[Touch-packages] [Bug 2103663] Re: set -x in apparmor.postinst

2025-03-26 Thread Alex Murray
Thanks for the heads up @ahasenack - I will prepare a fix and upload it shortly. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2103663 Title: set -x in apparmor.postinst

[Touch-packages] [Bug 2103663] Re: set -x in apparmor.postinst

2025-03-19 Thread Alex Murray
Fix uploaded in https://launchpad.net/ubuntu/+source/apparmor/4.1.0~beta5-0ubuntu10 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2103663 Title: set -x in apparmor.posti

[Touch-packages] [Bug 2099811] Re: Os-prober segmentation fault one message for each partition on same PC

2025-03-06 Thread Alex Murray
Ah thank for noticing that John, it entirely slipped by me - so in that case I don't think this is the appropriate fix - the AppArmor team has worked hard to remove the busybox and other similar profiles that allowed this bypass so I don't think we should do the same for os- prober. Instead, since

[Touch-packages] [Bug 2098808] Re: Gtk-Message: 16:47:23.002: Not loading module "atk-bridge": The functionality is provided by GTK natively. Please try to not load it.

2025-02-28 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 2096327] Re: apport cannot upload blobs to launchpad - X-Launchpad-Blob-Token missing from http response -> "assert ticket"

2025-01-29 Thread Alex Murray
This is seen in errors.ubuntu.com: https://errors.ubuntu.com/problem/221009027abdbea786d6cc51847568a98d8c1f7d -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/2096327 Title:

[Touch-packages] [Bug 2090887] Re: apport hookutils.py only captures first word per line for KernLog

2024-12-09 Thread Alex Murray
Oooh nice use of non-capturing group - LGTM! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apport in Ubuntu. https://bugs.launchpad.net/bugs/2090887 Title: apport hookutils.py only captures first word per line for KernLog

[Touch-packages] [Bug 2090887] Re: apport hookutils.py only captures first word per line for KernLog

2024-12-08 Thread Alex Murray
Thanks Bryce - no worries - but just wondering if you tested the patch? Since when I was investigating this I noticed the following in the API documentation for re.findall(): The result depends on the number of capturing groups in the pattern. If there are no groups, return a list of strings match

[Touch-packages] [Bug 2090887] Re: apport hook source_apparmor.py shows only one word per line

2024-12-04 Thread Alex Murray
And if we add the same snippet to source_apparmor.py so we can run it directly then we also don't reproduce this: root@sec-noble-amd64:/usr/share/apport/package-hooks# tail source_apparmor.py -n6 if __name__ == '__main__': report = {} add_info(report, None) for key in report:

[Touch-packages] [Bug 2090887] Re: apport hook source_apparmor.py shows only one word per line

2024-12-04 Thread Alex Murray
However if I just run the code from the apparmor apport hook on that system then it doesn't reproduce: root@sec-noble-amd64:/usr/share/apport/package-hooks# python3 Python 3.12.3 (main, Sep 11 2024, 14:17:37) [GCC 13.2.0] on linux Type "help", "copyright", "credits" or "license" for more informati

[Touch-packages] [Bug 2090887] Re: apport hook source_apparmor.py shows only one word per line

2024-12-04 Thread Alex Murray
In a fresh noble LXD VM I can reproduce this: apt install mysql-server apparmor ubuntu-bug mysql-server Then View the report and it has: == KernLog = apparmor AppArmor AppArmor audit( AppArmor AppArmor AppArmor AppArmor security selinux security security security

[Touch-packages] [Bug 2059852] Re: Invalid free called during libfreetype FT_Done_Glyph

2024-12-03 Thread Alex Murray
I think perhaps the best way forward here would be for Canonical to assign a CVE for this issue if it looks like a real vulnerability and then we can proceed with a fix. I will enquire internally. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, whic

[Touch-packages] [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2024-12-03 Thread Alex Murray
** Changed in: openntpd (Ubuntu) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1727202 Title: [17.10 regression] AppArmor ntp denial: F

