Debian Bug report logs - #778375
apt-transport-https: segfaults
Reported by: Kurt Roeckx <kurt@roeckx.be>
Date: Sat, 14 Feb 2015 09:48:01 UTC
Severity: serious
Tags: patch
Found in version apt/1.0.9.6
Fixed in version apt/1.0.9.7
Done: Michael Vogt <mvo@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Sat, 14 Feb 2015 09:48:06 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>.
(Sat, 14 Feb 2015 09:48:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: apt-transport-https
Version: 1.0.9.6
Severity: serious
Hi,
When I try to download something over https apt just segfaults:
https[7809]: segfault at 69 ip 00007f523b8cbb03 sp 00007fff432589e0 error 4 in https[7f523b8c0000+12000]
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Sun, 15 Feb 2015 20:21:04 GMT)
Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Sun, 15 Feb 2015 20:21:04 GMT)
Message #10 received at 778375@bugs.debian.org:
On 14/02/15 10:44, Kurt Roeckx wrote:
> Package: apt-transport-https
> Version: 1.0.9.6
> Severity: serious
>
> Hi,
>
> When I try to download something over https apt just segfaults:
> https[7809]: segfault at 69 ip 00007f523b8cbb03 sp 00007fff432589e0 error 4 in https[7f523b8c0000+12000]
>
>
> Kurt
>
Hi Kurt,
I cannot reproduce it:
$ LC_ALL=C sudo apt-get install cowsay
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
cowsay
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 20.0 kB of archives.
After this operation, 92.2 kB of additional disk space will be used.
Get:1 https://ftp-stud.hs-esslingen.de/debian/ testing/main cowsay all 3.03+dfsg1-10 [20.0 kB]
Fetched 20.0 kB in 0s (65.9 kB/s)
[... other standard things ...]
Cheers,
Tomasz
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Sun, 15 Feb 2015 20:27:05 GMT)
Acknowledgement sent to Julian Andres Klode <jak@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Sun, 15 Feb 2015 20:27:05 GMT)
Message #15 received at 778375@bugs.debian.org:
Control: tag -1 unreproducible
On Sun, Feb 15, 2015 at 09:19:29PM +0100, Tomasz Buchert wrote:
> On 14/02/15 10:44, Kurt Roeckx wrote:
> > Package: apt-transport-https
> > Version: 1.0.9.6
> > Severity: serious
> >
> > Hi,
> >
> > When I try to download something over https apt just segfaults:
> > https[7809]: segfault at 69 ip 00007f523b8cbb03 sp 00007fff432589e0 error 4 in https[7f523b8c0000+12000]
> >
> >
> > Kurt
> >
>
> Hi Kurt,
> I cannot reproduce it:
>
> $ LC_ALL=C sudo apt-get install cowsay
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following NEW packages will be installed:
> cowsay
> 0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
> Need to get 20.0 kB of archives.
> After this operation, 92.2 kB of additional disk space will be used.
> Get:1 https://ftp-stud.hs-esslingen.de/debian/ testing/main cowsay all 3.03+dfsg1-10 [20.0 kB]
> Fetched 20.0 kB in 0s (65.9 kB/s)
> [... other standard things ...]
Me neither (before and after a complete dist-upgrade today).
Kurt: Are you up-to-date and could you recompile APT with debugging options
and run that to get a backtrace?
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
- If you don't I might ignore you.
Added tag(s) unreproducible.
Request was from Julian Andres Klode <jak@debian.org> to 778375-submit@bugs.debian.org.
(Sun, 15 Feb 2015 20:27:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Sun, 15 Feb 2015 21:27:05 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Sun, 15 Feb 2015 21:27:05 GMT)
Message #22 received at 778375@bugs.debian.org:
On Sun, Feb 15, 2015 at 09:19:29PM +0100, Tomasz Buchert wrote:
> On 14/02/15 10:44, Kurt Roeckx wrote:
> > Package: apt-transport-https
> > Version: 1.0.9.6
> > Severity: serious
> >
> > Hi,
> >
> > When I try to download something over https apt just segfaults:
> > https[7809]: segfault at 69 ip 00007f523b8cbb03 sp 00007fff432589e0 error 4 in https[7f523b8c0000+12000]
> >
> >
> > Kurt
> >
>
> Hi Kurt,
> I cannot reproduce it:
Can you try adding this to your sources.list?
deb https://dl.bintray.com/sbt/debian /
And then apt-get install -d sbt
Kurt
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Sun, 15 Feb 2015 22:21:04 GMT)
Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Sun, 15 Feb 2015 22:21:04 GMT)
Message #27 received at 778375@bugs.debian.org:
On 15/02/15 22:22, Kurt Roeckx wrote:
> [...]
>
> Can you try adding this to your sources.list?
> deb https://dl.bintray.com/sbt/debian /
>
> And then apt-get install -d sbt
>
>
> Kurt
>
Okay, I get a segfault too now:
[ 153.995036] https[2667]: segfault at 69 ip 00007f41539d7b03 sp 00007fffa171dbb0 error 4 in https[7f41539cc000+12000]
Tomasz
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Sun, 15 Feb 2015 22:57:16 GMT)
Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Sun, 15 Feb 2015 22:57:16 GMT)
Message #32 received at 778375@bugs.debian.org:
On 15/02/15 23:16, Tomasz Buchert wrote:
> [...]
>
> Okay, I get a segfault too now:
> [ 153.995036] https[2667]: segfault at 69 ip 00007f41539d7b03 sp 00007fffa171dbb0 error 4 in https[7f41539cc000+12000]
>
> Tomasz
>
Hi again,
I've recompiled apt-transport-https with debugging symbols and
derandomized positions of code sections (via echo 0 | sudo tee
/proc/sys/kernel/randomize_va_space). I got this:
[ 510.536222] https[2990]: segfault at 69 ip 000055555555fb03 sp 00007fffffffdbf0 error 4 in https[555555554000+12000]
and then, via gdb:
(gdb) list *0x000055555555fb03
0x55555555fb03 is in ServerState::HeaderLine(std::string) (/tmp/apt-1.0.9.6/methods/server.cc:120).
115 // Parse off any trailing spaces between the : and the next word.
116 string::size_type Pos2 = Pos;
117 while (Pos2 < Line.length() && isspace(Line[Pos2]) != 0)
118 Pos2++;
119
120 string Tag = string(Line,0,Pos);
121 string Val = string(Line,Pos2);
122
123 if (stringcasecmp(Tag.c_str(),Tag.c_str()+4,"HTTP") == 0)
124 {
So there is an issue with parsing of HTTP headers or something like
that around server.cc:120. Unfortunately, I don't have much time to
dig more at the moment. Hope this helps.
Tomasz
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Mon, 16 Feb 2015 00:21:04 GMT)
Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Mon, 16 Feb 2015 00:21:04 GMT)
Message #37 received at 778375@bugs.debian.org:
On 15/02/15 23:55, Tomasz Buchert wrote:
>
> [...]
(@Julian: sorry for not CCing you before)
Hi again,
I couldn't fall asleep, so there you go:
The tricky HTTPS server returns this line: "HTTP/1.1 302". Note that
there is no "explanation" for the status code 302 (it should be
"Found"). Anyway, this is fine, the code seems to be prepared for
that case: elements is set to 3 in server.cc:128.
However, Owner is NULL (I don't know why, I don't know the code, but
it is) so Owner->Debug fails in server.cc:132.
The attached patch checks whether Owner is NULL before dereferencing
it. This fixes this problem for me, but somebody who knows what Owner
is should make sure that it makes sense. Feel free to adjust the
patch to your needs, it's in public domain.
Cheers,
Tomasz
[0001-simple-fix.patch (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org.
(Thu, 19 Feb 2015 07:51:14 GMT)
Removed tag(s) unreproducible.
Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org.
(Thu, 19 Feb 2015 07:51:19 GMT)
Reply sent to Michael Vogt <mvo@debian.org>:
You have taken responsibility.
(Mon, 23 Feb 2015 12:21:06 GMT)
Notification sent to Kurt Roeckx <kurt@roeckx.be>:
Bug acknowledged by developer.
(Mon, 23 Feb 2015 12:21:06 GMT)
Message #46 received at 778375-close@bugs.debian.org:
Source: apt
Source-Version: 1.0.9.7
We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 778375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 23 Feb 2015 12:54:03 +0100
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 1.0.9.7
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description:
apt - commandline package manager
apt-doc - documentation for APT
apt-transport-https - https download transport for APT
apt-utils - package management related utility programs
libapt-inst1.5 - deb package format runtime library
libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
libapt-pkg-doc - documentation for APT development
libapt-pkg4.12 - package management runtime library
Closes: 778375
Changes:
apt (1.0.9.7) unstable; urgency=medium
.
[ Tomasz Buchert ]
* Fix crash in the apt-transport-https when Owner is NULL (Closes: #778375)
Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#778375; Package apt-transport-https.
(Mon, 23 Feb 2015 12:30:05 GMT)
Acknowledgement sent to David Kalnischkies <david@kalnischkies.de>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>.
(Mon, 23 Feb 2015 12:30:05 GMT)
Message #51 received at 778375@bugs.debian.org:
On Mon, Feb 16, 2015 at 01:16:19AM +0100, Tomasz Buchert wrote:
> The tricky HTTPS server returns this line: "HTTP/1.1 302". Note that
> there is no "explanation" for the status code 302 (it should be
> "Found"). Anyway, this is fine, the code seems to be prepared for
> that case: elements is set to 3 in server.cc:128.
apt is since 0.8.0~pre2 (23 Aug 2010). I think back then it was also
a sourceforge server triggering this. Note that this is a violation of
the HTTP1.1 spec (see rfc7230 section 3.1.2) which allows for an empty
reason-phrase, but the space before that is non-optional.
> However, Owner is NULL (I don't know why, I don't know the code, but
> it is) so Owner->Debug fails in server.cc:132.
>
> The attached patch checks whether Owner is NULL before dereferencing
> it. This fixes this problem for me, but somebody who knows what Owner
> is should make sure that it makes sense. Feel free to adjust the
> patch to your needs, it's in public domain.
<rambling>
That is a good catch! 'Owner' refers here to the ServerMethod owning the
ServerState (that was a very helpful explanation, wasn't it? ;) ).
It boils down to this: In Sep 2013 I wanted to fix some bugs in https by
using less curl and more of our own http code. For this I invented
a bunch of Server classes as parents for http and https – in hindsight,
I really should have used another name, but well, anyway – except that
both were completely different in their implementation.
Somehow I managed to pull it off anyway with the result that they share
most of their State parsing/tracking which is quite helpful. It also
means though that the actual Methods using the State are still very
different so getting a common interface for them was hard. Somewhere
down that line I took a shortcut giving the HttpsState a NULL for its
owner as it 'never' really needed it and can hence be fixed 'later'
correctly, right?
Fast forward one and a half years and the 'never' as well as the 'later'
is spoiled. It's a bit ironic that a debug message does this to me…
</rambling>
The proposed patch works just fine as the other users for 'Owner'
aren't used by https and for http it's always properly set (and nobody
dies if a debug message isn't shown even if requested) and at that point
in the release I guess everyone will be happy about a one-line fix.
(Michael is uploading it any minute now)
Attached is my full-blown 'proper' patch with a testcase I am going to
apply to our /experimental branch for comparison in the meantime.
Best regards
David Kalnischkies
[apt-778375-server-has-no-reason-phrase.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
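The failure mode discussed in this thread, as an added C++ example that is not apt's code and not part of the bug log: a status-line parser that accepts "HTTP/1.1 302" without a reason phrase and emits its optional debug message only when an owner object exists. The names Method, State, StatusLine and parse are hypothetical, and the sample lines are constructed.

```cpp
#include <cstdio>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for the method object that owns the parser state.
struct Method {
    bool debug = false;
    std::vector<std::string> log;  // debug messages end up here
};

struct StatusLine {
    bool ok = false;
    unsigned ver_major = 0, ver_minor = 0, code = 0;
    std::string reason;
};

// Parser state with a back-pointer to its owner that may legitimately be
// null, as it was for the https state described in the thread.
class State {
    Method *owner;
public:
    explicit State(Method *o) : owner(o) {}

    StatusLine parse(const std::string &line) const {
        StatusLine s;
        char reason[360] = "";
        int n = std::sscanf(line.c_str(), "HTTP/%3u.%3u %3u%359[^\r\n]",
                            &s.ver_major, &s.ver_minor, &s.code, reason);
        if (n < 3)
            return s;  // not a status line at all
        if (n == 3) {
            // "HTTP/1.1 302": no reason phrase and no space before it.
            // Debug output is optional, so a missing owner must not be fatal.
            if (owner != nullptr && owner->debug)
                owner->log.push_back("no reason phrase in: " + line);
        } else if (reason[0] != ' ') {
            return s;  // junk glued to the status code, e.g. "302Found"
        } else {
            s.reason = reason + 1;  // drop the separating space
        }
        s.ok = s.code >= 100 && s.code <= 599;
        return s;
    }
};

int main() {
    State https_state(nullptr);  // the configuration that crashed
    for (const char *l : {"HTTP/1.1 302", "HTTP/1.1 302 Found", "ETag: x"}) {
        StatusLine s = https_state.parse(l);
        std::cout << l << " -> ok=" << s.ok << " code=" << s.code << "\n";
    }
}
```

A regression test for this class of bug feeds the parser the short status line with the owner both set and unset, since the crash only appears on the path that wants to log.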
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org.
(Sun, 29 Mar 2015 07:29:08 GMT)
Last modified: Thu Jan 4 04:17:45 2018