[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy
Chris, I added the missing SRU information on the bugs that were missing.

> The packaging itself looks sane, but my understanding is that this adds
> new classes of apparmor denials, and *particularly* it appears that this
> might cause existing apparmor profiles to deny application behaviour
> that is currently allowed (which is why the ABI patches are
> backported?).

Exactly.

> There don't seem to be any explicit tests in the test
> cases to verify that existing behaviour is preserved, though? That would
> seem to be necessary.

I created this MR on QRT to add this test case:
https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546

They are based on the Test Plan of Bug #1728130

The test added passes.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  Incomplete

Bug description:
  [ Impact ]

  This is a SRU proposal for apparmor in Focal and Jammy.

  For focal, we want to SRU fixes for Bug 1964636 which introduces the capability upstream patches. We are also fixing Bug 1728130 and Bug 1993353 which are introducing full backport of abi from apparmor-3.0 and support for POSIX message queue rules, which are both a request from Honeywell.

  Note that specifically for message queue rules, we are overriding the abi behavior. Message queue mediation is not a part of the 2.13 abi we are pinning. Honeywell has a kernel that has message queue mediation, but their policy does not contain an abi specified, so when we pin the abi for a kernel that does not mediate message queue, it will break Honeywell's AppArmor policies.

  So we are making an exception: when abi is not specified in the policy, and the policy contains mqueue rules, we are enforcing mqueue rules. When the policy does not contain mqueue rules, then they are not being enforced. This is so we do not break Honeywell policies and we also are not breaking policies that were developed when there was no mqueue or abi support.

  For jammy, we are SRUing fixes for Bug 1993353 which adds message queue rules support.

  [ Test Plan ]

  This has been extensively tested by using QA Regression Tests[1] for AppArmor. All tests have passed and demonstrated AppArmor to be working as expected.

  We are also adding regression tests for message queue rules[2] which guarantees it is working as expected.

  [1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
  [2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

  [ Where problems could occur ]

  The message queue rules support could cause issues for AppArmor policies that were developed before there was support for mqueues, that's why we are also backporting abi support and pinning the abi on parser.conf on focal. Jammy already has the abi pinned for a kernel that does not have support for mqueue mediation.

  [ Other Info ]

  The patches for both focal and jammy can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
** Merge proposal linked:
   https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly being applied

Status in apparmor package in Ubuntu:
  New

Bug description:
  [ Impact ]

  Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced. However this can result in breaking applications in undesirable ways.

  If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced.

  If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace.

  This is less than ideal for most users as it leads to a bad experience that they have not opted into and can lead to them disabling security protections.

  [ Test Plan ]

  The test can be done with several features. Here we are using mqueue as an example.

  Verify that the kernel has mqueue mediation support:

    root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
    supports mqueue

    cd /tmp
    pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
    cd apparmor-2.13.3/tests/regression/apparmor/
    USE_SYSTEM=1 make

  Using the parser from the mqueue-sru PPA, load the profile.

    echo "
    abi ,
    include
    /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
      include
      /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
    }
    " | apparmor_parser -q -r

  Run the test, which should fail.

    ./posix_mq_rcv -c ./posix_mq_snd
    FAIL - could not open mq: Permission denied

  Now use an abi that does not have mqueue. This simulates a scenario where a policy was developed before mqueue support was added, so posix message queues should be allowed by default.

    echo "
    abi ,
    include
    /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
      include
      /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
    }
    " | apparmor_parser -q -r

  Run the test again, it should pass.

    ./posix_mq_rcv -c ./posix_mq_snd
    PASS

  [ Where problems could occur ]

  ABI pinning forces policies that don't have abi specified in their profile to use the ABI pinned in parser.conf. When the ABI is pinned and the user is trying to use mediation that is not in the pinned ABI, they might be confused why it is always being allowed. This can be circumvented by specifying the correct abi in the profile.

  [ Other Info ]

  The patches for focal (apparmor-2.13) can be found at:
  https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
  apparmor-3.0 already has this feature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions
[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy
** Merge proposal linked:
   https://code.launchpad.net/~georgiag/qa-regression-testing/+git/qa-regression-testing/+merge/433546

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146
[Touch-packages] [Bug 1997579] Re: [Ubuntu22.04] systemd-coredump package not installable via apt install when only OpenSSL 3.0 is available on the system (s390x)
Btw. before you retry, you may fix the broken packaging state of your system with:
  sudo apt-get -y -f install
and then:
  sudo apt update
  ...

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1997579

Title:
  [Ubuntu22.04] systemd-coredump package not installable via apt install when only OpenSSL 3.0 is available on the system (s390x)

Status in Ubuntu on IBM z Systems:
  Incomplete
Status in systemd package in Ubuntu:
  Incomplete

Bug description:
  ---Problem Description---

  Summary
  ===
  IBM z16 LPAR (s390x architecture)
  OS: Ubuntu 20.04.1 LTS (jammy jellyfish) on 5.15.0-53-generic,
  openssl3.0.2-0ubuntu1.7 s390x
  systemd249.11-0ubuntu3.6 s390x

  The problem is immediately reproducible.

  Details
  ===
  We fail to install the systemd-coredump package on a system where only OpenSSL 3.0.2 is available.

  Terminal output
  ===
  # apt info systemd-coredump
  Package: systemd-coredump
  Version: 249.11-0ubuntu3.6
  Priority: optional
  Section: universe/admin
  Source: systemd
  Origin: Ubuntu
  Maintainer: Ubuntu Developers
  Original-Maintainer: Debian systemd Maintainers
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 337 kB
  Provides: core-dump-handler
  Depends: libc6 (>= 2.34), libdw1 (>= 0.158), libelf1 (>= 0.144), systemd (= 249.11-0ubuntu3.6), adduser
  Conflicts: core-dump-handler
  Replaces: core-dump-handler
  Homepage: https://www.freedesktop.org/wiki/Software/systemd
  Download-Size: 56.6 kB
  APT-Sources: http://ports.ubuntu.com/ubuntu-ports jammy-updates/universe s390x Packages
  Description: tools for storing and retrieving coredumps
   This package provides systemd tools for storing and retrieving coredumps:
    * systemd-coredump
    * coredumpctl

  N: There is 1 additional record. Please use the '-a' switch to see it

  # apt-get install systemd-coredump
  Reading package lists... Done
  Building dependency tree... Done
  Reading state information... Done
  You might want to run 'apt --fix-broken install' to correct these.
  The following packages have unmet dependencies:
   apport : Conflicts: core-dump-handler
   libep11 : Depends: libssl1.0.0 but it is not installable or
                      libssl1.1 but it is not installable
   systemd-coredump : Depends: libdw1 (>= 0.158) but it is not going to be installed
                      Conflicts: core-dump-handler
  E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).

  Contact Information = christian.r...@de.ibm.com

  ---uname output---
  Linux system 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:54:41 UTC 2022 s390x s390x s390x GNU/Linux

  Machine Type = IBM Type: 3931 Model: 704 A01

  ---Debugger---
  A debugger is not configured

  ---Steps to Reproduce---
  1.) Configure the apt repos as shown in the attached sources.list file and run apt-get update
  2.) Run: apt install systemd-coredump

  There is no package install available working with openssl version 3.0.N alone i.e. when openssl 1.0 or 1.1 are _NOT_ installed

  Userspace tool common name: coredumpctl

  The userspace tool has the following bit modes: 64-bit

  Userspace rpm: systemd-coredump

  Userspace tool obtained from project website: na

  *Additional Instructions for christian.r...@de.ibm.com:
  -Attach ltrace and strace of userspace application.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1997579/+subscriptions
[Touch-packages] [Bug 1997579] Re: [Ubuntu22.04] systemd-coredump package not installable via apt install when only OpenSSL 3.0 is available on the system (s390x)
** Also affects: ubuntu-z-systems
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: linux (Ubuntu)

** Changed in: ubuntu-z-systems
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Changed in: ubuntu-z-systems
   Importance: Undecided => High

** Changed in: ubuntu-z-systems
       Status: New => Incomplete

** Changed in: systemd (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1997579
[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/apparmor/+git/apparmor/+merge/433541

** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/apparmor/+git/apparmor/+merge/433542

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  In Progress

Bug description:
  [ Impact ]

  Users who chose to:

  a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba)

  b) change the samba related profiles from complain (the default) to enforce mode

  will find out that sharing a printer in samba and using it won't work.

  By itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block-proposed-kinetic tag to this bug.

  [ Test Plan ]

  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  Probe it via samba:
  rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  (some printer related output, or even an error, doesn't matter)

  Check dmesg and look for an apparmor ALLOWED message:
  [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  With the updated package, there should be no apparmor message for samba-rpcd-spoolss.

  NOTE: since, for this test, we are not switching the apparmor profile to enforce mode, this means that the mkdir attempted by rpcd_spoolss will succeed, and if you try the rpcclient command one more time, there will be no further apparmor messages about it in the logs.

  [ Where problems could occur ]

  This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard.

  Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing.

  What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully).

  [ Other Info ]
  Not at this time.

  [Original Description]

  After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message:

  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory
  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

To manage
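
The dmesg check from the test plan above, as an added Python example that is not part of the bug report or of the apparmor package. The function names and the third log record are made up for illustration; the first two records are the ones quoted in the report.

```python
import re
from collections import Counter

# Records 1 and 2 are the ALLOWED (complain mode) and DENIED (enforce mode)
# audit lines quoted in the bug report. Record 3 is constructed: it shows an
# unrelated profile and a hex-encoded name, which the audit subsystem emits
# (unquoted) when a string contains characters such as spaces.
SAMPLE_LOG = """\
[497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100
[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100
[497040.000000] audit: type=1400 audit(1669215197.000:556): apparmor="DENIED" operation="open" class="file" profile="constructed-example" name=2F746D702F612062 pid=4242 comm="demo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Only these string fields may arrive hex-encoded; numeric fields such as
# pid are also bare and hex-looking, so decoding must be limited by key.
MAYBE_HEX_KEYS = {"name", "comm", "profile"}


def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and key in MAYBE_HEX_KEYS and HEX_RE.fullmatch(bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare or quoted
    return rec


def parse_apparmor_records(log_text):
    """Parse every AppArmor audit record found in dmesg/journal text."""
    return [r for line in log_text.splitlines() if (r := parse_record(line))]


def messages_for_profile(records, profile):
    """All records attributed to one profile, ALLOWED and DENIED alike."""
    return [r for r in records if r.get("profile") == profile]


def profile_is_quiet(log_text, profile="samba-rpcd-spoolss"):
    """Pass condition of the test plan: no AppArmor message for the profile."""
    return not messages_for_profile(parse_apparmor_records(log_text), profile)


def summarize(records):
    """Count records by (verdict, profile, operation, path, denied mask)."""
    return Counter(
        (r.get("apparmor"), r.get("profile"), r.get("operation"),
         r.get("name"), r.get("denied_mask"))
        for r in records
    )


if __name__ == "__main__":
    for key, count in summarize(parse_apparmor_records(SAMPLE_LOG)).items():
        print(count, *key)
    print("samba-rpcd-spoolss quiet:", profile_is_quiet(SAMPLE_LOG))
```

An ALLOWED record means the profile is in complain mode and a DENIED record means enforce mode; both show that the profile lacks a rule for the access, so the check treats them the same way.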
[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing
** Description changed: [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block- proposed-kinetic tag to this bug. - [ Test Plan ] sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter - $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' + Probe it via samba: + rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' (some printer related output) Check dmesg and look for an apparmor ALLOWED message: [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100 - - With the updated package, there should be no apparmor message for samba-rpcd-spoolss. - + With the updated package, there should be no apparmor message for samba- + rpcd-spoolss. [ Where problems could occur ] This change is adding an apparmor rule to a samba-related apparmor profile. Without this rule (and with the apparmor profile in confine mode), then printing does not work, so regressing that aspect of it is hard. 
Maybe some exotic future security vulnerability could take advantage of this new apparmor rule which allows writing to (and therefore deleting from) /var/cache/samba/printing. What's more likely perhaps (but still rare) is that an apparmor upgrade, which triggers all apparmor profiles to be reloaded, would find some error in an existing profile and fail to load it, and perhaps stop loading all other profiles after that, perhaps leaving the system without confinement. But this should be caught by the upgrade process since postinst would exit non-zero (hopefully). - [ Other Info ] Not at this time. [Original Description] After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k- samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . drwxr-xr-x 1 root root 170 Oct 19 17:41 .. 
-rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb ** Description changed: [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason, then this fix could be bundled together with it. Therefore I'm adding the block- proposed-kinetic tag to this bug. [ Test Plan ] sudo apt install
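
Review bot: the pass condition in the revised [ Test Plan ] ("With the updated package, there should be no apparmor message for samba-rpcd-spoolss") can be met without the fix, because the expected record is apparmor="ALLOWED" for a mkdir: the profile is in complain mode, so the first rpcclient run creates /var/cache/samba/printing/ and later runs have nothing left to create. Suggest adding a step that starts from a system where that directory does not exist (fresh container, or remove the directory) before running the check against the updated package, or stating that the check is only meaningful on the first run.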
[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing
** Description changed: + [ Impact ] + + Users who chose to: + + a) install apparmor-profiles (a package with extra optional apparmor + profiles, including samba) + + b) change the samba related profiles from complain (the default) to + enforce mode + + will find out that sharing a printing in samba and using it won't work. + + In by itself this is *definitely* not worth an SRU for apparmor, which + impacts all users of Ubuntu (because it's installed everywhere). But, if + apparmor is to be updated for another more important reason, then this + fix could be bundled together with it. Therefore I'm adding the block- + proposed-kinetic tag to this bug. + + + [ Test Plan ] + + sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra + sudo apt install samba smbclient cups cups-client + + Set a password for the samba "root" user: + printf "root\nroot\n" | sudo smbpasswd -a root + + Create a fake printer: + sudo lpadmin -p testprinter -E -v /dev/null + + Check it's there: + sudo lpstat -l -p testprinter + + $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' + (some printer related output) + + Check dmesg and look for an apparmor ALLOWED message: + [497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100 + + + With the updated package, there should be no apparmor message for samba-rpcd-spoolss. + + + [ Where problems could occur ] + + This change is adding an apparmor rule to a samba-related apparmor + profile. Without this rule (and with the apparmor profile in confine + mode), then printing does not work, so regressing that aspect of it is + hard. 
+ + Maybe some exotic future security vulnerability could take advantage of + this new apparmor rule which allows writing to (and therefore deleting + from) /var/cache/samba/printing. + + What's more likely perhaps (but still rare) is that an apparmor upgrade, + which triggers all apparmor profiles to be reloaded, would find some + error in an existing profile and fail to load it, and perhaps stop + loading all other profiles after that, perhaps leaving the system + without confinement. But this should be caught by the upgrade process + since postinst would exit non-zero (hopefully). + + + [ Other Info ] + Not at this time. + + [Original Description] + After the fix for bug #1990692, one more rule is needed it seems. I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message: Prep: sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra sudo apt install samba smbclient cups cups-client Set a password for the samba "root" user: printf "root\nroot\n" | sudo smbpasswd -a root Create a fake printer: sudo lpadmin -p testprinter -E -v /dev/null Check it's there: sudo lpstat -l -p testprinter $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2' cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k- samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100 And indeed, that directory wasn't created: $ l /var/cache/samba/printing ls: cannot access '/var/cache/samba/printing': No such file or directory $ l /var/cache/samba/ total 16K drwxr-xr-x 1 root root 48 Oct 19 17:42 . 
drwxr-xr-x 1 root root 170 Oct 19 17:41 .. -rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1993572 Title: samba profile: missing rule for mkdir /var/cache/samba/printing Status in apparmor package in Ubuntu: In Progress Status in apparmor source package in Kinetic: In Progress Bug description: [ Impact ] Users who chose to: a) install apparmor-profiles (a package with extra optional apparmor profiles, including samba) b) change the samba related profiles from complain (the default) to enforce mode will find out that sharing a printing in samba and using it won't work. In by itself this is *definitely* not worth an SRU for apparmor, which impacts all users of Ubuntu (because it's installed everywhere). But, if apparmor is to be updated for another more important reason,
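
Review bot: the added [ Where problems could occur ] text says "with the apparmor profile in confine mode", while item b) of [ Impact ] calls the same state "enforce mode"; use "enforce mode" in both places so the reader is not left looking for a third mode. In the same added block, "sharing a printing in samba" reads as a typo for "printer", and the rpcclient step in [ Test Plan ] is the only one given with a "$" prompt and no label line, unlike the "Create a fake printer:" and "Check it's there:" steps above it.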
[Touch-packages] [Bug 1964636] Re: Incorrect handling of apparmor `bpf` capability
Description updated with the SRU template information. ** Description changed: - We've recently noticed a lot of the LXD CI jobs failing because of - apparmor related snapd issues. + [ Impact ] - The way this usually manifests is: - - lxc launch images:ubuntu/20.04 c1 - - lxc exec c1 -- apt install snapd - - lxc exec c1 -- snap install distrobuilder --edge --classic - - lxc exec c1 -- distrobuilder + The apparmor_parser before the 3.0 release would build its capability list from the installed kernel headers. The apparmor_parser was built against a kernel without support for cap 'bpf' + This was fixed in 3.0 by having a static caps list (with full mapping info) and the dynamic auto-generated list (against the kernel headers) that is used to check that the static list has not become stale. In addition the parser can pull kernel supported caps straight from the apparmor kernel module (it will however be missing the mapping info). + Backporting the patches from 3.0 fixes the issue. - This all works as expected, `systemctl --failed` is clean and `apparmor_status` gets me: - ``` - 0 loaded units listed. - root@v1:~# lxc exec c1 -- apparmor_status - apparmor module is loaded. - 11 profiles are loaded. - 10 profiles are in enforce mode. -/usr/lib/NetworkManager/nm-dhcp-client.action -/usr/lib/NetworkManager/nm-dhcp-helper -/usr/lib/connman/scripts/dhclient-script -/usr/lib/snapd/snap-confine -/usr/lib/snapd/snap-confine//mount-namespace-capture-helper -/{,usr/}sbin/dhclient -lsb_release -nvidia_modprobe -nvidia_modprobe//kmod -snap-update-ns.distrobuilder - 1 profiles are in complain mode. -snap.distrobuilder.distrobuilder - 0 processes have profiles defined. - 0 processes are in enforce mode. - 0 processes are in complain mode. - 0 processes are unconfined but have a profile defined. 
- ``` + [ Test Plan ] - Now to break things: - - lxc restart c1 - - lxc exec c1 -- distrobuilder + Before the fix, the following profile fails loading: - ``` - root@v1:~# lxc exec c1 -- distrobuilder - cannot change profile for the next exec call: No such file or directory - ``` + # echo "profile foo { capability bpf, }" | apparmor_parser -Q + AppArmor parser error, in stdin line 1: Invalid capability bpf. + # echo $? + 1 - Looking around, we see: - ``` - root@c1:~# find /var/lib/snapd/apparmor/ - /var/lib/snapd/apparmor/ - /var/lib/snapd/apparmor/snap-confine - /var/lib/snapd/apparmor/snap-confine/cap-bpf - /var/lib/snapd/apparmor/profiles - /var/lib/snapd/apparmor/profiles/snap.distrobuilder.distrobuilder - /var/lib/snapd/apparmor/profiles/snap-update-ns.distrobuilder - /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14978 - root@c1:~# cat /var/lib/snapd/apparmor/snap-confine/cap-bpf + After the fix, it works as expected: - capability bpf, - root@c1:~# systemctl --failed - UNIT LOAD ACTIVE SUBDESCRIPTION - ● snapd.apparmor.service loaded failed failed Load AppArmor profiles managed internally by snapd + # echo "profile foo { capability bpf, }" | apparmor_parser -Q + # echo $? + 0 - LOAD = Reflects whether the unit definition was properly loaded. - ACTIVE = The high-level unit activation state, i.e. generalization of SUB. - SUB= The low-level unit activation state, values depend on unit type. + [ Where problems could occur ] - 1 loaded units listed. - ``` + With these changes, the parser can change its behavior based on a few things. + 1. the kernel its built against. This would not change behavior when run in a container vs at system level. - The error listed is: - ``` - Mar 11 19:54:58 c1 systemd[1]: Starting Load AppArmor profiles managed internally by snapd... 
- Mar 11 19:54:58 c1 snapd-apparmor[163]: /usr/lib/snapd/snapd-apparmor: 47: ns_stacked: not found - Mar 11 19:54:58 c1 snapd-apparmor[163]: /usr/lib/snapd/snapd-apparmor: 48: ns_name: not found - Mar 11 19:54:58 c1 snapd-apparmor[172]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14978 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf. - Mar 11 19:54:58 c1 systemd[1]: snapd.apparmor.service: Main process exited, code=exited, st - ``` + 2. If a feature-file is specified, via --features-file, --policy- + features, or --kernel-features. This allows overriding the normal policy + and kernel examination that the parser does when compiling policy. - One can workaround it with: - ``` - > /var/lib/snapd/apparmor/snap-confine/cap-bpf - systemctl restart snapd.apparmor.service - ``` + 3. If /sys/kernel/security/apparmor/features is not available. The + parser will fallback to an old set of features available in a kernel + before the kernel module started exporting what the kernel module + supports on the running kernel. + [ Other Info ] - Now for the bits I didn't quite figure out: - - Why does snapd think that the parser supports `bpf`
[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing
** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Undecided => Critical

** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Critical => Undecided

** Changed in: apparmor (Ubuntu Kinetic)
       Status: New => In Progress

** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Undecided => Wishlist

** Changed in: apparmor (Ubuntu Kinetic)
   Importance: Wishlist => Low

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Low

** Changed in: apparmor (Ubuntu Kinetic)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Tags added: block-proposed-kinetic

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  In Progress

Bug description:
  After the fix for bug #1990692, one more rule is needed it seems.

  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:

  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory

  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
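The denial record in this report names the profile, the path and the refused access, which is what a reviewer needs to see what the profile lacks. As an added example (not part of the original message, and not AppArmor's own tooling), the following Python parses such audit records, decodes hex-encoded paths and groups the missing file permissions per profile. The extra log lines, `example-profile` and all function names are constructed for illustration, and the output is a list of candidate rules to review, not the fix that was shipped.

```python
import re
from collections import defaultdict

# Mask letters used in requested_mask/denied_mask, mapped to the permission a
# profile rule needs. Create ('c') and delete ('d') are both covered by 'w'.
MASK_TO_RULE_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                     "x": "x", "m": "m", "k": "k", "l": "l"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STAMP_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_record(line):
    """Parse one AppArmor audit record into a dict; None for unrelated lines."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare and key in ("name", "profile", "comm") and HEX_RE.fullmatch(bare):
            # The audit subsystem hex-encodes strings that contain spaces,
            # quotes or control characters and writes them without quotes.
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare or quoted
    stamp = STAMP_RE.search(line)
    if stamp:
        rec["epoch"], rec["serial"] = int(stamp.group(1)), int(stamp.group(2))
    return rec


def missing_access(lines, action="DENIED"):
    """Group file denials as {profile: {path: set of rule permissions}}."""
    needed = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != action:
            continue  # complain-mode (ALLOWED) and STATUS records are skipped
        if "name" not in rec or "denied_mask" not in rec:
            continue  # capability and other non-file records carry other fields
        for letter in rec["denied_mask"]:
            perm = MASK_TO_RULE_PERM.get(letter, letter)
            needed[rec.get("profile", "?")][rec["name"]].add(perm)
    return {profile: dict(paths) for profile, paths in needed.items()}


def candidate_rules(needed):
    """Render the grouped denials as rule lines for a human to review."""
    out = {}
    for profile, paths in needed.items():
        rules = []
        for path in sorted(paths):
            shown = f'"{path}"' if re.search(r"\s", path) else path
            rules.append(f"{shown} {''.join(sorted(paths[path]))},")
        out[profile] = rules
    return out


# Record quoted in the bug report (the namespace value is truncated there).
PAGE_RECORD = (
    '[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): '
    'apparmor="DENIED" operation="mkdir" class="file" '
    'namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" '
    'name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" '
    'requested_mask="c" denied_mask="c" fsuid=100 ouid=100'
)
# Constructed lines: a hex-encoded path, a complain-mode record, a status record.
HEX_NAME = "/var/cache/samba/printing/my job.tdb".encode().hex().upper()
SAMPLE_LOG = [
    PAGE_RECORD,
    'audit: type=1400 audit(1666201360.101:343): apparmor="DENIED" '
    'operation="unlink" class="file" profile="samba-rpcd-spoolss" '
    f'name={HEX_NAME} pid=129107 comm="rpcd_spoolss" '
    'requested_mask="d" denied_mask="d" fsuid=100 ouid=100',
    'audit: type=1400 audit(1666201361.000:344): apparmor="ALLOWED" '
    'operation="open" class="file" profile="example-profile" '
    'name="/etc/example.conf" pid=4242 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'audit: type=1400 audit(1666201362.000:345): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="example-profile" '
    'pid=4300 comm="apparmor_parser"',
]

if __name__ == "__main__":
    for profile, rules in candidate_rules(missing_access(SAMPLE_LOG)).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Passing `action="ALLOWED"` to `missing_access` lists what a profile in complain mode would have refused, which is the check to run before switching it to enforce mode.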
[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing
** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: apparmor (Ubuntu)
       Status: New => In Progress

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  In Progress
Status in apparmor source package in Kinetic:
  New

Bug description:
  After the fix for bug #1990692, one more rule is needed it seems.

  I put all samba profiles in enforce mode, and when I ran that final
  rpcclient command, got an error and an apparmor denied message:

  Prep:
  sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
  sudo apt install samba smbclient cups cups-client

  Set a password for the samba "root" user:
  printf "root\nroot\n" | sudo smbpasswd -a root

  Create a fake printer:
  sudo lpadmin -p testprinter -E -v /dev/null

  Check it's there:
  sudo lpstat -l -p testprinter

  $ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
  cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
  do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

  [qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

  And indeed, that directory wasn't created:
  $ l /var/cache/samba/printing
  ls: cannot access '/var/cache/samba/printing': No such file or directory

  $ l /var/cache/samba/
  total 16K
  drwxr-xr-x 1 root root   48 Oct 19 17:42 .
  drwxr-xr-x 1 root root  170 Oct 19 17:41 ..
  -rw-r--r-- 1 root root  166 Oct 19 17:42 browse.dat
  -rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb
[Touch-packages] [Bug 1995260] Re: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug
** Description changed: [SRU] [ Impact ] - Sometimes dnsmasq is incorrectly is returning NODATA instead of - NXDOMAIN. This can lead to erroneous actions by clients who need to - determine whether a domain name exists or not. + Sometimes dnsmasq is incorrectly returning NODATA instead of NXDOMAIN. + This can lead to erroneous actions by clients who need to determine + whether a domain name exists or not. [ Test Plan ] In a focal VM, install dnsmasq (apt install dnsmasq-base) if it wasn't installed yet. - - #0 Disabling systemd-resolved service and enabling resolution through dnsmasq. + #0 Disabling systemd-resolved service and enabling resolution through + dnsmasq. # systemctl disable --now systemd-resolved.service # rm -f /etc/resolv.conf # cat > /etc/resolv.conf << __EOF__ nameserver 8.8.8.8 __EOF__ # systemctl start dnsmasq.service - #1 Bad case # for i in srv txt a a txt srv; do host -t $i test.foo. 127.0.0.1 | tail -n 1; done Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) test.foo has no A record Host test.foo. not found: 3(NXDOMAIN) test.foo has no A record test.foo has no TXT record test.foo has no SRV record #2 Good case #2.1 Installing new package # ls -1 *.deb dnsmasq-utils_2.80-1.1ubuntu1.6_amd64.deb dnsmasq-base_2.80-1.1ubuntu1.6_amd64.deb dnsmasq_2.80-1.1ubuntu1.6_all.deb # dpkg -i *.deb (Reading database ... 32073 files and directories currently installed.) Preparing to unpack dnsmasq-base_2.80-1.1ubuntu1.6_amd64.deb ... Unpacking dnsmasq-base (2.80-1.1ubuntu1.6) over (2.80-1.1ubuntu1.5) ... Selecting previously unselected package dnsmasq-utils. Preparing to unpack dnsmasq-utils_2.80-1.1ubuntu1.6_amd64.deb ... Unpacking dnsmasq-utils (2.80-1.1ubuntu1.6) ... Preparing to unpack dnsmasq_2.80-1.1ubuntu1.6_all.deb ... Unpacking dnsmasq (2.80-1.1ubuntu1.6) over (2.80-1.1ubuntu1.5) ... Setting up dnsmasq-base (2.80-1.1ubuntu1.6) ... Setting up dnsmasq-utils (2.80-1.1ubuntu1.6) ... 
Setting up dnsmasq (2.80-1.1ubuntu1.6) ... Processing triggers for dbus (1.12.16-2ubuntu2.3) ... Processing triggers for man-db (2.9.1-1) ... Processing triggers for systemd (245.4-4ubuntu3.18) ... - # dpkg -l | grep dnsmasq ii dnsmasq2.80-1.1ubuntu1.6 all Small caching DNS proxy and DHCP/TFTP server ii dnsmasq-base 2.80-1.1ubuntu1.6 amd64 Small caching DNS proxy and DHCP/TFTP server ii dnsmasq-utils 2.80-1.1ubuntu1.6 amd64 Utilities for manipulating DHCP leases #2.2 Testing OK # for i in srv txt a a txt srv; do host -t $i test.foo. 127.0.0.1 | tail -n 1; done Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) Host test.foo. not found: 3(NXDOMAIN) [ Where problems could occur ] - It correctly changes the program's behaviour in this kind of situation, - so users that didn't recognize this as an error can see an increment in - their dns cached records, so, in the end, it's not a problem. + It changes the program's behaviour by classifying as NXDOMAIN what used to be NODATA in some situations, so if a user had a workaround for this (in the form of a script or other kind of automatization) it will probably start to malfunction. + + The last rebuilding of the package for Focal was in May, so if any new dependencies or libs have been upgraded on this Ubuntu series this can impact the new rebuild. [ Other Info ] The patch is applied upstream and originated from a bug filed on Fedora side: https://bugzilla.redhat.com/show_bug.cgi?id=1674067 [Original Report] --- We upgraded our openstack containers which host dnsmasq services from bionic to focal. With this we got an update of dnsmasq from 2.79 to 2.80 which introduced a bug in our setup where dnsmasq returns NODATA instead of NXDOMAIN. This is already fixed upstream with the following commit [1]. 
The Ubuntu dnsmasq 2.80 package should get a backport with a release for the focal packages which includes this bug fix. [1] https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/1995260 Title: dnsmasq focal 2.80 NODATA instead of NXDOMAIN bug Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Focal: In Progress Bug description:
[Touch-packages] [Bug 1867204] Re: /usr/share/apport/whoopsie-upload-all:FileNotFoundError:/usr/share/apport/whoopsie-upload-all@170:collect_info:process_report
** Also affects: apport (Ubuntu Bionic)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1867204

Title:
  /usr/share/apport/whoopsie-upload-all:FileNotFoundError:/usr/share/apport/whoopsie-upload-all@170:collect_info:process_report

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released

Bug description:
  [Impact]

  The Ubuntu Error Tracker has been receiving reports about a problem
  regarding apport. This problem was most recently seen with package
  version 2.20.11-0ubuntu19, the problem page at
  https://errors.ubuntu.com/problem/7a3912ff155870bdb23500abfa48a21a6cb07171
  contains more details, including versions of packages affected,
  stacktrace or traceback, and individual crash reports.

  If you do not have access to the Ubuntu Error Tracker and are a
  software developer, you can request it at
  http://forms.canonical.com/reports/.

  There were 1301 crashes reported in the last month for this bug, which
  makes it to number 3 of the apport bug list (despite Ubuntu 22.04
  already being fixed and only older releases are still affected).

  [Test Plan]

  Check that the fixed version does not appear on
  https://errors.ubuntu.com/problem/3adc63930455e99063ec1f77bf461d975492e9b4.

  [Where problems could occur]

  Worst case - in any part of the bug reporting/collection procedure,
  since that is what's changing.

  [Other info]

  Due to the huge amount of broken autopkgtest tests, the diff for the
  SRUs are bigger than desired. The individual commits in
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are
  probably easier to review.

  * jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
  * focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881
[Touch-packages] [Bug 1979211] Re: /usr/share/apport/apport:AttributeError:/usr/share/apport/apport@531:parse_arguments:print_usage:_print_message
** Also affects: apport (Ubuntu Bionic)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1979211

Title:
  /usr/share/apport/apport:AttributeError:/usr/share/apport/apport@531:parse_arguments:print_usage:_print_message

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released
Status in apport source package in Impish:
  Won't Fix
Status in apport source package in Jammy:
  Fix Released

Bug description:
  Impact
  ------

  As it can be seen in
  https://errors.ubuntu.com/problem/e714f8181c0785693f3a66969c594a3b19bcab2b
  there are thousands of crashes of this type (and multiple duplicate
  bug reports for it). Instead of apport logging a failure in
  /var/log/apport.log, it crashes.

  Fixing this bug also fixes the issue with logging failures in the
  socket path (for handling crashes in containers).

  Test Case
  ---------

  There should be no instances of
  https://errors.ubuntu.com/problem/e714f8181c0785693f3a66969c594a3b19bcab2b
  for the fixed version.

  Where problems could occur
  --------------------------

  The apport binary is called by the kernel when a process crashes.
  Worst case scenarios include breaking the apport binary and no problem
  report is generated any more (or apport uses too much resources).
  Since all the desired logs are now logged, it could increase the
  amount of logs that are written (apport has some flood detection in
  case a process dies constantly).

  Original Description
  --------------------

  The Ubuntu Error Tracker has been receiving reports about a problem
  regarding apport. This problem was most recently seen with package
  version 2.20.11-0ubuntu82.1, the problem page at
  https://errors.ubuntu.com/problem/e714f8181c0785693f3a66969c594a3b19bcab2b
  contains more details, including versions of packages affected,
  stacktrace or traceback, and individual crash reports.

  If you do not have access to the Ubuntu Error Tracker and are a
  software developer, you can request it at
  http://forms.canonical.com/reports/.

  Traceback (most recent call last):
    File "/usr/share/apport/apport", line 531, in
      options = parse_arguments()
    File "/usr/share/apport/apport", line 463, in parse_arguments
      parser.print_usage()
    File "/usr/lib/python3.10/argparse.py", line 2562, in print_usage
      self._print_message(self.format_usage(), file)
    File "/usr/lib/python3.10/argparse.py", line 2573, in _print_message
      file.write(message)
  AttributeError: 'NoneType' object has no attribute 'write'

  This bug can be reproduced by configuring the previously supported
  parameters to Apport and then let a process crash (e.g. call
  divide-by-zero):

  ```
  echo "|/usr/share/apport/apport %p %s %c %d %P %E" | sudo tee /proc/sys/kernel/core_pattern
  ```

  So this bug is a regression of commit c320e910a516 ("Switch to using
  non-positional arguments") which is a fix for CVE-2022-28658 and
  CVE-2021-3899.
[Touch-packages] [Bug 1986521] Re: ssh client spins if output fd closed
I've posted a PPA with the patch to fix this issue here:

https://launchpad.net/~bryce/+archive/ubuntu/openssh-sru-lp1986521

This can be installed via:

  $ sudo add-apt-repository -yus ppa:bryce/openssh-sru-lp1986521
  $ sudo apt-get install openssh

Can you please upgrade to this and verify it fixes the reported issue?

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1986521

Title:
  ssh client spins if output fd closed

Status in portable OpenSSH:
  Unknown
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Jammy:
  Triaged

Bug description:
  The OpenSSH package 8.9p1 as shipped with U22.04 (8.9p1-3) suffers
  from the bug described at
  https://bugzilla.mindrot.org/show_bug.cgi?id=3411 and
  https://bugzilla.mindrot.org/show_bug.cgi?id=3405

  A command such as "xterm -e 'ssh -f remote.host sleep 60'" will pop up
  an xterm, ask for whatever authentication is needed, close the xterm,
  and leave the ssh client spinning consuming CPU time for 60 seconds
  before it exits. It should leave the ssh client idle for 60 seconds.

  Many uses of ssh to launch graphical applications will be caught by
  this bug.

  This is fixed in OpenSSH 9.0p1 as the first bugfix listed in its
  release notes at https://www.openssh.com/txt/release-9.0
[Touch-packages] [Bug 1988730] Re: package libsasl2-modules provides only unsafe SASL bind mechanims
** Changed in: cyrus-sasl2 (Ubuntu Jammy)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1988730

Title:
  package libsasl2-modules provides only unsafe SASL bind mechanims

Status in cyrus-sasl2 package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 source package in Jammy:
  Triaged

Bug description:
  Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind
  mechanisms into different packages. Plained and shared secret
  mechanisms are provided by package libsasl2-modules:

  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25

  The "safest" mechanism in this list is DIGEST-MD5, which is marked as
  obsolete by IANA and regarded as unsafe by IETF.

  Current safest standard mechanisms are SCRAM based (RFC7677). All
  SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu
  package libsasl2-modules-gssapi-mit:

  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2.0.25

  But the focus of this package is GSSAPI and GS2 SASL mechanism, which
  have nothing to do with SCRAM.

  In addition, this package conflicts with package
  libsasl2-modules-gssapi-heimdal. System administrators have to choose
  one package for support of GSSAPI or GSS-SPNEGO. If they prefer
  Heimdal there is no safe SASL shared secret mechanism available
  anymore on the server/workstation.
[Touch-packages] [Bug 1989467] Re: Several autopkgtest failures on Ubuntu 22.04 and older
** Also affects: apport (Ubuntu Bionic)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1989467

Title:
  Several autopkgtest failures on Ubuntu 22.04 and older

Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released
Status in apport source package in Jammy:
  Fix Released

Bug description:
  [Impact]

  All autopkgtest fail on Ubuntu 22.04 (jammy) and older:
  https://autopkgtest.ubuntu.com/packages/apport

  This leads to not detecting regressions from security updates.

  [Test Plan]

  Check that the autopkgtest succeed all architectures (except for
  i386).

  [Where problems could occur]

  The test cases are only part of the apport source package and are not
  copied in any binary packages. Changes to the test will only affect
  the package build and test execution.

  [Other info]

  Due to the huge amount of broken autopkgtest tests, the diff for the
  SRUs are bigger than desired. The individual commits in
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are
  probably easier to review.

  * jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
  * focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881

  [Details]

  Following test cases fail:

  * backend_apt_dpkg:
  ** test_get_dependencies (armhf)
  ** test_get_source_tree_sandbox (arm64, armhf, ppc64el)
  ** test_install_old_packages (arm64, armhf, ppc64el)
  ** test_install_package_from_a_ppa (arm64, armhf, ppc64el)
  ** test_install_packages_dependencies (arm64, armhf, ppc64el)
  ** test_install_packages_from_launchpad (arm64, armhf, ppc64el)
  ** test_install_packages_permanent_sandbox (arm64, armhf, ppc64el)
  ** test_install_packages_permanent_sandbox_repack (arm64, armhf, ppc64el)
  ** test_install_packages_unversioned (arm64, armhf, ppc64el)
  ** test_install_packages_versioned (arm64, armhf, ppc64el)
  * hookutils:
  ** test_module_license_evaluation (armhf)
  * python_crashes:
  ** test_dbus_service_timeout_running (armhf)
  ** test_dbus_service_unknown_wrongbus_notrunning (armhf)
  * report:
  ** test_add_gdb_info_abort (armhf)
  ** test_add_gdb_info_script (armhf)
  ** test_add_zz_parse_segv_details (arm64, armhf, ppc64el, s390x)
  * signal_crashes:
  ** test_core_dump_packaged (armhf, ppc64el, s390x)
  ** test_core_dump_unpackaged (armhf)
  ** test_core_file_injection (armhf)
  ** test_crash_system_slice (amd64, ppc64el, s390x)
  ** test_empty_core_dump (follow-up failure for test_crash_system_slice)
  ** test_flood_limit (follow-up failure for test_crash_system_slice)
  ** test_ignore (follow-up failure for test_crash_system_slice)
  ** test_ignore_sigquit (follow-up failure for test_crash_system_slice)
  * ui:
  ** test_run_crash_kernel (arm64, s390x)
  ** test_run_update_report_different_binary_source (armhf)
  ** test_run_report_bug_kernel_thread (armhf)
  * ui_gtk:
  ** test_kerneloops_nodetails (armhf)
[Touch-packages] [Bug 1982487] Re: apport fails with PermissionError for dump mode 2 in containers
** Also affects: apport (Ubuntu Bionic)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1982487

Title:
  apport fails with PermissionError for dump mode 2 in containers

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released
Status in apport source package in Jammy:
  Fix Released

Bug description:
  [Impact]

  Apport will fail for processes with dump mode 2 inside of containers.

  [Test plan]

  Run following testcase script inside a LXC container:

  ```
  #!/bin/sh
  sudo rm -rf /var/crash/* /var/log/apport.log
  sudo -u mail sh -c "ping 127.0.0.1 > /dev/null" &
  sleep 0.3
  killall -11 ping
  sleep 0.3
  cat /var/log/apport.log
  ```

  apport.log for the affected version:

  ```
  ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: called for pid 6449, signal 11, core limit 0, dump mode 2
  ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: not creating core for pid with dump mode of 2
  ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: Unhandled exception:
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/apport/report.py", line 681, in add_proc_info
      self["ExecutablePath"] = _read_proc_link(
    File "/usr/lib/python3/dist-packages/apport/report.py", line 92, in _read_proc_link
      return os.readlink(path, dir_fd=dir_fd)
  PermissionError: [Errno 13] Permission denied: 'exe'

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/share/apport/apport", line 862, in
      info.add_proc_info(proc_pid_fd=proc_pid_fd)
    File "/usr/lib/python3/dist-packages/apport/report.py", line 686, in add_proc_info
      raise ValueError("not accessible")
  ValueError: not accessible
  ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: pid: 6452, uid: 0, gid: 0, euid: 8, egid: 8
  ERROR: apport (pid 6452) Thu Jul 21 12:59:45 2022: environment: environ({'LANG': 'C.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin', 'LISTEN_PID': '6452', 'LISTEN_FDS': '1', 'LISTEN_FDNAMES': 'connection', 'INVOCATION_ID': '1352c67b4a21480a9b35db8012dafb42', 'JOURNAL_STREAM': '8:29587491', 'SYSTEMD_EXEC_PID': '6452'})
  ```

  The apport log should not show a Traceback.

  [Where problems could occur]

  The apport binary is called by the kernel when a process crashes.
  Worst case scenarios include breaking the apport binary and no problem
  report is generated any more (or apport uses too much resources).
  Users will see problems reports inside the container which cause
  additional load or disk usage. The fix is accompanied by a test case
  (run in autopkgtest).

  [Other Info]

  The autopkgtest for armhf are run inside a LXC container and some test
  cases like test_crash_setuid_drop trigger this bug.

  Due to the huge amount of broken autopkgtest tests, the diff for the
  SRUs are bigger than desired. The individual commits in
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are
  probably easier to review.

  * jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
  * focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881
[Touch-packages] [Bug 1982555] Re: core dump file empty inside container
** Also affects: apport (Ubuntu Bionic)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1982555

Title:
  core dump file empty inside container

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Bionic:
  New
Status in apport source package in Focal:
  Fix Released
Status in apport source package in Jammy:
  Fix Released

Bug description:

[Impact]

Apport will write an empty core dump file inside of containers.

[Test plan]

Run following testcase script inside a LXC container:

```
rm -f /var/lib/apport/coredump/*
ulimit -c 100
sleep 86400 &
killall -3 sleep
```

Apport will write a core dump into /var/lib/apport/coredump, but this core dump is empty:

```
$ stat /var/lib/apport/coredump/core._usr_bin_sleep.*
  File: /var/lib/apport/coredump/core._usr_bin_sleep.0.44f483a1-e487-44b3-88d1-805d1026f31d.9059.34839819
  Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 120848663 Links: 1
Access: (0400/-r) Uid: (0/root) Gid: (0/root)
Access: 2022-07-22 07:54:48.838682067 +
Modify: 2022-07-22 07:54:48.838682067 +
Change: 2022-07-22 07:54:48.838682067 +
 Birth: 2022-07-22 07:54:48.838682067 +
```

This file should not be empty.

[Where problems could occur]

The apport binary is called by the kernel when a process crashes. Worst case scenarios include breaking the apport binary and no problem report is generated any more (or apport uses too much resources). Users will see problems reports inside the container which cause additional load or disk usage. The fix is accompanied by a test case.

[Other Info]

The autopkgtest for armhf are run inside a LXC container and the test case test_core_dump_packaged_sigquit triggers this bug.

Due to the huge amount of broken autopkgtest tests, the diff for the SRUs are bigger than desired. The individual commits in https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are probably easier to review.

* jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
* focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1982555/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1997569] Re: Merge alsa-utils 1.2.7 from Debian unstable
** Patch added: "ubuntu-to-ubuntu.diff"
   https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/1997569/+attachment/5632336/+files/ubuntu-to-ubuntu.diff

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1997569

Title:
  Merge alsa-utils 1.2.7 from Debian unstable

Status in alsa-utils package in Ubuntu:
  Confirmed

Bug description:
  Please merge alsa-utils 1.2.7 from Debian unstable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/1997569/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1997569] Re: Merge alsa-utils 1.2.7 from Debian unstable
** Patch added: "debian-to-ubuntu.diff"
   https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/1997569/+attachment/5632335/+files/debian-to-ubuntu.diff

** Tags added: patch

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1997569

Title:
  Merge alsa-utils 1.2.7 from Debian unstable

Status in alsa-utils package in Ubuntu:
  Confirmed

Bug description:
  Please merge alsa-utils 1.2.7 from Debian unstable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/1997569/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1997569] [NEW] Merge alsa-utils 1.2.7 from Debian unstable
Public bug reported:

Please merge alsa-utils 1.2.7 from Debian unstable.

** Affects: alsa-utils (Ubuntu)
   Importance: Undecided
       Status: Confirmed

** Tags: patch

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1997569

Title:
  Merge alsa-utils 1.2.7 from Debian unstable

Status in alsa-utils package in Ubuntu:
  Confirmed

Bug description:
  Please merge alsa-utils 1.2.7 from Debian unstable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-utils/+bug/1997569/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1988364] Re: Missing the A2DP profile and defaults to low quality
Thanks, good to know :) At least you are listening :P

Do you know about any updates on this topic?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1988364

Title:
  Missing the A2DP profile and defaults to low quality

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released

Bug description:
  Sony WH-1000XM4 missing the A2DP profile and defaults to low quality
  https://github.com/bluez/bluez/issues/313

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1988364/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1993572] Re: samba profile: missing rule for mkdir /var/cache/samba/printing
** Also affects: apparmor (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1993572

Title:
  samba profile: missing rule for mkdir /var/cache/samba/printing

Status in apparmor package in Ubuntu:
  New
Status in apparmor source package in Kinetic:
  New

Bug description:

After the fix for bug #1990692, one more rule is needed it seems.

I put all samba profiles in enforce mode, and when I ran that final rpcclient command, got an error and an apparmor denied message:

Prep:
sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client

Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root

Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null

Check it's there:
sudo lpstat -l -p testprinter

$ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED

[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=100 ouid=100

And indeed, that directory wasn't created:

$ l /var/cache/samba/printing
ls: cannot access '/var/cache/samba/printing': No such file or directory

$ l /var/cache/samba/
total 16K
drwxr-xr-x 1 root root 48 Oct 19 17:42 .
drwxr-xr-x 1 root root 170 Oct 19 17:41 ..
-rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat
-rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1993572/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
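A denial like the one in the report above can be turned into a candidate profile rule mechanically. The following is an added example, not part of the original message and not AppArmor's own tooling: it parses audit lines, decodes hex-encoded names, and groups the missing file permissions per profile. The function names are hypothetical, and every sample line except the first (taken from the report) is constructed.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")
# Fields that may arrive as bare hex instead of a quoted string: the audit
# layer hex-encodes untrusted strings holding spaces, quotes or control bytes.
STRING_FIELDS = {"name", "comm", "profile", "namespace"}
# Log mask letter -> policy permission. Create (c) and delete (d) have no
# letter of their own in profile syntax; both are granted by write (w).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"


def parse_record(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in STRING_FIELDS and HEX_RE.fullmatch(raw):
            # Only string fields are decoded: pid=129107 is also valid hex.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def suggest_rules(log_text):
    """Return ({profile: [candidate file rules]}, [denials left for review])."""
    wanted = defaultdict(set)
    skipped = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # ALLOWED (complain mode) and STATUS records are ignored
        mask = rec.get("denied_mask", "")
        is_file = rec.get("class", "file") == "file"
        known = bool(mask) and all(c in MASK_TO_PERM for c in mask)
        # Exec (x) needs a transition mode chosen by a human, and non-file
        # classes use a different rule syntax, so both go to manual review.
        if not (is_file and known and "name" in rec and "profile" in rec):
            skipped.append(rec)
            continue
        wanted[(rec["profile"], rec["name"])].update(MASK_TO_PERM[c] for c in mask)

    rules = defaultdict(list)
    for (profile, name), perms in sorted(wanted.items()):
        if "w" in perms:
            perms.discard("a")  # w and a are mutually exclusive in one rule
        path = f'"{name}"' if re.search(r"\s", name) else name
        modes = "".join(p for p in PERM_ORDER if p in perms)
        rules[profile].append(f"{path} {modes},")
    return dict(rules), skipped


SPACED_PATH = "/var/cache/samba/printing/a b.tdb"  # constructed file name
SAMPLE_LOG = "\n".join([
    # From the bug report, with the mail line-wrap spaces removed.
    '[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): '
    'apparmor="DENIED" operation="mkdir" class="file" '
    'namespace="root//lxd-k-samba-apparmor_" profile="samba-rpcd-spoolss" '
    'name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" '
    'requested_mask="c" denied_mask="c" fsuid=100 ouid=100',
    # Constructed: name contains a space, so it is logged as bare hex.
    'audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="open" '
    'class="file" profile="samba-rpcd-spoolss" '
    f'name={SPACED_PATH.encode().hex().upper()} pid=129107 '
    'comm="rpcd_spoolss" requested_mask="wc" denied_mask="wc"',
    # Constructed: delete on the same directory folds into the same rule.
    'audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="rmdir" '
    'class="file" profile="samba-rpcd-spoolss" '
    'name="/var/cache/samba/printing/" requested_mask="d" denied_mask="d"',
    # Constructed: exec denial, left for manual review.
    'audit: type=1400 audit(0.0:3): apparmor="DENIED" operation="exec" '
    'class="file" profile="samba-rpcd-spoolss" name="/usr/bin/example" '
    'requested_mask="x" denied_mask="x"',
    # Constructed: complain-mode record, not a denial.
    'audit: type=1400 audit(0.0:4): apparmor="ALLOWED" operation="open" '
    'class="file" profile="samba-rpcd-spoolss" name="/etc/example.conf" '
    'requested_mask="r" denied_mask="r"',
])

if __name__ == "__main__":
    found, review = suggest_rules(SAMPLE_LOG)
    for profile, lines in found.items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
    print(f"{len(review)} denial(s) need manual review")
```

The output is a starting point for review, not a rule to paste blindly: a generated path may be broader or narrower than what the profile should allow.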
[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy
Is this also contemplating https://bugs.launchpad.net/ubuntu/jammy/+source/apparmor/+bug/1979879 for jammy?

I'll try to take a look

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1994146

Title:
  [SRU] apparmor - Focal, Jammy

Status in apparmor package in Ubuntu:
  Confirmed
Status in apparmor source package in Focal:
  In Progress
Status in apparmor source package in Jammy:
  Incomplete

Bug description:

[ Impact ]

This is a SRU proposal for apparmor in Focal and Jammy.

For focal, we want to SRU fixes for Bug 1964636 which introduces the capability upstream patches. We are also fixing Bug 1728130 and Bug 1993353 which are introducing full backport of abi from apparmor-3.0 and support for POSIX message queue rules, which are both a request from Honeywell.

Note that specifically for message queue rules, we are overriding the abi behavior. Message queue mediation is not a part of the 2.13 abi we are pinning. Honeywell has a kernel that has message queue mediation, but their policy does not contain an abi specified, so when we pin the abi for a kernel that does not mediate message queue, it will break Honeywell's AppArmor policies. So we are making an exception: when abi is not specified in the policy, and the policy contain mqueue rules, we are enforcing mqueue rules. When the policy does not contain mqueue rules, then they are not being enforced. This is so we do not break Honeywell policies and we also are not breaking policies that were developed when there was no mqueue or abi support.

For jammy, we are SRUing fixes for Bug 1993353 which adds message queue rules support.

[ Test Plan ]

This has been extensively tested by using QA Regression Tests[1] for AppArmor. All tests have passed and demonstrated AppArmor to be working as expected.

We are also adding regression tests for message queue rules[2] which guarantees it is working as expected.

[1] https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/858

[ Where problems could occur ]

The message queue rules support could cause issues for AppArmor policies that were developed before there was support for mqueues, that's why we are also backporting abi support and pinning the abi on parser.conf on focal. Jammy already has the abi pinned for a kernel that does not have support for mqueue mediation.

[ Other Info ]

The patches for both focal and jammy can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1994146/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1997278] Re: Merge tiff 4.4.0-5 (main) from Debian unstable (main)
I adjusted your changelog entry to include the remaining differences in the changelog message. I think that makes things more clear to the next person who will work on merging new versions.

I did a second upload because we accidentally missed the symbols file update when we manually merged later.

I am unsubscribing ubuntu-sponsors now because I have uploaded this to Ubuntu. Feel free to resubscribe if you have something else that needs to be sponsored.

I saw that you opened a Debian bug for the security patch. Could you forward the patch there too?

** Changed in: tiff (Ubuntu)
       Status: In Progress => Fix Committed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tiff in Ubuntu.
https://bugs.launchpad.net/bugs/1997278

Title:
  Merge tiff 4.4.0-5 (main) from Debian unstable (main)

Status in tiff package in Ubuntu:
  Fix Committed

Bug description:

Please merge tiff 4.4.0-5 (main) from Debian unstable (main)

Changelog entries since current kinetic version 4.4.0-4ubuntu3:

tiff (4.4.0-5) unstable; urgency=high

  * Backport security fix for CVE-2022-3597, CVE-2022-3626 and CVE-2022-3627, out of bounds write and denial of service via a crafted TIFF file.
  * Backport security fix for CVE-2022-3570, multiple heap buffer overflows via crafted TIFF file.
  * Backport security fix for CVE-2022-3599, denial-of-service via a crafted TIFF file.
  * Backport security fix for CVE-2022-3598, denial-of-service via a crafted TIFF file (closes: #1022555).

 -- Laszlo Boszormenyi (GCS) Sun, 23 Oct 2022 22:38:15 +0200

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1997278/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
Chris, I updated the description with the SRU template information.

The test plan shows this does what we need:

1. feature is in kernel, abi set in policy is kernel, and policy does not have permission: execution fails with permission denied.
2. abi set in policy does not contain feature, and policy does not have permission: execution is allowed.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly being applied

Status in apparmor package in Ubuntu:
  New

Bug description:

[ Impact ]

Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced.

However this can result in breaking applications in undesirable ways. If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced.

If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace.

This is less than ideal for most users as it leads to a bad experience than they have not opted into and can lead to them disabling security protections.

[ Test Plan ]

The test can be done with several features. Here we are using mqueue as an example.

Verify that the kernel that has mqueue mediation support:

root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
supports mqueue

cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make

Using the parser from the mqueue-sru PPA, load the profile.

echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r

Run the test, which should fail.

./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied

Now use an abi that does not have mqueue. This simulates a scenario where a policy was developed before mqueue support was added, so posix message queues should be allowed by default.

echo "
abi ,
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r

Run the test again, it should pass.

./posix_mq_rcv -c ./posix_mq_snd
PASS

[ Where problems could occur ]

ABI pinning forces policies that don't have abi specified in their profile to use the ABI pinned in parser.conf. When the ABI is pinned and the user is trying to use mediation that is not in the pinned ABI, they might be confused why it is always being allowed. This can be circumvented by specifying the correct abi in the profile.

[ Other Info ]

The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/

apparmor-3.0 already has this feature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1728130] Re: Policy needs improved feature versioning to ensure it is correctly being applied
** Description changed: + [ Impact ] + Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced. However this can result in breaking applications in undesirable ways. If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced. If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace. This is less than ideal for most users as it leads to a bad experience than they have not opted into and can lead to them disabling security protections. + + [ Test Plan ] + + The test can be done with several features. Here we are using mqueue as an example. + Verify that the kernel that has mqueue mediation support: + root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue" + supports mqueue + + cd /tmp + pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal + cd apparmor-2.13.3/tests/regression/apparmor/ + USE_SYSTEM=1 make + + Using the parser from the mqueue-sru PPA, load the profile. + echo " + abi , + include + /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv { + include + /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux, + } + " | apparmor_parser -q -r + + Run the test, which should fail. + ./posix_mq_rcv -c ./posix_mq_snd + FAIL - could not open mq: Permission denied + + Now use an abi that does not have mqueue. This simulates a scenario + where a policy was developed before mqueue support was added, so posix + message queues should be allowed by default. 
+ + echo " + abi , + include + /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv { + include + /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux, + } + " | apparmor_parser -q -r + + Run the test again, it should pass. + ./posix_mq_rcv -c ./posix_mq_snd + PASS + + [ Where problems could occur ] + + ABI pinning forces policies that don't have abi specified in their + profile to use the ABI pinned in parser.conf. When the ABI is pinned and + the user is trying to use mediation that is not in the pinned ABI, they + might be confused why it is always being allowed. This can be + circumvented by specifying the correct abi in the profile. + + [ Other Info ] + + The patches for focal (apparmor-2.13) can be found at: + https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/ + apparmor-3.0 already has this feature. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1728130 Title: Policy needs improved feature versioning to ensure it is correctly being applied Status in apparmor package in Ubuntu: New Bug description: [ Impact ] Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced. However this can result in breaking applications in undesirable ways. If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced. If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace. This is less than ideal for most users as it leads to a bad experience than they have not opted into and can lead to them disabling security protections. 
[ Test Plan ] The test can be done with several features. Here we are using mqueue as an example. Verify that the kernel that has mqueue mediation support: root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue" supports mqueue cd /tmp pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal cd apparmor-2.13.3/tests/regression/apparmor/ USE_SYSTEM=1 make Using the parser from the mqueue-sru PPA, load the profile. echo " abi , include /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv { include /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux, } " | apparmor_parser -q -r Run the test, which should fail. ./posix_mq_rcv -c ./posix_mq_snd FAIL - could not open mq: Permission denied Now use an abi that does not have mqueue. This simulates a scenario where a policy was developed before mqueue support was added, so posix message queues should be allowed by default. echo " abi , include /tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
[Touch-packages] [Bug 1997338] Re: libdbus-1-3 uninstallable on autopkgtest
** Changed in: dbus (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1997338 Title: libdbus-1-3 uninstallable on autopkgtest Status in dbus package in Ubuntu: Fix Released Bug description: https://autopkgtest.ubuntu.com/results/autopkgtest- lunar/lunar/i386/v/vlc/20221121_104906_b4207@/log.gz Starting pkgProblemResolver with broken count: 9 Starting 2 pkgProblemResolver with broken count: 9 Investigating (0) libvlccore9:i386 < none -> 3.0.17.4-5 @un puN Ib > Broken libvlccore9:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to libvlccore9:i386 32 Considering libdbus-1-3:i386 0 as a solution to libvlccore9:i386 32 Investigating (0) libqt5dbus5:i386 < none -> 5.15.6+dfsg-1 @un puN Ib > Broken libqt5dbus5:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to libqt5dbus5:i386 4 Considering libdbus-1-3:i386 0 as a solution to libqt5dbus5:i386 4 Investigating (0) libpulse0:i386 < none -> 1:16.1+dfsg1-1ubuntu3 @un puN Ib > Broken libpulse0:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to libpulse0:i386 4 Considering libdbus-1-3:i386 0 as a solution to libpulse0:i386 4 Investigating (0) libavahi-client3:i386 < none -> 0.8-6ubuntu1 @un puN Ib > Broken libavahi-client3:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to libavahi-client3:i386 2 Considering libdbus-1-3:i386 0 as a solution to libavahi-client3:i386 2 Investigating (0) libatspi2.0-0:i386 < none -> 2.46.0-3 @un puN Ib > Broken libatspi2.0-0:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a 
solution to libatspi2.0-0:i386 0 Considering libdbus-1-3:i386 0 as a solution to libatspi2.0-0:i386 0 Investigating (0) vlc-plugin-base:i386 < none -> 3.0.17.4-5 @un puN Ib > Broken vlc-plugin-base:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to vlc-plugin-base:i386 0 Considering libdbus-1-3:i386 0 as a solution to vlc-plugin-base:i386 0 Investigating (0) libfluidsynth3:i386 < none -> 2.2.8-1 @un puN Ib > Broken libfluidsynth3:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to libfluidsynth3:i386 0 Considering libdbus-1-3:i386 0 as a solution to libfluidsynth3:i386 0 Investigating (0) libatk-bridge2.0-0:i386 < none -> 2.46.0-3 @un puN Ib > Broken libatk-bridge2.0-0:i386 Depends on libdbus-1-3:i386 < none | 1.14.0-2ubuntu2 @un uH > (>= 1.9.14) Considering libdbus-1-3:i386 0 as a solution to libatk-bridge2.0-0:i386 0 Considering libdbus-1-3:i386 0 as a solution to libatk-bridge2.0-0:i386 0 Investigating (0) libdebuginfod1:i386 < none -> 0.187-4 @un puN Ib > Broken libdebuginfod1:i386 Depends on libcurl3-gnutls:i386 < none | 7.85.0-1 @un uH > (>= 7.28.0) Considering libcurl3-gnutls:i386 0 as a solution to libdebuginfod1:i386 0 Considering libcurl3-gnutls:i386 0 as a solution to libdebuginfod1:i386 0 Done Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. 
The following information may help to resolve the situation: The following packages have unmet dependencies: libatk-bridge2.0-0:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed libatspi2.0-0:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed libavahi-client3:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed libdebuginfod1:i386 : Depends: libcurl3-gnutls:i386 (>= 7.28.0) but it is not going to be installed libfluidsynth3:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed libpulse0:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed libqt5dbus5:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed libvlccore9:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed vlc-plugin-base:i386 : Depends: libdbus-1-3:i386 (>= 1.9.14) but it is not going to be installed E: Unable to correct problems, you have held broken packages. autopkgtest: WARNING: Test dependencies are unsatisfiable - calling apt install on test deps directly for further data about failing dependencies in test logs
[Touch-packages] [Bug 1947800] Re: /usr/share/apport/whoopsie-upload-all:zlib.error:/usr/share/apport/whoopsie-upload-all@196:collect_info:process_report:add_gdb_info:gdb_command:write:read:readinto:r
** Description changed: + [ Impact ] + The Ubuntu Error Tracker has been receiving reports about a problem regarding apport. This problem was most recently seen with package version 2.20.11-0ubuntu70, the problem page at https://errors.ubuntu.com/problem/7120f8aebdf09e9dca39196d035eec234071e800 contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports. If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/. Traceback (most recent call last): File "/usr/share/apport/whoopsie-upload-all", line 196, in stamps = collect_info() File "/usr/share/apport/whoopsie-upload-all", line 146, in collect_info res = process_report(r) File "/usr/share/apport/whoopsie-upload-all", line 103, in process_report r.add_gdb_info() File "/usr/lib/python3/dist-packages/apport/report.py", line 786, in add_gdb_info gdb_cmd, environ = self.gdb_command(rootdir, gdb_sandbox) File "/usr/lib/python3/dist-packages/apport/report.py", line 1706, in gdb_command self['CoreDump'].write(f) File "/usr/lib/python3/dist-packages/problem_report.py", line 75, in write block = gz.read(1048576) File "/usr/lib/python3.9/gzip.py", line 300, in read return self._buffer.read(size) File "/usr/lib/python3.9/_compression.py", line 68, in readinto data = self.read(len(byte_view)) File "/usr/lib/python3.9/gzip.py", line 495, in read uncompress = self._decompressor.decompress(buf, size) zlib.error: Error -3 while decompressing data: invalid code lengths set Report for 20.04 (focal): https://errors.ubuntu.com/problem/fff3109d511a7db05ec5526679b8d8608a143932 + + [ Test plan ] + + Check that the fixed version does not appear on + https://errors.ubuntu.com/problem/fff3109d511a7db05ec5526679b8d8608a143932 + + [Where problems could occur] + + Worst case - in any part of the bug reporting/collection procedure, + since that is what's changing. 
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1947800 Title: /usr/share/apport/whoopsie-upload- all:zlib.error:/usr/share/apport/whoopsie-upload- all@196:collect_info:process_report:add_gdb_info:gdb_command:write:read:readinto:read Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Focal: New Status in apport source package in Impish: Won't Fix Status in apport source package in Jammy: Fix Released Bug description: [ Impact ] The Ubuntu Error Tracker has been receiving reports about a problem regarding apport. This problem was most recently seen with package version 2.20.11-0ubuntu70, the problem page at https://errors.ubuntu.com/problem/7120f8aebdf09e9dca39196d035eec234071e800 contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports. If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/. 
Traceback (most recent call last): File "/usr/share/apport/whoopsie-upload-all", line 196, in stamps = collect_info() File "/usr/share/apport/whoopsie-upload-all", line 146, in collect_info res = process_report(r) File "/usr/share/apport/whoopsie-upload-all", line 103, in process_report r.add_gdb_info() File "/usr/lib/python3/dist-packages/apport/report.py", line 786, in add_gdb_info gdb_cmd, environ = self.gdb_command(rootdir, gdb_sandbox) File "/usr/lib/python3/dist-packages/apport/report.py", line 1706, in gdb_command self['CoreDump'].write(f) File "/usr/lib/python3/dist-packages/problem_report.py", line 75, in write block = gz.read(1048576) File "/usr/lib/python3.9/gzip.py", line 300, in read return self._buffer.read(size) File "/usr/lib/python3.9/_compression.py", line 68, in readinto data = self.read(len(byte_view)) File "/usr/lib/python3.9/gzip.py", line 495, in read uncompress = self._decompressor.decompress(buf, size) zlib.error: Error -3 while decompressing data: invalid code lengths set Report for 20.04 (focal): https://errors.ubuntu.com/problem/fff3109d511a7db05ec5526679b8d8608a143932 [ Test plan ] Check that the fixed version does not appear on https://errors.ubuntu.com/problem/fff3109d511a7db05ec5526679b8d8608a143932 [Where problems could occur] Worst case - in any part of the bug reporting/collection procedure, since that is what's changing. To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1947800/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe :
[Touch-packages] [Bug 1947800] Re: /usr/share/apport/whoopsie-upload-all:zlib.error:/usr/share/apport/whoopsie-upload-all@196:collect_info:process_report:add_gdb_info:gdb_command:write:read:readinto:r
** Changed in: apport (Ubuntu Focal)
       Status: Fix Committed => New

https://bugs.launchpad.net/bugs/1947800
[Touch-packages] [Bug 1889443] Re: "ValueError: ['separator'] has no binary content" when running `apport-unpack /var/crash/...`
** Description changed: + [ Impact ] + + Extracting a crash file will always fail in case the crash report was + processed. + + [ Test plan ] + + 1. Create crash (e.g. with divide-by-zero): + ``` + sudo apt install chaos-marmosets + divide-by-zero + ``` + 2. Click on "show details" in Apport crash UI, then close it + 3. exract crash report: + ``` + tmpdir=$(mktemp -d) + apport-unpack /var/crash/_usr_bin_divide-by-zero.1000.crash "$tmpdir" + rm -rf "$tmpdir" + ``` + + The extraction should work and not print a stack trace. + + [ Original report ] + The crash file I'm using is as-produced by the system (on groovy), and appears to have an empty value for separator: $ grep separator /var/crash/_usr_bin_neomutt.1000.crash separator: Traceback (most recent call last): - File "/usr/bin/apport-unpack", line 77, in - pr.extract_keys(f, bin_keys, dir) - File "/usr/lib/python3/dist-packages/problem_report.py", line 269, in extract_keys - raise ValueError('%s has no binary content' % + File "/usr/bin/apport-unpack", line 77, in + pr.extract_keys(f, bin_keys, dir) + File "/usr/lib/python3/dist-packages/problem_report.py", line 269, in extract_keys + raise ValueError('%s has no binary content' % ValueError: ['separator'] has no binary content ProblemType: Bug DistroRelease: Ubuntu 20.10 Package: apport 2.20.11-0ubuntu42 ProcVersionSignature: Ubuntu 5.4.0-37.41-generic 5.4.41 Uname: Linux 5.4.0-37-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu42 Architecture: amd64 CasperMD5CheckResult: skip CrashReports: 640:1000:117:1620030:2020-07-29 12:16:57.045274496 -0400:2020-07-29 12:19:15.559243636 -0400:/var/crash/_usr_bin_neomutt.1000.crash 640:1000:117:4399480:2020-07-23 10:30:21.433552906 -0400:2020-07-23 10:30:18.921508067 -0400:/var/crash/_usr_bin_pavucontrol.1000.crash 640:1000:117:29909:2020-07-29 12:19:15.603244279 -0400:2020-07-29 12:19:15.603244279 
-0400:/var/crash/_usr_bin_apport-unpack.1000.crash CurrentDesktop: i3 Date: Wed Jul 29 12:22:54 2020 InstallationDate: Installed on 2019-05-07 (448 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) PackageArchitecture: all SourcePackage: apport UpgradeStatus: Upgraded to groovy on 2020-06-22 (37 days ago) ** Description changed: [ Impact ] Extracting a crash file will always fail in case the crash report was processed. [ Test plan ] 1. Create crash (e.g. with divide-by-zero): ``` sudo apt install chaos-marmosets divide-by-zero ``` 2. Click on "show details" in Apport crash UI, then close it 3. exract crash report: ``` tmpdir=$(mktemp -d) apport-unpack /var/crash/_usr_bin_divide-by-zero.1000.crash "$tmpdir" rm -rf "$tmpdir" ``` The extraction should work and not print a stack trace. + + [ Where problems could occur ] + + The change touches the problem report reading code which is used in + several places. This could cause regressions in reading the problem + report. 
[ Original report ] The crash file I'm using is as-produced by the system (on groovy), and appears to have an empty value for separator: $ grep separator /var/crash/_usr_bin_neomutt.1000.crash separator: Traceback (most recent call last): File "/usr/bin/apport-unpack", line 77, in pr.extract_keys(f, bin_keys, dir) File "/usr/lib/python3/dist-packages/problem_report.py", line 269, in extract_keys raise ValueError('%s has no binary content' % ValueError: ['separator'] has no binary content ProblemType: Bug DistroRelease: Ubuntu 20.10 Package: apport 2.20.11-0ubuntu42 ProcVersionSignature: Ubuntu 5.4.0-37.41-generic 5.4.41 Uname: Linux 5.4.0-37-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu42 Architecture: amd64 CasperMD5CheckResult: skip CrashReports: 640:1000:117:1620030:2020-07-29 12:16:57.045274496 -0400:2020-07-29 12:19:15.559243636 -0400:/var/crash/_usr_bin_neomutt.1000.crash 640:1000:117:4399480:2020-07-23 10:30:21.433552906 -0400:2020-07-23 10:30:18.921508067 -0400:/var/crash/_usr_bin_pavucontrol.1000.crash 640:1000:117:29909:2020-07-29 12:19:15.603244279 -0400:2020-07-29 12:19:15.603244279 -0400:/var/crash/_usr_bin_apport-unpack.1000.crash CurrentDesktop: i3 Date: Wed Jul 29 12:22:54 2020 InstallationDate: Installed on 2019-05-07 (448 days ago) InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210) PackageArchitecture: all SourcePackage: apport UpgradeStatus: Upgraded to groovy on 2020-06-22 (37 days ago) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1889443 Title: "ValueError: ['separator'] has no binary
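Review bot: in the added test plan, step 3 reads "exract crash report", which should be "extract crash report". The plan also depends on step 2 to leave the report in the processed state named under [ Impact ] but never checks it; running the `grep separator` check from the original report before `apport-unpack` would confirm the crash file is in the state the original report describes, so that a pass cannot come from an unprocessed report.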
[Touch-packages] [Bug 1967965] Re: apport-kde: "Other problem" and "Display" options are swapped
** Description changed: - [Testcase] + [ Impact ] + + Due to this bug, users on KDE have hard times to report generic problems + against Ubuntu. + + [ Testcase ] 1. Run: /usr/share/apport/apport-kde -f 2. Select "Display (X.org)" and click OK 3. Then a window asking "What display problem do you observe?" should be presented. - [Original report] + [ Where problems could occur ] + + Since this fix enables users to properly report generic problems, it can + reveal bugs in the later stage. + + [ Other Info ] + + Since this fix touched the KDE part, the SRU will also enable the KDE UI + tests again and repair them to make them run. + + [ Original report ] When attempting to report https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1967963 I was unable to use `ubuntu-bug firefox`, so I just ran `ubuntu-bug`. However doing so gave me a menu with unrelated option (as expected) and an "Other problem..." option. I assumed this was for generic other bugs, as I think is reasonable; however, it brings me to a menu that only makes sense for display-related bugs. I think this text should be changed to note that; perhaps "Other display problem...". 
ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: apport 2.20.11-0ubuntu80 ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27 Uname: Linux 5.15.0-23-generic x86_64 ApportVersion: 2.20.11-0ubuntu80 Architecture: amd64 CasperMD5CheckResult: pass CrashReports: 640:1000:124:13488049:2022-03-30 13:20:08.905176436 -0500:2022-03-30 13:20:07.977480154 -0500:/var/crash/_usr_bin_telegram-desktop.1000.crash 640:0:124:755694:2022-03-30 13:17:26.598466630 -0500:2022-03-30 13:17:26.258453989 -0500:/var/crash/_usr_libexec_udisks2_udisksd.0.crash CurrentDesktop: KDE Date: Tue Apr 5 19:58:56 2022 InstallationDate: Installed on 2022-03-30 (6 days ago) InstallationMedia: Kubuntu 22.04 LTS "Jammy Jellyfish" - Beta amd64 (20220329.1) PackageArchitecture: all ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/usr/bin/zsh SourcePackage: apport UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1967965 Title: apport-kde: "Other problem" and "Display" options are swapped Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Focal: Confirmed Status in apport source package in Jammy: Confirmed Bug description: [ Impact ] Due to this bug, users on KDE have hard times to report generic problems against Ubuntu. [ Testcase ] 1. Run: /usr/share/apport/apport-kde -f 2. Select "Display (X.org)" and click OK 3. Then a window asking "What display problem do you observe?" should be presented. [ Where problems could occur ] Since this fix enables users to properly report generic problems, it can reveal bugs in the later stage. [ Other Info ] Since this fix touched the KDE part, the SRU will also enable the KDE UI tests again and repair them to make them run. 
[ Original report ] When attempting to report https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1967963 I was unable to use `ubuntu-bug firefox`, so I just ran `ubuntu-bug`. However doing so gave me a menu with unrelated option (as expected) and an "Other problem..." option. I assumed this was for generic other bugs, as I think is reasonable; however, it brings me to a menu that only makes sense for display-related bugs. I think this text should be changed to note that; perhaps "Other display problem...". ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: apport 2.20.11-0ubuntu80 ProcVersionSignature: Ubuntu 5.15.0-23.23-generic 5.15.27 Uname: Linux 5.15.0-23-generic x86_64 ApportVersion: 2.20.11-0ubuntu80 Architecture: amd64 CasperMD5CheckResult: pass CrashReports: 640:1000:124:13488049:2022-03-30 13:20:08.905176436 -0500:2022-03-30 13:20:07.977480154 -0500:/var/crash/_usr_bin_telegram-desktop.1000.crash 640:0:124:755694:2022-03-30 13:17:26.598466630 -0500:2022-03-30 13:17:26.258453989 -0500:/var/crash/_usr_libexec_udisks2_udisksd.0.crash CurrentDesktop: KDE Date: Tue Apr 5 19:58:56 2022 InstallationDate: Installed on 2022-03-30 (6 days ago) InstallationMedia: Kubuntu 22.04 LTS "Jammy Jellyfish" - Beta amd64 (20220329.1) PackageArchitecture: all ProcEnviron: PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/usr/bin/zsh SourcePackage: apport UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/apport/+bug/1967965/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe :
[Touch-packages] [Bug 1997553] Re: network-manager fails to trigger dispatcher scripts with action dhcp4-change when dhcp lease is renewed
** Description changed: We rely on network-manager dispatcher scripts on our desktop and laptop computers. The dispatcher scripts are used to update DNS records with nsupdate when the dhcp lease is renewed. With jammy this is not working anymore. It seems that dispatcher scripts are run only when the interface comes up (with action 'up') and with the initial dhcp lease (with action 'dhcp4-change'), but when the lease is renewed, the dispatcher scripts are not run with any action. The only action the dispatcher scripts are run regularly with is 'connectivity- change', which seems to occur twice in a row every few hours. I have made a simple script to log how the dispatcher scripts are run: - /etc/NetworkManager/dispatcher.d/99-test: + /etc/NetworkManager/dispatcher.d/99-test: #!/bin/bash PATH='/bin:/sbin:/usr/bin:/usr/sbin' echo $(date) 0: $0 IFACE: $1 ACTION: $2 >> /tmp/nm.log + This script proves that action 'dhcp4-change' only occurs when I + manually restart NetworkManager.service or unplug and replug the + ethernet cable. - This script proves that action 'dhcp4-change' only occurs when I manually restart NetworkManager.service or unplug and replug the ethernet cable. + + network-manager version: 1.36.6-0ubuntu2 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1997553 Title: network-manager fails to trigger dispatcher scripts with action dhcp4-change when dhcp lease is renewed Status in network-manager package in Ubuntu: Confirmed Bug description: We rely on network-manager dispatcher scripts on our desktop and laptop computers. The dispatcher scripts are used to update DNS records with nsupdate when the dhcp lease is renewed. With jammy this is not working anymore. 
  It seems that dispatcher scripts are run only when the interface comes up (with action 'up') and with the initial dhcp lease (with action 'dhcp4-change'), but when the lease is renewed, the dispatcher scripts are not run with any action. The only action the dispatcher scripts are run regularly with is 'connectivity-change', which seems to occur twice in a row every few hours.

  I have made a simple script to log how the dispatcher scripts are run:

  /etc/NetworkManager/dispatcher.d/99-test:

    #!/bin/bash
    PATH='/bin:/sbin:/usr/bin:/usr/sbin'
    echo $(date) 0: $0 IFACE: $1 ACTION: $2 >> /tmp/nm.log

  This script proves that action 'dhcp4-change' only occurs when I manually restart NetworkManager.service or unplug and replug the ethernet cable.

  network-manager version: 1.36.6-0ubuntu2
[Touch-packages] [Bug 1964828] Re: /usr/share/apport/general-hooks/ubuntu.py crashed: KeyError: 'CasperMD5json'
** Changed in: apport (Ubuntu Focal)
       Status: Fix Committed => New

** Changed in: apport (Ubuntu Jammy)
       Status: Fix Committed => New

** Tags added: foundations-todo

** Changed in: apport (Ubuntu)
     Assignee: (unassigned) => Benjamin Drung (bdrung)

https://bugs.launchpad.net/bugs/1964828

Title:
  /usr/share/apport/general-hooks/ubuntu.py crashed: KeyError: 'CasperMD5json'

Status in apport package in Ubuntu: Fix Released
Status in apport source package in Focal: New
Status in apport source package in Jammy: New

Bug description:
  [Impact]

  If the user reports a bug and refuses to enter the root password for collecting information (like the CasperMD5json), the Ubuntu add_info hook will fail with a stack trace. The remaining code for collecting more information is not executed. So the resulting bug reports will be less helpful. The check_for_disk_error call is not reached and therefore skipped.

  [Test Plan]

  1. Launch the Ubuntu installer (i.e. ubuntu-22.04-desktop-amd64.iso)
  2. Select "Try Ubuntu"
  3. Open a terminal
  4. Run: ubuntu-bug -f
  5. Select "installer" and click on OK
  6. Click on "abort" when asked for the password
  7. The terminal should not show a stacktrace

  [Where problems could occur]

  The changed code is the Ubuntu add_info hook. So this hook could fail due to a regression or reveal bugs in the later code path. The later code path could cause more load on the user's machine (but only when the user wants to report the issue). Apport will catch failing add_info hooks and store the failure in the report.

  [Original report]

  ERROR: hook /usr/share/apport/general-hooks/ubuntu.py crashed:
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/apport/report.py", line 228, in _run_hook
      symb['add_info'](report, ui)
    File "/usr/share/apport/general-hooks/ubuntu.py", line 81, in add_info
      apport.hookutils.attach_casper_md5check(report,
    File "/usr/lib/python3/dist-packages/apport/hookutils.py", line 1016, in attach_casper_md5check
      check = json.loads(report['CasperMD5json'])
    File "/usr/lib/python3.10/collections/__init__.py", line 1102, in __getitem__
      raise KeyError(key)
  KeyError: 'CasperMD5json'
  kubuntu@kubuntu:~$ Gtk-Message: 21:22:43.923: Failed to load module "colorreload-gtk-module"
  ATTENTION: default value of option mesa_glthread overridden by environment.
  ATTENTION: default value of option mesa_glthread overridden by environment.
  ATTENTION: default value of option mesa_glthread overridden by environment.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: ubiquity 22.04.7
  ProcVersionSignature: Ubuntu 5.15.0-22.22-generic 5.15.19
  Uname: Linux 5.15.0-22-generic x86_64
  ApportVersion: 2.20.11-0ubuntu79
  Architecture: amd64
  CasperVersion: 1.467
  CurrentDesktop: KDE
  Date: Mon Mar 14 21:22:23 2022
  InstallCmdLine: BOOT_IMAGE=/casper/vmlinuz file=/cdrom/preseed/kubuntu.seed maybe-ubiquity quiet splash ---
  LiveMediaBuild: Kubuntu 22.04 LTS "Jammy Jellyfish" - Alpha amd64 (20220314)
  SourcePackage: ubiquity
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1947425] Re: Use of deprecated 'imp' module
** Description changed: Impact -- The deprecation warning is just a warning, but it clutters the output and can lead to misattributions in case something does not work as expected. Test Case - - 1. Execute following command: + 1. apt install apport + 2. Execute following command: python3 -Wonce -c "import apport.report" - 2. There should be no output. + 3. There should be no output. Where problems could occur -- Except for changes to the test cases, _check_interpreted is the only consumer for the changed code. Breakage in this code paths can lead to wrongly assume that the crashing Python code is an interpreted script or not. This can lead to reports that have only ExecutablePath set (and not InterpreterPath). Original Description Code using apport/report.py will see the following warning: $ python3 -Wonce -c "import apport.report" /usr/lib/python3/dist-packages/apport/report.py:13 /usr/lib/python3/dist-packages/apport/report.py:13: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses import fnmatch, glob, traceback, errno, sys, atexit, locale, imp, stat The 'imp' module is slated for removal in Python 3.12. https://github.com/python/cpython/blob/main/Lib/imp.py#L31 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1947425 Title: Use of deprecated 'imp' module Status in Apport: Fix Released Status in apport package in Ubuntu: Fix Released Status in apport source package in Jammy: New Bug description: Impact -- The deprecation warning is just a warning, but it clutters the output and can lead to misattributions in case something does not work as expected. Test Case - 1. apt install apport 2. Execute following command: python3 -Wonce -c "import apport.report" 3. There should be no output. 
  Where problems could occur
  --------------------------

  Except for changes to the test cases, _check_interpreted is the only consumer for the changed code. Breakage in this code path can lead to wrongly assuming that the crashing Python code is an interpreted script or not. This can lead to reports that have only ExecutablePath set (and not InterpreterPath).

  Original Description
  --------------------

  Code using apport/report.py will see the following warning:

  $ python3 -Wonce -c "import apport.report"
  /usr/lib/python3/dist-packages/apport/report.py:13
    /usr/lib/python3/dist-packages/apport/report.py:13: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
      import fnmatch, glob, traceback, errno, sys, atexit, locale, imp, stat

  The 'imp' module is slated for removal in Python 3.12.
  https://github.com/python/cpython/blob/main/Lib/imp.py#L31
[Touch-packages] [Bug 1997553] Re: network-manager fails to trigger dispatcher scripts with action dhcp4-change when dhcp lease is renewed
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: network-manager (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/1997553
[Touch-packages] [Bug 1997553] [NEW] network-manager fails to trigger dispatcher scripts with action dhcp4-change when dhcp lease is renewed
Public bug reported:

We rely on network-manager dispatcher scripts on our desktop and laptop computers. The dispatcher scripts are used to update DNS records with nsupdate when the dhcp lease is renewed. With jammy this is not working anymore.

It seems that dispatcher scripts are run only when the interface comes up (with action 'up') and with the initial dhcp lease (with action 'dhcp4-change'), but when the lease is renewed, the dispatcher scripts are not run with any action. The only action the dispatcher scripts are run regularly with is 'connectivity-change', which seems to occur twice in a row every few hours.

I have made a simple script to log how the dispatcher scripts are run:

/etc/NetworkManager/dispatcher.d/99-test:

  #!/bin/bash
  PATH='/bin:/sbin:/usr/bin:/usr/sbin'
  echo $(date) 0: $0 IFACE: $1 ACTION: $2 >> /tmp/nm.log

This script proves that action 'dhcp4-change' only occurs when I manually restart NetworkManager.service or unplug and replug the ethernet cable.

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: Confirmed

https://bugs.launchpad.net/bugs/1997553
[Touch-packages] [Bug 1979211] Re: /usr/share/apport/apport:AttributeError:/usr/share/apport/apport@531:parse_arguments:print_usage:_print_message
This crash has been fixed as drive-by fix for bug #1982555 in apport 2.20.11-0ubuntu27.25 (focal) and apport 2.20.11-0ubuntu82.2 (jammy).

** Changed in: apport (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** Changed in: apport (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1979211

Title:
  /usr/share/apport/apport:AttributeError:/usr/share/apport/apport@531:parse_arguments:print_usage:_print_message

Status in Apport: Fix Released
Status in apport package in Ubuntu: Fix Released
Status in apport source package in Focal: Fix Released
Status in apport source package in Impish: Won't Fix
Status in apport source package in Jammy: Fix Released

Bug description:
  Impact
  ------

  As it can be seen in https://errors.ubuntu.com/problem/e714f8181c0785693f3a66969c594a3b19bcab2b there are thousands of crashes of this type (and multiple duplicate bug reports for it). Instead of apport logging a failure in /var/log/apport.log, it crashes. Fixing this bug also fixes the issue with logging failures in the socket path (for handling crashes in containers).

  Test Case
  ---------

  There should be no instances of https://errors.ubuntu.com/problem/e714f8181c0785693f3a66969c594a3b19bcab2b for the fixed version.

  Where problems could occur
  --------------------------

  The apport binary is called by the kernel when a process crashes. Worst case scenarios include breaking the apport binary and no problem report is generated any more (or apport uses too much resources). Since all the desired logs are now logged, it could increase the amount of logs that are written (apport has some flood detection in case a process dies constantly).

  Original Description
  --------------------

  The Ubuntu Error Tracker has been receiving reports about a problem regarding apport. This problem was most recently seen with package version 2.20.11-0ubuntu82.1, the problem page at https://errors.ubuntu.com/problem/e714f8181c0785693f3a66969c594a3b19bcab2b contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports. If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

  Traceback (most recent call last):
    File "/usr/share/apport/apport", line 531, in <module>
      options = parse_arguments()
    File "/usr/share/apport/apport", line 463, in parse_arguments
      parser.print_usage()
    File "/usr/lib/python3.10/argparse.py", line 2562, in print_usage
      self._print_message(self.format_usage(), file)
    File "/usr/lib/python3.10/argparse.py", line 2573, in _print_message
      file.write(message)
  AttributeError: 'NoneType' object has no attribute 'write'

  This bug can be reproduced by configuring the previously supported parameters to Apport and then let a process crash (e.g. call divide-by-zero):

  ```
  echo "|/usr/share/apport/apport %p %s %c %d %P %E" | sudo tee /proc/sys/kernel/core_pattern
  ```

  So this bug is a regression of commit c320e910a516 ("Switch to using non-positional arguments") which is a fix for CVE-2022-28658 and CVE-2021-3899.
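
The traceback in the message above ends in argparse writing its usage text to a stderr object that is None, so a rejected command line crashed the handler instead of being logged. The sketch below is an added example, not apport's code: it shows one way to route argparse errors to a log so that nothing depends on the standard streams. The parser, its option names and the in-memory logger are hypothetical, and the sample arguments are constructed.

```python
import argparse
import io
import logging
import sys


class UsageError(Exception):
    """Argument error raised instead of printing usage and exiting."""


class LoggingArgumentParser(argparse.ArgumentParser):
    """argparse parser that never writes to sys.stdout or sys.stderr."""

    def error(self, message):
        # argparse calls error() for every rejected command line. The stock
        # implementation prints usage to sys.stderr and calls sys.exit(2);
        # raising here lets the caller decide where the message goes.
        raise UsageError(message)


def build_parser():
    # Hypothetical option names for illustration, not apport's real options.
    parser = LoggingArgumentParser(prog="crash-handler", add_help=False)
    parser.add_argument("--pid", type=int, required=True)
    parser.add_argument("--signal", type=int, required=True)
    parser.add_argument("--core-ulimit", type=int, default=0)
    parser.add_argument("executable", nargs="?")
    return parser


def parse_handler_args(argv, log):
    """Return the parsed namespace, or None after logging the rejection."""
    try:
        return build_parser().parse_args(argv)
    except UsageError as exc:
        log.error("rejected arguments %r: %s", argv, exc)
        return None


def make_memory_logger():
    """Logger writing to an in-memory buffer, standing in for a log file."""
    buffer = io.StringIO()
    log = logging.getLogger("crash-handler-demo")
    log.handlers.clear()
    log.addHandler(logging.StreamHandler(buffer))
    log.setLevel(logging.INFO)
    log.propagate = False
    return log, buffer


def demo():
    """Parse an old-style and a new-style command line with stderr absent."""
    log, buffer = make_memory_logger()
    saved_stderr = sys.stderr
    sys.stderr = None  # the state the traceback shows: no stderr object
    try:
        # Constructed sample: bare positional values, as the old pattern
        # "%p %s %c ..." would have passed them.
        old_style = parse_handler_args(["4242", "8", "0", "1"], log)
        # Constructed sample: the same crash described with named options.
        new_style = parse_handler_args(
            ["--pid", "4242", "--signal", "8", "!usr!bin!divide-by-zero"], log
        )
    finally:
        sys.stderr = saved_stderr
    return old_style, new_style, buffer.getvalue()


if __name__ == "__main__":
    rejected, accepted, log_text = demo()
    print(rejected, accepted, log_text, sep="\n")
```
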
[Touch-packages] [Bug 1996705] Re: many xruns independently of soundcard and latency
I've updated to latest version. It didn't change.

Lenovo warns about Bios update and charging management on the model page:

"Please update your BIOS to the latest version, as Lenovo has released critical BIOS updates for selected ThinkPad systems to prevent charging issues with some USB-C power device configurations."

https://pcsupport.lenovo.com/ch/fr/products/laptops-and-netbooks/thinkpad-p-series-laptops/thinkpad-p15s-gen-2-type-20w6-20w7/downloads/driver-list/component?name=BIOS

https://bugs.launchpad.net/bugs/1996705

Title:
  many xruns independently of soundcard and latency

Status in jackd2 package in Ubuntu: Invalid

Bug description:
  Hi,

  xruns occur (1-3 every 8-15 seconds)
  happens with any soundcard, at any latency
  stops when power supply is unplugged
[Touch-packages] [Bug 1997542] [NEW] DNS fails with "Using degraded feature set" in logs until resolved is restarted
Public bug reported:

This issue in systemd-resolved which is part of Ubuntu 22.04 causes syslog to be flooded causing periodic storage writes (power overhead). It is reported here: https://github.com/systemd/systemd/issues/13432 . There is no resolution yet. Hence, filing this bug.

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1997542

Title:
  DNS fails with "Using degraded feature set" in logs until resolved is restarted

Status in systemd package in Ubuntu:
  New

Bug description:
  This issue in systemd-resolved which is part of Ubuntu 22.04 causes syslog to be flooded causing periodic storage writes (power overhead). It is reported here: https://github.com/systemd/systemd/issues/13432 . There is no resolution yet. Hence, filing this bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1997542/+subscriptions
[Touch-packages] [Bug 1997093] Re: bash 5.2 regression too-aggressive optimizing of forks in an `eval' command inside a (command) subshell
https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel=94d25f57f124a9b2268a3af0a0915871032f426e

** Summary changed:

- bash 5.2 regression in optimize_connection_fork
+ bash 5.2 regression too-aggressive optimizing of forks in an `eval' command inside a (command) subshell

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1997093

Title:
  bash 5.2 regression too-aggressive optimizing of forks in an `eval' command inside a (command) subshell

Status in bash package in Ubuntu:
  New
Status in ovn package in Ubuntu:
  New

Bug description:
  OVN makes use of GNU autotest for its testsuite. This in turn is a heavy user of bash.

  For some reason, when the 'ovn-controller incremental processing' test is executed using bash 5.2 on Debian experimental or Ubuntu Kinetic/Lunar, the `eval` [0] in the `counter_delta_` function misinterprets successful execution of commands [1], leading to a false negative for the 'ovn-controller incremental processing' test [2].

  Backporting the bash 5.1 package from Jammy, or compiling bash 5.1 from upstream sources and rerunning the test makes it succeed. This does come across as a regression in bash.

  0: https://github.com/ovn-org/ovn/blob/a042aa23e79a0d36f1ce7b0ccfcf0a5995b045cd/tests/ovn-performance.at#L116
  1: https://github.com/ovn-org/ovn/blob/a042aa23e79a0d36f1ce7b0ccfcf0a5995b045cd/tests/ovn-performance.at#L479
  2: https://github.com/ovn-org/ovn/blob/a042aa23e79a0d36f1ce7b0ccfcf0a5995b045cd/tests/ovn-performance.at#L227

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1997093/+subscriptions
[Touch-packages] [Bug 1867204] Re: /usr/share/apport/whoopsie-upload-all:FileNotFoundError:/usr/share/apport/whoopsie-upload-all@170:collect_info:process_report
** Tags removed: foundations-todo

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1867204

Title:
  /usr/share/apport/whoopsie-upload-all:FileNotFoundError:/usr/share/apport/whoopsie-upload-all@170:collect_info:process_report

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Focal:
  Fix Released

Bug description:
  [Impact]

  The Ubuntu Error Tracker has been receiving reports about a problem regarding apport. This problem was most recently seen with package version 2.20.11-0ubuntu19, the problem page at https://errors.ubuntu.com/problem/7a3912ff155870bdb23500abfa48a21a6cb07171 contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports. If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

  There were 1301 crashes reported in the last month for this bug, which makes it to number 3 of the apport bug list (despite Ubuntu 22.04 already being fixed and only older releases are still affected).

  [Test Plan]

  Check that the fixed version does not appear on https://errors.ubuntu.com/problem/3adc63930455e99063ec1f77bf461d975492e9b4.

  [Where problems could occur]

  Worst case - in any part of the bug reporting/collection procedure, since that is what's changing.

  [Other info]

  Due to the huge amount of broken autopkgtest tests, the diff for the SRUs are bigger than desired. The individual commits in https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are probably easier to review.

  * jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
  * focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1867204/+subscriptions
[Touch-packages] [Bug 1962454] Re: Oops pages show wrong time window in JournalErrors
** Tags removed: foundations-todo

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1962454

Title:
  Oops pages show wrong time window in JournalErrors

Status in Apport:
  Fix Released
Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Focal:
  Fix Released
Status in apport source package in Jammy:
  Fix Released

Bug description:
  [Impact]

  Oops pages show wrong time window in JournalErrors. For example, I just experienced a crash at:

    Feb 28 17:31:12

  And the JournalErrors entries are:

    Feb 28 17:31:30 - Feb 28 17:31:41

  So don't relate to the crash.

  [Test Plan]

  1. Find a recent crash report from a relevant Ubuntu release on https://errors.ubuntu.com/
     If you're looking at https://errors.ubuntu.com/problem/SOMETHING then scroll down and pick a relevant instance from the Occurrences list.

  2. Now you're on a page starting with https://errors.ubuntu.com/oops/ look at ApportVersion and verify that apport is a recent enough version to contain the proposed fix. If not then go to step 1.

  3. Verify the Date field falls within the time range of the JournalErrors entries.

  Step 3 might fail in the case of there being no system log entries from around the time of the crash. That does not necessarily mean the test plan has failed. Go to step 1 and pick a different crash.

  Prior to the fix you would almost never find oops pages that would pass the test. After the fix you should find many/most oops pages do pass the test.

  [Where problems could occur]

  Worst case - in any part of the bug reporting/collection procedure, since that is what's changing.

  [Other Info]

  Due to the huge amount of broken autopkgtest tests, the diff for the SRUs are bigger than desired. The individual commits in https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/ are probably easier to review.

  * jammy SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=1fa042cc27714c407494b3d6dfd0730bb984f3eb
  * focal SRU: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/apport/log/?h=eaa92037c7dfba621719c6f81fd75f6a09e90881

To manage notifications about this bug go to:
https://bugs.launchpad.net/apport/+bug/1962454/+subscriptions
[Touch-packages] [Bug 1982551] Re: Print is failed via USB
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: cups (Ubuntu)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1982551

Title:
  Print is failed via USB

Status in cups package in Ubuntu:
  Confirmed

Bug description:
  Phenomenon:
  After installing the driver (such as RICOH IM C6000 PS) via USB protocol, it can be printed at the first time, but after the second or multiple times, the job will be canceled.

  Comment:
  1.Wait a few minutes and the job still won't be printed.
  2.After unplugging in and plugging in the USB cable, the job can be printed
  3.The problem does not occur via network printing.
  4.Other systems (such as Windows, Mac OS) do not have this problem.

  Our analysis:
  1.We think that part of the data was lost via USB transmission
  2.In CUPS ErrorLog, the job has been delivered completely. (refer to error_log->[Job 313])

```
D [21/Jul/2022:15:21:17 +0800] [Job 313] Starting renderer with command: \"printf \"%%!PS-Adobe-3.0
D [21/Jul/2022:15:21:17 +0800] [Job 313] Title: (/home/rits/文档/17540黑白-2017.doc)
D [21/Jul/2022:15:21:17 +0800] [Job 313] %%
D [21/Jul/2022:15:21:17 +0800] [Job 313] %%\\n/lppswd()def\\n/usrcode()def\\n/sppswd()def\\nmark\\n/usrcode where{pop}{/usrcode()def}ifelse\\n(rits) usrcode (20`date +%y%m%d%R | sed \'s/://\'`) {setuserinfo} stopped\\ncleartomark\\nmark {\\n<<\\n /JobType 0\\n /JobInfo <<\\n /UserID (rits)\\n /Time (20`date +%y%m%d%R | sed \'s/://\'`)\\n /HostLoginName (rits)\\n /HostName (rits-OptiPlex-3010)\\n >>\\n>> /RDeviceProcSet /ProcSet findresource /SetJobType get exec\\n}stopped cleartomark\\nmark{\\nuserdict /RPS_BPdict 2 dict put\\nuserdict /RPS_BPdict get begin /RPS_BP_MEDIAPOSITION null def end\\n} stopped cleartomark\\nmark{\\nuserdict /RPS_BPdict get begin\\n/RPS_BP_MEDIATYPE (Auto) def end\\n} stopped cleartomark\\nmark{\\n<<\\n/BannerPageMode false\\n/MediaPosition null\\n/MediaType null\\n>>\\n/RDeviceProcSet\\n/ProcSet findresource\\n/SetBannerPage get exec\\n} stopped cleartomark\\n\"; cat;\"
D [21/Jul/2022:15:21:17 +0800] [Job 313] Starting process \"kid3\" (generation 1)
D [21/Jul/2022:15:21:17 +0800] [Job 313] Starting process \"kid4\" (generation 2)
D [21/Jul/2022:15:21:17 +0800] [Job 313] Starting process \"renderer\" (generation 2)
D [21/Jul/2022:15:21:17 +0800] [Job 313] JCL: \033%-12345X@PJL
D [21/Jul/2022:15:21:17 +0800] [Job 313]
I [21/Jul/2022:15:21:25 +0800] [Job 313] Job completed.
```

  3.However, I found an error on USB Request Block (URB) with Wireshark on Ubuntu 18.04
  [Error: undefined; Off fendingCommand: BPdict Flushing: rest of job (to end of file) will be ignored] appeared at [URB BULK IN] (refer to usb2.pcapng, snapshot.pn)
  4.We extracted the accepted data on the printer side, the data is really lost. (refer to prt00016.prn, prt00013.prn is the data of normal print)

  Description: Ubuntu 18.04.5 LTS
  Release: 18.04
  CUPS 2.2.7

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: cups 2.2.7-1ubuntu2.9
  ProcVersionSignature: Ubuntu 5.4.0-122.138~18.04.1-generic 5.4.192
  Uname: Linux 5.4.0-122-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.28
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Jul 22 15:43:30 2022
  InstallationDate: Installed on 2022-07-05 (16 days ago)
  InstallationMedia: Ubuntu 18.04.5 LTS "Bionic Beaver" - Release amd64 (20200806.1)
  MachineType: Dell Inc. OptiPlex 3010
  Papersize: a4
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-122-generic root=UUID=72470cc0-4db9-4b77-b9de-77d32b61feb5 ro quiet splash vt.handoff=1
  SourcePackage: cups
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 09/16/2013
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: A11
  dmi.board.name: 042P49
  dmi.board.vendor: Dell Inc.
  dmi.board.version: A02
  dmi.chassis.type: 6
  dmi.chassis.vendor: Dell Inc.
  dmi.modalias: dmi:bvnDellInc.:bvrA11:bd09/16/2013:svnDellInc.:pnOptiPlex3010:pvr01:rvnDellInc.:rn042P49:rvrA02:cvnDellInc.:ct6:cvr:
  dmi.product.name: OptiPlex 3010
  dmi.product.version: 01
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1982551/+subscriptions
[Touch-packages] [Bug 1997533] [NEW] flac 1.4.2+ds-2 in lunar proposed does not build on i386 - missing pandoc build dep
Public bug reported:

flac 1.4.2+ds-2 in lunar proposed does not build on i386 - missing pandoc build dep which is not built in Ubuntu for i386

https://launchpad.net/ubuntu/+source/flac/1.4.2+ds-2/+build/24644410

Change made in flac (1.4.1-1) "Replace docbook-to-man with pandoc as B-D"

This prevents migration of flac (if/once tests succeed), and will block migration of packages that now build in proposed and depend on the bumped libs in flac 1.4 (libflac++10 and libflac12)

https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#flac

e.g. amongst several others so far

https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#kwave

** Affects: flac (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: lunar

** Description changed:

  flac 1.4.2+ds-2 in lunar proposed does not build on i386 - missing pandoc build dep which is not built in Ubuntu for i386

  https://launchpad.net/ubuntu/+source/flac/1.4.2+ds-2/+build/24644410

  Change made in flac (1.4.1-1) "Replace docbook-to-man with pandoc as B-D"

  This prevents migration of flac (if/once tests succeed), and will block migration of packages that now build in proposed and depend on the bumped libs in flac 1.4 (libflac++10 and libflac12)

  https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#flac
+
+ e.g. amongst several others so far
+
+ https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#kwave

** Tags added: lunar

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to flac in Ubuntu.
https://bugs.launchpad.net/bugs/1997533

Title:
  flac 1.4.2+ds-2 in lunar proposed does not build on i386 - missing pandoc build dep

Status in flac package in Ubuntu:
  New

Bug description:
  flac 1.4.2+ds-2 in lunar proposed does not build on i386 - missing pandoc build dep which is not built in Ubuntu for i386

  https://launchpad.net/ubuntu/+source/flac/1.4.2+ds-2/+build/24644410

  Change made in flac (1.4.1-1) "Replace docbook-to-man with pandoc as B-D"

  This prevents migration of flac (if/once tests succeed), and will block migration of packages that now build in proposed and depend on the bumped libs in flac 1.4 (libflac++10 and libflac12)

  https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#flac

  e.g. amongst several others so far

  https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#kwave

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flac/+bug/1997533/+subscriptions