[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
This system has remained substantially vanilla since the original install - 18.04 if I remember correctly - with only LTS upgrades and I have certainly made no local changes to the packaging tools. $ which apt-extracttemplates /usr/bin/apt-extracttemplates $ debsums -s apt-utils $ That is to say that there was no output and debsums returned an exit code of 0. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/2043711 Title: Open3.pm tries to run code in /tmp when preconfiguring packages Status in debconf package in Ubuntu: New Bug description: During update of ubuntu-drivers-common: Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. Preconfiguring packages ... Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. /tmp is mounted with noexec because running code from /tmp has been a vulnerability vector for several decades, hence reporting this as a vulnerability in perl-base. This error did not appear to prevent the update of ubuntu-drivers- common and "dpkg --verify ubuntu-drivers-common" returns 0. ___ Attempting to use the package search on this form by clicking the 🔍 created a modal in which there is an error Sorry, something went wrong with your search. We've recorded what happened, and we'll fix it as soon as possible. (Error ID: OOPS-c80f71590b02908a1187b9f743c53eac) which is repeated with any attempt to search for a package. ___ Submitting this form gives an error "perl-base" does not exist in Ubuntu. Please choose a different package. If you're unsure, please select "I don't know" $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm $ dpkg -l perl-base Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-=--=> ii perl-base 5.34.0-3ubuntu1.2 amd64minimal Perl system Looks like a package to me. Nevertheless, using "Did you mean..." offers "perl". ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: perl-base 5.34.0-3ubuntu1.2 ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3 Uname: Linux 6.5.0-1007-oem x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Thu Nov 16 10:08:48 2023 InstallationDate: Installed on 2016-04-23 (2763 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=rxvt PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: perl UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/2043711/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
Ok. Then I still have absolutely no idea how/why this is happening for you, because that doesn't seem to match the code we ship. Unless you have some non-distribution version of the apt- extracttemplates program installed? (which apt-extracttemplates; sudo apt install debsums; debsums -s apt-utils) ** Changed in: debconf (Ubuntu) Status: Incomplete => New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/2043711 Title: Open3.pm tries to run code in /tmp when preconfiguring packages Status in debconf package in Ubuntu: New Bug description: During update of ubuntu-drivers-common: Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. Preconfiguring packages ... Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. /tmp is mounted with noexec because running code from /tmp has been a vulnerability vector for several decades, hence reporting this as a vulnerability in perl-base. This error did not appear to prevent the update of ubuntu-drivers- common and "dpkg --verify ubuntu-drivers-common" returns 0. ___ Attempting to use the package search on this form by clicking the 🔍 created a modal in which there is an error Sorry, something went wrong with your search. We've recorded what happened, and we'll fix it as soon as possible. (Error ID: OOPS-c80f71590b02908a1187b9f743c53eac) which is repeated with any attempt to search for a package. ___ Submitting this form gives an error "perl-base" does not exist in Ubuntu. Please choose a different package. If you're unsure, please select "I don't know" $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm $ dpkg -l perl-base Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-=--=> ii perl-base 5.34.0-3ubuntu1.2 amd64minimal Perl system Looks like a package to me. Nevertheless, using "Did you mean..." offers "perl". ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: perl-base 5.34.0-3ubuntu1.2 ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3 Uname: Linux 6.5.0-1007-oem x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Thu Nov 16 10:08:48 2023 InstallationDate: Installed on 2016-04-23 (2763 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=rxvt PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: perl UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/2043711/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2047082] Re: upgrading openssh-server failed: rescue-ssh.target is a disabled or a static unit not running, not starting it.
Fun, this isn't even reliable. The first atttempt failed: https://cockpit-logs.us-east-1.linodeobjects.com/image-refresh- logs/ubuntu-stable-20231219-223939.log I retried the build now, no package or environment changes. Only daytime and timing (race conditions). Perhaps some interaction with cloud-init? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2047082 Title: upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it. Status in openssh package in Ubuntu: New Bug description: In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... Creating SSH2 ECDSA key; this may take some time ... 256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA) Creating SSH2 ED25519 key; this may take some time ... 256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519) rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already. As a first naĂŻve reproducer I tried apt update DEBIAN_FRONTEND=noninteractive apt update openssh-server on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be. Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config: # Allow root login with password sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config # Prevent SSH from hanging for a long time when no external network access echo 'UseDNS no' >> /etc/ssh/sshd_config this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... rescue-ssh.target is a disabled or a static unit not running, not starting it. So this seems to be related to the first-time installation of openssh- server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place? # Automatically added by dh_installsystemd/13.11.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true if [ -n "$2" ]; then _dh_action=restart else _dh_action=start fi deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true fi fi It feels like the postinst should *never* try to start rescue- ssh.target. That's an alternative boot mode, and should never run un multi-user.target, isn't it? [1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1 DistroRelease: Ubuntu 23.10 PackageVersion: openssh-server 1:9.3p1-1ubuntu3.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2047082/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2047082] Re: upgrading openssh-server failed: rescue-ssh.target is a disabled or a static unit not running, not starting it.
