Debian Bug report logs -
#313081
find -follow: infinite loop with symlinks to ./
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#313081; Package findutils.
(full text, mbox, link).
Acknowledgement sent to "Huang, Zhangrong" <hzhrong@gmail.com>:
New Bug report received and forwarded. Copy sent to Andreas Metzler <ametzler@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: findutils
Version: 4.2.20-2
Severity: normal
I set-up a local deb repository for myself, wrote a simple script to
generate the Packages file, say
$ cat update-here
dpkg-scanpackages . /dev/null > Packages
gzip -f Packages
Now I upgrade findutils to 4.2.20-2, when I run this script,
$ sh update-here
seems find is trying to eat up all of my memory and swap, then the system is
becoming not useable.
PS: dpkg-scanpackages comes from dpkg-dev.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-686
Locale: LANG=zh_CN.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8)
Versions of packages findutils depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#313081; Package findutils.
(full text, mbox, link).
Acknowledgement sent to Andreas Metzler <ametzler@debian.org>:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #10 received at 313081@bugs.debian.org (full text, mbox, reply):
On 2005-06-11 "Huang, Zhangrong" <hzhrong@gmail.com> wrote:
> Package: findutils
> Version: 4.2.20-2
> Severity: normal
> I set-up a local deb repository for myself, wrote a simple script to
> generate the Packages file, say
> $ cat update-here
> dpkg-scanpackages . /dev/null > Packages
> gzip -f Packages
> Now I upgrade findutils to 4.2.20-2, when I run this script,
> $ sh update-here
> seems find is trying to eat up all of my memory and swap, then the system is
> becoming not useable.
> PS: dpkg-scanpackages comes from dpkg-dev.
Hello,
can you find out what is eating up all your memory (with ps, top,
whatever)? dpkg-scanpackages will simply invoke
find ./ -follow -name '*.deb' -print
does this command trigger the strange behavior on your system?
BTW what filesystem are you using?
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
http://downhill.aus.cc/
Tags added: moreinfo
Request was from Andreas Metzler <ametzler@downhill.aus.cc>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#313081; Package findutils.
(full text, mbox, link).
Acknowledgement sent to "Huang, Zhangrong" <hzhrong@gmail.com>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>.
(full text, mbox, link).
Message #17 received at 313081@bugs.debian.org (full text, mbox, reply):
Hi,
I think I knew the reason now.
On 6/12/05, Andreas Metzler <ametzler@debian.org> wrote:
>
> Hello,
> can you find out what is eating up all your memory (with ps, top,
> whatever)? dpkg-scanpackages will simply invoke
>
> find ./ -follow -name '*.deb' -print
>
> does this command trigger the strange behavior on your system?
Yes, it is.
Forgot to show you the deb repository directory struct, there are some
dirs linked to ./,
$ pwd
/var/cache/apt-build/repository
$ ls -l dists
lrwxrwxrwx 1 root src 1 2004-06-03 00:54 dists -> .
$ ls -l main
lrwxrwxrwx 1 root src 1 2004-06-03 00:54 main -> .
$ ls -l stable
lrwxrwxrwx 1 root src 1 2004-06-03 00:54 stable -> .
Command
find ./ -name '*.deb' -print
works fine, but if I add the '-follow' parameter, it happens again.
So, It's a bug of find, if a directory contains a sub-directory linked to ./,
find ./ -follow will be going to infinite loop.
That's why find eat up all my memory.
Version 4.1.20-6 has no this problem, so I fallback to.
Could you please have a look at it?
Thanks.
>
> BTW what filesystem are you using?
> cu andreas
> --
>
Tags added: confirmed
Request was from Andreas Metzler <ametzler@downhill.aus.cc>
to control@bugs.debian.org.
(full text, mbox, link).
Tags removed: moreinfo
Request was from Andreas Metzler <ametzler@downhill.aus.cc>
to control@bugs.debian.org.
(full text, mbox, link).
Changed Bug title.
Request was from Andreas Metzler <ametzler@downhill.aus.cc>
to control@bugs.debian.org.
(full text, mbox, link).
Severity set to `serious'.
Request was from Andreas Metzler <ametzler@downhill.aus.cc>
to control@bugs.debian.org.
(full text, mbox, link).
Message sent on to "Huang, Zhangrong" <hzhrong@gmail.com>:
Bug#313081.
(full text, mbox, link).
Message #30 received at 313081-submitter@bugs.debian.org (full text, mbox, reply):
URL:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13381>
Summary: infinite loop with -follow.
Project: findutils
Submitted by: ametzler
Submitted on: Son 12.06.2005 um 17:17
Category: find
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: None
Fixed Release: None
_______________________________________________________
Details:
Hello,
this was found by Zhangrong Huang in http://bugs.debian.org/313081
mkdir testingfindagain
ln -s . testingfindagain/symlink
now
find testingfindagain -follow
will generate an endless loop. (For testing I suggest piping into head -c 200,
otherwise you might trigger OOM)
This was introduced between 4.2.18 and 4.2.19 (when changing find.c from r1.72
to r1.73). 4.2.x up to 4.2.18 will output this and exit:
find: Symbolic link `testingfindagain/symlink' is
part of a loop in the directory hierarchy; we have already visited the
directory to which it points.
testingfindagain
testingfindagain/symlink
cu andreas
_______________________________________________________
Carbon-Copy List:
CC Address | Comment
------------------------------------+-----------------------------
313081-submitter@bugs.debian.org | original bugsubmitter
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13381>
_______________________________________________
Nachricht geschickt von/durch Savannah
http://savannah.gnu.org/
Message sent on to "Huang, Zhangrong" <hzhrong@gmail.com>:
Bug#313081.