[Touch-packages] [Bug 2089937] Re: Wi-Fi intermittently disconnects

2024-12-03 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 1957024] Re: pam-mkhomedir does not honor private home directories

2024-11-19 Thread Alex Murray
Thanks for the detailed analysis @pponnuvel - I have reverted this now for pam in plucky in 1.5.3-7ubuntu4 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1957024 Title: pam-mk

[Touch-packages] [Bug 1957024] Re: pam-mkhomedir does not honor private home directories

2024-11-10 Thread Alex Murray
The risk of immediate regression is low since this is only used for new user accounts - but since the change is to a conffile there is always a bit more risk due to interactions with dpkg etc. But that would be a discussion to have with the SRU team. -- You received this bug notification because

[Touch-packages] [Bug 1957024] Re: pam-mkhomedir does not honor private home directories

2024-11-06 Thread Alex Murray
@pponnuvel - I am in the middle of uploading this for plucky :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1957024 Title: pam-mkhomedir does not honor private home directo

[Touch-packages] [Bug 2075246] Re: Apparmor is preventing konsole from running many commands

2024-10-20 Thread Alex Murray
It looks like you are using the snap version of konsole - which seems to have strict confinement in place so its not surprising you are seeing such issues. I see there is a version with classic confinement in the candidate channel - can you please try the following and see if it fixes the issue:

[Touch-packages] [Bug 2075246] Re: Apparmor is preventing konsole from running many commands

2024-10-20 Thread Alex Murray
This is not an issue in apparmor itself, so I am closing this bug as invalid since it is an issue in the konsole snap in the snap store. ** Changed in: apparmor (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages,

[Touch-packages] [Bug 2083435] Re: AppArmor 4.1.0-beta1 contains an ABI break for aa_log_record

2024-10-02 Thread Alex Murray
I typod the magic LP bug reference in the changelog but this was upload to oracular earlier and just moved into -proposed: apparmor (4.1.0~beta1-0ubuntu3) oracular; urgency=medium * Add patch from upstream to fix unintentional ABI break (LP :#2083435) - d/p/u/fix-abi-break-record-for-aa-log-r

[Touch-packages] [Bug 2056555] Re: Allow bitbake to create user namespace

2024-08-14 Thread Alex Murray
FWIW I don't think this proposed profile should be shipped upstream or in Ubuntu for bitbake - it allows any file anywhere on the filesystem under a path bitbake/bin/bitbake to use unprivileged user namespaces - ie. if I was a malware author I would have my malware create a second stage malware fil

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-08-07 Thread Alex Murray
** Changed in: snapd Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2056696 Title: All Snaps are denied the ability to use DBus

[Touch-packages] [Bug 2063271] Re: Illegal opcode in libssl

2024-04-23 Thread Alex Murray
Thanks for reporting this issue - but it is strange since this update has been published since 2024-02-27 and this is the first such report of any issues. Also given this update has been available for nearly 2 months it is surprising you are seeing errors from it so much later - I wonder if instea

[Touch-packages] [Bug 2061191]

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is availabl

[Touch-packages] [Bug 2061856]

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. Your bug report is more likely to get attention if it is made in English, since this is the language understood by the majority of Ubuntu developers. Additionally, please only mark a bug as "security" if it shows evid

[Touch-packages] [Bug 2061856] Re: gnome terminal

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 2062440] Re: A few days ago I realized that the time was four hours behind despite it being automatic with the correct time zone.