Argh -- I missed the alternative truth in that rescue-ssh.target shell code. So this message should pretty much *always* appear -- it's nonsense to actually try and restart rescue-ssh.target in the postinst, *always*. But it is a red herring due to the || true. The upgrade failed on something else but didn't print any error message. So there is no remaining evidence what happens. So let's dedicate this bug report to dropping that deb-system-invoke for rescue-ssh.target. ** Summary changed: - upgrading openssh-server failed: rescue-ssh.target is a disabled or a static unit not running, not starting it. + upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it. ** Changed in: openssh (Ubuntu) Importance: Undecided => Low -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2047082 Title: upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it. Status in openssh package in Ubuntu: New Bug description: In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... Creating SSH2 ECDSA key; this may take some time ... 256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA) Creating SSH2 ED25519 key; this may take some time ... 256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519) rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already. As a first naĂŻve reproducer I tried apt update DEBIAN_FRONTEND=noninteractive apt update openssh-server on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be. Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config: # Allow root login with password sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config # Prevent SSH from hanging for a long time when no external network access echo 'UseDNS no' >> /etc/ssh/sshd_config this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... rescue-ssh.target is a disabled or a static unit not running, not starting it. So this seems to be related to the first-time installation of openssh- server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place? # Automatically added by dh_installsystemd/13.11.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true if [ -n "$2" ]; then _dh_action=restart else _dh_action=start fi deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true fi fi It feels like the postinst should *never* try to start rescue- ssh.target. That's an alternative boot mode, and should never run un multi-user.target, isn't it? [1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1 DistroRelease: Ubuntu 23.10 PackageVersion: openssh-server 1:9.3p1-1ubuntu3.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2047082/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2047082] [NEW] upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it.
Public bug reported: In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... Creating SSH2 ECDSA key; this may take some time ... 256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA) Creating SSH2 ED25519 key; this may take some time ... 256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519) rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already. As a first naĂŻve reproducer I tried apt update DEBIAN_FRONTEND=noninteractive apt update openssh-server on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be. Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config: # Allow root login with password sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config # Prevent SSH from hanging for a long time when no external network access echo 'UseDNS no' >> /etc/ssh/sshd_config this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... rescue-ssh.target is a disabled or a static unit not running, not starting it. So this seems to be related to the first-time installation of openssh- server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place? # Automatically added by dh_installsystemd/13.11.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true if [ -n "$2" ]; then _dh_action=restart else _dh_action=start fi deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true fi fi It feels like the postinst should *never* try to start rescue- ssh.target. That's an alternative boot mode, and should never run un multi-user.target, isn't it? [1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1 DistroRelease: Ubuntu 23.10 PackageVersion: openssh-server 1:9.3p1-1ubuntu3.1 ** Affects: openssh (Ubuntu) Importance: Low Status: New ** Tags: mantic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2047082 Title: upgrading openssh-server always shows error: rescue-ssh.target is a disabled or a static unit not running, not starting it. Status in openssh package in Ubuntu: New Bug description: In our project we regularly build Ubuntu VM images for current 23.10 (stable). In https://github.com/cockpit-project/bots/issues/5691 we ran into an upgrade failure of openssh-server. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... Creating SSH2 ECDSA key; this may take some time ... 256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA) Creating SSH2 ED25519 key; this may take some time ... 256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519) rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 I.e. of course that security update itself [1] didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has b
[Touch-packages] [Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2037703 Title: dpkg-reconfigure openssh-server doesn't ask questions again Status in openssh package in Ubuntu: New Bug description: openssh-server does provide a couple of configuration options: [~]$ sudo debconf-get-selections |grep openssh-server openssh-serveropenssh-server/listenstream-may-failerror openssh-serveropenssh-server/password-authentication boolean true openssh-serveropenssh-server/permit-root-loginboolean true I want to change those options now interactively but nothing I tried worked and showed a dialog: [~]$ sudo dpkg-reconfigure -p low openssh-server Warning: Stopping ssh.service, but it can still be activated by: ssh.socket rescue-ssh.target is a disabled or a static unit not running, not starting it. [~]$ sudo dpkg-reconfigure -p low --force --frontend dialog openssh-server Warning: Stopping ssh.service, but it can still be activated by: ssh.socket rescue-ssh.target is a disabled or a static unit not running, not starting it. But the documentation (https://manpages.debian.org/testing/debconf- doc/debconf.7.en.html#Reconfiguring_packages) does state that those commands should ask those questions again. p.s. also tried with a lxc debian-sid container and had the same problem there. ProblemType: Bug DistroRelease: Ubuntu 23.10 Package: openssh-server 1:9.3p1-1ubuntu3 ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0 Uname: Linux 6.5.0-5-generic x86_64 NonfreeKernelModules: zfs ApportVersion: 2.27.0-0ubuntu2 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Fri Sep 29 10:35:33 2023 InstallationDate: Installed on 2023-05-10 (142 days ago) InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Release amd64 (20230418) ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/usr/bin/zsh TERM=xterm-256color XDG_RUNTIME_DIR= SourcePackage: openssh UpgradeStatus: Upgraded to mantic on 2023-07-19 (71 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2037703/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2037703] Re: dpkg-reconfigure openssh-server doesn't ask questions again
