group.of.nepali.translators team mailing list archive
Message #28597
[Bug 1816756] Re: squashfs hardening
Bionic: https://lists.ubuntu.com/archives/kernel-team/2019-February/098532.html
Xenial: https://lists.ubuntu.com/archives/kernel-team/2019-February/098538.html
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => Paolo Pisati (p-pisati)
** Changed in: linux (Ubuntu Bionic)
Assignee: (unassigned) => Paolo Pisati (p-pisati)
** Changed in: linux (Ubuntu Xenial)
Status: New => In Progress
** Changed in: linux (Ubuntu Bionic)
Status: New => In Progress
** Changed in: linux (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1816756
Title:
squashfs hardening
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
In Progress
Status in linux source package in Bionic:
In Progress
Bug description:
[Impact]
There are a number of recent squashfs hardening fixes in the upstream
kernel. They don't have CVE numbers assigned, but it would be good to
backport the fixes to harden our kernel against malicious squashfs
images. They would harden Ubuntu kernels against potentially malicious
snaps.
The changes are:
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01cfb7937a9af2abb1136c7e89fbf3fd92952956
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d512584780d3e6a7cacb2f482834849453d444a1
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cdbb65c4c7ead680ebe54f4f0d486e2847a500ea
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=71755ee5350b63fb1f283de8561cdb61b47f4d1d
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a3f94cb99a854fa381fe7fadd97c4f61633717a5
[Test Case]
Unfortunately, we don't have access to the reproducers and I'm unaware
of any regression tests for the squashfs kernel driver. It is very
important that we don't regress snap usage in Ubuntu. In previous
squashfs/snap testing, we've noticed that large snaps, such as
chromium and libreoffice, do a good job of exercising the squashfs
code. It should be sufficient if we make sure those snaps continue to
install and work correctly.
    $ sudo snap install chromium
    $ sudo snap install libreoffice
    $ chromium
    < ensure you can browse to various websites >
    $ libreoffice
    < ensure you can create, save, open documents >
[Regression Potential]
Fairly low. The patches are intended to catch corrupted and/or
malicious squashfs images. They should not affect well-formed squashfs
images. These patches are already present in the Cosmic (and Disco)
kernel with no known bug reports despite a considerable number of
Cosmic users exercising these changes via snaps.