smart does not gracefully handle invalid Releases/Packages files

Bug #855887 reported by Joseph Salisbury
This bug affects 7 people
Affects                 Status      Importance   Assigned to   Milestone
Smart Package Manager   New         Undecided    Unassigned
smart (Ubuntu)          Confirmed   Medium       Unassigned
Nominated for Lucid by Jonathan Davies
Nominated for Oneiric by Jonathan Davies

Bug Description

The Landscape Client, which uses smart, fails with the following error at times:

error: Channel 'lucid-updates - main restricted universe multiverse' signed with unknown key

This causes the Landscape Client to break package related operations, with messages such as these in package-reporter.log:

2011-09-20 10:32:12,428 WARNING [MainThread] '/usr/lib/landscape/smart-update'
exited with status 1 (error: Channel 'stable - main' signed with unknown key

This issue is not restricted to a particular mirror/proxy/package repository.

This issue can be worked around using:

$ sudo rm -vrf /var/lib/smart/*
$ sudo /usr/share/smart/smart update

The issue appears to be that smart does not verify if the file it has downloaded is a valid Releases{.gpg} file and caches it regardless. Once this is placed in /var/lib/smart/channels/ - this is not removed unless it is rm -f'ed.

APT verifies that a Release/Package file is valid by seeing if it can be RFC822 parsed. It will simply discard and delete that which cannot be parsed. This is the code it uses for this:

$ bzr diff -r 2125..2127 http://bzr.debian.org/bzr/apt/apt/debian-sid | less

Attached is an example of a corrupted smart directory where:

- var/lib/smart/channels/aptsync-55bfeb83793f2e1e1f12f59e614ddaa1%%http:__gb.archive.ubuntu.com_ubuntu_dists_lucid_Release.gpg

Is an HTML redirect page which has been cached.
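The validation the report asks for, written out as an added example; this is not code from smart, from APT or from anyone in this thread. It parses a downloaded Release or Packages file strictly as RFC822-style stanzas (the format APT parses), requires the fields such a file must carry (Suite/Codename/Date for Release, Package/Version/Filename for Packages: a policy choice made here, not APT's exact rule), and accepts a Release.gpg only if it is ASCII-armored PGP signature text. An HTML redirect page like the one cached in the attached directory fails every check and would be discarded rather than written to the channel cache. All sample inputs below are constructed for the example, and the "signature" is a placeholder, not a real signature.

```python
"""Sanity checks for downloaded apt-style index files (added example)."""
from __future__ import annotations

import re

# A field line is 'Key: value'; keys are the usual deb822 token characters.
KEY_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]*):(.*)$")
ARMOR_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
ARMOR_END = b"-----END PGP SIGNATURE-----"


class InvalidIndexFile(ValueError):
    """The download is not the kind of index file its name claims."""


def parse_deb822(data: bytes) -> list[dict[str, str]]:
    """Strict RFC822-style stanza parser for Release/Packages.

    Every line must be a 'Key: value' field, a whitespace-led continuation of
    the previous field, or a blank stanza separator. Anything else (an HTML
    tag, a proxy error banner) raises InvalidIndexFile instead of parsing.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise InvalidIndexFile("not valid UTF-8 text") from exc
    stanzas: list[dict[str, str]] = []
    current: dict[str, str] = {}
    last_key = None
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip():            # blank line closes the stanza
            if current:
                stanzas.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t":            # continuation (hash lists, descriptions)
            if last_key is None:
                raise InvalidIndexFile(f"line {lineno}: continuation without a field")
            current[last_key] += "\n" + line.strip()
            continue
        match = KEY_RE.match(line)
        if not match:
            raise InvalidIndexFile(f"line {lineno}: not a field line: {line[:40]!r}")
        last_key = match.group(1)
        current[last_key] = match.group(2).strip()
    if current:
        stanzas.append(current)
    if not stanzas:
        raise InvalidIndexFile("no stanzas found")
    return stanzas


def check_release(data: bytes) -> dict[str, str]:
    """A Release file is one stanza; require fields every Debian/Ubuntu Release carries."""
    stanzas = parse_deb822(data)
    if len(stanzas) != 1:
        raise InvalidIndexFile(f"Release must be a single stanza, got {len(stanzas)}")
    missing = [k for k in ("Suite", "Codename", "Date") if k not in stanzas[0]]
    if missing:
        raise InvalidIndexFile(f"Release is missing fields: {missing}")
    return stanzas[0]


def check_packages(data: bytes) -> list[dict[str, str]]:
    """Every Packages stanza must at least name a package, version and .deb path."""
    stanzas = parse_deb822(data)
    for index, stanza in enumerate(stanzas):
        for key in ("Package", "Version", "Filename"):
            if key not in stanza:
                raise InvalidIndexFile(f"Packages stanza {index} lacks {key}")
    return stanzas


def check_release_gpg(data: bytes) -> bytes:
    """Release.gpg must be ASCII-armored signature text. Cryptographic
    verification still needs the keyring; this only rejects non-signatures."""
    body = data.strip()
    if not (body.startswith(ARMOR_BEGIN) and body.endswith(ARMOR_END)):
        raise InvalidIndexFile("Release.gpg is not an ASCII-armored PGP signature")
    return data


def should_cache(filename: str, data: bytes) -> tuple[bool, str]:
    """Gate for the channel cache: (True, 'ok') or (False, reason to discard)."""
    try:
        if filename.endswith("Release.gpg"):
            check_release_gpg(data)
        elif filename.endswith("Release"):
            check_release(data)
        elif filename.endswith("Packages"):
            check_packages(data)
        else:
            return False, "unknown index type"
    except InvalidIndexFile as exc:
        return False, str(exc)
    return True, "ok"


# --- constructed sample inputs (not real repository data) ---
GOOD_RELEASE = b"""Origin: Ubuntu
Suite: lucid
Codename: lucid
Date: Thu, 29 Apr 2010 17:24:05 UTC
Components: main restricted universe multiverse
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages
"""
GOOD_PACKAGES = b"""Package: hello
Version: 2.5-1
Filename: pool/main/h/hello/hello_2.5-1_amd64.deb
Description: constructed stanza
 second line of the description

Package: world
Version: 1.0
Filename: pool/main/w/world/world_1.0_amd64.deb
"""
HTML_REDIRECT = b"""<!DOCTYPE html>
<html><head><meta http-equiv="refresh" content="0; url=/ubuntu/dists/lucid/Release.gpg">
</head><body>Redirecting...</body></html>
"""
PLACEHOLDER_SIG = ARMOR_BEGIN + b"\n\niQEcBAABAgAGBQJNOTREAL=\n=abcd\n" + ARMOR_END + b"\n"

if __name__ == "__main__":
    for name, blob in [("Release", GOOD_RELEASE), ("Release.gpg", HTML_REDIRECT),
                       ("Release.gpg", PLACEHOLDER_SIG), ("Packages", HTML_REDIRECT)]:
        print(name, should_cache(name, blob))
```

Dropping the download on failure is the same discipline APT applies: a file that does not parse as the index it is supposed to be never reaches the cache, so a transient proxy page cannot poison every later `smart update` until someone wipes /var/lib/smart by hand.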

Changed in smart (Ubuntu):
status: New → Confirmed
Revision history for this message
Jonathan Davies (jpds) wrote :
summary: - smart does not gracefully handle Releases/Packages files
+ smart does not gracefully handle invalid Releases/Packages files
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

There is a smart package currently in {lucid,maverick,natty}-proposed that catches http error codes. One such case was a 401 error (unauthorized), which was also being downloaded as a Release file.

You nominated this bug for oneiric, are you sure it happens there as well? I ask because the fix which was backported to lucid, maverick and natty is already present in oneiric.

Revision history for this message
Jonathan Davies (jpds) wrote :

We have reason to believe that this bug is unrelated to proxy/authorization 401 errors, as some of the people affected are not behind a proxy.

What we are requesting is that smart verifies that what it has downloaded is sane, and an expected result; just as APT does.

I have not tested this in oneiric (though the only difference in the related code appears to have been the trustdb additions in 1.4).

Changed in smart (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Damiön la Bagh (kat-amsterdam) wrote :

This happens on a Fresh install of 10.04.4 with a fresh install of smart.
Since it's not recommended to upgrade to 12.04.0 until 12.04.1 this should really be fixed.

command was

sudo smart --gui update
sudo smart --gui upgrade
