Bug#428057: marked as done (dpkg allows installation of broken .deb files)

Debian Bug Tracking System Sun, 03 Mar 2019 18:49:16 -0800

Your message dated Mon, 4 Mar 2019 03:43:23 +0100
with message-id <[email protected]>
and subject line Re: Bug#178735: dpkg: broken debs can easily be installed
has caused the Debian Bug report #178735,
regarding dpkg allows installation of broken .deb files
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
178735: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=178735
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: dpkg
Version: 1.13.25
Severity: grave


Hello,

during a class explaining to the participants how important the
consistent state of a system is, dpkg happily installed a broken
Debian package, which was corrupted during transmission from a
mirror. Attached is a type script of the installation, the corrupt
package in question can be downloaded from http://scratch.spiney.org/
for further investigation (the file with the .ok extension is the same
file without the corruption).

Basically this seems to be the same as #178735 which is over 4 years old
and is still not fixed, hence I submit a new bugreport with severity
grave.

Kind regards
WK

etch:/home# dpkg -i mysql-server-5.0_5.0.32-7etch1_i386.deb
Selecting previously deselected package mysql-server-5.0.
(Reading database ... 18792 files and directories currently installed.)
Unpacking mysql-server-5.0 (from mysql-server-5.0_5.0.32-7etch1_i386.deb) ...
Setting up mysql-server-5.0 (5.0.32-7etch1) ...
chown: cannot access `/usr/share/mysql': No such file or directory
chown: cannot access `/var/run/mysqld': No such file or directory

