
Bug#1018832: apt: hardcoded tagfile size limit



Package: apt
Version: 2.5.2
Severity: normal

apt contains an arbitrary hardcoded limit on the size of tagfiles:

    bool pkgTagFile::Resize()
    {
       // fail is the buffer grows too big
       if(d->Size > 1024*1024+1)
          return false;
    
       return Resize(d->Size * 2);
    }

I wrote the following quick test script before finding this limit:

    $ cat t.py
    #! /usr/bin/python3
    
    from argparse import ArgumentParser
    import tempfile
    
    import apt_pkg
    
    apt_pkg.init()
    
    parser = ArgumentParser()
    parser.add_argument("length", type=int)
    args = parser.parse_args()
    
    with tempfile.TemporaryFile() as f:
        f.write(b"Format: 1.8\nChanges:\n ")
        f.write(b"x" * args.length)
        f.write(b"\n")
        f.seek(0)
        list(apt_pkg.TagFile(f, bytes=True))
    $ ./t.py 1048677
    $ ./t.py 1048678
    Traceback (most recent call last):
      File "/home/cjwatson/./t.py", line 19, in <module>
        list(apt_pkg.TagFile(f, bytes=True))
    apt_pkg.Error: E:Unable to parse package file  (1)

(I'm not sure exactly why the threshold is 1024*1024+102; presumably the
resize steps don't quite take us through exact powers of two.)

We actually encountered this in practice.  Somebody uploaded a kernel
package to Launchpad with a ~2.4 MiB .changes file, mostly consisting of
a probably-autogenerated changelog with lots of commit messages, and the
upload failed due to this.

I think I'd prefer this *not* to be configurable, to minimize situations
where tag files can be parsed in some environments but not others.  I
don't know whether it's possible to reasonably avoid having an arbitrary
limit at all.  Even if not, 1 MiB seems pretty small compared to memory
sizes these days; perhaps this could be raised?

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-41-generic (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_LIVEPATCH
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages apt depends on:
ii  adduser                 3.127
ii  debian-archive-keyring  2021.1.1
ii  gpgv                    2.2.35-3
ii  libapt-pkg6.0           2.5.2
ii  libc6                   2.34-4
ii  libgcc-s1               12.2.0-1
ii  libgnutls30             3.7.7-2
ii  libseccomp2             2.5.4-1+b1
ii  libstdc++6              12.2.0-1
ii  libsystemd0             251.4-1

Versions of packages apt recommends:
ii  ca-certificates  20211016

Versions of packages apt suggests:
pn  apt-doc                      <none>
pn  aptitude | synaptic | wajig  <none>
ii  dpkg-dev                     1.21.9
ii  gnupg                        2.2.35-3
ii  gnupg1                       1.4.23-1.1+b1
ii  gnupg2                       2.2.35-3
ii  powermgmt-base               1.37

-- no debconf information

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
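
A pre-flight size check for the failure described in this report, added here as an example (not code from apt, Launchpad or the reporter): it splits a deb822 file into stanzas and reports any stanza larger than a limit, naming the field that takes the most space. The 1 MiB `LIMIT`, the function names and the sample input are assumptions made for illustration.

```python
# Added example: flag deb822 stanzas too large for a fixed-size parser buffer.
# LIMIT is an assumed conservative bound (1 MiB); it is not an apt constant.
LIMIT = 1024 * 1024


def stanzas(data: bytes):
    """Yield (offset, raw) for each stanza; blank lines separate stanzas."""
    cur, start, pos = [], 0, 0
    for line in data.splitlines(keepends=True):
        if line.strip():
            if not cur:
                start = pos
            cur.append(line)
        elif cur:
            yield start, b"".join(cur)
            cur = []
        pos += len(line)
    if cur:
        yield start, b"".join(cur)


def largest_field(stanza: bytes):
    """Return (name, bytes) of the field using the most space, continuations included."""
    sizes, name = {}, None
    for line in stanza.splitlines(keepends=True):
        if line[:1] not in (b" ", b"\t") and b":" in line:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
        if name is not None:
            sizes[name] = sizes.get(name, 0) + len(line)
    return max(sizes.items(), key=lambda kv: kv[1]) if sizes else (None, 0)


def oversized(data: bytes, limit: int = LIMIT):
    """List stanzas whose raw size exceeds limit, with the field to blame."""
    hits = []
    for index, (offset, raw) in enumerate(stanzas(data)):
        if len(raw) > limit:
            field, field_size = largest_field(raw)
            hits.append({"index": index, "offset": offset, "size": len(raw),
                         "field": field, "field_size": field_size})
    return hits


# Constructed input: a small stanza, then one shaped like the report's test file.
SAMPLE = (b"Format: 1.8\nSource: demo\n\n"
          b"Format: 1.8\nChanges:\n " + b"x" * 1048678 + b"\n")

if __name__ == "__main__":
    for hit in oversized(SAMPLE):
        print(hit)
```

Running such a check before handing a file to `apt_pkg.TagFile` lets an upload service reject the file with the stanza offset and field name instead of a bare parse error.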

