[SRU] Fix segfault in systemdunitdependency probe
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openscap (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Focal |
In Progress
|
Undecided
|
Unassigned | ||
| Jammy |
In Progress
|
Undecided
|
Unassigned | ||
| Mantic |
Fix Released
|
Undecided
|
Unassigned | ||
| Noble |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
[ Impact ]
* This issue causes a crash in openscap when there's a circular dependency in systemd services, and currently affects both Ubuntu 20.04 and 22.04. openscap on Ubuntu 23.10 and 24.04 already contain this fix.
* This indirectly is affecting the usage of USG (Ubuntu Security Guide) for CIS auditing in systems with ceph-mds. See LP: #2060345.
* This issue was reported to upstream here: https:/
[ Test Plan ]
* There are a few ways to reproduce this issue, as you can see some notes on LP: #2060345.
But for simplicity, the easiest way to reproduce this issue is to run the following commands.
On Ubuntu 20.04:
```
$ oscap oval eval --id "oval:ssg-
Definition oval:ssg-
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1522 has been killed with signal 11 [../../
Probe with PID=1522 has core dumped. [../../
Item corresponding to object 'oval:ssg-
Probe with PID=1531 has been killed with signal 11 [../../
Probe with PID=1531 has core dumped. [../../
Item corresponding to object 'oval:ssg-
$ sudo apt install libopenscap8=
$ oscap oval eval --id "oval:ssg-
Definition oval:ssg-
Evaluation done.
```
On Ubuntu 22.04:
```
$ oscap oval eval --id "oval:ssg-
Definition oval:ssg-
Evaluation done.
$ sudo apt install ceph-mds
$ oscap oval eval --id "oval:ssg-
W: oscap: Can't receive message: 103, Software caused connection abort.
W: oscap: Can't receive message: 103, Software caused connection abort.
OpenSCAP Error: Probe with PID=1421 has been killed with signal 11 [../../
Probe with PID=1421 has core dumped. [../../
Item corresponding to object 'oval:ssg-
Probe with PID=1431 has been killed with signal 11 [../../
Probe with PID=1431 has core dumped. [../../
Item corresponding to object 'oval:ssg-
$ sudo apt install libopenscap8=
$ oscap oval eval --id "oval:ssg-
Definition oval:ssg-
Evaluation done.
```
* The other tests we will do is to run full usg fix and audit and report if the output is as expected.
[ Where problems could occur ]
* This fix was never backported to version 1.2 in upstream git repo, but was applied to openscap 1.2 in
RHEL-based distros, it is unclear if the backport ever created another issue with the
systemdunitd
for example.
[ Other Info ]
* This issue affects both Ubuntu 20.04 and 22.04.
* Another way to mitigate this issue would be altering systemd services to not have a circular dependency. This can get tricky and might require a lot of change.
| Eduardo Barretto (ebarretto) wrote | #1 |
| Eduardo Barretto (ebarretto) wrote | #2 |
| description: | updated |
| description: | updated |
| Eduardo Barretto (ebarretto) wrote | #6 |
| Eduardo Barretto (ebarretto) wrote | #7 |
| Changed in openscap (Ubuntu Mantic): | |
| status: | New → Fix Released |
| Changed in openscap (Ubuntu Noble): | |
| status: | New → Fix Released |
| description: | updated |
| Marc Deslauriers (mdeslaur) wrote | #8 |
| Changed in openscap (Ubuntu Focal): | |
| status: | New → In Progress |
| Changed in openscap (Ubuntu Jammy): | |
| status: | New → In Progress |
ACK on the debdiffs. Uploaded for processing by the SRU team. Thanks!