(full text, mbox, link).
Message #33 received at 313081-submitter@bugs.debian.org (full text, mbox, reply):
Update of bug #13381 (project findutils):
Severity: 3 - Normal => 6 - Security
Status: None => Fixed
Assigned to: None => jay
_______________________________________________________
Follow-up Comment #1:
NB: THIS BUG IS A SECURITY HOLE (denial of "updatedb" service by users,
possibly denial of service to security checks based on find). Please note the
list of affected versions of findutils.
The problem was introduced because safely_chdir() in find.c now sometimes
avoids needing to stat the destination directory, and so stat_buf was left
unpopulated. This problem is fixed by the attached patch, which has been
committed into the development code. The scope of the security problem
extends only to the indefinite loop, the problem does not result in users
being able to persuade find to process parts of the filesystem that should be
excluded.
Having said this, this bug only occurs if the "-L" option was used, which
normally should not be the case with any security checks - because they should
not follow symbolic links, in general.
The next release of findutils will include this fix. The NEWS file will
outline the severity of the problem.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13381>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
Message sent on to "Huang, Zhangrong" <hzhrong@gmail.com>:
Bug#313081.
(full text, mbox, link).
Message #36 received at 313081-submitter@bugs.debian.org (full text, mbox, reply):
Update of bug #13381 (project findutils):
Open/Closed: Open => Closed
Release: None => 4.2.19
Fixed Release: None => 4.2.22
_______________________________________________________
Follow-up Comment #2:
You can download a release of findutils in which this problem is
fixed from ftp://alpha.gnu.org/gnu/findutils.
The releases on alpha.gnu.org are for testing purposes, so please
take the time to download the release and verify that your
problem has been solved. Once the release has been sufficiently
tested, it can be uploaded to ftp.gnu.org for everybody to use it.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13381>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
Tags added: security
Request was from Don Armstrong <don@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to "Huang, Zhangrong" <hzhrong@gmail.com>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #43 received at 313081-close@bugs.debian.org (full text, mbox, reply):
Source: findutils
Source-Version: 4.2.22-1
We believe that the bug you reported is fixed in the latest version of
findutils, which is due to be installed in the Debian FTP archive:
findutils_4.2.22-1.diff.gz
to pool/main/f/findutils/findutils_4.2.22-1.diff.gz
findutils_4.2.22-1.dsc
to pool/main/f/findutils/findutils_4.2.22-1.dsc
findutils_4.2.22-1_i386.deb
to pool/main/f/findutils/findutils_4.2.22-1_i386.deb
findutils_4.2.22.orig.tar.gz
to pool/main/f/findutils/findutils_4.2.22.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 313081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated findutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 13 Jun 2005 19:39:46 +0200
Source: findutils
Binary: findutils
Architecture: source i386
Version: 4.2.22-1
Distribution: unstable
Urgency: low
Maintainer: Andreas Metzler <ametzler@debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
findutils - utilities for finding files--find, xargs, and locate
Closes: 208307 301934 311384 312760 312761 313081
Changes:
findutils (4.2.22-1) unstable; urgency=low
.
* New upstream version
- fixes infinite loop of "find -follow" on trees with symlinks to ./.
(Closes: #313081)
- better documentation for %k and %d printf directives. (Closes: #208307)
- find filters out non-printable characters (which could mess up the
terminal) when printing the output to a console. (Closes: #311384)
- Typo fixes. (Closes: #301934, #312760, #312761) (Thanks, A Costa.)
Files:
84b082128b8f4b109efed4749d7d322e 662 base required findutils_4.2.22-1.dsc
81ef043fbc9203f03225d0dc7f6cb2ec 972905 base required findutils_4.2.22.orig.tar.gz
8612990949c3c1e82ea102cf856059ab 12261 base required findutils_4.2.22-1.diff.gz
df01940ef18ccd6996366396b1b26b7b 304976 base required findutils_4.2.22-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCrdHJHTOcZYuNdmMRAoe1AJ43bqjSDvNOFYEWrqGFMxmoh/fdMgCeO46A
NvtVymuuVlQJXpfkZnHYAU4=
=T/Ar
-----END PGP SIGNATURE-----
Message sent on to "Huang, Zhangrong" <hzhrong@gmail.com>:
Bug#313081.
(full text, mbox, link).
Message #46 received at 313081-submitter@bugs.debian.org (full text, mbox, reply):
Follow-up Comment #3, bug #13381 (project findutils):
Followup - this isn't a denial of updatedb service because updatedb does not
use -follow or -L. However, the problem is significant from a security
perspective in other contexts.
Once again, -L should not be used in security-sensitive environments in any
case.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=13381>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
Tags added: fixed-upstream
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 18:20:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Dec 23 16:45:07 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.