IPA modules are not resigned after dh_strip

Bug #2012745 reported by Dylan Aïssi
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libcamera (Debian)
Fix Released
libcamera (Ubuntu)
Fix Released

Bug Description

[ Reason ]
Open source IPA (Image Processing Algorithms) modules are signed at build time allowing them to be trusted. However, IPA binaries are modified by dh_strip invalidating the signatures. Thus IPA modules provided in the package are not trusted anymore and need to be re-signed after the dh_strip step. This fix is applied in 0.0.4-3.

[ Impact ]
Not resigning IPA modules will make them untrusted, they will be isolated inside a Sandbox environment with restricted access to the system (like any closed-source module). Provided IPA modules won't work as expected.

[ Risks ]
The risk is low since we only regenerate signatures after dh_strip, i.e. /usr/lib/*/libcamera/ipa_.so.sign files.

Tags: patch
Dylan Aïssi (daissi)
Changed in libcamera (Ubuntu):
status: New → Confirmed
milestone: none → ubuntu-23.04
Revision history for this message
Dylan Aïssi (daissi) wrote :

Attached a debdiff

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "libcamera_0.0.4-3ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Jeremy Bícha (jbicha) wrote :

Thank you for helping to make Ubuntu better!

I adjusted the debian/changelog a little and uploaded. I have unsubscribed ubuntu-sponsors. Feel free to resubscribe if you have something else that needs to be sponsored.

Changed in libcamera (Ubuntu):
status: Confirmed → Fix Committed
Changed in libcamera (Debian):
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libcamera - 0.0.4-3ubuntu1

libcamera (0.0.4-3ubuntu1) lunar; urgency=medium

  * Resynchronize on Debian (LP: #2012745), remaining changes:
    - debian/control:
      + don't use liblttng-ust-dev on i386
    - debian/tests/control:
      + use the upstream tests as autopkgtests
    - Fix static order init problems when building under LTO (LP: #2009824)

libcamera (0.0.4-3) experimental; urgency=medium

  [ George Kiagiadakis ]
  * Add rule to re-sign the IPA modules after dh_strip

  [ Andrej Shadura ]
  * Use the DEB_HOST_GNU_TYPE for the build directory

 -- Dylan Aïssi <email address hidden> Fri, 24 Mar 2023 16:48:02 +0100

Changed in libcamera (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.