Bug#158117: apt: missing Label field in Release file causes apt-cache policy to output garbage

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#158117: apt: missing Label field in Release file causes apt-cache policy to output garbage
From: Marc Haber <mh+debian-bugs@zugschlus.de>
Date: Sun, 25 Aug 2002 14:58:20 +0200
Message-id: <[🔎] E17iwyC-00044c-00@paola.int.toplink-plannet.de>
Reply-to: Marc Haber <mh+debian-bugs@zugschlus.de>, 158117@bugs.debian.org

Package: apt
Version: 0.5.4
Severity: normal

Note: This might be a potential buffer overflow, and raise a possible
security problem since apt is usually executed as root. I don't know
enough about that stuff, so I won't make the bug a high priority bug.

See this typescript:
[4/4]haber@paola:~$ cat /etc/apt/sources.list 
deb http://debian.toplink-plannet.de/debian/ woody main
[5/5]haber@paola:~$ sudo apt-get update
0% [Working]
Hit http://debian.toplink-plannet.de woody/main Packages
Hit http://debian.toplink-plannet.de woody/main Release
66% [Working]
Reading Package Lists... 0%
Reading Package Lists... Done
Building Dependency Tree... 0%
Building Dependency Tree... Done^
[6/6]haber@paola:~$ apt-cache policy
Package Files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://debian.toplink-plannet.de woody/main Packages
     release v=3.0,o=Debian,a=stable,l=Debian,c=main
     origin debian.toplink-plannet.de
Pinned Packages:
[7/7]haber@paola:~$ 

This looks fine, when only the debian archive is used. I am currently
experiementing with my own distribution. Now let's bring my own
(wrong) Release files into the game:

[7/7]haber@paola:~$ cat /etc/apt/sources.list 
deb http://debian.toplink-plannet.de/debian/ woody main
deb http://debian.toplink-plannet.de/debian/ tpl/woody main
[8/8]haber@paola:~$ sudo apt-get update
0% [Working]
Hit http://debian.toplink-plannet.de woody/main Packages
Hit http://debian.toplink-plannet.de woody/main Release
Get:1 http://debian.toplink-plannet.de tpl/woody/main Packages [5249B]
[1 Packages 3594/5249B 68%]
Get:2 http://debian.toplink-plannet.de tpl/woody/main Release [62B]
99% [Working]
99% [1 Packages gzip 0]
100% [Working]
Fetched 5311B in 0s (153kB/s)
Reading Package Lists... 0%
Reading Package Lists... Done
Building Dependency Tree... 0%
Building Dependency Tree... Done
[9/9]haber@paola:~$ apt-cache policy
Package Files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://debian.toplink-plannet.de tpl/woody/main Packages
>     release o=tpl,a=woody,l=Üvþ<98>^D,c=main
     origin debian.toplink-plannet.de
 500 http://debian.toplink-plannet.de woody/main Packages
     release v=3.0,o=Debian,a=stable,l=Debian,c=main
     origin debian.toplink-plannet.de
Pinned Packages:
[10/10]haber@paola:~$ 

Please notice the garbage in the l=field for tpl/woody/main, line
marked ">"

The Release file for tpl/dooy is wrong:

[10/10]haber@paola:~$ cat /var/lib/apt/lists/debian.toplink-plannet.de_debian_dissts_tpl_woody_main_binary-i386_Release 
Archive: woody
Component: main
Architecture: i386
Origin: tpl
[11/11]haber@paola:~$ 

but apt-cache should notice that.

Greetings
Marc

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux paola 2.4.19-paola #1 Wed Aug 7 08:54:32 UTC 2002 i686
Locale: LANG=C, LC_CTYPE=de_DE

Versions of packages apt depends on:
ii  libc6                        2.2.5-10    GNU C Library: Shared libraries an
ii  libstdc++2.10-glibc2.2       1:2.95.4-11 The GNU stdc++ library

Reply to:

Prev by Date: Bug#158092: apt-get mishandles /var/lib/dpkg/status with bufffer aligned EOF
Next by Date: Bug#158118: apt: doesn't properly handle Release files that show up on already-known distribution
Previous by thread: Bug#158092: apt-get mishandles /var/lib/dpkg/status with bufffer aligned EOF
Next by thread: Bug#158118: apt: doesn't properly handle Release files that show up on already-known distribution
Index(es):
- Date
- Thread