[Bug 1785414] Update Released

Brian Murray brian at ubuntu.com
Tue Oct 23 20:23:48 UTC 2018 

The verification of the Stable Release Update for man-db has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to man-db in Ubuntu.
https://bugs.launchpad.net/bugs/1785414

Title:
  Backport seccomp sandbox fixes to 18.04

Status in man-db package in Ubuntu:
  Fix Released
Status in man-db source package in Bionic:
  Fix Released

Bug description:
  I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I
  think they would all be worth backporting to 18.04.  They're all
  corner cases, but at least the second and third of them turned up in
  an AskUbuntu post (https://askubuntu.com/questions/1039629/setting-up-
  man-db-crashes-system-with-bad-system-calls) and I had a fair amount
  of email responses to requests for details about it.  Here are the
  details:

   * sandbox: Allow sched_setaffinity
     https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e

     It's possible to run into this if reading xz-compressed manual
  pages with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.

   * sandbox: Allow some shared memory operations
     https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859

     Some unusual software that installs itself in /etc/ld.so.preload
  breaks man without this patch, such as the Astrill VPN.

   * sandbox: Improve ESET compatibility further
     https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a

     This is a refinement to some previous work I did to cope with ESET
  File Security (an antivirus program that installs itself in
  /etc/ld.so.preload).

  [Test Case]
  The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it.  The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.

  [Regression Potential]
  This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1785414/+subscriptions

More information about the foundations-bugs mailing list