> However, some users are known to build their own binaries from this Ubuntu 
> source and therefore could be 
> impacted.

Do you know of users rebuilding specifically util-linux and enabling
those tools? What was it about this specific CVE and specifically
util-linux that caught your attention and made you want to propose this SRU?

I see the patches only affect the binaries we don't ship, but have you
also made sure that no other tools or files from the package include the
affected code in their build?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2048092

Title:
  [low-priority SRU] Fix CVE-2022-0563 in source

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Jammy:
  In Progress
Status in util-linux source package in Lunar:
  Fix Released
Status in util-linux source package in Mantic:
  Fix Released
Status in util-linux source package in Noble:
  Fix Released

Bug description:
  [Impact]
  We did not fix this CVE in Ubuntu because we do not build the impacted
  binaries (we use --disable-chfn-chsh). However, some users are known to build
  their own binaries from this Ubuntu source and therefore could be impacted.

  [Test Plan]
  Since there is no impact to Ubuntu binaries, there is no functional change to
  verify. Regression testing using the existing build-time tests and autopkgtests
  should suffice.

  We should also verify that util-linux source builds fine w/ chfn and
  chsh enabled after applying this patch - otherwise it is really
  helping no one.

  [Where problems could occur]
  The upstream patch is clearly restricted to the chfn chsh binaries, which are
  not compiled by Ubuntu, so I don't see a risk there. I do see a risk that this
  is used as a precedent to fix other no-impact-to-Ubuntu security issues in
  other source - say, just to silence 3rd party security scanners. I do not
  intend to set such a precedent here, and suggest we consider them only on a
  case-by-case basis.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
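As an added example, not part of this bug report or of util-linux itself: a POSIX sh script that checks, on an installed Debian/Ubuntu system, the bug description's claim that the packaged util-linux does not ship chfn and chsh (so the CVE-2022-0563 patch only matters for self-built binaries), and that answers the reviewer's question of which package actually owns those paths. It assumes dpkg is available and that the binaries would live under /usr/bin or /usr/sbin; the sample file lists and flag string are constructed here, not real dpkg or debian/rules output, so the helpers can be exercised offline. Run it with `--live` for the real check.

```shell
#!/bin/sh
# Added example; not code from the bug report or from the util-linux project.
# Assumptions: dpkg-based host; chfn/chsh would be installed under /usr/bin or
# /usr/sbin; the configure flags of the packaged build are available to the
# reader (e.g. copied out of debian/rules) as a single string.

# Read a package file list on stdin (one path per line, as `dpkg -L` prints it)
# and print any chfn/chsh binaries found. Returns 0 if at least one is present,
# 1 if the list ships neither.
list_ships_chfn_chsh() {
    hits=$(grep -E '^/(usr/)?s?bin/(chfn|chsh)$' || true)
    [ -n "$hits" ] && { printf '%s\n' "$hits"; return 0; }
    return 1
}

# Return 0 if a configure flag string explicitly disables chfn/chsh
# (the --disable-chfn-chsh switch named in the bug description), else 1.
configure_disables_chfn_chsh() {
    case " $1 " in
        *" --disable-chfn-chsh "*) return 0 ;;
    esac
    return 1
}

# Print the dpkg package that owns an installed path, or nothing if unknown.
# `dpkg -S` prints "package: /path"; keep only the package name.
owner_of() {
    dpkg -S "$1" 2>/dev/null | sed -n 's/: .*//p' | head -n 1
}

# Live check against the running system: who owns chfn/chsh, and does the
# installed util-linux package ship them at all.
live_check() {
    for bin in /usr/bin/chfn /usr/bin/chsh; do
        owner=$(owner_of "$bin")
        printf '%s is owned by: %s\n' "$bin" "${owner:-none}"
    done
    if dpkg -L util-linux 2>/dev/null | list_ships_chfn_chsh; then
        echo "util-linux ships chfn/chsh: the patch is relevant to this package"
    else
        echo "util-linux does not ship chfn/chsh: matches the bug description"
    fi
}

# Constructed sample inputs (not real dpkg output) for offline use.
SAMPLE_UTIL_LINUX_LIST='/usr/bin/cal
/usr/bin/setsid
/usr/bin/whereis
/usr/sbin/fdisk'
SAMPLE_SELF_BUILT_LIST='/usr/bin/cal
/usr/bin/chfn
/usr/bin/chsh'
# Constructed flag string in the shape of the packaged build's configure call.
UBUNTU_FLAGS='--disable-chfn-chsh --disable-login --with-systemd'

if [ "$1" = "--live" ]; then
    live_check
fi
```

A self-built util-linux that drops `--disable-chfn-chsh` will make `list_ships_chfn_chsh` report both binaries, which is exactly the population the SRU is meant to help; on a stock Ubuntu install the owner of /usr/bin/chfn is expected to be a different package, and `dpkg -L util-linux` should contain neither path.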