Ubuntu
dotnet7 package

DOTNET_ROOT is unnecessarily set

Bug #2027620 reported by Richard Lander
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dotnet6 (Ubuntu)
Fix Released
Undecided
Dominik Viererbe
Jammy
Fix Released
Undecided
Dominik Viererbe
Kinetic
Won't Fix
Undecided
Dominik Viererbe
Lunar
Fix Released
Undecided
Dominik Viererbe
Mantic
Fix Released
Undecided
Dominik Viererbe
dotnet7 (Ubuntu)
Fix Released
Undecided
Dominik Viererbe
Jammy
Fix Released
Undecided
Dominik Viererbe
Kinetic
Won't Fix
Undecided
Dominik Viererbe
Lunar
Fix Released
Undecided
Dominik Viererbe
Mantic
Fix Released
Undecided
Dominik Viererbe

Bug Description

This is what I see on my machine.

```
rich@vancouver:~$ dotnet --version
7.0.109
rich@vancouver:~$ cat /etc/os-release | head -n 1
PRETTY_NAME="Ubuntu 22.04.2 LTS"
rich@vancouver:~$ export | grep DOTNET
declare -x DOTNET_BUNDLE_EXTRACT_BASE_DIR="/home/rich/.cache/dotnet_bundle_extract"
declare -x DOTNET_ROOT="/usr/lib/dotnet"
rich@vancouver:~$ dotnet --info | grep ROOT
  DOTNET_ROOT [/usr/lib/dotnet]
rich@vancouver:~$ cat /etc/dotnet/install_location
/usr/lib/dotnet
```

I am surprised to see `DOTNET_ROOT` set. The value in `/etc/dotnet/install_location` is set to the same value and should be doing the same job. The `/etc/dotnet` configuration is intended for the global install and `DOTNET_ROOT` is intended for developers.

Please re-consider (not) setting `DOTNET_ROOT`.

Separately, is there a reason why `DOTNET_BUNDLE_EXTRACT_BASE_DIR` is set?

Revision history for this message
C de-Avillez (hggdh2) wrote :

corrected package from dotnet6 to dotnet7.

affects: dotnet6 (Ubuntu) → dotnet7 (Ubuntu)
Revision history for this message
Dominik Viererbe (dviererbe) wrote :

Hello Richard, thanks for reporting this!

I will investigate if we need this, but to me it looks like an remnant we no longer need.

This also affects dotnet6.

Changed in dotnet7 (Ubuntu):
status: New → Confirmed
Changed in dotnet6 (Ubuntu):
status: New → Confirmed
Changed in dotnet7 (Ubuntu Lunar):
status: New → Confirmed
Changed in dotnet7 (Ubuntu Kinetic):
status: New → Confirmed
Changed in dotnet7 (Ubuntu Jammy):
status: New → Confirmed
Changed in dotnet6 (Ubuntu Lunar):
status: New → Confirmed
Changed in dotnet6 (Ubuntu Kinetic):
status: New → Confirmed
Changed in dotnet6 (Ubuntu Jammy):
status: New → Confirmed
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu Kinetic):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu Lunar):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu Mantic):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet7 (Ubuntu Mantic):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet7 (Ubuntu Lunar):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet7 (Ubuntu Kinetic):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet7 (Ubuntu Jammy):
assignee: nobody → Dominik Viererbe (dviererbe)
Dominik Viererbe (dviererbe)
tags: added: foundations-todo
Dominik Viererbe (dviererbe)
tags: removed: foundations-todo
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet6 - 6.0.120-0ubuntu2

---------------
dotnet6 (6.0.120-0ubuntu2) mantic; urgency=medium

  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Dominik Viererbe <email address hidden> Thu, 27 Jul 2023 14:19:58 +0300

Changed in dotnet6 (Ubuntu Mantic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet7 - 7.0.109-0ubuntu2

---------------
dotnet7 (7.0.109-0ubuntu2) mantic; urgency=medium

  * d/README.source: updated content
    * replaced .NET 6 references (LP: #2009864)
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 7.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Dominik Viererbe <email address hidden> Wed, 26 Jul 2023 23:11:29 +0300

Changed in dotnet7 (Ubuntu Mantic):
status: Confirmed → Fix Released
Revision history for this message
Dominik Viererbe (dviererbe) wrote :

Kinetic is End of Life. I actually don't know why I added a kinetic tracker in the first place.

