apw's reasoning is correct.
I do wonder, though, if at some point we can start looking into sunsetting the
dkms package entirely and the wireguard-linux-compat backport with it. It's
been mainlined for a good deal of time now. We'd have to do some analysis of
which kernels people run Ubuntu
> I was pointed at the existing debian bug requesting to drop the
wireguard-dkms package
The place where we still want wireguard-dkms, though, is for when people
are running Ubuntu on strange kernels that might not have it out of the
box. These are, of course, becoming increasingly rare. Probably
Glad to hear the result. Thanks for working through this and hearing me
out on IRC as well.
With regards to the TODO:
> I suggest the server team to reach out to @unit193 as the MOTU who
maintained
Unit193 is really top-notch and knows the project well, is an active
participant with upstream,
I think he meant to post this on
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1950317
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892798
Title:
systemd package missing resolvconf(8)
I agree that's pretty weird. And especially for wg(8), that's not just a
configuration tool; that's the low level inspection tool. Netplan can
configure IP addresses; are you going to move ip(8) out of main too? If
ip(8) is in main, then wg(8) should be in main. Netplan doesn't replace
the low
I wish you'd not waste time on this downstream stuff. wireguard-linux-
compat v1.0.20210219 has the proper fix (along with other important
fixes). Simply import the package from debian and be done with it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Due to inconsistent use of ubuntu-specific identifiers and complexity
introduced HWE and such, wireguard-linux-compat develops against the
latest kernels for each of the Ubuntu releases -- listed on
https://www.wireguard.com/build-status/ , ctrl+F for ubuntu. This
already amounts to ~7 kernels. So
This was fixed in the latest upstream wireguard-linux-compat release on
Jan 24.
** Changed in: wireguard-linux-compat (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
> Building initial module for 4.4.0-31-generic
That doesn't look like a recent kernel.
Purge old kernels.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1910404
Title:
wireguard-dkms
** Changed in: wireguard-linux-compat (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1910404
Title:
wireguard-dkms 1.0.20201112-1~16.04.1 failed to build
To
Thank you for the report. Fixed upstream now: https://git.zx2c4.com
/wireguard-tools/commit/?id=7e506135f7da13cc13b51f2d0db47da364b2de7b
This will trickle down to Ubuntu whenever I make a release upstream and
then Debian and Ubuntu do their thing.
** Changed in: wireguard (Ubuntu)
Status:
apw - I'll leave this to you.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1906947
Title:
package wireguard-dkms 1.0.20201112-1~20.04.1 failed to
install/upgrade: installed wireguard-dkms
You forgot to update your system.
apt update && apt upgrade
** Changed in: wireguard-linux-compat (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1896777
Title:
Your four appended comments are super full of just plain wrong
information. I'll try to unpack these all piecemeal:
> Ubuntu/Debian has never used openresolv
This is not the case. Ubuntu and Debian have provided openresolv for a
very long time, and resolvconf has mostly been an unmaintained
** Changed in: wireguard (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892798
Title:
systemd package missing resolvconf(8) compatibility symlink,
By the way, Arch manages the possibility of openresolv colliding with
systemd's resolvconf by providing a package called "systemd-resolvconf":
https://www.archlinux.org/packages/core/x86_64/systemd-resolvconf/
https://github.com/archlinux/svntogit-
> wireguard package => please feed DNS data direct to systemd-resolved
using either dbus or the cli.
Absolutely not. We're not going to add vendor-specific hacks for broken
distros that are unable to include the standard interface for this kind
of thing, resolvconf(8). This is a pretty clear case
Thanks for bringing this to my attention. I believe your assessment is
correct. Do you know which Ubuntu first started using resolved? How far
back do we need to make changes?
There are two facets of this:
1) The Ubuntu systemd package should install the resolvconf
compatibility symlink. I have
You might be right that the remaining ones that slip through your regex
are mere "nuisance"s. But you know how those things go - one man's
nuisance is another man's vuln. Some of those, anyhow, are implemented
by the Linux console driver.
