[Bug 2048092] Please test proposed package
Andreas Hasenack
2048092 at bugs.launchpad.net
Thu Jan 18 21:05:30 UTC 2024
Hello dann, or anyone else affected,
Accepted util-linux into jammy-proposed. The package will build now and
be available at https://launchpad.net/ubuntu/+source/util-
linux/2.37.2-4ubuntu3.2 in a few hours, and then in the -proposed
repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
jammy to verification-done-jammy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-jammy. In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2048092
Title:
[low-priority SRU] Fix CVE-2022-0563 in source
Status in util-linux package in Ubuntu:
Fix Released
Status in util-linux source package in Jammy:
Fix Committed
Status in util-linux source package in Lunar:
Fix Released
Status in util-linux source package in Mantic:
Fix Released
Status in util-linux source package in Noble:
Fix Released
Bug description:
[Impact]
We did not fix this CVE in Ubuntu because we do not build the impacted binaries (we use --disable-chfn-chsh). However, some users are known to build their own binaries from this Ubuntu source and therefore could be impacted.
[Test Plan]
Since there is no impact to Ubuntu binaries, there is no functional change to verify. Regression testing using the existing build-time tests and autopkgtests should suffice.
We should also verify that util-linux source builds fine w/ chfn and
chsh enabled after applying this patch - otherwise it is really
helping no one.
[Where problems could occur]
The upstream patch is clearly restricted to the chfn chsh binaries, which are not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this is used as a precedent to fix other no-impact-to-Ubuntu security issues in other source - say, just to silence 3rd party security scanners. I do not intend to set such a precedent here, and suggest we consider them only on a case-by-case basis.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions
More information about the foundations-bugs
mailing list