This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1816756

Title:
  squashfs hardening

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

  There are a number of recent squashfs hardening fixes in the upstream kernel. They don't have a CVE number assigned but it would be good to backport the fixes to harden our kernel against malicious squashfs images. They would harden Ubuntu kernels against potentially malicious snaps.

  The changes are:

  * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01cfb7937a9af2abb1136c7e89fbf3fd92952956
  * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/id=d512584780d3e6a7cacb2f482834849453d444a1
  * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cdbb65c4c7ead680ebe54f4f0d486e2847a500ea
  * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=71755ee5350b63fb1f283de8561cdb61b47f4d1d
  * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a3f94cb99a854fa381fe7fadd97c4f61633717a5

  [Test Case]

  Unfortunately, we don't have access to the reproducers and I'm unaware of any regression tests for the squashfs kernel driver.

  It is very important that we don't regress snap usage in Ubuntu. In previous squashfs/snap testing, we've noticed that large snaps, such as chromium and libreoffice, do a good job of exercising the squashfs code.
  It should be sufficient if we make sure those snaps continue to install and work correctly.

  $ sudo snap install chromium
  $ sudo snap install libreoffice
  $ chromium
   < ensure you can browse to various websites >
  $ libreoffice
   < ensure you can create, save, open documents >

  [Regression Potential]

  Fairly low. The patches are intended to catch corrupted and/or malicious squashfs images. They should not affect well-formed squashfs images. These patches are already present in the Cosmic (and Disco) kernel with no known bug reports despite a considerable number of Cosmic users exercising these changes via snaps.