Braille display inoperable in GUI since polkit-update

Bug #1782320 reported by Frans-Willem Post
This bug affects 1 person
Affects           Status         Importance   Assigned to        Milestone
brltty (Ubuntu)   Fix Released   High         Unassigned
  Bionic          Fix Released   High         Sebastien Bacher

Bug Description

* Impact

Since the fix for CVE-2018-1116 in policykit-1 the braille display doesn't work in graphical UIs

* Test case
Log into an Ubuntu/GNOME session and activate the braille display

* Regression potential
The braille display should keep working on the command line and in graphical sessions

------------------

$ lsb_release -rd
Description: Ubuntu 18.04 LTS
Release: 18.04

$ apt-cache policy brltty
brltty:
  Installed: 5.5-4ubuntu2
  Candidate: 5.5-4ubuntu2
  Version table:
 *** 5.5-4ubuntu2 500
        500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy policykit-1-gnome
policykit-1-gnome:
  Installed: (none)
  Candidate: 0.105-6ubuntu2
  Version table:
     0.105-6ubuntu2 500
        500 http://nl.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Expected behavior:
After a system upgrade, the braille display should function as before the upgrade.

Actual behavior:
Since the upgrade, the braille display only works in console mode (Ctrl+Alt+F3, -F4, etc.)
In GUI mode, the display reads "Screen not in text mode".
Restarting Orca (screenreader) has no effect. Restarting the system has no effect.

This is the upgrade command, taken from /var/log/apt/history.log:
Start-Date: 2018-07-17 07:47:02
Commandline: /usr/bin/unattended-upgrade
Upgrade: libpolkit-gobject-1-0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1), libpolkit-agent-1-0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1), libpolkit-backend-1-0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1), policykit-1:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1), gir1.2-polkit-1.0:amd64 (0.105-20, 0.105-20ubuntu0.18.04.1)
End-Date: 2018-07-17 07:47:04

These are the error messages taken from /var/log/syslog:
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: BrlAPI connection fd=22 accepted: local <unnamed>
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: BrlAPI connection fd=22 accepted: local <unnamed>
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: BrlAPI connection fd=22 accepted: local <unnamed>
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: BrlAPI connection fd=22 accepted: local <unnamed>
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: BrlAPI connection fd=22 accepted: local <unnamed>
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: BrlAPI connection fd=22 accepted: local <unnamed>
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 10:55:34 WaanzinsPC2 brltty[2635]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: brltty 5.5-4ubuntu2
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
Date: Wed Jul 18 11:03:27 2018
ExecutablePath: /bin/brltty
InstallationDate: Installed on 2018-05-15 (63 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
LocalLibraries: /usr/local/lib/libgpg-error.so.0.24.2 /usr/local/lib/libgcrypt.so.20.2.2
SourcePackage: brltty
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.brltty.conf: 2018-05-16T09:36:35.497752

Revision history for this message
Frans-Willem Post (fwiep) wrote :

Have just replayed the upgrade in a VirtualBox VM using a clean install of Ubuntu 18.04.

Before the upgrade (of policy-kit), the braille display works (both output and input).

After the upgrade and reboot, the same errors appear in /var/log/syslog:

Jul 18 11:49:43 test-VirtualBox brltty[409]: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: BrlAPI connection fd=27 accepted: local <unnamed>
Jul 18 11:49:43 test-VirtualBox brltty[409]: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.
Jul 18 11:49:43 test-VirtualBox brltty[409]: brltty: polkit_authority_check_authorization_sync error 11: Resource temporarily unavailable.

Revision history for this message
Frans-Willem Post (fwiep) wrote :

Thanks to a member of the BrlTTY mailing list, my problem is solved. It seems that the default authorization of BrlTTY under Ubuntu was no longer working. Providing it with a dummy key-file was enough to get it back to work - instantly.

The display came back to life immediately after these steps:
- edit /etc/brltty.conf, uncomment the line "api-parameters Auth=keyfile:/etc/brlapi.key"
- sudo touch /etc/brlapi.key
- sudo chmod 0644 /etc/brlapi.key

For me, the issue is solved.

Revision history for this message
Samuel thibault (samuel-thibault) wrote :

Well, this is not a real solution, we need to fix polkit, otherwise all users will have the same issue, and we don't want to make them all revert back to file-based authentication.

Revision history for this message
Samuel thibault (samuel-thibault) wrote :

This seems to be an issue within policykit itself. Printing the actual error shows:

GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: process with PID 12570 has been replaced

From reading the source code, it seems that policykit is checking the start time of the program and finds a mismatch. It happens that orca is run as a Python script, so I thought that might be due to the script startup procedure, but starting a C brlapi client gives the same issue. At any rate, it really looks like this is not an issue in brltty itself.

affects: brltty (Ubuntu) → policykit-1 (Ubuntu)
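
The start-time comparison mentioned in the comment above, as an added example that is not polkit's or brltty's code: it parses the start time from a Linux `/proc/<pid>/stat` line (field 22 per proc(5)) and reports whether a PID now belongs to a different process. All function names and sample lines are assumptions constructed for illustration; only PID 12570 comes from the error message.

```python
# Added illustration only; this is not polkit or brltty source code.
STARTTIME_FIELD = 22  # 1-based position of starttime in /proc/<pid>/stat, per proc(5)


def parse_start_time(stat_line):
    """Start time (clock ticks since boot) from one /proc/<pid>/stat line."""
    # Field 2 (comm) is parenthesised and may contain spaces or ')',
    # so everything is taken relative to the LAST ')' on the line.
    close = stat_line.rfind(")")
    if close == -1:
        raise ValueError("no comm field in stat line")
    rest = stat_line[close + 1:].split()   # rest[0] is field 3 (state)
    idx = STARTTIME_FIELD - 3
    if len(rest) <= idx:
        raise ValueError("stat line has too few fields")
    return int(rest[idx])


def naive_start_time(stat_line):
    """Whitespace split; wrong as soon as comm contains a space."""
    return int(stat_line.split()[STARTTIME_FIELD - 1])


def read_start_time(pid):
    """Live lookup on a Linux host (not exercised by the constructed samples)."""
    with open(f"/proc/{pid}/stat", errors="replace") as fh:
        return parse_start_time(fh.read())


def pid_was_replaced(recorded_start, current_stat_line):
    """True if the PID now belongs to a process with a different start time."""
    return parse_start_time(current_stat_line) != recorded_start


def make_stat(pid, comm, start):
    """Build a constructed stat line: fields 3..21 are filler, 22 is start."""
    filler = ["S", "1", str(pid), str(pid), "0", "-1", "4194304"] + ["0"] * 12
    return " ".join([str(pid), f"({comm})"] + filler + [str(start), "0", "0"])


# Constructed samples: the PID is the one quoted in the comment; the rest is made up.
AT_CONNECT = make_stat(12570, "python3", 884210)
SAME_LATER = make_stat(12570, "python3", 884210)
REUSED_PID = make_stat(12570, "brl client)", 901377)

if __name__ == "__main__":
    recorded = parse_start_time(AT_CONNECT)
    print(pid_was_replaced(recorded, SAME_LATER))
    print(pid_was_replaced(recorded, REUSED_PID))
```

The third sample uses a process name containing a space and a closing parenthesis, which is where a plain whitespace split returns the wrong field.
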
Revision history for this message
Samuel thibault (samuel-thibault) wrote :

Note: to reproduce the issue, one just needs to install an Ubuntu 18.04 system, start brltty by hand as root with:

  sudo brltty -b no

then try to connect to it as normal logged-in user through brlapi:

  python3
  >>> import brlapi
  >>> b = brlapi.Connection()

which shouldn't raise an exception. Logs can be seen in /var/log/syslog (unfortunately the current package source code only prints errno instead of the GError).

Revision history for this message
Samuel thibault (samuel-thibault) wrote :

I can confirm the same issue on Debian: upgrading from version 0.105-20 to version 0.105-21 brings the same issue.

Revision history for this message
Samuel thibault (samuel-thibault) wrote :

This is most probably due to the introduction of Fix-CVE-2018-1116-Trusting-client-supplied-UID.patch

Revision history for this message
Samuel thibault (samuel-thibault) wrote :

Yes, disabling that patch fixes the issue.

Revision history for this message
Samuel thibault (samuel-thibault) wrote :

From the upstream policykit bug entry, it is actually a misuse of the policykit API from brltty. I have uploaded a fix in Debian's brltty 5.6-5.

Ubuntu should definitely include the policykit-fix patch contained in that 5.6-5 version as an update to Ubuntu 18.04, otherwise all blind users will have the issue, thus unable to use the graphical desktop.

affects: policykit-1 (Ubuntu) → brltty (Ubuntu)
Changed in brltty (Ubuntu):
status: New → Confirmed
Changed in brltty (Ubuntu):
status: Confirmed → Fix Committed
importance: Undecided → High
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote :

This is not yet fixed in cosmic as version 5.6-5ubuntu1 is still in -proposed.

Changed in brltty (Ubuntu Bionic):
importance: Undecided → High
assignee: nobody → Sebastien Bacher (seb128)
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Frans-Willem, or anyone else affected,

Accepted brltty into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/brltty/5.5-4ubuntu2.0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in brltty (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package brltty - 5.6-5ubuntu1

---------------
brltty (5.6-5ubuntu1) cosmic; urgency=medium

  * Merged fixes from Debian, including the patch to work with the
    current polkit version (lp: #1782320)

brltty (5.6-5) unstable; urgency=medium

  * patches/atspi2-shutdown: Automatically shut down brltty on session shut
    down.
  * control: Bump Standards-Version to 4.1.5 (no changes).
  * control: Mark python-brlapi and python3-brlapi Multi-Arch: same.
  * patches/policykit-fix: Fix polkit authentication (Closes: #905058).

 -- Sebastien Bacher <email address hidden> Wed, 29 Aug 2018 09:46:17 +0200

Changed in brltty (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Frans-Willem Post (fwiep) wrote :

Have tested the brltty package in bionic-proposed as instructed in comment #12: v5.5-4ubuntu2.0.1

It works as expected.

After commenting out the "api-parameters Auth=keyfile" line in brltty.conf and restarting the machine (just to be sure), my braille display works completely in both the text console and my GUI desktop.

Thanks for fixing this!

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks for testing!

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package brltty - 5.5-4ubuntu2.0.1

---------------
brltty (5.5-4ubuntu2.0.1) bionic; urgency=medium

  * debian/patches/policykit-fix:
    - backport fix for polkit authentication following CVE-2018-1116
      (lp: #1782320)

 -- Sebastien Bacher <email address hidden> Wed, 29 Aug 2018 09:57:52 +0200

Changed in brltty (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for brltty has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
