[low-priority SRU] Fix CVE-2022-0563 in source

Bug #2048092 reported by dann frazier
Affects                  Status          Importance   Assigned to     Milestone
util-linux (Ubuntu)      Fix Released    Undecided    Unassigned
  Jammy                  Fix Committed   Undecided    dann frazier
  Lunar                  Fix Released    Undecided    Unassigned
  Mantic                 Fix Released    Undecided    Unassigned
  Noble                  Fix Released    Undecided    Unassigned

Bug Description

[Impact]
We did not fix this CVE in Ubuntu because we do not build the impacted binaries (we use --disable-chfn-chsh). However, some users are known to build their own binaries from this Ubuntu source and therefore could be impacted.

[Test Plan]
Since there is no impact to Ubuntu binaries, there is no functional change to verify. Regression testing using the existing build-time tests and autopkgtests should suffice.

We should also verify that the util-linux source builds fine with chfn and chsh enabled after applying this patch - otherwise it is really helping no one.

[Where problems could occur]
The upstream patch is clearly restricted to the chfn/chsh binaries, which are not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this is used as a precedent to fix other no-impact-to-Ubuntu security issues in other source - say, just to silence 3rd party security scanners. I do not intend to set such a precedent here, and suggest we consider them only on a case-by-case basis.

dann frazier (dannf)
Changed in util-linux (Ubuntu):
status: New → Fix Released
tags: added: block-proposed-jammy
Changed in util-linux (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → dann frazier (dannf)
dann frazier (dannf)
Changed in util-linux (Ubuntu Mantic):
status: New → Fix Released
Changed in util-linux (Ubuntu Lunar):
status: New → Fix Released
Andreas Hasenack (ahasenack) wrote :

> However, some users are known to build their own binaries from this Ubuntu source and therefore could be
> impacted.

Do you know of users rebuilding specifically util-linux and enabling those tools? What was it about this specific CVE and specifically util-linux that caught your attention and made you want to propose this SRU?

I see the patches only affect the binaries we don't ship, but have you also made sure that no other tools or files from the package include the affected code in their build?

dann frazier (dannf) wrote :

@ahasenack - thanks for asking these questions.

I do know of a user rebuilding jammy's util-linux. The build recipe I've seen installs these binaries. I don't know the risk that they might become setuid. This CVE I noticed as being fixed in a later version of util-linux, but not in jammy. I then looked it up in our CVE tracker and saw why we had chosen not to patch it.

To verify that the code inside is not used, I used inotifywait during the build to watch for processes opening these .c files. Each file is opened exactly twice - both times during the dh-autoreconf phase, where it collects a checksum before and after using md5sum. Neither file is opened again.

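One way to carry out the build-time check described in the comment above, as an added example that is not part of the bug report or of the util-linux package: log every open() on the chfn/chsh sources with inotifywait while the package builds, then count the events per file. The file paths (login-utils/chfn.c, login-utils/chsh.c), the log location and the build command are assumptions; with the build described above, each file should show exactly two OPEN events, both from dh-autoreconf's md5sum pass, and anything more means something else (for instance the compiler) read the file despite --disable-chfn-chsh.

```shell
#!/bin/sh
# Added example, not from the bug report or the util-linux source tree.
# Log every open() of the source files that --disable-chfn-chsh should keep
# the compiler away from while a Debian package build runs, then count them.
# Assumptions: run from the unpacked util-linux source (login-utils/ layout),
# inotify-tools (inotifywait) installed, build command given on the command line.
set -eu

# Files touched by the upstream CVE-2022-0563 fix (assumed location in the tree).
WATCHED="login-utils/chfn.c login-utils/chsh.c"

# watch_build LOG BUILD-CMD...: run BUILD-CMD while inotifywait records every
# OPEN event on $WATCHED to LOG, one "DATE TIME PATH EVENT" line per event.
watch_build() {
    log=$1; shift
    : > "$log"
    # $WATCHED is deliberately left unquoted so it word-splits into file args.
    inotifywait -m -e open --timefmt '%F %T' --format '%T %w %e' \
        -o "$log" $WATCHED &
    watcher=$!
    sleep 1                         # let inotifywait set up its watches first
    "$@" || echo "build command failed (log kept)" >&2
    kill "$watcher" 2>/dev/null || true
    wait "$watcher" 2>/dev/null || true
}

# summarize_opens LOG: print "COUNT PATH" for each file seen in LOG, sorted.
summarize_opens() {
    awk '$4 == "OPEN" { n[$3]++ } END { for (f in n) print n[f], f }' "$1" | sort
}

# check_opens LOG EXPECTED: print every file opened more than EXPECTED times
# (for dh-autoreconf's before/after checksum that is 2) and return 1 if any.
check_opens() {
    summarize_opens "$1" |
        awk -v max="$2" '$1 > max { print; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Usage: sh watch-build.sh /tmp/chfn-opens.log dpkg-buildpackage -us -uc -b
if [ $# -ge 2 ]; then
    logfile=$1; shift
    watch_build "$logfile" "$@"
    summarize_opens "$logfile"
    check_opens "$logfile" 2
fi
```

inotifywait reports only that a file was opened, not by whom; if a file shows more than the expected two opens, rerun the build under `strace -f -e trace=openat` (or `fatrace`) to see which process touched it.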
Andreas Hasenack (ahasenack) wrote :

I'll also note that the patch actually disables `libreadline` support in chfn/chsh, so whoever was rebuilding these from source will get this change in behavior. But that's how upstream decided to handle this going forward.

Changed in util-linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello dann, or anyone else affected,

Accepted util-linux into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (util-linux/2.37.2-4ubuntu3.2)

All autopkgtests for the newly accepted util-linux (2.37.2-4ubuntu3.2) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

cmake-extras/1.6-1 (armhf)
livecd-rootfs/2.765.34 (amd64)
udisks2/2.9.4-1ubuntu2 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#util-linux

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

dann frazier (dannf) wrote :

The remaining autopkgtest failures are due to the following unrelated bugs:

cmake-extras/armhf: bug 2052360
livecd-rootfs/amd64: bug 2045586
