[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
This system has remained substantially vanilla since the original install - 18.04 if I remember correctly - with only LTS upgrades and I have certainly made no local changes to the packaging tools.

  $ which apt-extracttemplates
  /usr/bin/apt-extracttemplates
  $ debsums -s apt-utils
  $

That is to say that there was no output and debsums returned an exit code of 0.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu.
https://bugs.launchpad.net/bugs/2043711

Title:
  Open3.pm tries to run code in /tmp when preconfiguring packages

Status in debconf package in Ubuntu:
  New

Bug description:
  During update of ubuntu-drivers-common:

  Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.
  open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
  Preconfiguring packages ...
  Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.
  open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

  /tmp is mounted with noexec because running code from /tmp has been a vulnerability vector for several decades, hence reporting this as a vulnerability in perl-base.

  This error did not appear to prevent the update of ubuntu-drivers-common and "dpkg --verify ubuntu-drivers-common" returns 0.

  ___

  Attempting to use the package search on this form by clicking the 🔍 created a modal in which there is an error

    Sorry, something went wrong with your search. We've recorded what happened, and we'll fix it as soon as possible.
    (Error ID: OOPS-c80f71590b02908a1187b9f743c53eac)

  which is repeated with any attempt to search for a package.

  ___

  Submitting this form gives an error

    "perl-base" does not exist in Ubuntu. Please choose a different package. If you're unsure, please select "I don't know"

  $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
  perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
  $ dpkg -l perl-base
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name Version Architecture Description
  +++-==-=--=>
  ii perl-base 5.34.0-3ubuntu1.2 amd64 minimal Perl system

  Looks like a package to me. Nevertheless, using "Did you mean..." offers "perl".

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: perl-base 5.34.0-3ubuntu1.2
  ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3
  Uname: Linux 6.5.0-1007-oem x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Nov 16 10:08:48 2023
  InstallationDate: Installed on 2016-04-23 (2763 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcEnviron:
   TERM=rxvt
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: perl
  UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/2043711/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
Ok. Then I still have absolutely no idea how/why this is happening for you, because that doesn't seem to match the code we ship. Unless you have some non-distribution version of the apt-extracttemplates program installed? (which apt-extracttemplates; sudo apt install debsums; debsums -s apt-utils)

** Changed in: debconf (Ubuntu)
       Status: Incomplete => New

--
https://bugs.launchpad.net/bugs/2043711

Title:
  Open3.pm tries to run code in /tmp when preconfiguring packages

Status in debconf package in Ubuntu:
  New
[Touch-packages] [Bug 2047082] Re: upgrading openssh-server failed: rescue-ssh.target is a disabled or a static unit not running, not starting it.
Fun, this isn't even reliable. The first attempt failed: https://cockpit-logs.us-east-1.linodeobjects.com/image-refresh-logs/ubuntu-stable-20231219-223939.log

I retried the build now, no package or environment changes. Only daytime and timing (race conditions). Perhaps some interaction with cloud-init?

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2047082

Title:
  upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.

Status in openssh package in Ubuntu:
  New

Bug description:
  In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed:

  Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
  Creating SSH2 ECDSA key; this may take some time ...
  256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA)
  Creating SSH2 ED25519 key; this may take some time ...
  256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519)
  rescue-ssh.target is a disabled or a static unit not running, not starting it.
  Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
  dpkg: error processing package openssh-server (--configure):
   installed openssh-server package post-installation script subprocess returned error exit status 1

  I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already.

  As a first naïve reproducer I tried

      apt update
      DEBIAN_FRONTEND=noninteractive apt update openssh-server

  on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be.

  Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config:

      # Allow root login with password
      sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config

      # Prevent SSH from hanging for a long time when no external network access
      echo 'UseDNS no' >> /etc/ssh/sshd_config

  this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine:

  Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  So this seems to be related to the first-time installation of openssh-server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place?

  # Automatically added by dh_installsystemd/13.11.6ubuntu1
  if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
      if [ -d /run/systemd/system ]; then
          systemctl --system daemon-reload >/dev/null || true
          if [ -n "$2" ]; then
              _dh_action=restart
          else
              _dh_action=start
          fi
          deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true
      fi
  fi

  It feels like the postinst should *never* try to start rescue-ssh.target. That's an alternative boot mode, and should never run in multi-user.target, isn't it?

  [1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1

  DistroRelease: Ubuntu 23.10
  PackageVersion: openssh-server 1:9.3p1-1ubuntu3.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2047082/+subscriptions
[Touch-packages] [Bug 2047082] Re: upgrading openssh-server failed: rescue-ssh.target is a disabled or a static unit not running, not starting it.
Argh -- I missed the alternative truth in that rescue-ssh.target shell code. So this message should pretty much *always* appear -- it's nonsense to actually try and restart rescue-ssh.target in the postinst, *always*. But it is a red herring due to the || true. The upgrade failed on something else but didn't print any error message. So there is no remaining evidence what happens.

So let's dedicate this bug report to dropping that deb-systemd-invoke for rescue-ssh.target.

** Summary changed:

- upgrading openssh-server failed: rescue-ssh.target is a disabled or a static unit not running, not starting it.
+ upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

--
https://bugs.launchpad.net/bugs/2047082

Title:
  upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.

Status in openssh package in Ubuntu:
  New
[Touch-packages] [Bug 2047082] [NEW] upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.
Public bug reported:

In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed:

Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519)
rescue-ssh.target is a disabled or a static unit not running, not starting it.
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
dpkg: error processing package openssh-server (--configure):
 installed openssh-server package post-installation script subprocess returned error exit status 1

I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already.

As a first naïve reproducer I tried

    apt update
    DEBIAN_FRONTEND=noninteractive apt update openssh-server

on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be.

Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config:

    # Allow root login with password
    sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config

    # Prevent SSH from hanging for a long time when no external network access
    echo 'UseDNS no' >> /etc/ssh/sshd_config

this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine:

Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
rescue-ssh.target is a disabled or a static unit not running, not starting it.

So this seems to be related to the first-time installation of openssh-server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place?

# Automatically added by dh_installsystemd/13.11.6ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
    if [ -d /run/systemd/system ]; then
        systemctl --system daemon-reload >/dev/null || true
        if [ -n "$2" ]; then
            _dh_action=restart
        else
            _dh_action=start
        fi
        deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true
    fi
fi

It feels like the postinst should *never* try to start rescue-ssh.target. That's an alternative boot mode, and should never run in multi-user.target, isn't it?

[1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1

DistroRelease: Ubuntu 23.10
PackageVersion: openssh-server 1:9.3p1-1ubuntu3.1

** Affects: openssh (Ubuntu)
     Importance: Low
         Status: New

** Tags: mantic

--
https://bugs.launchpad.net/bugs/2047082

Title:
  upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.

Status in openssh package in Ubuntu:
  New
[Touch-packages] [Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2037703

Title:
  dpkg-reconfigure openssh-server doesn't ask questions again

Status in openssh package in Ubuntu:
  New

Bug description:
  openssh-server does provide a couple of configuration options:

  [~]$ sudo debconf-get-selections |grep openssh-server
  openssh-server  openssh-server/listenstream-may-fail    error
  openssh-server  openssh-server/password-authentication  boolean  true
  openssh-server  openssh-server/permit-root-login        boolean  true

  I want to change those options now interactively but nothing I tried worked and showed a dialog:

  [~]$ sudo dpkg-reconfigure -p low openssh-server
  Warning: Stopping ssh.service, but it can still be activated by:
    ssh.socket
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  [~]$ sudo dpkg-reconfigure -p low --force --frontend dialog openssh-server
  Warning: Stopping ssh.service, but it can still be activated by:
    ssh.socket
  rescue-ssh.target is a disabled or a static unit not running, not starting it.

  But the documentation (https://manpages.debian.org/testing/debconf-doc/debconf.7.en.html#Reconfiguring_packages) does state that those commands should ask those questions again.

  p.s. also tried with a lxc debian-sid container and had the same problem there.

  ProblemType: Bug
  DistroRelease: Ubuntu 23.10
  Package: openssh-server 1:9.3p1-1ubuntu3
  ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
  Uname: Linux 6.5.0-5-generic x86_64
  NonfreeKernelModules: zfs
  ApportVersion: 2.27.0-0ubuntu2
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Sep 29 10:35:33 2023
  InstallationDate: Installed on 2023-05-10 (142 days ago)
  InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418)
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/usr/bin/zsh
   TERM=xterm-256color
   XDG_RUNTIME_DIR=
  SourcePackage: openssh
  UpgradeStatus: Upgraded to mantic on 2023-07-19 (71 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2037703/+subscriptions
[Touch-packages] [Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again
We just ran into this in https://github.com/cockpit-project/bots/issues/5691 when trying to refresh our Ubuntu 23.10 mantic VM image. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed:

Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519)
rescue-ssh.target is a disabled or a static unit not running, not starting it.
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145.
dpkg: error processing package openssh-server (--configure):
 installed openssh-server package post-installation script subprocess returned error exit status 1

I.e. of course that security update itself didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already.

However, as a first naïve reproducer I tried

    apt update
    DEBIAN_FRONTEND=noninteractive apt update openssh-server

on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be.

Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config:

    # Allow root login with password
    sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config

    # Prevent SSH from hanging for a long time when no external network access
    echo 'UseDNS no' >> /etc/ssh/sshd_config

this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine:

Setting up openssh-server (1:9.3p1-1ubuntu3.1) ...
rescue-ssh.target is a disabled or a static unit not running, not starting it.

So this seems to be related to the first-time installation of openssh-server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place?

# Automatically added by dh_installsystemd/13.11.6ubuntu1
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
    if [ -d /run/systemd/system ]; then
        systemctl --system daemon-reload >/dev/null || true
        if [ -n "$2" ]; then
            _dh_action=restart
        else
            _dh_action=start
        fi
        deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true
    fi
fi

It feels like the postinst should *never* try to start rescue-ssh.target. That's an alternative boot mode, and should never run in multi-user.target, isn't it?

[1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1

** Bug watch added: github.com/cockpit-project/bots/issues #5691
   https://github.com/cockpit-project/bots/issues/5691

--
https://bugs.launchpad.net/bugs/2037703

Title:
  dpkg-reconfigure openssh-server doesn't ask questions again

Status in openssh package in Ubuntu:
  New
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
$ readlink -f /var/cache/debconf/tmp.ci
/var/cache/debconf/tmp.ci

--
https://bugs.launchpad.net/bugs/2043711

Title:
  Open3.pm tries to run code in /tmp when preconfiguring packages

Status in debconf package in Ubuntu:
  Incomplete
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
RE: security.apparmor attribute attachment not working

Sorry for the current version of apparmor in Ubuntu requires a path attachment as well, you need to change the profile to (caveat untested so I may have made another mistake too)

profile falkon /** xattrs=(security.apparmor=falkon) flags=(unconfined) {
  userns,

  include if exists
}

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844

Title:
  AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP

Status in apparmor package in Ubuntu:
  Confirmed
Status in digikam package in Ubuntu:
  Confirmed
Status in epiphany-browser package in Ubuntu:
  Confirmed
Status in falkon package in Ubuntu:
  Confirmed
Status in qutebrowser package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  $ epiphany
  bwrap: Creating new namespace failed: Permission denied

  ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1
  Trappe pour point d'arrêt et de trace (core dumped)

  Thanks for your help!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/+subscriptions
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Unfortunately it has to be a privileged operation, otherwise any application could set the attribute and then have access to user namespaces.

The problem with unprivileged user namespaces is that it makes privileged interfaces available to the user in ways that they weren't designed for, leading to vulnerabilities. Yes it tries to mitigate and control this in some ways, but the reality is the kernel is always adding new interfaces that are privileged, so it's a game of whack-a-mole. To quote Linus about adding user namespaces "it was a mistake. We're stuck with it". This is just an after-the-fact mitigation, and as such there is going to be a somewhat painful transition period.

There is another reason to not use a single attribute as well. This is a stepping stone to bringing much tighter/finer confinement to the desktop. Having unique labels on the applications will allow us to start deploying finer controls over who can talk to who. This is really important when one of those entities has elevated privileges, which is the case for applications making use of unprivileged user namespaces.
[Touch-packages] [Bug 1771880] Re: Seahorse unable to import pkcs12 certificates
Right, I do plan to cherry pick the gnome-keyring change at some point, I just started with gcr while waiting to see if a gnome-keyring upstream maintainer is still active to review the change

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gcr in Ubuntu.
https://bugs.launchpad.net/bugs/1771880

Title:
  Seahorse unable to import pkcs12 certificates

Status in seahorse:
  New
Status in gcr package in Ubuntu:
  Fix Committed
Status in gnome-keyring package in Ubuntu:
  Triaged
Status in seahorse package in Ubuntu:
  Triaged
Status in gnome-keyring package in Fedora:
  New
Status in seahorse package in Fedora:
  Unknown

Bug description:
  seahorse 3.20.0-5 / gnome-keyring 3.28.0.2-1ubuntu1.18.04.1 / Ubuntu 18.04 LTS / GNOME 3.28.1

  When trying to import a certificate into seahorse/gnome-keyring on Ubuntu 18.04, seahorse GUI application shows the 'import' button greyed out, while mouse hovering the "import" button shows the message "Cannot import because there are no compatible importers".

  This problem doesn't occur on Ubuntu 16.04 LTS (Seahorse 3.18.0), as I've just tested on my wife's laptop, but happens in my Laptop with Ubuntu 18.04 LTS (Seahorse 3.20.0-5).

  Because of that problem, it's not possible to digitally sign documents with LibreOffice.

To manage notifications about this bug go to:
https://bugs.launchpad.net/seahorse/+bug/1771880/+subscriptions
[Touch-packages] [Bug 1517030] Re: ubuntu-bug (apport-kde) crashes every time I submit a problem report
Thanks for testing. I am marking this bug as fixed. In case you can trigger this bug again, please re-open it or open a new bug report. Thanks.

** Changed in: apport (Ubuntu)
       Status: Incomplete => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1517030

Title:
  ubuntu-bug (apport-kde) crashes every time I submit a problem report

Status in apport package in Ubuntu:
  Fix Released

Bug description:
  Every time I run the "ubuntu-bug" program, I get a crash report about it.

  1. I run (say) "ubuntu-bug muon-updater"
  2. Apport window appears, "Send problem report to developers?" with info about the bug.
  3. Click Send.
  4. "Uploading problem information" dialog appears and disappears.
  5. Launchpad website appears. I start filling in details.
  6. Sometime soon, Plasma reports a crash in its system tray. A dialog appears. See my screenshot.
  7. I click the "Continue" button to submit a crash bug report. The dialog disappears, but nothing else happens that I can see.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: apport-kde 2.19.1-0ubuntu5
  ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3
  Uname: Linux 4.2.0-18-generic x86_64
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Tue Nov 17 07:51:26 2015
  InstallationDate: Installed on 2013-08-31 (807 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
  PackageArchitecture: all
  SourcePackage: apport
  UpgradeStatus: Upgraded to wily on 2015-11-08 (8 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1517030/+subscriptions
[Touch-packages] [Bug 1771880] Re: Seahorse unable to import pkcs12 certificates
Pleasure Sebastien, that's how open-source works, we help each other and all win :-).

I'm glad you are picking it up at the distro level, but that gcr-3 patch alone won't fix this issue, as it only comes into play after gnome-keyring-pkcs11.so is loaded, which won't happen without the gnome-keyring patch.

If you don't like deleting the "enable-in" line, maybe rather try adding "seahorse" to the list of apps on that line instead? (You only need to edit /usr/share/p11-kit/modules/gnome-keyring.module before starting seahorse, which can be done without rebuilding the .deb)
[Touch-packages] [Bug 1517030] Re: ubuntu-bug (apport-kde) crashes every time I submit a problem report
No
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
Thanks, this definitely does point at debconf. However:

> Preconfiguring packages ...

This line is from /usr/sbin/dpkg-preconfigure, which is called via /etc/apt/apt.conf.d/70debconf.

> Can't exec "/tmp/cryptsetup-initramfs.config.UaZ02N": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.

This line shows a path which is NOT where /usr/sbin/dpkg-preconfigure unpacks the configure script. It uses a hard-coded path of /var/cache/debconf/tmp.ci:

  my $tempdir='/var/cache/debconf/tmp.ci';
  [...]
  if (system("apt-extracttemplates", "--tempdir", $tempdir, @collect) != 0) {
  [...]

What does `readlink -f /var/cache/debconf/tmp.ci` return on your system?

** Changed in: debconf (Ubuntu)
       Status: New => Incomplete
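The question in the message above comes down to which mount a directory really lives on and whether that mount carries noexec. The sketch below is an added example, not debconf's or the reporter's code; the mount table is constructed sample data in /proc/mounts format and the function names are hypothetical.

```python
import os
import re

# Constructed sample in /proc/self/mounts format (not from the reporter's machine).
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/nvme0n1p3 /var ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
/dev/sdb1 /mnt/my\\040disk ext4 rw,noexec 0 0
"""


def unescape_field(field):
    """Decode the octal escapes (\\040 for space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mount_point, set_of_options)] in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        mounts.append((unescape_field(parts[1]), set(parts[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Pick the mount holding `path`: the longest mount point that is a
    path-component prefix. Later entries win ties, as an over-mount would."""
    path = os.path.normpath(path)
    best = None
    for point, opts in mounts:
        point = os.path.normpath(point)
        inside = path == point or point == "/" or path.startswith(point + "/")
        if inside and (best is None or len(point) >= len(best[0])):
            best = (point, opts)
    return best


def exec_blocked(path, mounts):
    """Return (mount_point, True/False) where True means exec is refused there."""
    hit = mount_for(path, mounts)
    if hit is None:
        raise ValueError("no mount covers %r" % path)
    return hit[0], "noexec" in hit[1]


def check_live(path):
    """Same check on the running system (Linux). realpath() is the
    `readlink -f` step: a symlinked directory is judged by its target."""
    with open("/proc/self/mounts") as fh:
        return exec_blocked(os.path.realpath(path), parse_mounts(fh.read()))


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/tmp/ubuntu-drivers-common.config.55GJ8b",
              "/var/cache/debconf/tmp.ci"):
        print(p, exec_blocked(p, table))
```

Against the sample table, the path from the error message resolves to the noexec /tmp mount while the hard-coded debconf directory resolves to /var, which is why the maintainer asks where the symlink-resolved directory actually points.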
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
I can't seem to get the xattr solution to work. I'm trying it on a normal binary and it's failing like so:

# Contents of /etc/apparmor.d/falkon
abi ,
include

profile falkon xattrs=(security.apparmor=falkon) flags=(unconfined) {
  userns,

  include if exists
}

# setfattr command
user@user-standardpc:/usr/bin$ sudo setfattr -n security.apparmor -v falkon /usr/bin/falkon

# make sure the attribute is set
user@user-standardpc:/usr/bin$ getfattr -n security.apparmor /usr/bin/falkon
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/falkon
security.apparmor="falkon"

# attempt to launch
user@user-standardpc:/usr/bin$ /usr/bin/falkon
[3967:3967:1220/095728.818079:FATAL:credentials.cc(125)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)

#checking the logs
user@user-standardpc:/usr/bin$ journalctl -n100
...
Dec 20 09:57:28 user-standardpc kernel: audit: type=1400 audit(1703084248.814:826): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=3967 comm="falkon" requested="userns_create" denied="userns_create"
Dec 20 09:57:37 user-standardpc kernel: traps: falkon[3967] trap int3 ip:7f3ae85d7b13 sp:7ffe61e8b700 error:0 in libQt5WebEngineCore.so.5.15.15[7f3ae63b4000+6931000]
...

The solution that involves spelling out the absolute path to the file does work.
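Reading the denial in the message above, as an added example (not code from the thread or from AppArmor): the profile field records the label the process ran under, so profile="unconfined" on a userns_create denial means no profile was attached to the process. The lines marked constructed are made up for contrast, and the function names are hypothetical.

```python
import re
from collections import Counter

SAMPLE_LOG = [
    # From the message above.
    'Dec 20 09:57:28 user-standardpc kernel: audit: type=1400 '
    'audit(1703084248.814:826): apparmor="DENIED" operation="userns_create" '
    'class="namespace" info="User namespace creation restricted" error=-13 '
    'profile="unconfined" pid=3967 comm="falkon" requested="userns_create" '
    'denied="userns_create"',
    # From the message above: a crash trace, not an audit record.
    'Dec 20 09:57:37 user-standardpc kernel: traps: falkon[3967] trap int3 '
    'ip:7f3ae85d7b13 sp:7ffe61e8b700 error:0 in '
    'libQt5WebEngineCore.so.5.15.15[7f3ae63b4000+6931000]',
    # Constructed: the same denial when a profile IS attached but lacks userns.
    'Jan 01 00:00:01 host kernel: audit: type=1400 audit(1700000001.000:1): '
    'apparmor="DENIED" operation="userns_create" class="namespace" error=-13 '
    'profile="falkon" pid=4242 comm="falkon" requested="userns_create" '
    'denied="userns_create"',
    # Constructed: a file denial whose name holds a space, so it is hex-encoded.
    'Jan 01 00:00:02 host kernel: audit: type=1400 audit(1700000002.000:2): '
    'apparmor="DENIED" operation="open" class="file" profile="example_profile" '
    'name=2F746D702F6D792066696C65 pid=4243 comm="viewer" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
]

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# Fields the audit subsystem writes as bare hex when they contain unsafe bytes.
HEX_FIELDS = {"name", "comm", "profile"}


def parse_apparmor(line):
    """Return the fields of one AppArmor audit record, or None for other lines."""
    start = line.find("apparmor=")
    if start < 0:
        return None
    rec = {}
    for m in KV.finditer(line[start:]):
        key, quoted, bare = m.groups()
        if quoted is not None:
            rec[key] = quoted
        elif key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare
    return rec


def explain(rec):
    """One-line triage hint for a parsed record."""
    if rec.get("apparmor") != "DENIED":
        return "not a denial"
    prof = rec.get("profile", "?")
    if rec.get("operation") == "userns_create":
        if prof == "unconfined":
            return "no profile attached to the process, so no 'userns,' rule applied"
        return "profile %r is attached but has no 'userns,' rule" % prof
    if rec.get("class") == "file":
        return "profile %r grants no %r access to %s" % (
            prof, rec.get("denied_mask"), rec.get("name"))
    return "denied %s under profile %r" % (rec.get("operation"), prof)


def summarize(lines):
    """Count denials per (comm, profile, operation)."""
    counts = Counter()
    for rec in filter(None, map(parse_apparmor, lines)):
        if rec.get("apparmor") == "DENIED":
            counts[(rec.get("comm"), rec.get("profile"), rec.get("operation"))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_apparmor(line)
        if rec:
            print(rec.get("comm"), "->", explain(rec))
```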
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
How acceptable or possible would a solution be that had one universal "allowUserNamespaces" attribute in an AppArmor config that could then simply be set on whatever files one wanted to enable the features on? That would support all third-party apps that a user deemed worthy without needing much effort to enable but without allowing programs to enable it themselves without root privileges, if I'm understanding correctly.
[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Hi, I'm on Ubuntu 23.10 using Brave browser SNAP and I still face the issue (cannot open links in evince -using Brave browser snap).

Here are the versions:

```console
❯ apt list --installed | rg 'evince|apparmor'
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
evince-common/mantic,mantic,now 45.0-1 all [installed,automatic]
evince/mantic,now 45.0-1 amd64 [installed]
libapparmor1/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
```

Brave Browser 120.1.61.101

`journalctl -f` log:

```console
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml" pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

I see the following in `/etc/apparmor.d/usr.bin.evince` with all includes commented, including `snap_browsers` line. Is that normal? Thanks

```
    │ File: /etc/apparmor.d/usr.bin.evince
    │ Size: 11.5 KB
────┼
  1 │ # vim:syntax=apparmor
  2 │
  3 │ # evince is not written with application confinement in mind and is designed to
  4 │ # operate within a trusted desktop session where anything running within the
  5 │ # user's session is trusted. That said, evince will often process untrusted
  6 │ # input (PDFs, images, etc). Ideally evince would be written in such a way that
  7 │ # image processing is separate from the main process and that processing
  8 │ # happens in a restrictive sandbox, but unfortunately that is not currently the
  9 │ # case. Because evince will process untrusted input, this profile aims to
 10 │ # provide some hardening, but considering evince's design and other factors such
 11 │ # as X, gsettings, accessibility, translations, DBus session and system
 12 │ # services, etc, complete confinement is not possible.
 13 │
 14 │ #include
 15 │
 16 │ /usr/bin/evince {
 17 │ #include
 18 │ #include
 19 │ #include
 20 │ #include
 21 │ #include
 22 │ #include
 23 │ #include
 24 │
 25 │ #include
 26 │ #include
 27 │ #include
 28 │ #include
 29 │ #include
 30 │
 31 │ # allow evince to spawn browsers distributed as snaps (LP: #1794064)
 32 │ #include if exists
 33 │
 34 │ # For now, let evince talk to any session services over dbus. We can
 35 │ # blacklist any problematic ones (but note, evince uses libsecret :\)
 36 │ #include
 37 │
 38 │ #include
 39 │ dbus (receive) bus=system,
```

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064

Title:
  Clicking a hyperlink in a PDF fails to open it if the default browser is a snap

Status in apparmor package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in apparmor source package in Jammy:
  Fix Released
Status in evince source package in Jammy:
  Fix Released
Status in apparmor source package in Lunar:
  Fix Released
Status in evince source package in Lunar:
  Fix Released
Status in apparmor package in Debian:
  Fix Released
Status in evince package in Debian:
  Confirmed

Bug description:
  [Impact]

   * Users cannot open a hyperlink in a PDF opened with evince when the default browser is a snap.

   * The fix creates a snap_browsers abstraction on AppArmor which can be used in a transition for when the browser is executed. The snap_browsers abstraction provides the minimal amount of permissions required to execute a browser provided through snaps. This is a workaround since AppArmor currently does not provide mediation/filtering on enhanced environment variables.

  [Test Plan]

   * Make sure the default browser is provided through the snap store.
   * Open a PDF that contains a hyperlink using evince and click on the URL.
   * The browser should open the requested URL.

  [Where problems could occur]

   * If the browser or snap core update to have new requirements for opening a browser, then the current policy could become obsolete and will need to be updated again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions
[Touch-packages] [Bug 2029010] Re: dummy sound on huawei mate d15 laptop
I also made a mistake with a person who can help with this problem
https://github.com/codepayne/linux-sound-huawei/issues/27

** Bug watch added: github.com/codepayne/linux-sound-huawei/issues #27
   https://github.com/codepayne/linux-sound-huawei/issues/27

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/2029010

Title:
  dummy sound on huawei mate d15 laptop

Status in Linux:
  Confirmed
Status in alsa-driver package in Ubuntu:
  New
Status in alsa-ucm-conf package in Ubuntu:
  New
Status in firmware-sof package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  I tried different options, but I couldn't raise the sound.

  saber716rus@saber716rus-BOM-WXX9 ~> cat /etc/os-release
  NAME="Green Linux"
  VERSION="21.2 (Victoria)"
  ID=linuxmint
  ID_LIKE="ubuntu debian"
  PRETTY_NAME="Green Linux 21.2.0 Pro (Cubic 2023-06-14 22:01)"
  VERSION_ID="21"
  HOME_URL="https://greenlinux.ru/";
  SUPPORT_URL="https://forum.linuxmint.su/";
  BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/ru/latest/";
  PRIVACY_POLICY_URL="https://greenlinux.ru/";
  VERSION_CODENAME=victoria
  UBUNTU_CODENAME=jammy
  saber716rus@saber716rus-BOM-WXX9 ~ [1]> cat /proc/asound/cards
   0 [Generic]: HDA-Intel - HD-Audio Generic
                HD-Audio Generic at 0xd03c irq 80
   1 [acp]: acp - acp
            HUAWEI-BOM_WXX9-M1010-BOM_WXX9_PCB_B2
  saber716rus@saber716rus-BOM-WXX9 ~>

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/2029010/+subscriptions
[Touch-packages] [Bug 1771880] Re: Seahorse unable to import pkcs12 certificates
Thanks Damjan for the investigation work and the fixes, I've cherrypicked the gcr fix and uploaded to Debian now (which will sync to Ubuntu later today).

I would prefer to see an upstream review for the keyring change before distro patching that one since the situation there is a bit more complicated

** Also affects: gcr (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: gcr (Ubuntu)
   Importance: Undecided => High

** Changed in: gcr (Ubuntu)
       Status: New => Fix Committed

** Changed in: gcr (Ubuntu)
     Assignee: (unassigned) => Sebastien Bacher (seb128)
[Touch-packages] [Bug 2047023] [NEW] Qt app crashed after upgrading Qt5 libraries to 5.15.10+dfsg-5build1
Public bug reported:

After upgrading Qt5 libraries to 5.15.10+dfsg-5build1, several Qt5 applications (including lxqt-panel and goldendict) crashed, leaving a "*** buffer overflow detected ***: terminated" message in console. It seems that the crashed applications all used the QSettings.

The following sample code will crash with 5.15.10+dfsg-5build1, but not with 5.15.10+dfsg-5

#include <QSettings>

int main(int argc, char *argv[]) {
    QSettings s("/tmp/a.ini", QSettings::IniFormat);
    s.setValue("a", 123);
    s.sync();
    return 0;
}

** Affects: qtbase-opensource-src (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed: - After upgrading Qt libraries to 5.15.10+dfsg-5build1, several Qt + After upgrading Qt5 libraries to 5.15.10+dfsg-5build1, several Qt5 applications (including lxqt-panel and goldendict) crashed, leaving a "*** buffer overflow detected ***: terminated" message in console. It seems that the crashed applications all used the QSettings. The following sample code will crash with 5.15.10+dfsg-5build1, but not with 5.15.10+dfsg-5 #include int main(int argc, char *argv[]) { - QSettings s("/tmp/a.ini", QSettings::IniFormat); - s.setValue("a", 123); - s.sync(); - return 0; + QSettings s("/tmp/a.ini", QSettings::IniFormat); + s.setValue("a", 123); + s.sync(); + return 0; }

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtbase-opensource-src in Ubuntu.
https://bugs.launchpad.net/bugs/2047023

Title:
  Qt app crashed after upgrading Qt5 libraries to 5.15.10+dfsg-5build1

Status in qtbase-opensource-src package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/2047023/+subscriptions
[Touch-packages] [Bug 2047008] Re: [SRU] Add Telit FN990 compositions
The verified log is attached.

** Attachment added: "modemmanager_1.20.0-1~ubuntu22.04.3_verified.log"
   https://bugs.launchpad.net/oem-priority/+bug/2047008/+attachment/5730937/+files/modemmanager_1.20.0-1~ubuntu22.04.3_verified.log

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to modemmanager in Ubuntu.
https://bugs.launchpad.net/bugs/2047008

Title: [SRU] Add Telit FN990 compositions

Status in OEM Priority Project: New
Status in modemmanager package in Ubuntu: New

Bug description:

[SRU] Add Telit FN990 compositions

[ Impact ]
The modemmanager v1.20.0 doesn't have Telit FN990 compositions. It works with compatibility mode. (lp: #2046699)

[ Test Plan ]
Under a Jammy environment, check that modemmanager can identify the Telit FN990 modem correctly.

[ Where problems could occur ]
The Telit FN990 compositions are upstreamed to modemmanager v1.20.6:
https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/commit/b68a1bb8474991a72cf988e8e24ba6549f1cf9c2
Noble and Mantic are already working with modemmanager v1.20.6. The target platform modem function works well on Mantic. The changes only add VID/PIDs for Telit's FN990 modems under the Telit plugin.

[ Other Info ]
N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/2047008/+subscriptions
[Touch-packages] [Bug 2047008] Re: [SRU] Add Telit FN990 compositions
The debdiff is attached.

** Patch added: "modemmanager_1.20.0-1~ubuntu22.04.3.debdiff"
   https://bugs.launchpad.net/oem-priority/+bug/2047008/+attachment/5730935/+files/modemmanager_1.20.0-1~ubuntu22.04.3.debdiff