Bug 1093927
| Summary: | Mirrors contain broken thunderbird.i686 0:24.5.0-1.fc19 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Claude Frantz <Claude.Frantz> |
| Component: | thunderbird | Assignee: | Martin Stransky <stransky> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | adav84, amreg.redhat, andrew, bougler, customercare, fdor6, gecko-bugs-nobody, idonaldson0, stransky, vernonjvs |
| Target Milestone: | --- | Flags: | fdor6:
needinfo?
|
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-05-05 09:57:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Claude Frantz
2014-05-03 11:57:10 UTC
same here: Abhängigkeiten aufgelöst ======================================================================================================================== Package Arch Version Paketquelle Größe ======================================================================================================================== Aktualisieren: thunderbird i686 24.5.0-1.fc19 updates 15 M Transaktionsübersicht ======================================================================================================================== Aktualisieren 1 Paket Gesamte Downloadgröße: 15 M Is this ok [y/d/N]: y Downloading packages: thunderbird-24.5.0-1.fc19.i686.rpm | 15 MB 00:00:25 Running transaction check Running transaction test Transaction test succeeded Running transaction Aktualisieren : thunderbird-24.5.0-1.fc19.i686 1/2 Error unpacking rpm package thunderbird-24.5.0-1.fc19.i686 error: unpacking of archive failed on file /usr/lib/thunderbird/langpacks/langpack-si.org.xpi;53650cc3: cpio: read Überprüfung läuft: thunderbird-24.5.0-1.fc19.i686 1/2 thunderbird-24.4.0-1.fc19.i686 was supposed to be removed but is not! Überprüfung läuft: thunderbird-24.4.0-1.fc19.i686 2/2 Fehlgeschlagen: thunderbird.i686 0:24.4.0-1.fc19 thunderbird.i686 0:24.5.0-1.fc19 Same here as well. Unfortunately, this bug renders thunderbird unusable $ thunderbird (process:6267): GLib-CRITICAL **: g_slice_set_config: assertion `sys_page_size == 0' failed Error: Platform version '24.4.0' is not compatible with minVersion >= 24.5.0 maxVersion <= 24.5.0 > error: unpacking of archive failed on
> file /usr/lib/thunderbird/langpacks/langpack-
> si.org.xpi;53650cc3: cpio: read
A corrupted package has been pushed to the mirrors:
$ rpm -Kv thunderbird-24.5.0-1.fc19.i686.rpm
thunderbird-24.5.0-1.fc19.i686.rpm:
Header V3 RSA/SHA256 Signature, key ID fb4b18e6: NOKEY
Header SHA1 digest: OK (dde21ed383e5eca5d85cad68ec3e189d3dcfd80d)
V3 RSA/SHA256 Signature, key ID fb4b18e6: BAD
MD5 digest: BAD Expected(db58f29a674c9ac24d39cd7247c481a4) != (8b50ee8e3ba29c5434cb9204a804da41)
Same here. Big question is why yum/rpm did not check the MD5 status before trying to install ? I ended up with a non working thunderbird ... I had to find an old thunderbird-24.4.0-1.fc19.i686.rpm in a yum cache so I could get my previous version of thunderbird working again. Are the old package updates available somewhere so we can go back in these sort of cases ? Question #1: I think Comment 4 has got the key point: If MD5 is incorrect, why is the package installed? The installer should detect the bad MD5, and refuse to install it. Question #2: If the file is corrupt, why the public/private key security system doesn't detect it? Question #3: Is the corrupted file an attack? Has the file been modified to cause damage and/or to stole data and/or to control/spy the updated machines? (In reply to Terry Barnaby from comment #4) > Same here. > Big question is why yum/rpm did not check the MD5 status before trying to > install ? I ended up with a non working thunderbird ... > I had to find an old thunderbird-24.4.0-1.fc19.i686.rpm in a yum cache so I > could get my previous version of thunderbird working again. Could you put thunderbird-24.4.0-1.fc19.i686.rpm somewhere and explain the steps you used to get thunderbird working again? Thanks > Are the old > package updates available somewhere so we can go back in these sort of cases > ? I put the one I used at: http://www.beam.org.uk/files/share/thunderbird-24.4.0-1.fc19.i686.rpm I would have thought these old update packages would be available on a backup repository somewhere ? To install all I did (from the directory where thunderbird-24.4.0-1.fc19.i686.rpm is): rpm -e thunderbird yum install thunderbird-24.4.0-1.fc19.i686.rpm ("yum remove thunderbird"; probably would have been better than "rpm -e thunderbird") For subsequent updates I am using: "yum update --exclude=thunderbird" For Comment 7 : The official list of built packages for thunderbird seems to be at: http://koji.fedoraproject.org/koji/packageinfo?packageID=39 Click on link "thunderbird-24.4.0-1.fc19" and then, at the "RPM > i686" section, click on "download", which is the following link: http://kojipkgs.fedoraproject.org//packages/thunderbird/24.4.0/1.fc19/i686/thunderbird-24.4.0-1.fc19.i686.rpm To install the downloaded file: yum remove thunderbird yum install /your_path_to_the_file/thunderbird-24.4.0-1.fc19.i686.rpm And, as Comment 8 has explained, use "--exclude=thunderbird" option when updating with yum (at least until fedora releases a new working version). Thanks very much Terry and Fdor! I too wonder what's the point of having MD5 checksums and transaction "verifying" if yum simply writes over the intact files and also whether this could be an attack or something. The problem is with Fedora mirror infrastructure. If you download the package directly from koji (http://koji.fedoraproject.org/koji/buildinfo?buildID=513840) the MD5 check-sum is correct: $ rpm -Kv thunderbird-24.5.0-1.fc19.i686.rpm thunderbird-24.5.0-1.fc19.i686.rpm: Header SHA1 digest: OK (dde21ed383e5eca5d85cad68ec3e189d3dcfd80d) MD5 digest: OK (db58f29a674c9ac24d39cd7247c481a4) You can install the package directly from koji by: #rpm -Uhv http://kojipkgs.fedoraproject.org//packages/thunderbird/24.5.0/1.fc19/i686/thunderbird-24.5.0-1.fc19.i686.rpm IT has to be resolved by Fedora rel-eng team, not by developers. Please follow rel-eng ticket at https://fedorahosted.org/rel-eng/ticket/5898 *** Bug 1094028 has been marked as a duplicate of this bug. *** *** Bug 1094430 has been marked as a duplicate of this bug. *** Still waiting for answers to the questions posted at Comment 6 . More specifically: - Why yum didn't detect the bad MD5? - Why the public/private key system didn't detect the corrupted file? - Was the corrupted file an attack? What were the effects of the partially installed file? I have looked at https://fedorahosted.org/rel-eng/ticket/5898 and see no answers. I have looked at https://bugzilla.redhat.com/show_bug.cgi?id=1094846 and see no answers. Has it been investigated? Is it being investigated? Is it going to be investigated? |