Bug 663403

Summary: unescaped '&', '<', '>' in updateinfo.xml and failing yum-security plugin
Product: Red Hat Satellite 5
Component: Server
Version: 540
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Reporter: Martin Poole <mpoole>
Assignee: Tomas Lestach <tlestach>
QA Contact: Šimon Lukašík <slukasik>
CC: alexsa, bnater, brunowolff, cperry, gbock, james.antill, jhutar, slukasik, syeghiay, tlestach, uwe.menges, xdmoon, ysm-si
Keywords: Regression
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
Cause: updateinfo.xml not escaped
Consequence: client yum failed, when updateinfo.xml contains (unescaped) '&', '<', '>'
Fix: updateinfo.info gets correctly escaped
Result: client yum doesn't fail
Clone Of: 462374
Last Closed: 2011-03-17 14:10:47 UTC
Bug Depends On: 470142
Bug Blocks: 646488
Attachments: spacewalk-java-1.2.39-fix-updateinfoxml.patch (flags: none)

Comment 1 Martin Poole 2010-12-15 17:29:10 UTC
This is a regression of the fixes applied to all other V5.x satellite; looks like something wasn't applied to HEAD.

Comment 2 Martin Poole 2010-12-15 17:32:28 UTC
Current fail is being triggered by incorrect encoding of subject of BZ481706

 "SELinux is preventing automount (automount_t) "signal" to <Unknown> (mount_t)."

Comment 3 James Antill 2010-12-15 19:12:02 UTC
Could this be what is triggering: bug 663378 ?

Comment 6 James Antill 2010-12-17 06:02:42 UTC
*** Bug 663786 has been marked as a duplicate of this bug. ***

Comment 7 YS 2010-12-17 15:09:06 UTC
If I close the pirut pop-up window (having the error traceback) and by hand apply "yum update" under root - this works. But the next day pirut produces the same error. Any idea how to make pirut working again?

Comment 8 James Antill 2010-12-17 15:59:24 UTC
YS, pirut needs a working updateinfo; yum doesn't (unless you specify --security or use update-minimal).

Comment 9 YS 2010-12-17 16:25:27 UTC
If I close the pirut pop-up window (having the error traceback) and by hand apply "yum update" under root - this works. But the next day pirut produces the same error. Any idea how to make pirut working again?

Comment 10 YS 2010-12-17 16:28:07 UTC
James, so how can I get/tune updateinfo for pirut locally? Does the satellite server need to be updated or another solution?

Comment 11 James Antill 2011-01-03 16:43:05 UTC
*** Bug 666073 has been marked as a duplicate of this bug. ***

Comment 12 James Antill 2011-01-03 16:47:23 UTC
YS, satellite needs to be fixed to generate good updateinfo ... there isn't much that you can easily do from the client (it might be possible to do a plugin which made yum think there was no updateinfo).

Comment 17 James Antill 2011-01-06 15:12:31 UTC
*** Bug 660303 has been marked as a duplicate of this bug. ***

Comment 19 Xixi 2011-01-07 21:34:32 UTC
Created attachment 472301 [details]
spacewalk-java-1.2.39-fix-updateinfoxml.patch

In the meantime customer submitted a proposed fix for java code (thanks!) which looks sane to me...

Comment 20 Tomas Lestach 2011-01-10 16:27:42 UTC
We agreed we do not want to use the patch attached in Comment#19.

Fixing the issue by using XMLSerializer for the UpdateInfoWriter.
spacewalk.git: 27348921f2fa804d578038a38e56e39ad5c9ea8a

Comment 24 Greg Bock 2011-01-10 23:16:56 UTC
Patch from comment #19 was only intended as a temporary workaround. Changes from spacewalk.git: 27348921f2fa804d578038a38e56e39ad5c9ea8a appear to be working fine.

Comment 26 Xixi 2011-02-07 20:51:22 UTC
Sample traceback for this bug looks like the following:

[root@dep ~]# yum list-security
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 349, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/lib/yum-plugins/security.py", line 203, in doCommand
    md_info = ysp_gen_metadata(self.repos.listEnabled())
  File "/usr/lib/yum-plugins/security.py", line 76, in ysp_gen_metadata
    md_info.add(repo)
  File "/usr/lib/python2.4/site-packages/yum/update_md.py", line 376, in add
    for event, elem in iterparse(infile):
  File "<string>", line 64, in __iter__
SyntaxError: mismatched tag: line 240, column 1388

Comment 32 Tomas Lestach 2011-02-14 15:16:59 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
updateinfo.xml not escaped

Consequence
client yum failed, when updateinfo.xml contains (unescaped)  '&', '<', '>'

Fix
updateinfo.info gets correctly escaped

Result
client yum doesn't fail

Comment 33 Šimon Lukašík 2011-02-28 07:55:07 UTC
Taking QA contact.

Comment 35 Šimon Lukašík 2011-03-02 14:48:20 UTC
Changing to VERIFIED:

Testing procedure:
Automated test.

Verified against:
spacewalk-java-1.2.39-37

Comment 37 errata-xmlrpc 2011-03-17 14:10:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0362.html

Comment 38 brunowolff 2011-06-01 21:39:39 UTC
Guys,

I updated my satellite server but my rhel5 clients continue to fail when I run yum list-security, as reported in comment #26.

My satellite is satellite-embedded-oracle-5.4.0 on RHEL 5.5 

uname -r
2.6.18-238.12.1.el5

rpm -qa | grep spacewalk-java
spacewalk-java-lib-1.2.39-45.el5sat
spacewalk-java-config-1.2.39-45.el5sat
spacewalk-java-1.2.39-45.el5sat
spacewalk-java-oracle-1.2.39-45.el5sa

Thanks for any help

Comment 39 Šimon Lukašík 2011-06-02 06:25:46 UTC
Bruno, 

I cannot see the problem on my setup. Could you please remove the affected
updateinfo file? And then wait for Satellite to regenerate a fresh one?

The updateinfo.xml is located on the client in:

    /var/cache/yum/<channel>/updateinfo.xml.gz

On the Satellite it is located in:

    /var/cache/rhn/repodata/<channel>/updateinfo.xml.gz

If the problem persists even with a freshly generated updateinfo, please open
a new ticket with a detailed description, or consult with support.

Thank You.
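
Added example, not part of the original bug thread and not Spacewalk or yum code: a Python 3 sketch that reproduces the "mismatched tag" failure from comment 26 using the erratum title quoted in comment 2, and checks a gzipped updateinfo.xml for well-formedness with the same iterparse approach the client uses. The document skeleton, the `EXAMPLE-0001` id, the `satellite@example.invalid` address and all function names are constructed for illustration.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Title quoted in comment 2 of this bug; the surrounding document is constructed.
TITLE = 'SELinux is preventing automount (automount_t) "signal" to <Unknown> (mount_t).'

def render_updateinfo(title, escape_text):
    """Build a minimal updateinfo document by string templating (constructed sample)."""
    text = escape(title) if escape_text else title  # escape() handles &, < and >
    xml = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           '<updates>\n'
           '  <update from="satellite@example.invalid" type="bugfix">\n'
           '    <id>EXAMPLE-0001</id>\n'
           '    <title>%s</title>\n'
           '  </update>\n'
           '</updates>\n') % text
    return gzip.compress(xml.encode("utf-8"))

def check_updateinfo(blob):
    """Return None if the document is well-formed, else (line, column, message)."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic: accept .xml.gz or plain .xml
        blob = gzip.decompress(blob)
    try:
        for _event, elem in ET.iterparse(io.BytesIO(blob)):
            elem.clear()                  # keep memory flat on large metadata files
    except ET.ParseError as err:          # ParseError is a SyntaxError subclass
        line, col = err.position
        return (line, col, str(err))
    return None

def titles(blob):
    """Return the decoded <title> texts of a well-formed gzipped document."""
    return [e.text for e in ET.fromstring(gzip.decompress(blob)).iter("title")]

if __name__ == "__main__":
    import sys
    # Usage: pass one or more updateinfo.xml.gz paths, e.g. from the cache
    # directories named in comment 39.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_updateinfo(fh.read()) or "well-formed")
```

The reported line and column point at the first place the parser gives up, which is usually just after the unescaped character rather than on it.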

Comment 40 brunowolff 2011-06-02 21:58:44 UTC
Simon, just so you know... After recreating the updateinfo file on my satellite server and my rhel client, the message changed:

Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 349, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/lib/yum-plugins/security.py", line 203, in doCommand
    md_info = ysp_gen_metadata(self.repos.listEnabled())
  File "/usr/lib/yum-plugins/security.py", line 76, in ysp_gen_metadata
    md_info.add(repo)
  File "/usr/lib/python2.4/site-packages/yum/update_md.py", line 424, in add
    for event, elem in iterparse(infile):
  File "<string>", line 64, in __iter__
SyntaxError: not well-formed (invalid token): line 98, column 28

As you advised me, I'm going to open a new ticket. 

Thanks a lot.

Comment 41 Jan Pazdziora 2012-03-22 15:49:13 UTC
*** Bug 695699 has been marked as a duplicate of this bug. ***