ship enforcing apparmor profile for evince

Bug #382913 reported by Jamie Strandboge on 2009-06-02
This bug affects 1 person
Affects: evince (Ubuntu)
Importance: Wishlist
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: evince

evince should be protected with an enforcing apparmor profile.

Changed in evince (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Wishlist
milestone: none → karmic-alpha-6
status: New → Triaged
Sebastien Bacher (seb128) wrote :

Could you describe what the issue is exactly and what you want to change?

Jamie Strandboge (jdstrand) wrote :

Well, this was more of a placeholder bug for me, which is why I assigned it to myself, but the basic idea is that evince uses poppler and various image libraries to process potentially untrusted input. There have been a lot of security vulnerabilities in these libraries (especially poppler), so providing an apparmor profile to confine evince (like we do with CUPS, dhclient3 and others) is highly desirable. This was identified as an important application to confine at UDS Karmic and a profile has been in development for a while (http://bazaar.launchpad.net/~ubuntu-core-dev/apparmor/profiles-devel/annotate/head%3A/usr.bin.evince).

Sebastien: I will of course work with you in terms of deployment and it is possible that the profile will be opt-in only, just as we plan to do with firefox-3.5. I'll be sure to talk to you more when I am ready to start packaging the profile.

Changed in evince (Ubuntu):
status: Triaged → In Progress
Changed in evince (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.27.90-0ubuntu2

---------------
evince (2.27.90-0ubuntu2) karmic; urgency=low

  * add enforcing AppArmor profile (LP: #382913)
    - add debian/evince.dirs: create etc/apparmor.d/abstractions directory
    - add debian/evince.postinst: reload AppArmor profile
    - add debian/evince.postrm: cleanup apparmor force-complain and disable
      directories
    - add debian/apparmor-profile
    - debian/rules: install apparmor-profile and abstraction
    - add debian/README.Debian
    - debian/control: Suggests apparmor

 -- Jamie Strandboge <email address hidden> Wed, 12 Aug 2009 11:44:58 -0500

Changed in evince (Ubuntu):
status: Fix Committed → Fix Released
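
The changelog above mentions the force-complain and disable directories that the postrm cleans up. The following is an added example, not code from the evince package, showing how those directories decide whether a profile is configured as enforcing; the function names and the stub profile are constructed for illustration, and it assumes the standard AppArmor layout in which disable/ takes precedence over force-complain/.

```shell
#!/bin/sh
# Added example, not from the evince package. Reports the mode a profile is
# configured for on disk, using the standard AppArmor directory layout.

# profile_mode APPARMOR_DIR PROFILE_FILE -> missing|disabled|complain|enforce
profile_mode() {
    dir=$1
    name=$2
    if [ ! -f "$dir/$name" ]; then
        echo missing
        return 1
    fi
    # A link in disable/ means the profile is not loaded at all.
    if [ -e "$dir/disable/$name" ] || [ -L "$dir/disable/$name" ]; then
        echo disabled
        return 0
    fi
    # A link in force-complain/ loads the profile in complain mode.
    if [ -e "$dir/force-complain/$name" ] || [ -L "$dir/force-complain/$name" ]; then
        echo complain
        return 0
    fi
    # flags=(complain) on an uncommented profile header also means complain.
    if grep -Eq '^[^#]*flags=\([^)]*complain' "$dir/$name"; then
        echo complain
        return 0
    fi
    echo enforce
}

# make_sample_tree: constructed sample input (a temp apparmor.d with a stub profile).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/disable" "$t/force-complain"
    printf '%s\n' '#include <tunables/global>' '/usr/bin/evince {' \
        '  #include <abstractions/base>' '}' > "$t/usr.bin.evince"
    echo "$t"
}

tree=$(make_sample_tree)
echo "fresh install:  $(profile_mode "$tree" usr.bin.evince)"
ln -s "$tree/usr.bin.evince" "$tree/force-complain/usr.bin.evince"
echo "force-complain: $(profile_mode "$tree" usr.bin.evince)"
ln -s "$tree/usr.bin.evince" "$tree/disable/usr.bin.evince"
echo "disabled:       $(profile_mode "$tree" usr.bin.evince)"
rm -rf "$tree"
```

This reads configuration only; `aa-status` reports what the kernel has actually loaded.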