This bug was fixed in the package apt - 2.8.3
---------------
apt (2.8.3) noble; urgency=medium
* Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
- Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
- Revert "Only warn about <rsa2048 when upgrading from 2.7.x to 2.8.x"
- Revert rsa1024 to warnings again
This leaves the mechanisms in place and no longer warns about NIST curves.
* Fix keeping back removals of obsolete packages; and return an error if
ResolveByKeep() is unsuccessful (LP: #2078720)
* Fix buffer overflow, stack overflow, exponential complexity in
apt-ftparchive Contents generation (LP: #2083697)
- ftparchive: Mystrdup: Add safety check and bump buffer size
- ftparchive: contents: Avoid exponential complexity and overflows
- test framework: Improve valgrind support
- test: Check that apt-ftparchive handles deep paths
- Workaround valgrind "invalid read" in ExtractTar::Go by moving large
buffer from stack to heap. The large buffer triggered some bugs in
valgrind stack clash protection handling.
apt (2.8.2) noble; urgency=medium
* Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment
(follow-up for LP: #2073126)
apt (2.8.1) noble; urgency=medium
* Only revoke weak RSA keys for now, add 'next' and 'future' levels
(backported from 2.9.7)
Note that the changes to warn about keys not matching the future level
in the --audit level are not fully included, as the --audit feature
has not yet been backported. (LP: #2073126)
* Introduce further mitigation on upgrades from 2.7.x to allow these
systems to continue using rsa1024 repositories with warnings
until the 24.04.2 point release (LP: #2073126)
apt (2.8.0) noble; urgency=medium
[ Julian Andres Klode ]
* Revert "Temporarily downgrade key assertions to "soon worthless""
We temporarily downgraded the errors to warnings to give the
launchpad PPAs time to be fixed, but warnings are not safe:
Untrusted keys could be hiding on your system, but just not
used at the moment. Hence revert this so we get the errors we
want. (LP: #2060721)
* Branch off the stable 2.8.y branch for noble:
- CI: Test in ubuntu:noble images for 2.8.y
- debian/gbp.conf: Point at the 2.8.y branch
[ David Kalnischkies ]
* Test suite fixes:
- Avoid subshell hiding failure report from testfilestats
- Ignore umask of leftover diff_Index in failed pdiff test
* Documentation translation fixes:
- Fix and unfuzzy previous VCG/Graphviz URI change
-- Julian Andres Klode <juli...@ubuntu.com> Tue, 22 Oct 2024 15:02:22
+0200
** Changed in: apt (Ubuntu Noble)
Status: Fix Committed => Fix Released
** Changed in: apt (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2083697
Title:
distribution-gpg-keys-copr crashes Launchpad/apt-ftparchive
Status in apt package in Ubuntu:
Fix Released
Status in distribution-gpg-keys package in Ubuntu:
Fix Released
Status in apt source package in Focal:
Fix Released
Status in apt source package in Jammy:
Fix Released
Status in apt source package in Noble:
Fix Released
Status in apt source package in Oracular:
Fix Released
Status in distribution-gpg-keys source package in Oracular:
Fix Released
Bug description:
[Impact]
apt-ftparchive used a custom tree data structure and statically sized
buffers, causing
1. buffer overflows in the statically sized buffers
2. exponential complexity on insertion as the per-directory binary trees were
unbalanced (and debs are sorted, so they _always_ cause exponential complexity,
building a linked list), causing contents generation to take hours instead of
seconds.
3. stack overflow by recursion when trying to generate Contents for oracular
with distribution-gpg-keys-copr included (as we are recursing the tree on the
stack, we were over 30k stack frames deep at a cursory check of
distribution-gpg-keys-copr alone).
This can lead to crashes and hence denial of service in apt-ftparchive
when generating Contents files. The denial of service is not of
significant concern, as it only affects a single repository and owners
of repositories must have reasonable trust in the packages in said
repositories, otherwise they would not be accepting them and plan to
offer them to clients. An easier and more worthwhile denial of service
can be achieved using zip bombs, that is, compressing multiple TBs of
zeroes inside the deb, leading apt-ftparchive to spend hours in the
Contents generation decompressing and ignoring the file data at
probably 100% CPU usage.
This does not affect the apt library, nor does it affect other bits of
apt-ftparchive outside the contents generation.
Hence we see the value of this mainly in functional terms, both making
it significant faster and able to work with many files in the same
directory, or deep file paths, in the first place.
[Test Plan]
The autopkgtests should prevent any regressions. We have added additional
checks for apt-ftparchive contents, checking deep directories and directories
with many files with valgrind. These also in particular check the correctness
of the output of the Contents file generation.
The directory with many files did not cause a crash previously
locally, it's unclear how to exactly reproduce the launchpad side; it
probably needs the exact same set of debs as the Ubuntu archive.
[Where problems could occur]
We have rewritten the Contents file generation, removing the broken custom
search tree in favor of a simple std::set of (path, package) pairs (where paths
and packages are allocated in larger blocks for memory efficiency).
One notable change in behavior is that the list of packages is now
sorted. It should be considered a bug that the list of packages was
not ordered before, but it is a change in behavior.
[Other information]
Be advised that this is hard to review as a diff, given that it removes the
old
implementation and adds the new one but keeps the function names.
Particularly GenContents::Print() diff is sadly broken up into multiple chunks.
It may be more suitable to just look at the new GenContents::Print() instead.
We have increased the size of the memory pools from 40960 byte to 4
MiB and added an abort() if we were to run out of memory there, so
there still is a limit for path and package names, we do not
anticipate reaching that though.
A simple change to apt-pkg/pkgcachegen.cc is included to pacify
valgrind as needed for the stronger valgrind testing integration that
is used to verify no buffer overflows in the test-apt-ftparchive-
corner-cases test, as otherwise the other test using valgrind would
fail.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2083697/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
