Long passwords for authenticated repositories not handled well

Bug #1065429 reported by Michael Vogt
Affects              Status        Importance  Assigned to  Milestone
apt (Ubuntu)         Fix Released  Medium      Unassigned
apt (Ubuntu Precise) Fix Released  Medium      Unassigned

Bug Description

If there is a repository that needs authentication with a long password or username (>64 chars) this is not handled well in apt. It will simply cut it off and the authentication will fail with an error from the server instead of indicating that the password is too long.

The maximum size of the user/password needs to be increased and a proper error message on overflow needs to be given.

To test this we need a repository with a long username/password.

= Test Case =
We'll use a pretend repository without any packages at murraytwins.com
1) Add the following line to /etc/apt/sources.list:
deb http://murraytwins.com/repository precise multiverse
2) Add the following line (yes, it's all one line) to /etc/apt/auth.conf (likely a new file)
machine murraytwins.com/repository/ login mrzx4l98d4tp89jab6giohdrjqysbyjs4npz2ccq25kvjmf5h8u4cmidcko7s4tfr6ur1teuv4ju1af-bp8wz2-hwbqs6tox1bv6csee9psn5309v7488f3dugifm692db2xfq8n1fsz7l87835tr0q36m2p3ftwpoqoy6 password password
3) Run apt-get update
4) Observe a 401 for murraytwins.com:
W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-amd64/Packages 401 Authorization Required

With the version of the package from -proposed you'll receive a 404 instead of a 401.
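The following is an added example, not apt's own code and not part of this report: a small C++ model of the auth.conf lookup that the test case above exercises. It tokenises the machine/login/password entry, matches the "machine murraytwins.com/repository/" token as a prefix of the Packages URI, and then hands the credentials to two variants. The first copies them into a fixed 64-byte buffer with strncpy and silently keeps the first 64 characters, which is the pre-fix behaviour and why the server answered 401. The second rejects any token longer than the limit with an error naming the field, which is what the fix added. The 256-byte post-fix limit, the function names and the prefix-matching rule are assumptions of this example; the login string and the URI are taken from the test case.

```cpp
// Added example modelling this bug; not apt's netrc.cc.
// apt copied login/password tokens into fixed LOGINSIZE/PASSWORDSIZE arrays
// (64 bytes before the fix) and dropped the rest. The checked variant refuses
// an over-long token instead. kNewLimit = 256 is an assumption.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <sstream>
#include <string>

constexpr std::size_t kOldLimit = 64;   // apt's original LOGINSIZE/PASSWORDSIZE
constexpr std::size_t kNewLimit = 256;  // assumed post-fix limit

struct NetrcEntry {
    std::string machine, login, password;
};

enum class ParseStatus { Ok, NotFound, TokenTooLong };

struct ParseResult {
    ParseStatus status = ParseStatus::NotFound;
    NetrcEntry entry;
    std::string error;  // set when status == TokenTooLong
};

// Constructed sample: the auth.conf line from step 2 of the test case
// (166-character login) and the Packages URI that apt-get update fetches.
const std::string kSampleLogin =
    "mrzx4l98d4tp89jab6giohdrjqysbyjs4npz2ccq25kvjmf5h8u4cmidcko7s4tfr6ur1teuv4ju1af-"
    "bp8wz2-hwbqs6tox1bv6csee9psn5309v7488f3dugifm692db2xfq8n1fsz7l87835tr0q36m2p3ftwpoqoy6";
const std::string kSampleAuthConf =
    "machine murraytwins.com/repository/ login " + kSampleLogin + " password password\n";
const std::string kSampleUri =
    "murraytwins.com/repository/dists/precise/multiverse/binary-amd64/Packages";

// Assumed matching rule: a machine token with a path matches as a prefix of
// host/path; a bare hostname matches the host part only.
static bool machine_matches(const std::string& machine, const std::string& uri) {
    if (machine.find('/') != std::string::npos)
        return uri.compare(0, machine.size(), machine) == 0;
    return uri.substr(0, uri.find('/')) == machine;
}

// Finds the first matching "machine" entry and returns its login/password
// untruncated. Returns false when no entry matches.
static bool find_entry(const std::string& text, const std::string& uri, NetrcEntry& out) {
    std::istringstream in(text);
    std::string tok;
    enum { kSearching, kInEntry } state = kSearching;
    std::string* target = nullptr;  // field the next token fills
    while (in >> tok) {
        if (target) { *target = tok; target = nullptr; continue; }
        if (tok == "machine") {
            if (state == kInEntry) return true;  // next entry begins; ours is complete
            if (!(in >> tok)) return false;
            if (machine_matches(tok, uri)) { out.machine = tok; state = kInEntry; }
        } else if (state == kInEntry && tok == "login") {
            target = &out.login;
        } else if (state == kInEntry && tok == "password") {
            target = &out.password;
        }
    }
    return state == kInEntry;
}

// Pre-fix behaviour: strncpy into a fixed buffer keeps whatever fits and
// reports success, so the server sees a mangled login and answers 401.
static std::string copy_truncating(const std::string& tok) {
    char buf[kOldLimit + 1];
    std::strncpy(buf, tok.c_str(), kOldLimit);
    buf[kOldLimit] = '\0';
    return std::string(buf);
}

static ParseResult parse_truncating(const std::string& text, const std::string& uri) {
    ParseResult r;
    if (!find_entry(text, uri, r.entry)) return r;
    r.entry.login = copy_truncating(r.entry.login);
    r.entry.password = copy_truncating(r.entry.password);
    r.status = ParseStatus::Ok;  // success reported even though the login was cut
    return r;
}

// Post-fix behaviour: a token over `limit` is a hard error naming the field.
static ParseResult parse_checked(const std::string& text, const std::string& uri,
                                 std::size_t limit = kNewLimit) {
    ParseResult r;
    if (!find_entry(text, uri, r.entry)) return r;
    const struct { const char* name; const std::string* value; } fields[] = {
        {"login", &r.entry.login}, {"password", &r.entry.password}};
    for (const auto& f : fields) {
        if (f.value->size() > limit) {
            r.status = ParseStatus::TokenTooLong;
            r.error = std::string("netrc: ") + f.name + " for " + r.entry.machine +
                      " exceeds " + std::to_string(limit) + " bytes";
            return r;
        }
    }
    r.status = ParseStatus::Ok;
    return r;
}

int main() {
    ParseResult before = parse_truncating(kSampleAuthConf, kSampleUri);
    std::cout << "pre-fix login sent: " << before.entry.login << " ("
              << before.entry.login.size() << " of " << kSampleLogin.size() << " chars)\n";
    ParseResult rejected = parse_checked(kSampleAuthConf, kSampleUri, kOldLimit);
    std::cout << "old limit, checked: " << rejected.error << "\n";
    ParseResult after = parse_checked(kSampleAuthConf, kSampleUri);
    std::cout << "post-fix login intact: "
              << (after.entry.login == kSampleLogin ? "yes" : "no") << "\n";
    return 0;
}
```

Run it as is to see the 64-character login the old code would have sent beside the error the checked variant raises. The 404 seen with the -proposed package fits this model: the full login now reaches the server, the pretend repository accepts it, and there is simply no Packages file to serve.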

Michael Vogt (mvo)
Changed in apt (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in apt (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
description: updated
Brian Murray (brian-murray) wrote :

To be clear, it was fixed with this upload to quantal:

This bug was fixed in the package apt - 0.9.7.5ubuntu1

---------------
apt (0.9.7.5ubuntu1) quantal; urgency=low

  [ Michael Vogt ]
  * merged latest fixes from the debian-sid branch

  [ TJ ]
  * apt-pkg/contrib/netrc.cc:
    - increase LOGINSIZE/PASSWORDSIZE limits and add proper error
      if the limits are reached (LP: #1008289)

Brian Murray (brian-murray) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted apt into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
C de-Avillez (hggdh2) wrote :

Tested on Precise. Without the updated apt, I see:

W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-amd64/Packages 401 Unauthorized
W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-i386/Packages 401 Unauthorized
E: Some index files failed to download. They have been ignored, or old ones used instead.

With the updated apt I see:

W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-amd64/Packages 404 Not Found

W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.
ubuntu@clean-precise-server-amd64:~$ dpkg -l apt\*
ii apt 0.8.16~exp12ubuntu10 commandline package manager
ii apt-transport-https 0.8.16~exp12ubuntu10 https download transport for APT
ii apt-utils 0.8.16~exp12ubuntu10 package managment related utility programs
ii apt-xapian-index 0.44ubuntu5 maintenance and search tools for a Xapian index of Debia

Tagging verification-done

tags: added: verification-done
removed: verification-needed
Adam Conrad (adconrad) wrote :

Hello Michael, or anyone else affected,

Accepted apt into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-done
tags: added: verification-needed
C de-Avillez (hggdh2) wrote :

verified that apt 0.8.16~exp12ubuntu10.5 returns a 404 on too long password:

W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-amd64/Packages 404 Not Found

W: Failed to fetch http://murraytwins.com/repository/dists/precise/multiverse/binary-i386/Packages 404 Not Found

E: Some index files failed to download. They have been ignored, or old ones used instead.

tags: added: precise verification-done
removed: verification-needed
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.5

---------------
apt (0.8.16~exp12ubuntu10.5) precise-proposed; urgency=low

  * apt-pkg/pkgcachegen.cc:
    - Fix crash if the cache is remapped while writing a Provides version
      (LP: #1066445).

apt (0.8.16~exp12ubuntu10.4) precise-proposed; urgency=low

  [ David Kalnischkies ]
  * apt-pkg/packagemanager.cc:
    - do not run into loop on new-pre-depends-breaks (Closes: #673536)
      LP: #1050791
  * apt-pkg/cachefile.cc:
    - clean up lost atomic cachefiles with 'clean' (Closes: #650513)
      LP: #1050779

  [ TJ ]
  * apt-pkg/contrib/netrc.cc:
    - increase LOGINSIZE/PASSWORDSIZE limits and add proper error
      if the limits are reached (LP: #1065429)

  [ Michael Vogt ]
  * lp:~mvo/apt/lp346386-precise:
    - fail gracefully when a InRelease file is not valid, e.g. behind
      paywalls (LP: #346386)
 -- Colin Watson <email address hidden> Mon, 15 Oct 2012 05:42:45 +0100

Changed in apt (Ubuntu Precise):
status: Fix Committed → Fix Released