Backport 6.0.108 to jammy

Bug #1983380 reported by Łukasz Zemczak
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
dotnet6 (Ubuntu)   Invalid        Undecided    Unassigned
  Jammy            Fix Released   High         Unassigned

Bug Description

[Impact]

We want to do an initial bootstrapping of the dotnet6 packages for jammy. It is beneficial for our latest LTS users to have access to the latest .NET stack, so the .NET team is working with the security and SRU teams on getting latest versions backported to 22.04. The initial bootstrapping is always a bit complicated, so we want to start off by doing a backport of 6.0.107 using the bootstrapping PPA. Later uploads will not require such special setup.

We did the 6.0.107 bootstrap and it looked fine, so now re-using the same bug we want to update to 6.0.108. So the initial upload to jammy-updates will be 108.

The .NET, security and SRU teams will cooperate on creating a SRU exception for these packages, with special rules tailored towards the needs of this project - with an extensive test story and steps necessary for the SRU to proceed.

[Test Case]

As this is the initial bootstrapping, we want the package to build successfully in jammy-proposed (potentially using the bootstrap archive). The packages should be installable on jammy and some basic dogfooding testing should be performed:

#0. Install dotnet: apt install dotnet6

#0.1. Check installation: dpkg -l | grep 'NET\|asp'

#1. Basic check commands: dotnet --info, dotnet --version, dotnet sdk check

      $ dotnet --info

      #Expected output is:
      # .NET SDK (reflecting any global.json):
      # Version: 6.0.107
      # Commit: bc11e04aea
      #
      # Runtime Environment:
      # OS Name: ubuntu
      # OS Version: 22.04
      # OS Platform: Linux
      # RID: ubuntu.22.04-x64
      # Base Path: /usr/lib/dotnet/dotnet6-6.0.107/sdk/6.0.107/
      #
      # global.json file:
      # Not found
      #
      # Host:
      # Version: 6.0.7
      # Architecture: x64
      # Commit: 0ec02c8c96
      #
      # .NET SDKs installed:
      # 6.0.107 [/usr/lib/dotnet/dotnet6-6.0.107/sdk]
      #
      # .NET runtimes installed:
      # Microsoft.AspNetCore.App 6.0.7 [/usr/lib/dotnet/dotnet6-6.0.107/shared/Microsoft.AspNetCore.App]
      # Microsoft.NETCore.App 6.0.7 [/usr/lib/dotnet/dotnet6-6.0.107/shared/Microsoft.NETCore.App]

      $ dotnet --version

      #Expected output is:
      # 6.0.107

      $ dotnet sdk check

      # Expected output is:
      # .NET SDKs:
      # Version Status
      # ------------------------
      # 6.0.107 Up to date.
      #
      # Try out the newest .NET SDK features with .NET 7.0.100-preview.6.22352.1.
      #
      # .NET Runtimes:
      # Name Version Status
      # ------------------------------------------------------
      # Microsoft.AspNetCore.App 6.0.7 Up to date.
      # Microsoft.NETCore.App 6.0.7 Up to date.

#2. Checking console, solution and project commands

#2.1. Creating console: dotnet new console

        $ dotnet new console --name Testing

        #Expected output is :
        # The template "Console App" was created successfully.

        # Processing post-creation actions...
        # Running 'dotnet restore' on /root/Testing/Testing.csproj...
        # Determining projects to restore...
        # Restored /root/Testing/Testing.csproj (in 88 ms).
        # Restore succeeded.

        $ cd Testing/

#2.2. Creating solution: dotnet new sln

        $ dotnet new sln

        #Expected output is:
        # The template "Solution File" was created successfully.

#2.3. Adding project to the solution: dotnet sln <sln_file> add <csproj_file>

        $ dotnet sln Testing.sln add Testing.csproj

        #Expected output is:
        # Project `Testing.csproj` added to the solution.

#2.4. Building solution: dotnet build <sln_file>

        $ dotnet build Testing.sln

        #Expected output is:
        # Microsoft (R) Build Engine version 17.0.0+c9eb9dd64 for .NET
        # Copyright (C) Microsoft Corporation. All rights reserved.
        #
        # Determining projects to restore...
        # All projects are up-to-date for restore.
        # Testing -> /root/Testing/bin/Debug/net6.0/Testing.dll
        #
        # Build succeeded.
        # 0 Warning(s)
        # 0 Error(s)

#2.5. Running solution: bin/Debug/net6.0/<sln_name>

        $ bin/Debug/net6.0/Testing

        #Expected output is:
        # Hello, World!

#2.6. Project that uses a NuGet package: dotnet add <csproj_file> package <nuget_package>

        #Changing Program.Cs

        $ cat <<EOF >Program.cs
          using System;
          using System.Collections.Generic;
          using System.Linq;
          using System.Text;
          using System.Threading.Tasks;
          using Google.Apis;

          namespace TestProject
          {
          class Program
          {
          static void Main(string[] args)
          {
          Stack<int> myStack = new Stack<int>();
          var th = new Thread(()=>WaitAndPrint(myStack));
          th.Start();
          Console.WriteLine("Me first!");
          myStack.Push(1);
          Console.WriteLine("Finished tasks: {0}", myStack.Count);
          Thread.Sleep(1000);
          Console.WriteLine("Finished tasks: {0}", myStack.Count);
          }

          private static void WaitAndPrint(Stack<int> myStack){
                  Thread.Sleep(1000);
                  Console.WriteLine("Me second!");
                  myStack.Push(2);
          }
          }

          }

          EOF

        $ dotnet add Testing.csproj package Google.Apis

        #Expected output is:
        # Determining projects to restore...
        # Writing /tmp/tmp6RP8i6.tmp
        #info : Adding PackageReference for package 'Google.Apis' into project 'Testing.csproj'.
        #info : GET https://api.nuget.org/v3/registration5-gz-semver2/google.apis/index.json
        #info : OK https://api.nuget.org/v3/registration5-gz-semver2/google.apis/index.json 221ms
        #info : Restoring packages for /root/Testing/Testing.csproj...
        #info : Package 'Google.Apis' is compatible with all the specified frameworks in project 'Testing.csproj'.
        #info : PackageReference for package 'Google.Apis' version '1.57.0' added to file '/root/Testing/Testing.csproj'.
        #info : Committing restore...
        #info : Writing assets file to disk. Path: /root/Testing/obj/project.assets.json
        #log : Restored /root/Testing/Testing.csproj (in 94 ms).

#2.7. Running project

        $ dotnet run

        #Expected output is:
        # Me first!
        # Finished tasks: 1
        # Me second!
        # Finished tasks: 2

#2.8. Removing nuget package

        $ dotnet remove Testing.csproj package Google.Apis

        #Expected output is:
        # info : Removing PackageReference for package 'Google.Apis' from project 'Testing.csproj'.

        #Checking removing is OK:

        $ dotnet run

        #Expected output is:
        # /root/Testing/Program.cs(7,7): error CS0246: The type or namespace name 'Google' could not be found (are you missing a using directive or an assembly
        # reference?) [/root/Testing/Testing.csproj]
        #
        # The build failed. Fix the build errors and run again.

[Regression Potential]

No regression potential as these packages do not exist and/or do not replace any existing packages in 22.04. Proper regression potential mitigation will be in place for the next uploads.
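
Step #1 of the test case compares `dotnet --info` output by eye. The following added example (not part of the original bug report or of Ubuntu's SRU tooling) automates that comparison and also confirms that every SDK and runtime path sits under `/usr/lib/dotnet/`, the packaged location shown in the expected output. `check_dotnet_info` and `sample_info` are hypothetical names, and the sample input is an abridged copy of the expected output quoted above.

```shell
# Added example, not Ubuntu or .NET tooling; check_dotnet_info is a hypothetical name.
# usage: dotnet --info | check_dotnet_info <expected_sdk> <expected_runtime>
# Prints one FAIL line per mismatch; returns non-zero if any check fails.
check_dotnet_info() {
    awk -v sdk="$1" -v rt="$2" -v root="/usr/lib/dotnet/" '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        # Section headers: remember which block the following lines belong to.
        /\.NET SDK \(reflecting/    { sec = "sdk"; next }
        /Runtime Environment:/      { sec = "env"; next }
        /^[ \t]*Host/               { sec = "host"; next }
        /\.NET SDKs installed:/     { sec = "sdks"; next }
        /\.NET runtimes installed:/ { sec = "rts"; next }
        sec == "sdk"  && $1 == "Version:" { got_sdk = $2 }
        sec == "host" && $1 == "Version:" { got_host = $2 }
        # The SDK must be loaded from the packaged tree, not a user-local copy.
        sec == "env" && $1 == "Base" && index($3, root) != 1 { fail("base path " $3) }
        sec == "sdks" && NF >= 2 && index($2, "[" root) != 1 { fail("SDK path " $2) }
        sec == "rts" && NF >= 3 {
            n++
            if ($2 != rt) fail($1 " is " $2 ", expected " rt)
            if (index($3, "[" root) != 1) fail("runtime path " $3)
        }
        END {
            if (got_sdk != sdk) fail("SDK is " got_sdk ", expected " sdk)
            if (got_host != rt) fail("host is " got_host ", expected " rt)
            if (n == 0) fail("no runtimes listed")
            exit bad + 0
        }'
}

# Sample input: abridged from the expected output in the test case (6.0.107 bootstrap).
sample_info() {
    cat <<'EOF'
.NET SDK (reflecting any global.json):
 Version: 6.0.107
Runtime Environment:
 Base Path: /usr/lib/dotnet/dotnet6-6.0.107/sdk/6.0.107/
Host:
 Version: 6.0.7
.NET SDKs installed:
  6.0.107 [/usr/lib/dotnet/dotnet6-6.0.107/sdk]
.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.7 [/usr/lib/dotnet/dotnet6-6.0.107/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.7 [/usr/lib/dotnet/dotnet6-6.0.107/shared/Microsoft.NETCore.App]
EOF
}

sample_info | check_dotnet_info 6.0.107 6.0.7 && echo "6.0.107 install verified"
```

Run against a live system with the versions of the upload under verification as arguments; a leftover older runtime or an SDK resolved from outside the packaged tree shows up as a FAIL line.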

CVE References

Changed in dotnet6 (Ubuntu Jammy):
status: New → Triaged
importance: Undecided → High
Changed in dotnet6 (Ubuntu):
status: New → Invalid
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Łukasz, or anyone else affected,

Accepted dotnet6 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dotnet6/6.0.107-0ubuntu2~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in dotnet6 (Ubuntu Jammy):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-jammy
Miriam España Acebal (mirespace) wrote : Re: Backport 6.0.107 to jammy

Checked the test steps on Jammy... all OK.

Thanks to Jesús Soto for the sln and package tests.

description: updated
tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Łukasz Zemczak (sil2100) wrote :

Repurposed this bug for 108!

summary: - Backport 6.0.107 to jammy
+ Backport 6.0.108 to jammy
description: updated
description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Łukasz, or anyone else affected,

Accepted dotnet6 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dotnet6/6.0.108-0ubuntu1~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-jammy
removed: verification-done verification-done-jammy
Miriam España Acebal (mirespace) wrote :

Verification done... all OK:

#0. Installation:

root@Jdotnet1983380:~# apt install dotnet6
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  aspnetcore-runtime-6.0 aspnetcore-targeting-pack-6.0 dotnet-apphost-pack-6.0 dotnet-host dotnet-hostfxr-6.0 dotnet-runtime-6.0
  dotnet-sdk-6.0 dotnet-targeting-pack-6.0 dotnet-templates-6.0 liblttng-ust-common1 liblttng-ust-ctl5 liblttng-ust1 libunwind-13
  netstandard-targeting-pack-2.1
The following NEW packages will be installed:
  aspnetcore-runtime-6.0 aspnetcore-targeting-pack-6.0 dotnet-apphost-pack-6.0 dotnet-host dotnet-hostfxr-6.0 dotnet-runtime-6.0
  dotnet-sdk-6.0 dotnet-targeting-pack-6.0 dotnet-templates-6.0 dotnet6 liblttng-ust-common1 liblttng-ust-ctl5 liblttng-ust1 libunwind-13
  netstandard-targeting-pack-2.1
0 upgraded, 15 newly installed, 0 to remove and 1 not upgraded.
Need to get 124 MB of archives.
After this operation, 454 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-host amd64 6.0.108-0ubuntu1~22.04.1 [156 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-hostfxr-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [154 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 libunwind-13 amd64 1:13.0.1-2ubuntu2 [20.8 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy/main amd64 liblttng-ust-common1 amd64 2.13.1-1ubuntu1 [27.1 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy/main amd64 liblttng-ust-ctl5 amd64 2.13.1-1ubuntu1 [77.9 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy/main amd64 liblttng-ust1 amd64 2.13.1-1ubuntu1 [190 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-runtime-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [23.7 MB]
Get:8 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 aspnetcore-runtime-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [8090 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 aspnetcore-targeting-pack-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [1445 kB]
Get:10 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-apphost-pack-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [3735 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-targeting-pack-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [2238 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-templates-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [2545 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 netstandard-targeting-pack-2.1 amd64 6.0.108-0ubuntu1~22.04.1 [1399 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet-sdk-6.0 amd64 6.0.108-0ubuntu1~22.04.1 [80.2 MB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-proposed/universe amd64 dotnet6 amd64 6.0.108-0ubuntu1~22.04.1 [20.5 kB]
Fetched 124 MB in 10s (11.9 MB/s)
Selecting previously unselected package dotnet-host.
(Reading database ... 33911 files and dir...

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Łukasz Zemczak (sil2100) wrote :

Thank you for the verification, Miriam! As this is the first jammy-updates upload + a security fix, I'll be releasing it without any aging (and we'll craft a minor-release exception for this package shortly anyway).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet6 - 6.0.108-0ubuntu1~22.04.1

---------------
dotnet6 (6.0.108-0ubuntu1~22.04.1) jammy; urgency=medium

  * Backport to jammy (LP: #1983380).
  * New upstream release.
  * SECURITY UPDATE
    - CVE-2022-34716: External Entity Injection during XML signature
      verification

dotnet6 (6.0.107-0ubuntu2~22.04.1) jammy; urgency=medium

  * Backport 6.0.107 to jammy (LP: #1983380).
  * d/control: for jammy, tweak the libicu dependency of dotnet-runtime-6.0
    to libicu70.

dotnet6 (6.0.107-0ubuntu2) kinetic; urgency=medium

  * d/copyright: Removing references to licenses for excluded
    libunwind vendorized code.
  * d/dotnet-host.bash-completion.in: Fixed path.
  * d/s/lintian-overrides: Fixing new format for lintian output.
    Added some new overrides for code shipped in the new tarball.

  [ Jesús Soto ]
  * d/copyright: Added vendorized libunwind code to Files-Excludes.

 -- Miriam España Acebal <email address hidden> Thu, 04 Aug 2022 11:08:25 +0200

Changed in dotnet6 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for dotnet6 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Miriam España Acebal (mirespace) wrote :

Thanks Łukasz!!
