[Bug 2027620] Re: DOTNET_ROOT is unnecessarily set

Launchpad Bug Tracker 2027620@bugs.launchpad.net
Thu Aug 10 18:28:13 UTC 2023


This bug was fixed in the package dotnet7 - 7.0.110-0ubuntu1~22.04.1

---------------
dotnet7 (7.0.110-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: remote code execution
    - CVE-2023-35390: When running certain dotnet commands (e.g. dotnet help
      add), dotnet attempts to locate and initiate a new process using
      cmd.exe. However, it prioritizes searching for cmd.exe in the current
      working directory (CWD) before checking other locations. This can
      potentially lead to the execution of malicious code.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
      leak. A malicious QUIC client that fires off many unidirectional
      streams with closed writing sides will bypass the HTTP/3 stream
      limit, and Kestrel cannot keep up with stream processing.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38180: Kestrel vulnerability to slow read attacks.

  [ Dominik Viererbe ]
  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 02 Aug 2023 21:51:14 +0300

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dotnet6 in Ubuntu.
https://bugs.launchpad.net/bugs/2027620

Title:
  DOTNET_ROOT is unnecessarily set

Status in dotnet6 package in Ubuntu:
  Fix Released
Status in dotnet7 package in Ubuntu:
  Fix Released
Status in dotnet6 source package in Jammy:
  Fix Released
Status in dotnet7 source package in Jammy:
  Fix Released
Status in dotnet6 source package in Kinetic:
  Won't Fix
Status in dotnet7 source package in Kinetic:
  Won't Fix
Status in dotnet6 source package in Lunar:
  Fix Released
Status in dotnet7 source package in Lunar:
  Fix Released
Status in dotnet6 source package in Mantic:
  Fix Released
Status in dotnet7 source package in Mantic:
  Fix Released

Bug description:
  This is what I see on my machine.

  ```
  rich@vancouver:~$ dotnet --version
  7.0.109
  rich@vancouver:~$ cat /etc/os-release | head -n 1
  PRETTY_NAME="Ubuntu 22.04.2 LTS"
  rich@vancouver:~$ export | grep DOTNET
  declare -x DOTNET_BUNDLE_EXTRACT_BASE_DIR="/home/rich/.cache/dotnet_bundle_extract"
  declare -x DOTNET_ROOT="/usr/lib/dotnet"
  rich@vancouver:~$ dotnet --info | grep ROOT
    DOTNET_ROOT       [/usr/lib/dotnet]
  rich@vancouver:~$ cat /etc/dotnet/install_location
  /usr/lib/dotnet
  ```

  I am surprised to see `DOTNET_ROOT` set. The value in
  `/etc/dotnet/install_location` is set to the same value and should be
  doing the same job. The `/etc/dotnet` configuration is intended for
  the global install and `DOTNET_ROOT` is intended for developers.

  Please re-consider (not) setting `DOTNET_ROOT`.

  Separately, is there a reason why `DOTNET_BUNDLE_EXTRACT_BASE_DIR` is
  set?
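The report above boils down to one question: does a globally exported DOTNET_ROOT merely duplicate /etc/dotnet/install_location, or does it override it? For framework-dependent apps started through an apphost, DOTNET_ROOT is consulted before the registered global install location, so a stale or differing value silently redirects every such app to a different runtime tree. The following POSIX shell script is an added example written for this page; it is not part of the bug report or of the Ubuntu dotnet6/dotnet7 packaging. It assumes, as the report shows, that the first line of the install_location file names the global install directory, and it constructs its own sample file so it runs on a machine without .NET installed.

```shell
#!/bin/sh
# Added example, not the project's code: classify how a DOTNET_ROOT value
# relates to the global install-location file that the .NET host reads.

# Strip trailing slashes so "/usr/lib/dotnet/" and "/usr/lib/dotnet" compare equal.
normalize_dir() {
    d="$1"
    while [ "$d" != "/" ] && [ "${d%/}" != "$d" ]; do
        d="${d%/}"
    done
    printf '%s\n' "$d"
}

# classify_dotnet_root ROOT LOCFILE
#   ROOT     value of DOTNET_ROOT (empty string if unset)
#   LOCFILE  path to an install_location file (may be absent)
# Prints exactly one word:
#   unset       DOTNET_ROOT is not set; the host falls back to LOCFILE or defaults
#   redundant   DOTNET_ROOT names the same directory as LOCFILE (this report's case)
#   overriding  DOTNET_ROOT names a different directory and takes precedence
#   env-only    DOTNET_ROOT is set and LOCFILE is unreadable or missing
classify_dotnet_root() {
    root="$1"
    locfile="$2"
    if [ -z "$root" ]; then
        echo unset
        return 0
    fi
    if [ ! -r "$locfile" ]; then
        echo env-only
        return 0
    fi
    global=$(head -n 1 "$locfile")
    if [ "$(normalize_dir "$root")" = "$(normalize_dir "$global")" ]; then
        echo redundant
    else
        echo overriding
    fi
}

# Constructed sample mirroring the report: a global file naming /usr/lib/dotnet.
# (Hypothetical helper; /etc/dotnet/install_location is the real file on Ubuntu.)
make_sample_locfile() {
    f=$(mktemp)
    printf '/usr/lib/dotnet\n' > "$f"
    printf '%s\n' "$f"
}

# Audit the running shell against the real Ubuntu file.
audit_current_host() {
    classify_dotnet_root "${DOTNET_ROOT:-}" /etc/dotnet/install_location
}

# Demonstration on the constructed sample.
sample=$(make_sample_locfile)
classify_dotnet_root "/usr/lib/dotnet" "$sample"      # the report's situation
classify_dotnet_root "/opt/dotnet-preview" "$sample"  # a developer override
rm -f "$sample"
audit_current_host
```

On a jammy machine carrying the affected dotnet.sh profile snippet the audit prints `redundant`; after the fix (DOTNET_ROOT no longer exported) it prints `unset`, and anything reporting `overriding` deserves a look because the distro-installed runtime is not the one apphosts will load.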
