[Aptitude-devel] Bug#792601: aptitude: newline in user tags breaks pkgstates file

Badalisc badalisc7 at thewayofunix.org
Thu Jul 16 14:39:07 UTC 2015 

Package: aptitude
Version: 0.6.11-1+b1
Severity: normal

Dear Maintainer,

I know that whitespaces other than space itself are very unlikely to be 
used in user tags, but aptitude silently accepts any of them even though 
they are not handled correctly.

With newlines you can do a little injection:

# aptitude search '^coreutils$'
i   coreutils                       - GNU core utilities
# aptitude add-user-tag $'\nState:3' coreutils
# aptitude search '^coreutils$'
id  coreutils                       - GNU core utilities
     (now it is marked for removal)

Or you can make aptitude unusable:

# aptitude add-user-tag $'foo bar\n' coreutils
# aptitude install bash
[ ERR] Reading extended state information
[ ERR] Initializing package states
[ ERR] Initializing package states
E: Unterminated '"' in the user-tags list of the package coreutils.
[ ERR] Reading extended state information
[ ERR] Initializing package states
[ ERR] Initializing package states
E: Unterminated '"' in the user-tags list of the package coreutils.

Also, other whitespaces like tab are treated differently from normal spaces:

# aptitude add-user-tag 'foo bar' coreutils
     (adds the single tag 'foo bar')
# aptitude remove-user-tag 'foo bar' coreutils
     (removes it)

# aptitude add-user-tag $'foo\tbar' coreutils
     (adds two tags, 'foo' and 'bar')
# aptitude remove-user-tag $'foo\hbar' coreutils
     (no effect)
# aptitude remove-user-tag bar coreutils
     (now only 'foo' is left)

Given pkgstates' email header-like format and the csv-like format for 
the subfields, perhaps the sensible solution for the newline problem 
would be to just forbid newline in tags.

About the other problem, I noticed that tags not containing at least one 
space (x20), double quote or backslash are never written in quoted form, 
but if they contain other whitespaces they probably should.
(an empty string as a tag name is also accepted and written unquoted 
which has no effect)

-- Package-specific info:
Terminal: xterm
$DISPLAY not set.
which aptitude: /usr/bin/aptitude

aptitude version information:
aptitude 0.6.11 compiled at Nov  8 2014 13:34:39
Compiler: g++ 4.9.1
Compiled against:
   apt version 4.12.0
   NCurses version 5.9
   libsigc++ version: 2.4.0
   Gtk+ support disabled.
   Qt support disabled.

Current library versions:
   NCurses version: ncurses 5.9.20140913
   cwidget version: 0.5.17
   Apt version: 4.12.0

aptitude linkage:
	linux-vdso.so.1 (0x00007ffe5afd8000)
	libapt-pkg.so.4.12 => /usr/lib/x86_64-linux-gnu/libapt-pkg.so.4.12 
(0x00007f2b6b1c4000)
	libncursesw.so.5 => /lib/x86_64-linux-gnu/libncursesw.so.5 
(0x00007f2b6af8e000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f2b6ad64000)
	libsigc-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libsigc-2.0.so.0 
(0x00007f2b6ab5e000)
	libcwidget.so.3 => /usr/lib/x86_64-linux-gnu/libcwidget.so.3 
(0x00007f2b6a848000)
	libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 
(0x00007f2b6a57f000)
	libboost_iostreams.so.1.55.0 => 
/usr/lib/x86_64-linux-gnu/libboost_iostreams.so.1.55.0 (0x00007f2b6a367000)
	libxapian.so.22 => /usr/lib/libxapian.so.22 (0x00007f2b69f56000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 
(0x00007f2b69d39000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 
(0x00007f2b69a2e000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2b6972d000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2b69517000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b6916e000)
	libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f2b68f6b000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2b68d67000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f2b68b4c000)
	libbz2.so.1.0 => /lib/x86_64-linux-gnu/libbz2.so.1.0 (0x00007f2b6893c000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2b68719000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f2b68511000)
	libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f2b6830c000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2b6bb86000)

-- System Information:
Debian Release: 8.1
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages aptitude depends on:
ii  aptitude-common           0.6.11-1
ii  libapt-pkg4.12            1.0.9.8
ii  libboost-iostreams1.55.0  1.55.0+dfsg-3
ii  libc6                     2.19-18
ii  libcwidget3               0.5.17-2
ii  libgcc1                   1:4.9.2-10
ii  libncursesw5              5.9+20140913-1+b1
ii  libsigc++-2.0-0c2a        2.4.0-1
ii  libsqlite3-0              3.8.7.1-1+deb8u1
ii  libstdc++6                4.9.2-10
ii  libtinfo5                 5.9+20140913-1+b1
ii  libxapian22               1.2.19-1

Versions of packages aptitude recommends:
pn  aptitude-doc-en | aptitude-doc  <none>
pn  libparse-debianchangelog-perl   <none>
ii  sensible-utils                  0.0.9

Versions of packages aptitude suggests:
pn  apt-xapian-index  <none>
pn  debtags           <none>
ii  tasksel           3.31+deb8u1

-- no debconf information

More information about the Aptitude-devel mailing list