etch:/home# dpkg -c mysql-server-5.0_5.0.32-7etch1_i386.deb
drwxr-xr-x root/root         0 2007-03-18 22:05 ./
drwxr-xr-x root/root         0 2007-03-18 22:05 ./etc/
drwxr-xr-x root/root         0 2007-03-18 22:05 ./etc/init.d/
-rwxr-xr-x root/root      1931 2007-03-18 21:51 ./etc/init.d/mysql-ndb-mgm
-rwxr-xr-x root/root      2547 2007-03-18 21:51 ./etc/init.d/mysql-ndb
-rwxr-xr-x root/root      6127 2007-03-18 21:51 ./etc/init.d/mysql
drwxr-xr-x root/root         0 2007-03-18 22:05 ./etc/logrotate.d/
-rw-r--r-- root/root       869 2007-03-18 22:05 ./etc/logrotate.d/mysql-server
drwxr-xr-x root/root         0 2007-03-18 22:05 ./etc/mysql/
-rwxr-xr-x root/root      1114 2007-03-18 22:05 ./etc/mysql/debian-start
drwxr-xr-x root/root         0 2007-03-18 22:05 ./etc/logcheck/
drwxr-xr-x root/root         0 2007-03-18 22:05 
./etc/logcheck/ignore.d.workstation/
-rw-r--r-- root/root      2244 2007-03-18 22:05 
./etc/logcheck/ignore.d.workstation/mysql-server-5_0
drwxr-xr-x root/root         0 2007-03-18 22:05 ./etc/logcheck/ignore.d.server/
-rw-r--r-- root/root      2244 2007-03-18 22:05 
./etc/logcheck/ignore.d.server/mysql-server-5_0
drwxr-xr-x root/root         0 2007-03-18 22:05 
./etc/logcheck/ignore.d.paranoid/
-rw-r--r-- root/root       889 2007-03-18 22:05 
./etc/logcheck/ignore.d.paranoid/mysql-server-5_0
drwxr-xr-x root/root         0 2007-03-18 22:05 ./usr/
drwxr-xr-x root/root         0 2007-03-18 22:05 ./usr/bin/
-rwxr-xr-x root/root   1258556 2007-03-18 22:05 ./usr/bin/comp_err
-rwxr-xr-x root/root      7576 2007-03-18 22:05 ./usr/bin/innochecksum
-rwxr-xr-x root/root      1462 2007-03-18 22:05 ./usr/bin/msql2mysql
-rwxr-xr-x root/root   1586012 2007-03-18 22:05 ./usr/bin/myisamchk
-rwxr-xr-x root/root   1481596 2007-03-18 22:05 ./usr/bin/myisamlog
-rwxr-xr-x root/root   1503132 2007-03-18 22:05 ./usr/bin/myisampack
-rwxr-xr-x root/root   1259068 2007-03-18 22:05 ./usr/bin/my_print_defaults
-rwxr-xr-x root/root     85796 2007-03-18 22:05 ./usr/bin/mysqlbinlog
-rwxr-xr-x root/root      3098 2007-03-18 22:05 
./usr/bin/mysql_convert_table_format
-rwxr-xr-x root/root     35544 2007-03-18 22:05 
./usr/bin/mysql_create_system_tables
-rwxr-xr-x root/root     23232 2007-03-18 22:05 ./usr/bin/mysqld_multi
-rwxr-xr-x root/root     12991 2007-03-18 22:05 ./usr/bin/mysqld_safe
-rwxr-xr-x root/root      5357 2007-03-18 22:05 
./usr/bin/mysql_fix_privilege_tables
-rwxr-xr-x root/root     33225 2007-03-18 22:05 ./usr/bin/mysqlhotcopy
-rwxr-xr-x root/root      8922 2007-03-18 22:05 ./usr/bin/mysql_install_db
-rwxr-xr-x root/root      6308 2007-03-18 22:05 
./usr/bin/mysql_secure_installation
-rwxr-xr-x root/root     17446 2007-03-18 22:05 ./usr/bin/mysql_setpermission
-rwxr-xr-x root/root    116892 2007-03-18 22:05 ./usr/bin/mysqltest
-rwxr-xr-x root/root   1245256 2007-03-18 22:05 ./usr/bin/mysql_tzinfo_to_sql
-rwxr-xr-x root/root     15756 2007-03-18 22:05 ./usr/bin/mysql_upgrade
-rwxr-xr-x root/root      5386 2007-03-18 22:05 ./usr/bin/mysql_upgrade_shell
-rwxr-xr-x root/root      3118 2007-03-18 22:05 ./usr/bin/mysql_zap
-rwxr-xr-x root/root   1451036 2007-03-18 22:05 ./usr/bin/ndb_config
-rwxr-xr-x root/root   1908828 2007-03-18 22:05 ./usr/bin/ndb_delete_all
-rwxr-xr-x root/root   1908604 2007-03-18 22:05 ./usr/bin/ndb_desc
-rwxr-xr-x root/root   1906172 2007-03-18 22:05 ./usr/bin/ndb_drop_index
-rwxr-xr-x root/root   1906204 2007-03-18 22:05 ./usr/bin/ndb_drop_table
-rwxr-xr-x root/root      2455 2007-03-18 22:05 ./usr/bin/ndb_error_reporter
-rwxr-xr-x root/root   1430844 2007-03-18 22:05 ./usr/bin/ndb_mgm
-rwxr-xr-x root/root   1954236 2007-03-18 22:05 ./usr/bin/ndb_restore
-rwxr-xr-x root/root   1913084 2007-03-18 22:05 ./usr/bin/ndb_select_all
-rwxr-xr-x root/root   1908668 2007-03-18 22:05 ./usr/bin/ndb_select_count
-rwxr-xr-x root/root   1908700 2007-03-18 22:05 ./usr/bin/ndb_show_tables
-rwxr-xr-x root/root     10793 2007-03-18 22:05 ./usr/bin/ndb_size
-rwxr-xr-x root/root     13440 2007-03-18 22:05 ./usr/bin/ndb_test_platform
-rwxr-xr-x root/root   1910140 2007-03-18 22:05 ./usr/bin/ndb_waiter
-rwxr-xr-x root/root   1272220 2007-03-18 22:05 ./usr/bin/perror
-rwxr-xr-x root/root   1253532 2007-03-18 22:05 ./usr/bin/replace
tar: Skipping to next header
tar: Error exit delayed from previous errors
dpkg-deb: subprocess tar returned error exit status 2
etch:/home#

--- End Message ---

--- Begin Message ---

Hi!