2024-04-19 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 2059417] Re: Sync xz-utils 5.6.1-1 (main) from Debian unstable (main)

2024-03-29 Thread Alex Murray
Given this has been reverted in Debian, it should not be synced into Ubuntu. ** Changed in: xz-utils (Ubuntu) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to xz-utils in Ubuntu. https://bugs.la

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Ok whilst I still can't see the /StatusNotifierItem object listed via d-feet I can reproduce the denials when launching element-desktop so I have added some additional changes to the aforementioned PR which resolve these as well. With all the changes from that PR in place all of these mentioned den

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
The subsequent error is: Main script file /usr/lib/x86_64-linux- gnu/calamares/modules/automirror/main.py for python job automirror raised an exception. Is there any way I can debug this further? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, wh

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Ah although it seems I can reboot the VM at this point and whilst Calamares appeared to run again again in the rebooted vm if I choose Install Calamares closes and I see the installed kubuntu environment - weird Anyway I think I will be able to use this to debug the original issue further - wi

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-20 Thread Alex Murray
Yes I hit that exact issue in Calamares but after fixing it I then hit another similar crash in a different script in calamares - will see if I can reproduce and provide you with details. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subs

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-19 Thread Alex Murray
So I installed kubuntu-desktop on an up-to-date noble VM and then after logging into the kubuntu session I was able to reproduce the issue for Notifications but I couldn't see anything owning the /StatusNotifierItem dbus path. For notifications I submitted https://github.com/snapcore/snapd/pull/13

[Touch-packages] [Bug 2058329] [NEW] Update apparmor to 4.0.0-beta3 in noble

2024-03-18 Thread Alex Murray
Public bug reported: Latest upstream release https://gitlab.com/apparmor/apparmor/-/releases/v4.0.0-beta3 Contains only bug fixes since 4.0.0-beta2 which is currently in noble- proposed thus does not require a FFe. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New --

[Touch-packages] [Bug 2056696] Re: All Snaps are denied the ability to use DBus for notifications and apptray indicators in KDE-based flavors

2024-03-14 Thread Alex Murray
> Log: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="ListActivatableNames" mask="send" name="org.freedesktop.DBus" pid=2950 label="snap.element-desktop.element-desktop" peer_label="unconfined" This is provided by

[Touch-packages] [Bug 2056496] Re: [FFe] AppArmor 4.0-beta2 + prompting support for noble

2024-03-12 Thread Alex Murray
Uploaded to noble-proposed yesterday https://launchpad.net/ubuntu/+source/apparmor/4.0.0~beta2-0ubuntu3 ** Changed in: apparmor (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to

[Touch-packages] [Bug 2054924] Re: color emoji are broken with fontconfig 2.15

2024-03-06 Thread Alex Murray
As per https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/409#note_2298588 this can also be fixed by adding an additional rule to /etc/fonts/conf.d/70-no-bitmaps.conf of the form: false ** Bug watch added: gitlab.freedesktop.org/fontconfig/fontconfig/-/issues #409 https://gitlab.fre

[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default

2024-02-07 Thread Alex Murray
Both deb8 tests already declares a Depends on python3-distutils - and we can see that the current test runs all used the 3.11 based python3-distutils - do we need a no-change-rebuild of python3-stdlib- extensions so that it builds against python 3.12? -- You received this bug notification because

[Touch-packages] [Bug 2051540] Re: ufw ftbfs with Python 3.12 as default

2024-01-30 Thread Alex Murray
** Also affects: ufw Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ufw in Ubuntu. https://bugs.launchpad.net/bugs/2051540 Title: ufw ftbfs with Python 3.12 as default Status in

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
Actually I just got it working - no need to send PoC @kerneldude - I made my own. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/2029464 Title: A stack overflow in GNU Tar St

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
So I managed to create a tar file with an extended attribute name of length of ~ 36 bytes long (the largest I can do without exceeding the existing check on maximum extended header lengths it seems) but this is not able to trigger the vuln - so if you are able to share your PoC that would be gr

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-04 Thread Alex Murray
@kerneldude - any chance you could share your poc (perhaps email it to secur...@ubuntu.com rather than post it publicly here)? I have tried creating one via the following but I hit the CLI args limit before I can get an xattr key long enough: touch bar tar --pax-option SCHILY.xattr.user.$(python3

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-30 Thread Alex Murray
Excellent - thanks for letting us know. So since a CVE has already been assigned then we won't assign an additional one. I'll add the details to our CVE tracker. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. h