We just ran into this in https://github.com/cockpit- project/bots/issues/5691 when trying to refresh our Ubuntu 23.10 mantic VM image. It starts with the current cloud image and then apt upgrades it, with "DEBIAN_FRONTEND=noninteractive". openssh was updated a few days ago indeed: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... Creating SSH2 ECDSA key; this may take some time ... 256 SHA256:UqrRSpQNM7SIixVivYP/WwZRjt7Sv89P31W/Gxaf+Z8 root@ubuntu (ECDSA) Creating SSH2 ED25519 key; this may take some time ... 256 SHA256:hy9AEDydfnZeY9nf9P4Sb90kx39Oqr101A6tz5j4RQw root@ubuntu (ED25519) rescue-ssh.target is a disabled or a static unit not running, not starting it. Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 145. dpkg: error processing package openssh-server (--configure): installed openssh-server package post-installation script subprocess returned error exit status 1 I.e. of course that security update itself didn't introduce the regression, but earlier VM builds just didn't have a pending openssh update -- looks like this has been a luring upgrade trap in the release already. However, as a first naĂŻve reproducer I tried apt update DEBIAN_FRONTEND=noninteractive apt update openssh-server on our current VM (with the release version 1:9.3p1-1ubuntu3), and that worked fine. Same with installing all 9 available packages. rescue.target is loaded/inactive/static, as it should be. Updating without DEBIAN_FRONTEND does show me a conffile prompt about /etc/ssh/sshd_config, which is justified as we do modify the config: # Allow root login with password sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config # Prevent SSH from hanging for a long time when no external network access echo 'UseDNS no' >> /etc/ssh/sshd_config this also leads to a merge conflict. However, I suppose all of that is tangential to the rescue-ssh.target issue. In all my interactive upgrades, it seemed to handle that just fine: Setting up openssh-server (1:9.3p1-1ubuntu3.1) ... rescue-ssh.target is a disabled or a static unit not running, not starting it. So this seems to be related to the first-time installation of openssh- server -- it is part of the cloud image, but it does the host key generation during our image builds. So reproducing this is a bit tricky, but aside from that: Why does it even do this in the first place? # Automatically added by dh_installsystemd/13.11.6ubuntu1 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true if [ -n "$2" ]; then _dh_action=restart else _dh_action=start fi deb-systemd-invoke $_dh_action 'rescue-ssh.target' >/dev/null || true fi fi It feels like the postinst should *never* try to start rescue- ssh.target. That's an alternative boot mode, and should never run un multi-user.target, isn't it? [1] https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.1 ** Bug watch added: github.com/cockpit-project/bots/issues #5691 https://github.com/cockpit-project/bots/issues/5691 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/2037703 Title: dpkg-reconfigure openssh-server doesn't ask questions again Status in openssh package in Ubuntu: New Bug description: openssh-server does provide a couple of configuration options: [~]$ sudo debconf-get-selections |grep openssh-server openssh-serveropenssh-server/listenstream-may-failerror openssh-serveropenssh-server/password-authentication boolean true openssh-serveropenssh-server/permit-root-loginboolean true I want to change those options now interactively but nothing I tried worked and showed a dialog: [~]$ sudo dpkg-reconfigure -p low openssh-server Warning: Stopping ssh.service, but it can still be activated by: ssh.socket rescue-ssh.target is a disabled or a static unit not running, not starting it. [~]$ sudo dpkg-reconfigure -p low --force --frontend dialog openssh-server Warning: Stopping ssh.service, but it can still be activated by: ssh.socket rescue-ssh.target is a disabled or a static unit not running, not starting it. But the documentation (https://manpages.debian.org/testing/debconf- doc/debconf.7.en.html#Reconfiguring_packages) does state that those commands should ask those questions again. p.s. also tried with a lxc debian-sid container and had the same problem there. ProblemType: Bug DistroRelease: Ubuntu 23.10 Package: openssh-server 1:9.3p1-1ubuntu3 ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0 Uname: Lin
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
$ readlink -f /var/cache/debconf/tmp.ci /var/cache/debconf/tmp.ci -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/2043711 Title: Open3.pm tries to run code in /tmp when preconfiguring packages Status in debconf package in Ubuntu: Incomplete Bug description: During update of ubuntu-drivers-common: Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. Preconfiguring packages ... Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1. open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure 1:0.9.6.2~0.22.04.4 failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59. /tmp is mounted with noexec because running code from /tmp has been a vulnerability vector for several decades, hence reporting this as a vulnerability in perl-base. This error did not appear to prevent the update of ubuntu-drivers- common and "dpkg --verify ubuntu-drivers-common" returns 0. ___ Attempting to use the package search on this form by clicking the 🔍 created a modal in which there is an error Sorry, something went wrong with your search. We've recorded what happened, and we'll fix it as soon as possible. (Error ID: OOPS-c80f71590b02908a1187b9f743c53eac) which is repeated with any attempt to search for a package. ___ Submitting this form gives an error "perl-base" does not exist in Ubuntu. Please choose a different package. If you're unsure, please select "I don't know" $ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm $ dpkg -l perl-base Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==-=--=> ii perl-base 5.34.0-3ubuntu1.2 amd64minimal Perl system Looks like a package to me. Nevertheless, using "Did you mean..." offers "perl". ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: perl-base 5.34.0-3ubuntu1.2 ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3 Uname: Linux 6.5.0-1007-oem x86_64 ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Thu Nov 16 10:08:48 2023 InstallationDate: Installed on 2016-04-23 (2763 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=rxvt PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: perl UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/2043711/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
RE: security.apparmor attribute attachment not working
Sorry for the current version of apparmor in Ubuntu requires a path
attachment as well, you need to change the profile to (caveat untested
so I may have made another mistake too)
profile falkon /** xattrs=(security.apparmor=falkon) flags=(unconfined) {
userns,
include if exists
}
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
Status in apparmor package in Ubuntu:
Confirmed
Status in digikam package in Ubuntu:
Confirmed
Status in epiphany-browser package in Ubuntu:
Confirmed
Status in falkon package in Ubuntu:
Confirmed
Status in qutebrowser package in Ubuntu:
Confirmed
Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with
Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
this error
$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch
dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrĂŞt et de trace (core dumped)
$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch
dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrĂŞt et de trace (core dumped)
Thanks for your help!
