[Bug 346386] Re: [MASTER] Update fails with invalid package files with "Encountered a section with no Package: header"

Julian Andres Klode juliank at ubuntu.com
Thu Jul 7 13:50:12 UTC 2011


There are no security implications here. A malicious transparent proxy
can send any data it wants, but it cannot send any signed repository
data. So if the proxy were to send malicious package information, the
packages would not be marked as trusted and the user would be warned
about it. If a proxy is sending invalid files, those files are rejected
at some stage in the process.  In short, no security problems for APT.

If other programs try to parse APT-internal files themselves, they may
have problems, but such use of the files is in no way supported and the
contents of /var/lib/apt/lists are implementation-internal files, not
meant for public use. I am not aware of any programs having problems
with this.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/346386

Title:
  [MASTER] Update fails with invalid package files with "Encountered a
  section with no Package: header"

Status in “apt” package in Ubuntu:
  Fix Released
Status in “apt” source package in Natty:
  Fix Released
Status in “apt” package in Debian:
  Fix Released

Bug description:
  Binary package hint: adept-updater

  Pertinent data printed when attempting to run Updater as follows:

  An unresolvable problem occurred while initializing the package
  information.

  Please report this bug against the 'update-manager' package and
  include the following error message:

  'E:Encountered a section with no Package: header, E:Problem with
  MergeList /var/lib/apt/lists/us.archive.ubuntu.com_ubuntu_dists_intrepid_universe_binary-amd64_Packages,
  E:The package lists or status file could not be parsed or opened.'

  WORKAROUND:
  Remove problematic files from /var/lib/apt/lists/ and rerun apt-get update.

  In the event that one is connected to a network with a proxy server
  that returns HTML pages (like a web page requesting you to log in) and
  not package list files, those HTML files will get downloaded to
  /var/lib/apt/lists/ and prevent someone from using a package manager
  until the problem HTML pages are removed.

  TEST CASE:
  1) Ensure /etc/apt/sources.list points to archive.ubuntu.com
  2) Set up a proxy server to block access to archive.ubuntu.com and return something like http://people.canonical.com/~brian/tmp/not-packages.html
  3) Execute 'sudo apt-get update' in a terminal
  4) Observe the following:
  'E: Encountered a section with no Package: header
   E: Problem with MergeList /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_natty_main_binary-amd64_Packages
   E: The package lists or status file could not be parsed or opened.'
  5) Try 'apt-cache policy apt' and be sad that it doesn't work
  6) Run 'sudo rm /var/lib/apt/lists/*Packages' to clear the error.

  With the proposed package installed repeat steps 1 to 3.
  4) Observe the following:
  'Get:1 http://archive.ubuntu.com oneiric InRelease [189 B]
  Ign http://archive.ubuntu.com oneiric InRelease
  E: GPG error: http://archive.ubuntu.com oneiric InRelease: The following signatures were invalid: NODATA 1 NODATA 2'
  5) Try 'apt-cache policy apt' and be happy that it works
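
A read-only check for the failure in the bug description above, added here as an example and not part of the original message or of APT: it lists `*_Packages` files whose first non-blank line is not a `Field: value` header, which is how a proxy's HTML login page shows up in the lists directory. The function names and the first-line heuristic are assumptions; APT treats these files as internal, so this only helps pick which files to remove before rerunning `apt-get update`.

```shell
#!/bin/sh
# Added example (not APT code): report list files that look like a proxy's
# HTML page rather than a package index. Read-only; nothing is deleted.

# Succeeds if FILE is empty or its first non-blank line is a "Field: value"
# header, as in a Packages stanza. Heuristic assumption, not APT's parser.
looks_like_index() {
    first=$(awk 'NF { print; exit }' "$1" 2>/dev/null)
    [ -z "$first" ] && return 0
    printf '%s\n' "$first" |
        grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]*:([[:space:]]|$)'
}

# Prints the path of every *_Packages file in DIR that fails the check.
# DIR defaults to the lists directory named in the bug report.
find_suspect_lists() {
    dir=${1:-/var/lib/apt/lists}
    for f in "$dir"/*_Packages; do
        [ -f "$f" ] || continue
        looks_like_index "$f" || printf '%s\n' "$f"
    done
}

# Demonstration on constructed sample files (not real APT state): one
# plausible index stanza and one captive-portal style HTML page.
demo() {
    tmp=$(mktemp -d)
    printf 'Package: apt\nVersion: 0.0\n\n' > "$tmp/good_Packages"
    printf '<html><body>Please log in</body></html>\n' > "$tmp/portal_Packages"
    find_suspect_lists "$tmp"   # prints only the portal_Packages path
    rm -rf "$tmp"
}

demo
```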