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-29 Thread Alex Murray
@kerneldude - do you know if MITRE ever assigned a CVE for this? ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/b

[Touch-packages] [Bug 2044625] Re: package libgdk-pixbuf-2.0-0:amd64 2.42.10+dfsg-1build1 failed to install/upgrade: зацикливание триггеров, отмена работы

2023-11-29 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Alex Murray
I am struggling to see the vulnerability here still - the path used in this case is /tmp/ubuntu-drivers-common.config.55GJ8b appears to have a randomly generated suffix and so couldn't have been guessed beforehand nor preseeded with other contents by a local attacker - so the only way then that I c

[Touch-packages] [Bug 2040484] Re: ubuntu_seccomp pseudo-syscall fails on s390

2023-10-25 Thread Alex Murray
Adding a task against libseccomp until we know more about where the bug lies. ** Also affects: libseccomp (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubun

[Touch-packages] [Bug 2039589] Re: Nwidia driver Ubuntu bug

2023-10-17 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-22 Thread Alex Murray
As discussed with the wider security team, we have decided not to push ahead with this change for mantic and instead will look to enable it very early in the 24.04 devel cycle . Marking as invalid and unsubscribing the release team. ** Changed in: apparmor (Ubuntu) Status: New => Won't Fix

[Touch-packages] [Bug 2036698] Re: Unprivileged user namespace restrictions break various third-party applications

2023-09-20 Thread Alex Murray
** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu) Importance: Undecided => High ** Changed in: apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member

[Touch-packages] [Bug 2036698] [NEW] Unprivileged user namespace restrictions break various third-party applications

2023-09-20 Thread Alex Murray
Public bug reported: Similar to https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2035315 the proposed unprivileged user namespace restrictions feature of apparmor in mantic breaks various third-party applications that use unprivileged userns for sandboxing themselves. These include: - Bra

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-18 Thread Alex Murray
** Changed in: apparmor (Ubuntu) Status: Incomplete => New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2036128 Title: [FFe] enable unprivileged user namespace r

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-18 Thread Alex Murray
@vorlon - the FFe you approved was to upload a whole new release apparmor-4.0.0~alpha2 with supporting infrastructure for this feature, but crucially it did not enable it at that time (as we wanted more time to add additional profiles for all the packages in the archive so that when then feature ge

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-18 Thread Alex Murray
FYI I redid this change again on top of the fix from https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2036302 and have uploaded it to the aforementioned PPA (debdiff is almost identical, except for the different context in debian/changelog) ** Patch added: "apparmor_4.0.0~alpha2-0ubuntu5.debdiff

[Touch-packages] [Bug 2035315] Re: Unprivileged user namespace restrictions break various applications

2023-09-17 Thread Alex Murray
As seen in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036302 it turns out the lxc package already shipped a profile in /etc/apparmor.d/usr.bin.lxc-create - so this profile itself needs to be updated to add the userns permission and declare the new ABI in lxc in mantic. ** Also affect

[Touch-packages] [Bug 2036302] Re: apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

2023-09-17 Thread Alex Murray
Uploaded in apparmor 4.0.0~alpha2-0ubuntu4 - currently waiting to build etc - https://launchpad.net/ubuntu/mantic/+queue?queue_state=3&queue_text=apparmor ** Changed in: apparmor (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Ub

[Touch-packages] [Bug 2036302] Re: apparmor 4.0.0~alpha2-0ubuntu3 ships same file as liblxc-common

2023-09-17 Thread Alex Murray
Apologies for this - I am working on an update now to resolve it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu. https://bugs.launchpad.net/bugs/2036302 Title: apparmor 4.0.0~alpha2-0ubuntu3 ships same file

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-17 Thread Alex Murray
@sil2100 - apologies, I think I wasn't clear - for the actual enablement to take effect, this FFe does require the new kernel - BUT I added some fallback logic to detect if the kernel doesn't support the required feature so that the sysctl gets disabled in that case when the apparmor service is sta

