[Aptitude-devel] Bug#792601: aptitude: newline in user tags breaks pkgstates file
Badalisc
badalisc7 at thewayofunix.org
Thu Jul 16 14:39:07 UTC 2015
Package: aptitude
Version: 0.6.11-1+b1
Severity: normal
Dear Maintainer,
I know that whitespaces other than space itself are very unlikely to be
used in user tags, but aptitude silently accepts any of them even though
they are not handled correctly.
With newlines you can do a little injection:
# aptitude search '^coreutils$'
i coreutils - GNU core utilities
# aptitude add-user-tag $'\nState:3' coreutils
# aptitude search '^coreutils$'
id coreutils - GNU core utilities
(now it is marked for removal)
Or you can make aptitude unusable:
# aptitude add-user-tag $'foo bar\n' coreutils
# aptitude install bash
[ ERR] Reading extended state information
[ ERR] Initializing package states
[ ERR] Initializing package states
E: Unterminated '"' in the user-tags list of the package coreutils.
[ ERR] Reading extended state information
[ ERR] Initializing package states
[ ERR] Initializing package states
E: Unterminated '"' in the user-tags list of the package coreutils.
Also, other whitespaces like tab are treated differently from normal spaces:
# aptitude add-user-tag 'foo bar' coreutils
(adds the single tag 'foo bar')
# aptitude remove-user-tag 'foo bar' coreutils
(removes it)
# aptitude add-user-tag $'foo\tbar' coreutils
(adds two tags, 'foo' and 'bar')
# aptitude remove-user-tag $'foo\hbar' coreutils
(no effect)
# aptitude remove-user-tag bar coreutils
(now only 'foo' is left)
Given pkgstates' email header-like format and the csv-like format for
the subfields, perhaps the sensible solution for the newline problem
would be to just forbid newline in tags.
About the other problem, I noticed that tags not containing at least one
space (x20), double quote or backslash are never written in quoted form,
but if they contain other whitespaces they probably should.
(an empty string as a tag name is also accepted and written unquoted
which has no effect)
-- Package-specific info:
Terminal: xterm
$DISPLAY not set.
which aptitude: /usr/bin/aptitude
aptitude version information:
aptitude 0.6.11 compiled at Nov 8 2014 13:34:39
Compiler: g++ 4.9.1
Compiled against:
apt version 4.12.0
NCurses version 5.9
libsigc++ version: 2.4.0
Gtk+ support disabled.
Qt support disabled.
Current library versions:
NCurses version: ncurses 5.9.20140913
cwidget version: 0.5.17
Apt version: 4.12.0
aptitude linkage:
linux-vdso.so.1 (0x00007ffe5afd8000)
libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12
(0x00007f2b6b1c4000)
libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5
(0x00007f2b6af8e000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f2b6ad64000)
libsigc-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0
(0x00007f2b6ab5e000)
libcwidget.so.3 => /usr/lib/x86_64-linux-gnu/libcwidget.so.3
(0x00007f2b6a848000)
libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
(0x00007f2b6a57f000)
libboost_iostreams.so.1.55.0 =>
/usr/lib/x86_64-linux-gnu/libboost_iostreams.so.1.55.0 (0x00007f2b6a367000)
libxapian.so.22 => /usr/lib/libxapian.so.22 (0x00007f2b69f56000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f2b69d39000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6
(0x00007f2b69a2e000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2b6972d000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2b69517000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b6916e000)
libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f2b68f6b000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2b68d67000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2b68b4c000)
libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f2b6893c000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b68719000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f2b68511000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f2b6830c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2b6bb86000)
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages aptitude depends on:
ii aptitude-common 0.6.11-1
ii libapt-pkg4.12 1.0.9.8
ii libboost-iostreams1.55.0 1.55.0+dfsg-3
ii libc6 2.19-18
ii libcwidget3 0.5.17-2
ii libgcc1 1:4.9.2-10
ii libncursesw5 5.9+20140913-1+b1
ii libsigc++-2.0-0c2a 2.4.0-1
ii libsqlite3-0 3.8.7.1-1+deb8u1
ii libstdc++6 4.9.2-10
ii libtinfo5 5.9+20140913-1+b1
ii libxapian22 1.2.19-1
Versions of packages aptitude recommends:
pn aptitude-doc-en | aptitude-doc <none>
pn libparse-debianchangelog-perl <none>
ii sensible-utils 0.0.9
Versions of packages aptitude suggests:
pn apt-xapian-index <none>
pn debtags <none>
ii tasksel 3.31+deb8u1
-- no debconf information
More information about the Aptitude-devel
mailing list