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
Unfortunately it has to be a privileged operation, otherwise any application could set the attribute and then have access to user namespaces. The problem with unprivileged user namespaces is that it makes privileged interfaces available to the user in ways that they weren't designed for, leading to vulnerabilities. Yes it tries to mitigate and control this in some ways, but the reality is the kernel is always adding new interfaces that are privileged, so its a game of whack-a-mole. To quote Linus about adding user namespaces "it was a mistake. We're stuck with it". This is just an after the fact mitigation, and as such there is going to be a somewhat painful transition period. There is another reason to not use a single attribute as well. This is a stepping stone to bringing much tighter/finer confinement to the desktop. Having unique labels on the applications will allow us to start deploying finer controls over who can talk to who. This is really important when one of those entities have elevated privileges, which is the case for applications making use of unprivileged user namespaces. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP Status in apparmor package in Ubuntu: Confirmed Status in digikam package in Ubuntu: Confirmed Status in epiphany-browser package in Ubuntu: Confirmed Status in falkon package in Ubuntu: Confirmed Status in qutebrowser package in Ubuntu: Confirmed Bug description: Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error $ epiphany bwrap: Creating new namespace failed: Permission denied ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1 Trappe pour point d'arrêt et de trace (core dumped) $ epiphany bwrap: Creating new namespace failed: Permission denied ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1 Trappe pour point d'arrêt et de trace (core dumped) Thanks for your help! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1771880] Re: Seahorse unable to import pkcs12 certificates
Right, I do plan to cherry pick the gnome-keyring change at some point, I just started with gcr while waiting to see if a gnome-keyring upstream maintainer is still active to review the change -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gcr in Ubuntu. https://bugs.launchpad.net/bugs/1771880 Title: Seahorse unable to import pkcs12 certificates Status in seahorse: New Status in gcr package in Ubuntu: Fix Committed Status in gnome-keyring package in Ubuntu: Triaged Status in seahorse package in Ubuntu: Triaged Status in gnome-keyring package in Fedora: New Status in seahorse package in Fedora: Unknown Bug description: seahorse 3.20.0-5 / gnome-keyring 3.28.0.2-1ubuntu1.18.04.1 / Ubuntu 18.04 LTS / GNOME 3.28.1 When trying to import a certificate into seahorse/gnome-keyring on Ubuntu 18.04, seahorse GUI application shows the 'import' button greyed out, while mouse hovering the "import" button shows the message "Cannot import because there are no compatible importers". This problem doesn't occur on Ubuntu 16.04 LTS (Seahorse 3.18.0), as I've just tested on my wife's laptop, but happens in my Laptop with Ubuntu 18.04 LTS (Seahorse 3.20.0-5). Because that problem, it's not possible to digitally sign documents with LibreOffice. To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/1771880/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1517030] Re: ubuntu-bug (apport-kde) crashes every time I submit a problem report
Thanks for testing. I am marking this bug as fixed. In case you can trigger this bug again, please re-open it or open a new bug report. Thanks. ** Changed in: apport (Ubuntu) Status: Incomplete => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1517030 Title: ubuntu-bug (apport-kde) crashes every time I submit a problem report Status in apport package in Ubuntu: Fix Released Bug description: Every time I run the "ubuntu-bug" program, I get a crash report about it. 1. I run (say) "ubuntu-bug muon-updater" 2. Apport window appears, "Send problem report to developers?" with info about the bug. 3. Click Send. 4. "Uploading problem information" dialog appears and disappears. 5. Launchpad website appears. I start filing in details. 6. Sometime soon, Plasma reports a crash in its system tray. A dialog appears. See my screenshot. 7. I click the "Continue" button to submit a crash bug report. The dialog disappears, but nothing else happens that I can see. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: apport-kde 2.19.1-0ubuntu5 ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3 Uname: Linux 4.2.0-18-generic x86_64 ApportVersion: 2.19.1-0ubuntu5 Architecture: amd64 CurrentDesktop: KDE Date: Tue Nov 17 07:51:26 2015 InstallationDate: Installed on 2013-08-31 (807 days ago) InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424) PackageArchitecture: all SourcePackage: apport UpgradeStatus: Upgraded to wily on 2015-11-08 (8 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1517030/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1771880] Re: Seahorse unable to import pkcs12 certificates
Pleasure Sebastien, that's how open-source works, we help each other and all win :-). I'm glad you are picking it up at the distro level, but that gcr-3 patch alone won't fix this issue, as it only comes into play after gnome- keyring-pkcs11.so is loaded, which won't happen without the gnome- keyring patch. If you don't like deleting the "enable-in" line, maybe rather try adding "seahorse" to the list of apps on that line instead? (You only need to edit /usr/share/p11-kit/modules/gnome-keyring.module before starting seahorse, which can be done without rebuilding the .deb) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gcr in Ubuntu. https://bugs.launchpad.net/bugs/1771880 Title: Seahorse unable to import pkcs12 certificates Status in seahorse: New Status in gcr package in Ubuntu: Fix Committed Status in gnome-keyring package in Ubuntu: Triaged Status in seahorse package in Ubuntu: Triaged Status in gnome-keyring package in Fedora: New Status in seahorse package in Fedora: Unknown Bug description: seahorse 3.20.0-5 / gnome-keyring 3.28.0.2-1ubuntu1.18.04.1 / Ubuntu 18.04 LTS / GNOME 3.28.1 When trying to import a certificate into seahorse/gnome-keyring on Ubuntu 18.04, seahorse GUI application shows the 'import' button greyed out, while mouse hovering the "import" button shows the message "Cannot import because there are no compatible importers". This problem doesn't occur on Ubuntu 16.04 LTS (Seahorse 3.18.0), as I've just tested on my wife's laptop, but happens in my Laptop with Ubuntu 18.04 LTS (Seahorse 3.20.0-5). Because that problem, it's not possible to digitally sign documents with LibreOffice. To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/1771880/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1517030] Re: ubuntu-bug (apport-kde) crashes every time I submit a problem report
