curl: Problem with chunked encoded data

Bug #1613698 reported by Joe on 2016-08-16
This bug affects 2 people
Affects          Status   Importance   Assigned to     Milestone
curl (Ubuntu)             Medium       Unassigned
Trusty                    Medium       Graham Inggs

Bug Description

[Impact]
curl in Ubuntu 14.0.4 suffers from a bug ("Problem (2) in the Chunked-Encoded data") introduced in curl 7.35.0 (https://github.com/curl/curl/commit/345891edba32312686e18d8ff185f4476b74e417).

See the corresponding thread on the curl mailing list:
* https://curl.haxx.se/mail/lib-2014-02/0100.html
* https://curl.haxx.se/mail/lib-2014-02/0108.html

Googling for "Problem (2) in the Chunked-Encoded data" shows that this seems to be a problem for other Ubuntu users, too. For example:
* https://github.com/jackalope/jackalope-jackrabbit/issues/89#issuecomment-55084492
* https://www.mastizada.com/blog/chunked-encoded-data-error-in-php-curl-requests/
* https://bugs.php.net/bug.php?id=72131

[Test Case]
* curl -v 'http://curl.haxx.se/download/'
(this might work on some configurations)

[Fix]

The issue was fixed in curl 7.36.0 with https://github.com/curl/curl/commit/0ab97ba0090f2609760c33000181f08757336a48

If you apply that patch to curl in Ubuntu 14.04, I'm sure you'll make a lot of people happy - including me. Thanks!

[Regression Potential]
* none, fix comes from upstream, and is a fix of a bad commit

description: updated

The attachment "Patch from https://github.com/curl/curl/commit/0ab97ba0090f2609760c33000181f08757336a48" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in curl (Ubuntu):
status: New → Confirmed
Changed in curl (Ubuntu):
importance: Undecided → High

fix for the bug, uploaded on ppa:costamagnagianfranco/locutusofborg-ppa

tags: added: trusty

patches should be applied not at the bottom :) new debdiff

build ongoing ppa:costamagnagianfranco/costamagnagianfranco-ppa

Graham Inggs (ginggs) wrote :

Hi Joe, LocutusOfBorg
Please update this bug's description as per the SRU bug template.

https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template

done thanks

description: updated
Changed in curl (Ubuntu):
importance: High → Medium

lol, the above links show my ettercap ppa as "fix" just because it has a new curl

Graham Inggs (ginggs) on 2016-08-29
Changed in curl (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Graham Inggs (ginggs)
Aaron Stone (sodabrew) wrote :

Thank you Graham! Let me know if I can help with the next steps in any way to publish updated packages.

Graham Inggs (ginggs) on 2016-08-30
Changed in curl (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Graham Inggs (ginggs)
Changed in curl (Ubuntu):
assignee: Graham Inggs (ginggs) → nobody
status: In Progress → Fix Released
Graham Inggs (ginggs) wrote :

@sodabrew: the update for trusty has been uploaded, once it has been accepted into trusty-proposed this bug will be updated, letting you know that you can install the update and verify that it actually fixes the bug. If verification is successful, the update will migrate to trusty-updates.

I was not able to reproduce the problem with the following test case:
curl -v 'http://curl.haxx.se/download/'

If it works for you, please let us know, otherwise let us know of a better test case if you find one.

Hello Joe, or anyone else affected,

Accepted curl into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in curl (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in curl (Ubuntu Trusty):
importance: Undecided → Medium
Joe (joe-afflerbach+ubuntu) wrote :

Using the PHP script from https://bugs.php.net/bug.php?id=72131 we were able to reproduce the bug with curl 7.35.0-1ubuntu2.8 (maybe there's a simpler way to reproduce...):

---------------------------------------------

# dpkg -l | grep curl
ii curl 7.35.0-1ubuntu2.8 amd64 command line tool for transferring data with URL syntax
ii libcurl3:amd64 7.35.0-1ubuntu2.8 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)

Joe (joe-afflerbach+ubuntu) wrote :

(Hmm, the bug tracker ate the rest of my comment?!)

# php test.php
string(2) "OK"
string(0) ""

string(2) "OK"
string(0) ""

string(2) "OK"
string(0) ""

number_format(null) called

bool(false)
string(39) "Problem (2) in the Chunked-Encoded data"

number_format(null) called

---------------------------------------------

The updated packages actually seem to fix the problem - no more "Problem (2) in the Chunked-Encoded data":

# curl http://launchpadlibrarian.net/281937790/libcurl3_7.35.0-1ubuntu2.9_amd64.deb -O

# curl http://launchpadlibrarian.net/281937786/curl_7.35.0-1ubuntu2.9_amd64.deb -O

# dpkg -i *deb
(Reading database ... 67243 files and directories currently installed.)
Preparing to unpack curl_7.35.0-1ubuntu2.9_amd64.deb ...
Unpacking curl (7.35.0-1ubuntu2.9) over (7.35.0-1ubuntu2.9) ...
Preparing to unpack libcurl3_7.35.0-1ubuntu2.9_amd64.deb ...
Unpacking libcurl3:amd64 (7.35.0-1ubuntu2.9) over (7.35.0-1ubuntu2.8) ...
Setting up libcurl3:amd64 (7.35.0-1ubuntu2.9) ...
Setting up curl (7.35.0-1ubuntu2.9) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...

# dpkg -l |grep curl
ii curl 7.35.0-1ubuntu2.9 amd64 command line tool for transferring data with URL syntax
ii libcurl3:amd64 7.35.0-1ubuntu2.9 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)

# php test.php
string(2) "OK"
string(0) ""

string(2) "OK"
string(0) ""

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

string(2) "OK"
string(0) ""

number_format(null) called

---------------------------------------------

Thanks everyone for the quick support!

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package curl - 7.35.0-1ubuntu2.9

---------------
curl (7.35.0-1ubuntu2.9) trusty; urgency=medium

  [ Joe Afflerbach ]
  * debian/patches/curl-chunk-fix.patch:
    - fix problem with chunked encoded data (LP: #1613698)

 -- Gianfranco Costamagna <email address hidden> Sun, 28 Aug 2016 21:27:34 +0200

Changed in curl (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for curl has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
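
Added example (not part of the bug report, and not curl or Ubuntu packaging code): a Python check that reads `dpkg -l` output and lists curl packages still on upstream 7.35.0 with a package version older than the fixed 7.35.0-1ubuntu2.9. The version comparison is a re-implementation of dpkg's ordering rules, the `libcurl*` name match is an assumption, and the sample lines are constructed.

```python
import re

FIXED = "7.35.0-1ubuntu2.9"    # trusty package carrying the fix (from this bug)
AFFECTED_UPSTREAM = "7.35.0"   # upstream release the report names as introducing the bug

def split_version(v):  # -> (epoch, upstream, revision)
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def _weight(c):  # dpkg order: '~' before end-of-string (0), letters before symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # compare two upstream or revision strings
    while a or b:
        # 1) leading non-digit run, compared character by character
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa, wb = (_weight(s[i]) if i < len(s) else 0 for s in (na, nb))
            if wa != wb:
                return -1 if wa < wb else 1
        # 2) leading digit run, compared numerically (so 2.10 > 2.9)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def deb_compare(a, b):  # -1, 0 or 1
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def affected_packages(dpkg_output):
    hits = []
    for line in dpkg_output.splitlines():
        f = line.split()
        if len(f) < 3 or f[0][1:2] != "i":   # second status letter 'i' = installed
            continue
        name, version = f[1].split(":")[0], f[2]
        if ((name == "curl" or name.startswith("libcurl"))   # assumed name match
                and split_version(version)[1] == AFFECTED_UPSTREAM
                and deb_compare(version, FIXED) < 0):
            hits.append((name, version))
    return hits

# Constructed sample in `dpkg -l` layout (not captured from a real host)
SAMPLE = """ii  curl                   7.35.0-1ubuntu2.8   amd64  command line tool
ii  libcurl3:amd64         7.35.0-1ubuntu2.8   amd64  client-side URL transfer library
ii  libcurl3-gnutls:amd64  7.35.0-1ubuntu2.10  amd64  constructed line, already patched"""
```

On a real host, pass `affected_packages` the text output of `dpkg -l` instead of `SAMPLE`.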
