gnome-software crashes in as_app_parse_desktop_file

Bug #1744941 reported by Marco Trevisan (Treviño) on 2018-01-23
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
appstream-glib (Ubuntu) | | High | Marco Trevisan (Treviño) |
Xenial | | High | Marco Trevisan (Treviño) |
Artful | | High | Unassigned |
Bionic | | High | Marco Trevisan (Treviño) |

Bug Description

[ Impact ]

Malformed .desktop files might cause crashes because
the returned list is NULL.

[ Test case ]
 - Download this .desktop file and copy it into one of your XDG_DATA_DIRS
   (i.e. ~/.local/share/applications):
   https://github.com/hughsie/appstream-glib/files/1656100/org.gnome.frogr.desktop.gz
 - Run gnome-software; it must not crash.

[ Regression potential ]

Missing metadata from .desktop files, but really this is just a null-check fix, so there is not really anything that might get worse.

----

See more at upstream bug: https://github.com/hughsie/appstream-glib/pull/221

This affects all the releases since xenial.
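
The failure mode described above, as an added example that is not appstream-glib's code: a list getter that returns NULL for a malformed entry, and a caller that checks the result before iterating. `get_string_list` and `count_categories` are hypothetical stand-ins, and the sample lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical list getter: parses "Key=a;b;c;" into a NULL-terminated array.
 * Returns NULL when the key is absent or the line has no '=' (malformed). */
static char **get_string_list(const char *line, const char *key)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != '=')
        return NULL;
    const char *p = line + klen + 1;
    char **list = calloc(strlen(p) + 1, sizeof *list);  /* zeroed => terminated */
    if (list == NULL) return NULL;
    size_t n = 0;
    while (*p != '\0') {
        size_t len = strcspn(p, ";");
        if (len > 0) {
            char *item = malloc(len + 1);
            if (item == NULL) break;
            memcpy(item, p, len);
            item[len] = '\0';
            list[n++] = item;
        }
        p += len;
        if (*p == ';') p++;
    }
    return list;
}

/* Returns the number of categories, or -1 for a malformed entry. */
static int count_categories(const char *line)
{
    char **list = get_string_list(line, "Categories");
    if (list == NULL)   /* the guard: without it, list[n] below reads through NULL */
        return -1;
    int n = 0;
    for (; list[n] != NULL; n++)
        free(list[n]);
    free(list);
    return n;
}

int main(void)
{
    printf("%d\n", count_categories("Categories=GNOME;GTK;Photography;")); /* constructed */
    printf("%d\n", count_categories("Categories"));  /* constructed, malformed */
    return 0;
}
```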

The attachment "Debdiff for xenial package" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Matthias Klumpp (ximion) wrote :

Wrong project, this is not in AppStream, but appstream-glib (thanks for the patch though! :-) )

affects: appstream (Ubuntu) → appstream-glib (Ubuntu)
Iain Lane (laney) wrote :

Thanks.

Please could you make the bug description SRU compliant?

For B we should probably fix this by taking the whole new point release.

Changed in appstream-glib (Ubuntu Xenial):
importance: Undecided → High
Changed in appstream-glib (Ubuntu Artful):
importance: Undecided → High
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package appstream-glib - 0.7.7-1

---------------
appstream-glib (0.7.7-1) unstable; urgency=medium

  [ Matthias Klumpp ]
  * New upstream version: 0.7.7
  * Update Vcs-* URLs for switch to Salsa
  * d/libappstream-glib8.symbols: Update symbols
  * Switch to dh compat level 11
  * d/copyright: Use secure URLs

  [ Iain Lane ]
  * New upstream version: 0.7.6
    - Builds properly (Closes: #890893)
    - Add support for release types
    - Do not dereference invalid lists when parsing invalid desktop files (LP:
      #1744941)
    - Fix an invalid read when using as_app_parse_data() from Python
    - Never include '&' in attribute values
    - Add as_app_parse_data()
    - Add as_store_get_apps_by_provide()
    - Add more GObject Introspection annotations for Python
    - Support OARS v1.1 additions
    - Use pngquant to make the application icons take up less space
  * Fix meson options to drop 'enable', following upstream.
  * debian/control: Bump json-glib version, following upstream.
  * debian/libappstream-glib8.symbols: New symbols for these releases.

 -- Matthias Klumpp <email address hidden> Thu, 15 Mar 2018 08:34:36 +0100

Changed in appstream-glib (Ubuntu Bionic):
status: In Progress → Fix Released
Iain Lane (laney) wrote :

seb poked me about this, and now it is uploaded for xenial, thanks!

Changed in appstream-glib (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Andronux (andronuxx27) on 2018-04-11
Changed in appstream-glib (Ubuntu Artful):
status: New → Confirmed
Łukasz Zemczak (sil2100) wrote :

Does this bug indeed also affect artful? If that's the case then we'd need it prepared and uploaded for artful before getting the xenial one accepted.

On Thu, Apr 12, 2018 at 09:29:47AM -0000, Łukasz Zemczak wrote:
> Does this bug indeed also affect artful? If that's the case then we'd
> need it prepared and uploaded for artful before getting the xenial one
> accepted.

Is this policy? If so, it's not one I'm aware of - can you clarify
please?

My understanding of the position was that you have to make sure a proper
package upgrade path is maintained, basically that the versions go in
the right direction and that the package is upgradable. Apart from that
I thought it was at the discretion of the uploader exactly which
releases they wanted to fix. Is that wrong?

Cheers,

--
Iain Lane [ <email address hidden> ]
Debian Developer [ <email address hidden> ]
Ubuntu Developer [ <email address hidden> ]

Robie Basak (racb) wrote :

> Malformed .desktop files might cause crashes...

Does it actually cause crashes for Xenial users in practice? If not, what's the justification for SRUing it?

> Is this policy?

I'm not sure. Perhaps we should clarify it on a mailing list and then document the answer, because it's something that I think comes up fairly regularly.

Simon Quigley (tsimonq2) wrote :

Unsubscribing sponsors as there's nothing left to sponsor.

Artful is also EOL.

Ping, Iain and Robie.

Changed in appstream-glib (Ubuntu Artful):
status: Confirmed → Won't Fix

> Does it actually cause crashes for Xenial users in practice? If not, what's the justification for SRUing it?

Yes indeed, if they had installed any custom .desktop file around. And that might happen.
It's not a xenial issue per se, but there are scenarios where this happens (like my install).

Or well, any snap could for example ship a wrong .desktop file and make gnome-software not work...