Why not just take the tried and true "safe" route, as
I'm not convinced that really cuts it. Namely, from the diff:
-print(" %s" % (info["description"] or ""))
+# strip ANSI escape sequences
+description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]",
+ "", info["description"] or "")
+
+print("
Super! Sounds like a big improvement. Thanks for rolling this out so
quickly.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890201
Title:
Depends on wireguard-modules | wireguard-dkms are inverted
Great that this is going through the various levels of approval for SRU,
but I do hope the actual bug -- Provides: being missing -- is fixed with
this same level of urgency.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
*** This bug is a security vulnerability ***
Public security bug reported:
This was reported to oss-security and to secur...@ubuntu.com, but I
figure I should make a real bug report, as otherwise it'll probably be
missed. Original post from https://www.openwall.com/lists/oss-
Looks like this has come up before in other utilities and was fixed,
such as https://bugs.launchpad.net/ubuntu/+source/base-
files/+bug/1649352 .
** Summary changed:
- ansi escape sequence injection into add-apt-repository
+ ansi escape sequence injection in add-apt-repository
--
You received
The real issue here is that Andy forgot to add `Provides: wireguard-
modules` to the linux-meta-oem package, and maybe some others here:
- https://lists.zx2c4.com/pipermail/wireguard/2020-August/005743.html
- https://lists.zx2c4.com/pipermail/wireguard/2020-August/005746.html
-
** Tags added: verification-needed-xenial
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861284
Title:
Build and ship a signed wireguard.ko
To manage notifications about this bug go to:
Tracking the new bug here now:
https://sourceware.org/bugzilla/show_bug.cgi?id=26141
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/725126
Title:
gas may assemble b to locally-defined, preemptible
This problem still exists on binutils 2.33 when -fvisibility=hidden is
passed to cflags. I imagine this is so due to some conflicting code
where the forced B.W is only generated for static functions, since non-
static ones will be relocated differently, but then because of
-fvisibility=hidden,
Looks like your wireguard-dkms package is out of date. This is apw's
area. I'll add him to the bug.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879952
Title:
wireguard-dkms 1.0.20200429-2~19.10:
All set now!
zx2c4@thinkpad ~ $ curl -s
http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/binary-amd64/Packages.xz
| unxz | grep -B11 Provides:.*wireguard | grep ^Package:
Package: linux-image-aws
Package: linux-image-azure
Package: linux-image-gcp
Package: linux-image-generic
Package:
Looks like it's still in -proposed, not -updates:
zx2c4@thinkpad ~ $ curl -s
http://archive.ubuntu.com/ubuntu/dists/focal-proposed/main/binary-amd64/Packages.xz
| unxz | grep -B11 Provides:.*wireguard | grep ^Package:
Package: linux-image-aws
Package: linux-image-azure
Package: linux-image-gcp
Reopening this until we have some conclusion on (2) and (3) of #9.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1873288
Title:
wireguard-tools should NOT recommend wireguard-dkms
To manage
Ah, looks like I can't.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1873288
Title:
wireguard-tools should NOT recommend wireguard-dkms
To manage notifications about this bug go to:
Simon - to keep you updated on the bug you reported, this fixes issue
(1), as described in comment #9: https://git.launchpad.net/~ubuntu-
kernel/ubuntu/+source/linux-
meta/+git/focal/commit/?id=204fb3b2ae6b0c8c41c339f47949b45d571c4953
We'll keep this open until there's a decision/fix on (2) and
> Actually, it looks like it was dropped intentionally here by apw:
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next=95b5fab11fa1e681a3adaba4f669efef8a18fd70
> But maybe it never got added to the meta as the commit message describes?
Actually,
> linux-image-generic only ships the vmlinuz so I believe that's why it
doesn't directly "Provides: wireguard-modules". This is missing from
linux-modules-5.4.0-XX-generic though which outta have it because does
provides the .ko
Not sure this logic holds, considering that has Provides for other
Actually, it looks like it was dropped intentionally here by apw:
https://git.launchpad.net/~ubuntu-
kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-
next=95b5fab11fa1e681a3adaba4f669efef8a18fd70
But maybe it never got added to the meta as the commit message
describes?
