Ubuntu
man-db package

Backport seccomp sandbox fixes to 18.04

Bug #1785414 reported by Colin Watson
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
man-db (Ubuntu)
Fix Released
High
Colin Watson
Bionic
Fix Released
High
Colin Watson

Bug Description

I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I think they would all be worth backporting to 18.04. They're all corner cases, but at least the second and third of them turned up in an AskUbuntu post (https://askubuntu.com/questions/1039629/setting-up-man-db-crashes-system-with-bad-system-calls) and I had a fair amount of email responses to requests for details about it. Here are the details:

 * sandbox: Allow sched_setaffinity
   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e

   It's possible to run into this if reading xz-compressed manual pages with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.

 * sandbox: Allow some shared memory operations
   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859

   Some unusual software that installs itself in /etc/ld.so.preload breaks man without this patch, such as the Astrill VPN.

 * sandbox: Improve ESET compatibility further
   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a

   This is a refinement to some previous work I did to cope with ESET File Security (an antivirus program that installs itself in /etc/ld.so.preload).

[Test Case]
The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it. The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.

[Regression Potential]
This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.

See original description
Revision history for this message
Colin Watson (cjwatson) wrote :

These are all fixed in 2.8.4-1; cosmic has 2.8.4-2.

Changed in man-db (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → Fix Released
Changed in man-db (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Amr Ibrahim (amribrahim1987)
summary: - Backport seccomp sandbox fixes to 16.04
+ Backport seccomp sandbox fixes to 18.04
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Colin, or anyone else affected,

Accepted man-db into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/man-db/2.8.3-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in man-db (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Simon Déziel (sdeziel) wrote :

I couldn't reproduce the problem with XZ_DEFAULTS=--threads=0 but according to [1], it requires xz-utils >= 5.2.3 and 18.04 has 5.2.2-1.3. I found no regression but I have NOT tested the ESET/VPN cases.

1: https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e

Revision history for this message
Bernd Wagner (fjberwag) wrote :

Thanks, Colin, for providing the fixes+backport and Brian, for including them into the repository.

I hope the following serves at least as a regression test.

[Test Cases]
1) ESET NOD32 Antivirus4 4.0.90.0 with /etc/ld.so.preload (which serves to files scanning on access)
1a) man-db 2.8.3-2 and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
1b) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
1c) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution, additionally xz-utils 5.2.4 installed to /usr/local (without package)

in all cases 1x) Update of the Manual-DB e.g. by "sudo mandb -c" leads to the error messages:
...
/usr/bin/mandb: zcat < /usr/share/man/man1/lz4_decompress.1.gz: Bad system call
/usr/bin/mandb: /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE -q: Bad system call
/usr/bin/mandb: zcat: Bad system call
...

For 1b and 1c this was also tested with XZ_DEFAULTS=--threads=0.

In all cases 1x) "man mandb" formats correctly.
(Maybe that was a problem with earlier ESET versions.)

2) ESET NOD32 Antivirus4 4.0.90.0 without /etc/ld.so.preload
2a) man-db 2.8.3-2 and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
2b) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
2c) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution, additionally xz-utils 5.2.4 installed to /usr/local (without package)

all 2x) ok für man-db generation and formatting of man pages

System Architecture:
i386
Ubuntu 18.04
Kernel Linux pc2 4.15.0-33201808301234-generic #0+mediatree+hauppauge-Ubuntu SMP Thu Aug 30 19:02:06 UTC 2018 i686 i686 i686 GNU/Linu

The mandb problem doesn't occur with my 64bit Ubuntu installation, although ESET is installed there as well!

Conclusion:
The bugfix dosn't resolve my problem, but it doesn't make things worse for me, so if it helps others...

Thanks for providing it.

Revision history for this message
Colin Watson (cjwatson) wrote :

Thanks. Sounds like I still missed something but it's at least no worse than before, so I think that's good enough for verification-done.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package man-db - 2.8.3-2ubuntu0.1

---------------
man-db (2.8.3-2ubuntu0.1) bionic; urgency=medium

  * Backport seccomp sandbox improvements from 2.8.4 (LP: #1785414):
    - Allow sched_getaffinity, used by xz in some cases.
    - Allow some shared memory operations, required by preloaded libraries
      such as the Astrill VPN.
    - Improve ESET File Security compatibility further.

 -- Colin Watson <email address hidden> Sat, 04 Aug 2018 20:16:12 +0100

Changed in man-db (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for man-db has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.