** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1252
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1642386
Title:
At least one invalid signature was encountered.
To manage
This bug was fixed in the package apt - 1.2.18
---
apt (1.2.18) xenial; urgency=high
* SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
Thanks to Jann Horn, Google Project Zero for reporting the issue
(LP: #1647467)
* gpgv: Flush the files
Thanks Julian!
I tested the apt 1.2.18 packages and found the results far more
pleasing:
...
Fetched 1,688 kB in 2s (685 kB/s)
Reading package lists... Done
W: http://mirrors.kernel.org/ubuntu/dists/xenial/InRelease: The key(s) in the
keyring /etc/apt/trusted.gpg.d/ddebs.gpg
Hello Seth, or anyone else affected,
Accepted apt into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/apt/1.2.18 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
** Description changed:
+ [Summary]
+
+ A regression in apt in Xenial 1.2.15 causes "apt-get update" to fail
+ with "At least one invalid signature was encountered." if there are
+ files in /etc/apt/trusted.gpg.d/ that are not readable by the _apt user.
+
+ This has the consequence of getting
Notably the first commit just causes the thing to fail silently, the
second one makes apt forward the warning on an update.
Uploaded 1.2.17 to xenial-proposed
apt (1.2.17) xenial; urgency=medium
[ David Kalnischkies ]
* apt-key: warn instead of fail on unreadable keyrings (LP: #1642386)
* show apt-key warnings in apt update (Closes: 834973)
[ Julian Andres Klode ]
* test-releasefile-verification:
>You can fix your permissions on your trusted.gpg and trusted.gpg.d
files in /etc/apt, so that the files are world-readable (chmod ugo+r
/etc/apt/trusted.gpg /etc/apt/trusted.gpg.d -R) [or give access to root
and _apt via acls].
That has been successful for me.
Thanks for verifying. I should have the final update ready within the
next 16-48 hours.
Julian, I modified the script.sh to include the following line:
sudo LD_LIBRARY_PATH=$PWD/build/bin/ ./build/bin/apt-get update -o Dir::Bin::Apt-Key="$PWD/build/bin/apt-key" -o Dir::Bin::Methods="$PWD/build/bin/methods/" 2>&1 | tee update.log
When run from remotes/julian/for-1.2/apt-key I get
Julian, looks like you win this year's remote-debugging-via-crystal-ball
award!
$ find /etc/apt -ls | grep sarnold
2572875 4 -rw--- 1 sarnold sarnold 1740 Mar 23 2016 /etc/apt/trusted.gpg.d/ddebs.gpg
Well done :D
Thanks
But of course: If you safely want to get apt 1.2.17 via apt 1.2.15, you
have to have correct permissions first - otherwise your old apt won't
see the new apt.
You can fix your permissions on your trusted.gpg and trusted.gpg.d files
in /etc/apt, so that the files are world-readable (chmod ugo+r
/etc/apt/trusted.gpg /etc/apt/trusted.gpg.d -R) [or give access to root
and _apt via acls].
You don't have to do that, though - it will start "working" again in
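The permission problem behind this bug can be checked for before running apt update. The following POSIX shell functions are an added example, not part of the bug thread or of apt itself: they list the keyring files under an apt configuration directory (passed as a parameter so a test tree can be used instead of /etc/apt) that lack the "other read" bit, which is exactly the condition that makes apt 1.2.15 report "At least one invalid signature was encountered."

```shell
#!/bin/sh
# Added example, not code from the bug report or from apt.
# Report keyring files that the unprivileged _apt user cannot read.
# The directory argument is normally /etc/apt; it is a parameter here so the
# check can be exercised on a constructed test tree.

# Print every trusted.gpg / trusted.gpg.d/* regular file without the o+r bit.
# (Files granted to _apt via an ACL instead of mode bits will still be
# listed; inspect those with getfacl.)
find_unreadable_keyrings() {
    dir="$1"
    for f in "$dir/trusted.gpg" "$dir/trusted.gpg.d"/*; do
        [ -f "$f" ] || continue
        # find -perm -o=r matches only when the other-read bit is set;
        # -prune keeps find from descending (harmless for a regular file).
        if [ -z "$(find "$f" -prune -perm -o=r -print 2>/dev/null)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of affected files; non-zero means "apt-get update" will warn or
# fail until the files are made world-readable (chmod ugo+r).
count_unreadable_keyrings() {
    find_unreadable_keyrings "$1" | wc -l | tr -d ' '
}
```

Run `count_unreadable_keyrings /etc/apt` on a Xenial host; any file it lists is one the fix in the comment above (chmod ugo+r, or an ACL for _apt) applies to.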
Is there something we Xenial users need to do to resolve this?
OK, the reason this happens is that some of your key files are not
readable (I'm not sure, but it might be running as _apt). The commit
mentioned introduced a regression in that it does not ignore failures
from unreadable key files.
This was fixed in 1.3~rc3 in commit
Ah, apt-key explains it. We did not catch that in the bisect correctly,
as I forgot to specify -o Dir::Bin::apt-key=$PWD/build/bin/apt-key :/
This means it is a regression introduced in:
commit b515fe3a0012c1f155dbf6a4199e919fec102578
Author: David Kalnischkies
Date:
Julian, thanks for your patience. I'm not able to offer a shell on the
affected machine, so debugging this is just going to have to go at a
snail's pace.
I read strace and ltrace logs from both 1.2.12-ish and 1.2.15 apt
packages and narrowed it down to /usr/bin/apt-key.
When I use the
Yeah, valgrind is a bit noisy always because we are building the cache
in memory before (1) writing it to the disk and the write includes
unused regions and (2) we are hashing the entire thing before writing
it, including the uninitialised bytes. So that means while we do have a
few uninitialized
Turns out the valgrind messages aren't regressions either.
Here's the older apt packages again which seemed to work okay:
==25043==
==25043== HEAP SUMMARY:
==25043== in use at exit: 13,118,211 bytes in 170,033 blocks
==25043== total heap usage: 626,066 allocs, 456,033 frees, 69,255,845
On a whim I ran apt-get update through valgrind:
==22064==
==22064== HEAP SUMMARY:
==22064== in use at exit: 695,606 bytes in 7,018 blocks
==22064== total heap usage: 67,584 allocs, 60,566 frees, 18,503,180 bytes
allocated
==22064==
==22064== LEAK SUMMARY:
==22064== definitely lost: 0
I reinstalled the latest xenial packages:
ii apt 1.2.15 amd64 commandline package manager
ii apt-transport-https 1.2.15 amd64 https download transport for APT
ii libapt-inst2.0:amd64 1.2.15 amd64 deb
The files in partial/ don't look too damning:
root@hunt:/var/lib/apt/lists/partial# file *
ftp.debian.org_debian_dists_jessie-updates_contrib_source_Sources:
empty
ftp.debian.org_debian_dists_wheezy-updates_contrib_source_Sources:
empty
Based on the funny git results, I re-installed the packages:
3243aa899fcf2f09b910b7429eeae6205a71c379a45c0e8e31723836bb094163
apt_1.2.12~ubuntu16.04.1_amd64.deb
5b9a82b1dc1f82fc3655038336d099410d643d5188629aba475050d7f9bd99c3
apt-transport-https_1.2.12~ubuntu16.04.1_amd64.deb
What we see from your debug output is that gpgv is not returning any
sensible information:
Summary:
Good:
Bad:
Worthless:
SoonWorthless:
NoPubKey:
You could try running apt-key verify manually on a few InRelease files (like
apt-key verify
First thanks for the files. Unfortunately, I can't reproduce it with the
files either. It must be a fairly system-specific bug.
> HEAD is now at 235347e... Release 1.2.12
> $ make fast
> [... with errors]
Whoa, if it happens with the 1.2.12 checkout too, then something else
seems wrong. I picked
I'm skeptical of the git bisect results:
$ git checkout cde5b485c9cdf0bfd5b6ea8e4973abe378270e60^
Previous HEAD position was cde5b48... fail instead of segfault on unreadable
config files
HEAD is now at 235347e... Release 1.2.12
$ make fast
Compiling cachefile.cc to
And the results of git bisect, thanks for the excellent instruction and
script!
cde5b485c9cdf0bfd5b6ea8e4973abe378270e60 is the first bad commit
commit cde5b485c9cdf0bfd5b6ea8e4973abe378270e60
Author: David Kalnischkies
Date: Fri May 20 09:37:24 2016 +0200
fail
Tarball of /etc/apt and /var/lib/apt
** Attachment added: "Tarball of /etc/apt and /var/lib/apt"
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1642386/+attachment/4778362/+files/apt-etc-and-var.tar.xz
393c61b8e29bd1923a5fe8abf4690c24e7f498aa8a4f5954a6a87da7d05a0bef apt-etc-and-var.tar.xz
sarnold@hunt:/var/lib/apt$ sudo mv lists lists.old
sarnold@hunt:/var/lib/apt$ sudo apt-get update
Get:1 http://mirrors.kernel.org/ubuntu xenial InRelease [247 kB]
Get:2 http://mirrors.kernel.org/ubuntu xenial-updates InRelease [95.7 kB]
Get:3
apt-get update -o Debug::Acquire::gpgv=1
** Attachment added: "apt-get update -o Debug::Acquire::gpgv=1"
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1642386/+attachment/4778350/+files/debug-gpgv
Oh, you may also want to try moving lists/ out of the way and running
apt update again.
And perhaps send me a tarball of /var/lib/apt and /etc/apt - then I
might have luck reproducing it.
If you want to, you could try bisecting this in the apt git repo,
starting with
git bisect start
git bisect
Your coworker seems to have caught a crash in appstream, BTW, not in
apt. Not sure why the files fail their hashes or have no sections in
them, though.
** Changed in: apt (Ubuntu)
Assignee: (unassigned) => Julian Andres Klode (juliank)
** Changed in: apt (Ubuntu)
Importance: Undecided => High
It works perfectly fine for me. Can you re-run this with:
-o Debug::Acquire::gpgv=1
** Changed in: apt (Ubuntu)
Status: New => Incomplete
I was too hasty -- apt appears to still function (e.g. apt-get install
expat, apt-get purge expat, installed an expat from the -updates pocket
and removed it again). It's just insanely ugly warnings on the apt-get
update step, and maybe(?) new lists can't be downloaded.
Anyway it's more nuanced
The full run, showing apt working a few seconds before it fails, and no
errors in dmesg.
** Attachment added: "terminal-log"
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1642386/+attachment/4778315/+files/terminal-log