
Bug#809838: marked as done ([apt] Download size check overflow)



Your message dated Thu, 7 Jan 2016 14:04:27 +0100
with message-id <20160107130427.GA3049@crossbow>
and subject line Re: Bug#809838: [apt] Download size check overflow
has caused the Debian Bug report #809838,
regarding [apt] Download size check overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
809838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809838
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.1.5
Severity: normal

--- Please enter the report below this line. ---

After a few weeks without updates, running `apt-get dist-upgrade` failed with
the following message:

[...]
724 upgraded, 0 newly installed, 0 to remove and 187 not upgraded.
18446744072246931048,2832346728
How odd... The sizes didn't match, email apt@packages.debian.org
Need to get 18.4 EB of archives.
After this operation, 77.8 MB of additional disk space will be used.
E: You don't have enough free space in /var/cache/apt/archives/.
[...]

Upgrading all texlive-* packages and then trying again worked.  This looks 
suspiciously like a 32bit overflow (log2(2832346728) ~ 31.4, 18.4EB ~ 2^64B), 
combined with casting to 64bit later in the process, also the upgrade download 
size was something below 2GB _after_ upgrading the texlive packages manually.

--- System information. ---
Architecture: amd64
Kernel:       Linux 4.2.0-1-amd64

Debian Release: stretch/sid
  500 testing         www.deb-multimedia.org 
  500 testing         security.debian.org 
  500 testing         ftp5.gwdg.de 
  500 stretch         neurodebian.ovgu.de 
  500 data            neurodebian.ovgu.de 

--- Package information. ---
Depends                       (Version) | Installed
=======================================-+-=============
libapt-pkg4.12             (>= 1.0.9.6) | 1.0.9.10
libc6                         (>= 2.15) | 
libgcc1                    (>= 1:4.1.1) | 
libstdc++6                     (>= 4.9) | 
debian-archive-keyring                  | 
gnupg                                   | 


Package's Recommends field is empty.

Suggests         (Version) | Installed
==========================-+-============
aptitude                   | 0.6.11-1+b1
 OR synaptic               | 0.82
 OR wajig                  | 
dpkg-dev       (>= 1.17.2) | 1.18.4
apt-doc                    | 
python-apt                 | 1.1.0~beta1



--- Output from package bug script ---
-- 
Max-Planck-Institute for Dynamics and Self-Organization
Research Group Biomedical Physics

Am Fassberg 17
D-37077 Goettingen
(+49) 551 5176 373

You can obtain my public key 0xF197B128 from all keyservers, e.g. pgp.mit.edu
Fingerprint: 9698 BDD4 71CC 1274 B7E2  2049 1EDD 012D F197 B128



--- End Message ---
--- Begin Message ---
Version: 1.1.4

On Tue, Jan 05, 2016 at 09:15:00AM +0100, Daniel Hornung wrote:
> On Monday 04 January 2016 22:13:05 David Kalnischkies wrote:
> > On Mon, Jan 04, 2016 at 04:52:04PM +0100, Daniel Hornung wrote:
> > > Package: apt
> > > Version: 1.1.5
> > > Severity: normal
> > 
> > Are you sure about the used version? There was a bug regarding the
> > calculation of the sizes – but it was fixed by 1.1.4.
> > 
> > I am asking specifically as the list of upgraded packages is long and:
> > > Depends                       (Version) | Installed
> > > =======================================-+-=============
> > > libapt-pkg4.12             (>= 1.0.9.6) | 1.0.9.10
> > 
> > This should be libapt-pkg5.0 in the 1.1.x series of apt which suggests
> > to me that the report was made from a machine (running Debian stable)
> > which isn't the machine the bug was observed on (as the report claims
> > to be against a Debian testing/unstable version).
> 
> Yes, a very good observation.  The bug was on testing indeed, but I reported 
> it after successfully running the dist-upgrade.  Checking apt/history.log 
> showed that the problem was with 1.1.3 as suspected, but when reporting, apt 
> was at 1.1.5 already:
> 
> Upgrade: [...] apt:amd64 (1.1.3, 1.1.5), [...]
> 
> So this bug report can probably be closed for good, if the problem was fixed 
> in 1.1.4.


Great! The relevant changelog for history purposes was:

apt (1.1.4) unstable; urgency=medium

  [ Julian Andres Klode ]
[…]
  * Avoid overflow when summing up file sizes
[…]
 -- Julian Andres Klode <jak@debian.org>  Mon, 07 Dec 2015 15:31:31 +0100


Best regards

David Kalnischkies



--- End Message ---
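
The two numbers in the reported output (18446744072246931048 and 2832346728) can be checked against the reporter's 32-bit hypothesis. The following is an added illustration, not apt's code and not part of either message: the package sizes are constructed and the function names are hypothetical. It shows a total that wraps into the sign bit of a 32-bit value and is then widened to 64 bits, next to a 64-bit sum that refuses to wrap.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed sample: three download sizes in bytes whose true total is
// 2832346728, the second number printed in the report.
static const std::vector<uint64_t> kSizes = {1500000000ULL, 1000000000ULL,
                                             332346728ULL};

// Narrow accumulation: the running total is kept in 32 bits and then widened
// the way a negative signed int converts to unsigned long long.
uint64_t sum_narrow_then_widen(const std::vector<uint64_t> &sizes) {
    uint32_t acc = 0;                   // unsigned wrap-around is well defined
    for (uint64_t s : sizes)
        acc += static_cast<uint32_t>(s);
    uint64_t wide = acc;
    if (acc & 0x80000000u)              // top bit set: negative as int32
        wide |= 0xFFFFFFFF00000000ULL;  // sign-extend into the high half
    return wide;
}

// Checked accumulation: 64-bit total that reports overflow instead of wrapping.
bool sum_checked(const std::vector<uint64_t> &sizes, uint64_t &total) {
    total = 0;
    for (uint64_t s : sizes) {
        if (s > UINT64_MAX - total)
            return false;               // adding s would exceed 64 bits
        total += s;
    }
    return true;
}

int main() {
    uint64_t good = 0;
    bool ok = sum_checked(kSizes, good);
    // Prints the same pair as the second line of the quoted apt output.
    std::printf("%llu,%llu\n",
                (unsigned long long)sum_narrow_then_widen(kSizes),
                (unsigned long long)good);
    return ok ? 0 : 1;
}
```

Any total between 2 GiB and 4 GiB behaves this way under such a narrowing, which fits the report that the problem went away once the remaining download dropped below 2GB.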
