Bug 19552

Summary: Wget segfault while trying to continue a download and partial file get truncated
Product: Mageia Reporter: Raphael Gertz <mageia>
Component: RPM PackagesAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: fundawang, luigiwalser, marja11, matteo.pasotti, pterjan, security, thierry.vignaud, zen25000
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: wget-1.18-2.mga6.src.rpm CVE:
Status comment:
Attachments: History of package install

Description Raphael Gertz 2016-10-08 13:01:52 CEST 
Description of problem:
Wget segfault when trying to continue a file.

Version-Release number of selected component (if applicable):
wget-1.18-2.mga6

How reproducible:
Always

[rapsys@akasha partial]$ sudo wget http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm   
--2016-10-08 12:49:32--  http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm
Résolution de distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)⦠134.157.176.20
Connexion à distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)|134.157.176.20|:80⦠connecté.
requête HTTP transmise, en attente de la réponse⦠200 OK
Taille : 51961062 (50M) [text/plain]
Sauvegarde en : « chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm »

chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm                           2%[===>                                                                                                                                                                                                       ]   1,11M   218KB/s    eta 4m 12s ^C
[rapsys@akasha partial]$ ll
-rw-r--r-- 1 root root 1175443 oct.   8 12:49 chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm
[rapsys@akasha partial]$ sudo gdb wget 
GNU gdb (GDB) 7.11.1-12.mga6 (Mageia release 6)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from wget...Reading symbols from /usr/lib/debug/usr/bin/wget.debug...done.
done.
(gdb) set args -c http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm
(gdb) run
Starting program: /usr/bin/wget -c http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
--2016-10-08 12:51:12--  http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm
Résolution de distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)⦠134.157.176.20
Connexion à distrib-coffee.ipsl.jussieu.fr (distrib-coffee.ipsl.jussieu.fr)|134.157.176.20|:80⦠connecté.
requête HTTP transmise, en attente de la réponse⦠206 Partial Content
Taille : 51961062 (50M), 50785619 (48M) restant [text/plain]
Sauvegarde en : « chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm »

chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm                             2%[++++                                                                                                                                                                                                       ]   1,12M  --.-KB/s               
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6cdd72a in __GI__IO_fwrite (buf=buf@entry=0x67d670, size=size@entry=1, count=count@entry=1054, fp=0x677d90) at iofwrite.c:41
41        _IO_acquire_lock (fp);
Missing separate debuginfos, use: debuginfo-install lib64idn11-1.33-1.mga6.x86_64 lib64nss-mdns2-0.10-16.mga6.x86_64 lib64openssl1.0.0-1.0.2j-1.mga6.x86_64 lib64pcre1-8.39-1.mga6.x86_64 lib64zlib1-1.2.8-10.mga6.x86_64
(gdb) bt
#0  0x00007ffff6cdd72a in __GI__IO_fwrite (buf=buf@entry=0x67d670, size=size@entry=1, count=count@entry=1054, fp=0x677d90) at iofwrite.c:41
#1  0x0000000000429ba6 in write_data (written=<synthetic pointer>, skip=<synthetic pointer>, bufsize=1054, 
    buf=0x67d670 "\373\067\363\037\215\252\025\356\354\275\323\365\206>=\n\335\343\032\f\032v\250\211n\352\352\256\320\n\026r\230AD\277\244\377\321\312\322\026\016ݺ\022G\177p\361\332\344\313z(\177S\371\r\261\260\330\312È\337\026d\250B\371\344.\250\036\254\351\340v\245\322A\310o\245l\274\340Nzt)\005\270\352\317\b:\213\242\362\242\035'\017\r\204yÖª5y>H\365\245GG\346,.\243EÍR\300\254p\313v\246T@Åf\207\240\200\315s\335\345B\202\347\334}B=\201\343!\350\060\271\230>\303\360\t1\344\346\302\205\070`+\205L\374MH\347U\337\n\243\021\264\225\036\\\317\330oe\275\t\023Zb\341R\274c\367J"..., out2=0x0, out=0x677d90) at retr.c:168
#2  fd_read_body (downloaded_filename=<optimized out>, fd=fd@entry=3, out=out@entry=0x677d90, toread=50785619, startpos=<optimized out>, qtyread=qtyread@entry=0x7fffffffdf70, qtywritten=0x7fffffffdf20, elapsed=0x7fffffffdf78, flags=1, out2=0x0) at retr.c:386
#3  0x000000000041a410 in read_response_body (hs=hs@entry=0x7fffffffdf20, sock=sock@entry=3, fp=fp@entry=0x677d90, contlen=contlen@entry=50785619, contrange=contrange@entry=1175443, chunked_transfer_encoding=chunked_transfer_encoding@entry=false, 
    url=0x6775b0 "http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm", warc_timestamp_str=0x7fffffffdb70 "\001", warc_request_uuid=0x7fffffffdbb0 "`%\002\367\377\177", warc_ip=0x0, type=0x67d110 "text/plain", 
    statcode=206, head=0x67cde0 "HTTP/1.1 206 Partial Content\r\nDate: Sat, 08 Oct 2016 10:51:12 GMT\r\nServer: Apache/2.2.14 (Mandriva Linux/PREFORK-1.6mdv2010.0)\r\nLast-Modified: Fri, 30 Sep 2016 07:15:53 GMT\r\nETag: \"27d808df-318dce6-53"...) at http.c:1685
#4  0x000000000041fc47 in gethttp (u=u@entry=0x677150, hs=hs@entry=0x7fffffffdf20, dt=dt@entry=0x7fffffffe270, proxy=proxy@entry=0x0, iri=iri@entry=0x6774c0, count=count@entry=1) at http.c:3773
#5  0x000000000042018d in http_loop (u=u@entry=0x677150, original_url=original_url@entry=0x677150, newloc=newloc@entry=0x7fffffffe190, local_file=local_file@entry=0x7fffffffe198, referer=referer@entry=0x0, dt=dt@entry=0x7fffffffe270, proxy=0x0, iri=0x6774c0) at http.c:3991
#6  0x000000000042a66a in retrieve_url (orig_parsed=orig_parsed@entry=0x677150, origurl=origurl@entry=0x6771e0 "http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/x86_64/media/core/release/chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm", file=file@entry=0x7fffffffe278, 
    newloc=newloc@entry=0x7fffffffe280, refurl=refurl@entry=0x0, dt=dt@entry=0x7fffffffe270, recursive=false, iri=0x6774c0, register_status=true) at retr.c:817
#7  0x0000000000406eb2 in main (argc=<optimized out>, argv=<optimized out>) at main.c:1964
(gdb) quit
A debugging session is active.