--
You
I've let people know in #ubuntu-kernel, so hopefully Canonical will take
a look. To recap for whoever inherits this bug, the following things
need to be done:
1. Add back the "Provides: wireguard-modules" in linux-image-generic.
This is really important. It used to be there but has strangely been
Okay something is very amiss, and at this point a member of Canonical's
kernel team is going to have to check. I downloaded the latest one from
the mirrors:
https://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-meta/linux-
image-generic_5.4.0.24.29_amd64.deb
This has:
Provides:
> The wireguard{,-dkms,-tools} versions do not align: wireguard-dkms is
newer. Maybe that's not relevant but I thought I'd mention it.
This part doesn't matter. They're separate packages with separate releases and
don't need to align.
https://git.zx2c4.com/wireguard-linux-compat/refs/
To add to the list above of debian things:
3.
https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1873288
Title:
The kernel package has a "Provides: wireguard-modules", as wireguard-
modules is a virtual.
At least that's how it's supposed to work.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1873288
Title:
The wireguard virtual package should imply "modules|dkms", and in
general the order for the recommends here should change to
"modules|dkms". Additionally, the dkms module should skip kernels that
already have wireguard. We fixed this in Debian two ways, here:
1.
The Ubuntu kernel team seems to be behind in deploying a fix for this.
In the interim you can solve this by using the WireGuard project's PPA,
which now has backports for 19.10. Run this command to fix your issue:
sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update
&& sudo
The Ubuntu kernel team seems to be behind in deploying a fix for this.
In the interim you can solve this by using the WireGuard project's PPA,
which now has backports for 19.10. Run this command to fix your issue:
sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update
&& sudo
Go to www.wireguard.com/install/ , find the links for Ubuntu and Debian,
and press the "out of date" button.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1862413
Title:
wireguard-dkms
The latest version is v0.0.20200214.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1862413
Title:
wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed
to build
To manage
Seems dkms related.
** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851295
Title:
dkms error with wireguard on upgrafe to 19.10
To manage
The kernel team can backport things need be.
** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1858807
Title:
Wireguard install fails on 19.10
Doesn't look like a WireGuard bug.
** Package changed: wireguard (Ubuntu) => linux (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854225
Title:
Kernel oops and system lock up when
[ 15.589541] module: x86/modules: Skipping invalid relocation target,
existing value is nonzero for type 1, loc f4677a21, val
c1171b82
Looks like a dkms issue? Thankfully we won't need that for 20.04 and
also earlier kernels once things are backported. I'll reassign this to
the
Consult /var/lib/dkms/wireguard/0.0.20190913/build/make.log for more
information.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851295
Title:
dkms error with wireguard on upgrafe to 19.10
To
This is fixed upstream, but the Ubuntu package is old. Maybe somebody
can do something about this.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1858807
Title:
Wireguard install fails on 19.10
To
Thanks for the bug report. That kern.log is useful. The relevant part is
reproduced below in this comment. Looks like wg-quick(8) invokes
sysctl(8), which then uses /proc/sys/, and somehow invokes a null
pointer dereference while holding a spinlock, leading to that lock being
hit by other cores,
Run `sudo modprobe wireguard`, and then after run `dmesg`, and paste the
output of your dmesg.
Most likely you need to do some sort of dkms rebuilding.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Fixed here:
https://lists.zx2c4.com/pipermail/wireguard/2019-December/004675.html
** Changed in: wireguard (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I'll have a new snapshot out today to rectify this problem.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855096
Title:
iptables-restore: invalid option -- 'w'
To manage notifications about this
** Summary changed:
- wireguard crashes system shortly after wg-quick down wg0
+ eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set
on suppress rule"
** Package changed: wireguard (Ubuntu) => linux-meta (Ubuntu)
--
You received this bug notification because you are
Here's a one liner that *doesn't require root* that you can use to test
whether the kernel fix has landed:
unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set
dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table
main suppress_prefixlength 0 && ping -f 1234::1'
Yep, confirmed that Eoan is broken. Here's reproduction steps:
root@scw-competent-dirac:~# uname -a
Linux scw-competent-dirac 5.3.0-13-generic #14-Ubuntu SMP Tue Sep 24 02:46:08
UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@scw-competent-dirac:~# ip netns add crash
root@scw-competent-dirac:~# ip
Most likely this is related to an invocation to `ip rule` that's being
made, not WireGuard. Take a look at this mailing list post:
https://lists.zx2c4.com/pipermail/wireguard/2019-October/004588.html
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
In lieu of Debian changing something, I'd suggest replacing this package
with the one we actually develop specifically for Ubuntu:
https://launchpad.net/~wireguard/+archive/ubuntu/wireguard
Could you take care of importing 0.0.20190913 (or newer, depending on
when you read this) from there?
