Hello Julian, or anyone else affected, Accepted apt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.8.3 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-noble. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: apt (Ubuntu Noble) Status: New => Fix Committed ** Tags added: verification-needed-noble -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/2083697 Title: distribution-gpg-keys-copr crashes Launchpad/apt-ftparchive Status in apt package in Ubuntu: Fix Released Status in distribution-gpg-keys package in Ubuntu: Fix Released Status in apt source package in Focal: Fix Committed Status in apt source package in Jammy: Fix Committed Status in apt source package in Noble: Fix Committed Status in apt source package in Oracular: Fix Committed Status in distribution-gpg-keys source package in Oracular: Fix Released Bug description: [Impact] apt-ftparchive used a custom tree data structure and statically sized buffers, causing 1. buffer overflows in the statically sized buffers 2. exponential complexity on insertion as the per-directory binary trees were unbalanced (and debs are sorted, so they _always_ cause exponential complexity, building a linked list), causing contents generation to take hours instead of seconds. 3. stack overflow by recursion when trying to generate Contents for oracular with distribution-gpg-keys-copr included (as we are recursing the tree on the stack, we were over 30k stack frames deep at a cursory check of distribution-gpg-keys-copr alone). This can lead to crashes and hence denial of service in apt-ftparchive when generating Contents files. The denial of service is not of significant concern, as it only affects a single repository and owners of repositories must have reasonable trust in the packages in said repositories, otherwise they would not be accepting them and plan to offer them to clients. An easier and more worthwhile denial of service can be achieved using zip bombs, that is, compressing multiple TBs of zeroes inside the deb, leading apt-ftparchive to spend hours in the Contents generation decompressing and ignoring the file data at probably 100% CPU usage. This does not affect the apt library, nor does it affect other bits of apt-ftparchive outside the contents generation. Hence we see the value of this mainly in functional terms, both making it significant faster and able to work with many files in the same directory, or deep file paths, in the first place. [Test Plan] The autopkgtests should prevent any regressions. We have added additional checks for apt-ftparchive contents, checking deep directories and directories with many files with valgrind. These also in particular check the correctness of the output of the Contents file generation. The directory with many files did not cause a crash previously locally, it's unclear how to exactly reproduce the launchpad side; it probably needs the exact same set of debs as the Ubuntu archive. [Where problems could occur] We have rewritten the Contents file generation, removing the broken custom search tree in favor of a simple std::set of (path, package) pairs (where paths and packages are allocated in larger blocks for memory efficiency). One notable change in behavior is that the list of packages is now sorted. It should be considered a bug that the list of packages was not ordered before, but it is a change in behavior. [Other information] Be advised that this is hard to review as a diff, given that it removes the old implementation and adds the new one but keeps the function names. Particularly GenContents::Print() diff is sadly broken up into multiple chunks. It may be more suitable to just look at the new GenContents::Print() instead. We have increased the size of the memory pools from 40960 byte to 4 MiB and added an abort() if we were to run out of memory there, so there still is a limit for path and package names, we do not anticipate reaching that though. A simple change to apt-pkg/pkgcachegen.cc is included to pacify valgrind as needed for the stronger valgrind testing integration that is used to verify no buffer overflows in the test-apt-ftparchive- corner-cases test, as otherwise the other test using valgrind would fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2083697/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
