Bug 663403 - unescaped '&', '<', '>' in updateinfo.xml and failing yum-security plugin
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 540
Hardware: All Linux
Priority: urgent, Severity: high
Assigned To: Tomas Lestach
QA Contact: Šimon Lukašík
Keywords: Regression
Duplicates: 660303 663786 666073 695699
Depends On: 470142
Blocks: sat54-errata

Reported: 2010-12-15 12:25 EST by Martin Poole
Modified: 2014-01-21 01:20 EST
Doc Type: Bug Fix
Doc Text:
Cause: updateinfo.xml not escaped
Consequence: client yum failed, when updateinfo.xml contains (unescaped) '&', '<', '>'
Fix: updateinfo.info gets correctly escaped
Result: client yum doesn't fail
Clone Of: 462374
Last Closed: 2011-03-17 10:10:47 EDT

Attachments
spacewalk-java-1.2.39-fix-updateinfoxml.patch (1.99 KB, patch)
2011-01-07 16:34 EST, Xixi
Comment 1 Martin Poole 2010-12-15 12:29:10 EST
This is a regression of the fixes applied to all other V5.x satellite, looks like something wasn't applied to HEAD.
Comment 2 Martin Poole 2010-12-15 12:32:28 EST
Current fail is being triggered by incorrect encoding of subject of BZ481706

 "SELinux is preventing automount (automount_t) "signal" to <Unknown> (mount_t)."
Comment 3 James Antill 2010-12-15 14:12:02 EST
Could this be what is triggering: bug 663378 ?
Comment 6 James Antill 2010-12-17 01:02:42 EST
*** Bug 663786 has been marked as a duplicate of this bug. ***
Comment 7 YS 2010-12-17 10:09:06 EST
If I close the pirut pop-up window (having the error traceback) and by hand apply "yum update" under root - this works. But the next day pirut produces the same error. Any idea how to make pirut work again?
Comment 8 James Antill 2010-12-17 10:59:24 EST
YS, pirut needs a working updateinfo; yum doesn't (unless you specify --security or use update-minimal).
Comment 9 YS 2010-12-17 11:25:27 EST
If I close the pirut pop-up window (having the error traceback) and by hand apply "yum update" under root - this works. But the next day pirut produces the same error. Any idea how to make pirut work again?
Comment 10 YS 2010-12-17 11:28:07 EST
James, so how can I get/tune updateinfo for pirut locally? Does the satellite server need to be updated or another solution?
Comment 11 James Antill 2011-01-03 11:43:05 EST
*** Bug 666073 has been marked as a duplicate of this bug. ***
Comment 12 James Antill 2011-01-03 11:47:23 EST
YS, satellite needs to be fixed to generate good updateinfo ... there isn't much that you can easily do from the client (it might be possible to do a plugin which made yum think there was no updateinfo).
Comment 17 James Antill 2011-01-06 10:12:31 EST
*** Bug 660303 has been marked as a duplicate of this bug. ***
Comment 19 Xixi 2011-01-07 16:34:32 EST
Created attachment 472301
spacewalk-java-1.2.39-fix-updateinfoxml.patch

In the meantime customer submitted a proposed fix for java code (thanks!) which looks sane to me...
Comment 20 Tomas Lestach 2011-01-10 11:27:42 EST
We agreed we do not want to use the patch attached in Comment#19.

Fixing the issue by using XMLSerializer for the UpdateInfoWriter.
spacewalk.git: 27348921f2fa804d578038a38e56e39ad5c9ea8a
Comment 24 Greg Bock 2011-01-10 18:16:56 EST
Patch from comment #19 was only intended as a temporary workaround. Changes from spacewalk.git: 27348921f2fa804d578038a38e56e39ad5c9ea8a appear to be working fine.
Comment 26 Xixi 2011-02-07 15:51:22 EST
Sample traceback for this bug looks like the following:

[root@dep ~]# yum list-security
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 349, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/lib/yum-plugins/security.py", line 203, in doCommand
    md_info = ysp_gen_metadata(self.repos.listEnabled())
  File "/usr/lib/yum-plugins/security.py", line 76, in ysp_gen_metadata
    md_info.add(repo)
  File "/usr/lib/python2.4/site-packages/yum/update_md.py", line 376, in add
    for event, elem in iterparse(infile):
  File "<string>", line 64, in __iter__
SyntaxError: mismatched tag: line 240, column 1388
Comment 32 Tomas Lestach 2011-02-14 10:16:59 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
updateinfo.xml not escaped

Consequence
client yum failed, when updateinfo.xml contains (unescaped)  '&', '<', '>'

Fix
updateinfo.info gets correctly escaped

Result
client yum doesn't fail
Comment 33 Šimon Lukašík 2011-02-28 02:55:07 EST
Taking QA contact.
Comment 35 Šimon Lukašík 2011-03-02 09:48:20 EST
Changing to VERIFIED:

Testing procedure:
Automated test.

Verified against:
spacewalk-java-1.2.39-37
Comment 37 errata-xmlrpc 2011-03-17 10:10:47 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0362.html
Comment 38 brunowolff 2011-06-01 17:39:39 EDT
Guys,

I updated my satellite server but my rhel5 clients continue to fail when I run yum list-security, as reported in comment #26.

My satellite is satellite-embedded-oracle-5.4.0 on RHEL 5.5 

uname -r
2.6.18-238.12.1.el5

rpm -qa | grep spacewalk-java
spacewalk-java-lib-1.2.39-45.el5sat
spacewalk-java-config-1.2.39-45.el5sat
spacewalk-java-1.2.39-45.el5sat
spacewalk-java-oracle-1.2.39-45.el5sa

Thanks for any help
Comment 39 Šimon Lukašík 2011-06-02 02:25:46 EDT
Bruno, 

I cannot see the problem on my setup. Could you please remove affected
updateinfo file? And then wait for Satellite to regenerate a fresh one?

The updateinfo.xml is located on the client in:

    /var/cache/yum/<channel>/updateinfo.xml.gz

On the Satellite it is located in:

    /var/cache/rhn/repodata/<channel>/updateinfo.xml.gz

If the problem persists even with a freshly generated updateinfo, please open
a new ticket with a detailed description, or consult with support.

Thank You.
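
As an added example (not from this thread, and not Spacewalk or yum code), the following Python reproduces the parser failure from comment 26 with the erratum title quoted in comment 2, and checks a cached updateinfo.xml.gz such as the ones named in comment 39 for well-formedness. The document layout, the placeholder erratum id and the function names are assumptions made for illustration; `xml.sax.saxutils.escape` stands in for the Java-side fix.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the erratum title quoted in comment 2.
TITLE = 'SELinux is preventing automount (automount_t) "signal" to <Unknown> (mount_t).'
# Assumption: simplified updateinfo-style layout with a placeholder erratum id.
TEMPLATE = ('<updates><update type="bugfix"><id>RHBA-0000:0000</id>'
            '<title>%s</title></update></updates>')


def render_naive(title):
    """Embed the title by plain string formatting, with no escaping (the bug)."""
    return TEMPLATE % title


def render_escaped(title):
    """Embed the title after escaping '&', '<' and '>' as character data."""
    return TEMPLATE % escape(title)


def first_xml_error(data):
    """Return None if `data` (bytes) is well-formed XML, else (line, column, message)."""
    try:
        # Same parsing style as the client traceback: stream with iterparse.
        for _event, elem in ET.iterparse(io.BytesIO(data)):
            elem.clear()  # keep memory flat on large metadata files
    except ET.ParseError as exc:
        line, column = exc.position
        return line, column, str(exc)
    return None


def check_updateinfo_gz(path):
    """Decompress a cached updateinfo.xml.gz and report its first XML error, if any."""
    with gzip.open(path, "rb") as fh:
        return first_xml_error(fh.read())


if __name__ == "__main__":
    print("naive:  ", first_xml_error(render_naive(TITLE).encode("utf-8")))
    print("escaped:", first_xml_error(render_escaped(TITLE).encode("utf-8")))
```

Running `check_updateinfo_gz` against the server-side copy before clients fetch it gives the line and column of the first malformed token without involving yum.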
Comment 40 brunowolff 2011-06-02 17:58:44 EDT
Simon, just so you know... After recreating the updateinfo file on my satellite server and my rhel client, the message changed:

Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 178, in main
    result, resultmsgs = base.doCommands()
  File "/usr/share/yum-cli/cli.py", line 349, in doCommands
    return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
  File "/usr/lib/yum-plugins/security.py", line 203, in doCommand
    md_info = ysp_gen_metadata(self.repos.listEnabled())
  File "/usr/lib/yum-plugins/security.py", line 76, in ysp_gen_metadata
    md_info.add(repo)
  File "/usr/lib/python2.4/site-packages/yum/update_md.py", line 424, in add
    for event, elem in iterparse(infile):
  File "<string>", line 64, in __iter__
SyntaxError: not well-formed (invalid token): line 98, column 28

As you advised me, I'm going to open a new ticket. 

Thanks a lot.
Comment 41 Jan Pazdziora 2012-03-22 11:49:13 EDT
*** Bug 695699 has been marked as a duplicate of this bug. ***
