304] Re: linux-stable v4.14.217 causes skb_mark_not_on_list() build failure
This was fixed in the latest upstream wireguard-linux-compat release on Jan 24.

** Changed in: wireguard-linux-compat (Ubuntu)
       Status: Triaged => Fix Released
[Bug 1915304] Re: linux-stable v4.14.217 causes skb_mark_not_on_list() build failure
Due to inconsistent use of ubuntu-specific identifiers and complexity introduced by HWE and such, wireguard-linux-compat develops against the latest kernels for each of the Ubuntu releases -- listed on https://www.wireguard.com/build-status/ , ctrl+F for ubuntu. This already amounts to ~7 kernels. So the thing to do here would be to add !defined(ISUBUNTU1804) to the relevant ifdef:

#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 10) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0) && !defined(ISRHEL8) && !defined(ISUBUNTU1804)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 217)

Afterwards, if you want to apply additional patches downstream so that this works on older kernels within each Ubuntu release, that would make sense. But upstream should first always be made to work against the latest kernel version in each Ubuntu release.

If you have advanced knowledge that something is about to break (because of this or that backport), then please push a patch upstream for that. apw@ knows how this works, if you want to talk to somebody internal about it. Otherwise I'm zx2c4 on Freenode and happy to help.
[Bug 1890201] Re: Depends on wireguard-modules | wireguard-dkms are inverted
The real issue here is that Andy forgot to add `Provides: wireguard-modules` to the linux-meta-oem package, and maybe some others here:

- https://lists.zx2c4.com/pipermail/wireguard/2020-August/005743.html
- https://lists.zx2c4.com/pipermail/wireguard/2020-August/005746.html
- https://lists.zx2c4.com/pipermail/wireguard/2020-August/005747.html
- https://lists.zx2c4.com/pipermail/wireguard/2020-August/005752.html

I'd recommend that any fix here prioritize fixing the root cause issue - the missing Provides:.
[Bug 1890286] Re: ansi escape sequence injection into add-apt-repository
Looks like this has come up before in other utilities and was fixed, such as https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1649352 .

** Summary changed:

- ansi escape sequence injection into add-apt-repository
+ ansi escape sequence injection in add-apt-repository
[Bug 1890286] [NEW] ansi escape sequence injection in add-apt-repository
*** This bug is a security vulnerability ***

Public security bug reported:

This was reported to oss-security and to secur...@ubuntu.com, but I figure I should make a real bug report, as otherwise it'll probably be missed. Original post from https://www.openwall.com/lists/oss-security/2020/08/03/1 follows below.

--

Hi,

I've found a rather low grade concern: I'm able to inject ANSI escape sequences into PPA descriptions on Launchpad, and then have them rendered by add-apt-repository *before* the user consents to actually adding that repository. There might be some sort of trust barrier issue with that. This could be used to clear the screen and imitate a fresh bash prompt, upload files, dump the current screen to a file, or other classic shenanigans, well chronicled in the archives of oss-sec.

PoC time -- I'm using this "feature" for good at the moment to announce the deprecation in bold text of a PPA that I maintain: https://data.zx2c4.com/add-apt-repository-ansi-injection.png

The proper fix to this is likely to do sanitization on the add-apt-repository side.

Regards,
Jason

** Affects: software-properties (Ubuntu)
   Importance: Undecided
       Status: New

** Information type changed from Private Security to Public

** Information type changed from Public to Public Security
[Bug 1890201] Re: Depends on wireguard-modules | wireguard-dkms are inverted
Great that this is going through the various levels of approval for SRU, but I do hope the actual bug -- Provides: being missing -- is fixed with this same level of urgency.
[Bug 1890201] Re: Depends on wireguard-modules | wireguard-dkms are inverted
Super! Sounds like a big improvement. Thanks for rolling this out so quickly.
[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository
I'm not convinced that really cuts it. Namely, from the diff:

-print(" %s" % (info["description"] or "")) +# strip ANSI escape sequences +description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]", + "", info["description"] or "") + +print(" %s" % description)

There are sequences that don't get filtered by that. Aside from the usual things like \r or \b, it looks like https://man7.org/linux/man-pages/man4/console_codes.4.html lists a few codes that defy it too. While that diff above might be the "stackoverflow answer", it doesn't seem complete. Instead, why not just adopt a whitelist policy? Only allow visible and space characters, or something like that.
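Review bot: the pattern on the added `description = re.sub(...)` line matches only CSI sequences, meaning `\x9B` or `\x1B\[` followed by parameter, intermediate and final bytes, so a bare `\r` or `\b`, or an ESC that is not followed by `[`, still reaches `print(" %s" % description)` unchanged. Suggest replacing the deny-list regex with an allow-list that passes only printable characters plus the whitespace the output needs, and escaping or dropping everything else. The visible lines also do not show an `import re`; confirm the module already imports it.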
[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository
You might be right that the remaining ones that slip through your regex are mere "nuisance"s. But you know how those things go - one man's nuisance is another man's vuln. Some of those, anyhow, are implemented by the Linux console driver. Why not just take the tried and true "safe" route, as implemented by vis(3)'s VIS_SAFE or similar? Otherwise it sounds like you're playing with a bit of fire. Put differently, is there some legitimate use case of the ANSI escape characters that make you want to preserve some of their usage while disallowing other parts? If so, that would really surprise me.
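The gap discussed in the two replies above, as an added example that is not part of the original messages or of add-apt-repository's own code: it runs the regex from the quoted diff and an allow-list filter over constructed descriptions and reports which control characters each one lets through. The function names and sample strings are assumptions made for illustration.

```python
import re

# Filter from the diff quoted in the thread: removes CSI sequences only.
CSI_RE = re.compile(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]")


def strip_csi(text: str) -> str:
    """Deny-list approach: delete CSI escape sequences, keep everything else."""
    return CSI_RE.sub("", text)


def allowlist_sanitize(text: str) -> str:
    """Allow-list approach: pass printable characters and newline, and render
    every other character as a visible escape (similar in spirit to vis(3))."""
    out = []
    for ch in text:
        if ch == "\n" or ch.isprintable():
            out.append(ch)
        else:
            # e.g. ESC becomes the four visible characters \x1b
            out.append(ch.encode("unicode_escape").decode("ascii"))
    return "".join(out)


def unsafe_chars(text: str) -> list:
    """Characters a terminal could interpret instead of displaying."""
    return [ch for ch in text if ch != "\n" and not ch.isprintable()]


# Constructed sample descriptions (not taken from any real PPA).
SAMPLES = {
    "csi_bold": "\x1b[1mDEPRECATED\x1b[0m use the new archive",
    "carriage_return": "Stable builds\rNightly",
    "backspace": "version 1\b2",
    "esc_non_csi": "notes\x1bc more notes",  # ESC c, listed in console_codes(4)
    "multi_line": "line one\nline two",
}


def compare(samples=SAMPLES):
    """Run both filters over each sample and record what survives."""
    report = {}
    for name, raw in samples.items():
        safe_out = allowlist_sanitize(raw)
        report[name] = {
            "regex_leftover": unsafe_chars(strip_csi(raw)),
            "allowlist_leftover": unsafe_chars(safe_out),
            "allowlist_output": safe_out,
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```
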
[Bug 1892798] Re: eliminating resolvconf/openresolv dependencies
Thanks for bringing this to my attention. I believe your assessment is correct. Do you know which Ubuntu first started using resolved? How far back do we need to make changes?

There are two facets of this:

1) The Ubuntu systemd package should install the resolvconf compatibility symlink. I have no idea why this isn't already the case, and that seems like a bug that should be remedied ASAP. resolvconf(8) is the standard interface for programs to interact with DNS, which is why systemd provides it. Not providing it is super confusing.

2) The Recommends in the wireguard package should be adjusted.

I believe apw@ can handle (2). Somebody on the systemd team should handle (1).

** Changed in: wireguard (Ubuntu)
   Status: New => Confirmed

** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: systemd (Ubuntu)
   Status: New => Confirmed
[Bug 1861284] Re: Build and ship a signed wireguard.ko
** Tags added: verification-needed-xenial
[Bug 1879952] Re: wireguard-dkms 1.0.20200429-2~19.10: wireguard kernel module failed to build
Looks like your wireguard-dkms package is out of date. This is apw's area. I'll add him to the bug.
[Bug 725126]
This problem still exists on binutils 2.33 when -fvisibility=hidden is passed to cflags. I imagine this is so due to some conflicting code where the forced B.W is only generated for static functions, since non-static ones will be relocated differently, but then because of -fvisibility=hidden, they get treated like statics, only B is used instead of the forced B.W, causing this issue to crop up again.

OpenWRT experienced this when including WireGuard on a new board. I fixed it like this: https://git.zx2c4.com/wireguard-linux-compat/commit/?id=178cdfffb99f2fd6fb4a5bfd2f9319461d93f53b

https://bugs.launchpad.net/bugs/725126
Title: gas may assemble b to locally-defined, preemptible global symbol as "b.n"
[Bug 725126]
Tracking the new bug here now: https://sourceware.org/bugzilla/show_bug.cgi?id=26141
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
The wireguard virtual package should imply "modules|dkms", and in general the order for the recommends here should change to "modules|dkms". Additionally, the dkms module should skip kernels that already have wireguard.

We fixed this in Debian two ways, here:

1. https://salsa.debian.org/debian/wireguard-linux-compat/-/blob/debian/master/debian/patches/0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.patch
   Ubuntu will need a similar patch as this, but with slightly different semantics, likely.

2. https://salsa.debian.org/debian/wireguard/-/commit/2d36365079f4668660963c5c819db3b544c5d56f
   This changes the Depends order accordingly.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
The kernel package has a "Provides: wireguard-modules", as wireguard-modules is a virtual. At least that's how it's supposed to work.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
To add to the list above of debian things:

3. https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
> The wireguard{,-dkms,-tools} versions do not align: wireguard-dkms is newer. Maybe that's not relevant but I thought I'd mention it.

This part doesn't matter. They're separate packages with separate releases and don't need to align.

https://git.zx2c4.com/wireguard-linux-compat/refs/
https://git.zx2c4.com/wireguard-tools/refs/

However, your mention about the Depends not actually being there is worrying. I thought I had observed the same thing the other day, but Unit193 convinced me I was mistaken, but I don't remember why. I'll wait for him or apw to chime in. I suspect there's an issue here though...

If so, that would mean we need the following to happen:

1. Reverse the order of wireguard-modules and wireguard-dkms in both the Depends: and Recommends:. Importing the latest Debian package will do this. ( https://salsa.debian.org/debian/wireguard/-/commit/2d36365079f4668660963c5c819db3b544c5d56f and https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023 )

2. Add Provides: wireguard-modules to the kernel package, just like Debian does ( https://salsa.debian.org/kernel-team/linux/-/commit/5a0532517e072117af71beb281b2cad86e55ba05 )

3. Tweak Debian's semantics for wireguard-dkms to handle the changed build exclusion based on Ubuntu's particulars. (modify https://salsa.debian.org/debian/wireguard-linux-compat/-/blob/debian/master/debian/patches/0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.patch )
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
Okay something is very amiss, and at this point a member of Canonical's kernel team is going to have to check.

I downloaded the latest one from the mirrors: https://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-meta/linux-image-generic_5.4.0.24.29_amd64.deb

This has:

    Provides: virtualbox-guest-modules (= 6.1.4-dfsg-2), zfs-modules (= 0.8.3-1ubuntu11)

No wireguard-modules!

But then if I look at a much earlier deb, such as https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/+build/18884574/+files/linux-image-generic_5.4.0.20.24_amd64.deb :

    Provides: virtualbox-guest-modules (= 6.1.4-dfsg-2), wireguard-modules (= 0.0.20200318-1ubuntu1), zfs-modules (= 0.8.3-1ubuntu8)

So what's going on here? Looks like there was some regression in Canonical's complex build scripts maybe? Somebody else is going to have to look into this.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
I've let people know in #ubuntu-kernel, so hopefully Canonical will take a look.

To recap for whoever inherits this bug, the following things need to be done:

1. Add back the "Provides: wireguard-modules" in linux-image-generic. This is really important. It used to be there but has strangely been dropped, which is why this bug report was filed by a user.

2. Reverse the order of wireguard-modules and wireguard-dkms in both the Depends: and Recommends:. Importing the latest Debian package will do this:
   https://salsa.debian.org/debian/wireguard/-/commit/2d36365079f4668660963c5c819db3b544c5d56f
   https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023

3. Optional: tweak Debian's semantics for wireguard-dkms to handle the changed build exclusion based on Ubuntu's particulars. That involves modifying:
   https://salsa.debian.org/debian/wireguard-linux-compat/-/blob/debian/master/debian/patches/0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.patch
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
> Actually, it looks like it was dropped intentionally here by apw:
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next&id=95b5fab11fa1e681a3adaba4f669efef8a18fd70
> But maybe it never got added to the meta as the commit message describes?

Actually, even weirder. That commit has in it:

    BugLink: https://bugs.launchpad.net/bugs/1856414

That bug mentions nvidia, not wireguard. Is it possible that the Provides was simply removed for the wrong package?
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
> linux-image-generic only ships the vmlinuz so I believe that's why it doesn't directly "Provides: wireguard-modules". This is missing from linux-modules-5.4.0-XX-generic though which outta have it because does provides the .ko

Not sure this logic holds, considering that has Provides for other modules for which there is a .ko not in linux-image-generic.

wireguard-modules used to be there. Now it's not. A regression happened at some point.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
Actually, it looks like it was dropped intentionally here by apw: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next&id=95b5fab11fa1e681a3adaba4f669efef8a18fd70

But maybe it never got added to the meta as the commit message describes?
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
Simon - to keep you updated on the bug you reported, this fixes issue (1), as described in comment #9: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux-meta/+git/focal/commit/?id=204fb3b2ae6b0c8c41c339f47949b45d571c4953

We'll keep this open until there's a decision/fix on (2) and (3), as described in comment #9.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
Ah, looks like I can't.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
Reopening this until we have some conclusion on (2) and (3) of #9.
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
Looks like it's still in -proposed, not -updates:

    zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-proposed/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package:
    Package: linux-image-aws
    Package: linux-image-azure
    Package: linux-image-gcp
    Package: linux-image-generic
    Package: linux-image-generic-hwe-20.04
    Package: linux-image-gke
    Package: linux-image-kvm
    Package: linux-image-lowlatency
    Package: linux-image-lowlatency-hwe-20.04
    Package: linux-image-oracle
    Package: linux-image-virtual
    Package: linux-image-virtual-hwe-20.04

    zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package:
    Package: linux-image-generic
    Package: linux-image-generic-hwe-20.04
    Package: linux-image-lowlatency
    Package: linux-image-lowlatency-hwe-20.04
    Package: linux-image-virtual
    Package: linux-image-virtual-hwe-20.04
[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms
All set now!

    zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package:
    Package: linux-image-aws
    Package: linux-image-azure
    Package: linux-image-gcp
    Package: linux-image-generic
    Package: linux-image-generic-hwe-20.04
    Package: linux-image-gke
    Package: linux-image-kvm
    Package: linux-image-lowlatency
    Package: linux-image-lowlatency-hwe-20.04
    Package: linux-image-oracle
    Package: linux-image-virtual
    Package: linux-image-virtual-hwe-20.04
[Bug 1680811] Re: Request to add wireguard interface to interface-order
It might make more sense to simply switch to using openresolv, which is a proper resolvconf implementation, which doesn't rely on this silly hard-coded list. Alternatively, you could just backport features one by one from openresolv, such as '-m 0' and '-x'. But really, since openresolv has no downsides and only upsides, and Debian's homebaked resolvconf is rotting and has issues, you'd really be better off just removing Debian's resolvconf from Ubuntu and relying instead on openresolv.
[Bug 1683884] [NEW] openresolv is less crippled than debian-resolvconf for security-focused configurations
Public bug reported:

Ubuntu relies on Debian's own "resolvconf" which is vastly inferior to Openresolv and makes it impossible to securely set up DNS servers for ephemeral secure tunnel interfaces.

Specifically, Debian's "resolvconf" relies on a hard coded list of interface templates. For virtual interfaces or renamed interfaces -- such as those used for creating secure tunnels -- the DNS entries will be lowest priority. This means it's not possible to override the current DNS with a DNS bound to a particular arbitrarily-named interface. In other words, Debian's "resolvconf" explicitly ties interface naming templates to interface metrics. Openresolv has the `-m` option for this. Using `-m 0` will give an interface's DNS servers top priority.

Secondly, and importantly, Debian's "resolvconf" does not support the `-x` option, which specifies that the DNS servers of an interface should be the _exclusive_ servers in use. This option is necessary to prevent leaking DNS queries over another interface. Even with the aforementioned `-m 0` option, an attacker could DoS the top priority DNS server in order to leak queries to the second priority DNS server. Openresolv's `-x` option fixes this, by allowing marking an interface as having "exclusive" control over DNS.

Therefore, I'd suggest that either:

a) Ubuntu switch to using Openresolv by default instead of its own "resolvconf". The openresolv package already "Provides: resolvconf", so it should be a drop-in replacement; or

b) Debian's "resolvconf" backport these useful and necessary features from Openresolv.

For my specific usage, the recommendation in https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1680811 might work as a fix for the `-m 0` issue, but it is less than ideal and does accomplish `-x`. Therefore, I recommend doing either (a) or (b), preferably (a).
** Affects: resolvconf (Ubuntu) Importance: Undecided Status: New ** Description changed: Ubuntu relies on Debian's own "resolvconf" which is vastly inferior to Openresolv and makes it impossible to securely set up DNS servers for ephemeral secure tunnel interfaces. Specifically, Debian's "resolvconf" relies on a hard coded list of interface templates. For virtual interfaces or renamed interfaces -- such as those used for creating secure tunnels -- the DNS entries will be lowest priority. This means it's not possible to override the current DNS with a DNS bound to particular arbitrarily-named interface. In other words, Debian's "resolvconf" explicitly ties interface naming templates to interface metrics. Openresolv has the `-m` option for this. Using `-m 0` will give an interface's DNS servers top priority. Secondly, and importantly, Debian's "resolvconf" does not support the `-x` option, which specifies that a DNS servers of an interface should be the _exclusive_ servers in use. This option is necessary to prevent leaking DNS queries over another interface. Even with the aforementioned `-m 0` option, an attacker could DoS the top priority DNS server in order to leak queries to the second priority DNS server. Openresolv's `-x` option fixes this, by allowing marking an interface as having "exclusive" control over DNS. Therefore, I'd suggest that either: - a) Ubuntu switch to using Openresolv by default instead of its own "resolvconf". The openresolv package already "Provides: openresolv",so it should be a drop-in replacement; or + a) Ubuntu switch to using Openresolv by default instead of its own "resolvconf". The openresolv package already "Provides: resolvconf",so it should be a drop-in replacement; or b) Debian's "resolvconf" backport these useful and necessary features from Openresolv. 
For my specific usage, the recommendation in https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1680811 might work as a fix for the `-m 0` issue, but it is less than ideal and does accomplish `-x`. Therefore, I recommend doing either (a) or (b), preferably (a).
[Bug 1685416] [NEW] Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets
Public bug reported:

The HWE kernel, and possibly others too, backport some virtio improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received packets so that the CPU doesn't have to checksum packets that have already been verified by hardware. In the initial implementation of this, the kernel erroneously set this flag too for transmitted packets, which is explicitly forbidden by the virtio spec.

It was rectified in these two commits:

501db511397fd6efff3aa5b4e8de415b9550
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=501db511397fd6efff3aa5b4e8de415b9550

6391a4481ba0796805d6581e42f9f0418c099e34
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6391a4481ba0796805d6581e42f9f0418c099e34

Both of these must be backported into your HWE kernel and perhaps other Ubuntu kernels too. (They were both backported into the kernel.org stable kernels.) While mostly nobody cares about this "correctness" issue, it turns out that Google Cloud Platform -- which uses the HWE kernel by default -- does care and will silently and mysteriously drop packets. This leads to packets being dropped entirely when being forwarded between various types of network drivers.

This issue must be fixed in order to use Ubuntu on Google Cloud Platform.

** Affects: linux (Ubuntu)
   Importance: Undecided
   Status: Incomplete

** Description changed: The HWE kernel, and possibly others too, backport some virtio improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received packets so that the CPU doesn't have to checksum packets that have already been verified by hardware. In the initial implementation of - this, the kernel erroneously set this flag too for transmitted flags, + this, the kernel erroneously set this flag too for transmitted packets, which is explicitly forbidden by the virtio spec. 
It was rectified in these two commits: 501db511397fd6efff3aa5b4e8de415b9550 6391a4481ba0796805d6581e42f9f0418c099e34 Both of these must be backported into your HWE kernel, and others too. While mostly nobody cares about this "correctness" issue, it turns out that Google Cloud Platform -- which uses the HWE kernel by default -- does care and will silently and mysteriously drop packets. This leads to packets being dropped entirely when being forwarded between various types of network drivers. This issue must be fixed in order to use Ubuntu on Google Cloud Platform. ** Description changed: The HWE kernel, and possibly others too, backport some virtio improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received packets so that the CPU doesn't have to checksum packets that have already been verified by hardware. In the initial implementation of this, the kernel erroneously set this flag too for transmitted packets, which is explicitly forbidden by the virtio spec. It was rectified in these two commits: 501db511397fd6efff3aa5b4e8de415b9550 6391a4481ba0796805d6581e42f9f0418c099e34 - Both of these must be backported into your HWE kernel, and others too. - While mostly nobody cares about this "correctness" issue, it turns out - that Google Cloud Platform -- which uses the HWE kernel by default -- - does care and will silently and mysteriously drop packets. This leads to - packets being dropped entirely when being forwarded between various - types of network drivers. + Both of these must be backported into your HWE kernel, and perhaps other + Ubuntu kernels too. While mostly nobody cares about this "correctness" + issue, it turns out that Google Cloud Platform -- which uses the HWE + kernel by default -- does care and will silently and mysteriously drop + packets. This leads to packets being dropped entirely when being + forwarded between various types of network drivers. This issue must be fixed in order to use Ubuntu on Google Cloud Platform. 
[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets
** Description changed: The HWE kernel, and possibly others too, backport some virtio improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received packets so that the CPU doesn't have to checksum packets that have already been verified by hardware. In the initial implementation of this, the kernel erroneously set this flag too for transmitted packets, which is explicitly forbidden by the virtio spec. It was rectified in these two commits: 501db511397fd6efff3aa5b4e8de415b9550 + https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=501db511397fd6efff3aa5b4e8de415b9550 + 6391a4481ba0796805d6581e42f9f0418c099e34 + https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6391a4481ba0796805d6581e42f9f0418c099e34 - Both of these must be backported into your HWE kernel, and perhaps other - Ubuntu kernels too. While mostly nobody cares about this "correctness" + Both of these must be backported into your HWE kernel and perhaps other + Ubuntu kernels too. (They were both backported into the kernel.org + stable kernels.) While mostly nobody cares about this "correctness" issue, it turns out that Google Cloud Platform -- which uses the HWE kernel by default -- does care and will silently and mysteriously drop packets. This leads to packets being dropped entirely when being forwarded between various types of network drivers. This issue must be fixed in order to use Ubuntu on Google Cloud Platform.
[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets
No such log is necessary. You simply forgot to backport two critical patches.
** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets
** Also affects: linux-hwe (Ubuntu) Importance: Undecided Status: New
** Changed in: linux-hwe (Ubuntu) Status: New => Confirmed
[Bug 1685522] [NEW] out of date snapshot
Public bug reported: This package *MUST* be consistently sync'd against the upstream Debian package, since its version is a fastly moving *snapshot* with no security guarantees. The Debian package makes careful note of it, which is why it's pinned to sid. The WireGuard documentation also is very explicit about this. So, please set this package up to automatically mirror the Debian sid one. ** Affects: wireguard (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1685522 Title: out of date snapshot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1685522/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1685522] Re: out of date snapshot
** Description changed: This package *MUST* be consistently sync'd against the upstream Debian package, since its version is a fastly moving *snapshot* with no security guarantees. The Debian package makes careful note of it, which is why it's pinned to sid. The WireGuard documentation also is very explicit about this. So, please set this package up to automatically mirror the Debian sid - one. + one. If you're unable to do that, then this package needs to not be + included in any Ubuntu repository until we actually make a non-snapshot + release. Pick one of these options; obviously, I prefer the former -- + mirror the Debian sid package. The current status-quo, however, is not + okay under any circumstances.
[Bug 1685522] Re: out of date snapshot
As discussed on IRC, the following empty package should be put into Zesty.
** Attachment added: "wireguard_0.0.20170214-1ubuntu0.17.04.tar.gz" https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1685522/+attachment/4867059/+files/wireguard_0.0.20170214-1ubuntu0.17.04.tar.gz
[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets
Hi Stefan -- thanks for taking ownership of this bug. Could you give a rough timeline on when you expect to roll out the next kernel update that contains these commits?
[Bug 1685522] Re: out of date snapshot
This appears to have been added to the queue and is now waiting for approval: https://launchpad.net/ubuntu/zesty/+queue?queue_state=1&queue_text=wireguard
[Bug 1683947] Re: ubuntu 4.8 kernel, virtio_net error causes NAT packets to be lost
Hey Jay, I found this same issue here -- https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1685416 -- when debugging WireGuard issues on GCE. I'm curious how you found it and what your debugging was like. Do you work for Google and could debug their virtio implementation? I spent a really long time just rebuilding things and tweaking stuff and following the skb all the way down to the output path. When I had nearly given up, I thought, "you know, maybe I really _should_ take a look at this virtio header stuff." After setting that flag back to zero, and seeing what other successful packets were doing, I had figured it out. At first I thought it was a real kernel bug, and then later saw it was a backporting issue and hence reported it. Anyway, really traumatic debugging blitz that extended through the night. I'm curious about your story... Jason -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1683947 Title: ubuntu 4.8 kernel, virtio_net error causes NAT packets to be lost To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1683947/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1685522] Re: out of date snapshot
[Impact]
* After discussion on IRC with the release team, it seems clear that this package should have stayed in Debian sid and not migrated into a stable release of Ubuntu. This sentiment is reflected in the original Debian bug report about such.
* Thus, rather than keep a rolling package up to date in a stable distro, this update simply removes the package and informs users about the situation.
* This was determined to be the right path forward in discussions with cjwatson and infinity.

[Test Case]
* This package was tested by installing both resultant .deb files on a fresh VM.
* The behavior was perfect, seeing as this package is so simple.

[Regression Potential]
* There is little regression potential at all for removing this experimental snapshot. Users wanting to use WireGuard on Ubuntu already use the up to date PPA instead.
[Bug 1685522] Re: out of date snapshot
The uploaded package is wrong. This tarball contains actual minimal contents, as it should be.
** Attachment added: "wireguard_0.0.20170214-1ubuntu0.17.04.1.tar.gz" https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1685522/+attachment/4867673/+files/wireguard_0.0.20170214-1ubuntu0.17.04.1.tar.gz
[Bug 1685522] Re: out of date snapshot
Using the .deb builds provided on https://launchpad.net/ubuntu/+source/wireguard/0.0.20170214-1ubuntu0.17.04.1/+build/12474101 , I can confirm that the packages work exactly as intended.
[Bug 1685522] Re: out of date snapshot
I have performed testing with four separate VMs:
1. A fresh install of the -proposed package on a minimal server.
2. An update from the previous package to the -proposed package on a minimal server.
3. A fresh install of the -proposed package on a desktop with many packages.
4. An update from the previous package to the -proposed package on a desktop with many packages.
I can confirm that this process worked exactly as intended. Therefore, this SRU can proceed.
** Tags removed: verification-needed
** Tags added: verification-done
[Bug 1685522] Re: out of date snapshot
Any update on this SRU?
[Bug 1413440] Re: USB stops working after a while (xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command)
I'm having this issue on kernel 4.11.1.

[48112.422418] [ cut here ]
[48112.422441] WARNING: CPU: 0 PID: 14420 at drivers/usb/host/xhci-ring.c:1390 handle_cmd_completion+0xb17/0xc00 [xhci_hcd]
[48112.422446] Modules linked in: xt_hashlimit ip6_udp_tunnel udp_tunnel rfcomm pl2303 hid_lenovo bnep cdc_mbim cdc_ncm qcserial cdc_wdm usb_wwan usbnet usbserial mii uvcvideo videobuf2_vmalloc videobuf2_memops
[48112.422480] xhci_hcd :00:14.0: Timeout while waiting for setup device command
[48112.422481] videobuf2_v4l2 videobuf2_core cdc_acm videodev btusb btintel usbhid bluetooth af_packet nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter xt_hl nf_conntrack_ipv6 nf_defrag_ipv6 xt_multiport 8021q xt_conntrack nf_conntrack ip6table_filter ip6_tables algif_skcipher joydev mousedev snd_hda_codec_realtek snd_hda_codec_generic arc4 iwlmvm mac80211 rtsx_pci_sdmmc mmc_core intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm iwlwifi snd_hda_intel ahci irqbypass snd_hda_codec crc32_pclmul snd_hwdep xhci_pci xhci_hcd libahci crc32c_intel snd_hda_core mei_me cfg80211 usbcore snd_pcm rtsx_pci ie31200_edac input_leds mfd_core e1000e libata usb_common mei snd_timer psmouse edac_core intel_pch_thermal thinkpad_acpi snd soundcore led_class rfkill tpm_tis tpm_tis_core evdev
[48112.422556] tpm sch_fq_codel
[48112.422565] CPU: 0 PID: 14420 Comm: kworker/0:7 Tainted: PW O 4.11.1-gentoo #1
[48112.422567] Hardware name: LENOVO 20ENCTO1WW/20ENCTO1WW, BIOS N1EET65W (1.38 ) 02/09/2017
[48112.422577] Workqueue: events xhci_handle_command_timeout [xhci_hcd]
[48112.422580] Call Trace:
[48112.422583]
[48112.422589] ? dump_stack+0x46/0x5e
[48112.422595] ? __warn+0xb9/0xe0
[48112.422603] ? handle_cmd_completion+0xb17/0xc00 [xhci_hcd]
[48112.422609] ? try_to_wake_up+0x22e/0x390
[48112.422617] ? xhci_irq+0x38f/0x1460 [xhci_hcd]
[48112.422624] ? run_timer_softirq.part.2+0x4c/0xa0
[48112.422629] ? expire_timers+0x6e/0xe0
[48112.422634] ? __handle_irq_event_percpu+0x36/0x190
[48112.422637] ? handle_irq_event_percpu+0x1b/0x50
[48112.422640] ? handle_irq_event+0x22/0x40
[48112.422644] ? handle_edge_irq+0x65/0x120
[48112.422649] ? handle_irq+0x11/0x20
[48112.422653] ? do_IRQ+0x3c/0xc0
[48112.422658] ? common_interrupt+0x7f/0x7f
[48112.422660]
[48112.422664] ? _raw_spin_unlock_irqrestore+0x5/0x10
[48112.422671] ? xhci_handle_command_timeout+0xf4/0x1b0 [xhci_hcd]
[48112.422684] ? process_one_work+0x1d9/0x450
[48112.422689] ? worker_thread+0x42/0x4b0
[48112.422695] ? process_one_work+0x450/0x450
[48112.422698] ? kthread+0x112/0x130
[48112.422702] ? kthread_create_on_node+0x40/0x40
[48112.422705] ? ret_from_fork+0x23/0x30
[48112.422709] ---[ end trace eb9505885b6e349e ]---
[48113.446247] xhci_hcd :00:14.0: xHCI host not responding to stop endpoint command.
[48113.446250] xhci_hcd :00:14.0: Assuming host is dying, halting host.
[48113.446348] xhci_hcd :00:14.0: HC died; cleaning up

-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1413440 Title: USB stops working after a while (xhci_hcd :00:14.0: Timeout while waiting for setup device command) To manage notifications about this bug go to: https://bugs.launchpad.net/system76/+bug/1413440/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1047122] Re: [needs-packaging] pass: the standard unix password manager
Great, thanks. Are there any plans to add this to older versions of Ubuntu as well? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1047122 Title: [needs-packaging] pass: the standard unix password manager To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1047122/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1047122] Re: [needs-packaging] pass: the standard unix password manager
Cool, thanks for the documentation. That's a pretty slick requestbackport tool. https://bugs.launchpad.net/bugs/1063688
[Bug 1047122] [NEW] pass: the standard unix password manager
Public bug reported: Pass is a package manager that uses gpg, pwgen, and simple file system directories. It is gaining quite a bit of popularity and momentum. There is an ubuntu package on http://zx2c4.com/projects/password-store and debian rules/control ( http://git.zx2c4.com/password-store/tree/debian/control ) inside the git repository. Please add this to ubuntu's repositories.
** Affects: ubuntu Importance: Undecided Status: New
** Tags: needs-packaging
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
My final word is that you should give up trying to reinvent the wheel, and use a method supplied by the distro for mounting disks. It's not worth my time to play whack-a-mole here. As Dan said, "Usually I get paid good money to own software this hard, and I don't think you're worth making an exception." Indeed. The solution is easy and obvious, but it involves backing away from stubbornness and accepting that the distro-supplied tools handle mounting inline with distro policy, and it isn't your place to reinvent things. Take a look at Gentoo Mike's post from a while back -- it's dead on. Besides, you haven't even begun to address issues #1-#3. I believe this discussion is over. Goodbye Kovid. I wish you well with Calibre and that you can restore the security confidence of your users. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/885027 Title: SUID Mount Helper has 5 Major Vulnerabilities To manage notifications about this bug go to: https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
@Dan: Right. In other words, mount /dev/sdaX to /dev/newfolder using the race condition exploited in .70-calibrer. Then build the stager in /dev/newfolder/home/username/whatever. Then use the race exploited in .80-calibrer to toggle whatever between being a symlink to /dev/sda and being the stager. The tricks are endless. OKAY GOODBYE BUGREPORT.
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
@Kovid Great to hear!
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4124
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4125
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4126
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
** Attachment added: "exploit PoC 2" https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583680/+files/60calibrerassaultmount.sh
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
Updated the exploit.
** Attachment added: "exploit PoC 2.1" https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583746/+files/60calibrerassaultmount.sh
** Changed in: calibre Status: Fix Released => Confirmed
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
There's still a symlink race condition. If at first the symlink points to /dev/something-legit or /media/something-legit, the symlink can be swapped easily by hooking into inotify's IN_ACCESS and changing what it points to just in time for mount to be called with the symlink pointing someplace naughty. An example of the technique is presented here: http://www.exploit-db.com/exploits/17932/ . So, the vulnerability still stands.
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
** Changed in: calibre Status: Fix Released => Confirmed
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
"To fix races with the mount source, you should check against /dev/shm, as this is the only world-writable directory in most /dev filesystems that I know of." Or more generally, stat and check root ownership and permission on the directory of the device. (Though, you can't chdir into both.) You additionally could make sure it is a block device. You could also check to see if the block device is removable / matches the identifier of supported ebook readers / something else. You could even go a step further and not call out to mount as an external program, but make the syscalls yourself, dealing with the handfuls of new problems you'll have and various mtab issues and who knows what else. (Of course, at this point, you might as well just be using pmount/udisks/microsoftwindows/whatever.) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/885027 Title: SUID Mount Helper has 5 Major Vulnerabilities To manage notifications about this bug go to: https://bugs.launchpad.net/calibre/+bug/885027/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
Kovid -- in response to #45, it does in fact work. The paths might be a little different on your distro (it's an easy exploit to modify). Here's a screencast of it in action: http://git.zx2c4.com/calibre-mount-helper-exploit/plain/70calibrerassaultmount-demo.ogv I'm glad you've restricted /dev to block devices only. Stand by and I will update the exploit for this latest fix of yours.
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
@Kovid Shucks. Just as I was beginning to make progress on .80 Calibrer! http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c But you still have major problems in the code -- there are still two race conditions, with the one exploited in .70 the most dangerous. Namely, it's still possible to mount over any directory on the system. To fix this, you need to chdir(realpath) and then stat(".") to ensure root ownership, and then from that point on, only refer to the directory by "." -- making this change will be a significant leap forward. Check out Dan's comment for more details.
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
Unfortunately, the saga continues. Your /shm/ check doesn't do anything, because, as it turns out, because you realpath twice, I don't need to use /shm/ at all! Your code is still broken. Giving up should still be an option on the table for you. In case, however, you've become determined and still want to fix things, I've traced through the code for your recent commit showing you where and how things are broken.

/tmp/burrito is a file
argv[2] = /tmp/burrito

332     if (strncmp(action, "mount", 5) == 0) {
333         dev = realpath(argv[2], NULL);

dev = /tmp/burrito

334         if (dev == NULL) {
335             fprintf(stderr, "Failed to resolve device node.\n");
336             exit(EXIT_FAILURE);
337         }
339         check_dev(dev);

239 void check_dev(const char *dev) {

dev = /tmp/burrito

240     char buffer[PATH_MAX+1];
241     struct stat file_info;
242
243     if (dev == NULL || strlen(dev) < strlen(DEV)) {
244         fprintf(stderr, "Invalid arguments\n");
245         exit(EXIT_FAILURE);
246     }

JUST BEFORE this next line, we modify /tmp/burrito so that it points to /dev/sda
/tmp/burrito = -->/dev/sda

247
248     if (realpath(dev, buffer) == NULL) {
249         fprintf(stderr, "Unable to resolve dev path\n");
250         exit(EXIT_FAILURE);
251     }

buffer = /dev/sda

252
253     if (strncmp(DEV, buffer, strlen(DEV)) != 0) {
254         fprintf(stderr, "Trying to operate on a dev node not under /dev\n");
255         exit(EXIT_FAILURE);
256     }

this last block passes!

257
258     if (stat(dev, &file_info) != 0) {
259         fprintf(stderr, "stat call on dev node failed\n");
260         exit(EXIT_FAILURE);
261     }
262
263     if (strstr(dev, "/shm/") != NULL) {
264         fprintf(stderr, "naughty, naughty!\n");
265         exit(EXIT_FAILURE);
266     }

dev doesn't contain /shm/, since it's /tmp/burrito

267
268     if (!S_ISBLK(file_info.st_mode)) {
269         fprintf(stderr, "dev node is not a block device\n");
270         exit(EXIT_FAILURE);
271     }

stat follows the link, so it sees /dev/sda which is a block device, so this passes

272
273 }

:-)

As well, the problem presented in .70-Calibrer HAS NOT BEEN FIXED. You can still mount over /etc/pam.d or wherever due to the still existing race there. Implement the chdir logic that I've outlined above. Then, just after this code block, change /tmp/burrito to point to anything -- any file image at all. No shm needed :-).
** Changed in: calibre Status: Fix Released => Confirmed
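The fix advised in the comments above (resolve the name once, check ownership and permissions of the device's directory, require a block device, chdir to the mount point and refer to it only as "."), as an added C example that is not part of the thread and is not calibre's code. The function names and the prefix, want_type and owner parameters are assumptions, made so the checks can be exercised without root; a real helper would pass "/dev/", S_IFBLK and 0.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Trusted means only `owner` can create, remove or rename entries here,
 * which rejects world-writable directories such as /dev/shm. */
static int dir_is_trusted(const struct stat *st, uid_t owner)
{
    return S_ISDIR(st->st_mode) && st->st_uid == owner &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/*
 * Resolve the caller-supplied name once, then run every check on open
 * descriptors. Returns a descriptor for the node, or -1 on any failure.
 * Hypothetical parameters: prefix ("/dev/"), want_type (S_IFBLK) and
 * owner (0) are arguments so the checks can be exercised without root.
 * Assumption: directories above the parent are writable only by `owner`.
 */
int open_checked_device(const char *user_path, const char *prefix,
                        mode_t want_type, uid_t owner, char *resolved)
{
    char parent[PATH_MAX];
    struct stat st;
    char *slash;
    int dirfd, fd;

    if (realpath(user_path, resolved) == NULL) /* resolved: PATH_MAX bytes */
        return -1;
    if (strncmp(resolved, prefix, strlen(prefix)) != 0)
        return -1;

    /* Split the resolved path into parent directory and final component. */
    strcpy(parent, resolved);
    slash = strrchr(parent, '/');
    if (slash == NULL || slash == parent)
        return -1;
    *slash = '\0';

    /* Pin the parent and check the pinned object rather than its name. */
    dirfd = open(parent, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    if (fstat(dirfd, &st) != 0 || !dir_is_trusted(&st, owner)) {
        close(dirfd);
        return -1;
    }

    /* O_NOFOLLOW refuses a symlink swapped in after realpath() ran. */
    fd = openat(dirfd, slash + 1, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    close(dirfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || (st.st_mode & S_IFMT) != want_type) {
        close(fd);
        return -1;
    }
    return fd; /* later steps use this descriptor, never user_path */
}

/*
 * Mount-point half, as advised in the thread: chdir() to the resolved
 * path, stat("."), then refer to the directory only as ".".
 */
int enter_mountpoint(const char *user_path, uid_t owner)
{
    char resolved[PATH_MAX];
    struct stat st;

    if (realpath(user_path, resolved) == NULL || chdir(resolved) != 0)
        return -1;
    if (stat(".", &st) != 0 || !dir_is_trusted(&st, owner))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char resolved[PATH_MAX];

    if (argc != 3 ||
        open_checked_device(argv[1], "/dev/", S_IFBLK, 0, resolved) < 0 ||
        enter_mountpoint(argv[2], 0) != 0) {
        fprintf(stderr, "rejected (usage: %s <device> <mountpoint>)\n", argv[0]);
        return 1;
    }
    printf("accepted: %s, target is the current directory\n", resolved);
    return 0;
}
```

Unlike the traced check_dev(), the path is resolved once and the type and ownership checks are made on the opened objects, so changing what the name points to afterwards does not change what was checked.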
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
Hello. I've attached a patch for you, as requested. It replaces the mount helper with the nice udisks-based script that ubuntu ships. For distributions that do not support udisks, they can add their own. Or, you can write something different. In light of this, you might consider removing the following text from your website: "Please do not use your distribution provided calibre package, as those are often buggy/outdated. Instead use the Binary install described below." Goodbye.
[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities
@Kovid: Yet you continue to ignore some major advice about how to fix it. Have you chdir'd yet? No. Still vulnerable.
[Bug 1855096] Re: iptables-restore: invalid option -- 'w'
I'll have a new snapshot out today to rectify this problem.
[Bug 1855096] Re: iptables-restore: invalid option -- 'w'
Fixed here: https://lists.zx2c4.com/pipermail/wireguard/2019-December/004675.html

** Changed in: wireguard (Ubuntu)
Status: Confirmed => Fix Released
[Bug 1862413] Re: wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed to build
The latest version is v0.0.20200214.
[Bug 1862413] Re: wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed to build
Go to www.wireguard.com/install/ , find the links for Ubuntu and Debian, and press the "out of date" button.
[Bug 1892798] Re: eliminating resolvconf/openresolv dependencies
> wireguard package => please feed DNS data direct to systemd-resolved using either dbus or the cli.

Absolutely not. We're not going to add vendor-specific hacks for broken distros that are unable to include the standard interface for this kind of thing, resolvconf(8). This is a pretty clear case of downstream being broken.

> Unfortunately systemd's resolved's resolvctl is not compatible with Debian's/Ubuntu's historical resolvconf.

First of all, we're not talking about systemd's resolvectl. We're talking about systemd's resolvconf compatibility symlink which provides the same interface as openresolv or the debian resolvconf monster.

With that clarified, if you still think there's a problem due to Debian's resolvconf using an interface prefix list, I think you're incorrect there too. Firstly, openresolv doesn't act that way, and things work fine. Secondly, systems that have moved to systemd-resolved (that is, Ubuntu itself) have in the process _broken_ resolvconf anyway. Replacing broken resolvconf with one that is less broken -- even if it doesn't do priority interface prefixes -- is still a marked improvement. And thirdly, every script I've seen that uses resolvconf actually continues to work fine with systemd's compatibility symlink of resolvconf; if any you see don't, why not fix them?

So, in other words, I don't think you've presented a very compelling argument at all. I can't see any correct technical reasoning in what you wrote. It seems like adding the resolvconf compatibility symlink is a marked improvement over the current broken status quo.

** Summary changed:
- eliminating resolvconf/openresolv dependencies
+ systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf
[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf
By the way, Arch manages the possibility of openresolv colliding with systemd's resolvconf by providing a package called "systemd-resolvconf":

https://www.archlinux.org/packages/core/x86_64/systemd-resolvconf/
https://github.com/archlinux/svntogit-packages/blob/packages/systemd/trunk/PKGBUILD#L239-L251

This seems like a perfectly reasonable way to accomplish this. Simply package the symlink in a separate package, and then the "Recommends:" for wireguard just includes systemd-resolvconf in the list alongside openresolv and resolvconf. That seems like an exceedingly reasonable way of going about things. Why not just do the same thing here?
[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf
** Changed in: wireguard (Ubuntu)
Status: Incomplete => Confirmed
[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf
Your four appended comments are super full of just plain wrong information. I'll try to unpack these all piecemeal:

> Ubuntu/Debian has never used openresolv

This is not the case. Ubuntu and Debian have provided openresolv for a very long time, and resolvconf has mostly been an unmaintained mess. Most users who do DNS stuff wind up switching from resolvconf to openresolv if their OS comes preinstalled with resolvconf, and you'll find a lot of blogs advocating that too. Openresolv has definitely been part of the Debian/Ubuntu verse for a long time.

> and yes systemd-resolved had a contribution to have openresolv compatible input interface.

"had a contribution" what? Lennart wrote that code. It wasn't just some random third party contribution that got accidentally merged or something. The maintainer of the project wrote it and merged it. Why did he do that? Because resolvconf(8) is the standard stack-agnostic CLI interface for managing DNS on Linux. It's not some "legacy" thing or a "compatibility" thing, but a standard thing. Ensuring that systemd provides that was important for systemd to be able to become a drop in replacement for standard uniform resolver infra.

> I am not asking for wireguard to implement any legacy/compat interfaces, but use directly systemd-resolved standard interface which has abi guarantees.

Wha?! You've got it all backwards here. WireGuard uses resolvconf(8), because that's the standard Linux mechanism for managing DNS resolution. It will *not* use some specific backend, or write support for 20 different backends, because the resolvconf(8) is a successful abstraction over these so that application writers need not include a massive list of various things to try.

So no, sorry, asking an upstream to implement some random newfangled thing isn't going to fly: Linux has a standard interface already for this kind of thing, which systemd implements because systemd is a caring citizen in the Linux-verse, and you're just crippling your users by *not* providing this standard interface. Please quit trying to introduce more fragmentation and shoving the burden of that upstream to application writers, in order to support your OS. Rather, play nicely with others, and provide the standard interfaces. Two of your upstreams are working together for this -- systemd provides a resolvconf(8), and wireguard uses a resolvconf(8). But for some bad reason you want to take away the standard link between the two and instead impose vendor-specific things on upstreams. This is a waste of everybody's time and makes code harder to maintain.

> There is a lot more things and options one can provide to systemd-resolved
> via native API that is impossible to specify via openresolv or
> compat-openresolv.

So what? resolvconf(8) provides a good acceptable abstraction for most use cases, which is why application writers use it. If somebody needs to dip down below the abstraction, so be it, but that's mostly not the case, and it certainly isn't the case here.

> I do not wish to ship any openresolv/resolvconf/compat symlinks at all going
> forward.

Please, stop adding fragmentation. You're doing a disservice to both your users and your upstreams. The result is that things will stop working on Ubuntu, or you'll convince a few upstreams to incorporate brain damaged Ubuntu-specific hacks, as is commonly the case. Don't do this.

> Integration with resolvconf _without_ using .$suffix of where the DNS
> information is originating is incorrect integration on Debian/Ubuntu, because
> of how resolvconf is shipped and configured on Debian/Ubuntu and used by
> other packages.
>
> Arch used to use openresolv, openresolv compat was added to systemd-resolved,
> and yes hence they were able to switch to systemd-resolved providing
> openresolv symlink / compat / integration. Either by default, or as an option.
>
> That is not possible for Debian/Ubuntu because of more than three dozen of
> packaging & hooks, calling resolvconf with .$suffix notation.

Your reasoning here doesn't make sense. If you're removing resolvconf(8), all packages and hooks will stop working. If you're replacing broken Debian resolvconf(8) with compliant openresolv or systemd-resolvconf, it's either the same exact situation, or it's a situation that's slightly less bad. And, fixing the .$suffix notation seems a lot easier than refactoring everything anyway. Either way, you might have to do work. But, seeing as openresolv is *already* something available to users and *already* something that users use frequently, why not ship systemd-resolvconf too? Stop trying to gimp your users.

> Please see previous bugs about this, trying to identify, enumerate and fix all of those usecases.

The bugs that I've seen always seem like the crumby Debian resolvconf has big issues, since that's basically unmaintained and poorly specified. Usually people switch to openresolv and everything works fine. Instead, here, you could switch to sys
[Bug 1950317] Re: [MIR] Wireguard
I agree that's pretty weird. And especially for wg(8), that's not just a configuration tool; that's the low level inspection tool. Netplan can configure IP addresses; are you going to move ip(8) out of main too? If ip(8) is in main, then wg(8) should be in main. Netplan doesn't replace the low level inspection tools. It's a high level thing.
[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf
I think he meant to post this on https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1950317
[Bug 1950317] Re: [MIR] Wireguard
Glad to hear the result. Thanks for working through this and hearing me out on IRC as well. With regards to the TODO:

> I suggest the server team to reach out to @unit193 as the MOTU who maintained

Unit193 is really top-notch and knows the project well, is an active participant with upstream, and generally is pretty on top of things. I don't know whether MIRing this means some sort of hand off involved, but I'd say that to the extent you can keep him in the fold, it's some nice expertise to keep around.

> - does NOT have a test suite that runs at build time, we should add at least
> the trivial autopkgtest generating and checking keys, as suggested
> - does NOT have a non-trivial test suite that runs as autopkgtest, we should
> integrate more testing (LP: #1952102) as suggested by adding the new "vpn"
> test and/or copying the non-trivial autopkgtest from wireguard-linux-compat

Let me know if you guys need help scripting these up. Indeed taking the wireguard-linux-compat case is probably a good place to start. But if you want something more elaborate and need a hand, just poke me on IRC.

> + wireguard-dkms: recommended by wireguard-tools, it's part of the same source
> package, but we probably want to drop that, as we have the WireGuard modules
> in the kernel. Or at least we'd want to change Recommends: wireguard-dkms to
> Suggests: wireguard-dkms (LP: #1873288)

I'd suggest you sync up with @apw about this. He was involved in some of the earlier discussions about this. And @unit193 too. Details are a bit fuzzy to me, but I think there's something interesting happening with the `wireguard` metapackage pulling in `wireguard-tools` and a `wireguard-modules` virtual package. That `wireguard-modules` virtual package is then satisfied by wireguard-dkms, wireguard-linux-compat, and the various Canonical kernel packages. Or something like that. I don't see a need for this to change. But...

> recommended by wireguard-tools, it's part of the same source package

This part confused me. Many many eons ago, WireGuard was one repo, with src/* having dkms kernel sources and src/tools/* containing the tools package. For a long long time now, this has been split up. But I wonder if the wireguard-tools package still has something left over from the days when dkms was mixed with it?