--
** No longer affects: wireguard (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685522
Title:
out of date snapshot
To manage notifications about this bug go to:
Hey apw and adconrad -- a long time ago (2.5 years) we decided to keep
WireGuard from migrating into Ubuntu. There's been tons of progress
since then. It's now in the progress of migrating down into Debian
testing and stable. I think it's time we let it migrate into Ubuntu too.
Is there anything
It's possible this same issue is responsible for this crash in
WireGuard:
https://lists.zx2c4.com/pipermail/wireguard/2019-September/004495.html
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1842447
I'm having this issue on kernel 4.11.1.
[48112.422418] [ cut here ]
[48112.422441] WARNING: CPU: 0 PID: 14420 at drivers/usb/host/xhci-ring.c:1390
handle_cmd_completion+0xb17/0xc00 [xhci_hcd]
[48112.422446] Modules linked in: xt_hashlimit ip6_udp_tunnel udp_tunnel rfcomm
Any update on this SRU?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685522
Title:
out of date snapshot
To manage notifications about this bug go to:
I have performed testing with four separate VMs:
1. A fresh install of the -proposed package on a minimal server.
2. An update from the previous package to the -proposed package on a minimal
server.
3. A fresh install of the -proposed package on a desktop with many packages.
4. An update from
Using the .deb builds provided on
https://launchpad.net/ubuntu/+source/wireguard/0.0.20170214-1ubuntu0.17.04.1/+build/12474101
, I can confirm that the packages work exactly as intended.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
The uploaded package is wrong. This tarball contains actual minimal
contents, as it should be.
** Attachment added: "wireguard_0.0.20170214-1ubuntu0.17.04.1.tar.gz"
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685522
Title:
out of date snapshot
To manage notifications about this bug go to:
[Impact]
* After discussion on IRC with the release team, it seems clear that this
package should have stayed in Debian sid and not migrated into a stable release
of Ubuntu. This sentiment is reflected in the original Debian bug report about
such.
* Thus, rather than keep a rolling package
Hey Jay,
I found this same issue here --
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1685416 -- when
debugging WireGuard issues on GCE. I'm curious how you found it and what
your debugging was like. Do you work for Google and could debug their
virtio implementation? I spent a really long
This appears to have been added to the queue and is now waiting for
approval:
https://launchpad.net/ubuntu/zesty/+queue?queue_state=1_text=wireguard
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Hi Stefan -- thanks for taking ownership of this bug. Could you give a
rough timeline on when you expect to roll out the next kernel update
that contains these commits?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
As discussed on IRC, the following empty package should be put into
Zesty.
** Attachment added: "wireguard_0.0.20170214-1ubuntu0.17.04.tar.gz"
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1685522/+attachment/4867059/+files/wireguard_0.0.20170214-1ubuntu0.17.04.tar.gz
--
You
** Description changed:
This package *MUST* be consistently sync'd against the upstream Debian
package, since its version is a fastly moving *snapshot* with no
security guarantees. The Debian package makes careful note of it, which
is why it's pinned to sid. The WireGuard documentation
Public bug reported:
This package *MUST* be consistently sync'd against the upstream Debian
package, since its version is a fastly moving *snapshot* with no
security guarantees. The Debian package makes careful note of it, which
is why it's pinned to sid. The WireGuard documentation also is very
** Also affects: linux-hwe (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux-hwe (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685416
No such log is necessary. You simply forgot to backport two critical
patches.
