Known vulnerability in Mint Mate "Live" installer

fossilised
Level 1
Posts: 2
Joined: Tue Nov 28, 2023 10:52 am

Known vulnerability in Mint Mate "Live" installer

Post by fossilised »

Version information for versions I have installed or have media to install, I don't actually need any help. I suppose this is feedback prior to divorce.
ubiquity 22.04.16+mint11 cdrom://Linux Mint 21.2 _Victoria_ - Release amd64 20230711

I have Linux Mint installed on 2 PCs and at some point approx 12 hours after installing Victoria 21.2, my machine crashed, not sure why, not terribly surprising. I can't log in at the moment and will probably reinstall something to fix it. I'm using a "live" usb VERSION="21 (Vanessa)" at the moment (also infected) to recover logs, other files and to write this. While reading the install logs for clues, and not for the first time, I noticed this, sample copied and pasted from install log or syslog. Journalctl provided a lot of information immediately after crash but that is currently not available as I've been locked out:
Output copied from syslog while running on "live usb-cdrom" correct date not set: downloaded mirror AARNet 18/12/23

Dec 18 20:08:00 mint dbus-daemon[1526]: dbus[1526]: Unknown username "whoopsie" in message bus configuration file.
From stable installations syslog, same output on dmesg:
Dec 19 07:13:28 viki dbus-daemon[831]: Unknown username "whoopsie" in message bus configuration file.
Dec 19 07:13:28 viki dbus-daemon[831]: Unknown group "power" in message bus configuration file.
Many more references to this in syslog, dmesg, journalctl etc. among copious output of gtk-xxx is deprecated.

I can see that an updated whoopsie version 0.2.77, 23 jammy is available in the Mint repository but not marked as installed on my machines and still error messaging on the one I have that is still running and present on this machine with the ISO I downloaded on 18/12/2023.
There is no argument that unknown users and/or groups are vulnerabilities and can contribute to instability, considering that it is supposed to be a crash reporting utility "isn't it ironic".
This bug was also present on a previously installed version Mint Mate Victoria 21.2 that I had. The only thread about this vulnerability in the forum here had been closed when I was looking for information about 6 months ago. (nothing to see here).
On the Ubuntu forums they are taking the issue more seriously. Published on 9 July 2019, copied from https://ubuntu.com/security/CVE-2019-11476

An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2.62ubuntu0.1, 0.2.64ubuntu0.1, 0.2.66, results in an out-of-bounds write to a heap allocated buffer when processing large crash dumps. This results in a crash or possible code-execution in the context of the whoopsie process.

CVSS 3 severity score 7.8; this is a "high" score.

My question or 3 questions are:
Why can files classed as malicious with ambiguous version information still be downloaded hidden inside distributions from Mint's repositories and mirrors?
Why hasn't it been patched or updated?
Why weren't we better informed?

I do know that I gave no specified "informed consent" for any application with Trojan-like behavior, to gather any data from my computers and deliver it to a third party, illegal under Australian law, just ask Google.
I can't find any mention of which version of whoopsie is installed in Linux Mint distributions and no indication within synaptic or elsewhere, that it ever has been. That makes finding the installed files and uninstalling them time consuming and difficult.
Needed info may be available on Ubuntu forums, no useful information exists here.
I do like Mint Mate and have used it since changing over from Debian Stretch to Ulyana some time ago, using Vanessa for most of that time. Almost trouble free until upgrading to Victoria, now lots of deprecated gtk stuff filling logs and making it difficult to scrape useful information, same as Debian lol.
Another observation: When my system crashed all that was left on my desktop was a Calamares dot desktop Debian installer, that wasn't previously there. Twice happened immediately after critical system crashes. I'm not jumping to any conclusion yet whether either of these applications played any role in these crashes or whether it is coincidental, does seem fairly opportunistic (sus) to me.

In conclusion, first a big thank you to Optus for not providing NBN again and to Victoria or really more to Vanessa good while she lasted, a real alternative to microstuff, had some good times together and finally, just my opinion but Mate is Gnome and Gnome is depreciated.
AZgl1800
Level 20
Posts: 11185
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains

Re: Known vulnerability in Mint Mate "Live" installer

Post by AZgl1800 »

1st question.

Did you do a CRC checksum on the ISO?

If not, it might well be damaged.
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
Twin_P3aks
Level 1
Posts: 1
Joined: Thu Dec 28, 2023 5:17 pm

Re: Known vulnerability in Mint Mate "Live" installer

Post by Twin_P3aks »

SOLUTION: - see
https://gist.github.com/leaguecodeuk/a2 ... a5302a820d

Synopsis:
find dbus related conf files that contain 'whoopsie':
# locate dbus | xargs grep -s 'whoopsie'

edit: (vi or nano or..)
# vi /usr/share/dbus-1/system.d/org.freedesktop.NetworkManager.conf

Must delete the following lines (NOTE: NetworkManager will fail if you add 'comment' (#) symbols to the beginning of a line):
    <policy user="whoopsie">
            <allow send_destination="org.freedesktop.NetworkManager"/>
            <allow send_destination="org.freedesktop.NetworkManager"
                   send_interface="org.freedesktop.DBus.Introspectable"/>
            <allow send_destination="org.freedesktop.NetworkManager"
                   send_interface="org.freedesktop.DBus.Properties"/>
            <allow send_destination="org.freedesktop.NetworkManager"
                   send_interface="org.freedesktop.NetworkManager"/>
            <allow send_destination="org.freedesktop.NetworkManager"
                   send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
            <allow send_destination="org.freedesktop.NetworkManager"
                   send_interface="org.freedesktop.NetworkManager.Device"/>
    </policy>

NOTES: another, similar message in syslog:
"dbus-daemon[1603]: Unknown group "power" in message bus configuration file"
I suspect that creating the group "power" would resolve this.

Else, its origin can be similarly located:
# locate dbus | xargs grep -s power
(RESULT) /etc/dbus-1/system.d/org.freedesktop.thermald.conf: <policy group="power">
sylvain1_
Level 2
Posts: 97
Joined: Wed Jan 24, 2024 1:43 pm

Re: Known vulnerability in Mint Mate "Live" installer

Post by sylvain1_ »

Is this issue present in non-MATE versions?

The original poster asked several questions that have not been answered. Why is this appearing in Linux Mint ISO images when it was discovered long ago?
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: Known vulnerability in Mint Mate "Live" installer

Post by xenopeek »

This board has user support forums - for Linux Mint users to help each other with problems on or questions about Linux Mint. It is not an issue tracker or where one would disclose security vulnerabilities. The Suggestions & Feedback forum, which is in the Chat category, is for feedback. As noted in the forum rules, it is not for support questions. The Main Edition Support and Debian Edition Support forums are for that.

As for the original topic:
  1. whoopsie is not installed on Linux Mint 21.3 by default. AFAIK it's the same on earlier 21.x versions.
  2. whoopsie is not available from the Linux Mint repository: http://packages.linuxmint.com/search.ph ... d=whoopsie.
  3. If you would install whoopsie it comes from the Ubuntu 22.04 package base and has version 0.2.77 there. You can run apt policy whoopsie to confirm.
  4. The file /usr/share/dbus-1/system.d/org.freedesktop.NetworkManager.conf that has the configuration for whoopsie comes from the network-manager package which again comes from the Ubuntu 22.04 package base repository. dpkg -S org.freedesktop.NetworkManager.conf and apt policy network-manager to confirm.
  5. The dbus-daemon[1526]: dbus[1526]: Unknown username "whoopsie" in message bus configuration file. message is an info message, not a warning or error. Simply DBus reporting that a configuration file has a user/group that's not currently configured on the system, for troubleshooting. To confirm run journalctl -b -o json-full or journalctl -b -o verbose to show the full journal messages for the current boot, search for whoopsie and you can find the priority for this message is 6 (info).
  6. The Provide-access-to-some-of-NM-s-interfaces-to-whoopsie.patch.txt patch file in the network-manager source for Ubuntu 22.04 explains why the whoopsie configuration is here:

    From: Mathieu Trudel-Lapierre <email>
    Date: Thu, 12 May 2016 22:25:32 +0800
    Subject: Provide access to some of NM's interfaces to whoopsie.
    
    Whoopsie is the crash database reporting daemon. It needs access to some of
    the information NM keeps about devices to avoid sending data over the network
    when connected to 3G or other systems that are potentially billable.
    ---
     src/core/org.freedesktop.NetworkManager.conf | 13 +++++++++++++
     1 file changed, 13 insertions(+)
    
    diff --git a/src/core/org.freedesktop.NetworkManager.conf b/src/core/org.freedesktop.NetworkManager.conf
    index 5c2af2e..f56c7fb 100644
    --- a/src/core/org.freedesktop.NetworkManager.conf
    +++ b/src/core/org.freedesktop.NetworkManager.conf
    @@ -37,6 +37,19 @@
             <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
             <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
         </policy>
    +    <policy user="whoopsie">
    +            <allow send_destination="org.freedesktop.NetworkManager"/>
    +            <allow send_destination="org.freedesktop.NetworkManager"
    +                   send_interface="org.freedesktop.DBus.Introspectable"/>
    +            <allow send_destination="org.freedesktop.NetworkManager"
    +                   send_interface="org.freedesktop.DBus.Properties"/>
    +            <allow send_destination="org.freedesktop.NetworkManager"
    +                   send_interface="org.freedesktop.NetworkManager"/>
    +            <allow send_destination="org.freedesktop.NetworkManager"
    +                   send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
    +            <allow send_destination="org.freedesktop.NetworkManager"
    +                   send_interface="org.freedesktop.NetworkManager.Device"/>
    +    </policy>
         <policy context="default">
             <deny own="org.freedesktop.NetworkManager"/>
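
Review bot: The first rule in the added `<policy user="whoopsie">` block, `<allow send_destination="org.freedesktop.NetworkManager"/>`, has no `send_interface`, so it already matches every message to that destination and the five interface-scoped rules after it grant nothing further. The commit message says whoopsie needs only "some of the information NM keeps about devices", so either drop the unscoped rule or, if the wider grant is intended, drop the five redundant rules and say so in the commit message. The block also names a user that this file does nothing to guarantee exists; shipping the policy in a file installed together with whoopsie would keep it from being parsed on systems that have no such account.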
    
  7. A suggestion was made https://bugs.launchpad.net/ubuntu/+sour ... ug/1008213 to split out the whoopsie configuration from the network-manager file into its own file and install that with whoopsie, so the whoopsie configuration is only present when whoopsie is installed (but regardless of whether network-manager is actually installed…) and so this "Unknown username" info message isn't shown. It has not been implemented.
  8. whoopsie is installed by default on Ubuntu 22.04 but users can and do remove it. For example because they never want to send crash reports to Ubuntu. I'm not a security researcher so I can't say but if you know that removing whoopsie leads to a security issue in network-manager please report it responsibly to the Ubuntu Security team.
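
A check for the condition behind both log messages discussed in this thread, added here as an example and not code from any poster, Linux Mint or Ubuntu: it parses system bus policy files and lists every `<policy user=…>` or `<policy group=…>` whose account does not exist locally, with the number of allow rules attached to it. The function names and `SAMPLE_CONF` are constructed for illustration; the two directories are the ones named in the posts above.

```python
import grp
import pwd
import xml.etree.ElementTree as ET
from pathlib import Path

# The two system bus policy directories that appear in this thread.
POLICY_DIRS = ("/usr/share/dbus-1/system.d", "/etc/dbus-1/system.d")
# Constructed sample, shortened from the policy blocks quoted in the thread.
SAMPLE_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root"><allow own="org.freedesktop.NetworkManager"/></policy>
  <policy user="whoopsie">
    <allow send_destination="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager" send_interface="org.freedesktop.NetworkManager.Device"/>
  </policy>
  <policy group="power"><allow send_destination="org.freedesktop.thermald"/></policy>
  <policy context="default"><deny own="org.freedesktop.NetworkManager"/></policy>
</busconfig>"""

def policy_principals(xml_text):
    """Return (kind, name, allow_count) for each <policy user=...> / <policy group=...>."""
    found = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        for kind in ("user", "group"):
            name = policy.get(kind)
            if name is not None:
                found.append((kind, name, len(policy.findall("allow"))))
    return found

def unknown_principals(xml_text, users, groups):
    """Principals absent from the given account sets; numeric IDs are not checked."""
    known = {"user": users, "group": groups}
    return [p for p in policy_principals(xml_text)
            if p[1] not in known[p[0]] and not p[1].isdigit()]

def audit(dirs=POLICY_DIRS):
    """Scan the live system; yields (path, kind, name, allow_count)."""
    users = {u.pw_name for u in pwd.getpwall()}   # accounts enumerable via NSS
    groups = {g.gr_name for g in grp.getgrall()}
    for path in sorted(p for d in dirs for p in Path(d).glob("*.conf")):
        try:
            hits = unknown_principals(path.read_text(), users, groups)
        except (ET.ParseError, OSError, ValueError):
            continue  # unreadable or malformed file: skip it
        yield from ((str(path),) + hit for hit in hits)

if __name__ == "__main__":
    for row in audit():
        print("%s: %s %r is not an account on this system (%d allow rules)" % row)
```

Run without arguments on an installed system to get one line per policy block that refers to a missing account; `dpkg -S` on the reported path then shows which package ships it.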