No -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/1517030 Title: ubuntu-bug (apport-kde) crashes every time I submit a problem report Status in apport package in Ubuntu: Incomplete Bug description: Every time I run the "ubuntu-bug" program, I get a crash report about it. 1. I run (say) "ubuntu-bug muon-updater" 2. Apport window appears, "Send problem report to developers?" with info about the bug. 3. Click Send. 4. "Uploading problem information" dialog appears and disappears. 5. Launchpad website appears. I start filing in details. 6. Sometime soon, Plasma reports a crash in its system tray. A dialog appears. See my screenshot. 7. I click the "Continue" button to submit a crash bug report. The dialog disappears, but nothing else happens that I can see. ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: apport-kde 2.19.1-0ubuntu5 ProcVersionSignature: Ubuntu 4.2.0-18.22-generic 4.2.3 Uname: Linux 4.2.0-18-generic x86_64 ApportVersion: 2.19.1-0ubuntu5 Architecture: amd64 CurrentDesktop: KDE Date: Tue Nov 17 07:51:26 2015 InstallationDate: Installed on 2013-08-31 (807 days ago) InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424) PackageArchitecture: all SourcePackage: apport UpgradeStatus: Upgraded to wily on 2015-11-08 (8 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1517030/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when preconfiguring packages
Thanks, this definitely does point at debconf. However:
> Preconfiguring packages ...
This line is from /usr/sbin/dpkg-preconfigure, which is called via
/etc/apt/apt.conf.d/70debconf.
> Can't exec "/tmp/cryptsetup-initramfs.config.UaZ02N": Permission
denied at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178,
line 1.
This line shows a path which is NOT where /usr/sbin/dpkg-preconfigure
unpacks the configure script. It uses a hard-coded path of
/var/cache/debconf/tmp.ci:
my $tempdir='/var/cache/debconf/tmp.ci';
[...]
if (system("apt-extracttemplates", "--tempdir",
$tempdir, @collect) != 0) {
[...]
What does `readlink -f /var/cache/debconf/tmp.ci` return on your system?
** Changed in: debconf (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to debconf in Ubuntu.
https://bugs.launchpad.net/bugs/2043711
Title:
Open3.pm tries to run code in /tmp when preconfiguring packages
Status in debconf package in Ubuntu:
Incomplete
Bug description:
During update of ubuntu-drivers-common:
Can't exec "/tmp/ubuntu-drivers-common.config.55GJ8b": Permission denied at
/usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.
open2: exec of /tmp/ubuntu-drivers-common.config.55GJ8b configure
1:0.9.6.2~0.22.04.4 failed: Permission
denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
Preconfiguring packages ...
Can't exec "/tmp/ubuntu-drivers-common.config.uSPrCH": Permission denied at
/usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 178, line 1.
open2: exec of /tmp/ubuntu-drivers-common.config.uSPrCH configure
1:0.9.6.2~0.22.04.4 failed: Permission
denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.
/tmp is mounted with noexec because running code from /tmp has been a
vulnerability vector for several decades, hence reporting this as a
vulnerability in perl-base.
This error did not appear to prevent the update of ubuntu-drivers-
common and "dpkg --verify ubuntu-drivers-common" returns 0.
___
Attempting to use the package search on this form by clicking the 🔍
created a modal in which there is an error
Sorry, something went wrong with your search. We've recorded what
happened, and we'll fix it as soon as possible. (Error ID:
OOPS-c80f71590b02908a1187b9f743c53eac)
which is repeated with any attempt to search for a package.
___
Submitting this form gives an error
"perl-base" does not exist in Ubuntu. Please choose a different
package. If you're unsure, please select "I don't know"
$ dpkg -S /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
perl-base: /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm
$ dpkg -l perl-base
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==-=--=>
ii perl-base 5.34.0-3ubuntu1.2 amd64minimal Perl system
Looks like a package to me. Nevertheless, using "Did you mean..."
offers "perl".
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: perl-base 5.34.0-3ubuntu1.2
ProcVersionSignature: Ubuntu 6.5.0-1007.7-oem 6.5.3
Uname: Linux 6.5.0-1007-oem x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Thu Nov 16 10:08:48 2023
InstallationDate: Installed on 2016-04-23 (2763 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64
(20160420.1)
ProcEnviron:
TERM=rxvt
PATH=(custom, no user)
XDG_RUNTIME_DIR=
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: perl
UpgradeStatus: Upgraded to jammy on 2022-08-19 (453 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/2043711/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
I can't seem to get the xattr solution to work. I'm trying it on a
normal binary and it's failing like so:
# Contents of /etc/apparmor.d/falkon
abi ,
include
profile falkon xattrs=(security.apparmor=falkon) flags=(unconfined) {
userns,
include if exists
}
# setfattr command
user@user-standardpc:/usr/bin$ sudo setfattr -n security.apparmor -v falkon
/usr/bin/falkon
# make sure the attribute is set
user@user-standardpc:/usr/bin$ getfattr -n security.apparmor /usr/bin/falkon
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/falkon
security.apparmor="falkon"
# attempt to launch
user@user-standardpc:/usr/bin$ /usr/bin/falkon
[3967:3967:1220/095728.818079:FATAL:credentials.cc(125)] Check failed: . :
Permission denied (13)
Trace/breakpoint trap (core dumped)
#checking the logs
user@user-standardpc:/usr/bin$ journalctl -n100
...
