SRU: Bootable buildd images boot vulnerable kernels
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | livecd-rootfs (Ubuntu) |
Undecided
|
Unassigned | ||
| | Xenial |
Undecided
|
Unassigned | ||
| | Bionic |
Undecided
|
Unassigned | ||
| | Focal |
Undecided
|
Unassigned | ||
Bug Description
[Impact]
* Bootable buildd images are currently built from the -release pocket only,
leaving them vulnerable to issues fixed by -updates and/or -security.
* MP: #387164 [1] should be backported to ensure updated packages are used
when building the bootable buildd images.
[Test Case]
* Inspect package manifest for bootable buildd images; verify outdated versions
of packages
[Regression Potential]
* updated packages could break current assumptions for bootable buildd images, and cause
boot or runtime failures, though this has not been seen in testing.
1. https:/
Related branches
- David Krauser (community): Approve on 2020-07-09
- Ubuntu Core Development Team: Pending requested 2020-07-09
-
Diff: 28 lines (+4/-2)2 files modifiedlive-build/buildd/hooks/02-disk-image-uefi.binary (+1/-2)
live-build/buildd/hooks/52-linux-virtual-image.binary (+3/-0)
- David Krauser (community): Approve on 2020-07-09
- Ubuntu Core Development Team: Pending requested 2020-07-09
-
Diff: 28 lines (+4/-2)2 files modifiedlive-build/buildd/hooks/02-disk-image-uefi.binary (+1/-2)
live-build/buildd/hooks/52-linux-virtual-image.binary (+3/-0)
- Steve Langasek: Needs Information on 2020-08-04
- David Krauser (community): Approve on 2020-07-09
-
Diff: 28 lines (+4/-2)2 files modifiedlive-build/buildd/hooks/02-disk-image-uefi.binary (+1/-2)
live-build/buildd/hooks/52-linux-virtual-image.binary (+3/-0)
- Steve Langasek: Approve on 2020-10-06
-
Diff: 397 lines (+290/-18)11 files modifieddebian/changelog (+6/-0)
dev/null (+0/-13)
live-build/auto/config (+5/-1)
live-build/buildd/hooks/00-mirror.binary (+1/-1)
live-build/buildd/hooks/02-disk-image-uefi.binary (+162/-0)
live-build/buildd/hooks/48-policy-rc-d.binary (+18/-0)
live-build/buildd/hooks/49-empty-resolv-conf.binary (+3/-0)
live-build/buildd/hooks/52-linux-virtual-image.binary (+80/-0)
live-build/buildd/includes.chroot/etc/hostname (+1/-1)
live-build/buildd/includes.chroot/etc/hosts (+2/-2)
live-build/buildd/includes.chroot/etc/network/interfaces (+12/-0)
| Changed in livecd-rootfs (Ubuntu Focal): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed verification-needed-focal |
| Cody Shepherd (codyshepherd) wrote : | #2 |
I've verified that this is fixed for Focal by:
* Building the livecd-rootfs 2.664.5 source package in a private ppa
* Building the focal buildd image with the cpc-buildd livefs, with the above private-ppa as an extra archive
* Booting the resulting disk-linux-
Thanks!
| tags: |
added: verification-done-focal removed: verification-needed verification-needed-focal |
| Changed in livecd-rootfs (Ubuntu): | |
| status: | New → Fix Released |
| Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package livecd-rootfs - 2.664.5
---------------
livecd-rootfs (2.664.5) focal; urgency=medium
[ Robert C Jennings ]
* Handle seeded lxd snap with channel name for ubuntu-
(LP: #1889470)
[ Cody Shepherd ]
* Add dist-upgrade to bootable-buildd hook to ensure the built image
doesn't contain vulnerable kernels or other packages. LP: #1891061.
* Don't explicitly install grub-efi-
shim-signed.
-- Steve Langasek <email address hidden> Tue, 04 Aug 2020 12:39:27 -0700
| Changed in livecd-rootfs (Ubuntu Focal): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for livecd-rootfs has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package livecd-rootfs - 2.525.47
---------------
livecd-rootfs (2.525.47) bionic; urgency=medium
* Apparently the lxd appliance needs to use a custom track (4.0) and since
model assertions do not accept track names in required-snaps, we need to do
this by hand during build. (LP: #1891505)
-- Łukasz 'sil2100' Zemczak <email address hidden> Wed, 12 Aug 2020 15:58:19 +0200
| Changed in livecd-rootfs (Ubuntu Bionic): | |
| status: | New → Fix Released |
Hello Cody, or anyone else affected,
Accepted livecd-rootfs into focal-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.