[Bug 690040] Re: no longer confined by AppArmor

2011-01-06 Thread Launchpad Bug Tracker
This bug was fixed in the package cups - 1.4.4-6ubuntu2.3
---
cups (1.4.4-6ubuntu2.3) maverick-security; urgency=low
  * ubuntu-upstart.dpatch: update to explicitly load the AppArmor profile to avoid race condition where cups could load before AppArmor and run unconfined (LP:

[Bug 690040] Re: no longer confined by AppArmor

2011-01-06 Thread Jamie Strandboge
** Tags added: apparmor -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/690040 Title: no longer confined by AppArmor -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com

[Bug 690040] Re: no longer confined by AppArmor

2011-01-04 Thread Launchpad Bug Tracker
** Branch linked: lp:~pitti/cups/debian-trunk

[Bug 690040] Re: no longer confined by AppArmor

2011-01-04 Thread Jamie Strandboge
** Changed in: cups (Ubuntu Maverick)
   Assignee: Martin Pitt (pitti) => Jamie Strandboge (jdstrand)
** Changed in: cups (Ubuntu Maverick)
   Status: Triaged => In Progress

[Bug 690040] Re: no longer confined by AppArmor

2011-01-04 Thread Jamie Strandboge
** Changed in: cups (Ubuntu Maverick)
   Importance: Undecided => High
** Changed in: cups (Ubuntu Natty)
   Importance: Undecided => High

[Bug 690040] Re: no longer confined by AppArmor

2011-01-04 Thread Jamie Strandboge
I have uploaded an updated package using the attached debdiff to the security PPA.
** Changed in: cups (Ubuntu Maverick)
   Status: In Progress => Fix Committed
** Patch added: cups_1.4.4-6ubuntu2.3.debdiff

[Bug 690040] Re: no longer confined by AppArmor

2011-01-04 Thread Launchpad Bug Tracker
** Branch linked: lp:debian/sid/cups

[Bug 690040] Re: no longer confined by AppArmor

2011-01-03 Thread Launchpad Bug Tracker
This bug was fixed in the package cups - 1.4.5-1ubuntu5
---
cups (1.4.5-1ubuntu5) natty; urgency=low
  * Use AppArmor profile loading helper (LP: #690040):
    - debian/patches/ubuntu-upstart.dpatch: load profile.
    - debian/control: Depend on upstart.
 -- Kees Cook k...@ubuntu.com

[Bug 690040] Re: no longer confined by AppArmor

2011-01-03 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/cups

[Bug 690040] Re: no longer confined by AppArmor

2010-12-20 Thread Kees Cook
Helper script for upstart is now bug 692801.

[Bug 690040] Re: no longer confined by AppArmor

2010-12-17 Thread Jamie Strandboge
** Changed in: cups (Ubuntu Natty)
   Milestone: None => natty-alpha-2

[Bug 690040] Re: no longer confined by AppArmor

2010-12-14 Thread Martin Pitt
Kees, thanks for pointing out. I guess for maverick we won't get around adding these extra calls to the upstart script, but this is really expensive (it starts a big perl process for each of those). For natty, is it planned to move apparmor to an upstart job, so that jobs can just wait for it to

[Bug 690040] Re: no longer confined by AppArmor

2010-12-14 Thread Kees Cook
Perl? What? No, it should just use the logic all the other services do. For example:

pre-start script
    [ -d /sys/module/apparmor ] || exit 0
    [ -x /sbin/apparmor_parser ] || exit 0
    /sbin/apparmor_parser -r -W /etc/apparmor.d/usr.sbin.avahi-daemon || true
end script

There will be a

[Bug 690040] Re: no longer confined by AppArmor

2010-12-14 Thread Kees Cook
Sorry, it should also include a test for being enabled (this is missing from avahi, but is what others are using aa-status for).

    read profile < /sys/kernel/security/apparmor/profiles || true
    [ -z "$profile" ] && exit 0 # quit if disabled

[Bug 690040] Re: no longer confined by AppArmor

2010-12-14 Thread Kees Cook
(Or not, since this is early-boot and there may be no profiles loaded yet, so we should skip that test.)

[Bug 690040] Re: no longer confined by AppArmor

2010-12-13 Thread Kees Cook
** Also affects: cups (Ubuntu Maverick)
   Importance: Undecided
   Status: New
** Also affects: cups (Ubuntu Natty)
   Importance: Undecided
   Status: New
** This bug has been flagged as a security vulnerability

[Bug 690040] Re: no longer confined by AppArmor

2010-12-13 Thread Kees Cook
This is a race between /etc/init/cups and /etc/init.d/apparmor. /etc/init/cups should include a stanza to load the AppArmor profile like all the other /etc/init services that have AppArmor profiles.

$ sudo aa-status
...
1 processes are unconfined but have a profile defined.
   /usr/sbin/cupsd

[Bug 690040] Re: no longer confined by AppArmor

2010-12-13 Thread Kees Cook
Workaround: sudo service cups restart

[Bug 690040] Re: no longer confined by AppArmor

2010-12-13 Thread Till Kamppeter
** Changed in: cups (Ubuntu Maverick)
   Assignee: (unassigned) => Martin Pitt (pitti)
** Changed in: cups (Ubuntu Natty)
   Assignee: (unassigned) => Martin Pitt (pitti)