Stack smashing in aptitude on safe-upgrade

Reported by Reiger on 2009-12-22
Affects: aptitude (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Binary package hint: aptitude

Latest update of the system causes aptitude to crash on safe-upgrade (FWIW it does the same on install); apparently a protection against stack smashing kicks in and terminates the application.

The error message spat out:

*** stack smashing detected ***: aptitude terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xf2cf58]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xf2cf10]
aptitude[0x812ae58]
aptitude[0x812b837]
aptitude[0x814293a]
aptitude[0x805e4d7]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xe62b66]
aptitude[0x805c691]
======= Memory map: ========
00110000-001c9000 r-xp 00000000 08:05 4035 /usr/lib/libcwidget.so.3.0.0
001c9000-001ca000 ---p 000b9000 08:05 4035 /usr/lib/libcwidget.so.3.0.0
001ca000-001cd000 r--p 000b9000 08:05 4035 /usr/lib/libcwidget.so.3.0.0
001cd000-001ce000 rw-p 000bc000 08:05 4035 /usr/lib/libcwidget.so.3.0.0
001ce000-0023d000 r-xp 00000000 08:05 4048 /usr/lib/libept.so.0.5.29
0023d000-0023e000 r--p 0006e000 08:05 4048 /usr/lib/libept.so.0.5.29
0023e000-0023f000 rw-p 0006f000 08:05 4048 /usr/lib/libept.so.0.5.29

This appears to refer to a TLS/SSL encryption library, and FWIW the latest upgrade I did included what looks like an https library for aptitude/apt: apt-transport-https.

On the other hand, the same bug does not manifest itself when using apt, i.e. apt install and apt upgrade continue to function normally, which suggests that it is not the libraries themselves that are at fault.

ProblemType: Bug
Architecture: i386
Date: Wed Dec 23 00:11:09 2009
DistroRelease: Ubuntu 10.04
Package: aptitude 0.4.11.11-1ubuntu6
ProcEnviron:
 LANGUAGE=
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.32-8.12-generic
SourcePackage: aptitude
Tags: lucid
Uname: Linux 2.6.32-8-generic i686

Reiger (jm-ouwerkerk) wrote :

Forgot to mention: aptitude --version info:

aptitude 0.4.11.11 compiled at Sep 28 2009 12:52:07
Compiler: g++ 4.4.1
Compiled against:
  apt version 4.8.1
  NCurses version 5.7
  libsigc++ version: 2.0.18
  Ept support enabled.

Current library versions:
  NCurses version: ncurses 5.7.20090803
  cwidget version: 0.5.13
  Apt version: 4.8.0

Reiger (jm-ouwerkerk) wrote :

Further testing (trying to purge packages with aptitude):

sudo aptitude
*** glibc detected *** aptitude: free(): invalid pointer: 0xb39032b8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0x62af81]
/lib/tls/i686/cmov/libc.so.6[0x62c7d0]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x62f81d]
/usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0x4dc311]
/usr/lib/libstdc++.so.6(_ZdaPv+0x1d)[0x4dc36d]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN12pkgOrderList8CheckDepEN8pkgCache11DepIteratorE+0x142)[0x18bc12]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN12pkgOrderList9DepRemoveEN8pkgCache11DepIteratorE+0xb6)[0x18cf56]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN12pkgOrderList10VisitRDepsEMS_FbN8pkgCache11DepIteratorEENS0_11PkgIteratorE+0x61)[0x18b721]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN12pkgOrderList9VisitNodeEN8pkgCache11PkgIteratorE+0x71f)[0x18cd4f]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN12pkgOrderList5DoRunEv+0xd5)[0x18df25]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN12pkgOrderList11OrderUnpackEPSs+0x142)[0x18e562]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN17pkgPackageManager12OrderInstallEv+0x29a)[0x1955aa]
/usr/lib/libapt-pkg-libc6.10-6.so.4.8(_ZN17pkgPackageManager9DoInstallEi+0x21)[0x192881]
aptitude[0x8180352]
aptitude[0x8180882]
aptitude[0x810d30c]
aptitude[0x808cdcb]
/usr/lib/libcwidget.so.3(_ZN7cwidget8toplevel8mainloopEi+0x1f1)[0x9eb121]
aptitude[0x80f1113]
aptitude[0x805e67b]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x5d6b66]
aptitude[0x805c691]
======= Memory map: ========
00110000-00125000 r-xp 00000000 08:05 40553 /lib/tls/i686/cmov/libpthread-2.10.2.so
00125000-00126000 r--p 00014000 08:05 40553 /lib/tls/i686/cmov/libpthread-2.10.2.so
0012600...

Benjamin Drung (bdrung) wrote :

I experience this bug with pbuilder. Every lucid build fails due to this bug. Log attached.

Changed in aptitude (Ubuntu):
status: New → Confirmed
Bryce Harrington (bryce) wrote :

I've been able to reproduce this in my lucid pbuilder environment, on both the amd64 and i386 archs.

*** stack smashing detected ***: aptitude terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xf71eef58]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xf71eef10]
aptitude[0x812ae58]
aptitude[0x812b837]
aptitude[0x811de59]
aptitude[0x805f2af]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xf7124b66]
aptitude[0x805c691]

Changed in aptitude (Ubuntu):
importance: Undecided → High
milestone: none → lucid-alpha-2
Kees Cook (kees) wrote :

I'm not able to reproduce this yet; what command lines in particular are crashing, and can you enable apport and try to catch the overflow?

Benjamin Drung (bdrung) wrote :

It started with the pbuilder update today or yesterday. So run

sudo pbuilder update
sudo pbuilder build foobar.dsc

(replace foobar by any source package)

Mahesh Asolkar (asolkar) wrote :

Attaching aptitude log just as a data point.

Kees Cook (kees) wrote :

I suspect the recent apt upload, even though the crash appears in aptitude...

#0 0x00007ffff5f264c5 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff5f29f60 in *__GI_abort () at abort.c:92
#2 0x00007ffff5f5eca7 in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3 0x00007ffff5feae67 in *__GI___fortify_fail (
    msg=0x7ffff6029552 "stack smashing detected") at fortify_fail.c:32
#4 0x00007ffff5feae30 in __stack_chk_fail () at stack_chk_fail.c:29
#5 0x00000000004e858a in cmdline_show_preview (
    as_upgrade=<value optimized out>, to_install=<value optimized out>,
    to_hold=<value optimized out>, to_remove=<value optimized out>,
    showvers=<value optimized out>, showdeps=<value optimized out>,
    showsize=false, showwhy=false, verbose=0) at cmdline_prompt.cc:917
#6 0x00000000004e8df0 in cmdline_do_prompt (
    as_upgrade=<value optimized out>, to_install=<value optimized out>,
    to_hold=<value optimized out>, to_remove=<value optimized out>,
    to_purge=<value optimized out>, showvers=<value optimized out>,
    showdeps=false, showsize=false, showwhy=false, always_prompt=false,
    verbose=0, assume_yes=false, force_no_change=false, policy=...,
    arch_only=false) at cmdline_prompt.cc:1089
#7 0x00000000005019fe in cmdline_upgrade (argc=<value optimized out>,
    argv=<value optimized out>, status_fname=0x0,
    simulate=<value optimized out>, no_new_installs=<value optimized out>,
    assume_yes=<value optimized out>, download_only=false, showvers=false,
    showdeps=false, showsize=<value optimized out>,
    showwhy=<value optimized out>, user_tags=..., visual_preview=false,
    always_prompt=<value optimized out>, arch_only=<value optimized out>,
    queue_only=false, verbose=0) at cmdline_upgrade.cc:157
#8 0x000000000041b1f6 in main (argc=2, argv=0x7fffffffe7a8) at main.cc:661

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptitude - 0.4.11.11-1ubuntu7

---------------
aptitude (0.4.11.11-1ubuntu7) lucid; urgency=low

  * No-change rebuild to handle libapt ABI changes (LP: #499631).
 -- Kees Cook <email address hidden> Tue, 22 Dec 2009 23:17:50 -0800

Changed in aptitude (Ubuntu):
status: Confirmed → Fix Released
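The fix was a no-change rebuild against the changed libapt ABI, which is consistent with the stack protector firing inside aptitude's own frame (cmdline_show_preview above) rather than in the library. As an added illustration, not aptitude's or apt's code and with hypothetical struct names, fields and size-reporting helper, the following C models how a library that grows a struct overruns a caller still compiled against the old layout, and shows the size check a caller could use to refuse the call instead of leaving detection to the stack canary:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout the caller (think: aptitude) was compiled against. Hypothetical. */
struct pkg_state_v1 {
    uint32_t id;
    uint32_t flags;
};

/* Layout the rebuilt library (think: the new libapt-pkg) now uses: one field
 * was appended, so the object grew from 8 to 16 bytes. Hypothetical. */
struct pkg_state_v2 {
    uint32_t id;
    uint32_t flags;
    uint64_t extra;
};

/* The library reports the struct size it was built with. */
size_t lib_pkg_state_size(void)
{
    return sizeof(struct pkg_state_v2);
}

/* Library routine: fills a caller-supplied buffer using ITS OWN layout.
 * A stale caller passing an 8-byte stack object gets 8 bytes written past
 * the end of it: the kind of corruption __stack_chk_fail reported here. */
void lib_fill_state(void *out, uint32_t id)
{
    struct pkg_state_v2 s = { id, 1u, 0xabcdefu };
    memcpy(out, &s, sizeof s);
}

/* Bytes by which a caller's buffer of the given size would be overrun
 * (0 means the two sides agree). */
size_t abi_overrun_bytes(size_t caller_size)
{
    size_t lib = lib_pkg_state_size();
    return lib > caller_size ? lib - caller_size : 0;
}

/* Guarded wrapper: call the library only if both sides agree on the size.
 * Returns 0 on success, -1 on ABI mismatch (the caller needs a rebuild). */
int safe_fill_state(void *out, size_t out_size, uint32_t id)
{
    if (out_size != lib_pkg_state_size())
        return -1;
    lib_fill_state(out, id);
    return 0;
}
```

In the real fix the agreement is enforced by package dependencies on the libapt-pkg soname rather than a runtime size check; the model only makes the mismatch visible.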
Untitled No. 4 (untitled-no4) wrote :

Works for me after getting aptitude (0.4.11.11-1ubuntu7)
