[Bug 1150737] Please test proposed package
Brian Murray
brian at ubuntu.com
Wed Jul 22 15:47:34 UTC 2015
Hello Kevin, or anyone else affected,
Accepted live-build into trusty-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/live-build/3.0~a57-1ubuntu11.2
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Your feedback will aid us in getting this update
out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in
advance!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to live-build in Ubuntu.
https://bugs.launchpad.net/bugs/1150737
Title:
live-build causes installation old /sbin/initctl and start-stop-daemon
to be installed in Cloud Images
Status in live-build package in Ubuntu:
Fix Released
Status in live-build source package in Trusty:
Fix Committed
Status in live-build source package in Vivid:
Fix Committed
Status in live-build package in Debian:
Fix Released
Bug description:
[ SRU Info ]
See bug #1363519
[ Original Report ]
I've encountered at least five different Amazon AMIs which all fail debsums right out of the box. The offending binaries are upstart: /sbin/initctl and dpkg: /sbin/start-stop-daemon. Both are handy locations to drop a rootkit. Most prominently, the banner-choice for the GUI AWS console wizard in us-east-1 is ami-3fec7956, which seems to be created by Canonical (ami-3fec7956 099720109477/ubuntu/images/ebs/ubuntu-precise-12.04-amd64-server-20130124).
us-east-1: ami-3fec7956, ami-de0d9eb7
us-west-1: ami-b81230fd
us-west-2: ami-da1810ae
ap-northeast-1: ami-77cf4976
I analyzed only initctl, as it was the first to trip my alarms. In
the following examples, the left side is the one from the upstart
package version dpkg claims to have installed, the right is the one
actually on the system.
* A side-by-side hex/ascii of the diff : http://pastebin.com/raw.php?i=JGN1rMC5
* The same, with some color: http://cl.ly/image/2x2l3S1j1f38
* A side-by-side comparison of objdump --disassemble-all: http://pastebin.com/raw.php?i=5ppcJG2H
* The same, with some color: http://cl.ly/image/2d0w1I3W083x
The file size is the same, but clearly it is not the one from the
package. objdump interpreted this delta as having a mov instruction,
then executing a conditional jump. This "looks" scary, but I'm no
expert. This may be only a side-effect of trying to disassemble code.
This is either malicious, or a totally benign mistake, but in either
case, Canonical should not be distributing AMIs which cannot pass
rudimentary integrity checks.
To reproduce, simply start an AWS instance with one of these AMIs,
install debsums, and run something like:

for PKG in $(dpkg --get-selections | awk '{print $1}'); do
    echo "${PKG}:" >> failsums
    debsums "$PKG" | grep FAILED >> failsums
done
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/live-build/+bug/1150737/+subscriptions
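As an added example (not code from the bug report, the reporter, or the live-build package), the per-file check that debsums performs, written as a POSIX shell function over the md5sums dpkg records for each package in /var/lib/dpkg/info/<pkg>.md5sums, and run against a constructed fixture in which a file of the same size has replaced the recorded /sbin/initctl, mirroring what the reporter saw. The fixture directory layout, the package name "upstart" and the file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the per-file check debsums performs, done by hand against
# the md5sums dpkg records for each package in /var/lib/dpkg/info/<pkg>.md5sums.
# The fixture below is constructed so the script runs offline; on a real
# system pass /var/lib/dpkg/info and / as the last two arguments.

# verify_pkg <pkg> <dpkg-info-dir> <root>
# Prints "FAILED <path>" for each recorded file that is missing or whose
# current md5 differs from the recorded one; returns 1 if anything failed.
verify_pkg() {
    pkg=$1 info=$2 root=$3
    list="$info/$pkg.md5sums"
    [ -f "$list" ] || { echo "no md5sums recorded for $pkg" >&2; return 2; }
    bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "FAILED $path (missing)"; bad=1; continue
        fi
        cur=$(md5sum "$root/$path" | cut -d' ' -f1)
        [ "$cur" = "$sum" ] || { echo "FAILED $path"; bad=1; }
    done < "$list"
    return "$bad"
}

# make_fixture <dir>: constructed dpkg-like tree for a package "upstart" with
# one intact file and one file replaced after its checksum was recorded.
make_fixture() {
    d=$1
    mkdir -p "$d/info" "$d/root/sbin"
    printf 'ok\n' > "$d/root/sbin/good"
    printf 'original\n' > "$d/root/sbin/initctl"
    {
        printf '%s  sbin/good\n' "$(md5sum "$d/root/sbin/good" | cut -d' ' -f1)"
        printf '%s  sbin/initctl\n' "$(md5sum "$d/root/sbin/initctl" | cut -d' ' -f1)"
    } > "$d/info/upstart.md5sums"
    # Same length as the recorded file, different content: size alone would
    # not reveal the swap, just as in the report.
    printf 'tampered\n' > "$d/root/sbin/initctl"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
verify_pkg upstart "$tmp/info" "$tmp/root" || echo "upstart: integrity check FAILED"
rm -rf "$tmp"
```

A file that matches its recorded checksum prints nothing, so on a clean package the function is silent and returns 0; note that md5sums files only cover files shipped by the package, not conffiles modified by the administrator.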