Package: apt
Version: 2.5.2
Severity: normal

apt contains an arbitrary hardcoded limit on the size of tagfiles:

bool pkgTagFile::Resize()
{
   // fail is the buffer grows too big
   if(d->Size > 1024*1024+1)
      return false;

   return Resize(d->Size * 2);
}

I wrote the following quick test script before finding this limit:

$ cat t.py
#! /usr/bin/python3

from argparse import ArgumentParser
import tempfile

import apt_pkg

apt_pkg.init()

parser = ArgumentParser()
parser.add_argument("length", type=int)
args = parser.parse_args()

with tempfile.TemporaryFile() as f:
    f.write(b"Format: 1.8\nChanges:\n ")
    f.write(b"x" * args.length)
    f.write(b"\n")
    f.seek(0)
    list(apt_pkg.TagFile(f, bytes=True))
$ ./t.py 1048677
$ ./t.py 1048678
Traceback (most recent call last):
  File "/home/cjwatson/./t.py", line 19, in <module>
    list(apt_pkg.TagFile(f, bytes=True))
apt_pkg.Error: E:Unable to parse package file (1)

(I'm not sure exactly why the threshold is 1024*1024+102; presumably the resize steps don't quite take us through exact powers of two.)

We actually encountered this in practice. Somebody uploaded a kernel package to Launchpad with a ~2.4 MiB .changes file, mostly consisting of a probably-autogenerated changelog with lots of commit messages, and the upload failed due to this.

I think I'd prefer this *not* to be configurable, to minimize situations where tag files can be parsed in some environments but not others. I don't know whether it's possible to reasonably avoid having an arbitrary limit at all. Even if not, 1 MiB seems pretty small compared to memory sizes these days; perhaps this could be raised?

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-41-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_LIVEPATCH
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages apt depends on:
ii  adduser                 3.127
ii  debian-archive-keyring  2021.1.1
ii  gpgv                    2.2.35-3
ii  libapt-pkg6.0           2.5.2
ii  libc6                   2.34-4
ii  libgcc-s1               12.2.0-1
ii  libgnutls30             3.7.7-2
ii  libseccomp2             2.5.4-1+b1
ii  libstdc++6              12.2.0-1
ii  libsystemd0             251.4-1

Versions of packages apt recommends:
ii  ca-certificates  20211016

Versions of packages apt suggests:
pn  apt-doc                     <none>
pn  aptitude | synaptic | wajig <none>
ii  dpkg-dev                    1.21.9
ii  gnupg                       2.2.35-3
ii  gnupg1                      1.4.23-1.1+b1
ii  gnupg2                      2.2.35-3
ii  powermgmt-base              1.37

-- no debconf information

Thanks,

-- 
Colin Watson [cjwat...@debian.org]
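
A pre-upload check for the failure described in the report, as an added example that is not part of the original message or of apt: it measures each stanza of a tag file without using apt_pkg and flags those above a threshold. The names `STANZA_LIMIT`, `stanza_sizes`, `oversized_stanzas` and `sample_changes` are hypothetical, the threshold is an assumption taken from the constant in the quoted `Resize()`, and the input is assumed to be the unsigned file body.

```python
import io

# Assumption: a conservative threshold taken from the 1024*1024 constant in
# the Resize() check quoted in the report; apt's exact failure point is
# slightly higher, so anything flagged here is at or near the limit.
STANZA_LIMIT = 1024 * 1024


def stanza_sizes(stream):
    """Yield one dict per blank-line-separated stanza of a binary tag file:
    first line number, total bytes, and the largest field with its bytes."""
    start, size, fields, current = 0, 0, {}, None

    def summary():
        name = max(fields, key=fields.get) if fields else None
        return {"line": start, "size": size, "field": name,
                "field_size": fields.get(name, 0)}

    for lineno, line in enumerate(stream, 1):
        if not line.strip():               # blank line: stanza boundary
            if size:
                yield summary()
            size, fields, current = 0, {}, None
            continue
        if size == 0:
            start = lineno
        size += len(line)
        if line[:1] not in (b" ", b"\t"):  # not a continuation: new field
            current = line.split(b":", 1)[0].decode("ascii", "replace")
        if current is not None:
            fields[current] = fields.get(current, 0) + len(line)
    if size:
        yield summary()


def oversized_stanzas(stream, limit=STANZA_LIMIT):
    """Return the stanzas whose size in bytes exceeds the limit."""
    return [s for s in stanza_sizes(stream) if s["size"] > limit]


def sample_changes(length):
    """Constructed input shaped like the report's t.py, plus a small stanza."""
    return io.BytesIO(b"Format: 1.8\nChanges:\n " + b"x" * length +
                      b"\n\nPackage: demo\n")


if __name__ == "__main__":
    for n in (1000, 1048678):
        print(n, oversized_stanzas(sample_changes(n)))
```

The reported field name and size point at what to trim, which in the case described in the report would be the autogenerated Changes text.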