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-15 Thread Alex Murray
I have uploaded this new version to https://launchpad.net/~alexmurray/+archive/ubuntu/lp2036128 and so it should be built soon (from which the build log will be available). Please let me know if any other information is required. -- You received this bug notification because you are a member of U

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-15 Thread Alex Murray
apt log when installing new apparmor packages ** Description changed: As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace- restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysct

[Touch-packages] [Bug 2036128] Re: [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-15 Thread Alex Murray
Proposed changes for FFe to enable the sysctl by default but add fallback logic to disable it if the system doesn't provide all the required features. ** Patch added: "apparmor_4.0.0~alpha2-0ubuntu4.debdiff" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128/+attachment/5701125/+f

[Touch-packages] [Bug 2036128] [NEW] [FFe] enable unprivileged user namespace restrictions by default for mantic

2023-09-14 Thread Alex Murray
Public bug reported: As per https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace- restrictions-via-apparmor-in-ubuntu-23-10/37626, unprivileged user namespace restrictions for Ubuntu 23.10 are to be enabled by default via a sysctl.d conf file in apparmor. In https://bugs.launchpad.net/

[Touch-packages] [Bug 2035315] [NEW] Unprivileged user namespace restrictions break various applications

2023-09-13 Thread Alex Murray
) Importance: High Assignee: Alex Murray (alexmurray) Status: Confirmed ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu) Importance: Undecided => High ** Changed in: apparmor (Ubuntu) Statu

[Touch-packages] [Bug 2034449] Re: IP phising

2023-09-05 Thread Alex Murray
Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it. Submitting the bug about the proper source package is essential. For help see https://wiki.ubuntu.

[Touch-packages] [Bug 2034133] Re: i cant update ubuntu

2023-09-05 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 2026227] [NEW] Backport 4.0 ABI for AppArmor 3 in mantic

2023-07-05 Thread Alex Murray
lt;(aa-features-abi -x) f17b0a97806d733b5b884d8a1c2fea37 /etc/apparmor.d/abi/4.0 f17b0a97806d733b5b884d8a1c2fea37 /dev/fd/63 ** Affects: apparmor (Ubuntu) Importance: Undecided Assignee: Alex Murray (alexmurray) Status: New ** Affects: apparmor (Ubuntu Mantic) Impo

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
** Patch added: "bionic debdiff with corrected version number" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682930/+files/apparmor_2.12-4ubuntu5.3.debdiff ** Patch removed: "debdiff for bionic" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
It turns out there was already an upload of apparmor 2.12-4ubuntu5.2 to bionic-proposed that got rejected (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/comments/15), so this update will instead need to skip this version number and use 2.12-4ubuntu5.3 instead. -- You received th

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
Importance: Undecided => High ** Changed in: apparmor (Ubuntu Xenial) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu Bionic) Assignee: (unassigned) => Alex Murray (alexmurray) ** Changed in: apparmor (Ubuntu Xenial) Status: New => I

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-29 Thread Alex Murray
** Patch added: "debdiff for bionic" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2024637/+attachment/5682828/+files/apparmor_2.12-4ubuntu5.2.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in U

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
A possible fix on the snapd side is being prepared in tandem in https://github.com/snapcore/snapd/pull/12909 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2024637 Title:

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
** Also affects: snapd (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2024637 Title: apparmor.service tries to load s

[Touch-packages] [Bug 2024637] Re: apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
** Also affects: apparmor (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: apparmor (Ubuntu Bionic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to appar

[Touch-packages] [Bug 2024637] [NEW] apparmor.service tries to load snapd generated apparmor profiles but fails

2023-06-22 Thread Alex Murray
Public bug reported: As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support. This is seen as a failure to load the apparmor.service a

[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles

2023-03-28 Thread Alex Murray
This bug is fixed and the behaviour you are seeing is expected - ie. it is expected that AppArmor prints a warning about forcing complain mode for the usr.sbin.sssd profile and that it then also prints a warning about caching being disabled for that due to it being in force complain mode. This is e

