new libseccomp 2.4 (in proposed) makes rebuilds need but not generate a dependency to 2.4
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libseccomp (Ubuntu) |
Won't Fix
|
Critical
|
Unassigned | ||
qemu (Ubuntu) |
Invalid
|
Medium
|
Christian Ehrhardt | ||
Disco |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* Just as of yesterday we have a new libseccomp in all releases.
This brings some new code and features which might impact packages.
For qemu being one of the few that is not so much a problem in many
cases. Prior to Disco we didn't have code in qemu using the new
libseccomp bits. In Eoan we can assume that libseccomp 2.4 (being
release level) will be installed.
But in Disco people might have installed and not updated libseccomp
but install/upgrade to a qemu that was built against that new
libseccomp. Due to that qemu will get a runtime dependency that is
not picked up automatically - this would break all qemu execution
being blocked by a failure to install seccomp filters.
* To fix that we will add an explicit versioned dependency to qemu to
make sure the rebuild will ensure that the right library version is
available.
* This is needed for qemu-system* which all depend on qemu-system-
common so to avoid too much noise changing all qemu-system* packages
the dependency it added there.
[Test Case]
* ensure that the qemu install will ensure that libseccomp2 (>= 2.4.1)
is also installed (not staying on 2.3)
* Then install qemu and run
$ qemu-system-x86_64 -enable-kvm -nographic -nodefaults -sandbox on,obsolete=
which should not trigger this (when fixed)
error: internal error: process exited while connecting to monitor: 2019-05-
[Regression Potential]
* Well, the regressions might be triggered by pushing the new
libseccomp, not by this dependency fixup. The security Team has
checked and this seems to be the only affected code in the archive.
So libseccomp was pushed to fix CVEs. I have thought if it is a
regression that users of qemu will now be forced to use the newer
libseccomp, but since it would be unusable without that is no
important argument. And it is strongly recommended to upgrade for
security reasons as well.
[Other Info]
* n/a
---
It started with some of my usual KVM checks and found them failing on Disco with:
error: internal error: process exited while connecting to monitor: 2019-05-
I realized it works on X/B/C/E but not in a D container
It worked ~4 weeks ago.
This test can be simplified to one command:
$ qemu-system-x86_64 -enable-kvm -nographic -nodefaults -sandbox on,obsolete=
With strace I found different behavior:
Good:
[pid 3487] 0.000000 seccomp(
[pid 3487] 0.003136 seccomp(
[pid 3487] 0.000250 seccomp(
Bad:
[pid 484] 0.000000 seccomp(
[pid 484] 0.002680 seccomp(
[pid 484] 0.000088 seccomp(
The difference seems to come from being built against seccomp as in Disco (2.3.3-3ubuntu2 = good) or Disco-proposed ( = bad).
The dependency on the built package stayed
libseccomp2 (>= 2.3.0)
It did not pick up 2.4 via e.g. shlibs.
If I install libseccomp2 2.4 from -proposed the issue is gone.
Strace now looks like:
[pid 1788] 0.000000 seccomp(
[pid 1788] 0.004167 seccomp(
[pid 1788] 0.000098 seccomp(
[pid 1788] 0.000054 seccomp(
[pid 1788] 0.000061 seccomp(
[pid 1788] 0.001477 seccomp(
This is in all releases proposed to fix CVE-2019-9893
I was just ?lucky? to pick it up with my qemu build in the PPA that has proposed enabled.
Now there might be some toolchain detail to this as well.
As I built qemu for B/C as well and they built against the proposed 2.4 versions as well.
But in B/C things work with new qemu builds and old libseccomp2 installed.
Eoan on the other hand works by having libseccomp2 2.4.1-0ubuntu0.
But that "luck" of B/C working might be specific to Qemus code, other rebuilds against the new libseccomp2 might fail as well in B/C and further. Shlibs detection is based on these symbols but my new qemu build is not calling these so it dependency stays at 2.3.
Until a simpler testcase is found, I have set up two new PPAs:
https:/
https:/
In comment #5 I debugged the case and found the new "dependency"
As a summary:
- the libseccomp-dev 2.4 headers being installed at build time
- code can detect now the availability of SCMP_ACT_
- code might decide to use SCMP_ACT_
- if code runs without libseccomp2 2.4 installed it breaks
### some related Build logs ###
Cosmic rebuild against 2.4, not affected by the issue
https:/
Disco rebuild against 2.4, affected by the issue
https:/
Disco build against 2.3 (working)
https:/
Task for now is:
- Critical (for the chance of breaking a potentially arbitrary amount of SRUs that were built against it in proposed)
- Assigned to ubuntu-security as they are driving the libseccomp update
We need to understand it more to then re-triage severity and potential actions.