Segmentation fault on tar_extract_all in 14.04/1.2.20-3

Bug #1315742 reported by TimJ
46
This bug affects 8 people
Affects Status Importance Assigned to Milestone
trusty-backports
Undecided
Unassigned
libtar (Debian)
Fix Released
Unknown
libtar (Ubuntu)
Undecided
Magnus Holmgren
Trusty
High
Brian Murray

Bug Description

[Test Case]
1) Download the sample program from comment #7
2) Compile the program (gcc foo.c -ltar -o foo
3) Run ./foo <any-tarfile>

Using the version of libtar from Trusty (1.2.20-3) the foo program will crash. Using the version of libtar from trusty-proposed (1.2.20-3ubuntu0.1) it should not.

Description: Ubuntu 14.04 LTS
Release: 14.04

libtar0:
  Installed: 1.2.19-1 (working)
  Candidate: 1.2.20-3 (segfaults)

I stumbled over this bug when trying to use Stopmotion. It segfaulted when trying to load a project file.
I debugged it and ended up at 'tar_extract_all'.
Stopmotion worked well again when I downgraded libtar to 1.2.19-1 from saucy.

Revision history for this message
Magnus Holmgren (holmgren) wrote :

Funny; after three months, this bug was reported to both Debian and Ubuntu almost simultaneously. It should be fixed in 1.2.20-4 in Debian; hopefully someone will pull it from there.

Changed in libtar (Ubuntu):
assignee: nobody → Magnus Holmgren (holmgren)
status: New → Fix Committed
Changed in libtar (Debian):
status: Unknown → Fix Released
Changed in libtar (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Jose Luis Rivero (j-rivero) wrote :

Thanks for patch. I can see the version patched in Ubuntu Utopic but the bug is still present in the current version of Trusty (1.2.20-3):

 - http://packages.ubuntu.com/trusty/libtar0

Is there anything that stop the inclussion of the fix into the Trusty distribution?
Thanks.

tags: added: trusty
Revision history for this message
Felix Geyer (debfx) wrote :

Seems like a good candidate for a stable release update, not for backports.

Changed in trusty-backports:
status: New → Invalid
Revision history for this message
Tully (tully.foote) wrote :

As the current released version is crashing it does suggest it warrants a release into the regular repos.

What's the correct way to reopen this for trusty since it looks like all Affected elements are closed at the moment?

Revision history for this message
Jose Luis Rivero (j-rivero) wrote :

I've created a new bug to handle the process of backporting the fix:
https://bugs.launchpad.net/ubuntu/+source/libtar/+bug/1319809

Changed in libtar (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Brian Murray (brian-murray) wrote :

As a part of the Stable Release Update process (https://wiki.ubuntu.com/StableReleaseUpdates#Procedure) this bug will need a test case so we can be verify that the bug is in fact fixed by the new version of the package. Could someone please provide a test case?

Revision history for this message
Jose Luis Rivero (j-rivero) wrote :

Thanks Brian, I've wrote a small testing case that should segfault with current libtar 1.2.20-3 but should work with the patch 1.2.20-4

 - Compile: gcc foo.c -ltar -o foo
 - Run ./foo <any_tarfile>

It will uncompress the contents in the /tmp directory.
Let me know if you need anything else.

Revision history for this message
Jose Luis Rivero (j-rivero) wrote :

We successfully aplied the following patch to generate an own version (1.2.20-4~osrf1) that fixes the problem.

Revision history for this message
Brian Murray (brian-murray) wrote :

I've uploaded the Utopic version of libtar to the Trusty proposed queue for review by an SRU team member.

Changed in libtar (Ubuntu Trusty):
status: Triaged → In Progress
assignee: nobody → Brian Murray (brian-murray)
description: updated
Revision history for this message
Colin Watson (cjwatson) wrote : Please test proposed package

Hello TimJ, or anyone else affected,

Accepted libtar into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/libtar/1.2.20-3ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libtar (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Jose Luis Rivero (j-rivero) wrote :

I tested the new package for the amd64 arch and it fixes the bug for me.
Thanks Brian, Collin.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libtar - 1.2.20-3ubuntu0.1

---------------
libtar (1.2.20-3ubuntu0.1) trusty-proposed; urgency=high

  [ Magnus Holmgren ]
  * no_maxpathlen.patch: Half of the part of the patch modifying
    compat/dirname.c was missing, causing libtar's dirname to always
    return NULL (except in special circumstances). Actually make it work
    (Closes: #745352). (The reason that libtar doesn't use libc's
    dirname() and basename() on some or most platforms is that the code
    doesn't work with destructive versions of these functions). (LP: #1315742)
 -- Brian Murray <email address hidden> Thu, 19 Jun 2014 11:44:33 -0700

Changed in libtar (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote : Update Released

The verification of the Stable Release Update for libtar has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.