segmentation fault when opening fd

Bug #1907676 reported by Marc Deslauriers on 2020-12-10
This bug affects 3 people
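Affects: python-apt (Debian). Status: Fix Released. Importance: Unknown.
Affects: python-apt (Ubuntu). Importance: High. Assigned to: Unassigned.
  Xenial. Importance: High. Assigned to: Unassigned.
  Bionic. Importance: High. Assigned to: Unassigned.
  Focal. Importance: High. Assigned to: Unassigned.
  Groovy. Importance: High. Assigned to: Unassigned.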

Bug Description

[Impact]

USN-4668-1 introduced a regression in python-apt when using certain APIs with a file handle.

[Test case]

# Landscape scenario:
1) On the Landscape server, create a package profile that installs a single package, 'hello' is enough.
2) On the Landscape server, apply the package profile to a client
3) On the Landscape client, verify that there is no segfault message on '/var/log/kern.log'
4) On the Landscape server, verify that the activity to apply the package profile ends with success.

Step 3) would show a segfault and, in step 4), the activity would stay 'In Progress' forever.

# dak scenario:
dak crashes with a segmentation fault in python3-apt when processing
uploads or processing the NEW queue on ftp-master; and also on my
playground server (used to generate the backtrace).

[Where problems could occur]

[Other info]

See Debian bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977000

Fix:
https://salsa.debian.org/apt-team/python-apt/-/commit/3d9af5f196ad6a6c6973ac699a15888d21a9bb52
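
A regression check for the call path this report concerns, as an added example that is not part of the original bug report or of python-apt: it hands a raw file descriptor to apt_inst.ArFile in a child interpreter, so a crash in the C extension is reported as a signal instead of taking the harness down with it. The helper names (minimal_ar, run_fd_open), the exit code 3 convention and the one-member archive are assumptions made for this example.

```python
import signal
import subprocess
import sys
import tempfile

# Child program: open the archive and pass the integer descriptor (not a
# path or file object) to apt_inst.ArFile. Exit code 3 is this example's
# own convention for "python-apt is not installed".
CHILD = """
import os, sys
try:
    import apt_inst
except ImportError:
    sys.exit(3)
fd = os.open(sys.argv[1], os.O_RDONLY)
try:
    apt_inst.ArFile(fd).getnames()
finally:
    os.close(fd)
"""

def minimal_ar(member=b"debian-binary", data=b"2.0\n"):
    """Build a one-member ar archive (constructed sample input)."""
    # 60-byte member header: name, mtime, uid, gid, mode, size, magic.
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        member, 0, 0, 0, b"100644", len(data))
    padding = b"\n" if len(data) % 2 else b""  # members are 2-byte aligned
    return b"!<arch>\n" + header + data + padding

def run_fd_open(child_src=CHILD, timeout=30):
    """Run child_src in a separate interpreter and classify how it ended."""
    with tempfile.NamedTemporaryFile(suffix=".ar") as tmp:
        tmp.write(minimal_ar())
        tmp.flush()
        proc = subprocess.run([sys.executable, "-c", child_src, tmp.name],
                              capture_output=True, timeout=timeout)
    if proc.returncode < 0:
        # Negative return code: the child was killed by that signal number.
        return "crashed:" + signal.Signals(-proc.returncode).name
    if proc.returncode == 3:
        return "skipped:python-apt not installed"
    return "ok" if proc.returncode == 0 else "error:exit %d" % proc.returncode

if __name__ == "__main__":
    print(run_fd_open())
```

On a host with an affected python-apt build the expected result is `crashed:SIGSEGV`; with a fixed build it is `ok`.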

Eric Desrochers (slashd) wrote :

The current situation of python-apt is somewhat critical as no packages can be pushed via Landscape to machines at the moment. This is causing landscape-package-changer to segfault as follows:

[apport-retrace]
Core was generated by `/usr/bin/python3 /usr/bin/landscape-package-changer --quiet'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ararchive_new (type=0x7f652626e0a0 <PyDebFile_Type>, args=<optimized out>, kwds=<optimized out>)
at python/arfile.cc:438

This seems to be a fix candidate:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977000
https://salsa.debian.org/apt-team/python-apt/-/commit/3d9af5f196ad6a6c6973ac699a15888d21a9bb52

- Eric

tags: added: seg sts
Changed in python-apt (Ubuntu Groovy):
importance: Undecided → High
Changed in python-apt (Ubuntu Focal):
importance: Undecided → High
Changed in python-apt (Ubuntu Xenial):
importance: Undecided → High
Changed in python-apt (Ubuntu):
importance: Undecided → High
Changed in python-apt (Ubuntu Bionic):
importance: Undecided → Critical
importance: Critical → High
David Negreira (dnegreira) wrote :

Hello,

I have tested with the test package 1.6.5ubuntu0.4+testpkg20201220b1 provided by ~slashd on his ppa[1] on bionic with all updates applied and this fixes the segmentation fault issue.

Steps to test:
1) On the LDS server, create a package profile that installs a single package, 'hello' is enough.
2) On the LDS server, apply the package profile to a client
3) On the LDS client, verify that there is no segfault message on '/var/log/kern.log'
4) On the LDS server, verify that the activity to apply the package profile ends with success.

Before ~slashd's fix, step 3) would show a segfault and, in step 4), the activity would stay 'In Progress' forever.

[1] https://launchpad.net/~slashd/+archive/ubuntu/sruverif

Eric Desrochers (slashd) on 2020-12-20
description: updated
Julian Andres Klode (juliank) wrote :

Yes, the security team has had the packages ready to go out for a week now, essentially.

Eric Desrochers (slashd) wrote :

This package is 'native' and I don't want for instance to introduce 'quilt' before talking to the maintainer.

@julian, how do you want to proceed to fix this bug in python-apt ?

- Eric

description: updated
Julian Andres Klode (juliank) wrote :

They prepared the updates on the same day as the fix (well, the full regression fix with the follow-up commits) but did not roll out the fix so far because only dak reported a regression and codesearch did not yield any other users of that interface.

Julian Andres Klode (juliank) wrote :

Eric, the updates are built ready in the security team PPA since Dec 10 and only need to be released. I've subscribed security team, but you might want to talk to them directly.

Eric Desrochers (slashd) wrote :

@julian, thanks for the quick reply. Will do.

Changed in python-apt (Ubuntu):
status: New → Fix Released
description: updated
Eric Desrochers (slashd) wrote :

This is fixed in the active development release (hirsute):

python-apt (2.1.7) unstable; urgency=medium

  * SECURITY UPDATE: various memory and file descriptor leaks (LP: #1899193)
    - python/arfile.cc, python/generic.h, python/tag.cc, python/tarfile.cc:
      fix file descriptor and memory leaks
    - python/apt_instmodule.cc, python/apt_instmodule.h, python/arfile.h:
      Avoid reference cycle with control,data members in apt_inst.DebFile
      objects
    - tests/test_cve_2020_27351.py: Test cases for DebFile (others not easily
      testable)
  * Regression fixes for the updates merged too:
    - arfile.cc: Fix segmentation fault when opening fd, track lifetime correctly
      (Closes: #977000)
    - arfile: Regression: Collect file<->deb/ar reference cycles

Marc Deslauriers (mdeslaur) wrote :

There are updates for this issue built in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

David Negreira (dnegreira) wrote :

I have run tests on Xenial, Bionic and Focal, exactly the same as in comment #2, this time with the packages from the ubuntu-security-proposed PPA shown in comment #9, and I can confirm that this fixes the issues as well.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 2.1.3ubuntu1.3

---------------
python-apt (2.1.3ubuntu1.3) groovy-security; urgency=medium

  * REGRESSION UPDATE: Passing a file descriptor to apt_inst.ArFile or
    apt_inst.DebFile caused a segmentation fault (LP: #1907676)
    - python/arfile.cc: Fix segmentation fault when opening fd, track
      lifetime correctly

 -- Marc Deslauriers <email address hidden> Thu, 10 Dec 2020 09:43:25 -0500

Changed in python-apt (Ubuntu Groovy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.1.0~beta1ubuntu0.16.04.11

---------------
python-apt (1.1.0~beta1ubuntu0.16.04.11) xenial-security; urgency=medium

  * REGRESSION UPDATE: Passing a file descriptor to apt_inst.ArFile or
    apt_inst.DebFile caused a segmentation fault (LP: #1907676)
    - python/arfile.cc: Fix segmentation fault when opening fd, track
      lifetime correctly

 -- Marc Deslauriers <email address hidden> Thu, 10 Dec 2020 09:48:37 -0500

Changed in python-apt (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 1.6.5ubuntu0.5

---------------
python-apt (1.6.5ubuntu0.5) bionic-security; urgency=medium

  * REGRESSION UPDATE: Passing a file descriptor to apt_inst.ArFile or
    apt_inst.DebFile caused a segmentation fault (LP: #1907676)
    - python/arfile.cc: Fix segmentation fault when opening fd, track
      lifetime correctly

 -- Marc Deslauriers <email address hidden> Thu, 10 Dec 2020 09:48:08 -0500

Changed in python-apt (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-apt - 2.0.0ubuntu0.20.04.3

---------------
python-apt (2.0.0ubuntu0.20.04.3) focal-security; urgency=medium

  * REGRESSION UPDATE: Passing a file descriptor to apt_inst.ArFile or
    apt_inst.DebFile caused a segmentation fault (LP: #1907676)
    - python/arfile.cc: Fix segmentation fault when opening fd, track
      lifetime correctly

 -- Marc Deslauriers <email address hidden> Thu, 10 Dec 2020 09:46:50 -0500

Changed in python-apt (Ubuntu Focal):
status: New → Fix Released
Changed in python-apt (Debian):
status: Unknown → Fix Released
This report contains Public Security information.
Everyone can see this security related information.