On Wed, Mar 29, 2023 at 03:40:21AM +0200, Vincent Lefevre wrote:
> On 2023-03-28 20:37:56 -0300, Antonio Terceiro wrote:
> > Still, I see no evidence that this is caused by the Ruby interpreter.
> > For example apt-listbugs uses a SOAP library that is severely
> > unmaintained upstream and has been on life support for some time now. It
> > could be that library that is doing crazy things when the server does
> > not reply in exactly the way it expects.
> 
> Note that in both failures, a line of the source, e.g.
> 
>   /usr/lib/ruby/3.0.0/uri/generic.rb
> 
> or
> 
>   /usr/lib/ruby/3.0.0/bundler/vendor/uri/lib/uri/generic.rb
> 
> for "      # returns password\n" in my case in 2022, and
> 
>   /usr/lib/ruby/vendor_ruby/aptlistbugs/logic.rb
> 
> for "    if /proxy_detect='(.*)'/ =~ `apt-config \#{@apt_conf} shell proxy_detect acquire::http::proxy-auto-detect`\n"
> in the other case a few days ago, is regarded by the Ruby interpreter
> as a String. Has any .rb library, even if severely buggy, the power
> to do that?

From what I can tell, the only dependency of apt-listbugs that calls
\.default on anything is ruby-soap4r:

/usr/share/rubygems-integration/all/gems/soap4r-ruby1.9-2.0.5/lib/soap/mapping/factory.rb
344-      return nil
345-    end
346:    if !obj.default.nil? or
347-    (obj.respond_to?(:default_proc) and obj.default_proc)
348-      return nil

/usr/share/rubygems-integration/all/gems/soap4r-ruby1.9-2.0.5/lib/soap/mapping/rubytypeFactory.rb
114-        param.add("item", elem)
115-      end
116:      param.add('default', Mapping._obj2soap(obj.default, map))
117-      addiv2soapattr(param, obj, map)
118-    when ::Regexp
--
300-      end
301-      if node.key?('default')
302:        obj.default = Mapping._soap2obj(node['default'], map)
303-      end
304-    when TYPE_REGEXP

One thing that could be happening is that soap4r is being fooled into
opening local files and that is triggered by some (corrupt?) response
from the server.

If anyone can still see this bug, it would be nice to configure
apt-listbugs in debug mode, e.g. setting

DPkg::Pre-Install-Pkgs {"/usr/bin/apt-listbugs -d apt";};

in /etc/apt/apt.conf.d/10apt-listbugs (i.e. adding the `-d` option), so
that when it happens we have a trace of the requests/responses.

> Otherwise, could it be that apt-listbugs invokes the `default' method
> of some object obtained by SOAP, but this would mean that the server
> sends some part of .rb code as a String object in some cases? (This
> seems rather unlikely, and that could imply a security issue on the
> client side, if the client doesn't check what it receives.)

This is unlikely since debbugs is written in Perl. There is probably not
even Ruby installed in the server.

> IMHO, this looks like some kind of pointer corruption.

Could be this as well.
