Your message dated Thu, 19 Dec 2024 00:03:34 +0100 with message-id <zjuntomhiak5pvtnb64dffhjbaboq7xh4uykyl65izctvgnhtf@k3h5e2iplnw4> and subject line Re: Bug#1090754: apt: Apt does not always validate the Packages file on local file repositories has caused the Debian Bug report #1090754, regarding apt: Apt does not always validate the Packages file on local file repositories to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1090754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090754 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Apt does not always validate the Packages file on local file repositories
- From: yogg <debbug@x-net.at>
- Date: Wed, 18 Dec 2024 19:30:02 +0100
- Message-id: <[🔎] 173454660251.41718.1264269386541522311.reportbug@ft-laptop01>
Package: apt Version: 2.6.1 Severity: important Tags: d-i X-Debbugs-Cc: debbug@x-net.at Dear Maintainer, I tried to setup a local file repository. After this worked I tried to bypass some of the security measures and realized that I can modify the "Packages" file without an error. I also tested the same on a remote http repository where this problem does not occur. I think this happens because apt does not use the same caching methods if it works with an lokal in filesystem repository (but this is maybe wrong). I have written a test script which shows the problem. Be warned, the script runs "apt update", "apt install" and modifies the sources listi of the system (root is needed). At the end the script should clean up everything, but I have not tested the scipt on other systems. This is maybe also important for the debian installer team. It could possible to abuse this problem on the DVD installer if the same filesystem repository approach is used. -- Package-specific info: -- apt-config dump -- APT ""; APT::Architecture "amd64"; APT::Build-Essential ""; APT::Build-Essential:: "build-essential"; APT::Install-Recommends "true"; APT::Install-Suggests "0"; APT::Sandbox ""; APT::Sandbox::User "_apt"; APT::Authentication ""; APT::Authentication::TrustCDROM "true"; APT::NeverAutoRemove ""; APT::NeverAutoRemove:: "^firmware-linux.*"; APT::NeverAutoRemove:: "^linux-firmware$"; APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*$"; APT::NeverAutoRemove:: "^linux-image-[a-z0-9]*-[a-z0-9]*$"; APT::VersionedKernelPackages ""; APT::VersionedKernelPackages:: "linux-.*"; APT::VersionedKernelPackages:: "kfreebsd-.*"; APT::VersionedKernelPackages:: "gnumach-.*"; APT::VersionedKernelPackages:: ".*-modules"; APT::VersionedKernelPackages:: ".*-kernel"; APT::Never-MarkAuto-Sections ""; APT::Never-MarkAuto-Sections:: "metapackages"; APT::Never-MarkAuto-Sections:: "tasks"; APT::Move-Autobit-Sections ""; APT::Move-Autobit-Sections:: "oldlibs"; APT::Update ""; APT::Update::Post-Invoke-Success ""; APT::Update::Post-Invoke-Success:: "if /usr/bin/test -w /var/lib/command-not-found/ -a -e /usr/lib/cnf-update-db; then /usr/lib/cnf-update-db > /dev/null; fi"; APT::Architectures ""; APT::Architectures:: "amd64"; APT::Compressor ""; APT::Compressor::. ""; APT::Compressor::.::Name "."; APT::Compressor::.::Extension ""; APT::Compressor::.::Binary ""; APT::Compressor::.::Cost "0"; APT::Compressor::zstd ""; APT::Compressor::zstd::Name "zstd"; APT::Compressor::zstd::Extension ".zst"; APT::Compressor::zstd::Binary "zstd"; APT::Compressor::zstd::Cost "60"; APT::Compressor::zstd::CompressArg ""; APT::Compressor::zstd::CompressArg:: "-19"; APT::Compressor::zstd::UncompressArg ""; APT::Compressor::zstd::UncompressArg:: "-d"; APT::Compressor::lz4 ""; APT::Compressor::lz4::Name "lz4"; APT::Compressor::lz4::Extension ".lz4"; APT::Compressor::lz4::Binary "lz4"; APT::Compressor::lz4::Cost "50"; APT::Compressor::lz4::CompressArg ""; APT::Compressor::lz4::CompressArg:: "-1"; APT::Compressor::lz4::UncompressArg ""; APT::Compressor::lz4::UncompressArg:: "-d"; APT::Compressor::gzip ""; APT::Compressor::gzip::Name "gzip"; APT::Compressor::gzip::Extension ".gz"; APT::Compressor::gzip::Binary "gzip"; APT::Compressor::gzip::Cost "100"; APT::Compressor::gzip::CompressArg ""; APT::Compressor::gzip::CompressArg:: "-6n"; APT::Compressor::gzip::UncompressArg ""; APT::Compressor::gzip::UncompressArg:: "-d"; APT::Compressor::xz ""; APT::Compressor::xz::Name "xz"; APT::Compressor::xz::Extension ".xz"; APT::Compressor::xz::Binary "xz"; APT::Compressor::xz::Cost "200"; APT::Compressor::xz::CompressArg ""; APT::Compressor::xz::CompressArg:: "-6"; APT::Compressor::xz::UncompressArg ""; APT::Compressor::xz::UncompressArg:: "-d"; APT::Compressor::bzip2 ""; APT::Compressor::bzip2::Name "bzip2"; APT::Compressor::bzip2::Extension ".bz2"; APT::Compressor::bzip2::Binary "bzip2"; APT::Compressor::bzip2::Cost "300"; APT::Compressor::bzip2::CompressArg ""; APT::Compressor::bzip2::CompressArg:: "-6"; APT::Compressor::bzip2::UncompressArg ""; APT::Compressor::bzip2::UncompressArg:: "-d"; APT::Compressor::lzma ""; APT::Compressor::lzma::Name "lzma"; APT::Compressor::lzma::Extension ".lzma"; APT::Compressor::lzma::Binary "xz"; APT::Compressor::lzma::Cost "400"; APT::Compressor::lzma::CompressArg ""; APT::Compressor::lzma::CompressArg:: "--format=lzma"; APT::Compressor::lzma::CompressArg:: "-6"; APT::Compressor::lzma::UncompressArg ""; APT::Compressor::lzma::UncompressArg:: "--format=lzma"; APT::Compressor::lzma::UncompressArg:: "-d"; Dir "/"; Dir::State "var/lib/apt"; Dir::State::lists "lists/"; Dir::State::cdroms "cdroms.list"; Dir::State::extended_states "extended_states"; Dir::State::status "/var/lib/dpkg/status"; Dir::Cache "var/cache/apt"; Dir::Cache::archives "archives/"; Dir::Cache::srcpkgcache "srcpkgcache.bin"; Dir::Cache::pkgcache "pkgcache.bin"; Dir::Etc "etc/apt"; Dir::Etc::sourcelist "sources.list"; Dir::Etc::sourceparts "sources.list.d"; Dir::Etc::main "apt.conf"; Dir::Etc::netrc "auth.conf"; Dir::Etc::netrcparts "auth.conf.d"; Dir::Etc::parts "apt.conf.d"; Dir::Etc::preferences "preferences"; Dir::Etc::preferencesparts "preferences.d"; Dir::Etc::trusted "trusted.gpg"; Dir::Etc::trustedparts "trusted.gpg.d"; Dir::Etc::apt-listchanges-main "listchanges.conf"; Dir::Etc::apt-listchanges-parts "listchanges.conf.d"; Dir::Etc::apt-file-main "apt-file.conf"; Dir::Bin ""; Dir::Bin::methods "/usr/lib/apt/methods"; Dir::Bin::solvers ""; Dir::Bin::solvers:: "/usr/lib/apt/solvers"; Dir::Bin::planners ""; Dir::Bin::planners:: "/usr/lib/apt/planners"; Dir::Bin::dpkg "/usr/bin/dpkg"; Dir::Bin::gzip "/bin/gzip"; Dir::Bin::bzip2 "/bin/bzip2"; Dir::Bin::xz "/usr/bin/xz"; Dir::Bin::lz4 "/usr/bin/lz4"; Dir::Bin::zstd "/usr/bin/zstd"; Dir::Bin::lzma "/usr/bin/xz"; Dir::Media ""; Dir::Media::MountPath "/media/cdrom"; Dir::Log "var/log/apt"; Dir::Log::Terminal "term.log"; Dir::Log::History "history.log"; Dir::Log::Planner "eipp.log.xz"; Dir::Ignore-Files-Silently ""; Dir::Ignore-Files-Silently:: "~$"; Dir::Ignore-Files-Silently:: "\.disabled$"; Dir::Ignore-Files-Silently:: "\.bak$"; Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$"; Dir::Ignore-Files-Silently:: "\.ucf-[a-z]+$"; Dir::Ignore-Files-Silently:: "\.save$"; Dir::Ignore-Files-Silently:: "\.orig$"; Dir::Ignore-Files-Silently:: "\.distUpgrade$"; Acquire ""; Acquire::AllowInsecureRepositories "0"; Acquire::AllowWeakRepositories "0"; Acquire::AllowDowngradeToInsecureRepositories "0"; Acquire::cdrom ""; Acquire::cdrom::mount "/media/cdrom"; Acquire::IndexTargets ""; Acquire::IndexTargets::deb ""; Acquire::IndexTargets::deb::Packages ""; Acquire::IndexTargets::deb::Packages::MetaKey "$(COMPONENT)/binary-$(ARCHITECTURE)/Packages"; Acquire::IndexTargets::deb::Packages::flatMetaKey "Packages"; Acquire::IndexTargets::deb::Packages::ShortDescription "Packages"; Acquire::IndexTargets::deb::Packages::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Packages"; Acquire::IndexTargets::deb::Packages::flatDescription "$(RELEASE) Packages"; Acquire::IndexTargets::deb::Packages::Optional "0"; Acquire::IndexTargets::deb::Translations ""; Acquire::IndexTargets::deb::Translations::MetaKey "$(COMPONENT)/i18n/Translation-$(LANGUAGE)"; Acquire::IndexTargets::deb::Translations::flatMetaKey "$(LANGUAGE)"; Acquire::IndexTargets::deb::Translations::ShortDescription "Translation-$(LANGUAGE)"; Acquire::IndexTargets::deb::Translations::Description "$(RELEASE)/$(COMPONENT) Translation-$(LANGUAGE)"; Acquire::IndexTargets::deb::Translations::flatDescription "$(RELEASE) Translation-$(LANGUAGE)"; Acquire::IndexTargets::deb::Contents-deb ""; Acquire::IndexTargets::deb::Contents-deb::MetaKey "$(COMPONENT)/Contents-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-deb::ShortDescription "Contents-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-deb::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Contents (deb)"; Acquire::IndexTargets::deb::Contents-deb::flatMetaKey "Contents-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-deb::flatDescription "$(RELEASE) Contents (deb)"; Acquire::IndexTargets::deb::Contents-deb::PDiffs "true"; Acquire::IndexTargets::deb::Contents-deb::KeepCompressed "true"; Acquire::IndexTargets::deb::Contents-udeb ""; Acquire::IndexTargets::deb::Contents-udeb::MetaKey "$(COMPONENT)/Contents-udeb-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-udeb::ShortDescription "Contents-udeb-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-udeb::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Contents (udeb)"; Acquire::IndexTargets::deb::Contents-udeb::flatMetaKey "Contents-udeb-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-udeb::flatDescription "$(RELEASE) Contents (udeb)"; Acquire::IndexTargets::deb::Contents-udeb::KeepCompressed "true"; Acquire::IndexTargets::deb::Contents-udeb::PDiffs "true"; Acquire::IndexTargets::deb::Contents-udeb::DefaultEnabled "false"; Acquire::IndexTargets::deb::Contents-deb-legacy ""; Acquire::IndexTargets::deb::Contents-deb-legacy::MetaKey "Contents-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-deb-legacy::ShortDescription "Contents-$(ARCHITECTURE)"; Acquire::IndexTargets::deb::Contents-deb-legacy::Description "$(RELEASE) $(ARCHITECTURE) Contents (deb)"; Acquire::IndexTargets::deb::Contents-deb-legacy::PDiffs "true"; Acquire::IndexTargets::deb::Contents-deb-legacy::KeepCompressed "true"; Acquire::IndexTargets::deb::Contents-deb-legacy::Fallback-Of "Contents-deb"; Acquire::IndexTargets::deb::Contents-deb-legacy::Identifier "Contents-deb"; Acquire::IndexTargets::deb::CNF ""; Acquire::IndexTargets::deb::CNF::MetaKey "$(COMPONENT)/cnf/Commands-$(NATIVE_ARCHITECTURE)"; Acquire::IndexTargets::deb::CNF::ShortDescription "Commands-$(NATIVE_ARCHITECTURE)"; Acquire::IndexTargets::deb::CNF::Description "$(RELEASE)/$(COMPONENT) $(NATIVE_ARCHITECTURE) c-n-f Metadata"; Acquire::IndexTargets::deb::CNF::DefaultEnabled "no"; Acquire::IndexTargets::deb-src ""; Acquire::IndexTargets::deb-src::Sources ""; Acquire::IndexTargets::deb-src::Sources::MetaKey "$(COMPONENT)/source/Sources"; Acquire::IndexTargets::deb-src::Sources::flatMetaKey "Sources"; Acquire::IndexTargets::deb-src::Sources::ShortDescription "Sources"; Acquire::IndexTargets::deb-src::Sources::Description "$(RELEASE)/$(COMPONENT) Sources"; Acquire::IndexTargets::deb-src::Sources::flatDescription "$(RELEASE) Sources"; Acquire::IndexTargets::deb-src::Sources::Optional "0"; Acquire::IndexTargets::deb-src::Contents-dsc ""; Acquire::IndexTargets::deb-src::Contents-dsc::MetaKey "$(COMPONENT)/Contents-source"; Acquire::IndexTargets::deb-src::Contents-dsc::ShortDescription "Contents-source"; Acquire::IndexTargets::deb-src::Contents-dsc::Description "$(RELEASE)/$(COMPONENT) source Contents (dsc)"; Acquire::IndexTargets::deb-src::Contents-dsc::flatMetaKey "Contents-source"; Acquire::IndexTargets::deb-src::Contents-dsc::flatDescription "$(RELEASE) Contents (dsc)"; Acquire::IndexTargets::deb-src::Contents-dsc::PDiffs "true"; Acquire::IndexTargets::deb-src::Contents-dsc::KeepCompressed "true"; Acquire::IndexTargets::deb-src::Contents-dsc::DefaultEnabled "false"; Acquire::Changelogs ""; Acquire::Changelogs::URI ""; Acquire::Changelogs::URI::Origin ""; Acquire::Changelogs::URI::Origin::Debian "https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";; Acquire::Changelogs::URI::Origin::Ubuntu "https://changelogs.ubuntu.com/changelogs/pool/@CHANGEPATH@/changelog";; Acquire::Changelogs::AlwaysOnline ""; Acquire::Changelogs::AlwaysOnline::Origin ""; Acquire::Changelogs::AlwaysOnline::Origin::Ubuntu "1"; Acquire::Languages ""; Acquire::Languages:: "en"; Acquire::Languages:: "none"; Acquire::Languages:: "de"; Acquire::CompressionTypes ""; Acquire::CompressionTypes::xz "xz"; Acquire::CompressionTypes::bz2 "bzip2"; Acquire::CompressionTypes::lzma "lzma"; Acquire::CompressionTypes::gz "gzip"; Acquire::CompressionTypes::lz4 "lz4"; Acquire::CompressionTypes::zst "zstd"; DPkg ""; DPkg::Path "/usr/sbin:/usr/bin:/sbin:/bin"; DPkg::Pre-Install-Pkgs ""; DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -lt 10"; DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true"; DPkg::Tools ""; DPkg::Tools::Options ""; DPkg::Tools::Options::/usr/bin/apt-listchanges ""; DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2"; DPkg::Tools::Options::/usr/bin/apt-listchanges::InfoFD "20"; apt-file ""; apt-file::Index-Names "deb"; apt-file::Parser ""; apt-file::Parser::Check-For-Description-Header "false"; Unattended-Upgrade ""; Unattended-Upgrade::Origins-Pattern ""; Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian"; Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security"; Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; Binary "apt-config"; Binary::apt ""; Binary::apt::APT ""; Binary::apt::APT::Color "1"; Binary::apt::APT::Cache ""; Binary::apt::APT::Cache::Show ""; Binary::apt::APT::Cache::Show::Version "2"; Binary::apt::APT::Cache::AllVersions "0"; Binary::apt::APT::Cache::ShowVirtuals "1"; Binary::apt::APT::Cache::Search ""; Binary::apt::APT::Cache::Search::Version "2"; Binary::apt::APT::Cache::ShowDependencyType "1"; Binary::apt::APT::Cache::ShowVersion "1"; Binary::apt::APT::Get ""; Binary::apt::APT::Get::Upgrade-Allow-New "1"; Binary::apt::APT::Get::Update ""; Binary::apt::APT::Get::Update::InteractiveReleaseInfoChanges "1"; Binary::apt::APT::Cmd ""; Binary::apt::APT::Cmd::Show-Update-Stats "1"; Binary::apt::APT::Cmd::Pattern-Only "1"; Binary::apt::APT::Keep-Downloaded-Packages "0"; Binary::apt::DPkg ""; Binary::apt::DPkg::Progress-Fancy "1"; Binary::apt::DPkg::Lock ""; Binary::apt::DPkg::Lock::Timeout "-1"; CommandLine ""; CommandLine::AsString "apt-config dump"; -- (no /etc/apt/preferences present) -- -- (no /etc/apt/preferences.d/* present) -- -- /etc/apt/sources.list -- #deb cdrom:[Debian GNU/Linux 12.0.0 _Bookworm_ - Official amd64 NETINST with firmware 20230610-10:21]/ bookworm main non-free-firmware deb http://deb.debian.org/debian/ bookworm main non-free-firmware deb-src http://deb.debian.org/debian/ bookworm main non-free-firmware deb http://security.debian.org/debian-security bookworm-security main non-free-firmware deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware # bookworm-updates, to get updates before a point release is made; # see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports deb http://deb.debian.org/debian/ bookworm-updates main non-free-firmware deb-src http://deb.debian.org/debian/ bookworm-updates main non-free-firmware # This system was installed using small removable media # (e.g. netinst, live or single CD). The matching "deb cdrom" # entries were disabled at the end of the installation process. # For information about how to configure apt package sources, # see the sources.list(5) manual. -- (no /etc/apt/sources.list.d/* present) -- -- System Information: Debian Release: 12.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-28-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=de_AT:de Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apt depends on: ii adduser 3.134 ii debian-archive-keyring 2023.3+deb12u1 ii gpgv 2.2.40-1.1 ii libapt-pkg6.0 2.6.1 ii libc6 2.36-9+deb12u9 ii libgcc-s1 12.2.0-14 ii libgnutls30 3.7.9-2+deb12u3 ii libseccomp2 2.5.4-1+deb12u1 ii libstdc++6 12.2.0-14 ii libsystemd0 252.31-1~deb12u1 Versions of packages apt recommends: ii ca-certificates 20230311 Versions of packages apt suggests: pn apt-doc <none> ii aptitude 0.8.13-5 ii dpkg-dev 1.21.22 ii gnupg 2.2.40-1.1 ii powermgmt-base 1.37 ii synaptic 0.91.3 -- no debconf informationAttachment: apt_bugtest.tgz
Description: application/gzip
--- End Message ---
--- Begin Message ---
- To: 1090754-done@bugs.debian.org
- Subject: Re: Bug#1090754: apt: Apt does not always validate the Packages file on local file repositories
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Thu, 19 Dec 2024 00:03:34 +0100
- Message-id: <zjuntomhiak5pvtnb64dffhjbaboq7xh4uykyl65izctvgnhtf@k3h5e2iplnw4>
- In-reply-to: <[🔎] pwskatl5h5ucfhsowgqvtx5rw2wwgyqlean6udta5entewjnl2@yhie65flhgwy>
- References: <[🔎] 173454660251.41718.1264269386541522311.reportbug@ft-laptop01> <[🔎] 173454660251.41718.1264269386541522311.reportbug@ft-laptop01> <[🔎] pwskatl5h5ucfhsowgqvtx5rw2wwgyqlean6udta5entewjnl2@yhie65flhgwy>
Am Wed, Dec 18, 2024 at 11:54:46PM +0100, schrieb David Kalnischkies: > So, closing as not a bug but working as intended. I have a script that reminds we if it looks like I talked about an attachment, but the mail doesn't have one. Perhaps I should finally extend that script to deal with another rather silly mistake……… Best regards David KalnischkiesAttachment: signature.asc
Description: PGP signature
--- End Message ---