build-depends keeps OR flag if end of or group is ignored

Bug #1694697 reported by Julian Andres Klode
This bug affects 1 person
Affects        Status         Importance   Assigned to   Milestone
apt (Ubuntu)   Fix Released   High         Unassigned
Trusty         New            Undecided    Unassigned
Xenial         Fix Released   Undecided    Unassigned
Yakkety        Won't Fix      Undecided    Unassigned
Zesty          Fix Released   Undecided    Unassigned

Bug Description

[Impact]
If the last alternative(s) of an Or group is ignored, because it does
not match an architecture list, we would end up keeping the or flag,
effectively making the next AND an OR.

For example, when parsing (on amd64):

    debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386]
 => debhelper (>= 9), libnacl-dev |

Which can cause python-apt and apt-get build-dep to crash.

Even worse:

     debhelper (>= 9), libnacl-dev [amd64] | libnacl-dev [i386], foobar
  => debhelper (>= 9), libnacl-dev [amd64] | foobar

[Test case]
On amd64:

cat > segv.dsc << EOF
Format: 3.0 (native)
Source: foobar
Binary: foobar
Architecture: all
Version: 1
Maintainer: Joe Sixpack <email address hidden>
Build-Depends: build-essential [amd64] | build-essential [fancy]
Standards-Version: 3.9.8
EOF
cat > failure.dsc << EOF
Format: 3.0 (native)
Source: foobar
Binary: foobar
Architecture: all
Version: 1
Maintainer: Joe Sixpack <email address hidden>
Build-Depends: build-essential [amd64] | build-essential [fancy], a-non-existing-package
Standards-Version: 3.9.8
EOF

(1) apt-get build-dep -s ./segv.dsc should succeed instead of crash
(2) apt-get build-dep -s ./failure.dsc should complain about "Depends: a-non-existing-package but it is not installable" instead of succeeding.

This is the same test as run by CI and autopkgtests, so if they pass the tests passed. You can also run apt-get build-dep -s dq for a real life example that should not segfault.

[Regression Potential]
apt-get build-dep and friends can now fail where they succeeded previously for packages that employ architecture-limited alternatives in their build depends, as in the second example given above, because now additional packages need to be installed (which is correct, though).

[Other info]
By setting the previous alternatives Or flag to the current Or flag
if the current alternative is ignored, we solve the issue.
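
The flag handling described in this report, as an added example that is not part of the original report and is not apt's own code: a simplified model of flattening a Build-Depends field into entries with an Or flag, with the reported behaviour (`fixed=false`) beside the described remedy (`fixed=true`). The names `Dep`, `or_next`, `arch_matches` and `parse_build_depends` are hypothetical; version constraints are dropped and negated architecture lists are not handled.

```cpp
#include <sstream>
#include <string>
#include <vector>

struct Dep { std::string name; bool or_next; };  // or_next: ORed with the following entry

static std::string trim(const std::string &s) {
    auto b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// True if the alternative has no "[arch ...]" list or the list names the host architecture.
static bool arch_matches(const std::string &alt, const std::string &host) {
    auto open = alt.find('['), close = alt.find(']');
    if (open == std::string::npos || close == std::string::npos) return true;
    std::istringstream archs(alt.substr(open + 1, close - open - 1));
    for (std::string a; archs >> a;)
        if (a == host) return true;
    return false;
}

// Flatten a Build-Depends value into a list of entries carrying an Or flag.
// fixed=false keeps the reported behaviour; fixed=true applies the described remedy.
std::vector<Dep> parse_build_depends(const std::string &field, const std::string &host, bool fixed) {
    std::vector<Dep> out;
    std::istringstream groups(field);
    for (std::string group; std::getline(groups, group, ',');) {
        std::vector<std::string> alts;
        std::istringstream g(group);
        for (std::string alt; std::getline(g, alt, '|');) alts.push_back(trim(alt));
        for (size_t i = 0; i < alts.size(); ++i) {
            if (alts[i].empty()) continue;           // stray separator
            bool or_next = i + 1 < alts.size();      // another alternative follows textually
            if (!arch_matches(alts[i], host)) {
                // Ignored alternative: the previous kept entry of this group inherits its Or flag,
                // so a group whose tail is ignored ends with the flag cleared.
                if (fixed && !out.empty() && out.back().or_next) out.back().or_next = or_next;
                continue;
            }
            out.push_back({alts[i].substr(0, alts[i].find_first_of(" ([")), or_next});
        }
    }
    return out;
}
```

With `fixed=false`, the single-group input from `segv.dsc` ends with an entry whose Or flag is still set although nothing follows it, and the `failure.dsc` input ORs `build-essential` with `a-non-existing-package`.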

Changed in apt (Ubuntu):
status: New → In Progress
importance: Undecided → High
Julian Andres Klode (juliank) wrote :

This also causes crashes in python-apt due to an off-by-one error in size checking there, see 1694702

description: updated
Changed in apt (Ubuntu):
status: In Progress → Fix Committed
Julian Andres Klode (juliank) wrote :

Fixed in upstream release 1.4.5. Now we only need to wait for it to sync :)

description: updated
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.4.5

---------------
apt (1.4.5) unstable; urgency=medium

  * Fix parsing of or groups in build-deps with ignored packages (LP: #1694697)

 -- Julian Andres Klode <email address hidden> Wed, 31 May 2017 14:52:25 +0200

Changed in apt (Ubuntu):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank) wrote :

This affects all active releases AFAICT, so we should issue SRUs for these. It's questionable how to test the pre-1.1 release in trusty, though - they do not support build-dep from a file, so the test will be more complex - maybe it's not really worth it.

Changed in apt (Ubuntu Zesty):
status: New → In Progress
Changed in apt (Ubuntu Yakkety):
status: New → In Progress
Changed in apt (Ubuntu Xenial):
status: New → In Progress
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted apt into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.2.24 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt (Ubuntu Yakkety):
status: In Progress → Won't Fix
Changed in apt (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Adam Conrad (adconrad) wrote :

Hello Julian, or anyone else affected,

Accepted apt into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/1.4.6~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in apt (Ubuntu Zesty):
status: In Progress → Fix Committed
Dimitri John Ledkov (xnox) wrote :

Using:
ii apt 1.2.24 amd64 commandline package manager

And executing:
(1) apt-get build-dep -s ./segv.dsc should succeed instead of crash
(2) apt-get build-dep -s ./failure.dsc should complain about "Depends: a-non-existing-package but it is not installable" instead of succeeding.

I correctly get success for positive test case (1) and an error for the negative test case (2).

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Dimitri John Ledkov (xnox) wrote :

Using:
ii apt 1.4.6~17.04.1 amd64

# apt-get build-dep -s ./segv.dsc
Note, using file './segv.dsc' to get the build dependencies
Reading package lists... Done
Building dependency tree
Reading state information... Done
Segmentation fault (core dumped)

So zesty build is b0rked?

tags: added: verification-failed-zesty
Julian Andres Klode (juliank) wrote :

I'd say you forgot to upgrade libapt-pkg5.0 - the test is run in CI and autopkgtest too, so it's highly unlikely to not work.

Dimitri John Ledkov (xnox) wrote :

Ah, I did not upgrade libapt-pkg5.0 as I wanted to leave some packages for the auto-upgrader test case.

Upgrading those two:
ii libapt-inst2.0:amd64 1.4.6~17.04.1 amd64 deb package format runtime library
ii libapt-pkg5.0:amd64 1.4.6~17.04.1 amd64 package management runtime library

I now get on zesty, no segfault for case #1 & error message for case #2, as expected.

tags: added: verification-done-zesty
removed: verification-failed-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.2.24

---------------
apt (1.2.24) xenial; urgency=medium

  * Microrelease covering fixes of 1.4.6
  * Fix parsing of or groups in build-deps with ignored packages (LP: #1694697)
  * apt.systemd.daily: Use unattended-ugrade --download-only if available.
    Instead of passing -d, which enables a debugging mode; check if
    unattended-upgrade supports an option --download-only (which is yet
    to be implemented) and use that (Closes: #863859)

apt (1.2.23) xenial; urgency=medium

  * Microrelease covering fixes of 1.4.4

  [ Alan Jenkins ]
  * apt.systemd.daily: fix error from locking code (Closes: #862567)

apt (1.2.22) xenial; urgency=medium

  [ Julian Andres Klode ]
  * Run unattended-upgrade -d in download part
  * apt.systemd.daily: Add locking
  * Split apt-daily timer into two (LP: #1686470)

  [ Matt Kraai ]
  * bash-completion: Fix spelling of autoclean (Closes: #861846)

apt (1.2.21) xenial; urgency=medium

  * Microrelease covering fixes of 1.4 and 1.4.1

  [ Julian Andres Klode ]
  * Ignore \.ucf-[a-z]+$ like we do for \.dpkg-[a-z]+$
  * systemd: Rework timing and add After=network-online (was LP #1615482)

  [ David Kalnischkies ]
  * Fix and avoid quoting in CommandLine::AsString (LP: #1672710)

  [ Unit 193 ]
  * apt-ftparchive: Support '.ddeb' dbgsym packages

 -- Julian Andres Klode <email address hidden> Mon, 19 Jun 2017 13:58:04 +0200

Changed in apt (Ubuntu Xenial):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.4.6~17.04.1

---------------
apt (1.4.6~17.04.1) zesty; urgency=medium

  * apt.systemd.daily: Do not pass -d to unattended-upgrade for the download
  job. This actually enables debugging. Instead check if unattended-upgrade
  supports an option --download-only (which is yet to be implemented) and use
  that (Closes: #863859)

apt (1.4.5) unstable; urgency=medium

  * Fix parsing of or groups in build-deps with ignored packages (LP: #1694697)

apt (1.4.4) unstable; urgency=medium

  [ Alan Jenkins ]
  * apt.systemd.daily: fix error from locking code (Closes: #862567)

apt (1.4.3) unstable; urgency=medium

  [ Julian Andres Klode ]
  * Do not try to (re)start timers outside 'apt' package (Closes: #862001)

  [ Miroslav Kure ]
  * Updated Czech translation of apt (Closes: #861943)

apt (1.4.2) unstable; urgency=medium

  [ Julian Andres Klode ]
  * Run unattended-upgrade -d in download part
  * apt.systemd.daily: Add locking
  * Split apt-daily timer into two (LP: #1686470)

  [ Matt Kraai ]
  * bash-completion: Fix spelling of autoclean (Closes: #861846)

apt (1.4.1) unstable; urgency=medium

  [ Julian Andres Klode ]
  * systemd: Rework timing and add After=network-online (LP: #1615482)
  * debian/rules: Actually invoke dh_clean in override_dh_clean

  [ Unit 193 ]
  * apt-ftparchive: Support '.ddeb' dbgsym packages

 -- Julian Andres Klode <email address hidden> Thu, 01 Jun 2017 10:50:26 +0200

Changed in apt (Ubuntu Zesty):
status: Fix Committed → Fix Released