[Touch-packages] [Bug 1994146] Re: [SRU] apparmor - Focal, Jammy

2022-10-27 Thread Alex Murray
These have now been uploaded to -proposed and are sitting in UNAPPROVED: https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=apparmor https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=apparmor ** Changed in: apparmor (Ubuntu Focal) Status: Confirmed => In Pr

[Touch-packages] [Bug 1992930] Re: chromium won't launch at menu when installed; lubuntu kinetic

2022-10-16 Thread Alex Murray
This current bug looks like LP: #1991691 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1992930 Title: chromium won't launch at menu when installed; lubuntu kinetic Stat

[Touch-packages] [Bug 1992580] Re: i915 DG1 fails to load

2022-10-12 Thread Alex Murray
*** This bug is a duplicate of bug 1991704 *** https://bugs.launchpad.net/bugs/1991704 ** This bug has been marked a duplicate of bug 1991704 Kinetic kernels 5.19.0-18/19-generic won't boot on Intel 11th/12th gen -- You received this bug notification because you are a member of Ubuntu Tou

[Touch-packages] [Bug 1992430] Re: Snap based apps crash after 5.19.0-18->5.19.0-19 kernel upgrade

2022-10-11 Thread Alex Murray
*** This bug is a duplicate of bug 1991691 *** https://bugs.launchpad.net/bugs/1991691 ** This bug has been marked a duplicate of bug 1991691 cannot change mount namespace -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed t

[Touch-packages] [Bug 1810241] Re: NULL dereference when decompressing specially crafted archives

2022-09-26 Thread Alex Murray
Thanks I have updated the status of this CVE in the Ubuntu CVE tracker. ** Changed in: tar (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.

[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release

2022-09-21 Thread Alex Murray
** Description changed: - Placeholder for preparation of AppArmor 3.1.1 for kinetic. + AppArmor 3.1.1 is the latest upstream version of the apparmor userspace + tooling. + + This includes a large number of bug fixes since the 3.0.7 release which + is currently in kinetic, as well as various clean

[Touch-packages] [Bug 1989309] Re: [FFe] apparmor 3.1.1 upstream release

2022-09-21 Thread Alex Murray
** Attachment added: "apparmor-3.0.7-to-3.1.1-git-log.log" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1989309/+attachment/5617640/+files/apparmor-3.0.7-to-3.1.1-git-log.log ** Description changed: AppArmor 3.1.1 is the latest upstream version of the apparmor userspace tooling

[Touch-packages] [Bug 1990064] Re: unconfined profile denies userns_create for chromium based processes

2022-09-18 Thread Alex Murray
This sounds like a kernel regression. The commit you link to is for SELinux, which is not enabled by default in Ubuntu, so I doubt it is that specifically - instead I suspect this is due to the following commit: https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/kinetic/commit/?h=

[Touch-packages] [Bug 1989309] [NEW] [FFe] apparmor 3.1.1 upstream release

2022-09-11 Thread Alex Murray
Public bug reported: Placeholder for preparation of AppArmor 3.1.1 for kinetic. ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New ** Summary changed: - [FFe] apparmor 3.1.0 upstream release + [FFe] apparmor 3.1.1 upstream release -- You received this bug notificati

[Touch-packages] [Bug 1972654] Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

2022-09-02 Thread Alex Murray
> I do not intend to take further action to modify those packages. If it is a > blocker for Ubuntu > that they are fixed, then someone from Ubuntu will need to do that work. Given the relationship between the packages has now changed - ie. polkitd-pkla is not mutually exclusive from the javascri

[Touch-packages] [Bug 283115] Re: Gimp: toolbox windows can't be minimized

2022-07-22 Thread Alex Murray
** Changed in: gimp (Ubuntu) Status: Fix Released => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gtk+2.0 in Ubuntu. https://bugs.launchpad.net/bugs/283115 Title: Gimp: toolbox windows can't be minimized

