[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
Test case for xenial / trusty

** Attachment added: "testcase.py"
   https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1737441/+attachment/5161874/+files/testcase.py

** Changed in: python-apt (Ubuntu Xenial)
       Status: Triaged => In Progress

** Summary changed:

- /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
+ python-apt crashes if objects of one cache are passed to depcache belonging to another cache

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1737441

Title:
  python-apt crashes if objects of one cache are passed to depcache
  belonging to another cache

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/1737441/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Description changed:

+ [Impact]
+ Some applications, like unattended-upgrades or update-manager, reopen the apt cache. They also keep around old apt.Package objects however, and operate on them after reopening. Under the hood, this means that apt_pkg.Package objects belonging to an old cache are passed to a new cache.
+ 
+ APT relies on the ID of the package (it's position in the cache) for
+ it's operation. So if a package has ID 0 in the old cache, and a
+ different package has ID 0 in the new cache, performing operations on
+ the old package would perform it on the new package. If the old
+ package's ID is out of bounds in the new cache, the behavior is
+ undefined - it's an out of bounds array access.
+ 
+ [Test case]
+ The attached test case has a list of packages 0-9, a-z; stores the package "z" into a variable, then reopens the cache. It then marks z for deletion. This either segfaults or does nothing; when it should mark z for deletion.
+ 
+ More test cases like this are in the autopkgtest.
+ 
+ [Regression potential]
+ The initial fix introduced bug 1780099, there might be similar bugs lurking. However, these bugs would have been undefined behavior before and might have caused segmentation faults or did the wrong thing. It seems likely that any regression cannot possibly be worse than the current state.
+ 
+ 
  The Ubuntu Error Tracker has been receiving reports about a problem regarding unattended-upgrades. This problem was most recently seen with package version 0.98ubuntu1, the problem page at https://errors.ubuntu.com/problem/727153285ba3335a07f801a298a3d94cbe6ba05d contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
  If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

** Description changed:

  [Impact]
  Some applications, like unattended-upgrades or update-manager, reopen the apt cache. They also keep around old apt.Package objects however, and operate on them after reopening. Under the hood, this means that apt_pkg.Package objects belonging to an old cache are passed to a new cache.
  
  APT relies on the ID of the package (it's position in the cache) for
  it's operation. So if a package has ID 0 in the old cache, and a
  different package has ID 0 in the new cache, performing operations on
  the old package would perform it on the new package. If the old
  package's ID is out of bounds in the new cache, the behavior is
  undefined - it's an out of bounds array access.
  
  [Test case]
  The attached test case has a list of packages 0-9, a-z; stores the package "z" into a variable, then reopens the cache. It then marks z for deletion. This either segfaults or does nothing; when it should mark z for deletion.
  
  More test cases like this are in the autopkgtest.
  
  [Regression potential]
  The initial fix introduced bug 1780099, there might be similar bugs lurking. However, these bugs would have been undefined behavior before and might have caused segmentation faults or did the wrong thing. It seems likely that any regression cannot possibly be worse than the current state.
  
- 
+ [Original bug report]
  The Ubuntu Error Tracker has been receiving reports about a problem regarding unattended-upgrades. This problem was most recently seen with package version 0.98ubuntu1, the problem page at https://errors.ubuntu.com/problem/727153285ba3335a07f801a298a3d94cbe6ba05d contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
  If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

** Also affects: python-apt (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: unattended-upgrades (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: python-apt (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: unattended-upgrades (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: python-apt (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: unattended-upgrades (Ubuntu Trusty)
       Status: New => Won't Fix

** Changed in: unattended-upgrades (Ubuntu Xenial)
       Status: New => Won't Fix
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
This bug was fixed in the package unattended-upgrades - 1.1ubuntu1

---
unattended-upgrades (1.1ubuntu1) bionic; urgency=medium

  * Merge from Debian unstable (LP: #1764797)
    - Remaining changes:
      - unattended-upgrades: Do not automatically upgrade the development
        release of Ubuntu unless Unattended-Upgrade::DevRelease is true.
    - Dropped changes, included in Debian:
      - Rename d/NEWS.Debian to d/NEWS to have it shipped
      - Fix typo in NEWS file
      - d/rules: Exclude mypy cache from source package.

unattended-upgrades (1.1) unstable; urgency=medium

  [ cgail914 ]
  * Update 50unattended-upgrades.Raspbian
    added a semi-column sign on line 86 to facilitate uncommenting the line
    for users and not end up with an error message when running
    unattended-upgrades. And make the whole file consistent.

  [ Tobias Bannert ]
  * completed german translation

  [ Simon McVittie ]
  * d/rules: Exclude mypy cache from source package.

  [ Julian Andres Klode ]
  * Do not reuse old apt.Version objects after reopening cache (LP: #1737441)

  [ Balint Reczey ]
  * Rename d/NEWS.Debian to d/NEWS to have it shipped
  * Fix typo in NEWS file
  * Add missing semicolon to commented-out Remove-Unused-Kernel-Packages
    option
  * Set UnattendedUpgradesCache.allowed_origins before calling
    apt.Cache.__init__()
  * Find package candidates to adjust sweeping through all packages only
    once. Later reuse the list candidates and filter out packages installed
    in the meantime. Thanks to Julian Andres Klode for the original patch
  * Use updated python-apt in upgrade-between-snapshots test
  * upgrade-between-snapshots: Mount /proc, too, in the chroot. Also clean
    up chroot properly on exit.
  * upgrade-between-snapshots: Use http_proxy environment variable in
    chroot, too
  * upgrade-between-snapshots: Remove packages installed as the side-effect
    of updating apt and python-apt
  * Ignore errors from compiling backported packages
  * Make is_autoremove_valid() nondestructive. Also fix autoremoval of
    packages when one package can't be removed and keeps back other package
    removals due to missing cache.clear()
  * Fix tracking removed packages
  * Suggest default-mta | mail-transport-agent to keep Lintian happy

  [ Michael Vogt ]
  * unattanded-upgrades: refactor get_candidates_to_adjust() to
    adjust_candidates()

 -- Balint Reczey  Tue, 17 Apr 2018 16:53:30 +0200

** Changed in: unattended-upgrades (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Changed in: unattended-upgrades (Ubuntu Bionic)
       Status: In Progress => Fix Committed
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
This bug was fixed in the package python-apt - 1.6.0~rc2ubuntu2

---
python-apt (1.6.0~rc2ubuntu2) bionic; urgency=medium

  * apt/auth.py: Protect against race with gpg when removing tmpdir
    (Closes: #871585)
  * Document Architecture: all handling in Package.{fullname,architecture()}
    (Closes: #863193)
  * python/tag.cc: Fix invalid read in TagFileNext
  * Raise ValueError if objects passed to DepCache are from different
    cache (LP: #1737441)

 -- Julian Andres Klode  Thu, 12 Apr 2018 11:22:27 +0200

** Changed in: python-apt (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Changed in: unattended-upgrades (Ubuntu Bionic)
       Status: Triaged => In Progress

** Changed in: python-apt (Ubuntu Bionic)
       Status: In Progress => Fix Committed
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
This is a problem in unattended-upgrades reusing apt.Version objects after reopening the cache. python-apt does not verify that objects like versions passed to apt_pkg.DepCache belong to the same cache. Hence we get out of bounds writes and memory corruption if these reference cache objects with IDs outside of the cache range (like dependency 1024 in a cache with 100 dependencies), or, maybe even worse, we mark the wrong things (like set the candidate for an entirely different package). Hence this was not detected.

I added checks to python-apt now to detect this situation where possible, and will release that shortly.

** Changed in: unattended-upgrades (Ubuntu Bionic)
       Status: Invalid => Triaged
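
An added illustration of the failure described in this thread and in the bug description (not code from python-apt or unattended-upgrades): a toy model in which a package's ID is its position in the cache and per-package state is an array indexed by that ID. All class and function names, the `new-pkg` entry and the error text are assumptions made for the example; Python's IndexError stands in for the unchecked C++ array access.

```python
import string

class Package:
    def __init__(self, owner, pkg_id, name):
        self.owner, self.id, self.name = owner, pkg_id, name

class Cache:
    """Toy cache: a package's ID is its position in the package list."""
    def __init__(self, names):
        self.packages = [Package(self, i, n) for i, n in enumerate(names)]
    def __getitem__(self, name):
        return next(p for p in self.packages if p.name == name)

class UncheckedDepCache:
    """Per-package state lives in an array indexed by package ID."""
    def __init__(self, cache):
        self.cache = cache
        self.delete = [False] * len(cache.packages)
    def mark_delete(self, pkg):
        self.delete[pkg.id] = True  # trusts the ID, never looks at the owner
    def marked(self):
        return [p.name for p in self.cache.packages if self.delete[p.id]]

class CheckedDepCache(UncheckedDepCache):
    def mark_delete(self, pkg):
        if pkg.owner is not self.cache:  # reject objects of another cache
            raise ValueError("package belongs to a different cache")
        super().mark_delete(pkg)

NAMES = list(string.digits + string.ascii_lowercase)  # constructed: 0-9, a-z

def stale_marks_wrong_package():
    stale_z = Cache(NAMES)["z"]                 # ID 35 in the old cache
    reopened = Cache(["new-pkg"] + NAMES)       # every ID shifts by one
    dep = UncheckedDepCache(reopened)
    dep.mark_delete(stale_z)
    return dep.marked()                         # "y" now sits at ID 35

def stale_out_of_bounds():
    stale_z = Cache(NAMES)["z"]
    dep = UncheckedDepCache(Cache(NAMES[:10]))  # reopened cache has 10 entries
    try:
        dep.mark_delete(stale_z)
    except IndexError:                          # C++ has no such bounds check
        return "out of bounds"
    return "no error"

def checked_then_relookup():
    stale_z = Cache(NAMES)["z"]
    reopened = Cache(["new-pkg"] + NAMES)
    dep = CheckedDepCache(reopened)
    try:
        dep.mark_delete(stale_z)
    except ValueError:
        dep.mark_delete(reopened["z"])          # look the name up again
    return dep.marked()
```

The caller-side remedy shown in `checked_then_relookup` is to fetch the object again from the reopened cache by name instead of keeping the old reference.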
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Changed in: python-apt (Ubuntu Bionic)
       Status: Confirmed => In Progress
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Tags added: id-5a8ef5f4d8bb16ec254dc10f
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Also affects: python-apt (Ubuntu Bionic)
   Importance: Undecided
       Status: Confirmed

** Also affects: unattended-upgrades (Ubuntu Bionic)
   Importance: Undecided
       Status: Invalid
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
There are a few other crashes in apt reported for u-u at errors.ubuntu.com; they may hold more useful information.
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
I'm not sure what's going on here. Maybe it's deleting the cachefile twice somehow. It's just straight-forward destructors. Very odd.

** Changed in: python-apt (Ubuntu)
       Status: New => Triaged

** Changed in: python-apt (Ubuntu)
       Status: Triaged => Confirmed
[Bug 1737441] Re: /usr/bin/unattended-upgrade:11:__GI___libc_free:operator:__gnu_cxx::new_allocator:std::allocator_traits:std::__cxx11::basic_string
** Also affects: python-apt (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: unattended-upgrades (Ubuntu)
       Status: New => Invalid