Bug#290907: marked as done (apt-get can't handle a very-large dependency list)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 12 Aug 2015 23:56:03 +0200
with message-id <20150812215603.GA28197@crossbow>
and subject line Re: apt-get can't handle a very-large dependency list
has caused the Debian Bug report #290907,
regarding apt-get can't handle a very-large dependency list
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
290907: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=290907
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: <submit@bugs.debian.org>
• Subject: apt-get can't handle a very-large dependency list
• From: "Marcel Toele" <mtoele@kern.nl>
• Date: Mon, 17 Jan 2005 18:26:43 +0100 (CET)
• Message-id: <34519.217.170.42.254.1105982803.squirrel@webmail.kern.nl>
• Reply-to: mtoele@kern.nl

Package: apt
Version: 0.5.27

A bug presently in apt-get prevents the usage of apt in combination with
very-large dependency list. This is due to a fixed maximum default length
when creating pkgTagFile objects. (currently 32k).

Below is the output of a testrun with a Packages file containing a package
with 10000 dependencies.

dyn82:~# apt-get update
Hit http://workstation01.intra.krnl.nl sarge-2005-01-01/main Packages
Ign http://workstation01.intra.krnl.nl sarge-2005-01-01/main Release
Reading Package Lists... Error!
E: Unable to parse package file
/var/lib/apt/lists/workstation01.intra.krnl.nl_bootstrap-wrapped_dists_sarge-2005-01-01_main_binary-i386_Packages(1)
E: The package lists or status file could not be parsed or opened.

A patch that will initialize all pkgTagFile objects with the proper size
(from the FileFd) is included below. The patch is compatible with both
0.5.27 and 0.6.25.

############### BEGIN PATCH ################
diff -ru apt-0.5.27.orig/apt-inst/deb/dpkgdb.cc
apt-0.5.27/apt-inst/deb/dpkgdb.cc
--- apt-0.5.27.orig/apt-inst/deb/dpkgdb.cc      2004-01-07
21:39:37.000000000 +0100
+++ apt-0.5.27/apt-inst/deb/dpkgdb.cc   2005-01-17 16:46:40.397977118 +0100
@@ -419,7 +419,7 @@
 bool debDpkgDB::ReadConfFiles()
 {
    FileFd File(_config->FindFile("Dir::State::status"),FileFd::ReadOnly);
-   pkgTagFile Tags(&File);
+   pkgTagFile Tags(&File,File.Size()+256); //XXX
    if (_error->PendingError() == true)
       return false;

diff -ru apt-0.5.27.orig/apt-pkg/policy.cc apt-0.5.27/apt-pkg/policy.cc
--- apt-0.5.27.orig/apt-pkg/policy.cc   2003-08-12 02:17:37.000000000 +0200
+++ apt-0.5.27/apt-pkg/policy.cc        2005-01-17 16:46:40.397977118 +0100
@@ -257,7 +257,7 @@
       return true;

    FileFd Fd(File,FileFd::ReadOnly);
-   pkgTagFile TF(&Fd);
+   pkgTagFile TF(&Fd,Fd.Size()+256);//XXX
    if (_error->PendingError() == true)
       return false;

iff -ru apt-0.5.27.orig/cmdline/apt-sortpkgs.cc
apt-0.5.27/cmdline/apt-sortpkgs.cc
--- apt-0.5.27.orig/cmdline/apt-sortpkgs.cc     2003-01-11
08:18:44.000000000 +0100
+++ apt-0.5.27/cmdline/apt-sortpkgs.cc  2005-01-17 16:46:40.398977012 +0100
@@ -62,7 +62,7 @@
 bool DoIt(string InFile)
 {
    FileFd Fd(InFile,FileFd::ReadOnly);
-   pkgTagFile Tags(&Fd);
+   pkgTagFile Tags(&Fd,Fd.Size()+256);//XXX
    if (_error->PendingError() == true)
       return false;

diff -ru apt-0.5.27.orig/cmdline/indexcopy.cc apt-0.5.27/cmdline/indexcopy.cc
--- apt-0.5.27.orig/cmdline/indexcopy.cc        2002-03-26
08:38:58.000000000 +0100
+++ apt-0.5.27/cmdline/indexcopy.cc     2005-01-17 16:46:40.398977012 +0100
@@ -110,7 +110,7 @@

         Pkg.Seek(0);
       }
-      pkgTagFile Parser(&Pkg);
+      pkgTagFile Parser(&Pkg,Pkg.Size()+256); //XXX
       if (_error->PendingError() == true)
         return false;

diff -ru apt-0.5.27.orig/ftparchive/writer.cc apt-0.5.27/ftparchive/writer.cc
--- apt-0.5.27.orig/ftparchive/writer.cc        2004-03-24
02:40:43.000000000 +0100
+++ apt-0.5.27/ftparchive/writer.cc     2005-01-17 16:46:40.399976907 +0100
@@ -760,7 +760,7 @@

    // No auto-close FD
    FileFd Fd(CompFd,false);
-   pkgTagFile Tags(&Fd);
+   pkgTagFile Tags(&Fd,Fd.Size()+256); //XXX
    if (_error->PendingError() == true)
    {
       Pkgs.CloseOld(CompFd,Proc);
########### END PATCH ##############

Marcel Toele

--- End Message ---

--- Begin Message ---

• To: 290907-done@bugs.debian.org
• Subject: Re: apt-get can't handle a very-large dependency list
• From: David Kalnischkies <david@kalnischkies.de>
• Date: Wed, 12 Aug 2015 23:56:03 +0200
• Message-id: <20150812215603.GA28197@crossbow>
• In-reply-to: <34519.217.170.42.254.1105982803.squirrel@webmail.kern.nl>
• References: <34519.217.170.42.254.1105982803.squirrel@webmail.kern.nl>

On Mon, Jan 17, 2005 at 06:26:43PM +0100, Marcel Toele wrote:
> A bug presently in apt-get prevents the usage of apt in combination with
> very-large dependency list. This is due to a fixed maximum default length
> when creating pkgTagFile objects. (currently 32k).

Actually, the limit is 1 MB for a single section, so the information
about a single version can't be bigger than 1 MB in size.

We could increase this to like 2 MB, but that just means the limit is
2 MB… we can't remove the limit entirely through as this is used to
parse potentially untrusted data, so a bad file could have an 'endless'
section which would eat up all of memory resulting in a deny of service
on the host…

So, this is basically unfixable. And truth be told, it seems unlikely
that a "real" package hits this 1 MB limit (I think back than this bug
was reported the limit was lower, like 32k lower) even if this is
probably going to be famous last words, aka: closing.


Best regards

David Kalnischkies

Attachment: signature.asc
Description: Digital signature

--- End Message ---