openSUSE / libsolv

Library for solving packages and reading repositories
http://en.opensuse.org/openSUSE:Libzypp_satsolver

Malformed repodata don't produce meaningful error messages #413

Open lukash opened 3 years ago

lukash commented 3 years ago

Original report: https://bugzilla.redhat.com/show_bug.cgi?id=1862204

Malformed repository: https://drive.google.com/file/d/1YHWJhhFFQPYfJ_bSEauF2Adzo040uKeL/view?usp=sharing

The repository, when loaded with dnf, doesn't raise an error when loaded the first time, but fails to load the second time. Arguably dnf just eats the error messages from libsolv and its messages are bad as well, but according to the debugging the reporter has done (I haven't tried to get to the exact libsolv error myself), libsolv doesn't properly report the malformed xml errors either.

The issue with the repodata is it's missing the outer xml tags, e.g. other.xml - malformed repo:

```xml
<package nevra="kernel-core-0:5.3.7-301.fc31.x86_64" type="rpm">
  <version epoch="0" ver="5.3.7" rel="301.fc31"/>
</package>
```

Valid other.xml for the repo:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<otherdata xmlns="http://linux.duke.edu/metadata/other" packages="1">
<package pkgid="f0509e333636e5c34726c8a2b8260bf88fe0a35b95cae6dda62191fee1be4c6a" name="kernel-core" arch="x86_64">
  <version epoch="0" ver="5.3.7" rel="301.fc31"/>
  <changelog author="Justin M. Forbes &lt;jforbes@fedoraproject.org&gt;" date="1570104000">- Fix CVE-2019-17052 CVE-2019-17053 CVE-2019-17054 CVE-2019-17055 CVE-2019-17056
  (rhbz 1758239 1758240 1758242 1758243 1758245 1758246 1758248 1758249 1758256 1758257)</changelog>
  <!-- ... changelog entries omitted for brevity -->
</package>
</otherdata>
```

lukash commented 3 years ago

I should also note the repo appeared to load fine on the first dnf run and failed to load on the subsequent ones. Details are in the bugzilla. I've also tried the repomdxml2solv tool, but it's giving me some binary garbage on the output and exits with 0, seems to be quirky. I'm not having much time for this but hopefully it's enough for you to have a look.

kontura commented 3 years ago

Just a quick note. I think you have to pipe the output of repomdxml2solv to dumpsolv to get readable output. It seems to work fine for me even with the snippet without outer xml tags.

lukash commented 3 years ago

@kontura thanks, I've missed that. Yeah thinking about it the issue isn't likely that straightforward, but there must be another problem with the repodata causing this. As a side note, libsolv shouldn't be working with broken xml contents outright, as ultimately it can lead to all kinds of cryptic errors.
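
A pre-load sanity check for other.xml, added here as an example (not code from libsolv, dnf or any commenter in this thread). The malformed snippet in the report is well-formed XML with a single `<package>` root, so a generic parser accepts it; only a check of the root element and namespace produces a specific message. The function name and the set of required attributes (taken from the valid sample above) are assumptions.

```python
import xml.etree.ElementTree as ET

OTHER_NS = "http://linux.duke.edu/metadata/other"  # namespace of the valid file above

# Constructed samples modelled on the two snippets in the issue.
MALFORMED = b'''<package nevra="kernel-core-0:5.3.7-301.fc31.x86_64" type="rpm">
  <version epoch="0" ver="5.3.7" rel="301.fc31"/>
</package>'''

VALID = b'''<?xml version="1.0" encoding="UTF-8"?>
<otherdata xmlns="http://linux.duke.edu/metadata/other" packages="1">
<package pkgid="f0509e333636e5c34726c8a2b8260bf88fe0a35b95cae6dda62191fee1be4c6a" name="kernel-core" arch="x86_64">
  <version epoch="0" ver="5.3.7" rel="301.fc31"/>
</package>
</otherdata>'''


def check_other_xml(data):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Truncated or syntactically broken input: report the parser's position info.
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{OTHER_NS}}}otherdata":
        # Well-formed, but the outer wrapper is missing or wrong (the case in the report).
        return [f'root element is <{root.tag}>, expected <otherdata xmlns="{OTHER_NS}">']
    problems = []
    pkgs = root.findall(f"{{{OTHER_NS}}}package")
    declared = root.get("packages")
    if declared is None or not declared.isdigit():
        problems.append(f"packages attribute missing or not a number: {declared!r}")
    elif int(declared) != len(pkgs):
        problems.append(f"packages={declared} but {len(pkgs)} <package> elements found")
    for i, pkg in enumerate(pkgs, 1):
        # Assumed required attributes, taken from the valid sample.
        missing = [a for a in ("pkgid", "name", "arch") if not pkg.get(a)]
        if missing:
            problems.append(f"package #{i} lacks attribute(s): {', '.join(missing)}")
    return problems


if __name__ == "__main__":
    for label, blob in (("valid", VALID), ("malformed", MALFORMED)):
        print(label, "->", check_other_xml(blob) or "ok")
```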