[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

2022-06-17 Thread Alex Murray
Kinetic) Importance: High Status: Confirmed ** Changed in: apparmor (Ubuntu Kinetic) Status: Confirmed => In Progress ** Changed in: apparmor (Ubuntu Jammy) Status: New => In Progress ** Changed in: apparmor (Ubuntu Kinetic) Assignee: (unassigned) => Al

[Touch-packages] [Bug 1969896] Re: Evince Document Viewer(42.0) does not remember last page in 22.04 and opens in a tiny window when launched

2022-06-14 Thread Alex Murray
FYI I have sent a MR to the upstream AppArmor project to remove this dbus deny rule from the exo-open abstraction: https://gitlab.com/apparmor/apparmor/-/merge_requests/884 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to appar

[Touch-packages] [Bug 1978042] Re: adduser doesn't support extrausers for group management

2022-06-08 Thread Alex Murray
This looks like a duplicate of LP: #1959375 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu. https://bugs.launchpad.net/bugs/1978042 Title: adduser doesn't support extrausers for group management Status i

[Touch-packages] [Bug 1977710] Re: /etc/adduser.conf.dpkg-save created by postinst since 3.121ubuntu1

2022-06-07 Thread Alex Murray
>From what I can see of this postinst this looks to be a bug from adduser in debian itself - and would appear to come from https://salsa.debian.org/debian/adduser/-/blob/master/debian/postinst#L33 - ie. if the default value is unchanged then an /etc/adduser.conf.dpkg- save is always generated when

[Touch-packages] [Bug 1871148] Re: services start before apparmor profiles are loaded

2022-05-23 Thread Alex Murray
@mardy I thought we had snapd.apparmor specifically to avoid this scenario but I can't see that service mentioned at all in systemd- analyze plot... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://b

[Touch-packages] [Bug 1975407] Re: pulseaudio is getting crashed

2022-05-22 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 1975408] Re: Performance is much worse than expected (Normal friendly behaviors)

2022-05-22 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 1975381] Re: firewall gets disabled

2022-05-22 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd

[Touch-packages] [Bug 1973654] Re: Using debian-installer on a server with a Let's Encrypt cert dies

2022-05-16 Thread Alex Murray
I believe this is caused by debootstrap - it only uses packages from the release pocket (and this is frozen from the time Ubuntu 20.04 LTS was originally released). This is a known issue https://askubuntu.com/questions/744684/latest-security-updates-with- debootstrap but I am not sure if there is m

[Touch-packages] [Bug 1971288] Re: Merge libseccomp from Debian unstable for kinetic

2022-05-03 Thread Alex Murray
ges: - Update autopkgtests to use syscalls from 5.16-rc1 -- Alex Murray Thu, 24 Feb 2022 09:53:35 +1030 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1971288/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post

[Touch-packages] [Bug 1968397]

2022-04-10 Thread Alex Murray
Thank you for using Ubuntu and taking the time to report a bug. Your report should contain, at a minimum, the following information so we can better find the source of the bug and work to resolve it. Submitting the bug about the proper source package is essential. For help see https://wiki.ubuntu.

[Touch-packages] [Bug 1968397] Re: bootloader

2022-04-10 Thread Alex Murray
Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd

[Touch-packages] [Bug 1968402] Re: Ubuntu 20.04.3 boots to black screen, no TTY available

2022-04-10 Thread Alex Murray
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privile

[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2022-04-04 Thread Alex Murray
Nice - thanks @sdeziel -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1452115 Title: Python interpreter binary is not compiled as PIE Status in Python: New Status in

[Touch-packages] [Bug 1452115] Re: Python interpreter binary is not compiled as PIE

2022-03-24 Thread Alex Murray
Thanks @doko :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to python2.7 in Ubuntu. https://bugs.launchpad.net/bugs/1452115 Title: Python interpreter binary is not compiled as PIE Status in Python: New Status in python2

  1   2   3   4   >