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Description changed:
The HWE kernel, and possibly others too, backport some virtio
improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received
packets so that the CPU doesn't have to checksum packets that have
already been verified by hardware. In the initial implementation
Public bug reported:
The HWE kernel, and possibly others too, backport some virtio
improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received
packets so that the CPU doesn't have to checksum packets that have
already been verified by hardware. In the initial implementation of
this,
Public bug reported:
Ubuntu relies on Debian's own "resolvconf" which is vastly inferior to
Openresolv and makes it impossible to securely set up DNS servers for
ephemeral secure tunnel interfaces.
Specifically, Debian's "resolvconf" relies on a hard coded list of
interface templates. For
It might make more sense to simply switch to using openresolv, which is
a proper resolvconf implementation, which doesn't rely on this silly
hard-coded list. Alternatively, you could just backport features one by
one from openresolv, such as '-m 0 and '-x'.
But really, since openresolv has no
Great, thanks.
Are there any plans to add this to older versions of Ubuntu as well?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1047122
Title:
[needs-packaging] pass: the standard unix password
Cool, thanks for the documentation. That's a pretty slick
requestbackport tool.
https://bugs.launchpad.net/bugs/1063688
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1047122
Title:
Public bug reported:
Pass is a package manager that uses gpg, pwgen, and simple file system
directories. It is gaining quite a bit of popularity and momentum. There
is an ubuntu package on http://zx2c4.com/projects/password-store and
debian rules/control ( http://git.zx2c4.com/password-
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-4124
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-4125
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-4126
--
You received this bug notification because you are a member of
@Kovid
Shucks. Just as I was beginning to make progress on .80 Calibrer!
http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c
But you still have major problems in the code -- there are still two
race conditions, with the one exploited in .70 the most dangerous.
Namely,
Unfortunately, the saga continues. Your /shm/ check doesn't do anything,
because, as it turns out, because you realpath twice, I don't need to
use /shm/ at all! Your code is still broken. Giving up should still be
an option on the table for you. In case, however, you've become
determined and still
Hello. I've attached a patch for you, as requested. It replaces the
mount helper with the nice udisks-based script that ubuntu ships. For
distributions that do not support udisks, they can add their own. Or,
you can write something different. In light of this, you might consider
removing the
@Kovid:
Yet you continue to ignore some major advice about how to fix it. Have
you chdir'd yet? No. Still vulnerable.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SUID Mount Helper
My final word is that you should give up trying to reinvent the wheel,
and use a method supplied by the distro for mounting disks. It's not
worth my time to play whack-a-mole here. As Dan said, Usually I get
paid good money to own software this hard, and I don't think you're
worth making an
@Dan:
Right.
In other words, mount /dev/sdaX to /dev/newfolder using the race
condition exploited in .70-calibrer. Then build the stager in
/dev/newfolder/home/username/whatever. Then use the race exploited in
.80-calibrer to toggle whatever between being a symlink to /dev/sda and
being the
@Kovid
Great to hear!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SUID Mount Helper has 5 Major Vulnerabilities
To manage notifications about this bug go to:
** Changed in: calibre
Status: Fix Released = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
SUID Mount Helper has 5 Major Vulnerabilities
To manage notifications
To fix races with the mount source, you should check against
/dev/shm, as this is the only world-writable directory in most /dev
filesystems that I know of.
Or more generally, stat and check root ownership and permission on the
directory of the device. (Though, you can't chdir into both.)
You
To fix races with the mount source, you should check against
/dev/shm, as this is the only world-writable directory in most /dev
filesystems that I know of.
Or more generally, stat and check root ownership and permission on the
directory of the device. (Though, you can't chdir into both.)
You
Kovid -- in response to #45, it does in fact work. The paths might be a
little different on your distro (it's an easy exploit to modify). Here's
a screencast of it in action: http://git.zx2c4.com/calibre-mount-helper-
exploit/plain/70calibrerassaultmount-demo.ogv
I'm glad you've restricted /dev
** Attachment added: exploit PoC 2
https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583680/+files/60calibrerassaultmount.sh
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/885027
Title:
1 - 100 of 102 matches
Mail list logo
