
Bug#1058904: marked as done (python3-apt: apt_pkg.TagFile segfaults on files with comments)



Your message dated Thu, 21 Dec 2023 15:20:03 +0000
with message-id <E1rGKqB-008oSR-HW@fasolo.debian.org>
and subject line Bug#1058904: fixed in python-apt 2.7.3
has caused the Debian Bug report #1058904,
regarding python3-apt: apt_pkg.TagFile segfaults on files with comments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1058904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058904
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: python3-apt
Version: 2.7.2
Severity: serious
X-Debbugs-Cc: stuart@debian.org

Dear Maintainer,

With the upgrade to python3-apt 2.7.2, CI for python-debian started
failing for both python3.11 and python3.12. The particular test where
the segfault is found feeds apt_pkg.TagFile data that contains comments
in the form permitted by Policy for source package control files.

https://salsa.debian.org/stuart/python-debian/-/blob/master/tests/test_deb822.py?ref_type=heads#L1279

Previous versions raised apt_pkg.Error for erroneous data.

The key feature of the data that is causing the segfault is the
inclusion of a comment in a multiline field.

While users of python-debian's deb822 wrappers are encouraged to not use
apt_pkg.TagFile for anything other than archive-generated files such as
the Sources and Packages files, there are legacy users and
out-of-archive users that could be doing so. Unparsable data should also
not segfault the interpreter but generate an exception.

regards
Stuart


Steps to reproduce (output below are for git HEAD with a slightly
rearranged directory structure; current version in sid does the same):

$ debcheckout python-debian
$ cd python-debian
$ python3.11 -m pytest -k test_iter_paragraphs_comments_use_apt_pkg
============================================== test session starts ==============================================
platform linux -- Python 3.11.7, pytest-7.4.3, pluggy-1.3.0 -- /usr/bin/python3.11
cachedir: .pytest_cache
rootdir: /tmp/pkgs/python-debian
configfile: pyproject.toml
testpaths: src, tests
plugins: cov-4.1.0
collected 295 items / 294 deselected / 1 selected

tests/test_deb822.py::TestDeb822::test_iter_paragraphs_comments_use_apt_pkg Fatal Python error: Segmentation fault

Current thread 0x00007f97ca55a040 (most recent call first):
File "/tmp/pkgs/python-debian/src/debian/deb822.py", line 740 in iter_paragraphs
File "/tmp/pkgs/python-debian/tests/test_deb822.py", line 1297 in test_iter_paragraphs_comments_use_apt_pkg
File "/usr/lib/python3/dist-packages/_pytest/python.py", line 194 in pytest_pyfunc_call
File "/usr/lib/python3/dist-packages/pluggy/_callers.py", line 77 in _multicall
File "/usr/lib/python3/dist-packages/pluggy/_manager.py", line 115 in _hookexec
File "/usr/lib/python3/dist-packages/pluggy/_hooks.py", line 493 in __call__
File "/usr/lib/python3/dist-packages/_pytest/python.py", line 1792 in runtest
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 169 in pytest_runtest_call
File "/usr/lib/python3/dist-packages/pluggy/_callers.py", line 77 in _multicall
File "/usr/lib/python3/dist-packages/pluggy/_manager.py", line 115 in _hookexec
File "/usr/lib/python3/dist-packages/pluggy/_hooks.py", line 493 in __call__
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 262 in <lambda>
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 341 in from_call
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 261 in call_runtest_hook
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 222 in call_and_report
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 133 in runtestprotocol
File "/usr/lib/python3/dist-packages/_pytest/runner.py", line 114 in pytest_runtest_protocol
File "/usr/lib/python3/dist-packages/pluggy/_callers.py", line 77 in _multicall
File "/usr/lib/python3/dist-packages/pluggy/_manager.py", line 115 in _hookexec
File "/usr/lib/python3/dist-packages/pluggy/_hooks.py", line 493 in __call__
File "/usr/lib/python3/dist-packages/_pytest/main.py", line 350 in pytest_runtestloop
File "/usr/lib/python3/dist-packages/pluggy/_callers.py", line 77 in _multicall
File "/usr/lib/python3/dist-packages/pluggy/_manager.py", line 115 in _hookexec
File "/usr/lib/python3/dist-packages/pluggy/_hooks.py", line 493 in __call__
File "/usr/lib/python3/dist-packages/_pytest/main.py", line 325 in _main
File "/usr/lib/python3/dist-packages/_pytest/main.py", line 271 in wrap_session
File "/usr/lib/python3/dist-packages/_pytest/main.py", line 318 in pytest_cmdline_main
File "/usr/lib/python3/dist-packages/pluggy/_callers.py", line 77 in _multicall
File "/usr/lib/python3/dist-packages/pluggy/_manager.py", line 115 in _hookexec
File "/usr/lib/python3/dist-packages/pluggy/_hooks.py", line 493 in __call__
File "/usr/lib/python3/dist-packages/_pytest/config/__init__.py", line 169 in main
File "/usr/lib/python3/dist-packages/_pytest/config/__init__.py", line 192 in console_main
File "/usr/lib/python3/dist-packages/pytest/__main__.py", line 5 in <module>
File "<frozen runpy>", line 88 in _run_code
File "<frozen runpy>", line 198 in _run_module_as_main


Or a minimal example directly with apt_pkg:
$ echo "Source: foo
Build-Depends: debhelper,
# quux,
 python" > data
$ python3 -c "import apt_pkg; [p for p in apt_pkg.TagFile(open('data', 'rt'))]"
Segmentation fault (core dumped)

--- End Message ---
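
The behaviour the report asks for (comment lines tolerated inside a multi-line field, and an exception rather than a crash on unparsable data), sketched as an added example. It is not code from python-apt or python-debian; parse_control and ControlParseError are hypothetical names, and SAMPLE is the minimal input from the report.

```python
import re

# Constructed sample: the minimal input from the report above.
SAMPLE = "Source: foo\nBuild-Depends: debhelper,\n# quux,\n python\n"


class ControlParseError(ValueError):
    """Malformed deb822 input (hypothetical name, not an apt_pkg class)."""


# Field name: printable ASCII without space or ':', not starting with '-'.
_FIELD = re.compile(r"^([!-,.-9;-~][!-9;-~]*):[ \t]*(.*)$")


def parse_control(text):
    """Return a list of {field: value} dicts, one per paragraph."""
    paragraphs, current, last = [], {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue  # comment line: skipped, does not end the open field
        if not line.strip():  # blank line closes the current paragraph
            if current:
                paragraphs.append(current)
            current, last = {}, None
            continue
        if line[0] in " \t":  # continuation of the previous field
            if last is None:
                raise ControlParseError(
                    f"line {lineno}: continuation line without a field")
            current[last] += "\n" + line.strip()
            continue
        m = _FIELD.match(line)
        if m is None:
            raise ControlParseError(f"line {lineno}: not a field: {line!r}")
        last = m.group(1)
        if last in current:
            raise ControlParseError(f"line {lineno}: duplicate field {last}")
        current[last] = m.group(2).rstrip()
    if current:
        paragraphs.append(current)
    return paragraphs


if __name__ == "__main__":
    print(parse_control(SAMPLE))
```
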
--- Begin Message ---
Source: python-apt
Source-Version: 2.7.3
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
python-apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1058904@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated python-apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Dec 2023 16:00:06 +0100
Source: python-apt
Architecture: source
Version: 2.7.3
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 1058657 1058904
Changes:
 python-apt (2.7.3) unstable; urgency=medium
 .
   * Handle null pointer deference in error handler (Closes: #1058904)
   * Actually register apt_pkg.Warning object
   * apt_inst: Import apt_pkg.Warning and export it again (Closes: #1058657)
   * d/tests/control: Add allow-stderr Restriction
Checksums-Sha1:
 806bd78bcaf7bd830b3a06dfa72e32daa24c6059 2366 python-apt_2.7.3.dsc
 781d6a3a149009e51c4c839668ff16c368ed2d04 352868 python-apt_2.7.3.tar.xz
 0021290f6be83797803d804d2762631f6f21baac 9643 python-apt_2.7.3_source.buildinfo
Checksums-Sha256:
 86e9adf38a5633878cdaf91f3237b0ff3f71965f7cb9904bcee20bdefd28bace 2366 python-apt_2.7.3.dsc
 775e90648db9db5746cf0f9d03562af8861f3c98084e4edd459ea4aba46720f8 352868 python-apt_2.7.3.tar.xz
 0d0e26cb895a88e2ba576c0f02d1629ad78a241f8b387cf1cdfc2c5a57d5cb8d 9643 python-apt_2.7.3_source.buildinfo
Files:
 9630f522a848ce0087092149b3bfcf86 2366 python optional python-apt_2.7.3.dsc
 9cbe2cf6fb11e9694bd2bbf67765edb5 352868 python optional python-apt_2.7.3.tar.xz
 8ce33bb0abbc6bbe99e523c999717cf3 9643 python optional python-apt_2.7.3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
