[Bug 2048092] Autopkgtest regression report (util-linux/2.37.2-4ubuntu3.2)

Ubuntu SRU Bot 2048092 at bugs.launchpad.net
Fri Jan 19 07:06:54 UTC 2024 

All autopkgtests for the newly accepted util-linux (2.37.2-4ubuntu3.2) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

cmake-extras/1.6-1 (armhf)
livecd-rootfs/2.765.34 (amd64)
udisks2/2.9.4-1ubuntu2 (arm64)


Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-
migration/jammy/update_excuses.html#util-linux

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2048092

Title:
  [low-priority SRU] Fix CVE-2022-0563 in source

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Jammy:
  Fix Committed
Status in util-linux source package in Lunar:
  Fix Released
Status in util-linux source package in Mantic:
  Fix Released
Status in util-linux source package in Noble:
  Fix Released

Bug description:
  [Impact]
  We did not fix this CVE in Ubuntu because we do not build the impacted binaries (we use --disable-chfn-chsh). However, some users are known to build their own binaries from this Ubuntu source and therefore could be impacted.

  [Test Plan]
  Since there is no impact to Ubuntu binaries, there is no functional change to verify. Regression testing using the existing build-time tests and autopkgtests should suffice.

  We should also verify that util-linux source builds fine w/ chfn and
  chsh enabled after applying this patch - otherwise it is really
  helping no one.

  [Where problems could occur]
  The upstream patch is clearly restricted to the chfn chsh binaries, which are not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this is used as a precedent to fix other no-impact-to-Ubuntu security issues in other source - say, just to silence 3rd party security scanners. I do not intend to set such a precedent here, and suggest we consider them only on a case-by-case basis.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions

More information about the foundations-bugs mailing list