[Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source

Andreas Hasenack 2048092 at bugs.launchpad.net
Thu Jan 11 21:33:13 UTC 2024 

> However, some users are known to build their own binaries from this Ubuntu source and therefore could be 
> impacted.

Do you know of users rebuilding specifically util-linux and enabling
those tools? What was it about this specific CVE and specifically util-
linux that caught your attention and made you want to propose this SRU?

I see the patches only affect the binaries we don't ship, but have you
also made sure that no other tools or files from the package include the
affected code in their build?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2048092

Title:
  [low-priority SRU] Fix CVE-2022-0563 in source

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Jammy:
  In Progress
Status in util-linux source package in Lunar:
  Fix Released
Status in util-linux source package in Mantic:
  Fix Released
Status in util-linux source package in Noble:
  Fix Released

Bug description:
  [Impact]
  We did not fix this CVE in Ubuntu because we do not build the impacted binaries (we use --disable-chfn-chsh). However, some users are known to build their own binaries from this Ubuntu source and therefore could be impacted.

  [Test Plan]
  Since there is no impact to Ubuntu binaries, there is no functional change to verify. Regression testing using the existing build-time tests and autopkgtests should suffice.

  We should also verify that util-linux source builds fine w/ chfn and
  chsh enabled after applying this patch - otherwise it is really
  helping no one.

  [Where problems could occur]
  The upstream patch is clearly restricted to the chfn chsh binaries, which are not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this is used as a precedent to fix other no-impact-to-Ubuntu security issues in other source - say, just to silence 3rd party security scanners. I do not intend to set such a precedent here, and suggest we consider them only on a case-by-case basis.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions

More information about the foundations-bugs mailing list