On Tue, 2003-01-28 at 10:31:49 +0800, Dan Jacobson wrote:
> Package: dpkg
> Version: 1.10.9
> Severity: normal
> File: /usr/bin/dpkg

> I had an easy time installing this
> 
> # dpkg -i mplayer-k6_0.90rc3-0.0_i386.deb 
> Selecting previously deselected package mplayer-k6.
> (Reading database ... 170217 files and directories currently installed.)
> Unpacking mplayer-k6 (from mplayer-k6_0.90rc3-0.0_i386.deb) ...
> Setting up mplayer-k6 (0.90rc3-0.0) ...
> 
> even though
> $ dpkg -c mplayer-k6_0.90rc3-0.0_i386.deb|grep -v /$|wc -l
> tar: Skipping to next header
> tar: Archive contains obsolescent base-64 headers
> tar: Error exit delayed from previous errors
> dpkg-deb: subprocess tar returned error exit status 2
>      42 #taking out dirs
> $ wc -l md5sums 
>      53  md5sums
> 
> i.e. the md5sums weren't even apparently done, or if they were then
> missing files aren't causes for error. i.e. bad md sum will be caught
> but missing files wont?
> Anyway, I'm startled how easy it is to only install 3/4 of a .deb and
> dpkg doesn't prevent it!
> 
> Perhaps I corrupted my copy of this file, I will retry later, but that's not 
> the point.

No, the file was generated with a tar version that was creating base64
fields in the tar entries, and dpkg was not supporting those.

The parsing of tar archives has since been made more robust and
strict, and this should not happen anymore. I modiyfied an existing
.deb to convert its size field into the obsolete base64 format (and
updating its checksum to make it valid), and also damaged one of the
entries by tweaking its chekcsum so it would not validate. This is the
resulting .deb:

  ,---
  $ dpkg-deb -c fbset_2.1-30_amd64.deb
  drwxr-xr-x root/root         0 2017-11-12 00:29 ./
  drwxr-xr-x root/root         0 2017-11-12 00:29 ./bin/
  tar: Archive contains obsolescent base-64 headers
  -rwxr-xr-x root/root     14328 2017-11-12 00:29 ./bin/con2fbmap
  […]
  drwxr-xr-x root/root         0 2017-11-12 00:29 ./usr/share/doc/fbset/
  tar: Skipping to next header
  -rw-r--r-- root/root      1776 1999-01-17 20:15 
./usr/share/doc/fbset/GetVideoMode.c.gz
  […]
  -rw-r--r-- root/root      1827 2017-11-12 00:29 
./usr/share/man/man5/fb.modes.5.gz
  tar: Exiting with failure status due to previous errors
  dpkg-deb: error: tar subprocess returned error exit status 2
  `---

This then generates the following error during installation:

  ,---
  $ sudo dpkg  -i fbset_2.1-30_amd64.deb
  (Reading database ... 286793 files and directories currently installed.)
  Preparing to unpack fbset_2.1-30_amd64.deb ...
  Unpacking fbset (2.1-30) over (2.1-30) ...
  dpkg: error processing archive fbset_2.1-30_amd64.deb (--install):
   corrupted filesystem tarfile in package archive: invalid tar header size 
field (Numerical result out of range)
  dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
  Errors were encountered while processing:
   fbset_2.1-30_amd64.deb
  `---

So this problem reported is fixed. But during the testing of this I
found a couple of problems (a double free, and some confusing error
messages which I'll be fixing for 1.19.6.

In any case, I'm closing this report as solved now.

Thanks,
Guillem

--- End Message ---

Bug#428057: marked as done (dpkg allows installation of broken .deb files)

Reply via email to