SRU: Bootable buildd images boot vulnerable kernels

Bug #1891061 reported by Cody Shepherd on 2020-08-10
Affects                  Status  Importance  Assigned to  Milestone
livecd-rootfs (Ubuntu)           Undecided   Unassigned
  Xenial                         Undecided   Unassigned
  Bionic                         Undecided   Unassigned
  Focal                          Undecided   Unassigned

Bug Description

[Impact]

 * Bootable buildd images are currently built from the -release pocket only,
   leaving them vulnerable to issues fixed by -updates and/or -security.

 * MP: #387164 [1] should be backported to ensure updated packages are used
   when building the bootable buildd images.

[Test Case]

 * Inspect the package manifest of the bootable buildd images and check for
   outdated package versions.

[Regression Potential]

 * Updated packages could break current assumptions for bootable buildd images and cause
   boot or runtime failures, though this has not been seen in testing.

1. https://code.launchpad.net/~codyshepherd/livecd-rootfs/+git/livecd-rootfs/+merge/387164

Hello Cody, or anyone else affected,

Accepted livecd-rootfs into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.664.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in livecd-rootfs (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed verification-needed-focal
Cody Shepherd (codyshepherd) wrote :

I've verified that this is fixed for Focal by:

* Building the livecd-rootfs 2.664.5 source package in a private ppa
* Building the focal buildd image with the cpc-buildd livefs, with the above private-ppa as an extra archive
* Booting the resulting disk-linux-virtual.img in Multipass with libvirt as the local driver, and verifying that a) the running kernel was updated (5.4.0-42.46-generic in this case), and b) -updates and -security were enabled in the apt sources.list

Thanks!

tags: added: verification-done-focal
removed: verification-needed verification-needed-focal
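The [Test Case] in the description (check the manifest for outdated packages) and the sources.list check in the verification comment above, as an added example that is not part of the bug report or of livecd-rootfs. It assumes manifest lines of the form `name<TAB>version`, a dict of current archive versions supplied by the caller, and compares versions with dpkg's ordering rules; the sample manifest, versions and sources.list are constructed.

```python
import re
from itertools import zip_longest


def _order(c):
    # dpkg's character weight: end-of-string 0, '~' below everything, letters by code point,
    # other symbols after every letter
    if c == "~":
        return -1
    return 0 if not c else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_alpha(x, y):
    # non-digit runs compared char by char; the shorter run is padded with end-of-string
    for cx, cy in zip_longest(x, y, fillvalue=""):
        if _order(cx) != _order(cy):
            return _order(cx) - _order(cy)
    return 0


def _verrevcmp(a, b):
    # dpkg alternates: compare a non-digit run, then a numeric run, until they differ
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (xa, na), (xb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        diff = _cmp_alpha(xa, xb) or int(na or 0) - int(nb or 0)
        if diff:
            return diff
    return 0


def compare_versions(a, b):
    """Negative if a < b, 0 if equal, positive if a > b ([epoch:]upstream[-revision])."""
    split = lambda v: re.match(r"^(?:(\d+):)?(.*?)(?:-([^-]*))?$", v).groups()
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return int(ea or 0) - int(eb or 0) or _verrevcmp(ua, ub) or _verrevcmp(ra or "", rb or "")


def outdated_packages(manifest, latest):
    """(name, image_version, archive_version) for 'name<TAB>version' lines older than `latest`."""
    rows = (ln.split("\t", 1) for ln in manifest.splitlines() if "\t" in ln)
    return [(n, v, latest[n]) for n, v in rows if n in latest and compare_versions(v, latest[n]) < 0]


def missing_pockets(sources_list, suite):
    """Pockets among <suite>-updates and <suite>-security that no 'deb' line enables."""
    enabled = {m.group(1) for m in re.finditer(r"^deb\s+(?:\[[^\]]*\]\s+)?\S+\s+(\S+)", sources_list, re.M)}
    return {suite + "-updates", suite + "-security"} - enabled


# Constructed sample input (not taken from the bug): a release-pocket manifest, the versions a
# fully updated archive carries, and a sources.list that lacks -security.
SAMPLE_MANIFEST = "linux-image-virtual\t5.4.0.26.32\nopenssl\t1.1.1f-1ubuntu2\nbash\t5.0-6ubuntu1\n"
SAMPLE_LATEST = {"linux-image-virtual": "5.4.0.42.46", "openssl": "1.1.1f-1ubuntu2.1", "bash": "5.0-6ubuntu1"}
SAMPLE_SOURCES = "deb http://archive.ubuntu.com/ubuntu focal main\ndeb http://archive.ubuntu.com/ubuntu focal-updates main\n"
```

Run `outdated_packages(SAMPLE_MANIFEST, SAMPLE_LATEST)` against a real manifest and `apt-cache policy` output to get the list of packages an image built from -release only is missing fixes for.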
Changed in livecd-rootfs (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.664.5

---------------
livecd-rootfs (2.664.5) focal; urgency=medium

  [ Robert C Jennings ]
  * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
    (LP: #1889470)

  [ Cody Shepherd ]
  * Add dist-upgrade to bootable-buildd hook to ensure the built image
    doesn't contain vulnerable kernels or other packages. LP: #1891061.
  * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
    shim-signed.

 -- Steve Langasek <email address hidden> Tue, 04 Aug 2020 12:39:27 -0700

Changed in livecd-rootfs (Ubuntu Focal):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for livecd-rootfs has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.525.47

---------------
livecd-rootfs (2.525.47) bionic; urgency=medium

  * Apparently the lxd appliance needs to use a custom track (4.0) and since
    model assertions do not accept track names in required-snaps, we need to do
    this by hand during build. (LP: #1891505)

 -- Łukasz 'sil2100' Zemczak <email address hidden> Wed, 12 Aug 2020 15:58:19 +0200

Changed in livecd-rootfs (Ubuntu Bionic):
status: New → Fix Released