libpam0g & libpam-modules fail integrity check with debsums

Bug #776030 reported by Todd A. Jacobs
Affects           Status        Importance  Assigned to      Milestone
debsums (Debian)  Fix Released  Unknown
debsums (Ubuntu)  Fix Released  Medium      Stéphane Graber

Bug Description

$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

$ apt-cache policy libpam0g libpam-modules
libpam0g:
  Installed: 1.1.2-2ubuntu8
  Candidate: 1.1.2-2ubuntu8
  Version table:
 *** 1.1.2-2ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
        100 /var/lib/dpkg/status
libpam-modules:
  Installed: 1.1.2-2ubuntu8
  Candidate: 1.1.2-2ubuntu8
  Version table:
 *** 1.1.2-2ubuntu8 0
        500 http://us.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
        100 /var/lib/dpkg/status

The libpam0g and libpam-modules packages fail validation with debsums. The packages are validated as follows:

$ sudo debsums -a libpam0g libpam-modules | fgrep FAILED
/lib/x86_64-linux-gnu/libpam.so.0.82.3 FAILED
/lib/x86_64-linux-gnu/libpam_misc.so.0.82.0 FAILED
/lib/x86_64-linux-gnu/libpamc.so.0.82.1 FAILED
/usr/share/doc/libpam0g/changelog.Debian.gz FAILED
/lib/x86_64-linux-gnu/security/pam_access.so FAILED
/lib/x86_64-linux-gnu/security/pam_debug.so FAILED
/lib/x86_64-linux-gnu/security/pam_deny.so FAILED
/lib/x86_64-linux-gnu/security/pam_echo.so FAILED
/lib/x86_64-linux-gnu/security/pam_env.so FAILED
/lib/x86_64-linux-gnu/security/pam_exec.so FAILED
/lib/x86_64-linux-gnu/security/pam_faildelay.so FAILED
/lib/x86_64-linux-gnu/security/pam_filter.so FAILED
/lib/x86_64-linux-gnu/security/pam_ftp.so FAILED
/lib/x86_64-linux-gnu/security/pam_group.so FAILED
/lib/x86_64-linux-gnu/security/pam_issue.so FAILED
/lib/x86_64-linux-gnu/security/pam_keyinit.so FAILED
/lib/x86_64-linux-gnu/security/pam_lastlog.so FAILED
/lib/x86_64-linux-gnu/security/pam_limits.so FAILED
/lib/x86_64-linux-gnu/security/pam_listfile.so FAILED
/lib/x86_64-linux-gnu/security/pam_localuser.so FAILED
/lib/x86_64-linux-gnu/security/pam_loginuid.so FAILED
/lib/x86_64-linux-gnu/security/pam_mail.so FAILED
/lib/x86_64-linux-gnu/security/pam_mkhomedir.so FAILED
/lib/x86_64-linux-gnu/security/pam_motd.so FAILED
/lib/x86_64-linux-gnu/security/pam_namespace.so FAILED
/lib/x86_64-linux-gnu/security/pam_nologin.so FAILED
/lib/x86_64-linux-gnu/security/pam_permit.so FAILED
/lib/x86_64-linux-gnu/security/pam_pwhistory.so FAILED
/lib/x86_64-linux-gnu/security/pam_rhosts.so FAILED
/lib/x86_64-linux-gnu/security/pam_rootok.so FAILED
/lib/x86_64-linux-gnu/security/pam_securetty.so FAILED
/lib/x86_64-linux-gnu/security/pam_selinux.so FAILED
/lib/x86_64-linux-gnu/security/pam_sepermit.so FAILED
/lib/x86_64-linux-gnu/security/pam_shells.so FAILED
/lib/x86_64-linux-gnu/security/pam_stress.so FAILED
/lib/x86_64-linux-gnu/security/pam_succeed_if.so FAILED
/lib/x86_64-linux-gnu/security/pam_tally.so FAILED
/lib/x86_64-linux-gnu/security/pam_tally2.so FAILED
/lib/x86_64-linux-gnu/security/pam_time.so FAILED
/lib/x86_64-linux-gnu/security/pam_timestamp.so FAILED
/lib/x86_64-linux-gnu/security/pam_umask.so FAILED
/lib/x86_64-linux-gnu/security/pam_unix.so FAILED
/lib/x86_64-linux-gnu/security/pam_userdb.so FAILED
/lib/x86_64-linux-gnu/security/pam_warn.so FAILED
/lib/x86_64-linux-gnu/security/pam_wheel.so FAILED
/lib/x86_64-linux-gnu/security/pam_xauth.so FAILED
/usr/share/doc/libpam-modules/changelog.Debian.gz FAILED

The packages continue to fail validation even after being reinstalled with "sudo aptitude reinstall libpam0g libpam-modules" and rechecked. The likeliest reason for the failure is invalid MD5 sums included in the deb files; because of the critical security nature of these files, ensuring the accuracy of the MD5 sums being shipped with the packages is essential.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: libpam-modules 1.1.2-2ubuntu8
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Mon May 2 17:28:37 2011
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Beta amd64 (20110330)
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: No upgrade log present (probably fresh install)

Marc Deslauriers (mdeslaur) wrote :

I'm getting:

debsums: no md5sums for libpam0g
debsums: no md5sums for libpam-modules

and I have libpam0g:amd64.md5sums and libpam-modules:amd64.md5sums in /var/lib/dpkg/info...

Could this be multiarch related?

visibility: private → public
Changed in pam (Ubuntu):
status: New → Confirmed
Todd A. Jacobs (codegnome) wrote :

It certainly could be. This succeeds:

md5sum -c /var/lib/dpkg/info/libpam0g:amd64.md5sums
md5sum -c /var/lib/dpkg/info/libpam-modules:amd64.md5sums

However, assuming that the md5sums are valid, it still seems like it would be bad policy to have two packages out of thousands that do not verify with debsums. My personal opinion is that the problem should be fixed in the pam packages, but I'm not sure what the relevant policy is.

So, should debsums get a bug for not handling a special edge case, or should the pam packages be modified to work properly with debsums?

Steve Langasek (vorlon) wrote :

This needs to be fixed in debsums, which has to be fixed to use dpkg-query to find the path to the .md5sums metadata instead of walking /var/lib/dpkg/info directly. (It's always been incorrect for debsums to hard-code these paths to the files; now it's incorrect and broken, as a result of multiarch.)

affects: pam (Ubuntu) → debsums (Ubuntu)
Changed in debsums (Ubuntu):
assignee: nobody → Steve Langasek (vorlon)
importance: Undecided → Medium
status: Confirmed → Triaged
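The lookup Steve describes, as an added illustration (not debsums' own code or Stéphane's patch): the md5sums control file is fetched through dpkg-query rather than by guessing a name under /var/lib/dpkg/info, so a multiarch package whose file is stored as libpam0g:amd64.md5sums verifies the same as any other. It assumes a dpkg new enough to provide `dpkg-query --control-show`; the self-check runs on a constructed tree so it needs no dpkg at all.

```shell
#!/bin/sh
# Added example, not part of debsums. Resolve a package's md5sums list via
# dpkg-query instead of hard-coding /var/lib/dpkg/info/<pkg>.md5sums, which
# breaks once multiarch names the file <pkg>:<arch>.md5sums.
# Assumption: dpkg-query supports --control-show (dpkg 1.16.5 or later).
pkg_md5sums() {
    dpkg-query --control-show "$1" md5sums
}

# Verify a dpkg-style md5sums list ("<hash>  <path-without-leading-slash>")
# against files under $1. Prints "/<path> FAILED" in debsums style for every
# missing or altered file; returns 0 when everything matches, 1 otherwise.
verify_md5sums() {
    root=$1; list=$2; rc=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        actual=$(md5sum "$root/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            printf '/%s FAILED\n' "$path"
            rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Usage on a real system: verify_md5sums / "$(pkg_md5sums libpam0g)"

# Self-check on a constructed tree (no dpkg needed): two fake modules verify,
# then one is tampered with and must be reported.
selfcheck() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/security"
    printf 'module A\n' > "$tmp/lib/security/pam_a.so"
    printf 'module B\n' > "$tmp/lib/security/pam_b.so"
    list=$(cd "$tmp" && md5sum lib/security/pam_a.so lib/security/pam_b.so)
    verify_md5sums "$tmp" "$list" >/dev/null || { rm -rf "$tmp"; return 1; }
    printf 'tampered\n' > "$tmp/lib/security/pam_b.so"
    verify_md5sums "$tmp" "$list" >/dev/null && { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    return 0
}
```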
Stéphane Graber (stgraber) wrote :

I just wrote and submitted a patch to the Debian BTS to stop using the hardcoded md5sums path in debsums.

I also attach it here. I think we can wait a bit to see if this gets in Debian quickly and if not, then apply it in Ubuntu to fix this bug.

Changed in debsums (Debian):
status: Unknown → New
Steve Langasek (vorlon) wrote :

Patch looks sane to me, giving this back to you for upload :-)

Changed in debsums (Ubuntu):
assignee: Steve Langasek (vorlon) → Stéphane Graber (stgraber)
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debsums - 2.0.48+nmu3ubuntu1

---------------
debsums (2.0.48+nmu3ubuntu1) oneiric; urgency=low

  * Patch debsums to use dpkg-query to get md5sums location (LP: #776030)
 -- Stephane Graber <email address hidden> Tue, 28 Jun 2011 12:06:26 +0100

Changed in debsums (Ubuntu):
status: Triaged → Fix Released
Anders Kaseorg (andersk) wrote :

This caused an outrageous 40000% performance regression in the debsums apt hook (/etc/apt/apt.conf.d/90debsums), such that now it takes several minutes to install anything with apt.

Before:
$ sudo time /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives
0.35user 0.02system 0:00.48elapsed 75%CPU (0avgtext+0avgdata 45360maxresident)k
160inputs+896outputs (0major+37865minor)pagefaults 0swaps

After:
$ sudo time /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives
148.48user 17.81system 2:57.33elapsed 93%CPU (0avgtext+0avgdata 45904maxresident)k
0inputs+0outputs (0major+9347058minor)pagefaults 0swaps

Changed in debsums (Debian):
status: New → Fix Committed
Changed in debsums (Debian):
status: Fix Committed → Fix Released
This report contains Public Security information  