Changed in dotnet7 (Ubuntu Kinetic):
status: Confirmed → Won't Fix
Changed in dotnet6 (Ubuntu Kinetic):
status: Confirmed → Won't Fix
Revision history for this message
Dominik Viererbe (dviererbe) wrote :

The fix will be released for lunar and jammy with the next micro release.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet6 - 6.0.121-0ubuntu1~23.04.1

---------------
dotnet6 (6.0.121-0ubuntu1~23.04.1) lunar-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: remote code exection
    - CVE-2023-35390: When running some dotnet commands(e.g. dotnet help
      add), dotnet attempts to locate and initiate a new process using
      cmd.exe. However, it prioritizes searching for cmd.exe in the current
      working directory (CWD) before checking other locations. This can
      potentially lead to the execution of malicious code.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
      leak. A malicious QUIC client, that fires off many unidirectional
      streams with closed writing sides. This will bypass the HTTP/3 stream
      limit and Kestrel cannot keep up with stream processing.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38180: Kestrel vulnerability to slow read attacks

  [ Dominik Viererbe ]
  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Nishit Majithia <email address hidden> Wed, 02 Aug 2023 13:15:33 +0530

Changed in dotnet6 (Ubuntu Lunar):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet7 - 7.0.110-0ubuntu1~23.04.1

---------------
dotnet7 (7.0.110-0ubuntu1~23.04.1) lunar-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: remote code exection
    - CVE-2023-35390: When running certain dotnet commands(e.g. dotnet help
      add), dotnet attempts to locate and initiate a new process using
      cmd.exe. However, it prioritizes searching for cmd.exe in the current
      working directory (CWD) before checking other locations. This can
      potentially lead to the execution of malicious code.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
      leak. A malicious QUIC client, that fires off many unidirectional
      streams with closed writing sides. This will bypass the HTTP/3 stream
      limit and Kestrel cannot keep up with stream processing.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38180: Kestrel vulnerability to slow read attacks.

  [ Dominik Viererbe ]
  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Ian Constantin <email address hidden> Wed, 02 Aug 2023 21:08:44 +0300

Changed in dotnet7 (Ubuntu Lunar):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet6 - 6.0.121-0ubuntu1~22.04.1

---------------
dotnet6 (6.0.121-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: remote code exection
    - CVE-2023-35390: When running some dotnet commands(e.g. dotnet help
      add), dotnet attempts to locate and initiate a new process using
      cmd.exe. However, it prioritizes searching for cmd.exe in the current
      working directory (CWD) before checking other locations. This can
      potentially lead to the execution of malicious code.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
      leak. A malicious QUIC client, that fires off many unidirectional
      streams with closed writing sides. This will bypass the HTTP/3 stream
      limit and Kestrel cannot keep up with stream processing.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38180: Kestrel vulnerability to slow read attacks

  [ Dominik Viererbe ]
  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Nishit Majithia <email address hidden> Wed, 02 Aug 2023 10:42:58 +0530

Changed in dotnet6 (Ubuntu Jammy):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet7 - 7.0.110-0ubuntu1~22.04.1

---------------
dotnet7 (7.0.110-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: remote code exection
    - CVE-2023-35390: When running certain dotnet commands(e.g. dotnet help
      add), dotnet attempts to locate and initiate a new process using
      cmd.exe. However, it prioritizes searching for cmd.exe in the current
      working directory (CWD) before checking other locations. This can
      potentially lead to the execution of malicious code.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
      leak. A malicious QUIC client, that fires off many unidirectional
      streams with closed writing sides. This will bypass the HTTP/3 stream
      limit and Kestrel cannot keep up with stream processing.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38180: Kestrel vulnerability to slow read attacks.

  [ Dominik Viererbe ]
  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Ian Constantin <email address hidden> Wed, 02 Aug 2023 21:51:14 +0300

Changed in dotnet7 (Ubuntu Jammy):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.