Dec 20 09:57:28 user-standardpc kernel: audit: type=1400
audit(1703084248.814:826): apparmor="DENIED" operation="userns_create"
class="namespace" info="User namespace creation restricted" error=-13
profile="unconfined" pid=3967 comm="falkon" requested="userns_create"
denied="userns_create"
Dec 20 09:57:37 user-standardpc kernel: traps: falkon[3967] trap int3
ip:7f3ae85d7b13 sp:7ffe61e8b700 error:0 in
libQt5WebEngineCore.so.5.15.15[7f3ae63b4000+6931000]
...
The solution that involves spelling out the absolute path to the file
does work.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2046844
Title:
AppArmor user namespace creation restrictions cause many applications
to crash with SIGTRAP
Status in apparmor package in Ubuntu:
Confirmed
Status in digikam package in Ubuntu:
Confirmed
Status in epiphany-browser package in Ubuntu:
Confirmed
Status in falkon package in Ubuntu:
Confirmed
Status in qutebrowser package in Ubuntu:
Confirmed
Bug description:
Hi, I run Ubuntu development branch 24.04 and I have a problem with
Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get
this error
$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch
dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrĂŞt et de trace (core dumped)
$ epiphany
bwrap: Creating new namespace failed: Permission denied
** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch
dbus-proxy: Le processus fils s’est terminé avec le code 1
Trappe pour point d'arrĂŞt et de trace (core dumped)
Thanks for your help!
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2046844] Re: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP
How acceptable or possible would a solution be that had one universal "allowUserNamespaces" attribute in an AppArmor config that could then simply be set on whatever files one wanted to enable the features on? That would support all third-party apps that a user deemed worthy without needing much effort to enable but without allowing programs to enable it themselves without root privileges, if I'm understanding correctly. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2046844 Title: AppArmor user namespace creation restrictions cause many applications to crash with SIGTRAP Status in apparmor package in Ubuntu: Confirmed Status in digikam package in Ubuntu: Confirmed Status in epiphany-browser package in Ubuntu: Confirmed Status in falkon package in Ubuntu: Confirmed Status in qutebrowser package in Ubuntu: Confirmed Bug description: Hi, I run Ubuntu development branch 24.04 and I have a problem with Epiphany browser 45.1-1 (Gnome Web): program doesn't launch, and I get this error $ epiphany bwrap: Creating new namespace failed: Permission denied ** (epiphany:12085): ERROR **: 14:44:35.023: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1 Trappe pour point d'arrêt et de trace (core dumped) $ epiphany bwrap: Creating new namespace failed: Permission denied ** (epiphany:30878): ERROR **: 22:22:26.926: Failed to fully launch dbus-proxy: Le processus fils s’est terminé avec le code 1 Trappe pour point d'arrêt et de trace (core dumped) Thanks for your help! To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1794064] Re: Clicking a hyperlink in a PDF fails to open it if the default browser is a snap
Hi, I'm on Ubuntu 23.10 using Brave browser SNAP and I still face the
issue (cannot open links in evince -using Brave browser snap).
Here are the versions:
```console
❯ apt list --installed | rg 'evince|apparmor'
apparmor/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
evince-common/mantic,mantic,now 45.0-1 all [installed,automatic]
evince/mantic,now 45.0-1 amd64 [installed]
libapparmor1/mantic,now 4.0.0~alpha2-0ubuntu5 amd64 [installed,automatic]
```
Brave Browser 120.1.61.101
`journalctl -f` log:
```console
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.044:3565):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/evince//snap_browsers" name="/proc/cgroups" pid=1351803
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 20 12:18:37 laptop brave_brave.desktop[1351803]: internal error, please
report: running "brave" failed: open /snap/brave/323/meta/snap.yaml: permission
denied
Dec 20 12:18:37 laptop kernel: audit: type=1400 audit(1703071117.052:3566):
apparmor="DENIED" operation="open" class="file"
profile="/usr/bin/evince//snap_browsers" name="/snap/brave/323/meta/snap.yaml"
pid=1351803 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```
I see the following in `/etc/apparmor.d/usr.bin.evince` with all
includes commented, including `snap_browsers` line. Is that normal?
Thanks
```
│ File: /etc/apparmor.d/usr.bin.evince
│ Size: 11.5 KB
───┼
1 │ # vim:syntax=apparmor
2 │
3 │ # evince is not written with application confinement in mind and is
designed to
4 │ # operate within a trusted desktop session where anything running
within the
5 │ # user's session is trusted. That said, evince will often process
untrusted
6 │ # input (PDFs, images, etc). Ideally evince would be written in such a
way that
7 │ # image processing is separate from the main process and that
processing
8 │ # happens in a restrictive sandbox, but unfortunately that is not
currently the
9 │ # case. Because evince will process untrusted input, this profile aims
to
10 │ # provide some hardening, but considering evince's design and other
factors such
11 │ # as X, gsettings, accessibility, translations, DBus session and system
12 │ # services, etc, complete confinement is not possible.
