Bug#1018832: apt: hardcoded tagfile size limit
Package: apt
Version: 2.5.2
Severity: normal
apt contains an arbitrary hardcoded limit on the size of tagfiles:
  bool pkgTagFile::Resize()
  {
     // fail if the buffer grows too big
     if(d->Size > 1024*1024+1)
        return false;

     return Resize(d->Size * 2);
  }
I wrote the following quick test script before finding this limit:
  $ cat t.py
  #! /usr/bin/python3

  from argparse import ArgumentParser
  import tempfile

  import apt_pkg


  apt_pkg.init()

  parser = ArgumentParser()
  parser.add_argument("length", type=int)
  args = parser.parse_args()
  with tempfile.TemporaryFile() as f:
      f.write(b"Format: 1.8\nChanges:\n ")
      f.write(b"x" * args.length)
      f.write(b"\n")
      f.seek(0)
      list(apt_pkg.TagFile(f, bytes=True))
  $ ./t.py 1048677
  $ ./t.py 1048678
  Traceback (most recent call last):
    File "/home/cjwatson/./t.py", line 19, in <module>
      list(apt_pkg.TagFile(f, bytes=True))
  apt_pkg.Error: E:Unable to parse package file (1)
(I'm not sure exactly why the threshold is 1024*1024+102; presumably the
resize steps don't quite take us through exact powers of two.)
We actually encountered this in practice. Somebody uploaded a kernel
package to Launchpad with a ~2.4 MiB .changes file, mostly consisting of
a probably-autogenerated changelog with lots of commit messages, and the
upload failed due to this.
I think I'd prefer this *not* to be configurable, to minimize situations
where tag files can be parsed in some environments but not others. I
don't know whether it's possible to reasonably avoid having an arbitrary
limit at all. Even if not, 1 MiB seems pretty small compared to memory
sizes these days; perhaps this could be raised?
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-41-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_LIVEPATCH
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages apt depends on:
ii adduser 3.127
ii debian-archive-keyring 2021.1.1
ii gpgv 2.2.35-3
ii libapt-pkg6.0 2.5.2
ii libc6 2.34-4
ii libgcc-s1 12.2.0-1
ii libgnutls30 3.7.7-2
ii libseccomp2 2.5.4-1+b1
ii libstdc++6 12.2.0-1
ii libsystemd0 251.4-1
Versions of packages apt recommends:
ii ca-certificates 20211016
Versions of packages apt suggests:
pn apt-doc <none>
pn aptitude | synaptic | wajig <none>
ii dpkg-dev 1.21.9
ii gnupg 2.2.35-3
ii gnupg1 1.4.23-1.1+b1
ii gnupg2 2.2.35-3
ii powermgmt-base 1.37
-- no debconf information
Thanks,
--
Colin Watson [cjwatson@debian.org]
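
The following pre-upload check is an added example, not part of the original report and not apt's own code: it measures each stanza of a deb822 file in bytes, without using apt_pkg, and flags any stanza large enough to be at risk of the parse failure described above. The 1 MiB threshold and all function names are assumptions made for the example.

```python
import io

# Assumption: 1 MiB is a conservative warning threshold, taken from the
# 1024*1024 constant in the pkgTagFile::Resize() code quoted in the report.
# The failure point observed in the report is slightly higher than this.
WARN_BYTES = 1024 * 1024


def stanza_sizes(stream):
    """Yield (index, first_line, size_in_bytes) per stanza of a binary stream.

    Stanzas are separated by one or more empty lines. Size counts every byte
    of the stanza's lines, newlines included. Lines holding only spaces are
    treated as stanza content, not as separators.
    """
    index, size, first = 0, 0, None
    for line in stream:
        if line in (b"\n", b"\r\n"):
            if first is not None:
                yield index, first, size
                index += 1
            size, first = 0, None
            continue
        if first is None:
            first = line.rstrip(b"\r\n")
        size += len(line)
    if first is not None:  # last stanza without a trailing empty line
        yield index, first, size


def oversized_stanzas(stream, limit=WARN_BYTES):
    """Return [(index, first_line_text, size)] for stanzas larger than limit."""
    return [(i, first.decode("utf-8", "replace"), n)
            for i, first, n in stanza_sizes(stream) if n > limit]


def make_sample(changes_len):
    """Constructed input: the report's test stanza plus a small second stanza."""
    return io.BytesIO(b"Format: 1.8\nChanges:\n " + b"x" * changes_len + b"\n"
                      b"\n"
                      b"Package: small\nVersion: 1\n")


if __name__ == "__main__":
    for idx, first, n in oversized_stanzas(make_sample(2 * 1024 * 1024)):
        print(f"stanza {idx} ({first!r}): {n} bytes exceeds {WARN_BYTES}")
```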