Ubuntu
whoopsie package

use the size of the data when determining the server response

Bug #1914481 reported by Brian Murray
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
whoopsie (Ubuntu)
Fix Released
Medium
Brian Murray
Focal
Fix Released
Medium
Brian Murray
Groovy
Fix Released
Medium
Brian Murray
Hirsute
Fix Released
Medium
Brian Murray

Bug Description

[Note]
This SRU has been built in a security-only PPA and should be released to both -updates and -security.

[Impact]
whoopsie's server_response code is using "g_string_append" instead of "g_string_append_len" which has the knock on effect of sending too much data to its "handle_response". This ends up being a problem if the daisy servers are running on Ubuntu 18.04 instead of Ubuntu 16.04.

Here's an example when using whoopsie on groovy to send a crash to a bionic daisy server:

[15:35:30] Sent; server replied with: No error
[15:35:30] Response code: 200
[15:35:30] Initial response data is: 2bbb776e-64e6-11eb-a8d6-00163eddedf4 OOPSID
0

[15:35:30] Got command: OOPSID

We can see a fair number of extra characters (\n0\n\n) after the OOSID command. This becomes more problematic when daisy requests a core dump from the client as the CORE command won't match and the client will never send the core dump.

[Test Case]
Setup a Bionic version of the Error Tracker:
0) modify /etc/hosts so daisy.staging.ubuntu.com points to the IP of the apache server for daisy
1) sudo service stop whoopsie
2) sudo CRASH_DB_URL=https://daisy.staging.ubuntu.com whoopsie -f
3) Run test/submit-crash test-crashes/hirsute/amd64/_bin_cat.2001.crash
4) check the whoopsie log file for "Got command: OOPSID" and extra data.

With the version of whoopsie from -proposed this will not happen. Additionally, a regression test should be run against the staging version of the error tracker by removing the entry from /etc/hosts for the daisy.staging server. After confirming that one test crash works one should also send a python crash, and an end of life release crash as those all generate different response codes from the server.

[Regression Potential]
The code being changed is clearly wrong and doesn't confirm to the curl API https://curl.se/libcurl/c/CURLOPT_WRITEFUNCTION.html. Additionallly, this is similar to the code before r707 of daisy which introduced this change so there is little chance of regression. That being said we are running a regression test to ensure whoopsie works with servers running Ubuntu 16.04.

See original description

Related branches

lp:whoopsie
Revision history for this message
Brian Murray (brian-murray) wrote :

This is the result of the following merge:

https://bazaar.launchpad.net/~daisy-pluckers/whoopsie/trunk/revision/707

So affects Ubuntu 20.04 LTS and later releases.

Changed in whoopsie (Ubuntu Hirsute):
assignee: nobody → Brian Murray (brian-murray)
status: New → Triaged
importance: Undecided → Medium
tags: added: fr-1101
summary: - stop assuming curl's data is null-terminated
+ use the size of the data when determing the server response
Revision history for this message
Launchpad Janitor (janitor) wrote : Re: use the size of the data when determing the server response

This bug was fixed in the package whoopsie - 0.2.75

---------------
whoopsie (0.2.75) hirsute; urgency=medium

  * src/whoopsie.c: modify server_response() so that it does not incorrectly
    assume that data is null-terminated and actually use the size of the data.
    (LP: #1914481)

 -- Brian Murray <email address hidden> Wed, 03 Feb 2021 15:46:59 -0800

Changed in whoopsie (Ubuntu Hirsute):
status: Triaged → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

For fixing this via an SRU for focal and groovy, the Ubuntu Security team is okay with the result of this going to the security pocket, assuming the update is built in a ppa where only security updates are enabled.

Thanks!

Brian Murray (brian-murray)
description: updated
Brian Murray (brian-murray)
description: updated
summary: - use the size of the data when determing the server response
+ use the size of the data when determining the server response
Brian Murray (brian-murray)
Changed in whoopsie (Ubuntu Groovy):
assignee: nobody → Brian Murray (brian-murray)
Changed in whoopsie (Ubuntu Focal):
assignee: nobody → Brian Murray (brian-murray)
Changed in whoopsie (Ubuntu Groovy):
status: New → In Progress
Changed in whoopsie (Ubuntu Focal):
status: New → In Progress
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Brian, or anyone else affected,

Accepted whoopsie into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/whoopsie/0.2.72.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in whoopsie (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Brian, or anyone else affected,

Accepted whoopsie into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/whoopsie/0.2.69ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in whoopsie (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
description: updated
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (whoopsie/0.2.72.2)

All autopkgtests for the newly accepted whoopsie (0.2.72.2) for groovy have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.20.11-0ubuntu50.5 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/groovy/update_excuses.html#whoopsie

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Brian Murray (brian-murray) wrote :

Focal recreation of the failure:

root@clean-focal-amd64:~# test/submit-crash test-crashes/hirsute/amd64/_usr_bin_apport-cli.2001.crash
Submitting test-crashes/hirsute/amd64/_usr_bin_apport-cli.2001.crash ...
NULL, Ubuntu 21.04, /usr/bin/apport-cli
root@clean-focal-amd64:~# apt-cache policy whoopsie
whoopsie:
  Installed: 0.2.69ubuntu0.2
...
[11:04:01] Parsing /var/crash/_usr_bin_apport-cli.2001.crash.
[11:04:01] Uploading /var/crash/_usr_bin_apport-cli.2001.crash.
[11:04:01] Sent; server replied with: No error
[11:04:01] Response code: 200
[11:04:01] Got command: OOPSID
0

