| 2017-05-15 20:17:18 |
Seth Forshee |
bug |
|
|
added bug |
| 2017-05-15 20:17:30 |
Seth Forshee |
nominated for series |
|
Ubuntu Zesty |
|
| 2017-05-15 20:17:30 |
Seth Forshee |
bug task added |
|
linux (Ubuntu Zesty) |
|
| 2017-05-15 20:17:30 |
Seth Forshee |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-05-15 20:17:30 |
Seth Forshee |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2017-05-15 20:17:37 |
Seth Forshee |
linux (Ubuntu): status |
In Progress |
Fix Committed |
|
| 2017-05-15 20:17:47 |
Seth Forshee |
linux (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2017-05-15 20:17:47 |
Seth Forshee |
linux (Ubuntu Xenial): status |
New |
In Progress |
|
| 2017-05-15 20:17:47 |
Seth Forshee |
linux (Ubuntu Xenial): assignee |
|
Seth Forshee (sforshee) |
|
| 2017-05-15 20:18:02 |
Seth Forshee |
linux (Ubuntu Zesty): importance |
Undecided |
High |
|
| 2017-05-15 20:18:02 |
Seth Forshee |
linux (Ubuntu Zesty): status |
New |
In Progress |
|
| 2017-05-15 20:18:02 |
Seth Forshee |
linux (Ubuntu Zesty): assignee |
|
Seth Forshee (sforshee) |
|
| 2017-05-15 20:32:49 |
Seth Forshee |
description |
The exclusion to module signing is broken in xenial, zesty, and artful. In xenial the mechanism will never sign any staging modules, not even those in the signature-inclusion whitelist. In zesty and artful all staging drivers are signed.
There are two problems, both related to the signature-inclusion whitelist handling. First, the path to the file is relative to where make was invoked, which only works when the source and build directories are the same (which is not the case for package builds). In xenial this means that the condition to signing always evaluates such that staging modules are not signed. However zesty and artful contain an additional check for the existence of that file which results in signing staging modules when it is not found.
The second problem is that signature-inclusion contains only the module name for staging drivers which should be signed. However the grep statement which matches against that file uses the full path to the install location of the module, which will never match. |
SRU Justification
Impact: The exclusion of staging drivers from module signing and associated whitelisting are broken in xenial and zesty. In xenial even whitelisted modules aren't signed; in zesty all staging modules are signed.
Fix: Fix two implementation bugs, the first of which looks for the signature-inclusion file in the wrong location, and the second of which uses the full path to match against modules in signature-inclusion rather than just the module name.
Regression Potential: The fix is simple and trivially tested, so no regressions are expected.
---
The exclusion to module signing is broken in xenial, zesty, and artful. In xenial the mechanism will never sign any staging modules, not even those in the signature-inclusion whitelist. In zesty and artful all staging drivers are signed.
There are two problems, both related to the signature-inclusion whitelist handling. First, the path to the file is relative to where make was invoked, which only works when the source and build directories are the same (which is not the case for package builds). In xenial this means that the condition to signing always evaluates such that staging modules are not signed. However zesty and artful contain an additional check for the existence of that file which results in signing staging modules when it is not found.
The second problem is that signature-inclusion contains only the module name for staging drivers which should be signed. However the grep statement which matches against that file uses the full path to the install location of the module, which will never match. |
|
| 2017-05-15 20:33:07 |
Seth Forshee |
description |
SRU Justification
Impact: The exclusion of staging drivers from module signing and associated whitelisting are broken in xenial and zesty. In xenial even whitelisted modules aren't signed; in zesty all staging modules are signed.
Fix: Fix two implementation bugs, the first of which looks for the signature-inclusion file in the wrong location, and the second of which uses the full path to match against modules in signature-inclusion rather than just the module name.
Regression Potential: The fix is simple and trivially tested, so no regressions are expected.
---
The exclusion to module signing is broken in xenial, zesty, and artful. In xenial the mechanism will never sign any staging modules, not even those in the signature-inclusion whitelist. In zesty and artful all staging drivers are signed.
There are two problems, both related to the signature-inclusion whitelist handling. First, the path to the file is relative to where make was invoked, which only works when the source and build directories are the same (which is not the case for package builds). In xenial this means that the condition to signing always evaluates such that staging modules are not signed. However zesty and artful contain an additional check for the existence of that file which results in signing staging modules when it is not found.
The second problem is that signature-inclusion contains only the module name for staging drivers which should be signed. However the grep statement which matches against that file uses the full path to the install location of the module, which will never match. |
SRU Justification
Impact: The exclusion of staging drivers from module signing and associated whitelisting are broken in xenial and zesty. In xenial even whitelisted modules aren't signed; in zesty all staging modules are signed.
Fix: Fix two implementation bugs, the first of which looks for the signature-inclusion file in the wrong location, and the second of which uses the full path to match against modules in signature-inclusion rather than just the module name.
Regression Potential: The fix is simple and trivial to test, so no regressions are expected.
---
The exclusion to module signing is broken in xenial, zesty, and artful. In xenial the mechanism will never sign any staging modules, not even those in the signature-inclusion whitelist. In zesty and artful all staging drivers are signed.
There are two problems, both related to the signature-inclusion whitelist handling. First, the path to the file is relative to where make was invoked, which only works when the source and build directories are the same (which is not the case for package builds). In xenial this means that the condition to signing always evaluates such that staging modules are not signed. However zesty and artful contain an additional check for the existence of that file which results in signing staging modules when it is not found.
The second problem is that signature-inclusion contains only the module name for staging drivers which should be signed. However the grep statement which matches against that file uses the full path to the install location of the module, which will never match. |
|
| 2017-06-08 13:21:49 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2017-06-09 09:10:42 |
Stefan Bader |
linux (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
| 2017-06-14 09:09:42 |
Kleber Sacilotto de Souza |
tags |
|
verification-needed-xenial |
|
| 2017-06-14 09:15:46 |
Kleber Sacilotto de Souza |
tags |
verification-needed-xenial |
verification-needed-xenial verification-needed-zesty |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-1000364 |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-8890 |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-9074 |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-9075 |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-9076 |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-9077 |
|
| 2017-06-28 16:35:34 |
Launchpad Janitor |
cve linked |
|
2017-9242 |
|
| 2017-06-29 07:17:58 |
Launchpad Janitor |
linux (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
| 2017-06-29 07:17:58 |
Launchpad Janitor |
cve linked |
|
2017-100363 |
|
| 2017-06-30 17:19:06 |
Launchpad Janitor |
linux (Ubuntu): status |
Fix Committed |
Fix Released |
|
