[SRU] Unescaped left brace in regex is deprecated

Bug #1538284 reported by Laurent Declercq on 2016-01-26
This bug affects 29 people
Affects | Status | Importance | Assigned to | Milestone
pam (Debian) | Fix Released | Unknown | |
pam (Ubuntu) | | Medium | Unassigned |
Trusty | | Undecided | Unassigned |
Xenial | | Medium | Seyeong Kim |
Artful | | Medium | Seyeong Kim |

Bug Description

[Impact]

When installing postgresql, many warning messages are raised.
Please refer to Original Description

## Corrections
In Trusty, the escaping is missing but the symptom is not the same. TRUSTY IS NOT AFFECTED.

[Test Case]

1. create ubuntu instance
2. apt install postgresql

[Regression Potentials]
This change is quite small (just escaping), and it is not a code change but a change to the getenv script, which is made by Debian, so the risk is minimal in my opinion.

[Other info]

Debian Bugs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810873
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815595

[Original Description]

When installing postgresql on Ubuntu 16.04 (xenial), the following warnings are raised:

Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/(?<!\\)\${ <-- HERE ([^}]+)}/ at /usr/sbin/pam_getenv line 78.

This is due to the fact that unescaped braces are deprecated in Perl 5.22.

# rmadison perl
 perl | 5.18.2-2ubuntu1.3 | trusty-updates # NOT AFFECTED
 perl | 5.22.1-9ubuntu0.2 | xenial-updates
 perl | 5.26.0-8ubuntu1 | artful
 perl | 5.26.1-5 | bionic

Info:

root@xenial:/var/log/imscp# lsb_release
No LSB modules are available.
root@xenial:/var/log/imscp# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
Codename: xenial

How to reproduce:

aptitude install postgresql
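
Added example (not part of the bug report or of the pam package): this Perl script compiles the pattern quoted in the warning and an escaped form, and checks that both find the same ${NAME} references. The escaped pattern is an assumption about the shape of the fix, and the sample lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern text as quoted in the warning (pam_getenv line 78).
my $before = '(?<!\\\\)\${([^}]+)}';
# Assumed fix: the same pattern with the literal left brace escaped.
my $after  = '(?<!\\\\)\$\{([^}]+)}';

# Constructed sample lines; the last one has a backslash-protected reference.
my @lines = (
    'PATH DEFAULT=${HOME}/bin:/usr/bin',
    'XAUTHORITY DEFAULT=${HOME}/.Xauthority-${USER}',
    'LITERAL DEFAULT=\${NOT_A_REFERENCE}',
);

# Compile at run time so that warnings and fatal errors are both captured,
# whichever the running Perl version produces for this construct.
sub compile_pattern {
    my ($text) = @_;
    my @warnings;
    local $SIG{__WARN__} = sub { push @warnings, @_ };
    my $re = eval { qr/$text/ };
    return ($re, $@, @warnings);
}

# Names referenced as ${NAME} on each line, skipping \${NAME}.
sub references {
    my ($re, @input) = @_;
    return join ' | ', map { join(',', $_ =~ /$re/g) } @input;
}

my %found;
for my $case ([before => $before], [after => $after]) {
    my ($label, $text) = @$case;
    my ($re, $error, @warnings) = compile_pattern($text);
    my $status = $error ? 'rejected' : @warnings ? 'warns' : 'clean';
    print "$label: $text => $status\n";
    print "  $_" for grep { length } $error, @warnings;
    next unless $re;
    $found{$label} = references($re, @lines);
    print "  references: $found{$label}\n";
}

# When both forms compile, the escape must not change what is matched.
if (defined $found{before} && defined $found{after}) {
    my $msg = $found{before} eq $found{after}
        ? "Both forms find the same references on this input.\n"
        : "The two forms disagree on this input.\n";
    print $msg;
}
```

The "before" line reports "warns" or "rejected" depending on the Perl version that runs it; the escaped form should report "clean".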

Laurent Declercq (l-declercq) wrote :

Wrong package reported. The right package is libpam-runtime

root@xenial:/usr/local/src/imscp# LANG=C aptitude show libpam-runtime
Package: libpam-runtime
State: installed
Automatically installed: no
Multi-Arch: foreign
Version: 1.1.8-3.1ubuntu3
Priority: required
Section: admin
Maintainer: Ubuntu Developers <email address hidden>
Architecture: all
Uncompressed Size: 307 k
Depends: debconf (>= 0.5) | debconf-2.0, debconf (>= 1.5.19) | cdebconf, libpam-modules (>= 1.0.1-6)
Conflicts: libpam0g-util
Replaces: libpam0g-dev, libpam0g-util, libpam0g-dev:i386
Provides: libpam-runtime:i386 (= 1.1.8-3.1ubuntu3)
Description: Runtime support for the PAM library
 Contains configuration files and directories required for authentication to work on Debian systems. This package is required on almost all installations.
Homepage: http://pam.sourceforge.net/

tags: added: libpam-runtime
no longer affects: postgresql-9.5 (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam (Ubuntu):
status: New → Confirmed
tags: added: xenial
Changed in pam (Ubuntu):
importance: Undecided → Medium
tags: added: rls-x-incoming
Chris Sharp (chrissharp123) wrote :
Uqbar (uqbar) wrote :

1. The bug is still here as of today, triggered by a fresh new install of postgresql-9.6
2. The site packages.ubuntu.org says that there is no package in Ubuntu (Xenial) containing such a file!

Yurx Cherio (cherio-e) wrote :

I confirm that installing postgresql-9.6 still produces multiple messages on a freshly updated 16.04 server instance.

This is also happening with postgresql-9.5 on 16.10 (9.5.5-0ubuntu0.16.10).

Changed in pam (Debian):
status: Unknown → Fix Released
Uqbar (uqbar) wrote :

... and it's also happening with postgresql-10.0!

Uqbar (uqbar) wrote :

I have fixed the problem with an editor and have manually added the escape where required.
There seems to be a fix on Debian since January 2017.
This is 16.04 that'd be an LTS.
What's the reason for holding this change (someone else did) back?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.8-3.6ubuntu1

---------------
pam (1.1.8-3.6ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable.
    - Fixes unescaped brace in pam_getenv regex. LP: #1538284.
    - Fixes pam_namespace defaults for compatibility with dash. LP: #1081323.
  * Remaining changes:
    - debian/control: have libpam-modules recommend update-motd package
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix's explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
      that is basically just a copy of pam_unix but looks at
      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
    - debian/libpam-modules-bin.install: install the helper binaries for
      pam_extrausers to /sbin
    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
    - pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
      by default.
    - don't notify about xdm restarts during a release-upgrade
    - debian/patches-applied/cve-2015-3238.patch: removed manpage changes
      so they don't get regenerated during build and cause a multiarch
      installation issue.
  * Dropped changes, included in Debian:
    - Build-depend on libfl-dev.
    - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
      soft nofile limit read from pid 1 to FD_SETSIZE.
  * Fix references to /var/run in update-motd.5. LP: #1571864
  * Fix service restart handling to integrate with systemd instead of
    upstart.

pam (1.1.8-3.6) unstable; urgency=medium

  * Non-maintainer upload.
  * cve-2015-3238.patch: Add the changes in the generated pam_exec.8
    and pam_unix.8 in addi...


Changed in pam (Ubuntu):
status: Confirmed → Fix Released
Seyeong Kim (xtrusia) on 2018-04-06
description: updated
tags: added: sts sts-sru-needed
summary: - Unescaped left brace in regex is deprecated
+ [SRU] Unescaped left brace in regex is deprecated
description: updated
Seyeong Kim (xtrusia) wrote :
Seyeong Kim (xtrusia) wrote :
Seyeong Kim (xtrusia) on 2018-04-06
Changed in pam (Ubuntu Trusty):
status: New → Won't Fix
Changed in pam (Ubuntu Xenial):
status: New → In Progress
Changed in pam (Ubuntu Artful):
status: New → In Progress
Changed in pam (Ubuntu Xenial):
assignee: nobody → Seyeong Kim (xtrusia)
Changed in pam (Ubuntu Artful):
assignee: nobody → Seyeong Kim (xtrusia)
Eric Desrochers (slashd) on 2018-04-06
description: updated
Eric Desrochers (slashd) on 2018-04-06
description: updated
Changed in pam (Ubuntu Xenial):
importance: Undecided → Medium
Changed in pam (Ubuntu Artful):
importance: Undecided → Medium
description: updated
Eric Desrochers (slashd) wrote :

Sponsored for Xenial, it is now waiting for approval by SRU team.

Eric Desrochers (slashd) wrote :

Sponsored for Artful, it is now waiting for approval by SRU team.

Note:
I had to modify the version[1] for Xenial & Artful found in both original .debdiff in favour of the .1 annotation, since both versions were already existing in the Primary Archive for Ubuntu[2]

[1] Modified version:
From "1.1.8-3.2ubuntu3" to "1.1.8-3.2ubuntu2.1"
From "1.1.8-3.2ubuntu4" to "1.1.8-3.2ubuntu3.1"

[2] Already existing version:
https://launchpad.net/ubuntu/+source/pam/1.1.8-3.2ubuntu3
https://launchpad.net/ubuntu/+source/pam/1.1.8-3.2ubuntu4

I also modified d/changelog in favour of the debian changelog entry which I think is more explanatory.

- Eric

Łukasz Zemczak (sil2100) wrote :

Normally I would be wary about accepting such an SRU, as the user impact of this bug - at least per the provided description - seems to be purely cosmetic? Does this have any actual side effects? Every SRU introduces some regression risk, even if the change itself is small. Normally we'd want to wait for some more fixes to be batched together.

But seeing the number of affected people and various comments from reporters + the fact that we did not have a pam SRU so far for both xenial and artful, I will accept it as is.

Changed in pam (Ubuntu Artful):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-artful

Hello Laurent, or anyone else affected,

Accepted pam into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.1.8-3.2ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in pam (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Laurent, or anyone else affected,

Accepted pam into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.1.8-3.2ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Seyeong Kim (xtrusia) wrote :

Hello, Thanks for your cooperation.

Tested on Xenial

1. create xenial instance
2. add proposed repository
3. apt install libpam-runtime
4. apt install postgresql

warnings are gone.

Thanks!

dpkg -l | grep pam
ii libpam-modules:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.2ubuntu2.1 all Runtime support for the PAM library
ii libpam-systemd:amd64 229-4ubuntu21.1 amd64 system and service manager - PAM module
ii libpam0g:amd64 1.1.8-3.2ubuntu2 amd64 Pluggable Authentication Modules library

tags: added: verification-done-xenial
removed: verification-needed-xenial
Seyeong Kim (xtrusia) wrote :

Hello,

Tested on artful

1. create artful instance
2. add proposed repository
3. apt install libpam-runtime
4. apt install postgresql

warnings are gone

Thanks!

dpkg -l | grep pam
ii libpam-cap:amd64 1:2.25-1.1 amd64 POSIX 1003.1e capabilities (PAM module)
ii libpam-modules:amd64 1.1.8-3.2ubuntu3 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.2ubuntu3 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.2ubuntu3.1 all Runtime support for the PAM library
ii libpam-systemd:amd64 234-2ubuntu12.1 amd64 system and service manager - PAM module
ii libpam0g:amd64 1.1.8-3.2ubuntu3 amd64 Pluggable Authentication Modules library

tags: added: verification-done-artful
removed: verification-needed-artful
Eric Desrochers (slashd) wrote :

@Seyeong Kim (xtrusia)

I just noticed a few DEP-8 failures.
Please look here: https://people.canonical.com/~ubuntu-archive/pending-sru.html
and try to identify what's going on and take appropriate actions/justifications/... for each.

- Eric

Eric Desrochers (slashd) wrote :

# Autopkgtest failure for Xenial

Most of the failures are gone now just by restarting the test once again.

Only one left[1] but as you can notice, the failure seems to be there for quite some time.
Last "pass" autopkgtest was in 2016-09-29 19:51:37 UTC.

I quickly looked and haven't seen any bug about it. Ideally this should be fixed, but considering it has been like this for quite some time, for now, I think it is safe to say this failure can be ignored.

Note: This only clears the way for Xenial ... Artful still needs investigation.

[1] - http://autopkgtest.ubuntu.com/packages/p/postgresql-9.5/xenial/armhf

Eric Desrochers (slashd) wrote :

# Autopkgtest failure for Xenial (Part 2)

There is no "not ok" tests. The failure seems to be the result of netstat command output:

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

run-testsuite FAIL stderr: (Not all processes could be identified, non-owned process info

Eric Desrochers (slashd) wrote :

Even though "pgsql-9.5" debian/tests/control clearly mentioned that it must be run as root.

#postgresql-9.5-9.5.12/debian/tests/control
...
Restrictions: needs-root
..

Anyway, that is another topic, but again that should be enough in terms of justification for releasing pam for Xenial.

Łukasz Zemczak (sil2100) wrote :

Confirmed that the kopanocore tests are broken in the -updates pocket - hinting those in.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.8-3.2ubuntu3.1

---------------
pam (1.1.8-3.2ubuntu3.1) artful; urgency=medium

  * d/local/pam_getenv:
    - Fix "Unescaped left brace in regex" with Perl 5.22. (LP: #1538284)

 -- Seyeong Kim <email address hidden> Thu, 05 Apr 2018 18:21:32 -0700

Changed in pam (Ubuntu Artful):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for pam has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.1.8-3.2ubuntu2.1

---------------
pam (1.1.8-3.2ubuntu2.1) xenial; urgency=medium

  * d/local/pam_getenv:
    - Fix "Unescaped left brace in regex" with Perl 5.22. (LP: #1538284)

 -- Seyeong Kim <email address hidden> Thu, 05 Apr 2018 17:33:57 -0700

Changed in pam (Ubuntu Xenial):
status: Fix Committed → Fix Released