Verification of the fix:
root@clean-focal-amd64:~# apt-cache policy whoopsie
whoopsie:
  Installed: 0.2.69ubuntu0.3
root@clean-focal-amd64:~# test/submit-crash test-crashes/hirsute/amd64/_usr_bin_apport-cli.2001.crash
Submitting test-crashes/hirsute/amd64/_usr_bin_apport-cli.2001.crash ...
e603db9e-6b09-11eb-aff9-00163ed65bda, Ubuntu 21.04, /usr/bin/apport-cli
[11:06:22] Parsing /var/crash/_usr_bin_apport-cli.2001.crash.
[11:06:22] Uploading /var/crash/_usr_bin_apport-cli.2001.crash.
[11:06:22] Sent; server replied with: No error
[11:06:22] Response code: 200
[11:06:22] Reported OOPS ID e603db9e-6b09-11eb-aff9-00163ed65bda

Additional test using production error tracker:
bdmurray@clean-focal-amd64:~$ sudo CRASH_DB_URL=https://daisy.ubuntu.com whoopsie -f
[11:07:37] Using lock path: /var/lock/whoopsie/lock
[11:07:37] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:07:37] Not a paid data plan: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:07:37] Found usable connection: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:07:41] Parsing /var/crash/_usr_bin_apport-cli.2001.crash.
[11:07:41] Uploading /var/crash/_usr_bin_apport-cli.2001.crash.
[11:07:55] Sent; server replied with: No error
[11:07:55] Response code: 200
[11:07:55] Reported OOPS ID 1b83dec2-6b0a-11eb-8f66-fa163e6cac46

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Brian Murray (brian-murray) wrote :

Groovy recreation of the issue:

 $ apt-cache policy whoopsie
whoopsie:
  Installed: 0.2.72.1
root@clean-groovy-amd64:~# sudo CRASH_DB_URL=https://daisy.staging.ubuntu.com whoopsie -f
[11:18:23] Using lock path: /var/lock/whoopsie/lock
[11:18:23] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:18:23] Not a paid data plan: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:18:23] Found usable connection: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:18:23] Parsing /var/crash/_bin_cat.2001.crash.
[11:18:23] Uploading /var/crash/_bin_cat.2001.crash.
[11:18:24] Sent; server replied with: No error
[11:18:24] Response code: 200
[11:18:24] Got command: CORE
0

---
Verification of the fix:
root@clean-groovy-amd64:~# apt-cache policy whoopsie
whoopsie:
  Installed: 0.2.72.2
[11:23:08] Parsing /var/crash/_bin_cat.2001.crash.
[11:23:08] Uploading /var/crash/_bin_cat.2001.crash.
[11:23:08] Sent; server replied with: No error
[11:23:08] Response code: 200
[11:23:08] Reported OOPS ID 3ddb1a5e-6b0c-11eb-aff9-00163ed65bda
[11:23:13] Sent; server replied with: No error
[11:23:13] Response code: 200

Testing that it still works with production:
root@clean-groovy-amd64:~# sudo CRASH_DB_URL=https://daisy.ubuntu.com whoopsie -f
[11:23:55] Using lock path: /var/lock/whoopsie/lock
[11:23:55] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:23:55] Not a paid data plan: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:23:55] Found usable connection: /org/freedesktop/NetworkManager/ActiveConnection/1
[11:23:59] Parsing /var/crash/_bin_cat.2001.crash.
[11:23:59] Uploading /var/crash/_bin_cat.2001.crash.
[11:24:10] Sent; server replied with: No error
[11:24:10] Response code: 200
[11:24:10] Reported OOPS ID 6252751c-6b0c-11eb-98c2-fa163e983629
[11:24:13] Sent; server replied with: No error
[11:24:13] Response code: 200

tags: added: verification-done verification-done-groovy
removed: verification-needed verification-needed-groovy
Mathew Hodson (mhodson)
Changed in whoopsie (Ubuntu Focal):
importance: Undecided → Medium
Changed in whoopsie (Ubuntu Groovy):
importance: Undecided → Medium
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for whoopsie has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.72.2

---------------
whoopsie (0.2.72.2) groovy; urgency=medium

  * src/whoopsie.c: modify server_response() so that it does not incorrectly
    assume that data is null-terminated and actually use the size of the data.
    (LP: #1914481)

 -- Brian Murray <email address hidden> Thu, 04 Feb 2021 18:30:37 -0800

Changed in whoopsie (Ubuntu Groovy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package whoopsie - 0.2.69ubuntu0.3

---------------
whoopsie (0.2.69ubuntu0.3) focal; urgency=medium

  * src/whoopsie.c: modify server_response() so that it does not incorrectly
    assume that data is null-terminated and actually use the size of the data.
    (LP: #1914481)

 -- Brian Murray <email address hidden> Thu, 04 Feb 2021 18:37:17 -0800

Changed in whoopsie (Ubuntu Focal):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.