[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-08 Thread Jason A. Donenfeld
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4124 ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4125 ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4126 -- You received this bug notification because you are a member of

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
** Attachment added: exploit PoC 2 https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583680/+files/60calibrerassaultmount.sh -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/885027 Title:

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
Updated the exploit. ** Attachment added: exploit PoC 2.1 https://bugs.launchpad.net/calibre/+bug/885027/+attachment/2583746/+files/60calibrerassaultmount.sh ** Changed in: calibre Status: Fix Released => Confirmed

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-02 Thread Jason A. Donenfeld
There's still a symlink race condition. If at first the symlink points to /dev/something-legit or /media/something-legit, the symlink can be swapped easily by hooking into inotify's IN_ACCESS and changing what it points to just in time for mount to be called with the symlink pointing someplace

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
** Changed in: calibre Status: Fix Released => Confirmed

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
To fix races with the mount source, you should check against /dev/shm, as this is the only world-writable directory in most /dev filesystems that I know of. Or more generally, stat and check root ownership and permission on the directory of the device. (Though, you can't chdir into both.) You

Re: [Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
To fix races with the mount source, you should check against /dev/shm, as this is the only world-writable directory in most /dev filesystems that I know of. Or more generally, stat and check root ownership and permission on the directory of the device. (Though, you can't chdir into both.) You

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-03 Thread Jason A. Donenfeld
Kovid -- in response to #45, it does in fact work. The paths might be a little different on your distro (it's an easy exploit to modify). Here's a screencast of it in action: http://git.zx2c4.com/calibre-mount-helper-exploit/plain/70calibrerassaultmount-demo.ogv I'm glad you've restricted /dev

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid Shucks. Just as I was beginning to make progress on .80 Calibrer! http://git.zx2c4.com/calibre-mount-helper-exploit/tree/80calibrerassaultmount.c But you still have major problems in the code -- there are still two race conditions, with the one exploited in .70 the most dangerous. Namely,

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
Unfortunately, the saga continues. Your /shm/ check doesn't do anything, because, as it turns out, because you realpath twice, I don't need to use /shm/ at all! Your code is still broken. Giving up should still be an option on the table for you. In case, however, you've become determined and still

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
Hello. I've attached a patch for you, as requested. It replaces the mount helper with the nice udisks-based script that ubuntu ships. For distributions that do not support udisks, they can add their own. Or, you can write something different. In light of this, you might consider removing the

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid: Yet you continue to ignore some major advice about how to fix it. Have you chdir'd yet? No. Still vulnerable.

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
My final word is that you should give up trying to reinvent the wheel, and use a method supplied by the distro for mounting disks. It's not worth my time to play whack-a-mole here. As Dan said, Usually I get paid good money to own software this hard, and I don't think you're worth making an

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Dan: Right. In other words, mount /dev/sdaX to /dev/newfolder using the race condition exploited in .70-calibrer. Then build the stager in /dev/newfolder/home/username/whatever. Then use the race exploited in .80-calibrer to toggle whatever between being a symlink to /dev/sda and being the

[Bug 885027] Re: SUID Mount Helper has 5 Major Vulnerabilities

2011-11-04 Thread Jason A. Donenfeld
@Kovid Great to hear!

[Bug 1047122] Re: [needs-packaging] pass: the standard unix password manager

2012-10-08 Thread Jason A. Donenfeld
Great, thanks. Are there any plans to add this to older versions of Ubuntu as well?

[Bug 1047122] Re: [needs-packaging] pass: the standard unix password manager

2012-10-08 Thread Jason A. Donenfeld
Cool, thanks for the documentation. That's a pretty slick requestbackport tool. https://bugs.launchpad.net/bugs/1063688

[Bug 1047122] [NEW] pass: the standard unix password manager

2012-09-06 Thread Jason A. Donenfeld
Public bug reported: Pass is a package manager that uses gpg, pwgen, and simple file system directories. It is gaining quite a bit of popularity and momentum. There is an ubuntu package on http://zx2c4.com/projects/password-store and debian rules/control ( http://git.zx2c4.com/password-

[Bug 1680811] Re: Request to add wireguard interface to interface-order

2017-04-15 Thread Jason A. Donenfeld
It might make more sense to simply switch to using openresolv, which is a proper resolvconf implementation, which doesn't rely on this silly hard-coded list. Alternatively, you could just backport features one by one from openresolv, such as '-m 0' and '-x'. But really, since openresolv has no

[Bug 1683884] [NEW] openresolv is less crippled than debian-resolvconf for security-focused configurations

2017-04-18 Thread Jason A. Donenfeld
Public bug reported: Ubuntu relies on Debian's own "resolvconf" which is vastly inferior to Openresolv and makes it impossible to securely set up DNS servers for ephemeral secure tunnel interfaces. Specifically, Debian's "resolvconf" relies on a hard coded list of interface templates. For

[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets

2017-04-21 Thread Jason A. Donenfeld
** Description changed: The HWE kernel, and possibly others too, backport some virtio improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received packets so that the CPU doesn't have to checksum packets that have already been verified by hardware. In the initial implementation

[Bug 1685416] [NEW] Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets

2017-04-21 Thread Jason A. Donenfeld
Public bug reported: The HWE kernel, and possibly others too, backport some virtio improvements related to setting VIRTIO_NET_HDR_F_DATA_VALID on received packets so that the CPU doesn't have to checksum packets that have already been verified by hardware. In the initial implementation of this,

[Bug 1685522] Re: out of date snapshot

2017-04-23 Thread Jason A. Donenfeld
** Description changed: This package *MUST* be consistently sync'd against the upstream Debian package, since its version is a fastly moving *snapshot* with no security guarantees. The Debian package makes careful note of it, which is why it's pinned to sid. The WireGuard documentation

[Bug 1685522] Re: out of date snapshot

2017-04-23 Thread Jason A. Donenfeld
As discussed on IRC, the following empty package should be put into Zesty. ** Attachment added: "wireguard_0.0.20170214-1ubuntu0.17.04.tar.gz" https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1685522/+attachment/4867059/+files/wireguard_0.0.20170214-1ubuntu0.17.04.tar.gz

[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets

2017-04-22 Thread Jason A. Donenfeld
** Also affects: linux-hwe (Ubuntu) Importance: Undecided Status: New ** Changed in: linux-hwe (Ubuntu) Status: New => Confirmed

[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets

2017-04-22 Thread Jason A. Donenfeld
No such log is necessary. You simply forgot to backport two critical patches. ** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed

[Bug 1685522] [NEW] out of date snapshot

2017-04-22 Thread Jason A. Donenfeld
Public bug reported: This package *MUST* be consistently sync'd against the upstream Debian package, since its version is a fastly moving *snapshot* with no security guarantees. The Debian package makes careful note of it, which is why it's pinned to sid. The WireGuard documentation also is very

[Bug 1683947] Re: ubuntu 4.8 kernel, virtio_net error causes NAT packets to be lost

2017-04-24 Thread Jason A. Donenfeld
Hey Jay, I found this same issue here -- https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1685416 -- when debugging WireGuard issues on GCE. I'm curious how you found it and what your debugging was like. Do you work for Google and could debug their virtio implementation? I spent a really long

[Bug 1685416] Re: Virtio Fixes Not Backported --> Google Cloud Platform Drops Packets

2017-04-24 Thread Jason A. Donenfeld
Hi Stefan -- thanks for taking ownership of this bug. Could you give a rough timeline on when you expect to roll out the next kernel update that contains these commits?

[Bug 1685522] Re: out of date snapshot

2017-04-24 Thread Jason A. Donenfeld
[Impact] * After discussion on IRC with the release team, it seems clear that this package should have stayed in Debian sid and not migrated into a stable release of Ubuntu. This sentiment is reflected in the original Debian bug report about such. * Thus, rather than keep a rolling package

[Bug 1685522] Re: out of date snapshot

2017-04-24 Thread Jason A. Donenfeld
This appears to have been added to the queue and is now waiting for approval: https://launchpad.net/ubuntu/zesty/+queue?queue_state=1_text=wireguard

[Bug 1685522] Re: out of date snapshot

2017-04-24 Thread Jason A. Donenfeld

[Bug 1685522] Re: out of date snapshot

2017-04-24 Thread Jason A. Donenfeld
The uploaded package is wrong. This tarball contains actual minimal contents, as it should be. ** Attachment added: "wireguard_0.0.20170214-1ubuntu0.17.04.1.tar.gz"

[Bug 1685522] Re: out of date snapshot

2017-04-24 Thread Jason A. Donenfeld
Using the .deb builds provided on https://launchpad.net/ubuntu/+source/wireguard/0.0.20170214-1ubuntu0.17.04.1/+build/12474101 , I can confirm that the packages work exactly as intended.

[Bug 1685522] Re: out of date snapshot

2017-04-25 Thread Jason A. Donenfeld
I have performed testing with four separate VMs: 1. A fresh install of the -proposed package on a minimal server. 2. An update from the previous package to the -proposed package on a minimal server. 3. A fresh install of the -proposed package on a desktop with many packages. 4. An update from

[Bug 1413440] Re: USB stops working after a while (xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command)

2017-05-19 Thread Jason A. Donenfeld
I'm having this issue on kernel 4.11.1. [48112.422418] [ cut here ] [48112.422441] WARNING: CPU: 0 PID: 14420 at drivers/usb/host/xhci-ring.c:1390 handle_cmd_completion+0xb17/0xc00 [xhci_hcd] [48112.422446] Modules linked in: xt_hashlimit ip6_udp_tunnel udp_tunnel rfcomm

[Bug 1685522] Re: out of date snapshot

2017-05-01 Thread Jason A. Donenfeld
Any update on this SRU?

[Bug 1842447] Re: Kernel Panic with linux-image-4.15.0-60-generic when specifying nameserver in docker-compose

2019-09-06 Thread Jason A. Donenfeld
It's possible this same issue is responsible for this crash in WireGuard: https://lists.zx2c4.com/pipermail/wireguard/2019-September/004495.html

[Bug 1685522] Re: out of date snapshot

2019-09-08 Thread Jason A. Donenfeld
Hey apw and adconrad -- a long time ago (2.5 years) we decided to keep WireGuard from migrating into Ubuntu. There's been tons of progress since then. It's now in the progress of migrating down into Debian testing and stable. I think it's time we let it migrate into Ubuntu too. Is there anything

[Bug 1685522] Re: out of date snapshot

2019-09-08 Thread Jason A. Donenfeld
** No longer affects: wireguard (Ubuntu)

[Bug 1844521] Re: DEP8 test reaches out to demo.wireguard.com

2019-09-24 Thread Jason A. Donenfeld
In lieu of Debian changing something, I'd suggest replacing this package with the one we actually develop specifically for Ubuntu: https://launchpad.net/~wireguard/+archive/ubuntu/wireguard Could you take care of importing 0.0.20190913 (or newer, depending on when you read this) from there?

[Bug 1855096] Re: iptables-restore: invalid option -- 'w'

2019-12-04 Thread Jason A. Donenfeld
I'll have a new snapshot out today to rectify this problem.

[Bug 1856539] Re: wireguard package doesn't work on ubuntu eon

2019-12-16 Thread Jason A. Donenfeld
Run `sudo modprobe wireguard`, and then after run `dmesg`, and paste the output of your dmesg. Most likely you need to do some sort of dkms rebuilding.

[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0

2019-10-09 Thread Jason A. Donenfeld
Most likely this is related to an invocation to `ip rule` that's being made, not WireGuard. Take a look at this mailing list post: https://lists.zx2c4.com/pipermail/wireguard/2019-October/004588.html

[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0

2019-10-09 Thread Jason A. Donenfeld
Yep, confirmed that Eoan is broken. Here's reproduction steps: root@scw-competent-dirac:~# uname -a Linux scw-competent-dirac 5.3.0-13-generic #14-Ubuntu SMP Tue Sep 24 02:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux root@scw-competent-dirac:~# ip netns add crash root@scw-competent-dirac:~# ip

[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0

2019-10-09 Thread Jason A. Donenfeld
Here's a one liner that *doesn't require root* that you can use to test whether the kernel fix has landed: unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table main suppress_prefixlength 0 && ping -f 1234::1'

[Bug 1847478] Re: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"

2019-10-09 Thread Jason A. Donenfeld
** Summary changed: - wireguard crashes system shortly after wg-quick down wg0 + eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule" ** Package changed: wireguard (Ubuntu) => linux-meta (Ubuntu)

[Bug 1855096] Re: iptables-restore: invalid option -- 'w'

2019-12-05 Thread Jason A. Donenfeld
Fixed here: https://lists.zx2c4.com/pipermail/wireguard/2019-December/004675.html ** Changed in: wireguard (Ubuntu) Status: Confirmed => Fix Released

[Bug 1851295] Re: dkms error with wireguard on upgrafe to 19.10

2020-02-07 Thread Jason A. Donenfeld
Consult /var/lib/dkms/wireguard/0.0.20190913/build/make.log for more information.

[Bug 1854225] Re: Kernel oops and system lock up when invoking wg-quick up

2020-02-07 Thread Jason A. Donenfeld
Doesn't look like a WireGuard bug. ** Package changed: wireguard (Ubuntu) => linux (Ubuntu)

[Bug 1856539] Re: wireguard package doesn't work on ubuntu eon

2020-02-07 Thread Jason A. Donenfeld
[ 15.589541] module: x86/modules: Skipping invalid relocation target, existing value is nonzero for type 1, loc f4677a21, val c1171b82 Looks like a dkms issue? Thankfully we won't need that for 20.04 and also earlier kernels once things are backported. I'll reassign this to the

[Bug 1858807] Re: Wireguard install fails on 19.10

2020-02-07 Thread Jason A. Donenfeld
The kernel team can backport things need be. ** Package changed: wireguard (Ubuntu) => linux (Ubuntu)

[Bug 1851295] Re: dkms error with wireguard on upgrafe to 19.10

2020-02-07 Thread Jason A. Donenfeld
Seems dkms related. ** Package changed: wireguard (Ubuntu) => linux (Ubuntu)

[Bug 1862413] Re: wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed to build

2020-02-14 Thread Jason A. Donenfeld
The latest version is v0.0.20200214.

[Bug 1862413] Re: wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed to build

2020-02-19 Thread Jason A. Donenfeld
The Ubuntu kernel team seems to be behind in deploying a fix for this. In the interim you can solve this by using the WireGuard project's PPA, which now has backports for 19.10. Run this command to fix your issue: sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo

[Bug 1856539] Re: wireguard package doesn't work on ubuntu eon

2020-02-19 Thread Jason A. Donenfeld
The Ubuntu kernel team seems to be behind in deploying a fix for this. In the interim you can solve this by using the WireGuard project's PPA, which now has backports for 19.10. Run this command to fix your issue: sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo

[Bug 1862413] Re: wireguard-dkms 0.0.20190913-1ubuntu1: wireguard kernel module failed to build

2020-02-14 Thread Jason A. Donenfeld
Go to www.wireguard.com/install/ , find the links for Ubuntu and Debian, and press the "out of date" button.

[Bug 1854225] Re: Kernel oops and system lock up when invoking wg-quick up

2020-01-21 Thread Jason A. Donenfeld
Thanks for the bug report. That kern.log is useful. The relevant part is reproduced below in this comment. Looks like wg-quick(8) invokes sysctl(8), which then uses /proc/sys/, and somehow invokes a null pointer dereference while holding a spinlock, leading to that lock being hit by other cores,

[Bug 1858807] Re: Wireguard install fails on 19.10

2020-01-21 Thread Jason A. Donenfeld
This is fixed upstream, but the Ubuntu package is old. Maybe somebody can do something about this.

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
The wireguard virtual package should imply "modules|dkms", and in general the order for the recommends here should change to "modules|dkms". Additionally, the dkms module should skip kernels that already have wireguard. We fixed this in Debian two ways, here: 1.

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-17 Thread Jason A. Donenfeld
Ah, looks like I can't.

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-17 Thread Jason A. Donenfeld
Reopening this until we have some conclusion on (2) and (3) of #9.

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
> The wireguard{,-dkms,-tools} versions do not align: wireguard-dkms is newer. Maybe that's not relevant but I thought I'd mention it. This part doesn't matter. They're separate packages with separate releases and don't need to align. https://git.zx2c4.com/wireguard-linux-compat/refs/

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
Okay something is very amiss, and at this point a member of Canonical's kernel team is going to have to check. I downloaded the latest one from the mirrors: https://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-meta/linux-image-generic_5.4.0.24.29_amd64.deb This has: Provides:

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
To add to the list above of debian things: 3. https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
I've let people know in #ubuntu-kernel, so hopefully Canonical will take a look. To recap for whoever inherits this bug, the following things need to be done: 1. Add back the "Provides: wireguard-modules" in linux-image-generic. This is really important. It used to be there but has strangely been

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
The kernel package has a "Provides: wireguard-modules", as wireguard-modules is a virtual. At least that's how it's supposed to work.

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
> Actually, it looks like it was dropped intentionally here by apw: > https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next=95b5fab11fa1e681a3adaba4f669efef8a18fd70 > But maybe it never got added to the meta as the commit message describes? Actually,

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
> linux-image-generic only ships the vmlinuz so I believe that's why it doesn't directly "Provides: wireguard-modules". This is missing from linux-modules-5.4.0-XX-generic though which outta have it because does provides the .ko Not sure this logic holds, considering that has Provides for other

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-16 Thread Jason A. Donenfeld
Actually, it looks like it was dropped intentionally here by apw: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next=95b5fab11fa1e681a3adaba4f669efef8a18fd70 But maybe it never got added to the meta as the commit message describes?

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-17 Thread Jason A. Donenfeld
Simon - to keep you updated on the bug you reported, this fixes issue (1), as described in comment #9: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux-meta/+git/focal/commit/?id=204fb3b2ae6b0c8c41c339f47949b45d571c4953 We'll keep this open until there's a decision/fix on (2) and

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-30 Thread Jason A. Donenfeld
Looks like it's still in -proposed, not -updates: zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-proposed/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package: Package: linux-image-aws Package: linux-image-azure Package: linux-image-gcp

[Bug 1873288] Re: wireguard-tools should NOT recommend wireguard-dkms

2020-04-30 Thread Jason A. Donenfeld
All set now! zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package: Package: linux-image-aws Package: linux-image-azure Package: linux-image-gcp Package: linux-image-generic Package:

[Bug 1879952] Re: wireguard-dkms 1.0.20200429-2~19.10: wireguard kernel module failed to build

2020-05-21 Thread Jason A. Donenfeld
Looks like your wireguard-dkms package is out of date. This is apw's area. I'll add him to the bug.

[Bug 1892798] Re: eliminating resolvconf/openresolv dependencies

2020-08-25 Thread Jason A. Donenfeld
Thanks for bringing this to my attention. I believe your assessment is correct. Do you know which Ubuntu first started using resolved? How far back do we need to make changes? There are two facets of this: 1) The Ubuntu systemd package should install the resolvconf compatibility symlink. I have

[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf

2020-08-25 Thread Jason A. Donenfeld
By the way, Arch manages the possibility of openresolv colliding with systemd's resolvconf by providing a package called "systemd-resolvconf": https://www.archlinux.org/packages/core/x86_64/systemd-resolvconf/ https://github.com/archlinux/svntogit-

[Bug 1892798] Re: eliminating resolvconf/openresolv dependencies

2020-08-25 Thread Jason A. Donenfeld
> wireguard package => please feed DNS data direct to systemd-resolved using either dbus or the cli. Absolutely not. We're not going to add vendor-specific hacks for broken distros that are unable to include the standard interface for this kind of thing, resolvconf(8). This is a pretty clear case

[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf

2020-08-26 Thread Jason A. Donenfeld
** Changed in: wireguard (Ubuntu) Status: Incomplete => Confirmed

[Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf

2020-08-26 Thread Jason A. Donenfeld
Your four appended comments are super full of just plain wrong information. I'll try to unpack these all piecemeal: > Ubuntu/Debian has never used openresolv This is not the case. Ubuntu and Debian have provided openresolv for a very long time, and resolvconf has mostly been an unmaintained

[Bug 1896777] Re: wireguard-dkms 1.0.20200611-1ubuntu1~16.04.1: wireguard kernel module failed to build

2020-09-23 Thread Jason A. Donenfeld
You forgot to update your system. apt update && apt upgrade ** Changed in: wireguard-linux-compat (Ubuntu) Status: New => Invalid

[Bug 1890201] Re: Depends on wireguard-modules | wireguard-dkms are inverted

2020-08-04 Thread Jason A. Donenfeld
The real issue here is that Andy forgot to add `Provides: wireguard-modules` to the linux-meta-oem package, and maybe some others here: - https://lists.zx2c4.com/pipermail/wireguard/2020-August/005743.html - https://lists.zx2c4.com/pipermail/wireguard/2020-August/005746.html -

[Bug 1890201] Re: Depends on wireguard-modules | wireguard-dkms are inverted

2020-08-04 Thread Jason A. Donenfeld
Super! Sounds like a big improvement. Thanks for rolling this out so quickly.

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Jason A. Donenfeld
I'm not convinced that really cuts it. Namely, from the diff: -print(" %s" % (info["description"] or "")) +# strip ANSI escape sequences +description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]", + "", info["description"] or "") + +print("
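Review bot: the pattern in the added re.sub line only matches CSI sequences, meaning a \x9B or \x1B\[ introducer followed by parameter, intermediate and final bytes, so escape sequences that start with any other introducer, and bare control characters in info["description"], still reach print unchanged. Filtering the description down to printable characters (plus ordinary whitespace) before printing would cover those cases without having to enumerate sequence types, and a comment beside the filter should state which bytes are allowed through.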

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Jason A. Donenfeld
You might be right that the remaining ones that slip through your regex are mere "nuisance"s. But you know how those things go - one man's nuisance is another man's vuln. Some of those, anyhow, are implemented by the Linux console driver. Why not just take the tried and true "safe" route, as

[Bug 1890201] Re: Depends on wireguard-modules | wireguard-dkms are inverted

2020-08-04 Thread Jason A. Donenfeld
Great that this is going through the various levels of approval for SRU, but I do hope the actual bug -- Provides: being missing -- is fixed with this same level of urgency. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1890286] [NEW] ansi escape sequence injection in add-apt-repository

2020-08-04 Thread Jason A. Donenfeld
*** This bug is a security vulnerability *** Public security bug reported: This was reported to oss-security and to secur...@ubuntu.com, but I figure I should make a real bug report, as otherwise it'll probably be missed. Original post from https://www.openwall.com/lists/oss-

[Bug 1890286] Re: ansi escape sequence injection into add-apt-repository

2020-08-04 Thread Jason A. Donenfeld
Looks like this has come up before in other utilities and was fixed, such as https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1649352 . ** Summary changed: - ansi escape sequence injection into add-apt-repository + ansi escape sequence injection in add-apt-repository -- You received

[Bug 1861284] Re: Build and ship a signed wireguard.ko

2020-06-25 Thread Jason A. Donenfeld
** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861284 Title: Build and ship a signed wireguard.ko To manage notifications about this bug go to:

[Bug 725126]

2020-06-20 Thread Jason A. Donenfeld
Tracking the new bug here now: https://sourceware.org/bugzilla/show_bug.cgi?id=26141 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/725126 Title: gas may assemble b to locally-defined, preemptible

[Bug 725126]

2020-06-19 Thread Jason A. Donenfeld
This problem still exists on binutils 2.33 when -fvisibility=hidden is passed to cflags. I imagine this is so due to some conflicting code where the forced B.W is only generated for static functions, since non-static ones will be relocated differently, but then because of -fvisibility=hidden,

[Bug 1906947] Re: package wireguard-dkms 1.0.20201112-1~20.04.1 failed to install/upgrade: installed wireguard-dkms package post-installation script subprocess returned error exit status 10

2020-12-05 Thread Jason A. Donenfeld
apw - I'll leave this to you. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906947 Title: package wireguard-dkms 1.0.20201112-1~20.04.1 failed to install/upgrade: installed wireguard-dkms

[Bug 1907996] Re: Wireguard-tools misses some bash completion

2020-12-13 Thread Jason A. Donenfeld
Thank you for the report. Fixed upstream now: https://git.zx2c4.com/wireguard-tools/commit/?id=7e506135f7da13cc13b51f2d0db47da364b2de7b This will trickle down to Ubuntu whenever I make a release upstream and then Debian and Ubuntu do their thing. ** Changed in: wireguard (Ubuntu) Status:

[Bug 1910404] Re: wireguard-dkms 1.0.20201112-1~16.04.1 failed to build

2021-01-06 Thread Jason A. Donenfeld
> Building initial module for 4.4.0-31-generic That doesn't look like a recent kernel. Purge old kernels. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1910404 Title: wireguard-dkms

[Bug 1910404] Re: wireguard-dkms 1.0.20201112-1~16.04.1 failed to build

2021-01-06 Thread Jason A. Donenfeld
** Changed in: wireguard-linux-compat (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1910404 Title: wireguard-dkms 1.0.20201112-1~16.04.1 failed to build To

[Bug 1915304] Re: linux-stable v4.14.217 causes skb_mark_not_on_list() build failure

2021-02-10 Thread Jason A. Donenfeld
This was fixed in the latest upstream wireguard-linux-compat release on Jan 24. ** Changed in: wireguard-linux-compat (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1915304] Re: linux-stable v4.14.217 causes skb_mark_not_on_list() build failure

2021-02-11 Thread Jason A. Donenfeld
Due to inconsistent use of ubuntu-specific identifiers and complexity introduced by HWE and such, wireguard-linux-compat develops against the latest kernels for each of the Ubuntu releases -- listed on https://www.wireguard.com/build-status/ , ctrl+F for ubuntu. This already amounts to ~7 kernels. So

[Bug 1915304] Re: linux-stable v4.14.217 causes skb_mark_not_on_list() build failure

2021-02-24 Thread Jason A. Donenfeld
I wish you'd not waste time on this downstream stuff. wireguard-linux-compat v1.0.20210219 has the proper fix (along with other important fixes). Simply import the package from debian and be done with it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is