Debian

Available patches from Ubuntu

To see Ubuntu differences with respect to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: apparmor

apparmor (2.13.3-5ubuntu5) focal; urgency=medium

  * Don't ignore exit status in debian/rules.
  * Fix a Python 3.8 autoconf check.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 27 Oct 2019 16:38:00 +0200

apparmor (2.13.3-5ubuntu2) focal; urgency=medium

  * No-change rebuild for the perl update.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 18 Oct 2019 19:26:58 +0000

apparmor (2.13.3-5ubuntu1) eoan; urgency=medium

  * Merge new upstream release from Debian. Remaining changes:
    - Ubuntu-specific patches:
      + ubuntu/add-chromium-browser.patch
      + ubuntu/communitheme-snap-support.patch
      + ubuntu/mimeinfo-snap-support.patch
      + ubuntu/parser-conf-no-expr-simplify.patch
      + ubuntu/profiles-grant-access-to-systemd-resolved.patch
    - debian/apparmor.{install,maintscript}: feature pinning is not used in
      Ubuntu
    - debian/apparmor.preinst: remove cache files on upgrade to 2.13
    - debian/apparmor-profiles.install: install Ubuntu chromium-browser profile
      and abstraction
    - debian/apparmor-profiles.lintian-overrides: update for chromium-browser
      profile having read access to dpkg database for lsb-release
    - debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser
      abstraction if it doesn't exist
    - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
      the branch where the Ubuntu packaging is maintained.
    - debian/gbp.conf: use ubuntu/master as the debian-branch
    - debian/patches/series: comment out debian-only patches
    - debian/tests/control and debian/tests/compile-policy: don't test
      thunderbird since the Ubuntu packaging doesn't ship a profile
  * Drop the following patches, no longer needed:
    - ubuntu/dont-include-site-local-with-dovecot.patch
    - lp1820068.patch
    - upstream-commit-fix-segfault-in-overlaydirat_for_each.patch
    - upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch
    - upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch
    - upstream-commit-fix-segfault-when-loading-policy-cache-files.patch
    - upstream-commit-fix-variable-name-overlap-in-merge-macro.patch
  * upstream-dont-allow-fontconfig-cache-write.patch: don't allow write of
    fontconfig cache files
  * upstream-tests-mult-mount-bump-size-of-created-disk.patch: regression
    tests/mult_mount: bump size of created disk image

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 09 Sep 2019 19:13:22 +0000

Modifications:
  1. Download patch debian/patches/upstream-tests-mult-mount-bump-size-of-created-disk.patch

    --- 2.13.3-5/debian/patches/upstream-tests-mult-mount-bump-size-of-created-disk.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/upstream-tests-mult-mount-bump-size-of-created-disk.patch 2019-09-09 19:13:22.000000000 +0000 @@ -0,0 +1,42 @@ +Origin: 515cb80901640be5a6ba87b0f89145427e592962 +Description: regression tests/mult_mount: bump size of created disk image + +commit 515cb80901640be5a6ba87b0f89145427e592962 +Author: Steve Beattie <steve.beattie@canonical.com> +Date: Tue Jun 25 17:00:12 2019 -0700 + + regression tests/mult_mount: bump size of created disk image + + The mult_mount test creates a small disk image, formats it, and mounts + it in multiple locations in preparation for the tests. However, the + created raw file (80KB) is too small to make a working file system if + 4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently + changed for mkfs to default to always using 4K blocks, causing the + script to fail. + + We could force mkfs to use 1K blocks, but instead, in case some future + version of mkfs decides not to support 1K blocks at all, we bump up the + size of the disk image to 512KB; large enough to work with 4K blocks + yet small enough to be workable in small scale test environments. + + Signed-off-by: Steve Beattie <steve.beattie@canonical.com> + Acked-by: John Johansen <john.johansen@canonical.com> + Acked-by: Seth Arnold <seth.arnold@canonical.com> + Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192 + MR: https://gitlab.com/apparmor/apparmor/merge_requests/396 + (cherry picked from commit 7c7a4bc5311d983f2c4316252b830c52a5a0930b) + 
Signed-off-by: Steve Beattie <steve.beattie@canonical.com> + +diff --git a/tests/regression/apparmor/mult_mount.sh b/tests/regression/apparmor/mult_mount.sh +index 2189c314..ae4749a3 100644 +--- a/tests/regression/apparmor/mult_mount.sh ++++ b/tests/regression/apparmor/mult_mount.sh +@@ -55,7 +55,7 @@ mkdirperm_fail=r + linkperm=rl + readperm=r + +-dd if=/dev/zero of=$image bs=4096 count=20 > /dev/null 2>&1 ++dd if=/dev/zero of=$image bs=4096 count=128 > /dev/null 2>&1 + mkfs.ext2 -F -m 0 -N 10 $image > /dev/null 2>&1 + + mkdir $mp1 $mp2
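    Review bot: the new `count=128` in the `dd` line is still a bare magic number; the commit message explains that 512KB is needed for 4K blocks, but the script itself does not, so a short comment above the `dd` line (or a named size variable) would keep the rationale next to the value it justifies. The duplicated `Signed-off-by: Steve Beattie` trailer in the patch header is harmless cherry-pick residue.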
  2. Download patch debian/tests/compile-policy

    --- 2.13.3-5/debian/tests/compile-policy 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/tests/compile-policy 2019-09-09 19:13:22.000000000 +0000 @@ -9,7 +9,6 @@ PROFILES_NAMES="lsb_release \ usr.bin.man \ usr.bin.onioncircuits \ usr.bin.pidgin \ - usr.bin.thunderbird \ usr.bin.totem \ usr.bin.totem-previewers \ usr.lib.libreoffice.program.oosplash \
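    Review bot: the removal of `usr.bin.thunderbird` from PROFILES_NAMES is explained only in the changelog (the Ubuntu packaging does not ship that profile); a one-line comment at the removal point in the test script would stop a future Debian merge from silently re-adding it and breaking the test.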
  3. Download patch debian/tests/control

    --- 2.13.3-5/debian/tests/control 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/tests/control 2019-09-09 19:13:22.000000000 +0000 @@ -1,5 +1,5 @@ Tests: compile-policy -Depends: apparmor, apparmor-profiles-extra, bind9, cups-browsed, cups-daemon, evince, haveged, kopano-dagent, kopano-server, libreoffice-common, libvirt-daemon-system, man-db, ntp, onioncircuits, tcpdump, thunderbird, tor +Depends: apparmor, apparmor-profiles-extra, bind9, cups-browsed, cups-daemon, evince, haveged, kopano-dagent, kopano-server, libreoffice-common, libvirt-daemon-system, man-db, ntp, onioncircuits, tcpdump, tor Restrictions: allow-stderr Tests: test-installed
  4. Download patch debian/apparmor.preinst

    --- 2.13.3-5/debian/apparmor.preinst 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/apparmor.preinst 2019-09-09 19:13:22.000000000 +0000 @@ -11,6 +11,9 @@ case "$1" in if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "2.12-4ubuntu2"; then rm -f /var/lib/apparmor/profiles/.*.md5sums fi + if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "2.13"; then + rm -f /etc/apparmor.d/cache/.features /etc/apparmor.d/cache/* + fi ;; *)
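    Review bot: `rm -f /etc/apparmor.d/cache/.features /etc/apparmor.d/cache/*` fails with "Is a directory" on any subdirectory inside the cache directory, and if the preinst runs under `set -e` (as the postinst in this set does) that aborts the upgrade rather than just leaving a stale entry; guard the removal with a `[ -d /etc/apparmor.d/cache ]` test and use `rm -rf` on the entries, or say in a comment why a flat layout is guaranteed for every pre-2.13 version being upgraded from. Listing `.features` separately is correct, since the `*` glob does not match dotfiles.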
  5. Download patch debian/apparmor.maintscript

    --- 2.13.3-5/debian/apparmor.maintscript 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/apparmor.maintscript 2019-09-09 19:13:22.000000000 +0000 @@ -1,5 +1,6 @@ rm_conffile /etc/apparmor.d/abstractions/launchpad-integration 2.13.1-2~ rm_conffile /etc/apparmor.d/abstractions/ubuntu-sdk-base 2.8.0-0ubuntu20~ -rm_conffile /etc/apparmor/features 2.11.1-4~ +# Feature pinning is not used in Ubuntu +#rm_conffile /etc/apparmor/features 2.11.1-4~ rm_conffile /etc/apparmor/subdomain.conf 2.13.2-2~ rm_conffile /etc/init/apparmor.conf 2.11.0-11~
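    Review bot: commenting out `rm_conffile /etc/apparmor/features 2.11.1-4~` is only safe if no earlier Ubuntu upload ever shipped that conffile; the comment should state that, because otherwise a system upgraded from such a version is left with an obsolete conffile that nothing removes.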
  6. Download patch debian/rules

    --- 2.13.3-5/debian/rules 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/rules 2019-10-27 14:17:48.000000000 +0000 @@ -28,7 +28,7 @@ override_dh_auto_build: # Build perl dh_auto_build -D libraries/libapparmor # Build pythons - set -e && for py in $(shell py3versions -s) ; do \ + set -e; for py in $(shell py3versions -s) ; do \ cp -a $(CURDIR)/libraries/libapparmor $(CURDIR)/libraries/libapparmor.$$py && \ PYTHON=/usr/bin/$$py dh_auto_configure \ -D libraries/libapparmor.$$py -- --with-python && \ @@ -61,7 +61,7 @@ ifeq (,$(filter $(DEB_HOST_ARCH_OS), kfr dh_auto_test -Dparser -- V=1 endif dh_auto_test -Dlibraries/libapparmor -- V=1 - set -e && for py in $(shell py3versions -s) ; do \ + set -e; for py in $(shell py3versions -s) ; do \ PYTHON=/usr/bin/$$py dh_auto_test \ -D libraries/libapparmor.$$py -- PYTHON=/usr/bin/$$py; \ done @@ -77,7 +77,7 @@ override_dh_auto_clean: cd $(CURDIR)/libraries/libapparmor && \ [ ! -f Makefile ] || $(MAKE) distclean # Clean up rest of build. - set -e && for i in binutils utils parser profiles changehat/mod_apparmor \ + set -e; for i in binutils utils parser profiles changehat/mod_apparmor \ changehat/pam_apparmor ; do \ [ ! -f $$i/Makefile ] || $(MAKE) -C $$i clean; \ rm -f $$i/common; \ @@ -98,7 +98,7 @@ override_dh_auto_install: DESTDIR=$(CURDIR)/debian/tmp \ install - set -e && for py in $(shell py3versions -s) ; do \ + set -e; for py in $(shell py3versions -s) ; do \ (cd utils.$$py && PYTHON=/usr/bin/$$py $(MAKE) \ DESTDIR=$(CURDIR)/debian/tmp \ install) ; \ @@ -140,7 +140,7 @@ endif -c "chmod +w SO && chrpath --delete SO && chmod -w SO" # Install python swig modules - set -e && for py in $(shell py3versions -s); do \ + set -e; for py in $(shell py3versions -s); do \ PYTHON=/usr/bin/$$py \ $(MAKE) -C libraries/libapparmor.$$py \ DESTDIR=$(CURDIR)/debian/tmp install; \ 
@@ -189,7 +189,7 @@ override_dh_apache2: dh_apache2 --noenable override_dh_install-indep: - set -e && for profile in $(shell grep ^etc/apparmor.d/ $(CURDIR)/debian/apparmor-profiles.install | \ + set -e; for profile in $(shell grep ^etc/apparmor.d/ $(CURDIR)/debian/apparmor-profiles.install | \ cut -d/ -f3- | grep -v /); do \ DH_AUTOSCRIPTDIR=debian/debhelper/ perl debian/debhelper/dh_apparmor --profile-name=$$profile -papparmor-profiles; \ done @@ -199,7 +199,7 @@ override_dh_install-indep: dh_install override_dh_install-arch: - set -e && for profile in lsb_release nvidia_modprobe; do \ + set -e; for profile in lsb_release nvidia_modprobe; do \ DH_AUTOSCRIPTDIR=debian/debhelper/ perl debian/debhelper/dh_apparmor --profile-name=$$profile -papparmor; \ done dh_install
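    Review bot: the same one-token change (`set -e &&` to `set -e;`) is repeated in seven places with no comment saying why the `&&` form did not propagate failures, so a future merge could reintroduce it; one line of explanation above the first loop would do. It matters most in the loops whose bodies chain with `;` rather than `&&` (the `dh_auto_test` loop and the `clean` loop), since those rely entirely on `set -e` being honoured to stop on a failed iteration.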
  7. Download patch debian/apparmor-profiles.install

    --- 2.13.3-5/debian/apparmor-profiles.install 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/apparmor-profiles.install 2019-09-09 19:13:22.000000000 +0000 @@ -1,8 +1,12 @@ +# Install Ubuntu-specific chromium-browser abstraction +debian/profiles/chromium-browser usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/ etc/apparmor.d/apache2.d/phpsysinfo etc/apparmor.d/bin.ping etc/apparmor.d/sbin.klogd etc/apparmor.d/sbin.syslog-ng etc/apparmor.d/sbin.syslogd +# Install Ubuntu-specific chromium-browser profile +etc/apparmor.d/usr.bin.chromium-browser etc/apparmor.d/usr.lib.dovecot.anvil /usr/share/apparmor/extra-profiles/ etc/apparmor.d/usr.lib.dovecot.auth /usr/share/apparmor/extra-profiles/ etc/apparmor.d/usr.lib.dovecot.config /usr/share/apparmor/extra-profiles/
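    Review bot: the chromium-browser profile goes straight into `etc/apparmor.d/` (so it is loaded and enforced on install), while the accompanying abstraction is shipped only under `usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/` and reaches /etc via the postinst copy; if the profile includes that abstraction, a skipped or failed copy leaves an active profile that cannot be parsed. Either ship the abstraction in the same place as the profile or say in the comment that the postinst step is a hard requirement.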
  8. Download patch debian/patches/ubuntu/mimeinfo-snap-support.patch

    --- 2.13.3-5/debian/patches/ubuntu/mimeinfo-snap-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/ubuntu/mimeinfo-snap-support.patch 2019-02-26 19:55:55.000000000 +0000 @@ -0,0 +1,21 @@ +Author: Jamie Strandboge <jamie@canonical.com> +Description: allow reading /var/lib/snapd/desktop/applications/*.desktop and + /var/lib/snapd/desktop/applications/mimeinfo.cache +Bug-Ubuntu: https://launchpad.net/bugs/1712039 +Forwarded: no + +Index: apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +=================================================================== +--- apparmor-2.13.2.orig/profiles/apparmor.d/abstractions/freedesktop.org ++++ apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +@@ -18,6 +18,10 @@ + /snap/communitheme/*/share/icons/ r, + /snap/communitheme/*/share/icons/** r, + ++ # mimeinfo and desktop files for snaps ++ /var/lib/snapd/desktop/applications/mimeinfo.cache r, ++ /var/lib/snapd/desktop/applications/{,*.desktop} r, ++ + # this should probably go elsewhere + @{system_share_dirs}/mime/** r, +
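    Review bot: `Forwarded: no` is given without a reason; the rule is read-only and the paths are snapd's, so either state that it is intentionally Ubuntu-specific or forward it, since any distribution using snapd sees the same denials. A short comment that `{,*.desktop}` deliberately grants read on the directory entry as well as on the .desktop files would avoid someone later "tightening" it and breaking directory listing.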
  9. Download patch debian/control

    --- 2.13.3-5/debian/control 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/control 2019-09-09 19:13:22.000000000 +0000 @@ -1,5 +1,6 @@ Source: apparmor -Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org> Uploaders: intrigeri <intrigeri@debian.org> Section: admin Priority: optional @@ -23,8 +24,8 @@ Build-Depends: apache2-dev, python3-all-dev, swig Standards-Version: 4.4.0 -Vcs-Browser: https://salsa.debian.org/apparmor-team/apparmor/tree/debian/master -Vcs-Git: https://salsa.debian.org/apparmor-team/apparmor.git -b debian/master +Vcs-Browser: https://salsa.debian.org/apparmor-team/apparmor/tree/ubuntu/master +Vcs-Git: https://salsa.debian.org/apparmor-team/apparmor.git -b ubuntu/master Homepage: http://apparmor.net/ Rules-Requires-Root: no
  10. Download patch debian/apparmor-profiles.lintian-overrides

    --- 2.13.3-5/debian/apparmor-profiles.lintian-overrides 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/apparmor-profiles.lintian-overrides 2019-09-09 19:13:22.000000000 +0000 @@ -8,3 +8,7 @@ apparmor-profiles binary: package-contai # If phpsysinfo uses that database directly, then it's a bug in phpsysinfo, # and this AppArmor profile can't do much about it. apparmor-profiles binary: uses-dpkg-database-directly etc/apparmor.d/apache2.d/phpsysinfo + +# False positive: this merely grants lsb-release as called by chromium-browser +# read access to the dpkg database via dpkg-query +apparmor-profiles: uses-dpkg-database-directly etc/apparmor.d/usr.bin.chromium-browser
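    Review bot: the new override is written as `apparmor-profiles: uses-dpkg-database-directly ...` while the existing entries in the same file use `apparmor-profiles binary: uses-dpkg-database-directly ...`; lintian accepts both forms, but keep one style per file so the overrides stay easy to grep and copy correctly.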
  11. Download patch debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch

    --- 2.13.3-5/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch 2019-02-26 20:27:19.000000000 +0000 
@@ -0,0 +1,59 @@ +From: Tyler Hicks <tyhicks@canonical.com> +Date: Mon, 29 Jan 2018 12:45:10 +0000 +Subject: profiles: Grant access to systemd-resolved in the nameservice + abstraction + +https://launchpad.net/bugs/1598759 + +Profiles that rely on the nameservice abstraction are experiencing +denials on systems configured to use systemd-resolved via the +libnss-resolve plugin. + +libnss-resolve talks to systemd-resolved over D-Bus and this patch +attempts to only grant access to the safe members of the D-Bus API. + +Special considerations need to be made when applying this patch to most +Linux distributions as many of them do not have the ability to perform +fine-grained AppArmor mediation of D-Bus traffic. In those cases, any +users of the nameservice abstraction (such as tcpdump or ntpd) will have +full access to the D-Bus system bus once this change is applied to the +nameservice abstraction. + +Signed-off-by: Tyler Hicks <tyhicks@canonical.com> +Acked-by: Seth Arnold <seth.arnold@canonical.com> +Forwarded: https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html +Bug: https://launchpad.net/bugs/1598759 +--- + profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice +index e6dcb76..6e678fb 100644 +--- a/profiles/apparmor.d/abstractions/nameservice ++++ b/profiles/apparmor.d/abstractions/nameservice +@@ -87,6 +87,25 @@ + # kerberos + #include <abstractions/kerberosclient> + ++ # resolve ++ # ++ # Allow access to the safe members of the systemd-resolved D-Bus API: ++ # ++ # https://www.freedesktop.org/wiki/Software/systemd/resolved/ ++ # ++ # This API may be used directly over the D-Bus system bus or it may be used ++ # indirectly via the nss-resolve plugin: ++ # ++ # https://www.freedesktop.org/software/systemd/man/nss-resolve.html ++ # ++ #include <abstractions/dbus-strict> ++ dbus send ++ 
bus=system ++ path="/org/freedesktop/resolve1" ++ interface="org.freedesktop.resolve1.Manager" ++ member="Resolve{Address,Hostname,Record,Service}" ++ peer=(name="org.freedesktop.resolve1"), ++ + # TCP/UDP network access + network inet stream, + network inet6 stream,
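    Review bot: the risk spelled out in the commit message (on kernels without fine-grained D-Bus mediation, every profile using the nameservice abstraction gains full access to the system bus) does not appear in the abstraction itself, and the abstraction is what an administrator reads when auditing a profile; a two-line warning next to the `#include <abstractions/dbus-strict>` line would carry it to the right place. The `Forwarded:` link points at a 2016 list thread while the patch is dated January 2018, so a pointer to the current upstream status would help the next merge.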
  12. Download patch debian/patches/ubuntu/parser-conf-no-expr-simplify.patch

    --- 2.13.3-5/debian/patches/ubuntu/parser-conf-no-expr-simplify.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/ubuntu/parser-conf-no-expr-simplify.patch 2019-02-26 22:00:56.000000000 +0000 @@ -0,0 +1,22 @@ +Author: Jamie Strandboge <jamie@canonical.com> +Description: disable expr tree simplification to greatly speed up armhf. We + might consider making this change armhf specific and/or limiting it to only + the snapd policy in the future. +Bug-Ubuntu: https://launchpad.net/bugs/1383858 + +Index: apparmor-2.13.2/parser/parser.conf +=================================================================== +--- apparmor-2.13.2.orig/parser/parser.conf ++++ apparmor-2.13.2/parser/parser.conf +@@ -52,6 +52,11 @@ + + ## Turn off expr tree simplification + #Optimize=no-expr-simplify ++# ++# Ubuntu LP: #1383858 - expr tree simplification is too slow for some policy on ++# 32bit ARM, so disable it for now. When the parser supports it, make this ++# specific to the snapd policy ++Optimize=no-expr-simplify + + ## Turn off DFA minimization + #Optimize=no-minimize
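    Review bot: the Description itself says the change might better be armhf-specific or limited to the snapd policy, yet the hunk sets `Optimize=no-expr-simplify` unconditionally in the shipped parser.conf for every architecture; recording what was measured on non-ARM architectures, or a follow-up bug reference for narrowing the scope, would make that decision reviewable rather than open-ended.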
  13. Download patch debian/patches/ubuntu/add-chromium-browser.patch
  14. Download patch debian/patches/ubuntu/communitheme-snap-support.patch

    --- 2.13.3-5/debian/patches/ubuntu/communitheme-snap-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/ubuntu/communitheme-snap-support.patch 2019-02-26 19:46:14.000000000 +0000 @@ -0,0 +1,36 @@ +From: Didier Roche <didier.roche@canonical.com> +Date: Wed, 11 Apr 2018 10:25:10 +0000 +Subject: add communitheme snap support +Bug-Ubuntu: https://launchpad.net/bugs/1762983 + +Forwarded: no +Index: apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +=================================================================== +--- apparmor-2.13.2.orig/profiles/apparmor.d/abstractions/freedesktop.org ++++ apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +@@ -14,6 +14,10 @@ + @{system_share_dirs}/icons/{**,} r, + @{system_share_dirs}/pixmaps/{**,} r, + ++ # communitheme snap ++ /snap/communitheme/*/share/icons/ r, ++ /snap/communitheme/*/share/icons/** r, ++ + # this should probably go elsewhere + @{system_share_dirs}/mime/** r, + +Index: apparmor-2.13.2/profiles/apparmor.d/abstractions/gnome +=================================================================== +--- apparmor-2.13.2.orig/profiles/apparmor.d/abstractions/gnome ++++ apparmor-2.13.2/profiles/apparmor.d/abstractions/gnome +@@ -27,6 +27,10 @@ + /usr/share/themes/ r, + /usr/share/themes/** r, + ++ # communitheme snap ++ /snap/communitheme/*/share/themes/ r, ++ /snap/communitheme/*/share/themes/** r, ++ + # for gnome 1 applications + /etc/orbitrc r, +
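    Review bot: the blank line between `Bug-Ubuntu:` and `Forwarded: no` splits the DEP-3 header block, so `Forwarded` may not be parsed as a field; keep the headers contiguous, and give a reason for not forwarding (the `/snap/communitheme/*/...` globs are read-only and revision-agnostic, which looks suitable for upstream as well).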
  15. Download patch debian/patches/series

    --- 2.13.3-5/debian/patches/series 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/series 2019-10-27 14:30:47.000000000 +0000 @@ -16,6 +16,14 @@ debian/Enable-writing-cache.patch debian/Make-the-systemd-unit-a-no-op-in-containers-with-no-inter.patch debian/smbd-include-snippet-generated-at-runtime.patch debian/dont-include-site-local-with-dovecot.patch -debian-only/pin-feature-set.patch -debian-only/aa-notify-point-to-Debian-documentation.patch -debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch +#debian-only/pin-feature-set.patch +#debian-only/aa-notify-point-to-Debian-documentation.patch +#debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch +ubuntu/add-chromium-browser.patch +ubuntu/communitheme-snap-support.patch +ubuntu/mimeinfo-snap-support.patch +ubuntu/profiles-grant-access-to-systemd-resolved.patch +ubuntu/parser-conf-no-expr-simplify.patch +upstream-dont-allow-fontconfig-cache-write.patch +upstream-tests-mult-mount-bump-size-of-created-disk.patch +python3.8-ac.diff
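    Review bot: the upstream cherry-picks (`upstream-dont-allow-fontconfig-cache-write.patch`, `upstream-tests-mult-mount-bump-size-of-created-disk.patch`) and `python3.8-ac.diff` are appended after the Ubuntu-only patches; listing upstream backports before distro-specific patches makes them easier to drop at the next upstream release without rebasing the `ubuntu/` ones. Commenting out the `debian-only/` entries rather than deleting them is fine for merge tracking, but a comment line saying that is the intent would help.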
  16. Download patch debian/patches/upstream-dont-allow-fontconfig-cache-write.patch

    --- 2.13.3-5/debian/patches/upstream-dont-allow-fontconfig-cache-write.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/upstream-dont-allow-fontconfig-cache-write.patch 2019-09-09 19:13:22.000000000 +0000 @@ -0,0 +1,32 @@ +Origin: https://gitlab.com/apparmor/apparmor/merge_requests/420 +Description: abstractions/fonts: don't allow write of fontconfig cache files + +commit c5968c70d0f1bd3da9ed1a19b5a79748adbfd566 +Author: Jamie Strandboge <jamie@ubuntu.com> +Date: Mon Sep 9 15:48:05 2019 -0500 + + abstractions/fonts: don't allow write of fontconfig cache files + + 879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for + @{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been + a source of CVEs. Confined applications should absolutely have read + access, but write access could lead to breaking out of the sandbox if a + confined application can write a malformed font cache file since + unconfined applications could then pick them up and be controlled via + the malformed cache. The breakout is dependent on the fontconfig + vulnerability, but this is the sort of thing AppArmor is meant to help + guard against. + +diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts +index 56185846..2cf6bfe2 100644 +--- a/profiles/apparmor.d/abstractions/fonts ++++ b/profiles/apparmor.d/abstractions/fonts +@@ -45,7 +45,7 @@ + owner @{HOME}/.local/share/fonts/** r, + owner @{HOME}/.fonts.cache-2 mr, + owner @{HOME}/.{,cache/}fontconfig/ rw, +- owner @{HOME}/.{,cache/}fontconfig/** mrwl, ++ owner @{HOME}/.{,cache/}fontconfig/** mrl, + owner @{HOME}/.fonts.conf.d/ r, + owner @{HOME}/.fonts.conf.d/** r, + owner @{HOME}/.config/fontconfig/ r,
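    Review bot: the hunk drops `w` from `@{HOME}/.{,cache/}fontconfig/**` but keeps `l`, so a confined process may still be able to place a hard link inside the cache directory (subject to AppArmor's link-target permission subset rule); if fontconfig does not need link there, `mr` closes that path as well, and if it does the reason belongs in a comment, given the commit message's own point that a planted cache file is the concern. The directory rule keeping `rw` governs only the directory entry itself (mkdir/rmdir) and does not reopen writes to the files under it.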
  17. Download patch debian/patches/python3.8-ac.diff

    --- 2.13.3-5/debian/patches/python3.8-ac.diff 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/patches/python3.8-ac.diff 2019-10-27 14:38:00.000000000 +0000 @@ -0,0 +1,20 @@ +--- a/libraries/libapparmor/m4/ac_python_devel.m4 ++++ b/libraries/libapparmor/m4/ac_python_devel.m4 +@@ -139,7 +139,7 @@ sys.stdout.write('%s\n' % distutils.sysc + if test -z "$PYTHON_EXTRA_LIBS"; then + PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \ + conf = distutils.sysconfig.get_config_var; \ +-sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"` ++sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"` + fi + AC_MSG_RESULT([$PYTHON_EXTRA_LIBS]) + AC_SUBST(PYTHON_EXTRA_LIBS) +@@ -164,7 +164,7 @@ sys.stdout.write('%s\n' % conf('LINKFORS + # save current global flags + ac_save_LIBS="$LIBS" + ac_save_CPPFLAGS="$CPPFLAGS" +- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS" ++ LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS" + CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" + AC_TRY_LINK([ + #include <Python.h>
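    Review bot: this patch carries no DEP-3 header at all (no Description, Author, Origin or Forwarded), unlike every other patch in the series; at minimum record that it is the "Python 3.8 autoconf check" fix from the changelog and whether it was sent upstream. The two hunks depend on each other: adding `conf('BLDLIBRARY')` to PYTHON_EXTRA_LIBS only helps because the second hunk also appends `$PYTHON_EXTRA_LIBS` to LIBS for the `AC_TRY_LINK` test, so they should not be split up later.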
  18. Download patch debian/gbp.conf

    --- 2.13.3-5/debian/gbp.conf 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/gbp.conf 2019-09-09 19:13:22.000000000 +0000 @@ -1,6 +1,6 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/master +debian-branch = ubuntu/master upstream-branch = upstream/latest upstream-vcs-tag = v%(version)s patch-numbers = False
  19. Download patch debian/apparmor-profiles.postinst

    --- 2.13.3-5/debian/apparmor-profiles.postinst 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/apparmor-profiles.postinst 2019-09-09 19:13:22.000000000 +0000 @@ -20,6 +20,14 @@ set -e # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. +case "$1" in + configure) + if [ ! -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then + cp /usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/chromium-browser /etc/apparmor.d/abstractions/ubuntu-browsers.d || true + fi + ;; +esac + #DEBHELPER# exit 0
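    Review bot: the `cp` destination `/etc/apparmor.d/abstractions/ubuntu-browsers.d` has no trailing slash and the guard only tests for the target file, so if that directory does not exist `cp` creates a regular file with the directory's name instead of failing, and the `|| true` then hides that along with every other error (missing source, read-only /etc). Prefer `mkdir -p` on the directory, a trailing slash on the destination, and no `|| true` (or an explicit warning on failure). The copied file is also not a dpkg conffile, so it is never updated or removed on upgrade or purge; if that is intentional (admin-owned), say so in the comment.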
  20. Download patch debian/apparmor.install

    --- 2.13.3-5/debian/apparmor.install 2019-09-08 08:00:56.000000000 +0000 +++ 2.13.3-5ubuntu5/debian/apparmor.install 2019-09-09 19:13:22.000000000 +0000 @@ -1,5 +1,6 @@ debian/apport/source_apparmor.py /usr/share/apport/package-hooks/ -debian/features /usr/share/apparmor-features/ +# Feature pinning is not used in Ubuntu +#debian/features /usr/share/apparmor-features/ debian/lib/apparmor/profile-load /lib/apparmor/ etc/apparmor.d/abstractions/* etc/apparmor.d/local/README


Source: libgtk2-perl

libgtk2-perl (2:1.24993-1ubuntu2) focal; urgency=medium

  * No-change rebuild for the perl update.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 19 Oct 2019 10:47:51 +0000

libgtk2-perl (2:1.24993-1ubuntu1) eoan; urgency=medium

  * Sync with Debian. Remaining change:
    - Add new_gdk_pixbuf.patch:
      + Skip a test that is made invalid by the new gdk-pixbuf (the library
        errors out directly now on invalid xpm data)

 -- Jeremy Bicha <jbicha@ubuntu.com>  Mon, 16 Sep 2019 20:49:59 -0400

Modifications:
  1. Download patch debian/control

    --- 2:1.24993-1/debian/control 2019-09-16 13:56:26.000000000 +0000 +++ 2:1.24993-1ubuntu2/debian/control 2019-09-17 00:48:31.000000000 +0000 @@ -1,5 +1,6 @@ Source: libgtk2-perl -Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> Uploaders: gregor herrmann <gregoa@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, intrigeri <intrigeri@debian.org>
  2. Download patch debian/patches/new_gdk_pixbuf.patch

    --- 2:1.24993-1/debian/patches/new_gdk_pixbuf.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:1.24993-1ubuntu2/debian/patches/new_gdk_pixbuf.patch 2019-09-17 00:48:31.000000000 +0000 @@ -0,0 +1,23 @@ +# Description: skip a test that is made invalid by the new gdk-pixbuf +# Upstream: https://gitlab.gnome.org/GNOME/perl-gtk2/issues/3 +# +Index: libgtk2-perl-1.24992/t/GdkPixbuf.t +=================================================================== +--- libgtk2-perl-1.24992.orig/t/GdkPixbuf.t ++++ libgtk2-perl-1.24992/t/GdkPixbuf.t +@@ -123,9 +123,12 @@ my $log = Glib::Log->set_handler ('GdkPi + $pixbuf = Gtk2::Gdk::Pixbuf->new_from_xpm_data (@test_xpm[0..2]); + ok (! defined ($pixbuf), "Don't crash on broken pixmap data"); + $pixbuf = Gtk2::Gdk::Pixbuf->new_from_xpm_data (@test_xpm[0..5]); +-ok (defined $pixbuf, "Don't crash on partial pixmap data"); +-Glib::Log->remove_handler ('GdkPixbuf', $log); +- ++SKIP: { ++ skip 'new gdk-pixbuf error out on invalid xpm', 1; ++ ++ ok (defined $pixbuf, "Don't crash on partial pixmap data"); ++ Glib::Log->remove_handler ('GdkPixbuf', $log); ++} + + # raw pixel values to make the xpm above + my $rawdata = pack 'C*',
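    Review bot: `Glib::Log->remove_handler ('GdkPixbuf', $log)` was moved inside the `SKIP` block, and `skip` leaves the block before reaching it, so whenever the test is skipped the log handler installed earlier is never removed and stays active for the rest of the test file; keep `remove_handler` outside the block so it runs in both cases. The skip reason reads "new gdk-pixbuf error out" (should be "errors out"), and the header uses an ad-hoc `# Upstream:` line where the other patches use DEP-3 `Forwarded:`/`Bug:` fields.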
  3. Download patch debian/patches/series

    --- 2:1.24993-1/debian/patches/series 2019-09-16 13:56:26.000000000 +0000 +++ 2:1.24993-1ubuntu2/debian/patches/series 2019-09-17 00:48:31.000000000 +0000 @@ -1,3 +1,4 @@ 30-disable_libgtk_version_check.patch fix-typo.patch Add-debug-output-in-test-that-failed-on-powerpc-t-GdkPixb.patch +new_gdk_pixbuf.patch