Debian Bug report logs - #930072
dctrl-tools: join-dctrl segfaults

Reply or subscribe to this bug.

Display info messages

Message #5 received at [email protected] (full text, mbox, reply):

From: Guillem Jover <[email protected]>

To: [email protected]

Subject: dctrl-tools: join-dctrl segfaults

Date: Thu, 6 Jun 2019 16:04:39 +0200

[Message part 1 (text/plain, inline)]

Package: dctrl-tools
Version: 2.24-3
Severity: serious

Hi!

The join-dctrl command segfaults with the attached files.

  ,---
  $ join-dctrl Packages-A Packages-B
  Segmentation fault (core dumped)
  `---

Thanks,
Guillem

[Packages-A (text/plain, attachment)]

[Packages-B (text/plain, attachment)]

Message #10 received at [email protected] (full text, mbox, reply):

From: Peter Pentchev <[email protected]>

To: Guillem Jover <[email protected]>

Cc: [email protected]

Subject: Re: dctrl-tools: join-dctrl segfaults

Date: Wed, 12 Jun 2019 23:35:44 +0300

[Message part 1 (text/plain, inline)]

On Thu, Jun 06, 2019 at 04:04:39PM +0200, Guillem Jover wrote:
> Package: dctrl-tools
> Version: 2.24-3
> Severity: serious
> 
> Hi!
> 
> The join-dctrl command segfaults with the attached files.
> 
>   ,---
>   $ join-dctrl Packages-A Packages-B
>   Segmentation fault (core dumped)

Hi,

From what I think I see, I believe that this is less wrong behavior
and more lack of error detection and proper error messages.
The manual page states that some field joining options must be
specified - some combination of -j, -1, and -2. A command like:

  join-dctrl -j Package Packages-A Packages-B

...produces some output for the aaa package that is common to
both files. I tried playing with -1 and -2, but I couldn't quite
find a combination that would produce a result and not segfault.

So I believe that the real bug here is lack of input checking and
not completely clear error messages (invoking join-dctrl as
"join-dctrl -1 Packages -2 Packages Packages-A Packages-B"
produces a somewhat cryptic "the join field of the second file has
already been specified" error message). I could try to look at
the code some more and try my hand at input sanitization in
the next couple of days.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} [email protected]
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13

[signature.asc (application/pgp-signature, inline)]

Message #15 received at [email protected] (full text, mbox, reply):

From: Rhonda D'Vine <[email protected]>

To: Peter Pentchev <[email protected]>, [email protected], Guillem Jover <[email protected]>

Cc: [email protected]

Subject: Re: Bug#930072: dctrl-tools: join-dctrl segfaults

Date: Fri, 14 Jun 2019 12:17:27 +0200

severity 930072 important
thanks

   Hi,

On 6/12/19 10:35 PM, Peter Pentchev wrote:
> On Thu, Jun 06, 2019 at 04:04:39PM +0200, Guillem Jover wrote:
>> Package: dctrl-tools
>> Version: 2.24-3
>> Severity: serious
>>
>> Hi!
>>
>> The join-dctrl command segfaults with the attached files.
>>
>>   ,---
>>   $ join-dctrl Packages-A Packages-B
>>   Segmentation fault (core dumped)
> 
> Hi,
> 
> From what I think I see, I believe that this is less wrong behavior
> and more lack of error detection and proper error messages.
> The manual page states that some field joining options must be
> specified - some combination of -j, -1, and -2. A command like:

 I have to agree with Peter here.  While I don't disagree with that it
is a bug that needs to get addressed, it doesn't fall under the category
of release-critical because the manpage states that a join field must be
specified.

 So long,
Rhonda

Message #22 received at [email protected] (full text, mbox, reply):

From: Guillem Jover <[email protected]>

To: Rhonda D'Vine <[email protected]>

Cc: Peter Pentchev <[email protected]>, [email protected]

Subject: Re: Bug#930072: dctrl-tools: join-dctrl segfaults

Date: Fri, 14 Jun 2019 14:45:48 +0200

Hi!

On Fri, 2019-06-14 at 12:17:27 +0200, Rhonda D'Vine wrote:
> severity 930072 important
> thanks

> On 6/12/19 10:35 PM, Peter Pentchev wrote:
> > On Thu, Jun 06, 2019 at 04:04:39PM +0200, Guillem Jover wrote:
> >> Package: dctrl-tools
> >> Version: 2.24-3
> >> Severity: serious

> >> The join-dctrl command segfaults with the attached files.
> >>
> >>   ,---
> >>   $ join-dctrl Packages-A Packages-B
> >>   Segmentation fault (core dumped)

> > From what I think I see, I believe that this is less wrong behavior
> > and more lack of error detection and proper error messages.
> > The manual page states that some field joining options must be
> > specified - some combination of -j, -1, and -2. A command like:
> 
>  I have to agree with Peter here.  While I don't disagree with that it
> is a bug that needs to get addressed, it doesn't fall under the category
> of release-critical because the manpage states that a join field must be
> specified.

Right, sorry, I think I tried with -1, -2 but the segfaults threw me
away. So, it also states that -1 and -2 can be used instead of -j, and
each of these segfault when used standalone, or just do not work
(depending on the order!) at all when used together:

  ,---
  $ join-dctrl -1Package Packages-A Packages-B
  Segmentation fault (core dumped)
  $ $ join-dctrl -2Package Packages-A Packages-B
  Segmentation fault (core dumped)
  $ join-dctrl -1Package -2Package Packages-A Packages-B
  join-dctrl: the join field of the second file has already been specified.
  $ join-dctrl -2Package -1Package Packages-A Packages-B
  Package: aaa
  Version: 1.0
  Package: aaa
  Version: 1.1
  `---

So, it only works when -2 goes before -1. It all feels at least
extremely user unfriendly, and a bit serious to me TBH. :) But I'm not
a regular user of this command, just thought I needed it for some task,
but that ended up not being the case. :) But I think I'd probably given
up anyway and write something using libdpkg-perl, given the hurdles.

Thanks,
Guillem

Send a report that this bug log contains spam.