Bug 740764

Summary: zypper proxy problem: Could not resolve host
Product: [openSUSE] openSUSE 12.1 Reporter: Giuseppe Roberti <g.roberti>
Component: libzyppAssignee: E-mail List <zypp-maintainers>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: mukul
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp2:47764
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Deadline: 2012-04-26   

Description Giuseppe Roberti 2012-01-11 12:51:25 UTC 
Created attachment 470696 [details]
zypper.log

Hi there.
I'm trying to use zypper to upgrade my fresh OpenSUSE 12.1 installation.
I have configured the proxy using YaST2 and everything works fine but zypper.



I got this error:
linux-x8eg:~ # zypper refresh
Retrieving repository 'PK_TMP_DIR' metadata [done]
Retrieving repository 'Updates for openSUSE 12.1 12.1-1.4' metadata [|]
Download (curl) error for 'http://download.opensuse.org/update/12.1/repodata/repomd.xml':
Error code: Connection failed
Error message: Could not resolve host: download.opensuse.org (Could not contact DNS servers)

Abort, retry, ignore? [a/r/i/?] (a): 



And here the output for curl download.opensuse.org:
linux-x8eg:~ # curl download.opensuse.org
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <title>Index of /</title>
  <link rel="stylesheet" href="http://static.opensuse.org/css/mirrorbrain.css" type="text/css" />
 </head>
 <body>
<h1>Index of /</h1>
<pre><img src="/icons/blank.gif" alt="Icon " /> <a href="?C=N;O=D">Name</a>                    <a href="?C=M;O=A">Last modified</a>      <a href="?C=S;O=A">Size</a>  <hr /><img src="/icons/folder.png" alt="[DIR]" /> <a href="debug/">debug/</a>                  23-Sep-2010 12:21    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="distribution/">distribution/</a>           16-Nov-2011 16:52    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="factory-snapshot/">factory-snapshot/</a>       29-Oct-2009 08:16    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="factory-tested/">factory-tested/</a>         29-Oct-2009 08:16    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="factory/">factory/</a>                18-Oct-2008 11:30    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="projects/">projects/</a>               05-Nov-2010 15:55    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="repositories/">repositories/</a>           20-Dec-2011 18:31    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="source/">source/</a>                 01-Oct-2010 11:26    -   
<img src="/icons/folder.png" alt="[DIR]" /> <a href="update/">update/</a>                 13-Dec-2011 18:25    -   
<hr /></pre>
<address>Apache/2.2.12 (Linux/SUSE) Server at download.opensuse.org Port 80</address>
<br/><address><a href="http://mirrorbrain.org/">MirrorBrain</a> powered by <a href="http://httpd.apache.org/">Apache</a></address>
</body></html>



I have attached zypper.log

Regards
Comment 1 Michael Andres 2012-01-13 17:08:21 UTC 
Does the situation change, if special chars in proxy username and passwd are properly encoded in /etc/sysconfig/proxy?

E.g '@'=>'%40' (http://www.blooberry.com/indexdot/html/topics/urlencoding.htm)
Comment 2 Michael Andres 2012-01-16 11:23:08 UTC 
1.) From the security point of view, /etc/sysconfig/proxy should not contain proxy 'username:password' embedded in the URL, as the file is world-readable.
The YaST proxy module e.g. would move 'username:password' to ~root/curlrc (read only for root).

2.) However, if 'username:password' are embedded in the proxy URL in /etc/sysconfig/proxy (http://user:pass@host:port), any special chars occurring in username:password (e.g. a '@') must be %-escaped.


According to the log it looks like the not escaped '\@' in your proxy-username
causes the error ('\@' escape does not work here, needs to be '%40').

Preferred solution would be of course using the yast proxy module to define the
proxy settings.



3.) But there is also a bug in libzypps way of  handling a correctly escaped 'username:password' in a /etc/sysconfig/proxy URL. libzypp will pass the embeded credentials to libcurl, and at the same time try to pass matching credentials found in ~/.curlrc too. This might confuse curl.

This is fixed in libzyp-10.3.6. Embedded credentials will be preferred, .curlrc will be considered only if URL has no credentials embedded.
Comment 3 Michael Andres 2012-01-31 15:11:13 UTC 
*** Bug 731909 has been marked as a duplicate of this bug. ***
Comment 4 Swamp Workflow Management 2012-03-29 10:30:53 UTC 
The SWAMPID for this issue is 46449.
This issue was rated as low.
Please submit fixed packages until 2012-04-26.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/46449
Comment 5 Swamp Workflow Management 2012-06-05 16:09:26 UTC 
openSUSE-RU-2012:0696-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 679322,710269,716972,719690,740764,749418
CVE References: 
Sources used:
openSUSE 11.4 (src):    libqdialogsolver1-1.3.0-11.2, libsatsolver-0.16.3-28.1, libzypp-8.13.5-15.1, libzypp-bindings-0.5.9-9.1, libzypp-testsuite-tools-4.2.11-9.1, zypper-1.5.9-12.1
Comment 6 Swamp Workflow Management 2012-07-04 01:01:01 UTC 
Update released for: libzypp, libzypp-debuginfo, libzypp-debugsource, libzypp-devel, zypper, zypper-debuginfo, zypper-debugsource, zypper-log
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)