13 │
14 │ #include
15 │
16 │ /usr/bin/evince {
17 │ #include
18 │ #include
19 │ #include
20 │ #include
21 │ #include
22 │ #include
23 │ #include
24 │
25 │ #include
26 │ #include
27 │ #include
28 │ #include
29 │ #include
30 │
31 │ # allow evince to spawn browsers distributed as snaps (LP: #1794064)
32 │ #include if exists
33 │
34 │ # For now, let evince talk to any session services over dbus. We can
35 │ # blacklist any problematic ones (but note, evince uses libsecret :\)
36 │ #include
37 │
38 │ #include
39 │ dbus (receive) bus=system,
```
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1794064
Title:
Clicking a hyperlink in a PDF fails to open it if the default browser
is a snap
Status in apparmor package in Ubuntu:
Fix Released
Status in evince package in Ubuntu:
Fix Released
Status in apparmor source package in Jammy:
Fix Released
Status in evince source package in Jammy:
Fix Released
Status in apparmor source package in Lunar:
Fix Released
Status in evince source package in Lunar:
Fix Released
Status in apparmor package in Debian:
Fix Released
Status in evince package in Debian:
Confirmed
Bug description:
[Impact]
* Users cannot open a hyperlink in a PDF opened with evince when the default
browser is a snap.
* The fix creates a snap_browsers abstraction on AppArmor which can be used
in a transition for when the browser is executed. The snap_browsers abstraction
provides the minimal amount of permissions required to execute a browser
provided through snaps. This is a workaround since AppArmor currently does not
provide mediation/filtering on enhanced environment variables.
[Test Plan]
* Make sure the default browser is provided through the snap store.
* Open a PDF that contains a hyperlink using evince and click on the URL.
* The browser should open the requested URL.
[Where problems could occur]
* If the browser or snap core update to have new requirements for
opening a browser, then the current policy could become obsolete and
will need to be updated again.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1794064/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-pac
[Touch-packages] [Bug 2029010] Re: dummy sound on huawei mate d15 laptop
I also made a mistake with a person who can help with this problem https://github.com/codepayne/linux-sound-huawei/issues/27 ** Bug watch added: github.com/codepayne/linux-sound-huawei/issues #27 https://github.com/codepayne/linux-sound-huawei/issues/27 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to alsa-driver in Ubuntu. https://bugs.launchpad.net/bugs/2029010 Title: dummy sound on huawei mate d15 laptop Status in Linux: Confirmed Status in alsa-driver package in Ubuntu: New Status in alsa-ucm-conf package in Ubuntu: New Status in firmware-sof package in Ubuntu: New Status in linux package in Ubuntu: New Bug description: I tried different options, but I couldn't raise the sound. saber716rus@saber716rus-BOM-WXX9 ~> cat /etc/os-release NAME="Green Linux" VERSION="21.2 (Victoria)" ID=linuxmint ID_LIKE="ubuntu debian" PRETTY_NAME="Green Linux 21.2.0 Pro (Cubic 2023-06-14 22:01)" VERSION_ID="21" HOME_URL="https://greenlinux.ru/"; SUPPORT_URL="https://forum.linuxmint.su/"; BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/ru/latest/"; PRIVACY_POLICY_URL="https://greenlinux.ru/"; VERSION_CODENAME=victoria UBUNTU_CODENAME=jammy saber716rus@saber716rus-BOM-WXX9 ~ [1]> cat /proc/asound/cards 0 [Generic]: HDA-Intel - HD-Audio Generic HD-Audio Generic at 0xd03c irq 80 1 [acp]: acp - acp HUAWEI-BOM_WXX9-M1010-BOM_WXX9_PCB_B2 saber716rus@saber716rus-BOM-WXX9 ~> To manage notifications about this bug go to: https://bugs.launchpad.net/linux/+bug/2029010/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1771880] Re: Seahorse unable to import pkcs12 certificates
Thanks Damjan for the investigation work and the fixes, I've cherrypicked the gcr fix and uploaded to Debian now (which will sync to Ubuntu later today). I would prefer to see an upstream review for the keyring change before distro patching that one since the situation there is a bit more complicated ** Also affects: gcr (Ubuntu) Importance: Undecided Status: New ** Changed in: gcr (Ubuntu) Importance: Undecided => High ** Changed in: gcr (Ubuntu) Status: New => Fix Committed ** Changed in: gcr (Ubuntu) Assignee: (unassigned) => Sebastien Bacher (seb128) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gcr in Ubuntu. https://bugs.launchpad.net/bugs/1771880 Title: Seahorse unable to import pkcs12 certificates Status in seahorse: New Status in gcr package in Ubuntu: Fix Committed Status in gnome-keyring package in Ubuntu: Triaged Status in seahorse package in Ubuntu: Triaged Status in gnome-keyring package in Fedora: New Status in seahorse package in Fedora: Unknown Bug description: seahorse 3.20.0-5 / gnome-keyring 3.28.0.2-1ubuntu1.18.04.1 / Ubuntu 18.04 LTS / GNOME 3.28.1 When trying to import a certificate into seahorse/gnome-keyring on Ubuntu 18.04, seahorse GUI application shows the 'import' button greyed out, while mouse hovering the "import" button shows the message "Cannot import because there are no compatible importers". This problem doesn't occur on Ubuntu 16.04 LTS (Seahorse 3.18.0), as I've just tested on my wife's laptop, but happens in my Laptop with Ubuntu 18.04 LTS (Seahorse 3.20.0-5). Because that problem, it's not possible to digitally sign documents with LibreOffice. To manage notifications about this bug go to: https://bugs.launchpad.net/seahorse/+bug/1771880/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2047023] [NEW] Qt app crashed after upgrading Qt5 libraries to 5.15.10+dfsg-5build1
Public bug reported:
After upgrading Qt5 libraries to 5.15.10+dfsg-5build1, several Qt5
applications (including lxqt-panel and goldendict) crashed, leaving a
"*** buffer overflow detected ***: terminated" message in console.
