[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

** Changed in: firefox (Ubuntu Precise)
       Status: Confirmed => Won't Fix

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1045986

Title:
  Ubuntu AppArmor policy is too lenient with shell scripts

Status in apparmor package in Ubuntu: Fix Released
Status in apport package in Ubuntu: Fix Released
Status in chromium-browser package in Ubuntu: Fix Released
Status in cups package in Ubuntu: Confirmed
Status in dhcp3 package in Ubuntu: Invalid
Status in firefox package in Ubuntu: Confirmed
Status in isc-dhcp package in Ubuntu: Fix Released
Status in apparmor source package in Lucid: Invalid
Status in apport source package in Lucid: Fix Released
Status in dhcp3 source package in Lucid: Fix Released
Status in isc-dhcp source package in Lucid: Invalid
Status in apparmor source package in Natty: Won't Fix
Status in apport source package in Natty: Won't Fix
Status in dhcp3 source package in Natty: Invalid
Status in isc-dhcp source package in Natty: Fix Released
Status in apparmor source package in Oneiric: Fix Released
Status in apport source package in Oneiric: Fix Released
Status in dhcp3 source package in Oneiric: Invalid
Status in isc-dhcp source package in Oneiric: Fix Released
Status in apparmor source package in Precise: Fix Released
Status in apport source package in Precise: Fix Released
Status in chromium-browser source package in Precise: Fix Released
Status in cups source package in Precise: Won't Fix
Status in dhcp3 source package in Precise: Invalid
Status in firefox source package in Precise: Won't Fix
Status in isc-dhcp source package in Precise: Fix Released
Status in apparmor source package in Quantal: Fix Released
Status in apport source package in Quantal: Fix Released
Status in chromium-browser source package in Quantal: Fix Released
Status in cups source package in Quantal: Won't Fix
Status in dhcp3 source package in Quantal: Invalid
Status in firefox source package in Quantal: Won't Fix
Status in isc-dhcp source package in Quantal: Fix Released

Bug description:
  Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu:
  http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html

  This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts. Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH.

  The good news is that environment filtering is on the AppArmor roadmap, and it is something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
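An added example, not part of the bug report or of any Ubuntu package: a POSIX shell audit for the second mitigation named in the bug description, helper scripts that set their own PATH. The function names, the sample scripts and the rule "PATH must be the first statement and contain only literal absolute directories" are assumptions made for this sketch.

```sh
#!/bin/sh
# Audit helper scripts for an explicitly pinned PATH (illustrative check only).

# first_statement FILE: first line that is not blank, a comment or the shebang.
first_statement() {
    sed -e 's/^[[:space:]]*//' -e '/^$/d' -e '/^#/d' "$1" | head -n 1
}

# path_value LINE: print the value assigned to PATH; fail if LINE assigns nothing to PATH.
path_value() {
    case $1 in
        "export PATH="*) v=${1#export PATH=} ;;
        PATH=*)          v=${1#PATH=} ;;
        *)               return 1 ;;
    esac
    v=${v%%;*}                          # drop a trailing "; export PATH"
    v=${v%"${v##*[![:space:]]}"}        # trim trailing whitespace
    case $v in                          # strip one layer of matching quotes
        \"*\") v=${v#\"}; v=${v%\"} ;;
        \'*\') v=${v#\'}; v=${v%\'} ;;
    esac
    printf '%s\n' "$v"
}

# all_absolute VALUE: succeed only if every colon-separated entry is a literal
# absolute directory. Expansions such as $PATH would re-import the inherited
# value, and an empty entry means "current directory".
all_absolute() {
    case $1 in
        ""|*'$'*|*'`'*|*[[:space:]]*|*:) return 1 ;;
    esac
    case ":$1" in
        *:[!/]*) return 1 ;;            # an entry that does not start with /
    esac
    return 0
}

# path_is_pinned FILE: return 0 if FILE pins PATH before running anything else.
path_is_pinned() {
    stmt=$(first_statement "$1") || return 1
    val=$(path_value "$stmt") || return 1
    all_absolute "$val"
}

# audit FILE...: report each file; return 1 if any file is not pinned.
audit() {
    rc=0
    for f in "$@"; do
        if path_is_pinned "$f"; then
            echo "pinned    $f"
        else
            echo "UNPINNED  $f"
            rc=1
        fi
    done
    return $rc
}

# write_samples DIR: constructed sample helpers, one per case the audit separates.
write_samples() {
    printf '%s\n' '#!/bin/sh' 'PATH=/usr/sbin:/usr/bin:/sbin:/bin' 'export PATH' \
        'sed -n 1p "$1"' > "$1/pinned.sh"
    printf '%s\n' '#!/bin/sh' '# no PATH assignment at all' \
        'sed -n 1p "$1"' > "$1/inherits.sh"
    printf '%s\n' '#!/bin/sh' 'PATH=/usr/bin:$PATH' \
        'sed -n 1p "$1"' > "$1/appends.sh"
    printf '%s\n' '#!/bin/sh' 'cd /' 'PATH=/usr/bin:/bin' \
        'sed -n 1p "$1"' > "$1/late.sh"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit "$demo_dir"/* || echo "at least one helper still depends on the inherited PATH"
rm -rf "$demo_dir"
```

The check is deliberately strict and only inspects the first statement, so a script that pins PATH later, or through a sourced file, is reported for manual review.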
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

** Changed in: cups (Ubuntu Precise)
       Status: Confirmed => Won't Fix
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: cups (Ubuntu Quantal)
       Status: Confirmed => Won't Fix

** Changed in: firefox (Ubuntu Quantal)
       Status: Confirmed => Won't Fix
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:~kees/apparmor/debian
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package chromium-browser - 28.0.1500.52-0ubuntu1.13.04.2

---
chromium-browser (28.0.1500.52-0ubuntu1.13.04.2) raring-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches, safe-browsing-sigbus.patch
    dont-assume-cross-compile-on-arm.patch struct-siginfo.patch
    ld-memory-32bit.patch dlopen_sonamed_gl.patch
  * Temporarily disable webapps patches.
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer. Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit
    machines. Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries
    work with chromium-browser. The default security policy might be worse.
    Bundled libraries is less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time
    checks for hardware capability, but even if it doesn't we can add it
    later.
  * Clean up difference checks in debian/rules that make sure that all
    files that the build makes are used in packages, and no longer hide
    any, and no longer consider it an error if some are unused. Treat it as
    a warning, not a fatality.
  * Use legible shell instead of make-generated shell in setting the rpath
    in rules.
  * Add new build-dep, "chrpath".

  [Chris Coulson]
  * debian/rules: Disable tcmalloc on all component builds, not just on arm
    builds.

chromium-browser (26.0.1410.63-0ubuntu2.13.04.2) raring-security; urgency=low

  * Work around SEGV on ARMHF that's caused by tcmalloc.

chromium-browser (26.0.1410.63-0ubuntu2.13.04.1) raring-security; urgency=low

  * Work around missing AppArmor feature. Set environment explicitly to
    disallow breaking out of apparmor protection. (LP: #1045986)
  * Use more system libraries, libxml, libjpeg, bzip2, libxslt, flac,
    libevent, protobuf, speex, xdg_utils, yasm, but not a few others -- in
    particular,
    - libpng causes render hangs,
    - sqlite causes link failures.
    Updating debian/rules, and dropping the removed ones from
    debian/control .
  * debian/rules:
    - Use actual original upstream tarball. No SVN snapshots, no gclient.
    - Rip out compiler-targeting. All versions should work.
    - Always use sandbox. It shouldn't be an option. Nothing works without
      it any more.
  * Drop build-dep on subversion. Not required with pristine orig.tar
    get-original-source.
  * Simplify debian/rules and use the built-in parameter for telling GYP
    config to include debug symbols.
  * Include upstream patch debian/patches/ld-memory-32bit.patch that makes
    32 bit machines more likely to use BDF linker and include parameters
    that make it more memory efficient.
  * GCC doesn't allow -Wno-format with hardening -Werror=format-security .
    Add debian/patches/format-flag.patch .
  * Since we're Depending on xdg-settings, don't try to install one from
    upstream. Change debian/chromium-browser.install .
  * Invert sense of a quantal+ test so that we don't have to track thin
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package chromium-browser - 28.0.1500.52-0ubuntu1.12.04.2

---
chromium-browser (28.0.1500.52-0ubuntu1.12.04.2) precise-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches, safe-browsing-sigbus.patch
    dont-assume-cross-compile-on-arm.patch struct-siginfo.patch
    ld-memory-32bit.patch dlopen_sonamed_gl.patch
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer. Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit
    machines. Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries
    work with chromium-browser. The default security policy might be worse.
    Bundled libraries is less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time
    checks for hardware capability, but even if it doesn't we can add it
    later.
  * Clean up difference checks in debian/rules that make sure that all
    files that the build makes are used in packages, and no longer hide
    any, and no longer consider it an error if some are unused. Treat it as
    a warning, not a fatality.
  * Use legible shell instead of make-generated shell in setting the rpath
    in rules.
  * Add new build-dep, "chrpath".

  [Chris Coulson]
  * debian/rules: Disable tcmalloc on all component builds, not just on arm
    builds.

chromium-browser (26.0.1410.63-0ubuntu0.12.04.3) precise-security; urgency=low

  * Work around SEGV on ARMHF that's caused by tcmalloc.

chromium-browser (26.0.1410.63-0ubuntu0.12.04.2) precise-security; urgency=low

  * Work around missing AppArmor feature. Set environment explicitly to
    disallow breaking out of apparmor protection. (LP: #1045986)
  * Use more system libraries, libxml, libjpeg, bzip2, libxslt, flac,
    libevent, protobuf, speex, xdg_utils, yasm, but not a few others -- in
    particular,
    - libpng causes render hangs,
    - sqlite causes link failures.
    Updating debian/rules, and dropping the removed ones from
    debian/control .
  * debian/rules:
    - Use actual original upstream tarball. No SVN snapshots, no gclient.
    - Rip out compiler-targeting. All versions should work.
    - Always use sandbox. It shouldn't be an option. Nothing works without
      it any more.
  * Drop build-dep on subversion. Not required with pristine orig.tar
    get-original-source.
  * Simplify debian/rules and use the built-in parameter for telling GYP
    config to include debug symbols.
  * Include upstream patch debian/patches/ld-memory-32bit.patch that makes
    32 bit machines more likely to use BDF linker and include parameters
    that make it more memory efficient.
  * GCC doesn't allow -Wno-format with hardening -Werror=format-security .
    Add debian/patches/format-flag.patch .
  * Since we're Depending on xdg-settings, don't try to install one from
    upstream. Change debian/chromium-browser.install .
  * Invert sense of a quantal+ test so that we don't have to track things
    forever. Name things we know a
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package chromium-browser - 28.0.1500.52-0ubuntu1.12.10.2

---
chromium-browser (28.0.1500.52-0ubuntu1.12.10.2) quantal-security; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches, safe-browsing-sigbus.patch
    dont-assume-cross-compile-on-arm.patch struct-siginfo.patch
    ld-memory-32bit.patch dlopen_sonamed_gl.patch
  * Temporarily disable webapps patches.
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer. Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit
    machines. Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries
    work with chromium-browser. The default security policy might be worse.
    Bundled libraries is less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time
    checks for hardware capability, but even if it doesn't we can add it
    later.
  * Clean up difference checks in debian/rules that make sure that all
    files that the build makes are used in packages, and no longer hide
    any, and no longer consider it an error if some are unused. Treat it as
    a warning, not a fatality.
  * Use legible shell instead of make-generated shell in setting the rpath
    in rules.
  * Add new build-dep, "chrpath".

  [Chris Coulson]
  * debian/rules: Disable tcmalloc on all component builds, not just on arm
    builds.

chromium-browser (26.0.1410.63-0ubuntu0.12.10.3) quantal-security; urgency=low

  * Work around SEGV on ARMHF that's caused by tcmalloc.

chromium-browser (26.0.1410.63-0ubuntu0.12.10.2) quantal-security; urgency=low

  * Work around missing AppArmor feature. Set environment explicitly to
    disallow breaking out of apparmor protection. (LP: #1045986)
  * Use more system libraries, libxml, libjpeg, bzip2, libxslt, flac,
    libevent, protobuf, speex, xdg_utils, yasm, but not a few others -- in
    particular,
    - libpng causes render hangs,
    - sqlite causes link failures.
    Updating debian/rules, and dropping the removed ones from
    debian/control .
  * debian/rules:
    - Use actual original upstream tarball. No SVN snapshots, no gclient.
    - Rip out compiler-targeting. All versions should work.
    - Always use sandbox. It shouldn't be an option. Nothing works without
      it any more.
  * Drop build-dep on subversion. Not required with pristine orig.tar
    get-original-source.
  * Simplify debian/rules and use the built-in parameter for telling GYP
    config to include debug symbols.
  * Include upstream patch debian/patches/ld-memory-32bit.patch that makes
    32 bit machines more likely to use BDF linker and include parameters
    that make it more memory efficient.
  * GCC doesn't allow -Wno-format with hardening -Werror=format-security .
    Add debian/patches/format-flag.patch .
  * Since we're Depending on xdg-settings, don't try to install one from
    upstream. Change debian/chromium-browser.install .
  * Invert sense of a quantal+ test so that we don't have to track t
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
(Untargeting old EOLd releases)

** No longer affects: chromium-browser (Ubuntu Lucid)
** No longer affects: chromium-browser (Ubuntu Natty)
** No longer affects: chromium-browser (Ubuntu Oneiric)
** No longer affects: cups (Ubuntu Lucid)
** No longer affects: cups (Ubuntu Natty)
** No longer affects: cups (Ubuntu Oneiric)
** No longer affects: firefox (Ubuntu Lucid)
** No longer affects: firefox (Ubuntu Natty)
** No longer affects: firefox (Ubuntu Oneiric)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:~smoser/ubuntu/precise/isc-dhcp/precise-updates.dist

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1045986

Title:
  Ubuntu AppArmor policy is too lenient with shell scripts

Status in “apparmor” package in Ubuntu: Fix Released
Status in “apport” package in Ubuntu: Fix Released
Status in “chromium-browser” package in Ubuntu: Fix Committed
Status in “cups” package in Ubuntu: Confirmed
Status in “dhcp3” package in Ubuntu: Invalid
Status in “firefox” package in Ubuntu: Confirmed
Status in “isc-dhcp” package in Ubuntu: Fix Released
Status in “apparmor” source package in Lucid: Invalid
Status in “apport” source package in Lucid: Fix Released
Status in “chromium-browser” source package in Lucid: Confirmed
Status in “cups” source package in Lucid: Confirmed
Status in “dhcp3” source package in Lucid: Fix Released
Status in “firefox” source package in Lucid: Confirmed
Status in “isc-dhcp” source package in Lucid: Invalid
Status in “apparmor” source package in Natty: Won't Fix
Status in “apport” source package in Natty: Won't Fix
Status in “chromium-browser” source package in Natty: Won't Fix
Status in “cups” source package in Natty: Won't Fix
Status in “dhcp3” source package in Natty: Invalid
Status in “firefox” source package in Natty: Won't Fix
Status in “isc-dhcp” source package in Natty: Fix Released
Status in “apparmor” source package in Oneiric: Fix Released
Status in “apport” source package in Oneiric: Fix Released
Status in “chromium-browser” source package in Oneiric: Confirmed
Status in “cups” source package in Oneiric: Confirmed
Status in “dhcp3” source package in Oneiric: Invalid
Status in “firefox” source package in Oneiric: Confirmed
Status in “isc-dhcp” source package in Oneiric: Fix Released
Status in “apparmor” source package in Precise: Fix Released
Status in “apport” source package in Precise: Fix Released
Status in “chromium-browser” source package in Precise: Confirmed
Status in “cups” source package in Precise: Confirmed
Status in “dhcp3” source package in Precise: Invalid
Status in “firefox” source package in Precise: Confirmed
Status in “isc-dhcp” source package in Precise: Fix Released
Status in “apparmor” source package in Quantal: Fix Released
Status in “apport” source package in Quantal: Fix Released
Status in “chromium-browser” source package in Quantal: Confirmed
Status in “cups” source package in Quantal: Confirmed
Status in “dhcp3” source package in Quantal: Invalid
Status in “firefox” source package in Quantal: Confirmed
Status in “isc-dhcp” source package in Quantal: Fix Released

Bug description:
  Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu:
  http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html

  This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts.

  Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH.

  The good news is that environment filtering is on the AppArmor roadmap, and it is something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
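Added example, not part of the bug report or of any Ubuntu package: one way to find the shell scripts the description's second workaround applies to, by listing the exec targets a profile runs via an unconfined (`ux`/`Ux`) rule or a `-> sanitized_helper` transition and flagging those that are shell scripts which do not set PATH themselves before their first command. The profile fragment, helper names and function names are constructed for illustration, and only literal (non-glob) rule paths are handled.

```shell
#!/bin/sh
# Audit sketch: which helper scripts reached through Ux / sanitized_helper
# still rely on the PATH inherited from the confined caller?

# Print the literal paths of rules whose exec mode ends in ux/Ux, or that
# transition to the sanitized_helper profile.
exec_targets() {
    awk '
        /^[ \t]*#/ { next }                      # profile comments
        {
            sub(/,[ \t]*$/, "")                  # drop the trailing comma
            if ($1 !~ /^\//) next                # not a path rule
            if (index($1, "*") || index($1, "?") ||
                index($1, "{") || index($1, "[")) next   # globs: out of scope
            if ($2 ~ /[uU]x$/ || ($3 == "->" && $4 == "sanitized_helper"))
                print $1
        }' "$1"
}

# True when the first line is a sh/bash/dash/ksh shebang.
is_shell_script() {
    head -n 1 "$1" | grep -Eq '^#! ?/(usr/)?bin/(env +)?(ba|da|k)?sh( |$)'
}

# True when PATH is assigned a fixed value before any command is run.
pins_path() {
    awk '
        BEGIN { rc = 1 }
        /^[ \t]*(#|$)/    { next }               # comments and blank lines
        /^[ \t]*set[ \t]/ { next }               # builtin, no PATH lookup
        /^[ \t]*(export[ \t]+)?PATH=/ {
            # PATH=$PATH:... keeps the entries supplied by the caller
            if (!index($0, "$PATH") && !index($0, "${PATH")) rc = 0
            exit
        }
        { exit }                                 # a command ran first
        END { exit rc }
    ' "$1"
}

# audit_profile PROFILE FSROOT: print exec targets that are shell scripts
# without a fixed PATH. FSROOT is "" on a live system.
audit_profile() {
    prof=$1
    fsroot=$2
    exec_targets "$prof" | while IFS= read -r path; do
        f=$fsroot$path
        [ -f "$f" ] || continue
        is_shell_script "$f" || continue
        pins_path "$f" || printf '%s\n' "$path"
    done
}

# Constructed sample: a profile fragment and five helpers in a temp tree.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/bin"
    printf '%s\n' '#!/bin/sh' 'grep -q x /etc/hostname' \
        > "$tmp/usr/bin/helper-unpinned"
    printf '%s\n' '#!/bin/sh' '# fixed search path' \
        'PATH=/usr/sbin:/usr/bin:/sbin:/bin' 'export PATH' \
        'grep -q x /etc/hostname' > "$tmp/usr/bin/helper-pinned"
    printf '%s\n' '#!/bin/sh' 'PATH=$HOME/bin:$PATH' \
        'grep -q x /etc/hostname' > "$tmp/usr/bin/helper-appends"
    printf 'ELF' > "$tmp/usr/bin/helper-binary"
    printf '%s\n' '#!/bin/sh' 'grep -q x /etc/hostname' \
        > "$tmp/usr/bin/helper-confined"
    cat > "$tmp/profile" <<'EOF'
# constructed profile fragment
/usr/bin/example-app {
  /usr/bin/helper-unpinned Ux,
  /usr/bin/helper-pinned Ux,
  /usr/bin/helper-appends Cx -> sanitized_helper,
  /usr/bin/helper-binary Ux,
  /usr/bin/helper-confined ix,
}
EOF
    audit_profile "$tmp/profile" "$tmp"
    rm -rf "$tmp"
}

demo
```

The `ix` helper is not reported because it keeps running under the caller's profile; the two reported scripts are the ones to either give an explicit PATH or stop running through Ux or the helper profile.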
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: chromium-browser (Ubuntu) Status: Confirmed => Fix Committed
** Changed in: chromium-browser (Ubuntu) Assignee: (unassigned) => Chad Miller (cmiller)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: apparmor (Ubuntu Lucid) Status: Incomplete => Invalid
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: apparmor (Ubuntu Lucid) Status: Invalid => Incomplete
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:~smoser/ubuntu/raring/isc-dhcp/nouid
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
The update for this bug was included in an update to precise-security. I tested that 2.0.1-0ubuntu17.1 contains the fix for this bug and that 2.0.1-0ubuntu17.1 passes QRT. Marking 'verification-done'.
** Tags removed: verification-needed
** Tags added: verification-done
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
Hello Jamie, or anyone else affected, Accepted apport into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!
** Tags added: verification-needed
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:ubuntu/oneiric-updates/apparmor
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:ubuntu/precise-security/apparmor
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apparmor - 2.7.0~beta1+bzr1774-1ubuntu2.2

---
apparmor (2.7.0~beta1+bzr1774-1ubuntu2.2) oneiric-security; urgency=low

  * debian/patches/0001-add-chromium-browser.patch:
    - add various accesses for newer chromium versions (LP: #1091862)
    - add a child profile for xdgsettings (LP: #1045986)
  * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags
 -- Jamie Strandboge  Tue, 18 Dec 2012 11:53:38 -0600
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apparmor - 2.7.102-0ubuntu3.7

---
apparmor (2.7.102-0ubuntu3.7) precise-security; urgency=low

  * debian/patches/0001-add-chromium-browser.patch:
    - add access for newer versions of chromium (LP: #1091862)
    - add a child profile for xdgsettings (LP: #1045986)
  * debian/patches/0021-fix-racy-onexec-test.patch: fix race in onexec.sh kernel regression test
 -- Jamie Strandboge  Wed, 19 Dec 2012 07:51:38 -0600

** Changed in: apparmor (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** Changed in: apparmor (Ubuntu Oneiric)
       Status: Fix Committed => Fix Released
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: apparmor (Ubuntu Oneiric)
       Status: Triaged => Fix Committed

** Changed in: apparmor (Ubuntu Oneiric)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor (Ubuntu Precise)
       Status: Triaged => Fix Committed

** Changed in: apparmor (Ubuntu Precise)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:~ubuntu-core-dev/ubuntu/precise/apport/ubuntu
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3570

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3571

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3954

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3955
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apport - 2.0.1-0ubuntu15.1

---
apport (2.0.1-0ubuntu15.1) precise-security; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset ENV and CDPATH. We need to do this so that confined applications using ubuntu-browsers.d/ubuntu-integration cannot abuse the environment to escape AppArmor confinement via this script (LP: #1045986).
 -- Jamie Strandboge  Mon, 17 Dec 2012 13:33:42 -0600

** Changed in: apport (Ubuntu Lucid)
       Status: Fix Committed => Fix Released
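The hardening named in the apport changelog above, as an added example rather than the apport-bug source: a preamble for a helper script that a confined application is allowed to run. The function names `read_supath` and `sanitize_env`, the validation rules and the fallback value are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not the apport source). A helper script that a confined
# program may execute inherits that program's environment, so the script
# resets the search path itself before it runs any external command.

# Fallback when login.defs has no usable ENV_SUPATH (assumed default value).
DEFAULT_SUPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# read_supath FILE
# Print the ENV_SUPATH value from FILE with its "PATH=" prefix removed.
# Only shell builtins are used, so nothing here is resolved through the
# still-untrusted PATH.
read_supath() {
    supath=
    if [ -r "$1" ]; then
        # "|| [ -n "$key" ]" keeps a final line that lacks a newline.
        while read -r key value _rest || [ -n "$key" ]; do
            case $key in
                ENV_SUPATH) supath=${value#PATH=} ;;
            esac
        done < "$1"
    fi
    # Reject an empty value, any relative element and any empty element
    # (an empty element means "current directory").
    case $supath in
        ''|[!/]*|*:[!/]*|*:) supath=$DEFAULT_SUPATH ;;
    esac
    printf '%s\n' "$supath"
}

# sanitize_env [FILE]
# Replace PATH with the administrator-defined value and drop ENV and CDPATH.
# ENV names a file some shells read at startup; CDPATH changes where `cd`
# resolves relative directory names.
sanitize_env() {
    PATH=$(read_supath "${1:-/etc/login.defs}")
    export PATH
    unset ENV CDPATH
}

# In a real helper, call sanitize_env as the first statement of the script,
# before any command that is looked up through PATH.
```

The reset only protects commands the script runs after it; variables that affect the interpreter before the first line executes are outside what a preamble like this can fix, which is why the bug description treats it as a stopgap until AppArmor filters the environment itself.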
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apport - 1.13.3-0ubuntu2.2

---
apport (1.13.3-0ubuntu2.2) lucid-security; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset ENV and CDPATH. We need to do this so that confined applications which use apport-bug cannot abuse the environment to escape AppArmor confinement via this script (LP: #1045986).
 -- Jamie Strandboge  Wed, 05 Sep 2012 13:43:36 -0500
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apport - 1.23-0ubuntu4.1

---
apport (1.23-0ubuntu4.1) oneiric-security; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in
    /etc/login.defs and unset ENV and CDPATH. We need to do this so that
    confined applications using ubuntu-browsers.d/ubuntu-integration
    cannot abuse the environment to escape AppArmor confinement via this
    script (LP: #1045986).

 -- Jamie Strandboge  Wed, 05 Sep 2012 13:41:45 -0500

** Changed in: apport (Ubuntu Oneiric) Status: Fix Committed => Fix Released
** Changed in: apport (Ubuntu Precise) Status: Fix Committed => Fix Released

Bug description:
  Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu:
  http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html

  This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts. Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH.

  The good news is that environment filtering is on the AppArmor roadmap, and it is something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work.
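The hardening described in the changelog entry above (a fixed PATH taken from ENV_SUPATH in /etc/login.defs, with ENV and CDPATH unset) can be sketched as a script preamble; this is an added example, not the code shipped in apport or dhclient-script. Assumptions: the function names are hypothetical, ENV_SUPATH is read at run time with a hard-coded fallback, and BASH_ENV and IFS are added to the variables that are cleared.

```shell
#!/bin/sh
# Added example (not the Ubuntu patch): environment hardening at the top of a
# helper script that a confined program is allowed to run unconfined.

# The value Ubuntu ships for ENV_SUPATH; used when login.defs is unusable.
DEFAULT_SUPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Print the PATH value of the ENV_SUPATH line in a login.defs-style file.
# Shell builtins only: the inherited PATH is not trusted at this point.
read_supath() {
    rs_found=
    [ -r "$1" ] || return 1
    while read -r rs_key rs_val || [ -n "$rs_key" ]; do
        case $rs_key in
            ENV_SUPATH) rs_found=${rs_val#PATH=} ;;
        esac
    done < "$1"
    [ -n "$rs_found" ] || return 1
    printf '%s\n' "$rs_found"
}

# Succeed only if every PATH component is a non-empty absolute path, so an
# empty entry or "." (both meaning the current directory) is rejected.
path_is_absolute() {
    pa_rest=$1:
    [ "$pa_rest" != ":" ] || return 1
    while [ -n "$pa_rest" ]; do
        pa_dir=${pa_rest%%:*}
        pa_rest=${pa_rest#*:}
        case $pa_dir in
            /*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Replace the inherited PATH and drop variables that change how the shell
# starts up or resolves names. Optional $1: login.defs location.
sanitize_env() {
    se_defs=${1:-/etc/login.defs}
    unset IFS
    se_path=$(read_supath "$se_defs") || se_path=$DEFAULT_SUPATH
    path_is_absolute "$se_path" || se_path=$DEFAULT_SUPATH
    PATH=$se_path
    export PATH
    unset ENV BASH_ENV CDPATH
}

# Print the directory a command name resolves to under the current PATH.
helper_dir() {
    hd_path=$(command -v "$1") || return 1
    printf '%s\n' "${hd_path%/*}"
}

# Constructed fixture: a login.defs fragment plus a writable directory that
# holds a stand-in named like a real helper and is placed first in PATH.
demo() {
    d_tmp=$(mktemp -d) || return 1
    printf 'ENV_SUPATH\tPATH=/usr/sbin:/usr/bin:/sbin:/bin\n' > "$d_tmp/login.defs"
    printf '#!/bin/sh\necho stand-in\n' > "$d_tmp/cat"
    chmod +x "$d_tmp/cat"
    PATH=$d_tmp:$PATH
    ENV=$d_tmp/rc CDPATH=$d_tmp
    export PATH ENV CDPATH
    echo "inherited: cat resolves in $(helper_dir cat)"
    sanitize_env "$d_tmp/login.defs"
    echo "sanitized: cat resolves in $(helper_dir cat), PATH=$PATH"
    rm -rf "$d_tmp"
}

( demo )
```

A script hardened this way calls `sanitize_env` before its first external command, since anything run earlier is still resolved through the inherited PATH.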
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: apparmor (Ubuntu Natty) Status: Triaged => Won't Fix
** Changed in: apport (Ubuntu Natty) Status: Fix Committed => Won't Fix
** Changed in: chromium-browser (Ubuntu Natty) Status: Confirmed => Won't Fix
** Changed in: cups (Ubuntu Natty) Status: Confirmed => Won't Fix
** Changed in: firefox (Ubuntu Natty) Status: Confirmed => Won't Fix
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: cups (Ubuntu Lucid) Assignee: Rev. Wm. DOC Holliday (r37u2a49ci) => (unassigned)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: cups (Ubuntu Lucid) Assignee: (unassigned) => Rev. Wm. DOC Holliday (r37u2a49ci)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:ubuntu/lucid-security/dhcp3
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package dhcp3 - 3.1.3-2ubuntu3.4

---
dhcp3 (3.1.3-2ubuntu3.4) lucid-security; urgency=low

  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We
    need to do this so /sbin/dhclient cannot abuse the environment to
    escape AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.udeb or debian/dhclient-script.kfreebsd since
    AppArmor isn't used in these environments.
    - LP: #1045986
  * debian/patches/adjust-configure-for-linux3.dpatch: default to
    linux-2.2 for 3.0+ kernels

 -- Jamie Strandboge  Wed, 05 Sep 2012 10:58:55 -0500
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package isc-dhcp - 4.1.ESV-R4-0ubuntu5.5

---
isc-dhcp (4.1.ESV-R4-0ubuntu5.5) precise-security; urgency=low

  [ Jamie Strandboge ]
  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We
    need to do this so /sbin/dhclient cannot abuse the environment to
    escape AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via ipv6 lease expiration time
    reduction
    - debian/patches/CVE-2012-3955.patch: properly handle time reduction
      in server/dhcpv6.c, server/mdb6.c.
    - CVE-2012-3955

 -- Marc Deslauriers  Fri, 14 Sep 2012 12:58:33 -0400

** Changed in: isc-dhcp (Ubuntu Natty) Status: Fix Committed => Fix Released
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package isc-dhcp - 4.1.1-P1-15ubuntu9.6

---
isc-dhcp (4.1.1-P1-15ubuntu9.6) natty-security; urgency=low

  [ Jamie Strandboge ]
  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We
    need to do this so /sbin/dhclient cannot abuse the environment to
    escape AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via ipv6 lease expiration time
    reduction
    - debian/patches/CVE-2012-3955.patch: properly handle time reduction
      in server/dhcpv6.c, server/mdb6.c.
    - CVE-2012-3955

 -- Marc Deslauriers  Fri, 14 Sep 2012 13:04:46 -0400

** Changed in: dhcp3 (Ubuntu Lucid) Status: Fix Committed => Fix Released
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package isc-dhcp - 4.1.1-P1-17ubuntu10.5

---
isc-dhcp (4.1.1-P1-17ubuntu10.5) oneiric-security; urgency=low

  [ Jamie Strandboge ]
  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We
    need to do this so /sbin/dhclient cannot abuse the environment to
    escape AppArmor confinement via this script. Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via ipv6 lease expiration time
    reduction
    - debian/patches/CVE-2012-3955.patch: properly handle time reduction
      in server/dhcpv6.c, server/mdb6.c.
    - CVE-2012-3955

 -- Marc Deslauriers  Fri, 14 Sep 2012 13:02:05 -0400

** Changed in: isc-dhcp (Ubuntu Oneiric) Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3955
** Changed in: isc-dhcp (Ubuntu Precise) Status: Fix Committed => Fix Released
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:ubuntu/apparmor
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apparmor - 2.8.0-0ubuntu3

---
apparmor (2.8.0-0ubuntu3) quantal; urgency=low

  * remove 0010-lp972367.patch and 0012-lp964510.patch which should have been
    dropped in 2.8.0-0ubuntu1 since they are included upstream
  * debian/patches/0001-add-chromium-browser.patch:
    - add a couple of small accesses
    - add a child profile for xdgsettings (LP: #1045986)

 -- Jamie Strandboge  Mon, 17 Sep 2012 08:26:46 -0500

** Changed in: apparmor (Ubuntu Quantal)
       Status: In Progress => Fix Released
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: apparmor (Ubuntu Quantal)
       Status: Triaged => In Progress

** Changed in: apparmor (Ubuntu Quantal)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package isc-dhcp - 4.2.4-1ubuntu7

---
isc-dhcp (4.2.4-1ubuntu7) quantal-proposed; urgency=low

  * debian/dhclient-script.linux: Explicitly set the PATH to that of
    ENV_SUPATH in /etc/login.defs and unset various other variables. We need
    to do this so /sbin/dhclient cannot abuse the environment to escape
    AppArmor confinement via this script. This can be removed once AppArmor
    supports environment filtering (LP: 1045985). Don't worry about
    debian/dhclient-script.linux.udeb or debian/dhclient-script.kfreebsd*
    since AppArmor isn't used in these environments.
    - LP: #1045986

isc-dhcp (4.2.4-1ubuntu6) quantal-proposed; urgency=low

  * SECURITY UPDATE: denial of service via unexpected client identifiers
    - debian/patches/CVE-2012-3570.patch: validate MAC length in
      includes/dhcpd.h, server/dhcpv6.c.
    - CVE-2012-3570
  * SECURITY UPDATE: denial of service via malformed client identifiers
    - debian/patches/CVE-2012-3571.patch: validate packets in
      common/options.c, includes/dhcpd.h.
    - CVE-2012-3571
  * SECURITY UPDATE: denial of service via memory leaks
    - debian/patches/CVE-2012-3954.patch: properly manage memory in
      common/options.c and server/dhcpv6.c.
    - CVE-2012-3954

 -- Jamie Strandboge  Wed, 05 Sep 2012 08:59:49 -0500
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
This bug was fixed in the package apport - 2.5.1-0ubuntu7

---
apport (2.5.1-0ubuntu7) quantal-proposed; urgency=low

  * bin/apport-bug: Explicitly set the PATH to that of ENV_SUPATH in
    /etc/login.defs and unset ENV and CDPATH. We need to do this so that
    confined applications using ubuntu-browsers.d/ubuntu-integration cannot
    abuse the environment to escape AppArmor confinement via this script
    (LP: #1045986). This can be removed once AppArmor supports environment
    filtering (LP: 1045985)

apport (2.5.1-0ubuntu6) quantal; urgency=low

  * data/general/ubuntu.py: handle the case where a log file is compressed
    when reviewing package installation failures (LP: #917903)

apport (2.5.1-0ubuntu5) quantal; urgency=low

  * Use Python string rather than QString, LP: #1028984

 -- Jamie Strandboge  Wed, 05 Sep 2012 08:38:23 -0500

** Changed in: apport (Ubuntu Quantal)
       Status: Fix Committed => Fix Released

** Changed in: isc-dhcp (Ubuntu Quantal)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3570

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3571

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3954
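The apport and isc-dhcp changelog entries above describe the same mitigation: the helper script resets PATH to the ENV_SUPATH value and unsets ENV and CDPATH before it does anything else. A sketch of such a preamble with checks that it holds, as an added example (not the code shipped in apport or isc-dhcp); SAFE_PATH is assumed to match the stock Ubuntu ENV_SUPATH line, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; not the apport or isc-dhcp patch. Function names are hypothetical.

# Assumption: this matches the stock ENV_SUPATH line in Ubuntu's /etc/login.defs.
SAFE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Preamble for a script reached through an unconfined (Ux) transition.
# It must run before the first external command, and it uses only shell
# builtins, so nothing is looked up through the inherited PATH.
harden_env() {
    PATH=$SAFE_PATH
    export PATH
    # ENV names a file that sh reads when an interactive shell starts;
    # CDPATH changes which directory a relative "cd" lands in.
    unset ENV CDPATH
}

# Where would the shell find command $1 once the preamble has run?
# Runs in a subshell so the caller's environment is left untouched.
resolve_hardened() {
    ( harden_env; command -v "$1" )
}

# Print the ENV_SUPATH value from a login.defs-style file ($1).
login_defs_supath() {
    sed -n 's/^ENV_SUPATH[[:space:]]\{1,\}PATH=//p' "$1" | head -n 1
}

# Packaging-time drift check: succeeds only if the hard-coded SAFE_PATH
# equals the ENV_SUPATH value in the given file.
safe_path_matches() {
    [ "$(login_defs_supath "$1")" = "$SAFE_PATH" ]
}

# Stand-alone demo: sh thisfile demo
if [ "${1:-}" = demo ]; then
    printf 'ls resolves to: %s\n' "$(resolve_hardened ls)"
fi
```

The preamble takes effect only once the interpreter is already executing the script; the bug description treats it as a stopgap until AppArmor supports environment filtering.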
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:ubuntu/quantal-proposed/apport
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Branch linked: lp:ubuntu/quantal-proposed/isc-dhcp
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
apport has been uploaded to the security PPA.

** Changed in: apport (Ubuntu Quantal)
       Status: In Progress => Fix Committed

** Changed in: apport (Ubuntu Lucid)
       Status: In Progress => Fix Committed

** Changed in: apport (Ubuntu Natty)
       Status: In Progress => Fix Committed

** Changed in: apport (Ubuntu Oneiric)
       Status: In Progress => Fix Committed

** Changed in: apport (Ubuntu Precise)
       Status: In Progress => Fix Committed
package in Oneiric: Confirmed Status in “dhcp3” source package in Oneiric: Invalid Status in “firefox” source package in Oneiric: Confirmed Status in “isc-dhcp” source package in Oneiric: Fix Committed Status in “apparmor” source package in Precise: Triaged Status in “apport” source package in Precise: Fix Committed Status in “chromium-browser” source package in Precise: Confirmed Status in “cups” source package in Precise: Confirmed Status in “dhcp3” source package in Precise: Invalid Status in “firefox” source package in Precise: Confirmed Status in “isc-dhcp” source package in Precise: Fix Committed Status in “apparmor” source package in Quantal: Triaged Status in “apport” source package in Quantal: Fix Committed Status in “chromium-browser” source package in Quantal: Confirmed Status in “cups” source package in Quantal: Confirmed Status in “dhcp3” source package in Quantal: Invalid Status in “firefox” source package in Quantal: Confirmed Status in “isc-dhcp” source package in Quantal: Fix Committed Bug description: Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu: http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts. Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH. The good news is that environment filtering is on the AppArmor roadmap, and it something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work. 
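The audit below is an added example, not code from the bug report or from any Ubuntu package: it walks an AppArmor profile for Ux-style and `-> sanitized_helper` exec rules and reports the shell scripts behind them that do not pin PATH as their first statement, which is the second band-aid the bug description names. The profile excerpt, file paths and script bodies are constructed, and the parser assumes the trailing-mode rule form (`<path> <mode>,`) only.

```python
import re

# Exec rule with trailing mode: "<path> <mode>[ -> <profile>],"
RULE_RE = re.compile(
    r'^\s*(?:audit\s+)?(?P<path>/\S*)\s+(?P<mode>[A-Za-z]+)'
    r'(?:\s*->\s*(?P<target>\S+?))?\s*,\s*(?:#.*)?$')
PATH_ASSIGN_RE = re.compile(r'^(?:export\s+)?PATH=(?P<val>\S*)')
SHELLS = {'sh', 'bash', 'dash', 'ksh'}


def aa_glob_to_regex(glob):
    """Translate the AppArmor globs *, **, ? and {a,b} into a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith('**', i):
            out.append('.*')          # ** crosses directory boundaries
            i += 2
            continue
        if c == '*':
            out.append('[^/]*')       # * stays inside one path component
        elif c == '?':
            out.append('[^/]')
        elif c == '{':
            out.append('(?:')
            depth += 1
        elif c == '}' and depth:
            out.append(')')
            depth -= 1
        elif c == ',' and depth:
            out.append('|')
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile(''.join(out) + r'\Z')


def is_shell_script(text):
    """True when the shebang names a Bourne-style shell (directly or via env)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith('#!'):
        return False
    words = lines[0][2:].split()
    if not words:
        return False
    interp = words[0].rsplit('/', 1)[-1]
    if interp == 'env' and len(words) > 1:
        interp = words[1]
    return interp in SHELLS


def path_problem(text):
    """Return None if the first statement pins PATH, else the reason it does not."""
    for line in text.splitlines()[1:]:
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = PATH_ASSIGN_RE.match(stripped)
        if m is None:
            return 'command runs before PATH is set'
        value = m.group('val').strip('"\'').rstrip(';')
        if '$' in value or not all(e.startswith('/') for e in value.split(':')):
            return 'PATH reuses caller-supplied or relative entries'
        return None
    return 'PATH is never set'


def audit(profile_text, scripts):
    """List (path, rule, reason) for shell scripts run unconfined or via sanitized_helper."""
    findings = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        mode, target = m.group('mode'), m.group('target')
        unconfined = re.search(r'[uU]x', mode) is not None   # ux, Ux, pux, PUx, ...
        sanitized = target == 'sanitized_helper' and 'x' in mode
        if not (unconfined or sanitized):
            continue   # ix/Px/Cx to a real profile keep the child confined
        pattern = aa_glob_to_regex(m.group('path'))
        rule = mode + (' -> ' + target if target else '')
        for path in sorted(scripts):
            if pattern.match(path) and is_shell_script(scripts[path]):
                reason = path_problem(scripts[path])
                if reason:
                    findings.append((path, rule, reason))
    return findings


# Constructed profile excerpt and script bodies (hypothetical paths).
SAMPLE_PROFILE = """
/usr/bin/example-browser {
  /usr/bin/example-report Ux,
  /usr/bin/example-open Cx -> sanitized_helper,
  /usr/lib/example/renderer ix,
  /usr/bin/example-viewer PUx,
  /opt/example/tools/*.sh Cx -> sanitized_helper,
}
"""
SAMPLE_SCRIPTS = {
    '/usr/bin/example-report': '#!/bin/sh\nexec python3 /usr/share/example/report.py "$@"\n',
    '/usr/bin/example-open': '#!/bin/sh\nPATH=/usr/sbin:/usr/bin:/sbin:/bin\nexport PATH\nexec xdg-mime query "$1"\n',
    '/usr/lib/example/renderer': '#!/bin/sh\nexec render "$@"\n',
    '/usr/bin/example-viewer': '\x7fELF\x02\x01\x01',
    '/opt/example/tools/sync.sh': '#!/usr/bin/env bash\nPATH="$HOME/bin:$PATH"\nrsync -a "$1" "$2"\n',
}

if __name__ == '__main__':
    for finding in audit(SAMPLE_PROFILE, SAMPLE_SCRIPTS):
        print('%s [%s]: %s' % finding)
```

The check is deliberately strict: a script that runs only builtins before assigning PATH is still reported and needs a manual look.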
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
While the ubuntu-integration abstraction doesn't exist in 10.04 LTS, the firefox profile has a Ux rule for apport-bug.

** Changed in: apport (Ubuntu Lucid) Status: Triaged => In Progress
** Changed in: apport (Ubuntu Lucid) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: apport (Ubuntu Natty) Status: Triaged => In Progress
** Changed in: apport (Ubuntu Natty) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: apport (Ubuntu Oneiric) Status: Triaged => In Progress
** Changed in: apport (Ubuntu Oneiric) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: apport (Ubuntu Precise) Status: Triaged => In Progress
** Changed in: apport (Ubuntu Precise) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: apport (Ubuntu Quantal) Status: Fix Committed => In Progress
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
isc-dhcp and dhcp3 have been uploaded to the security PPA.

** Changed in: isc-dhcp (Ubuntu Natty) Status: Triaged => Fix Committed
** Changed in: isc-dhcp (Ubuntu Natty) Importance: Undecided => High
** Changed in: isc-dhcp (Ubuntu Oneiric) Status: Triaged => Fix Committed
** Changed in: isc-dhcp (Ubuntu Oneiric) Importance: Undecided => High
** Changed in: isc-dhcp (Ubuntu Precise) Status: Triaged => Fix Committed
** Changed in: isc-dhcp (Ubuntu Precise) Importance: Undecided => High
** Changed in: dhcp3 (Ubuntu Lucid) Status: Triaged => Fix Committed
** Changed in: dhcp3 (Ubuntu Lucid) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
Thanks Jamie; do you have a pointer to the apport patch, or can attach it here? I'd like to apply it to trunk as well (or make it suitable for that).
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
Ok, both apport and isc-dhcp needed to be respun. Both are uploaded and sitting in unapproved.
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
I need to respin isc-dhcp on quantal since 4.2.4-1ubuntu6 was already there.
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
isc-dhcp uploaded to quantal-proposed.

** Changed in: isc-dhcp (Ubuntu Quantal) Status: In Progress => Fix Committed
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
An updated apport is in quantal-proposed.

** Changed in: apport (Ubuntu Quantal) Status: Triaged => In Progress
** Changed in: apport (Ubuntu Quantal) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: apport (Ubuntu Quantal) Status: In Progress => Fix Committed
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
pitti, any idea how to improve the situation with CUPS?

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1045986

Title:
  Ubuntu AppArmor policy is too lenient with shell scripts

Status in “apparmor” package in Ubuntu: Triaged
Status in “apport” package in Ubuntu: Triaged
Status in “chromium-browser” package in Ubuntu: Confirmed
Status in “cups” package in Ubuntu: Confirmed
Status in “dhcp3” package in Ubuntu: Invalid
Status in “firefox” package in Ubuntu: Confirmed
Status in “isc-dhcp” package in Ubuntu: In Progress
Status in “apparmor” source package in Lucid: Invalid
Status in “apport” source package in Lucid: Triaged
Status in “chromium-browser” source package in Lucid: Confirmed
Status in “cups” source package in Lucid: Confirmed
Status in “dhcp3” source package in Lucid: Triaged
Status in “firefox” source package in Lucid: Confirmed
Status in “isc-dhcp” source package in Lucid: Invalid
Status in “apparmor” source package in Natty: Triaged
Status in “apport” source package in Natty: Triaged
Status in “chromium-browser” source package in Natty: Confirmed
Status in “cups” source package in Natty: Confirmed
Status in “dhcp3” source package in Natty: Invalid
Status in “firefox” source package in Natty: Confirmed
Status in “isc-dhcp” source package in Natty: Triaged
Status in “apparmor” source package in Oneiric: Triaged
Status in “apport” source package in Oneiric: Triaged
Status in “chromium-browser” source package in Oneiric: Confirmed
Status in “cups” source package in Oneiric: Confirmed
Status in “dhcp3” source package in Oneiric: Invalid
Status in “firefox” source package in Oneiric: Confirmed
Status in “isc-dhcp” source package in Oneiric: Triaged
Status in “apparmor” source package in Precise: Triaged
Status in “apport” source package in Precise: Triaged
Status in “chromium-browser” source package in Precise: Confirmed
Status in “cups” source package in Precise: Confirmed
Status in “dhcp3” source package in Precise: Invalid
Status in “firefox” source package in Precise: Confirmed
Status in “isc-dhcp” source package in Precise: Triaged
Status in “apparmor” source package in Quantal: Triaged
Status in “apport” source package in Quantal: Triaged
Status in “chromium-browser” source package in Quantal: Confirmed
Status in “cups” source package in Quantal: Confirmed
Status in “dhcp3” source package in Quantal: Invalid
Status in “firefox” source package in Quantal: Confirmed
Status in “isc-dhcp” source package in Quantal: In Progress

Bug description:
  Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu:
  http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html

  This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts. Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH. The good news is that environment filtering is on the AppArmor roadmap, and it is something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
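One way to audit for the condition the bug description names, as an added example that is not code from the bug report or from any Ubuntu package: list the helpers a profile runs with Ux and flag the shell scripts among them whose first command is not a PATH assignment. The profile, the script paths and the function names are constructed for illustration, only literal rule paths (no globs) are resolved, and the PATH check is a line-based heuristic.

```shell
#!/bin/sh
# Added example: find shell scripts that a profile runs with Ux but that
# do not set PATH themselves. Paths and file names are constructed.

# Print the target of each "<path> <mode>," rule whose mode contains Ux.
ux_targets() {
    awk '$1 ~ /^\// && $2 ~ /Ux/ { print $1 }' "$1"
}

# Exit 0 if the first command in script $1 assigns PATH, 1 if it does
# not, 2 if $1 is not a shell script. Heuristic: one line = one command.
pins_path() {
    awk 'BEGIN { rc = 0 }
         NR == 1 && !/^#!.*sh/ { rc = 2; exit }
         /^[ \t]*(#|$)/ { next }
         { rc = ($0 ~ /^[ \t]*(export[ \t]+)?PATH=/) ? 0 : 1; exit }
         END { exit rc }' "$1"
}

# audit_profile PROFILE ROOT: list Ux targets under ROOT that rely on
# the inherited PATH.
audit_profile() {
    ux_targets "$1" | while read -r target; do
        [ -f "$2$target" ] || continue
        rc=0; pins_path "$2$target" || rc=$?
        if [ "$rc" -eq 1 ]; then echo "$target"; fi
    done
}

# Constructed fixture: one profile and two helper scripts.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/demo"
    printf '%s\n' '/usr/bin/demo {' \
        '  /usr/lib/demo/open.sh Ux,' \
        '  /usr/lib/demo/print.sh rUx,' \
        '  /usr/lib/demo/data r,' '}' > "$root/profile"
    printf '%s\n' '#!/bin/sh' '# opens a URL' 'exec xdg-open "$1"' \
        > "$root/usr/lib/demo/open.sh"
    printf '%s\n' '#!/bin/sh' 'PATH=/usr/sbin:/usr/bin:/sbin:/bin' \
        'export PATH' 'exec lpr "$1"' > "$root/usr/lib/demo/print.sh"
    echo "$root"
}

root=$(make_fixture)
audit_profile "$root/profile" "$root"   # prints /usr/lib/demo/open.sh
rm -rf "$root"
```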
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Changed in: isc-dhcp (Ubuntu Quantal) Status: Triaged => In Progress
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Also affects: dhcp3 (Ubuntu Quantal) Importance: High Status: Triaged
** Also affects: firefox (Ubuntu Quantal) Importance: Undecided Status: Confirmed
** Also affects: apport (Ubuntu Quantal) Importance: Undecided Status: Triaged
** Also affects: apparmor (Ubuntu Quantal) Importance: Undecided Status: Triaged
** Also affects: cups (Ubuntu Quantal) Importance: Undecided Status: Confirmed
** Also affects: chromium-browser (Ubuntu Quantal) Importance: Undecided Status: Confirmed
** Also affects: isc-dhcp (Ubuntu Quantal) Importance: High Status: Triaged
** Also affects: dhcp3 (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: firefox (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: apport (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: apparmor (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: cups (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: chromium-browser (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: isc-dhcp (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: dhcp3 (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: firefox (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: apport (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: apparmor (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: cups (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: chromium-browser (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: isc-dhcp (Ubuntu Oneiric) Importance: Undecided Status: New
** Also affects: dhcp3 (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: firefox (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: apport (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: apparmor (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: cups (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: chromium-browser (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: isc-dhcp (Ubuntu Natty) Importance: Undecided Status: New
** Also affects: dhcp3 (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: firefox (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: apport (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: apparmor (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: cups (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: chromium-browser (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: isc-dhcp (Ubuntu Lucid) Importance: Undecided Status: New
** Changed in: isc-dhcp (Ubuntu Natty) Status: New => Triaged
** Changed in: isc-dhcp (Ubuntu Natty) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: isc-dhcp (Ubuntu Oneiric) Status: New => Triaged
** Changed in: isc-dhcp (Ubuntu Oneiric) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: isc-dhcp (Ubuntu Precise) Status: New => Triaged
** Changed in: isc-dhcp (Ubuntu Precise) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: isc-dhcp (Ubuntu Quantal) Assignee: (unassigned) => Jamie Strandboge (jdstrand)
** Changed in: isc-dhcp (Ubuntu Lucid) Status: New => Invalid
** Changed in: dhcp3 (Ubuntu Natty) Status: New => Invalid
** Changed in: dhcp3 (Ubuntu Oneiric) Status: New => Invalid
** Changed in: dhcp3 (Ubuntu Precise) Status: New => Invalid
** Changed in: dhcp3 (Ubuntu Quantal) Status: Triaged => Invalid
** Changed in: dhcp3 (Ubuntu Lucid) Importance: Undecided => High
** Changed in: dhcp3 (Ubuntu Lucid) Status: New => Triaged
** Changed in: dhcp3 (Ubuntu Quantal) Importance: High => Undecided
** Changed in: apport (Ubuntu Lucid) Status: New => Triaged
** Changed in: apport (Ubuntu Natty) Status: New => Triaged
** Changed in: apport (Ubuntu Oneiric) Status: New => Triaged
** Changed in: apport (Ubuntu Precise) Status: New => Triaged
** Changed in: apparmor (Ubuntu Lucid) Status: New => Invalid
** Changed in: apparmor (Ubuntu Natty) Status: New => Triaged
** Changed in: apparmor (Ubuntu Oneiric) Status: New => Triaged
** Changed in: apparmor (Ubuntu Precise) Status: New => Triaged
** Changed in: chromium-browser (Ubuntu Lucid) Status: New => Confirmed
** Changed in: chromium-browser (Ubuntu Natty) Status: New => Confirmed
** Changed in: chromium-browser (Ubuntu
[Desktop-packages] [Bug 1045986] Re: Ubuntu AppArmor policy is too lenient with shell scripts
** Description changed: - Placeholder description. Dan Rosenberg is planning to blog about some - AppArmor profile weaknesses in Ubuntu. This bug will track the work - needed to fix it. + Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu: + http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html - This is a continuation of bug #851986, except for PATH and shell - scripts. Unfortunately, until we have proper environment filtering - support in AppArmor, we will have to employ more bandaids-- - specifically, either eliminating Ux/sanitized helper on shell scripts or - adjusting those shell scripts to explicitly set their PATH. The good - news is that environment filtering is on the AppArmor roadmap, and it - something we will be targeting in the future releases. I filed bug - #1045985 to more easily track the progress of that work. + This bug will track the work needed to fix it. This is a continuation of + bug #851986, except for PATH and shell scripts. Unfortunately, until we + have proper environment filtering support in AppArmor, we will have to + employ more bandaids-- specifically, either eliminating Ux/sanitized + helper on shell scripts or adjusting those shell scripts to explicitly + set their PATH. The good news is that environment filtering is on the + AppArmor roadmap, and it something we will be targeting in the future + releases. I filed bug #1045985 to more easily track the progress of that + work. ** Visibility changed to: Public ** Description changed: Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu: http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html - This bug will track the work needed to fix it. This is a continuation of - bug #851986, except for PATH and shell scripts. 
Unfortunately, until we - have proper environment filtering support in AppArmor, we will have to - employ more bandaids-- specifically, either eliminating Ux/sanitized + This bug will track the work needed to fix them. This is a continuation + of bug #851986, except for PATH and shell scripts. Unfortunately, until + we have proper environment filtering support in AppArmor, we will have + to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH. The good news is that environment filtering is on the AppArmor roadmap, and it something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1045986 Title: Ubuntu AppArmor policy is too lenient with shell scripts Status in “apparmor” package in Ubuntu: Triaged Status in “apport” package in Ubuntu: Triaged Status in “chromium-browser” package in Ubuntu: Confirmed Status in “cups” package in Ubuntu: Confirmed Status in “dhcp3” package in Ubuntu: Triaged Status in “firefox” package in Ubuntu: Confirmed Status in “isc-dhcp” package in Ubuntu: Triaged
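Review bot: the added lines of the first description change still read "and it something we will be targeting in the future releases", which is missing its verb; "and it is something we will be targeting in future releases" is what the sentence needs. The second description change only replaces "fix it" with "fix them" and rewraps the paragraph, so the same sentence passes through it unchanged as context and should be corrected in the same edit.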