        Inferior 1 [process 662] will be killed.

Quit anyway? (y or n) y
[rapsys@akasha partial]$ ll
total 0
-rw-r--r-- 1 root root 0 oct.   8 12:51 chromium-browser-stable-53.0.2785.143-1.mga6.x86_64.rpm
[rapsys@akasha partial]$ 
[rapsys@akasha partial]$ df -h .
Sys. de fichiers Taille Utilisé Dispo Uti% Monté sur
/dev/sda3          100G     78G   22G  79% /
[rapsys@akasha partial]$ mount | grep ' / '
/dev/sda3 on / type btrfs (rw,relatime,ssd,space_cache,subvolid=5,subvol=/)

Steps to Reproduce:
1. Download a big file: wget url
2. Make it stop halfway somewhere: Ctrl+c
3. Try to continue download: wget -c url
4. Crash: by itself :p
Comment 1 Raphael Gertz 2016-10-08 13:02:59 CEST 
This seems related to recent glibc update, it was working before.
(but I don't know where to find old version so I can't revert to try)
Comment 2 Raphael Gertz 2016-10-08 13:28:32 CEST 
Barjac (on irc) made me try a rebuilded version, segfaulted too :
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6ad872a in __GI__IO_fwrite (buf=0x67d670, size=1, count=1055, fp=0x677d90) at iofwrite.c:41
41        _IO_acquire_lock (fp);
(gdb) bt
#0  0x00007ffff6ad872a in __GI__IO_fwrite (buf=0x67d670, size=1, count=1055, fp=0x677d90) at iofwrite.c:41
#1  0x0000000000429c86 in fd_read_body ()
#2  0x000000000041a4f0 in read_response_body ()
#3  0x000000000041fd27 in gethttp ()
#4  0x000000000042026d in http_loop ()
#5  0x000000000042a74a in retrieve_url ()
#6  0x0000000000406f92 in main ()
Comment 3 Raphael Gertz 2016-10-08 13:40:48 CEST 
Created attachment 8508 [details]
History of package install
Comment 4 Raphael Gertz 2016-10-08 13:56:08 CEST 
[13:52] <barjac-pi2>    rapsys core dumps with glibc-2.22.20 on system last updated on Sept 18th
[13:53] <barjac-pi2> rapsys, So I guess it's not so recent an issue :(
Comment 5 Barry Jackson 2016-10-08 15:54:29 CEST 
Confirmed this bug in two cauldron x86_64 systems.

Resuming is working correctly in Mageia 5 with:
wget-1.15-5.mga5
glibc-2.20-23.mga5

CC: (none) => zen25000

Comment 6 Barry Jackson 2016-10-08 16:18:01 CEST 
It was the last security patch from opensuse that broke it:

revision 1020975:  rediff patch from opensuse to fix CVE-2016-7098

Building and installing the previous svn revision without the patch fixes this bug.

Adding Luigi in cc.

CC: (none) => luigiwalser

Comment 7 Marja Van Waes 2016-10-09 10:14:21 CEST 
(In reply to Barry Jackson from comment #6)
> It was the last security patch from opensuse that broke it:
> 
> revision 1020975:  rediff patch from opensuse to fix CVE-2016-7098
> 
> Building and installing the previous svn revision without the patch fixes
> this bug.
> 

So we'll still a better patch for CVE-2016-7098  ( http://lwn.net/Vulnerabilities/700395/ ) ..or can is it OK to drop it?

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => fundawang, marja11, matteo.pasotti, pterjan, security, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 8 Marja Van Waes 2016-10-09 10:15:08 CEST 
s/still/need/
Comment 9 Marja Van Waes 2016-10-09 10:15:46 CEST 
and s/can//   ... I'll go have coffee :-(
Comment 10 Pascal Terjan 2016-10-09 13:02:28 CEST 
Patch looks obviously wrong (replacing *fp = fopen with fp = fopen), trying to fix it

-          *fp = fopen (hs->local_file, "ab");
+          if (hs->temporary)
+           fp = fdopen (open (hs->local_file, O_BINARY | O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR), "wb");
+          else
+           fp = fopen (hs->local_file, "wb");
Comment 11 Pascal Terjan 2016-10-09 13:06:27 CEST 
Fixed in wget-1.18-3.mga6
Comment 12 Pascal Terjan 2016-10-09 13:07:30 CEST 
Closing

Status: NEW => RESOLVED
Resolution: (none) => FIXED