This bug was fixed in the package evince - 48.1-3ubuntu2

---------------
evince (48.1-3ubuntu2) questing; urgency=medium

  * d/apparmor-profile: Update env exec rule for new coreutil paths
    (LP: #2123870)
  * d/rules: specify -std=gnu17 to fix FTBFS (LP: #2125693)

evince (48.1-3ubuntu1) questing; urgency=medium

  * Merge with debian. Remaining changes:
    - Add patch to change display name to Evince

evince (48.1-3) unstable; urgency=medium

  * Team upload
  * d/apparmor-profile: Allow running either Papers or Evince for
    print preview.
    Upstream GTK 3 uses evince-previewer for print preview functionality,
    but if the papers package is installed (by default it is not),
    Debian's GTK 3 prefers to use that. papers-previewer already has a
    restrictive AppArmor profile based on the one for evince-previewer,
    so allow running either one. Otherwise, print preview will not work
    if papers happens to be installed. (Closes: #1109826)

evince (48.1-2) unstable; urgency=medium

  * Team upload
  * Mention #1109382 in previous changelog entry
  * d/p/EvWindow-fix-launching-fullscreen-actions-from-popover.patch:
    Add proposed patch from upstream MR evince!728 to fix entry to
    fullscreen or presentation mode via the menu.
    This fixes an intermittent but frequent bug seen when testing
    presentation mode, where the popover menu remains visible (but
    unresponsive) after presentation mode is entered. (Closes: #1109381)

evince (48.1-1) unstable; urgency=medium

  * Team upload
  * New upstream bugfix release
    - Stop working around a GTK scaling bug when using a sufficiently recent
      GTK where the bug is fixed, to avoid double-scaling causing
      presentation mode to display the PDF too small
      (evince#1600 upstream, Closes: #1093497)
    - Ensure that the application ID matches the .desktop filename, so that
      Wayland compositors can always match the window to its icon; previously
      this was correct for the main app but not for the previewer
      (evince!725 upstream, Closes: #1023928)
    - Make sure the caret colour is visible against the document background
      colour, even if viewing a light-background document under a
      dark system theme
      (evince#2093 upstream)
    - Always make annotation popup windows opaque, even if the annotation
      highlight colour is semi-transparent
      (evince#1399 upstream)
    - Guard against integer overflow when allocating memory on a per-page
      basis
      (evince#2094 upstream; probably redundant because GLib already has a
      similar check, but harmless)
    - Avoid deprecated syntax in Appstream metadata
    - Translation updates
  * d/patches: Update to upstream git commit 48.1-4-g440ab79d8 from
    gnome-48 branch
    - Fix a crash in accessibility code by guarding against
      ev_page_cache_get_text() returning NULL
      (evince!681 upstream)
    - Avoid an XML metacharacter in the Hindi translation causing the
      Appstream metadata to become corrupted with recent gettext
      (Infrastructure/damned-lies#655 upstream, Closes: #1109382)
    - Translation updates
  * d/control: Remove Suggests: unrar.
    evince has used libarchive instead since Debian 10 or earlier.
    Thanks to Adrian Bunk (Closes: #1065399)

 -- Ryan Lee <[email protected]>  Fri, 19 Sep 2025 13:07:27 -0700

** Changed in: evince (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/2123870

Title:
  apparmor several profiles incompatible with new coreutils scheme

Status in akonadi package in Ubuntu:
  Fix Released
Status in apparmor package in Ubuntu:
  Fix Released
Status in cups package in Ubuntu:
  In Progress
Status in cups-browsed package in Ubuntu:
  Fix Released
Status in evince package in Ubuntu:
  Fix Released
Status in isc-dhcp package in Ubuntu:
  Confirmed
Status in libvirt package in Ubuntu:
  Fix Released
Status in pollinate package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  In Progress
Status in surf package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Committed

Bug description:
  apparmor:5.0.0~alpha1-0ubuntu1 profiles have rules for gnu-coreutils
  binaries that are incompatible with gnu-coreutils v. 9.5-1ubuntu2, released
  on May 08, 2025. Minimally this looks to affect the wg-quick profile.
  But there may be other profiles that are affected.

  
  gnu-coreutils delivers new symlinks for /usr/bin/cat, /usr/bin/readlink and
  105 other utilities in /usr/bin which point to /usr/bin/gnu<toolname>.
  Apparmor resolves the symlink to the real target path which then breaks any
  apparmor profile which referenced the format /usr/bin or /usr/sbin utility
  name.

  
  The result is many DENIED operations for any symlinked gnu-coreutils command.

  
  This bug appears to affect any apparmor profile in Ubuntu questing which
  happens to set file-based mediation rules for any of the symlinked utilities
  below:

  
  Any profile which has specific file rules related to these utilities will
  likely have DENIED messages in Ubuntu questing of the format:

  type=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open"
  class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480
  comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  2025-09-15T16:19:31.167181+00:00 cloudinit-0915-154438fmhi6o5j kernel:
  audit: type=1400 audit(1757953171.165:461): apparmor="DENIED"
  operation="open" class="file" profile="wg-quick"
  name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0

  2025-09-15T15:55:20.116047+00:00 cloudinit-0915-154438fmhi6o5j kernel:
  audit: type=1400 audit(1757951720.114:447): apparmor="DENIED"
  operation="open" class="file" profile="wg-quick"
  name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick"
  requested_mask="r" denied_mask="r" fsuid=0 ouid=0


  Symlinked utilities due to gnu-coreutils:
  /usr/bin/arch
  /usr/bin/b2sum
  /usr/bin/base32
  /usr/bin/base64
  /usr/bin/basename
  /usr/bin/basenc
  /usr/bin/cat
  /usr/bin/chcon
  /usr/bin/chgrp
  /usr/bin/chmod
  /usr/bin/chown
  /usr/bin/cksum
  /usr/bin/comm
  /usr/bin/cp
  /usr/bin/csplit
  /usr/bin/cut
  /usr/bin/date
  /usr/bin/dd
  /usr/bin/df
  /usr/bin/dir
  /usr/bin/dircolors
  /usr/bin/dirname
  /usr/bin/du
  /usr/bin/echo
  /usr/bin/env
  /usr/bin/expand
  /usr/bin/expr
  /usr/bin/factor
  /usr/bin/false
  /usr/bin/fmt
  /usr/bin/fold
  /usr/bin/groups
  /usr/bin/head
  /usr/bin/hostid
  /usr/bin/id
  /usr/bin/install
  /usr/bin/join
  /usr/bin/link
  /usr/bin/ln
  /usr/bin/logname
  /usr/bin/ls
  /usr/bin/md5sum
  /usr/bin/mkdir
  /usr/bin/mkfifo
  /usr/bin/mknod
  /usr/bin/mktemp
  /usr/bin/mv
  /usr/bin/nice
  /usr/bin/nl
  /usr/bin/nohup
  /usr/bin/nproc
  /usr/bin/numfmt
  /usr/bin/od
  /usr/bin/paste
  /usr/bin/pathchk
  /usr/bin/pinky
  /usr/bin/pr
  /usr/bin/printenv
  /usr/bin/printf
  /usr/bin/ptx
  /usr/bin/pwd
  /usr/bin/readlink
  /usr/bin/realpath
  /usr/bin/rm
  /usr/bin/rmdir
  /usr/bin/runcon
  /usr/bin/seq
  /usr/bin/sha1sum
  /usr/bin/sha224sum
  /usr/bin/sha256sum
  /usr/bin/sha384sum
  /usr/bin/sha512sum
  /usr/bin/shred
  /usr/bin/shuf
  /usr/bin/sleep
  /usr/bin/sort
  /usr/bin/split
  /usr/bin/stat
  /usr/bin/stdbuf
  /usr/bin/stty
  /usr/bin/sum
  /usr/bin/sync
  /usr/bin/tac
  /usr/bin/tail
  /usr/bin/tee
  /usr/bin/test
  /usr/bin/timeout
  /usr/bin/touch
  /usr/bin/tr
  /usr/bin/true
  /usr/bin/truncate
  /usr/bin/tsort
  /usr/bin/tty
  /usr/bin/uname
  /usr/bin/unexpand
  /usr/bin/uniq
  /usr/bin/unlink
  /usr/bin/users
  /usr/bin/vdir
  /usr/bin/wc
  /usr/bin/who
  /usr/bin/whoami
  /usr/bin/yes
  /usr/sbin/chroot


  
  ### steps to reproduce
  lxc launch ubuntu-daily:questing --vm kvm-q
  lxc exec kvm-q bash
  apt-get update --yes
  apt-get install wireguard-tools --yes
  modprobe wireguard
  su - ubuntu
  umask 077
  wg genkey > wg0.key
  wg pubkey < wg0.key > wg0.pub 
  <CTRL-D>
  root@kvm-q:~#  KEY=`cat /home/ubuntu/wg0.key`
  root@kvm-q:~#  PUBKEY=`cat /home/ubuntu/wg0.pub`
  root@kvm-q:~#  cat > /etc/wireguard/wg0.conf <<EOF
  [Interface]
  Address = 192.168.254.1/32
  ListenPort = 51820
  PrivateKey = ${KEY}

  [Peer]
  PublicKey = ${PUBKEY}
  AllowedIPs = 192.168.254.2/32
  EOF

  systemctl restart wg-quick@wg
  echo $?

  journalctl -u wg-quick@wg.service

  ```
  Sep 15 17:49:19 kvm-q systemd[1]: Starting wg-quick@wg.service - WireGuard via wg-quick(8) for wg...
  Sep 15 17:49:19 kvm-q wg-quick[1574]: /usr/bin/wg-quick: line 11: /usr/bin/readlink: Permission denied
  Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Main process exited, code=exited, status=126/n/a
  Sep 15 17:49:19 kvm-q systemd[1]: wg-quick@wg.service: Failed with result 'exit-code'.
  Sep 15 17:49:19 kvm-q systemd[1]: Failed to start wg-quick@wg.service - WireGuard via wg-quick(8) for wg.
  ```
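
A triage sketch for the denials described above, added here as an example and not taken from the bug report or from any Ubuntu package: it parses AppArmor DENIED audit records and groups, per profile, the ones whose `name=` is a `/usr/bin/gnu<tool>` target of a relocated coreutils binary. The function names, the `COREUTILS` subset and the fourth log record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The three denials quoted in the report (re-joined onto one line each), plus
# one constructed record for a non-coreutils binary that must not be flagged.
SAMPLE_LOG = """\
audit: type=1400 audit(1757953283.765:489): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnusort" pid=2480 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1757953171.165:461): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnucat" pid=2254 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1757951720.114:447): apparmor="DENIED" operation="open" class="file" profile="wg-quick" name="/usr/bin/gnureadlink" pid=1977 comm="wg-quick" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1757951800.000:450): apparmor="DENIED" operation="open" class="file" profile="constructed-example" name="/usr/bin/gnuplot" pid=2000 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Subset of the symlinked utilities listed in the report; extend as needed.
COREUTILS = {"cat", "env", "readlink", "sort", "stat", "uname"}

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TARGET = re.compile(r"^/usr/bin/gnu(?P<tool>[^/]+)$")


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED file record, or None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED" or fields.get("class") != "file":
        return None
    return fields


def rename_denials(log_text, tools=frozenset(COREUTILS)):
    """Group denials caused by the /usr/bin/<tool> -> /usr/bin/gnu<tool> move.

    Returns {profile: [(path the profile names, resolved path, denied_mask)]}.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        match = TARGET.match(rec.get("name", ""))
        if match and match["tool"] in tools:  # gnuplot etc. are not coreutils
            legacy = "/usr/bin/" + match["tool"]
            hits[rec.get("profile", "?")].add((legacy, rec["name"], rec.get("denied_mask", "")))
    return {profile: sorted(rows) for profile, rows in hits.items()}


if __name__ == "__main__":
    for profile, rows in rename_denials(SAMPLE_LOG).items():
        for legacy, resolved, mask in rows:
            print(f"{profile}: {legacy} now resolves to {resolved}, denied mask {mask}")
```
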
