does not notice "Deleted" versions when accepting uploads which leads to corrupted md5 cache

Bug #174038 reported by Kees Cook on 2007-12-04
Affects                               Status   Importance   Assigned to   Milestone
Launchpad itself                               High         Unassigned
dpkg (Ubuntu)                                  Undecided    Unassigned
mobile-application-service (Ubuntu)            Undecided    Unassigned
mobile-player (Ubuntu)                         Undecided    Unassigned

Bug Description

I found 3 debs where the Packages file has the wrong md5sum:

0bdf7ed88b22958cd4459de8da83b2be mobile-application-service_0.9-5_amd64.deb
1115b720725289492aa80ffc5e070768 mobile-application-service_0.9-5_i386.deb
9aacf50bcd17a38edad5c7447dda275a mobile-player_0.4_all.deb

The packages files (gutsy) read:

Filename: pool/universe/m/mobile-application-service/mobile-application-service_0.9-5_amd64.deb
MD5sum: 5965e136ae26ccf30a9973d9ceb5aabb

Filename: pool/universe/m/mobile-application-service/mobile-application-service_0.9-5_i386.deb
MD5sum: 65cfb924a6651c8493e062d581b2c826

Filename: pool/universe/m/mobile-player/mobile-player_0.4_all.deb
MD5sum: feb9bf9d580deff47cf331fb0eae2a32

11:56 < cprov> kees: the file in disk matches what we've got from the builder
11:57 < kees> so the Packages file is wrong somehow?
11:57 < cprov> kees: yes ...
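The mismatch in the report is exactly the check a mirror can script for itself. As an added example (not code from the report, from Soyuz or from debmirror), the block below parses Packages stanzas like the ones quoted above and lists every pool file that is missing or whose content disagrees with its MD5sum field; the mirror layout and the sample .deb contents are constructed.

```python
"""Check pool .deb files against the MD5sum fields of a Packages index (the consistency debmirror enforces). Added example for this page, not Soyuz or debmirror code."""
import hashlib
import os
import tempfile

def parse_packages(text):
    """One {field: value} dict per stanza; indented lines continue the last field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last: # continuation of a multi-line field
            cur[last] += "\n" + line.strip()
        else:
            last, value = (s.strip() for s in line.partition(":")[::2])
            cur[last] = value
    if cur:
        stanzas.append(cur)
    return stanzas

def md5_of_file(path):
    with open(path, "rb") as fh:        # MD5 because that is what the index carries
        return hashlib.md5(fh.read()).hexdigest()

def verify_pool(packages_text, mirror_root):
    """Return (Filename, index MD5sum, actual MD5sum or None) for each bad stanza."""
    bad = []
    for st in parse_packages(packages_text):
        rel, want = st.get("Filename"), st.get("MD5sum", "").lower()
        if not rel or not want:
            continue
        path = os.path.join(mirror_root, rel)
        got = md5_of_file(path) if os.path.isfile(path) else None
        if got != want:                 # stale index entry or missing file
            bad.append((rel, want, got))
    return bad

def demo():
    """Constructed mirror: one correct stanza, one stale checksum, one missing file."""
    root = tempfile.mkdtemp()
    rel = "pool/universe/m/mobile-player/mobile-player_0.4_all.deb"
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path))
    with open(path, "wb") as fh:
        fh.write(b"constructed stand-in for a .deb\n")
    index = ("Filename: %s\nMD5sum: %s\n\nFilename: %s\nMD5sum: %s\n\n"
             "Filename: pool/x/gone_1_all.deb\nMD5sum: %s\n")
    return verify_pool(index % (rel, md5_of_file(path), rel, "0" * 32, "f" * 32), root)
```

Running `demo()` returns the two bad entries (the stale checksum and the absent file); on a real mirror, point `verify_pool` at the downloaded Packages text and the mirror root.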

Celso Providelo (cprov) on 2007-12-06
Changed in soyuz:
assignee: nobody → cprov
milestone: none → 1.1.12
status: New → Triaged
Changed in soyuz:
milestone: 1.1.12 → 1.2.1
Celso Providelo (cprov) wrote :

I'm marking it as 'won't fix' because there is nothing we can do about this problem right now; either it gets fixed by a new upload or we have to spend time investigating why a-f caches are corrupted.

Changed in soyuz:
status: Triaged → Won't Fix
William Grant (wgrant) wrote :

Shouldn't you be debugging (with high priority) an issue that creates broken indices, particularly as the md5sums provide the only form of security?

This sounds like throwing security out the window, because you can't be bothered to fix it. Ouch.

How are we sure that the rest of them are right? This would tend to cause apt to fall over, if the md5sum is wrong, and bugs to get filed on the affected packages - where this is actually a launchpad bug. I'm not sure that's overly sensible.

Celso Providelo (cprov) wrote :

Michael,

Can you help us to debug the current a-f caches used in drescher and find 'if' and 'why' they got corrupted. I can copy the caches to another machine in DC (they have 2.3G in total).

Thanks in advance.

Malcolm Scott (malcscott) wrote :

I note that debmirror will refuse to update a mirror in this situation, so no mirrors using debmirror will update until this is fixed.

If you run debmirror with --ignore-small-errors it will complete.

Michael,

I've re-generated a-f caches in dogfood (took around 4 hours) and it fixed the problem, see http://archive.dogfood.launchpad.net/ubuntu/dists/hardy/

I don't think this is the only solution available, but it's nice to have it as an alternative.

Chris Clonch (cacack) wrote :

Any resolution on the horizon?

I get this while using debmirror to create a local, private mirror for my company. Using --ignore-small-errors allowed me to complete the mirror, but the security issues from not checking the md5s leave me with a bad taste in my mouth.

Malcolm Scott (malcscott) wrote :

Indeed, I feel it would look very unprofessional to say the least if Hardy were to be released in a state in which it cannot be securely mirrored. Surely it is a simple matter for the right person to fix this?

Kees Cook (kees) on 2008-04-21
Changed in dpkg:
status: New → Invalid
Changed in soyuz:
status: Won't Fix → Confirmed
Kees Cook (kees) wrote :

I've uploaded no-change version-bumps for the two source packages. This likely won't fix Gutsy's mirroring, but it will be okay for Hardy. Soyuz still needs to be fixed (or rather, the caches regenerated), so I've re-opened that part of the bug.

Scott Kitterman (kitterman) wrote :

motu-release ack.

Changed in mobile-application-service:
status: New → Confirmed
Changed in mobile-player:
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mobile-player - 0.4ubuntu1

---------------
mobile-player (0.4ubuntu1) hardy; urgency=low

  * No-change version bump to work around LP: #174038.

 -- Kees Cook <email address hidden> Mon, 21 Apr 2008 14:13:47 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mobile-application-service - 0.9-6

---------------
mobile-application-service (0.9-6) hardy; urgency=low

  * No-change version-bump to work around LP: #174038.

 -- Kees Cook <email address hidden> Mon, 21 Apr 2008 14:14:29 -0700

Changed in mobile-application-service:
status: Confirmed → Fix Released
Changed in mobile-player:
status: Confirmed → Fix Released
Kees Cook (kees) on 2009-03-26
summary: - bad md5sum in Packages file
+ does not notice "Deleted" versions when accepting uploads which leads to
+ corrupted md5 cache
Celso Providelo (cprov) wrote :

Part of the problem will be fixed by bug #300533 (the package indexes will contain correct checksums). However, we should spot conflicting binary versions earlier and refuse to publish them at binary-upload time (resulting in explicit failed-to-upload builds).

Changed in soyuz:
importance: Undecided → High
milestone: 1.2.1 → pending
status: Confirmed → Triaged
Curtis Hovey (sinzui) on 2010-06-01
Changed in soyuz:
assignee: Celso Providelo (cprov) → nobody