@ahasenack - thanks for asking these questions. I do know of a user rebuilding jammy's util-linux. The build recipe I've seen installs these binaries. I don't know the risk that they might become setuid. This CVE I noticed as being fixed in a later version of util-linux, but not in jammy. I then looked it up in our CVE tracker and saw why we had chosen not to patch it.
To verify that the code inside is not used, I used inotifywait during the build to watch for processes opening these .c files. Each file is opened exactly twice - both times during the dh-autoreconf phase, where it collects a checksum before and after using md5sum. Neither file is opened again. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/2048092 Title: [low-priority SRU] Fix CVE-2022-0563 in source Status in util-linux package in Ubuntu: Fix Released Status in util-linux source package in Jammy: In Progress Status in util-linux source package in Lunar: Fix Released Status in util-linux source package in Mantic: Fix Released Status in util-linux source package in Noble: Fix Released Bug description: [Impact] We did not fix this CVE in Ubuntu because we do not build the impacted binaries (we use --disable-chfn-chsh). However, some users are known to build their own binaries from this Ubuntu source and therefore could be impacted. [Test Plan] Since there is no impact to Ubuntu binaries, there is no functional change to verify. Regression testing using the existing build-time tests and autopkgtests should suffice. We should also verify that util-linux source builds fine w/ chfn and chsh enabled after applying this patch - otherwise it is really helping no one. [Where problems could occur] The upstream patch is clearly restricted to the chfn chsh binaries, which are not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this is used as a precedent to fix other no-impact-to-Ubuntu security issues in other source - say, just to silence 3rd party security scanners. I do not intend to set such a precedent here, and suggest we consider them only on a case-by-case basis. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
