[Touch-packages] [Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source

Thu, 04 Jan 2024 10:50:30 -0800 

** Also affects: util-linux (Ubuntu Noble)
   Importance: Undecided
       Status: Fix Released

** Also affects: util-linux (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: util-linux (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Changed in: util-linux (Ubuntu Mantic)
       Status: New => Fix Released

** Changed in: util-linux (Ubuntu Lunar)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2048092

Title:
  [low-priority SRU] Fix CVE-2022-0563 in source

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Jammy:
  In Progress
Status in util-linux source package in Lunar:
  Fix Released
Status in util-linux source package in Mantic:
  Fix Released
Status in util-linux source package in Noble:
  Fix Released

Bug description:
  [Impact]
  We did not fix this CVE in Ubuntu because we do not build the impacted 
binaries (we use --disable-chfn-chsh). However, some users are known to build 
their own binaries from this Ubuntu source and therefore could be impacted.

  [Test Plan]
  Since there is no impact to Ubuntu binaries, there is no functional change to 
verify. Regression testing using the existing build-time tests and autopkgtests 
should suffice.

  We should also verify that util-linux source builds fine w/ chfn and
  chsh enabled after applying this patch - otherwise it is really
  helping no one.

  [Where problems could occur]
  The upstream patch is clearly restricted to the chfn chsh binaries, which are 
not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this 
is used as a precedent to fix other no-impact-to-Ubuntu security issues in 
other source - say, just to silence 3rd party security scanners. I do not 
intend to set such a precedent here, and suggest we consider them only on a 
case-by-case basis.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to