vmlinuz is world-readable

Bug #1843327 reported by Thadeu Lima de Souza Cascardo
This bug affects 2 people
Affects                      Status        Importance  Assigned to                    Milestone
linux-signed (Ubuntu)        Fix Released  Undecided   Unassigned
  Xenial                     Invalid       Undecided   Unassigned
  Bionic                     Fix Released  Medium      Thadeu Lima de Souza Cascardo
  Disco                      Fix Released  Medium      Thadeu Lima de Souza Cascardo
linux-signed-hwe (Ubuntu)    Fix Released  Undecided   Unassigned
  Xenial                     Fix Released  Undecided   Unassigned
  Bionic                     Fix Released  Undecided   Kleber Sacilotto de Souza
  Disco                      Invalid       Undecided   Unassigned

Bug Description

[Impact]
ppc64el vmlinuz is world-readable, possibly impacting security on that platform.

[Test case]
Verify vmlinuz is not world-readable after the fix.

[Regression potential]
File permissions may be wrong, possibly allowing attack.

--------------------------------------------------------------------------

  ======================================================================
  FAIL: test_096_boot_symbols_unreadable (__main__.KernelSecurityTest)
  kernel addresses in /boot are not world readable
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 1438, in test_096_boot_symbols_unreadable
      self.assertEqual(os.stat(name).st_mode & mask, expected, '%s is world readable' % (name))
  AssertionError: /boot/vmlinux-4.15.0-62-generic is world readable

  ----------------------------------------------------------------------
  Ran 125 tests in 31.183s

  FAILED (failures=1)

This currently affects ppc64el.
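
A stand-alone version of the check named in the [Test case], as an added example (it is not the code of test-kernel-security.py and not part of the bug report): it lists kernel files in a boot directory whose mode has the world-read bit set. The filename patterns, the function names and the constructed sample directory are assumptions made for this example.

```python
import os
import stat
import tempfile
from fnmatch import fnmatch

# Filename patterns are an assumption for this example; the page itself names
# vmlinuz-* (changelog) and /boot/vmlinux-<version> (test failure).
KERNEL_PATTERNS = ("vmlinuz-*", "vmlinux-*", "System.map-*")


def world_readable_kernel_files(boot_dir="/boot", patterns=KERNEL_PATTERNS):
    """Return sorted paths of regular kernel files in boot_dir with S_IROTH set."""
    findings = []
    for entry in os.scandir(boot_dir):
        if not any(fnmatch(entry.name, p) for p in patterns):
            continue
        # Judge the file itself, not a symlink target; symlinks are skipped.
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_IROTH:
            findings.append(entry.path)
    return sorted(findings)


def demo():
    """Build a constructed /boot look-alike and audit it."""
    with tempfile.TemporaryDirectory() as boot:
        # Constructed sample files and modes (hypothetical version strings).
        modes = {
            "vmlinux-0.0.0-0-generic": 0o644,     # world-readable: flagged
            "vmlinuz-0.0.0-1-generic": 0o600,     # owner-only: passes
            "System.map-0.0.0-1-generic": 0o600,  # owner-only: passes
            "config-0.0.0-1-generic": 0o644,      # not matched by the patterns
        }
        for name, mode in modes.items():
            path = os.path.join(boot, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder\n")
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        return [os.path.basename(p) for p in world_readable_kernel_files(boot)]


if __name__ == "__main__":
    print(demo())
```

Calling `world_readable_kernel_files()` with no arguments audits the real /boot; an empty list means no matching file has the world-read bit set.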

Changed in linux-signed (Ubuntu Disco):
importance: Undecided → Medium
Changed in linux-signed (Ubuntu Bionic):
importance: Undecided → Medium
Changed in linux-signed (Ubuntu Disco):
status: New → In Progress
Changed in linux-signed (Ubuntu Bionic):
status: New → In Progress
Changed in linux-signed (Ubuntu Disco):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux-signed (Ubuntu Bionic):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux-signed (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux-signed (Ubuntu):
status: New → Confirmed
Changed in linux-signed (Ubuntu):
status: Confirmed → Fix Released
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (linux-signed/4.15.0-66.75)

All autopkgtests for the newly accepted linux-signed (4.15.0-66.75) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

zfs-linux/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-signed

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 5.0.0-31.33

---------------
linux-signed (5.0.0-31.33) disco; urgency=medium

  * Master version: 5.0.0-31.33

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

linux-signed (5.0.0-30.32) disco; urgency=medium

  * Master version: 5.0.0-30.32

 -- Khalid Elmously <email address hidden> Mon, 30 Sep 2019 14:38:03 -0400

Changed in linux-signed (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 4.15.0-66.75

---------------
linux-signed (4.15.0-66.75) bionic; urgency=medium

  * Master version: 4.15.0-66.75

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

 -- Khalid Elmously <email address hidden> Mon, 30 Sep 2019 23:05:58 -0400

Changed in linux-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) wrote :

This failure still can be found on B-hwe 5.0 PowerPC:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1851488

Changed in linux-signed-hwe (Ubuntu):
status: New → Fix Released
Changed in linux-signed-hwe (Ubuntu Disco):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu Bionic):
status: New → Confirmed
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
Changed in linux-signed-hwe (Ubuntu Xenial):
status: New → In Progress
Changed in linux-signed-hwe (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in linux-signed (Ubuntu Xenial):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux-signed-hwe (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-hwe - 4.15.0-74.83~16.04.1

---------------
linux-signed-hwe (4.15.0-74.83~16.04.1) xenial; urgency=medium

  * Master version: 4.15.0-74.83~16.04.1

linux-signed-hwe (4.15.0-73.82~16.04.1) xenial; urgency=medium

  * Master version: 4.15.0-73.82~16.04.1

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

 -- Khalid Elmously <email address hidden> Tue, 17 Dec 2019 23:49:07 -0500

Changed in linux-signed-hwe (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-hwe - 5.3.0-26.28~18.04.1

---------------
linux-signed-hwe (5.3.0-26.28~18.04.1) bionic; urgency=medium

  * Master version: 5.3.0-26.28~18.04.1

linux-signed-hwe (5.3.0-25.27~18.04.2) bionic; urgency=medium

  * Master version: 5.3.0-25.27~18.04.2
  * Bump upload number.

linux-signed-hwe (5.3.0-25.27~18.04.1) bionic; urgency=medium

  * Master version: 5.3.0-25.27~18.04.1

  * vmlinuz is world-readable (LP: #1843327)
    - fix vmlinuz-* permissions for opal signed kernels

  * Miscellaneous Ubuntu changes
    - [Packaging] Rolling hwe-edge into hwe

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 18 Dec 2019 16:20:33 +0100

Changed in linux-signed-hwe (Ubuntu Bionic):
status: Fix Committed → Fix Released