It seems that the crashed applications all used the QSettings. The
following sample code will crash with 5.15.10+dfsg-5build1, but not with
5.15.10+dfsg-5
#include
int main(int argc, char *argv[])
{
QSettings s("/tmp/a.ini", QSettings::IniFormat);
s.setValue("a", 123);
s.sync();
return 0;
}
** Affects: qtbase-opensource-src (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
- After upgrading Qt libraries to 5.15.10+dfsg-5build1, several Qt
+ After upgrading Qt5 libraries to 5.15.10+dfsg-5build1, several Qt5
applications (including lxqt-panel and goldendict) crashed, leaving a
"*** buffer overflow detected ***: terminated" message in console.
It seems that the crashed applications all used the QSettings. The
following sample code will crash with 5.15.10+dfsg-5build1, but not with
5.15.10+dfsg-5
#include
int main(int argc, char *argv[])
{
- QSettings s("/tmp/a.ini", QSettings::IniFormat);
- s.setValue("a", 123);
- s.sync();
- return 0;
+ QSettings s("/tmp/a.ini", QSettings::IniFormat);
+ s.setValue("a", 123);
+ s.sync();
+ return 0;
}
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to qtbase-opensource-src in
Ubuntu.
https://bugs.launchpad.net/bugs/2047023
Title:
Qt app crashed after upgrading Qt5 libraries to 5.15.10+dfsg-5build1
Status in qtbase-opensource-src package in Ubuntu:
New
Bug description:
After upgrading Qt5 libraries to 5.15.10+dfsg-5build1, several Qt5
applications (including lxqt-panel and goldendict) crashed, leaving a
"*** buffer overflow detected ***: terminated" message in console.
It seems that the crashed applications all used the QSettings. The
following sample code will crash with 5.15.10+dfsg-5build1, but not
with 5.15.10+dfsg-5
#include
int main(int argc, char *argv[])
{
QSettings s("/tmp/a.ini", QSettings::IniFormat);
s.setValue("a", 123);
s.sync();
return 0;
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/2047023/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2047008] Re: [SRU] Add Telit FN990 compositions
The verified log is attached. ** Attachment added: "modemmanager_1.20.0-1~ubuntu22.04.3_verified.log" https://bugs.launchpad.net/oem-priority/+bug/2047008/+attachment/5730937/+files/modemmanager_1.20.0-1~ubuntu22.04.3_verified.log -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to modemmanager in Ubuntu. https://bugs.launchpad.net/bugs/2047008 Title: [SRU] Add Telit FN990 compositions Status in OEM Priority Project: New Status in modemmanager package in Ubuntu: New Bug description: [SRU] Add Telit FN990 compositions [ Impact ] The modemmanager v1.20.0 doesn't have Telit FN990 compositions. It works with compatibility mode. (lp: #2046699) [ Test Plan ] Under Jammy environment, check modemmanager can identify Telit FN990 modem correctly. [ Where problems could occur ] The Telit FN990 compositions is upstreamed to modemmanager v1.20.6 https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/commit/b68a1bb8474991a72cf988e8e24ba6549f1cf9c2 Noble and Mantic already working with modemmanager v1.20.6. The target platform modem function works well on Mantic. The change parts just only add VID/PIDs for Telit's FN990 modems under the Telit plugin. [ Other Info ] N/A To manage notifications about this bug go to: https://bugs.launchpad.net/oem-priority/+bug/2047008/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2047008] Re: [SRU] Add Telit FN990 compositions
The debdiff is attached. ** Patch added: "modemmanager_1.20.0-1~ubuntu22.04.3.debdiff" https://bugs.launchpad.net/oem-priority/+bug/2047008/+attachment/5730935/+files/modemmanager_1.20.0-1~ubuntu22.04.3.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to modemmanager in Ubuntu. https://bugs.launchpad.net/bugs/2047008 Title: [SRU] Add Telit FN990 compositions Status in OEM Priority Project: New Status in modemmanager package in Ubuntu: New Bug description: [SRU] Add Telit FN990 compositions [ Impact ] The modemmanager v1.20.0 doesn't have Telit FN990 compositions. It works with compatibility mode. (lp: #2046699) [ Test Plan ] Under Jammy environment, check modemmanager can identify Telit FN990 modem correctly. [ Where problems could occur ] The Telit FN990 compositions is upstreamed to modemmanager v1.20.6 https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/commit/b68a1bb8474991a72cf988e8e24ba6549f1cf9c2 Noble and Mantic already working with modemmanager v1.20.6. The target platform modem function works well on Mantic. The change parts just only add VID/PIDs for Telit's FN990 modems under the Telit plugin. [ Other Info ] N/A To manage notifications about this bug go to: https://bugs.launchpad.net/oem-priority/+bug/2047008/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
