Regression: Latest apt security update returns Hash Sum mismatch for file: URI:s

Note that this also fixes a segfault due to a broken FileFD::ReadOnlyGzip in this particular apt version.

Had this problem, too, and was analysing since two days for the root of the problem.

I applied the patch for trusty, built the package and the HashSum Mismatch messages were gone. I will do deeper tests tomorrow.

Thanks for the patch.

Status changed to 'Confirmed' because the bug affects multiple users.

Thanks a lot Stefan (comment #4) for confirming that the patch works and I'm very sorry for this regression.

I created a PPA with the fix. It can be added via:
$ sudo apt-add-repository ppa:mvo/lp1371058

It contains packages for apt with the debdiff attached here applied. So if you are running into this issue you
can install the fix right away. There will be a regular update with the fix available soon too.

Hi Michael,

- Updated apt from ppa mvo/lp1371058
- Did a new 14.04 64bit installation with our repository and with apt 1.0.1ubuntu2.4~ppa1
- Installation succeeded
- apt-get update && apt-get dist-upgrade succeeded, too

Thanks!

Hi,

Tried the lucid and precise packages from the ppa:

1. Copied the packages from the ppa to our local mirror
2. Cleaned /var/lib/apt/lists and /var/lib/apt/lists/partial
3. ran apt-get update
4. ran apt-get dist-upgrade
5. ran apt-get update

Work on both lucid and precise. On precise I have also tried skipping step 2. and that works too.

Thanks for a quick response and fix! With 1000+ servers that is really appreciated :-)

Thanks for testing these updates, I will be releasing them on tuesday after they have been through our QA process.

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.20.1

---------------
apt (0.8.16~exp12ubuntu10.20.1) precise-security; urgency=low

  * SECURITY UPDATE:
    - fix potential buffer overflow, thanks to the
      Google Security Team (CVE-2014-6273)
  * Fix regression in 0.9.7.9+deb7u3 when file:/// sources
    are used and those are on a different partition than
    the apt state directoryo (LP: #1371058)
  * Revert FileFd::ReadOnlyGzip change
  * Fix regression when Dir::state::lists is set to a relative path
  * Fix regression when cdrom: sources got rewriten by apt-cdrom add
 -- Michael Vogt <email address hidden> Tue, 23 Sep 2014 09:02:26 +0200

This bug was fixed in the package apt - 0.7.25.3ubuntu9.17.1

---------------
apt (0.7.25.3ubuntu9.17.1) lucid-security; urgency=low

  * SECURITY UPDATE:
    - fix potential buffer overflow, thanks to the
      Google Security Team (CVE-2014-6273)
  * Fix regression from the previous upload when file:/// sources
    are used and those are on a different partition than
    the apt state directory (LP: #1371058)
  * Fix regression when Dir::state::lists is set to a relative path
  * Fix regression when cdrom: sources got rewriten by apt-cdrom add
 -- Michael Vogt <email address hidden> Tue, 23 Sep 2014 08:58:49 +0200

This was fixed in apt 1.0.9.1ubuntu1, and thus has been addressed for utopic and vivid, so closing.

Thanks.