Regression: Latest apt security update returns Hash Sum mismatch for file: URIs

Bug #1371058 reported by Björn Torkelsson on 2014-09-18
This bug affects 6 people

Affects                Status        Importance  Assigned to
apt (Debian)           Fix Released  Unknown
apt (Ubuntu)                         Critical    Michael Vogt
apt (Ubuntu Lucid)                   Undecided   Marc Deslauriers
apt (Ubuntu Precise)                 Undecided   Marc Deslauriers
apt (Ubuntu Trusty)                  Undecided   Marc Deslauriers
apt (Ubuntu Utopic)                  Critical    Michael Vogt

Bug Description

When running 'apt-get update' on Ubuntu Lucid using 0.7.25.3ubuntu9.16 I get Hash Sum mismatch when using file: URIs.

The first time I run apt-get update after cleaning /var/lib/dpkg/lists/ and /var/lib/dpkg/lists/partial it works. However, the second time I get:

root@crepes:/etc/apt# apt-get update
Ign file:/mirrors/ubuntu/ubuntu/ lucid-security/main Translation-en_DK
Ign file:/mirrors/ubuntu/ubuntu/ lucid-security/restricted Translation-en_DK
Ign file:/mirrors/ubuntu/ubuntu/ lucid-security/universe Translation-en_DK
Ign file:/mirrors/ubuntu/ubuntu/ lucid-security/multiverse Translation-en_DK
Get:1 file: lucid-security Release.gpg [198B]
Get:2 file: lucid-security Release [57,3kB]
Hit http://security.ubuntu.com lucid-security Release.gpg
Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_DK
Ign http://security.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_DK
Ign http://security.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_DK
Ign http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_DK
Hit http://security.ubuntu.com lucid-security Release
Hit http://security.ubuntu.com lucid-security/main Packages
Hit http://security.ubuntu.com lucid-security/restricted Packages
Hit http://security.ubuntu.com lucid-security/universe Packages
Hit http://security.ubuntu.com lucid-security/multiverse Packages
W: Failed to fetch file:/mirrors/ubuntu/ubuntu/dists/lucid-security/main/binary-amd64/Packages.bz2 Hash Sum mismatch

W: Failed to fetch file:/mirrors/ubuntu/ubuntu/dists/lucid-security/restricted/binary-amd64/Packages.bz2 Hash Sum mismatch

W: Failed to fetch file:/mirrors/ubuntu/ubuntu/dists/lucid-security/universe/binary-amd64/Packages.bz2 Hash Sum mismatch

W: Failed to fetch file:/mirrors/ubuntu/ubuntu/dists/lucid-security/multiverse/binary-amd64/Packages.bz2 Hash Sum mismatch

E: Some index files failed to download, they have been ignored, or old ones used instead.

Running apt-get with -o Acquire::CompressionTypes::Order="gz", and switching to bz2 every second run, works.

Reverting back to 0.7.25.3ubuntu9.15 it works.

And, of course, it works if only using http: URIs.

Looks like a regression in 0.7.25.3ubuntu9.16

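A "Hash Sum mismatch" from apt means the digest of an index file it fetched does not equal the digest recorded for that file in the suite's Release file. Before blaming apt, a practitioner wants to redo that comparison by hand against the local mirror. The script below is an added example, not code from the bug report or from apt: it parses the SHA256 block of a Release file, hashes the index on disk, and reports a match, a mismatch, or a path missing from Release. The mirror layout it checks against is a constructed sample (one correct entry, one entry carrying a deliberately wrong digest), built by build_sample_mirror into a temporary directory; the suite name and paths mirror the report above but nothing is read from a real mirror.

```shell
#!/bin/sh
# Redo by hand the comparison behind apt's "Hash Sum mismatch": the SHA256 of
# dists/<suite>/<relpath> on disk versus the SHA256 listed for <relpath> in
# dists/<suite>/Release.  Added example; constructed sample data, not apt code.

# release_hash RELEASE_FILE RELPATH
# Print the SHA256 recorded in RELEASE_FILE for RELPATH
# (e.g. main/binary-amd64/Packages.bz2).  Prints nothing if RELPATH is absent.
release_hash() {
    awk -v path="$2" '
        /^SHA256:/  { in_sha256 = 1; next }   # start of the SHA256 block
        /^[A-Za-z]/ { in_sha256 = 0 }         # any other field header ends it
        in_sha256 && $3 == path { print $1; exit }
    ' "$1"
}

# check_index MIRROR_ROOT SUITE RELPATH
# Return 0 if the on-disk index matches Release, 1 on a mismatch,
# 2 if Release does not list RELPATH at all.
check_index() {
    root=$1; suite=$2; rel=$3
    release="$root/dists/$suite/Release"
    index="$root/dists/$suite/$rel"
    want=$(release_hash "$release" "$rel")
    [ -n "$want" ] || { echo "not listed in Release: $rel" >&2; return 2; }
    have=$(sha256sum "$index" | awk '{print $1}')
    if [ "$want" = "$have" ]; then
        echo "ok        $rel"
        return 0
    fi
    echo "MISMATCH  $rel" >&2
    echo "  Release: $want" >&2
    echo "  on disk: $have" >&2
    return 1
}

# build_sample_mirror DIR
# Lay out a minimal constructed mirror: one index whose Release entry is
# correct and one whose entry carries a wrong digest (a stale mirror).
build_sample_mirror() {
    d="$1/dists/lucid-security"
    mkdir -p "$d/main/binary-amd64" "$d/universe/binary-amd64"
    printf 'Package: foo\nVersion: 1\n' > "$d/main/binary-amd64/Packages"
    printf 'Package: bar\nVersion: 1\n' > "$d/universe/binary-amd64/Packages"
    good=$(sha256sum "$d/main/binary-amd64/Packages" | awk '{print $1}')
    good_size=$(wc -c < "$d/main/binary-amd64/Packages" | tr -d ' ')
    bad_size=$(wc -c < "$d/universe/binary-amd64/Packages" | tr -d ' ')
    cat > "$d/Release" <<EOF
Suite: lucid-security
Codename: lucid
Components: main universe
SHA256:
 $good $good_size main/binary-amd64/Packages
 0000000000000000000000000000000000000000000000000000000000000000 $bad_size universe/binary-amd64/Packages
EOF
}

# Demonstration against the constructed mirror.
tmp=$(mktemp -d)
build_sample_mirror "$tmp"
check_index "$tmp" lucid-security main/binary-amd64/Packages
check_index "$tmp" lucid-security universe/binary-amd64/Packages || :
rm -rf "$tmp"
```

Run against a real mirror as check_index /mirrors/ubuntu/ubuntu lucid-security main/binary-amd64/Packages.bz2. If this manual check passes for every index that apt flags, the mirror is consistent and the fault lies in apt's own handling of the fetched file, which is exactly the situation in this report: the warnings disappear when apt is reverted or when the compression type is alternated, while the files on disk never change.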
Michael Vogt (mvo) on 2014-09-18
Changed in apt (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
importance: Undecided → Critical
status: New → In Progress
Michael Vogt (mvo) on 2014-09-18
summary: - Latest apt returns Hash Sum mismatch for file: URIs
         + Regression: Latest apt security update returns Hash Sum mismatch for file: URIs
Michael Vogt (mvo) wrote :

Note that this also fixes a segfault due to a broken FileFD::ReadOnlyGzip in this particular apt version.

Changed in apt (Debian):
status: Unknown → New
tags: added: patch
Stefan (steffel) wrote :

Had this problem, too, and had been analysing for two days to find the root of the problem.

I applied the patch for trusty, built the package and the HashSum Mismatch messages were gone. I will do deeper tests tomorrow.

Thanks for the patch.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu Lucid):
status: New → Confirmed
Changed in apt (Ubuntu Precise):
status: New → Confirmed
Changed in apt (Ubuntu Trusty):
status: New → Confirmed
Changed in apt (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Michael Vogt (mvo) wrote :

Thanks a lot Stefan (comment #4) for confirming that the patch works and I'm very sorry for this regression.

I created a PPA with the fix. It can be added via:
$ sudo apt-add-repository ppa:mvo/lp1371058

It contains packages for apt with the debdiff attached here applied. So if you are running into this issue you can install the fix right away. There will be a regular update with the fix available soon too.

Stefan (steffel) wrote :

Hi Michael,

- Updated apt from ppa mvo/lp1371058
- Did a new 14.04 64bit installation with our repository and with apt 1.0.1ubuntu2.4~ppa1
- Installation succeeded
- apt-get update && apt-get dist-upgrade succeeded, too

Thanks!

Björn Torkelsson (torkel) wrote :

Hi,

Tried the lucid and precise packages from the ppa:

1. Copied the packages from the ppa to our local mirror
2. Cleaned /var/lib/apt/lists and /var/lib/apt/lists/partial
3. ran apt-get update
4. ran apt-get dist-upgrade
5. ran apt-get update

Work on both lucid and precise. On precise I have also tried skipping step 2. and that works too.

Thanks for a quick response and fix! With 1000+ servers that is really appreciated :-)

Marc Deslauriers (mdeslaur) wrote :

Thanks for testing these updates, I will be releasing them on Tuesday after they have been through our QA process.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.20.1

---------------
apt (0.8.16~exp12ubuntu10.20.1) precise-security; urgency=low

  * SECURITY UPDATE:
    - fix potential buffer overflow, thanks to the
      Google Security Team (CVE-2014-6273)
  * Fix regression in 0.9.7.9+deb7u3 when file:/// sources
    are used and those are on a different partition than
    the apt state directory (LP: #1371058)
  * Revert FileFd::ReadOnlyGzip change
  * Fix regression when Dir::state::lists is set to a relative path
  * Fix regression when cdrom: sources got rewritten by apt-cdrom add
 -- Michael Vogt <email address hidden> Tue, 23 Sep 2014 09:02:26 +0200

Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.17.1

---------------
apt (0.7.25.3ubuntu9.17.1) lucid-security; urgency=low

  * SECURITY UPDATE:
    - fix potential buffer overflow, thanks to the
      Google Security Team (CVE-2014-6273)
  * Fix regression from the previous upload when file:/// sources
    are used and those are on a different partition than
    the apt state directory (LP: #1371058)
  * Fix regression when Dir::state::lists is set to a relative path
  * Fix regression when cdrom: sources got rewritten by apt-cdrom add
 -- Michael Vogt <email address hidden> Tue, 23 Sep 2014 08:58:49 +0200

Changed in apt (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in apt (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in apt (Debian):
status: New → Fix Released
tags: added: lucid regression-update
tags: added: amd64
information type: Public → Public Security
Steve Beattie (sbeattie) wrote :

This was fixed in apt 1.0.9.1ubuntu1, and thus has been addressed for utopic and vivid, so closing.

Thanks.

Changed in apt (Ubuntu):
status: In Progress → Fix Released
Changed in apt (Ubuntu Utopic):
status: In Progress → Fix Released