[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-06-06 Thread Mark Esler
Andreas asked that I re-verify that Ubuntu Security wishes to make this
change through SRU. We do.

Since the regression was inherited from sid, it feels most appropriate
to SRU a change into -updates. Also, since a working 5.6 patch for
CVE-2019-14318 does not exist we do not have a fix for the security
pocket.

This SRU needs a sponsor.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14318

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2064751

Title:
  [SRU] revert security-regression in Focal's libcrypto++

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2064751/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-06-06 Thread Mark Esler
Marking this as invalid, since devel is not affected. Only focal is
affected.

** Package changed: libcrypto++ (Ubuntu) => ubuntu

** Changed in: ubuntu
   Status: New => Invalid

[Bug 129133] Re: mc uses predictable temp directory path

2024-05-27 Thread Mark Esler
Sounds good!

The impact does sound low. Mostly I recommend CVEs if you want to make
sure that downstreams apply a security patch.

[Bug 129133] Re: mc uses predictable temp directory path

2024-05-27 Thread Mark Esler
Hi @zyw o/

_If_ your project wants, I'm happy to assign and publish a CVE for this.

[Bug 2065738] Re: Leaks wireguard keys

2024-05-23 Thread Mark Esler
*** This bug is a duplicate of bug 1987842 ***
https://bugs.launchpad.net/bugs/1987842

Please refer to this issue as CVE-2022-4968.

Marking this bug as a duplicate to
https://bugs.launchpad.net/netplan/+bug/1987842

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-4968

** Information type changed from Private Security to Public Security

** This bug has been marked a duplicate of bug 1987842
   wireguard: netdev file can leak private key

[Bug 2066372] Re: Ubuntu 22.04 LTS - swaylock -v 1.5 - lock screen bypasses

2024-05-22 Thread Mark Esler
Focal (20.04) and Jammy (22.04) swaylock versions are affected
https://ubuntu.com/security/CVE-2022-26530

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26530

** Information type changed from Private Security to Public Security

[Bug 2046084] Re: HID gamepad not working when paired with blueman on bluez 5.68-0ubuntu1.1

2024-05-07 Thread Mark Esler
*** This bug is a duplicate of bug 2045931 ***
https://bugs.launchpad.net/bugs/2045931

Ack, thanks for the explanation.

** Tags added: regression-security regression-update

[Bug 2046116] Re: bluetooth device connected but not recognised as output device

2024-05-07 Thread Mark Esler
@vorlon answered why in
https://bugs.launchpad.net/ubuntu/+source/blueman/+bug/2046084/comments/7

[Bug 2064966] Re: "accept_source_route" enabled by default in 24.04

2024-05-06 Thread Mark Esler
** Information type changed from Private Security to Public Security

[Bug 2046116] Re: bluetooth device connected but not recognised as output device

2024-05-06 Thread Mark Esler
@vanvugt, @vorlon, why is this marked as a regression?

[Bug 2046084] Re: HID gamepad not working when paired with blueman on bluez 5.68-0ubuntu1.1

2024-05-06 Thread Mark Esler
*** This bug is a duplicate of bug 2045931 ***
https://bugs.launchpad.net/bugs/2045931

This is not a security regression. This is upstream's fix to prevent
https://github.com/skysafe/reblog/blob/main/cve-2024-0230/README.md

If you wish to enable legacy devices (and the vulnerability) with the
most recent version of BlueZ, set `ClassicBondedOnly=false` in
`/etc/bluetooth/input.conf`, and then run `systemctl restart bluetooth`.

Removing regression tags and marking as a duplicate of
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/2045931


** This bug has been marked a duplicate of bug 2045931
   ps3 sixasis controller request pin to connect to bt

** Tags removed: regression-security regression-update

[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Description changed:

  [ Impact ]
  
  Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
  this version from Debian appears to have been a mistake.
  
  This is a security regression, but was not published through the security
  pocket.
  
  As far as I am aware, Debian only packaged 5.6.4-9 in sid. Buster's latest
  version is 5.6.4-8: the version immediately before the regression.
  
  This version includes an _incomplete_ security patch for CVE-2019-14318
  which breaks elliptic curve arithmetic.
   - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
     security patch is incomplete.
   - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
     states that the 2019 patch (which 5.6 and 8.3.0 received) has a
     regression.
  
  See https://github.com/weidai11/cryptopp/issues/1269 and LP#2060564 for a
  deeper exploration of this Ubuntu Focal issue.
  
- The root cause of LP#1893934 appears to be caused by this regression. As
- reported on the urbackup forums, rolling back to the previous version
- solves this crash.
+ The root cause of LP#1893934 appears to be caused by this regression.
+   - As reported on the urbackup forums, rolling back to the previous
+ version solves this crash.
   -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/
  
  [ Test Plan ]
  
  1. To test the regression:
  
  Compile and use @ekera[@]github.com's PoC (attached as main.cpp):
  ```
  $ g++ main.cpp -lcryptopp -o test
  $ ./test
  ```
  
  The PoC will report `X is *NOT* as expected.` on miscomputations.
  
  See https://github.com/weidai11/cryptopp/issues/1269
  
  Both Bionic 18.04.06 (libcrypto++ version 5.6.4-8) and Jammy 22.04.04
  (libcrypto++ version 8.6.0-2ubuntu1) had the expected result. Focal fails
- with 5.6.4-8. Rolling back the version allows the PoC test to past.
+ with 5.6.4-8. Rolling back the version allows the PoC test to past. Using
+ a version built with the attached debdiff also passes the PoC.
  
  2. Package tests:
  
  All package build tests pass regardless of the regression. Checking that
  new failures do not occur is a sanity test.
  
  To test builtin tests run: `cd /usr/share/crypto++ && cryptest v`
  
  X. Note:
  
  Unfortunately there are no autopkgtests.
  
  `reverse-depends -r focal src:libcrypto++` includes five, possibly minor,
  reverse dependencies.
  
  libcrypto++ is mostly used as a dependency outside of the Ubuntu Archive.
  i.e., we have low visibility on how this package is used.
  
  I am hoping that the PoC and built in tests are enough to prove the sanity
  of this security regression SRU.
  
  [ Other Info ]
  
  A big thank you to Martin Ekerå (@ekera[@]github.com) for identifying this
  issue and writing a thorough bug report and PoC on GitHub \o/
  
  This is my first SRU. I need a sponsor and help tagging on LP.
  
  I have performed the Test Plan.
  
  The fix solely involves on removing a d/patch file.
  
  Removing the patch causes the following (expected) symbol changes in
  ./usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0:
  ```
  +CryptoPP::ProjectivePoint::~ProjectivePoint() W
  +std::vector >::~vector() W
  +void std::vector 
>::_M_realloc_insert(__gnu_cxx::__normal_iterator > >, CryptoPP::ProjectivePoint 
const&) W
  ```
  
  [ Where problems could occur ]
  
  Two systems both using software based on the regressed version of Crypto++
  *could possibly* communicate through incorrectly generated keys together.
  This seems unlikely and, if it is even possible, we should discourage or
  even break the use of miscalculated elliptic curves.
  
  A regression in reverting the regressed patch is possible.

[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Description changed:

  [ Impact ]
  
  Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
  this version from Debian appears to have been a mistake.
  
  This is a security regression, but was not published through the security
  pocket.
  
  As far as I am aware, Debian only packaged 5.6.4-9 in sid. Buster's latest
  version is 5.6.4-8: the version immediately before the regression.
  
  This version includes an _incomplete_ security patch for CVE-2019-14318
  which breaks elliptic curve arithmetic.
-  - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
-security patch is incomplete.
-  - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
-states that the 2019 patch (which 5.6 and 8.3.0 received) has a
-regression.
+  - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
+    security patch is incomplete.
+  - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
+    states that the 2019 patch (which 5.6 and 8.3.0 received) has a
+    regression.
  
  See https://github.com/weidai11/cryptopp/issues/1269 and LP#2060564 for a
  deeper exploration of this Ubuntu Focal issue.
  
  The root cause of LP#1893934 appears to be caused by this regression. As
  reported on the urbackup forums, rolling back to the previous version
  solves this crash.
-  -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/
+  -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/
  
  [ Test Plan ]
  
  1. To test the regression:
  
- Compile and use @ek...@github.com's PoC (attached as main.cpp):
+ Compile and use @ekera[@]github.com's PoC (attached as main.cpp):
  ```
  $ g++ main.cpp -lcryptopp -o test
  $ ./test
  ```
  
  The PoC will report `X is *NOT* as expected.` on miscomputations.
  
  See https://github.com/weidai11/cryptopp/issues/1269
  
  Both Bionic 18.04.06 (libcrypto++ version 5.6.4-8) and Jammy 22.04.04
  (libcrypto++ version 8.6.0-2ubuntu1) had the expected result. Focal fails
  with 5.6.4-8. Rolling back the version allows the PoC test to past.
  
  2. Package tests:
  
  All package build tests pass regardless of the regression. Checking that
  new failures do not occur is a sanity test.
  
  To test builtin tests run: `cd /usr/share/crypto++ && cryptest v`
  
  X. Note:
  
  Unfortunately there are no autopkgtests.
  
  `reverse-depends -r focal src:libcrypto++` includes five, possibly minor,
  reverse dependencies.
  
  libcrypto++ is mostly used as a dependency outside of the Ubuntu Archive.
  i.e., we have low visibility on how this package is used.
  
- I am hoping that the PoC built in tests are enough to prove the sanity of
- this security regression SRU.
+ I am hoping that the PoC and built in tests are enough to prove the sanity
+ of this security regression SRU.
  
  [ Other Info ]
-  
- A big thank you to Martin Ekerå (@ek...@github.com) for identifying this
+ 
+ A big thank you to Martin Ekerå (@ekera[@]github.com) for identifying this
  issue and writing a thorough bug report and PoC on GitHub \o/
  
  This is my first SRU. I need a sponsor and help tagging on LP.
  
  I have performed the Test Plan.
  
  The fix solely involves on removing a d/patch file.
  
  Removing the patch causes the following (expected) symbol changes in
  ./usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0:
  ```
  +CryptoPP::ProjectivePoint::~ProjectivePoint() W
  +std::vector >::~vector() W
  +void std::vector 
>::_M_realloc_insert(__gnu_cxx::__normal_iterator > >, CryptoPP::ProjectivePoint 
const&) W
  ```
  
  [ Where problems could occur ]
  
  Two systems both using software based on the regressed version of Crypto++
  *could possibly* communicate through incorrectly generated keys together.
  This seems unlikely and, if it is even possible, we should discourage or
  even break the use of miscalculated elliptic curves.
  
  A regression in reverting the regressed patch is possible.

[Bug 2064751] [NEW] [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
Public bug reported:

[ Impact ]

Focal's libcrypto++ 5.6.4-9 regresses elliptic curve generation. Uploading
this version from Debian appears to have been a mistake.

This is a security regression, but was not published through the security
pocket.

As far as I am aware, Debian only packaged 5.6.4-9 in sid. Buster's latest
version is 5.6.4-8: the version immediately before the regression.

This version includes an _incomplete_ security patch for CVE-2019-14318
which breaks elliptic curve arithmetic.
 - https://github.com/weidai11/cryptopp/issues/869 states that this 5.6
   security patch is incomplete.
 - https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981
   states that the 2019 patch (which 5.6 and 8.3.0 received) has a
   regression.

See https://github.com/weidai11/cryptopp/issues/1269 and LP#2060564 for a
deeper exploration of this Ubuntu Focal issue.

The root cause of LP#1893934 appears to be caused by this regression. As
reported on the urbackup forums, rolling back to the previous version
solves this crash.
 -  https://forums.urbackup.org/t/urbackupsrv-crashes-on-ubuntu-20-04/

[ Test Plan ]

1. To test the regression:

Compile and use @ek...@github.com's PoC (attached as main.cpp):
```
$ g++ main.cpp -lcryptopp -o test
$ ./test
```

The PoC will report `X is *NOT* as expected.` on miscomputations.

See https://github.com/weidai11/cryptopp/issues/1269

Both Bionic 18.04.06 (libcrypto++ version 5.6.4-8) and Jammy 22.04.04
(libcrypto++ version 8.6.0-2ubuntu1) had the expected result. Focal fails
with 5.6.4-8. Rolling back the version allows the PoC test to pass.

2. Package tests:

All package build tests pass regardless of the regression. Checking that
new failures do not occur is a sanity test.

To run the built-in tests: `cd /usr/share/crypto++ && cryptest v`

X. Note:

Unfortunately there are no autopkgtests.

`reverse-depends -r focal src:libcrypto++` includes five, possibly minor,
reverse dependencies.

libcrypto++ is mostly used as a dependency outside of the Ubuntu Archive.
i.e., we have low visibility on how this package is used.

I am hoping that the PoC and built-in tests are enough to prove the sanity
of this security regression SRU.

[ Other Info ]
 
A big thank you to Martin Ekerå (@ek...@github.com) for identifying this
issue and writing a thorough bug report and PoC on GitHub \o/

This is my first SRU. I need a sponsor and help tagging on LP.

I have performed the Test Plan.

The fix solely involves removing a d/patch file.

Removing the patch causes the following (expected) symbol changes in
./usr/lib/x86_64-linux-gnu/libcrypto++.so.6.0.0:
```
+CryptoPP::ProjectivePoint::~ProjectivePoint() W
+std::vector >::~vector() W
+void std::vector >::_M_realloc_insert(__gnu_cxx::__normal_iterator > >, CryptoPP::ProjectivePoint const&) W
```

[ Where problems could occur ]

Two systems both using software based on the regressed version of Crypto++
*could possibly* communicate through incorrectly generated keys together.
This seems unlikely and, if it is even possible, we should discourage or
even break the use of miscalculated elliptic curves.

A regression in reverting the regressed patch is possible.

** Affects: libcrypto++ (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: libcrypto++ (Ubuntu Focal)
 Importance: Undecided
 Status: New


** Tags: regression-update

[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Attachment added: "main.cpp"
   
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2064751/+attachment/5774479/+files/main.cpp

[Bug 2064751] Re: [SRU] revert security-regression in Focal's libcrypto++

2024-05-03 Thread Mark Esler
** Patch added: "libcrypto++_5.6.4-9ubuntu1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2064751/+attachment/5774481/+files/libcrypto++_5.6.4-9ubuntu1.debdiff

** Also affects: libcrypto++ (Ubuntu Focal)
   Importance: Undecided
   Status: New

[Bug 2040137] Re: exposing the EFI shell in Secure Boot mode can lead to security bypass

2024-04-28 Thread Mark Esler
This has been addressed in the LXD snaps 5.21/stable
(https://github.com/canonical/lxd-pkg-snap/commit/764ee08b) and 5.0/edge
(https://github.com/canonical/lxd-pkg-snap/commit/bfe4270e).

All LXD software before version 4 is not affected.

Jammy, Mantic, and Noble do not have debs. Focal's deb is a snap
installer. If LP is meant to track affected debs, all tagged LXD
releases are invalid.

[Bug 2062667] Re: Fails on (and should be removed from) raspi desktop

2024-04-27 Thread Mark Esler
This impacts all arm64 installs, not just raspberry pi.

The MIR for qrtr and protection-domain-mapper [0] was requested late in
the Mantic cycle and was only approved by Security since it was promised
to only be used for x13s hardware enablement. Hopefully Qualcomm IPC is
only enabled for x13s kernels.

As noted in the qrtr MIR:
> We should be cautious of IPC routers running root permissions. Similar code has
> enabled vendor backdoors [1].

Furthermore, qrtr has nearly no documentation and has no inline code
comments [2].

Please remove this from mantic's and noble's ubuntu-meta package.

[0] https://bugs.launchpad.net/ubuntu/+source/qrtr/+bug/2038942
[1] https://redmine.replicant.us/projects/replicant/wiki/samsunggalaxybackdoor
[2] https://github.com/linux-msm/qrtr

[Bug 1990655] Re: MIR: libgit2, http-parser

2024-04-23 Thread Mark Esler
http-parser has been deprecated [0] for llhttp [1] in libgit2 \o/

[0] https://github.com/libgit2/libgit2/issues/6074
[1] https://github.com/libgit2/libgit2/pull/6713

** Bug watch added: github.com/libgit2/libgit2/issues #6074
   https://github.com/libgit2/libgit2/issues/6074

[Bug 2063160] Re: Security Update required

2024-04-22 Thread Mark Esler
Thank you!

This was mistriaged as not affecting Ubuntu, which has been corrected:
https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=83e00d6f10a8f7a234751a97f87a62c88d0143cb

I have messaged Debian Security to track this as well.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-28184

** Information type changed from Private Security to Public Security

** Changed in: weasyprint (Ubuntu)
   Status: New => Confirmed

[Bug 2063014] Re: CVE-2023-50246 and CVE-2023-50268

2024-04-22 Thread Mark Esler
** Changed in: jq (Ubuntu)
   Status: New => Fix Released

[Bug 2063014] Re: CVE-2023-50246 and CVE-2023-50268

2024-04-22 Thread Mark Esler
CVE-2023-50246 only affects jq >= 1.7 until 1.7.1. That issue was
introduced with cf4b48c7ba30cb30e116b523cff036ea481459f6. Mantic (23.10)
has jq version 1.6-3 and Noble (24.04) has 1.7.1-3build1. This is why
unaffected versions are labeled as "Not vulnerable (code not present)"
on https://ubuntu.com/security/CVE-2023-50246

CVE-2023-50268 has the same story. The break appears to be
680baeffeb7983e7570b5e68db07fe47f94db8c7 which was introduced in 1.7 and
fixed in 1.7.1. https://ubuntu.com/security/CVE-2023-50268


** Information type changed from Private Security to Public Security

[Bug 2004516] Re: [MIR] libyuv (transitive dependency of libheif)

2024-04-17 Thread Mark Esler
I reviewed libyuv 0.0~git202401110.af6ac82-1 as checked into noble. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.

libyuv is an open source project that includes YUV scaling and
conversion functionality.

- CVE History:
  - none
  - open bug reports are not a security concern
    - https://bugs.chromium.org/p/libyuv/issues/list
- Build-Depends?
  - googletest build depend
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - from libyuv-utils
    - ./usr/bin/yuvconstants
    - ./usr/bin/yuvconvert
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - from d/rules, it appears all tests on armel s390x powerpc ppc64 and sparc64 are disabled
  - on amd64, 40 disabled tests
  - 256 counts of -Wstringop-overflow in build logs due to tests
  - more bugs in test possible, see coverity section
  - rather thorough testing otherwise
- cron jobs?
  - none
- Build logs:
  - missing man pages for binaries
  - 256 counts of -Wstringop-overflow due to tests

- Processes spawned?
  - only in python, and in a script for maintaining upstream deps
    - not relevant
- Memory management?
  - tests cause string overflows with memtest
    - just a bug, not a security concern
  - see coverity section
  - moderate memcpy use outside of tests
    - looks okay
- File IO?
  - c++ fopen use appears safe
  - ignoring python upstream maintenance helper scripts
- Logging?
  - no logging outside of python
  - Python uses logging.debug and logging.error
- Environment variable usage?
  - only used for tests
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - not a concern
- Any significant Coverity results?
  - non-security bug reported
    - https://bugs.chromium.org/p/libyuv/issues/detail?id=979
  - many more non-relevant issues in tests
    - ignoring
    - upstream should improve unit tests.
  - ./tools_libyuv/ seems dangerous, but appears to only be for upstream maintenance
    - okay
  - unchecked return in ./util/yuconvert.cc:243
  - report of uninitialized scalar variable in ./util/yuconvert.cc seems difficult to trigger
  - MJpegDecoder::MJpegDecoder() does not initialize buf_vec_.pos
    - this is set early in MJpegDecoder::LoadFrame(), so probably *fine*
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
  - only in irrelevant source code maintenance scripts

This was an expedited and less thorough review.

Security team ACK for promoting foot to main.

** Changed in: libyuv (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

[Bug 2061750] Re: [MIR] python-s3transfer as indirect dependency of simplestreams (simplestreams -> python-boto3 -> python-s3transfer)

2024-04-17 Thread Mark Esler
** Tags added: sec-4083

https://bugs.launchpad.net/bugs/2061750

[Bug 2061751] Re: [MIR] python-botocore as indirect dependency of simplestreams (simplestreams -> python-boto3 -> python-s3transfer -> python-botocore)

2024-04-17 Thread Mark Esler
** Tags added: sec-4084

https://bugs.launchpad.net/bugs/2061751

[Bug 2061217] Re: [MIR] python-boto3 as a dependency of simplestreams

2024-04-17 Thread Mark Esler
** Tags added: sec-4082

https://bugs.launchpad.net/bugs/2061217

[Bug 2061217] Re: [MIR] python-boto3 as a dependency of simplestreams

2024-04-16 Thread Mark Esler
Hello, the MIR process says any MIRs assigned to the security team after
the Beta Freeze deadline need to be discussed with the Director of
Security Engineering:

For a MIR to be considered for a release, it must be assigned to the
Security team (by the MIR team) before Beta Freeze. This does not
guarantee that a security review can be completed by Final Release.
Ask the director of Security for exceptions.

https://github.com/canonical/ubuntu-mir?tab=readme-ov-file#security-reviews

Please find a few minutes on Alex Burrage's calendar and schedule
a meeting.

Thanks

https://bugs.launchpad.net/bugs/2061217

[Bug 2060564] Re: miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-12 Thread Mark Esler
There is a strong chance that
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/1893934 is
related to the incomplete CVE-2019-14318 patch regression.

I plan to propose an SRU to effectively downgrade this regressed package
to 5.6.4-8.

Please see https://github.com/weidai11/cryptopp/issues/1269 for more
details.

** Bug watch added: github.com/weidai11/cryptopp/issues #1269
   https://github.com/weidai11/cryptopp/issues/1269

https://bugs.launchpad.net/bugs/2060564

[Bug 2004516] Re: [MIR] libyuv (transitive dependency of libheif)

2024-04-11 Thread Mark Esler
When is Security review absolutely needed by? Is April 17th, the day
before Final Freeze okay? Would that give Foundation's enough time to
promote to main?

There may not be enough time for Security to complete a review by Final
Freeze, but we are looking for someone to take this asap.

https://bugs.launchpad.net/bugs/2004516

[Bug 2030880] Re: [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

2024-04-10 Thread Mark Esler
Setting to In Progress per
https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971/comments/28

** Changed in: libemail-mime-perl (Ubuntu)
   Status: Won't Fix => In Progress

https://bugs.launchpad.net/bugs/2030880

[Bug 2004516] Re: [MIR] libyuv (transitive dependency of libheif)

2024-04-09 Thread Mark Esler
** Tags added: sec-4053

https://bugs.launchpad.net/bugs/2004516

[Bug 2060035] Re: [MIR] msgraph

2024-04-09 Thread Mark Esler
** Tags added: sec-4054

https://bugs.launchpad.net/bugs/2060035

[Bug 2060564] Re: miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-08 Thread Mark Esler
Debian `libcrypto++` 5.6.4-9 introduced a security patch for
CVE-2019-14318.

According to a post in 2019,
https://github.com/weidai11/cryptopp/issues/869, the CVE-2019-14318
patch for 5.6.4 was incomplete. A comment in a later 2020 issue mentions
that the 2019 8.3 patch was broken:
https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981

Debian's 5.6.4-9 uses the 2019 patch which likely contains a regression.
It does not appear that a fully working fix for CVE-2019-14318 in 5.6.4
was made.

** Bug watch added: github.com/weidai11/cryptopp/issues #869
   https://github.com/weidai11/cryptopp/issues/869

** Bug watch added: github.com/weidai11/cryptopp/issues #994
   https://github.com/weidai11/cryptopp/issues/994

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14318

https://bugs.launchpad.net/bugs/2060564

[Bug 2060564] Re: miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-08 Thread Mark Esler
With fresh amd64 VMs using the latest Ubuntu point releases, I was able
to reproduce your report on Ubuntu Focal 20.04.6 (`libcrypto++` version
5.6.4-9build1). Both Bionic 18.04.6 (`libcrypto++` version 5.6.4-8) and
Jammy 22.04.4 (`libcrypto++` version 8.6.0-2ubuntu1) had the expected
result.

Also on Ubuntu Focal 20.04.4, I installed [Debian's `libcrypto++`
version
5.6.4-9](https://snapshot.debian.org/package/libcrypto++/5.6.4-9/)
directly. This version also has the error. Debian's `libcrypto++`
version immediately prior
[5.6.4-8](https://snapshot.debian.org/package/libcrypto++/5.6.4-8/) is
not affected. The Debian version afterwards,
[5.6.4-10](https://snapshot.debian.org/package/libcrypto++/5.6.4-10/),
is affected, but
[6.1.0-1](https://snapshot.debian.org/package/libcrypto++/6.1.0-1/) is
not.

So, the issue is only known to affect packages based on Debian
`libcrypto++` 5.6.4-9 and 5.6.4-10.

https://bugs.launchpad.net/bugs/2060564

[Bug 2060564] [NEW] miscomputation of ECP::ScalarMultiply() using 5.6.4-9

2024-04-08 Thread Mark Esler
*** This bug is a security vulnerability ***

Public security bug reported:

This issue was reported to the Security team over email and originally
posted to https://github.com/weidai11/cryptopp/issues/1269

> I typically never use Crypto++, but I had to yesterday, and I then 
> experienced a strange behavior that I felt I had to somehow report. Having 
> read your [security 
> policy](https://github.com/weidai11/cryptopp/security/policy), I decided that 
> the appropriate course of action was to open an issue here.
>
> ### Background
> 
> I used the default Crypto++ package provided by [Ubuntu 20.04.6 LTS (Focal 
> Fossa)](https://releases.ubuntu.com/focal/) running on a computer with a 
> 64-bit Intel CPU.
> 
> More specifically, Crypto++ was installed on the machine via `apt` as follows:
> 
> ```
> $ sudo apt update && sudo apt upgrade
> (..)
> $ sudo apt install libcrypto++-dev 
> (..)
> libcrypto++-dev is already the newest version (5.6.4-9build1).
> ```
> 
> The package version 5.6.4 leads me to think that it installs the (old) v5.6.4 
> release of Crypto++ from [this GitHub 
> repository](https://github.com/weidai11/cryptopp), although it is not 
> entirely clear from the metadata for the package.
> ### The issue
> 
> When using Crypto++ as provided by the above package, it seems 
> `ECP::ScalarMultiply()` may miscompute. Specifically, it seems to miscompute 
> if the scalar is on [2, 32), i.e. of bit length less than or equal to 5. This 
> would appear to be related to the difference in behavior induced by the 
> branching on [this 
> line](https://github.com/weidai11/cryptopp/blob/782057f5f18fbdad2bd2b291fb1ec558a8ab8225/ecp.cpp#L387)
>  in the source code for Crypto++.
> 
> To exemplify, I obtain the below result:
> 
> ```
> Q1.x = 
> 33306590390930540189669946118275349837741820479536661896440526521039379673897.
> Q1.y = 
> 51671163428562425671907826722938384860953039014408454870632045822359784767650.
> 
> >> Q1 is *NOT* as expected.
> >> Q1 is *NOT* on E.
> 
> Q2.x = 
> 33898744863829483362161709717034397769364896634277352921440311777960767108802.
> Q2.y = 
> 23483645583050324501141112153509270605088748325709409281081826839369927198174.
> 
> >> Q2 is as expected.
> >> Q2 is on E.
> 
> >> T1 is equal to T2 for d = 1.
> >> T1 is *NOT* equal to T2 for d = 2.
> >> T1 is *NOT* equal to T2 for d = 3.
> >> T1 is *NOT* equal to T2 for d = 4.
> >> T1 is *NOT* equal to T2 for d = 5.
> >> T1 is *NOT* equal to T2 for d = 6.
> >> T1 is *NOT* equal to T2 for d = 7.
> >> T1 is *NOT* equal to T2 for d = 8.
> >> T1 is *NOT* equal to T2 for d = 9.
> >> T1 is *NOT* equal to T2 for d = 10.
> >> T1 is *NOT* equal to T2 for d = 11.
> >> T1 is *NOT* equal to T2 for d = 12.
> >> T1 is *NOT* equal to T2 for d = 13.
> >> T1 is *NOT* equal to T2 for d = 14.
> >> T1 is *NOT* equal to T2 for d = 15.
> >> T1 is *NOT* equal to T2 for d = 16.
> >> T1 is *NOT* equal to T2 for d = 17.
> >> T1 is *NOT* equal to T2 for d = 18.
> >> T1 is *NOT* equal to T2 for d = 19.
> >> T1 is *NOT* equal to T2 for d = 20.
> >> T1 is *NOT* equal to T2 for d = 21.
> >> T1 is *NOT* equal to T2 for d = 22.
> >> T1 is *NOT* equal to T2 for d = 23.
> >> T1 is *NOT* equal to T2 for d = 24.
> >> T1 is *NOT* equal to T2 for d = 25.
> >> T1 is *NOT* equal to T2 for d = 26.
> >> T1 is *NOT* equal to T2 for d = 27.
> >> T1 is *NOT* equal to T2 for d = 28.
> >> T1 is *NOT* equal to T2 for d = 29.
> >> T1 is *NOT* equal to T2 for d = 30.
> >> T1 is *NOT* equal to T2 for d = 31.
> >> T1 is equal to T2 for d = 32.
> >> T1 is equal to T2 for d = 33.
> >> T1 is equal to T2 for d = 34.
> 
> >> T1 is equal to T2 for d = 
> >> 4838386420901692723041175965060989195194280026704430236348655611663611748562.
> ```
> 
> The source code in `main.cpp` is as follows:
> 
> ```c++
> #include <iostream>
> 
> using std::cout;
> using std::endl;
> 
> #include "cryptopp/ecp.h"
> 
> using CryptoPP::Integer;
> using CryptoPP::ECPPoint;
> using CryptoPP::ECP;
> 
> int main() {
>   const Integer 
> p("68563679381982577622739666783671143994995151030968464702867583019834252739659");
> 
>   const Integer 
> a("38340410290425650555291103033366954895786709470949111520317038818740559472271");
>   const Integer 
> b("61862461829344747002414367293848044144907923329445405487651446734863421214369");
> 
>   const ECP E = ECP(p, a, b);
> 
>   const Integer 
> q("17140919845495644405684916695917785998672015991198074381415721324869292128811");
> 
>   /* Note: The curve E has order r = 2^2 * q where q is prime. */
> 
>   const Integer 
> x("49783729659862894673603312242618433622969024866008586212478256625771510792958");
>   const Integer 
> y("18916745246771588809190938755787142016135405279727789454979776401687407939506");
> 
>   const ECPPoint P = ECP::Point(x, y);
> 
>   /* Note: The point P is on E and of order r so it generates all of E. */
> 
>   /* Note: Let us now compute the point Q = [4] P of prime order q. */
> 
>   const Integer 
> 
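
The reporter's method, an independent computation of [d]P to compare against the library's result plus an on-curve check, can be written down without Crypto++ at all. The block below is added example code for this page, not Crypto++ code and not the reporter's program: it implements affine short-Weierstrass arithmetic in pure Python and a harness that flags any scalar for which a suspect `ScalarMultiply` disagrees with the reference or returns a point off the curve. The curve, P and q are the values quoted in the report; treating the printed Q2 coordinates as [4]P is an assumption made here, and because Crypto++ is not available to the script, the reference itself stands in for the library under test.

```python
"""Independent reference for EC scalar multiplication, to cross-check a
library's ECP::ScalarMultiply() the way the report above does: compute [d]P
by unrelated methods and require the library's point to equal the reference
and to lie on the curve."""

INF = None  # the point at infinity (group identity)


class ShortWeierstrass:
    """y^2 = x^3 + a*x + b over GF(p), affine coordinates, p an odd prime."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Group law, covering identity, doubling and P + (-P)."""
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2:
            if (y1 + y2) % self.p == 0:
                return INF  # Q == -P
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)  # tangent
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)  # chord
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, d, P):
        """[d]P by left-to-right double-and-add, d >= 0."""
        R = INF
        for bit in bin(d)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def mul_naive(self, d, P):
        """[d]P by d successive additions: slow, but it shares no code path
        with mul() beyond add(), so it is a genuine second opinion for small d."""
        R = INF
        for _ in range(d):
            R = self.add(R, P)
        return R


def check_scalar_mult(curve, P, scalars, suspect_mul):
    """Return the scalars d for which suspect_mul(d, P) is off the curve or
    differs from the reference; an empty list means every result agreed."""
    bad = []
    for d in scalars:
        ref = curve.mul(d, P)
        if d < 1024:  # cross-check the two references while that is cheap
            assert ref == curve.mul_naive(d, P)
        got = suspect_mul(d, P)
        if not curve.on_curve(got) or got != ref:
            bad.append(d)
    return bad


# Curve, base point P and subgroup order q as quoted in the report.
p = 68563679381982577622739666783671143994995151030968464702867583019834252739659
a = 38340410290425650555291103033366954895786709470949111520317038818740559472271
b = 61862461829344747002414367293848044144907923329445405487651446734863421214369
q = 17140919845495644405684916695917785998672015991198074381415721324869292128811
E = ShortWeierstrass(p, a, b)
P = (49783729659862894673603312242618433622969024866008586212478256625771510792958,
     18916745246771588809190938755787142016135405279727789454979776401687407939506)
# Q2 as printed by the report's "as expected" run; assumed here to be [4]P.
Q2_REPORTED = (33898744863829483362161709717034397769364896634277352921440311777960767108802,
               23483645583050324501141112153509270605088748325709409281081826839369927198174)


def main():
    assert E.on_curve(P), "P must lie on E for any of this to be meaningful"
    Q = E.mul(4, P)
    print("[4]P on E:", E.on_curve(Q), "| equals reported Q2:", Q == Q2_REPORTED)
    print("[q]([4]P) is the identity:", E.mul(q, Q) is INF)
    # Stand-in for the library under test: replace E.mul with a callable that
    # returns the library's (x, y) for (d, P). The reference is used here only
    # so that the script runs without Crypto++ installed.
    print("scalars with a wrong or off-curve result:",
          check_scalar_mult(E, P, range(1, 40), E.mul))


if __name__ == "__main__":
    main()
```

To test a real build, have a small C++ helper print the coordinates `ECP::ScalarMultiply()` returns for each scalar and feed them in as `suspect_mul`; the on-curve test alone is enough to catch the Q1 failure shown above, since a correct [d]P always lies on E, while the comparison against `mul_naive()` catches a point that is on the curve but is the wrong multiple.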

[Bug 2054127] Re: grub-efi crashes upon `exit`

2024-04-06 Thread Mark Esler
A fix has been released to Noble proposed and the CVE has been
published.

https://launchpad.net/ubuntu/+source/grub2/2.12-1ubuntu7

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/2054127

[Bug 2048781] Re: [MIR] authd

2024-03-27 Thread Mark Esler
I believe this issue can be set to In Progress and is ready for
promotion to main.

@didrocks, @slyon: please ping me if anything is needed from Security.

https://bugs.launchpad.net/bugs/2048781

[Bug 2048781] Re: [MIR] authd

2024-03-27 Thread Mark Esler
I am posting this Security MIR on behalf of Sudhakar Verma (@sudhackar)
since he is out of the office.

---

I reviewed authd 0.2.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. 

authd is a service that builds cloud based authentication and MFA from clouds
such as OpenID Connect or Microsoft Azure / Entra ID. This is also a
framework that will help create authentication broker services.

- CVE History
  - no CVE found
- Build-Depends
  - pam related libraries
    - libpam0g-dev
  - language runtimes
    - golang-go
    - dh-cargo
  - jq
  - protobuf-compiler
- pre/post inst/rm scripts
  - add/remove authd to /etc/nsswitch.conf
- init scripts
  - No
- systemd units
  - Creates 'authd.service', which is expected since this is a service to
    manage the authentication with a daemon
- dbus services
  - No
- setuid binaries
  - No
- binaries in PATH
  - /usr/sbin/authd
- sudo fragments
  - No
- polkit files
  - No
- udev rules
  - No
- unit tests / autopkgtests
  - unit tests and autopkgtests are there and working quite fine
- cron jobs
  - No
- Build logs
  - some warnings from tests and autopkgtests but nothing major

- Processes spawned
  - gpasswd is spawned to manage user - groups associations. The path seems to
    be hardcoded.
- Memory management
  - code is mostly go - some glue for handling native libs in rust and C
    but no problems seen there. The tests cover the cases well.
- File IO
  - the daemon relies on a database file, config files and files related to
    user accounts - like /etc/group. The config files could be based in user's
    home, /etc - nothing concerning. Seems safe.
- Logging
  - logrus is used - under vendor. Seems safe.
- Environment variable usage
  - Used to enable debugging, PAM specific glue, DBUS etc. Seems safe.
- Use of privileged functions
  - No
- Use of cryptography / random number sources etc
  - RNG - uses crypto/rand from stdlib which is a CSPRNG. Seems safe.
  - Cryptography - Uses RSA from crypto/rsa - PKCS #1 and RFC 8017 for PAM
    side encryption. Seems safe.
  - Hashing - Only uses sha512 from crypto/sha512. Seems safe.
- Use of temp files
  - only while testing. Seems safe.
- Use of networking
  - All networking is done through unix sockets within PAM. Seems safe.
- Use of WebKit
  - No.
- Use of PolicyKit
  - No.

- Any significant cppcheck results
  - No
- Any significant Coverity results
  - No
- Any significant shellcheck results
  - No. authd only has scripts which are used during building.
- Any significant bandit results
  - No
- Any significant govulncheck results
  - No
- Any significant Semgrep results
  - go.grpc.security.grpc-server-insecure-connection
    - The connection is through a unix socket, so it's only accessible locally
      and is within PAM, so we are protected by the pam stack as well.
  - go.lang.security.audit.dangerous-exec-command
    - The command is static - 'gpasswd' as defined in defaultOptions,
      so this is an FP.

authd is a daemon that implements managing user authentication and related
services like MFA. It can be used to integrate with different auth providers
with our own brokers by exposing a dbus interface. It maintains a database
at runtime locally to handle user accounts. It also exposes NSS and PAM
services over grpc.

What this basically means is - authd is a complex project that talks to various
services and exposes a few of its own - it's stateful and is a daemon. It also
handles authentication - one of the key foundations of the security of a system.
However, the project looks good in terms of maintainability. There are plenty
of integration, unit and end to end tests. The project is well documented, and
is well maintained. The history looks clean and the maintainers are easy to
approach and talk to.

Security team ACK for promoting authd to main.


** Changed in: authd (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/2048781

[Bug 2051850] Re: [MIR] trace-cmd

2024-03-26 Thread Mark Esler
I reviewed trace-cmd 3.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> TRACE-CMD: The front-end application to Ftrace. The back-end
application to KernelShark.

- CVE History
  - none
- Build-Depends
  - most are for docs
  - libtrace* mirs are ack'd
  - note the d/control suggestion for installing kernelshark
    - trace-cmd is the backend for kernelshark
    - https://git.kernel.org/pub/scm/utils/trace-cmd/kernel-shark.git/
- pre/post inst/rm scripts
  - none
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - root owned ./usr/bin/trace-cmd
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- cron jobs
  - none
- unit tests / autopkgtests
  - needs tests, see MIR team's requirements
- Build logs
  - -Walloc-size-larger-than=
  - -Wformat-overflow=
  - -Wunused-result
  - please do not use in production environments

- Processes spawned
  - moderate use, as expected by nature of program
  - root user privileges are expected when using this tool
  - checked uses and attempts look okay
  - in traceinput.c, regexec() is controlled by root unprivileged user
  - note that arbitrary commands can be specified to run based on tracing
    triggers
- Memory management
  - extremely heavy use
  - this code is unlikely safe to be used in production. this is meant for
    development.
    - we should never suggest usecases that input is untrusted
      - e.g., network traffic from untrusted sources
- File IO
  - heavy use
- Logging
  - some use of tracecmd_debug(), mostly perror()
- Environment variable usage
  - TRACECMD_PLUGIN_DIR, HOME, USER, LOGNAME, PATH
  - mostly used to run commands as another user
- Use of privileged functions
  - setuid, setgid, ioctl, initgroups
  - used to run arbitrary commands as an arbitrary user by record_trace_command()
  - ioctl used to get the local context id of a vm socket
    - hardcoded to use Linux Kernel constant 0x7b9 +1
    - see https://github.com/mdlayher/vsock/blob/main/fd_linux.go and past
      ioctl_linux.go iteration
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - safe use of mkstemp
- Use of networking
  - yes, heavy socket use
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck and Coverity results
  - many results, most are likely false-positives
  - potential memory leaks caused by jumps
  - treating these as bugs in a _development tool_
    - this is not meant for _production_
  - checked OOB reports are false-positives
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
  - noisy rule complains about strtok v. strtok_r
    - see tracecmd/trace-cmd.c:53
    - proper use is understood

Security is content to review this as a _development tool_. Extreme
caution should be taken if used in production.

Security team ACK for promoting trace-cmd to main.

https://bugs.launchpad.net/bugs/2051850

[Bug 2051916] Re: [MIR] promote libtraceevent as a trace-cmd dependency

2024-03-26 Thread Mark Esler
I reviewed libtraceevent 1:1.8.2-1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> libtraceevent - Linux kernel trace event library

- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - most dependencies are for building documentation
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- cron jobs?
  - none
- unit tests / autopkgtests?
  - in progress by owning team
- Build logs:
  - missing MAN pages
    - documentation warnings make build logs noisy
  - W: libtraceevent source: build-depends-on-obsolete-package Build-Depends:
    pkg-config => pkgconf

- Processes spawned?
  - ./src/parse-filter.c runs regexec
    - this is a library, secure implementation depends on downstream projects
- Memory management?
  - heavy use
    - care seems to be taken
    - as a root process, bugs are unlikely to cause vulnerabilities
    - this is a library, secure implementation depends on downstream projects
- File IO?
  - load_plugin() from ./src/event-plugin.c uses dlopen
    - security depends on how downstream projects load plugins
    - assume plugins are root
- Logging?
  - contains error handling messages
  - mostly in ./src/parse-filter.c
- Environment variable usage?
  - TRACEEVENT_PLUGIN_DIR
  - HOME
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - minimal use in ./src/event-parse.c
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck and Coverity results?
  - false positives
    - these looked relevant at first glance, but not after analysis
- Any significant shellcheck results?
  - none, all reports are for manpages/tests/building
- Any significant bandit results?
  - none

Security team ACK for promoting libtraceevent to main.

https://bugs.launchpad.net/bugs/2051916

[Bug 2030880] Re: [MIR] libemail-mime-perl (libmail-dmarc-perl dependency)

2024-03-25 Thread Mark Esler
Per MIR Team's #3 requirement, the described issue was patched on May
20th 2020 (although the GH bug remains open). There are three commits: a
fix, a test, and documentation. These landed in upstream version 1.947.

Please see https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2019041975

https://bugs.launchpad.net/bugs/2030880

[Bug 2059048] [NEW] adduser allows no password when PAM's pwquality is restrictively set

2024-03-25 Thread Mark Esler
Public bug reported:

If pam_pwquality is restrictively set, a user can still be created by
adduser without a password.

e.g.,
```
eslerm@mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 
lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username 
enforce_for_root

eslerm@mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 5 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...

eslerm@mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:0:9:7:::
```

This was raised as an issue to the Security team. Foundations suggested
to file a bug. This is possibly only a feature request. If this behavior
is unexpected by the maintainers, it is likely a security issue. I am
leaning towards this being a feature request and not marking the bug for
Public/Private Security.

** Affects: adduser (Ubuntu)
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/2059048
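
The transcript above ends with `bar:!:19802:0:9:7:::`, an account that exists with a home directory and group membership but has never had a hash set. Finding such accounts after the fact is a small parsing job. The block below is an added example written for this page, not part of adduser or of the bug report: it joins passwd- and shadow-style records and lists login-capable accounts whose password field is empty, missing, or a bare `!`/`*`. The sample records are constructed; the field conventions (`!` and `*` as "no valid hash", a `!` prefix as an administratively locked hash, UID 1000 and above as a human account, `nologin`/`false` shells as non-interactive) follow shadow(5) and adduser's defaults, and the UID threshold is a parameter because sites differ.

```python
"""Audit passwd/shadow-style records for login-capable accounts that have no
usable password hash, the state the adduser transcript above leaves `bar` in.
Field conventions follow shadow(5); the sample records are constructed."""

SYSTEM_SHELLS = ("/nologin", "/false")


def classify_password_field(pw):
    """Describe a shadow password field.

    ''         -> 'empty'           nothing set at all
    '!', '*'   -> 'locked-no-hash'  no valid hash was ever stored (adduser
                                    leaves '!' when passwd does not succeed)
    '!<hash>'  -> 'locked-hash'     a real hash, administratively locked
    otherwise  -> 'hashed'
    """
    if pw == "":
        return "empty"
    if pw in ("!", "!!", "*"):
        return "locked-no-hash"
    if pw.startswith("!"):
        return "locked-hash"
    return "hashed"


def parse_colon_records(text, min_fields):
    """Yield the fields of each non-blank line of a /etc/passwd- or
    /etc/shadow-style file, rejecting records that are too short."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError("malformed record: %r" % line)
        yield fields


def find_passwordless_logins(passwd_text, shadow_text, min_uid=1000):
    """Return (user, state) for human accounts (uid >= min_uid, interactive
    shell) whose shadow entry is empty, missing, or locked without a hash."""
    shadow = {f[0]: classify_password_field(f[1])
              for f in parse_colon_records(shadow_text, 2)}
    flagged = []
    for f in parse_colon_records(passwd_text, 7):
        user, uid, shell = f[0], int(f[2]), f[6]
        if uid < min_uid or shell.endswith(SYSTEM_SHELLS):
            continue  # system account or no interactive login anyway
        state = shadow.get(user, "missing")
        if state in ("empty", "locked-no-hash", "missing"):
            flagged.append((user, state))
    return flagged


# Constructed sample data; the hashes are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
eslerm:x:1000:1000::/home/eslerm:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bar:x:1002:1002::/home/bar:/bin/bash
baz:x:1003:1003::/home/baz:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:19802:0:99999:7:::
daemon:*:19802:0:99999:7:::
eslerm:$6$saltsalt$PLACEHOLDERHASH:19802:0:99999:7:::
alice:!$6$saltsalt$PLACEHOLDERHASH:19802:0:99999:7:::
bar:!:19802:0:99999:7:::
baz::19802:0:99999:7:::
"""

if __name__ == "__main__":
    for user, state in find_passwordless_logins(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%s: %s" % (user, state))
```

On the sample this reports `bar` (bare `!`) and `baz` (empty field) and stays quiet about `alice`, whose `!`-prefixed entry is a deliberately locked but real hash. A bare `!` blocks password login but not key-based SSH or `su` from root, so the point of the list is accounts that exist without any credential ever having been set, which is exactly what the transcript above produces.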

[Bug 2059049] [NEW] adduser allows no password when PAM's pwquality is restrictively set

2024-03-25 Thread Mark Esler
Public bug reported:

If pam_pwqaulity is restrictively set a user can still be created by
adduser without a password.

e.g.,
```
eslerm@mino:~$ cat /etc/pam.d/common-password |grep pwquality
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 
lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username 
enforce_for_root

eslerm@mino:~$ sudo adduser bar
info: Adding user `bar' ...
info: Selecting UID/GID from range 1000 to 5 ...
info: Adding new group `bar' (1002) ...
info: Adding new user `bar' (1002) with group `bar (1002)' ...
info: Creating home directory `/home/bar' ...
info: Copying files from `/etc/skel' ...
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 digits
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Try again? [y/N] N
Changing the user information for bar
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
info: Adding new user `bar' to supplemental / extra groups `users' ...
info: Adding user `bar' to group `users' ...

eslerm@mino:~$ sudo cat /etc/shadow|grep bar
bar:!:19802:0:9:7:::
```

This was raised as an issue to the Security team. Foundations suggested
to file a bug. This is possibly only a feature request. If this behavior
is unexpected by the maintainers, it is likely a security issue. I am
leaning towards this being a feature request and not marking the bug for
Public/Private Security.

** Affects: adduser (Ubuntu)
 Importance: Undecided
 Status: New

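The shadow entry at the end of the transcript (`bar:!:...`) is how this outcome looks on disk. As an added example, not part of the bug report, here is a small Python audit helper that parses /etc/shadow-format lines and reports accounts whose password field is a bare `!` (or `!!`) or empty; the sample entries are constructed, and the state names are this example's own.

```python
"""Audit /etc/shadow-format entries for accounts that never received a password.

The adduser run in the bug report ends with `bar:!:19802:0:9:7:::`: the
password field is a bare `!`, so the account exists but no password hash was
ever stored. This helper classifies each entry so such accounts can be listed.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample input in /etc/shadow format (not taken from a real system).
# Field 2 is the password field; the remaining seven fields are ageing data.
SAMPLE_SHADOW = """\
root:$y$j9T$abcdefghijklmnop$constructedyescrypthashvalue0123456789:19800:0:99999:7:::
alice:$6$saltsalt$constructedsha512hashvalue:19801:0:99999:7:::
bob:!$6$saltsalt$constructedsha512hashvalue:19801:0:99999:7:::
bar:!:19802:0:99999:7:::
svc:*:19802:0:99999:7:::
guest::19802:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    state: str  # hashed | locked-with-hash | locked-no-hash | disabled | empty


def classify_password_field(field: str) -> str:
    """Map the shadow password field to an account state (names are this example's)."""
    if field == "":
        # No password at all: pam_unix with nullok would accept an empty password.
        return "empty"
    if field in ("!", "!!"):
        # Locked marker with no hash behind it: the account was created without a
        # password ever being set. This is the adduser outcome from the report.
        return "locked-no-hash"
    if field == "*":
        # Conventional 'no password login' marker used for system/service accounts.
        return "disabled"
    if field.startswith("!"):
        # passwd -l / usermod -L: the hash is kept but password login is disabled.
        return "locked-with-hash"
    return "hashed"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format text; skip blank and comment lines, reject malformed ones."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow entry for {fields[0]!r}")
        entries.append(ShadowEntry(fields[0], classify_password_field(fields[1])))
    return entries


def accounts_without_password(text: str) -> List[str]:
    """Names of accounts with no usable password: locked-no-hash or empty.

    'disabled' (*) and 'locked-with-hash' are deliberate administrator states and
    are not reported; 'locked-no-hash' is the state adduser left `bar` in.
    """
    return [e.name for e in parse_shadow(text)
            if e.state in ("locked-no-hash", "empty")]


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(f"{entry.name:8} {entry.state}")
    print("needs attention:", accounts_without_password(SAMPLE_SHADOW))
```

Run against a real system with `sudo python3 audit_shadow.py` after replacing `SAMPLE_SHADOW` with the contents of `/etc/shadow`.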

[Bug 2054480] Re: [MIR] nbd-client

2024-03-25 Thread Mark Esler
Thanks Wouter

It appears nbd-client existed in main at some point http://old-releases.ubuntu.com/ubuntu/pool/main/n/nbd/ (thanks Seth).

Between this MIR and tree's LP#2056099 I am concerned that Security is
being bypassed as NN approaches. That's not to say anything is wrong
with how nbd-client uses ioctl, but we haven't looked. Security is not
asking to review this for NN, just flagging for MIR Team discussion.


[Bug 2056099] Re: [MIR] tree

2024-03-25 Thread Mark Esler
Security is not asking to review this for NN, but this might have odd
code.

```
/* Should probably use strdup(), but we like our xmalloc() */
#define scopy(x) strcpy(xmalloc(strlen(x)+1),(x))
```


[Bug 2054480] Re: [MIR] nbd-client

2024-03-22 Thread Mark Esler
Was -server code ever reviewed by a MIR?

The client contains many ioctl calls.


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-03-18 Thread Mark Esler
There are unnecessary crates being vendored. I filed an upstream issue:
https://gitlab.gnome.org/GNOME/snapshot/-/issues/137

This causes a bandwidth strain on mirrors or wherever the source package
is needed.

To be clear, this is not a Security issue and does not impact Security's
review (since owning team is responsible for maintaining security of
vendored packages). This pattern has been raised as a MIR issue:
https://github.com/canonical/ubuntu-mir/issues/51

** Bug watch added: gitlab.gnome.org/GNOME/snapshot/-/issues #137
   https://gitlab.gnome.org/GNOME/snapshot/-/issues/137

** Bug watch added: github.com/canonical/ubuntu-mir/issues #51
   https://github.com/canonical/ubuntu-mir/issues/51


[Bug 1977614] Re: [MIR] fdk-aac-free

2024-03-15 Thread Mark Esler
The upstream chain for fdk-aac-free is precarious.

The Debian package fdk-aac-free watches
https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/ This version
specifically removes the HE (High Efficiency) and HEv2 profiles which
have patent concerns (see README.fedora).

This version does not regularly sync from upstream:
https://sourceforge.net/projects/opencore-amr/ Note that
https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's code
distributed on https://android.googlesource.com/platform/external/aac

Jorge has reported a potential vulnerability to
https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's VRP.
Android responded saying that they require a PoC and directed Jorge to
https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs

fdk-aac-free is not being maintained by syncing with upstream which may
contain security patches. Reporting issues about fdk-aac has so far been
fruitless.

Security could conclude our MIR now, but I suggest that fdk-aac-free is
reviewed next cycle if the owning team plans to work with fdk-aac-free.
Note that Fedora is also invested in fdk-aac-free and may share concerns
if made aware.


Side note: iiuc, the advantage of fdk-aac is that it works well on low resource 
systems, like cell phones and possibly for remote desktop. This advantage may 
not exist if HE profiles are stripped. If that is the case, there are aac 
alternatives.

** Bug watch added: github.com/mstorsjo/fdk-aac/issues #167
   https://github.com/mstorsjo/fdk-aac/issues/167


[Bug 2015538] Re: [MIR] dbus-broker

2024-03-15 Thread Mark Esler
Thank you @seb128. I was asked to get your feedback before completing
the Security review. Get well soon!

Security team ACK for promoting dbus-broker to main, under the condition
that src:dbus' binary packages are split as described by @paelzer in
comment #19.


[Bug 2052809] Re: [MIR] bpftrace

2024-03-15 Thread Mark Esler
I reviewed bpftrace 0.20.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> bpftrace is a high-level tracing language for Linux enhanced Berkeley
> Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace
> uses LLVM as a backend to compile scripts to BPF-bytecode and makes use
> of BCC for interacting with the Linux BPF system, as well as existing
> Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level
> dynamic tracing (uprobes), and tracepoints. The bpftrace language is
> inspired by awk and C, and predecessor tracers such as DTrace and
> SystemTap. bpftrace was created by Alastair Robertson.

- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - except what MIR Team mentions (libcereal-dev)
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/bpftrace
  - ./usr/bin/bpftrace-aotrt
  - ./usr/sbin/*.bt
    - these are bpftrace tools/examples
    - they are based on bcc code included in bpfcc-tools
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - none !
  - the ./usr/sbin/*.bt files would make excellent test cases though !
- cron jobs?
  - none
- Build logs:
  - warning building bpftrace(8) man page
  - other binaries missing man pages
  - -Wmaybe-uninitialized
  - source: superfluous-file-pattern

- Processes spawned?
  - can run modprobe kheaders
  - exec rm -rf temp dir
  - execve and exec_system expected for tracing
  - ./src/bpftrace.cpp line 666 o.o
- Memory management?
  - relatively light, mostly sprintf and memcpy
  - see comments in bpftrace.cpp's perf_event_printer()
    - memory use is carefully thought out
- File IO?
  - opens /sys/kernel/kheaders.tar.xz (module must be loaded)
  - files, descriptors, pipes, and pcap used for tracing
- Logging?
  - extremely heavy use, as expected for tracing
- Environment variable usage?
  - mostly BPFTRACE_ variables
- Use of privileged functions?
  - ./src/attached_probe.cpp uses ioctl twice
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - yes, to load kheaders
    - temp path is predictable, `// already unpacked`
    - potentially, an unprivileged attacker could exploit this when a root user runs bpftrace and loads Kernel Headers
    - Resolved quickly by upstream! CVE-2024-2313
- Use of networking?
  - moderate use
  - potential danger for crafted input
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none, besides tests and scripts
- Any significant Coverity results?
  - appear to be false positives
- Any significant shellcheck results?
  - none, besides tests, scripts, and CI
- Any significant bandit results?
  - none

Running bpftrace without root privilege results in 'ERROR: bpftrace
currently only supports running as the root user.' :)

In most cases a bug in bpftrace will not cause a loss of security; root
already has complete control. Giving access to bpftrace to an
unprivileged user, telnet, etc would not be a vulnerability in bpftrace.
Running dangerous BPF code is not the fault of bpftrace. Attacks based
on parsing untrusted data, such as network traffic, are a threat. This
package is for performing inherently dangerous wizardry. This review
expects that developers will want to use these tools and that system
administrators will make wise choices.

Binaries from bpfcc-tools, libbpfcc, and bpftrace have redundant functions.
Please consider which binaries should be made default. In particular, most
bpftrace binaries are merely examples.

CONFIG_IKHEADERS=m is already available \o/

Recent breaking change to `args` in v19.0 (Noble has 20.1, Jammy has
14.0). https://github.com/bpftrace/bpftrace/pull/2578

In-code comments should be reviewed upstream: `// FIXME when iovisor/bcc#2064 is merged`
 - https://github.com/bpftrace/bpftrace/issues/3061

Upstream was extraordinarily quick at addressing a potential security issue
which was reported to them \o/
 - CVE-2024-2313

Security team ACK for promoting bpftrace to main.

** Changed in: bpftrace (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


[Bug 2052809] Re: [MIR] bpftrace

2024-03-15 Thread Mark Esler
Assigning to Security early, so that this is not blocked for 24.04.

After Feature Freeze, if the MIR Team has requirements for a package,
but is reasonably sure that the owning-team will accomplish them, please
assign MIRs to the Security team immediately.

** Changed in: bpftrace (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Bug watch added: github.com/bpftrace/bpftrace/issues #3061
   https://github.com/bpftrace/bpftrace/issues/3061

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2313


[Bug 2052813] Re: [MIR] bpfcc

2024-03-15 Thread Mark Esler
I reviewed bpfcc 0.29.1+ds-1ubuntu2 as checked into noble.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

- CVE History
  - no CVEs tracked in UCT, initially
  - searching for "bcc" CVEs finds false-positives
- Build-Depends
  - nothing concerning
- pre/post inst/rm scripts
  - typical dh_python3 for python3-bpfcc
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - numerous. +220.
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - some added
- cron jobs
  - none
- Build logs
  - hardening-no-pie is not a concern in this case
  - manual page warnings
  - W: libbpfcc: package-name-doesnt-match-sonames libbcc-bpf0 libbcc0

- Processes spawned
  - popen use looks okay
  - system("clear") is fine
  - memleak.c uses fork, etc
- Memory management
  - extremely heavy use
  - in context, I am not concerned with occult practices in this package
- File IO
  - heavy use
- Logging
  - extremely heavy use
- Environment variable usage
  - none
- Use of privileged functions
  - Security's MIR tooling finds many false-positives
  - vmlinux headers are fine
- Use of cryptography / random number sources etc
  - none
  - vmlinux*.h sets certificate configs
- Use of temp files
  - tmp race conditions possibly allow unauthenticated users to control unpacked kernel headers
    - Resolved quickly by upstream! CVE-2024-2314
    - see related issue in bpftrace MIR (LP#2052809)
- Use of networking
  - heavy use
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck and Coverity results
  - bugs found (memory leaks etc), but not concerned about these being vulnerabilities in context
  - parsing untrusted data (e.g., network traffic) could possibly lead to exploitation
  - coverity.txt attached
- Any significant shellcheck results
  - not concerning
- Any significant bandit results
  - none
  - subprocess calls cannot be controlled without root access
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
  - complaints about system() and strtok excused in context

There are 986,872 loc. Security's review is limited.

As with bpftrace, these are admin tools which require root access. It is
unlikely that most bugs in bpfcc would cause a loss of security and
become a vulnerability; root already has control. Parsing untrusted data
with a root process can lead to trouble. This review expects that
developers will want to use these tools and that system administrators
will make wise choices.

Some binaries do not work out of box. This needs testing. e.g.,
/usr/sbin/tcptop-bpfcc from bpfcc-tools does not work, but
/usr/sbin/tcptop from libbpfcc does.

Binaries from bpfcc-tools, libbpfcc, and bpftrace have redundant
functions. Please consider which binaries should be made default. In
particular, most bpftrace binaries are merely examples.

The bcc snap is published by Canonical and should be updated. See
./snap/README.md

Upstream was extraordinarily quick at addressing a potential security issue 
which was reported to them \o/
 - CVE-2024-2314

Security team ACK for promoting bpfcc to main. Note that Security's ACK
is for all packages generated by the bpfcc source package, the MIR
Team's ACK may only be for a subset of binary packages.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-2314

** Changed in: bpfcc (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


[Bug 2015538] Re: [MIR] dbus-broker

2024-03-14 Thread Mark Esler
@seb128, could you please review the recent discussion?


[Bug 2024284] Re: SEGV vulnerability in command-line parser

2024-03-11 Thread Mark Esler
Apologies for not responding earlier! This slipped through my emails.

> I know Canonical is also Root CNA, why are you redirecting to another
CNA?

Canonical is a CNA, not a Root CNA.

I don't see how an _unprivileged_ attacker could leverage this bug to be
a vulnerability. A clear proof of concept example would help demonstrate
that this bug can become an exploit.

Making issue public, since the GitHub issue is public
https://github.com/rwpenney/cryptmount/issues/1

** Bug watch added: github.com/rwpenney/cryptmount/issues #1
   https://github.com/rwpenney/cryptmount/issues/1

** Information type changed from Private Security to Public


[Bug 1231178] Re: Altec Lansing speakers remote control not working

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public


[Bug 927225] Re: Yukon Optima 88E8059 fails to come up as a network interface when system is powered on without AC or network cable

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public


[Bug 1884207] Re: Wifi Enterprice Login Page does not appear at connect

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public


[Bug 1696859] Re: package linux-image-4.10.0-22-generic (not installed) failed to install/upgrade: subprocess new pre-installation script returned error exit status 128

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public


[Bug 1919150] Re: My keyboard stop working

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public


[Bug 1904391] Re: Touchpad and Keyboard not detectable in the new kernel

2024-03-04 Thread Mark Esler
** Information type changed from Private Security to Public


[Bug 2051850] Re: [MIR] trace-cmd

2024-02-29 Thread Mark Esler
** Tags added: sec-3932


[Bug 2051916] Re: [MIR] promote libtraceevent as a trace-cmd dependency

2024-02-29 Thread Mark Esler
** Tags added: sec-3931


[Bug 2052813] Re: [MIR] bpfcc

2024-02-28 Thread Mark Esler
Some of the bpf tools do not work on mantic.

e.g. `/usr/sbin/tcptop-bpfcc` from `bpfcc-tools` does not work, but
`/usr/sbin/tcptop` from `libbpfcc` does (on mantic)

Kernel configs and pahole version used to build mantic's kernel should
be okay https://github.com/iovisor/bcc/tree/master/libbpf-tools ?


[Bug 2052652] Re: [MIR] gnome-snapshot

2024-02-28 Thread Mark Esler
** Changed in: gnome-snapshot (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Tags added: sec-3916


[Bug 2048781] Re: [MIR] authd

2024-02-28 Thread Mark Esler
A centralized vendor-linter is the best longterm option. Toolchains
needs more resources before they can provide a solution (FR-6859).


[Bug 2052813] Re: [MIR] bpfcc

2024-02-27 Thread Mark Esler
Máté, could you please see if the rationale can be broadened for FO147?

I suspect that libbpf-tools is also important.


[Bug 2052813] Re: [MIR] bpfcc

2024-02-27 Thread Mark Esler
Promoting bpfcc-tools and bpftrace is driving promotion of bpfcc based
on FO147.

Also, bpftrace's /usr/sbin/*.bt files re-implement bpfcc-tools with
bpftrace.

Assigning to Security for MIR, with root-use scope kept in mind. Only
code for libbpfcc and bpfcc-tools will be reviewed.

** Changed in: bpfcc (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)


[Bug 2052809] Re: [MIR] bpftrace

2024-02-26 Thread Mark Esler
** Tags added: sec-3898


[Bug 2052813] Re: [MIR] bpfcc

2024-02-26 Thread Mark Esler
** Tags added: sec-3897


[Bug 2048781] Re: [MIR] authd

2024-02-25 Thread Mark Esler
Thanks @didrocks!

I added a comment to the upstream cargo issue based on advice from
toolchains and ~Rust [0]. This issue is also raised in ubuntu-mir [1].

I'll mention this at the next MIR meeting.

[0] https://github.com/rust-lang/cargo/issues/11929#issuecomment-1960081509
[1] https://github.com/canonical/ubuntu-mir/issues/35
