Ubuntu
libpam-krb5 package

libpam-krb5 segfaults consistently after upgrade to 12.04

Bug #998525 reported by Matthew Rossmiller
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libpam-krb5 (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

After update, all users of libpam-krb5 (login, gdm, etc) fail with a segfault in pam_krb5.so as logged in syslog below:

May 12 09:36:14 peregrine kernel: [ 125.678116] login[2003]: segfault at 8 ip 006739ad sp bfc09cd0 error 4 in pam_krb5.so[66e000+c000]

downloaded latest git source for libpam-krb5 and confirmed problem appears to exist there as well:

matt@peregrine:~/foo/pam-krb5$ make check
make tests/fakepam/libfakepam.a tests/tap/libtap.a tests/runtests tests/module/alt-auth-t tests/module/bad-authtok-t tests/module/basic-t tests/module/cache-cleanup-t tests/module/cache-t tests/module/expired-t tests/module/no-cache-t tests/module/password-t tests/module/realm-t tests/module/stacked-t tests/pam-util/args-t tests/pam-util/fakepam-t tests/pam-util/logging-t tests/pam-util/options-t tests/pam-util/vector-t tests/portable/asprintf-t tests/portable/mkstemp-t tests/portable/snprintf-t tests/portable/strlcat-t tests/portable/strlcpy-t tests/portable/strndup-t
make[1]: Entering directory `/home/matt/foo/pam-krb5'
make[1]: `tests/tap/libtap.a' is up to date.
make[1]: `tests/runtests' is up to date.
make[1]: `tests/module/alt-auth-t' is up to date.
make[1]: `tests/module/bad-authtok-t' is up to date.
make[1]: `tests/module/basic-t' is up to date.
make[1]: `tests/module/cache-cleanup-t' is up to date.
make[1]: `tests/module/cache-t' is up to date.
make[1]: `tests/module/expired-t' is up to date.
make[1]: `tests/module/no-cache-t' is up to date.
make[1]: `tests/module/password-t' is up to date.
make[1]: `tests/module/realm-t' is up to date.
make[1]: `tests/module/stacked-t' is up to date.
make[1]: `tests/pam-util/args-t' is up to date.
make[1]: `tests/pam-util/fakepam-t' is up to date.
make[1]: `tests/pam-util/logging-t' is up to date.
make[1]: `tests/pam-util/options-t' is up to date.
make[1]: `tests/pam-util/vector-t' is up to date.
make[1]: `tests/portable/asprintf-t' is up to date.
make[1]: `tests/portable/mkstemp-t' is up to date.
make[1]: `tests/portable/snprintf-t' is up to date.
make[1]: `tests/portable/strlcat-t' is up to date.
make[1]: `tests/portable/strlcpy-t' is up to date.
make[1]: `tests/portable/strndup-t' is up to date.
make[1]: Leaving directory `/home/matt/foo/pam-krb5'
make check-local
make[1]: Entering directory `/home/matt/foo/pam-krb5'
cd tests && ./runtests /home/matt/foo/pam-krb5/tests/TESTS

Running all tests listed in TESTS. If any tests fail, run the failing
test program with runtests -o to see more details.

module/alt-auth.........skipped (Kerberos tests not configured)
module/bad-authtok......skipped (Kerberos tests not configured)
module/basic............ABORTED (killed by signal 11, core dumped)
module/cache............skipped (Kerberos tests not configured)
module/cache-cleanup....skipped (Kerberos tests not configured)
module/expired..........skipped (Kerberos tests not configured)
module/no-cache.........skipped (Kerberos tests not configured)
module/password.........skipped (Kerberos tests not configured)
module/realm............skipped (Kerberos tests not configured)
module/stacked..........skipped (Kerberos tests not configured)
pam-util/args...........MISSED 2-11; FAILED 1 (killed by signal 11, core dumped)
pam-util/fakepam........ok
pam-util/logging........MISSED 3-27; FAILED 1-2 (killed by signal 11, core dumped)
pam-util/options........ABORTED (cannot create PAM argument struct: Success)
pam-util/vector.........ok
portable/asprintf.......ok
portable/mkstemp........ok
portable/snprintf.......ok
portable/strlcat........ok
portable/strlcpy........ok
portable/strndup........ok

Failed Set Fail/Total (%) Skip Stat Failing Tests
-------------------------- -------------- ---- ---- ------------------------
module/basic 0/0 0% 0 -- aborted
pam-util/args 11/11 100% 0 -- 1-11
pam-util/logging 27/27 100% 0 -- 1-27
pam-util/options 0/0 0% 0 1 aborted

Aborted 2 test sets, passed 1200/1238 tests, 9 tests skipped.
Files=21, Tests=1238, 1.10 seconds (0.00 usr + 0.00 sys = 0.00 CPU)
make[1]: *** [check-local] Error 1
make[1]: Leaving directory `/home/matt/foo/pam-krb5'
make: *** [check-am] Error 2

workaround:

 boot to recovery, (need a root passwd)
apt-get remove libpam-krb5

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libpam-krb5 (not installed)
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu7
Architecture: i386
Date: Sat May 12 14:54:16 2012
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LANGUAGE=en_US:en
SourcePackage: libpam-krb5
UpgradeStatus: Upgraded to precise on 2012-05-12 (0 days ago)

Revision history for this message
Russ Allbery (rra-debian) wrote :

krb5_init_context is failing. Does running kinit from the command-line work, or does it fail as well?

(pam-krb5 should not segfault when krb5_init_context fails, but it's just a NULL pointer dereference on a local configuration or library error, so it's not a particularly major bug. However, I will try to fix that on the next release.)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libpam-krb5 (Ubuntu):
status: New → Confirmed
Revision history for this message
Alex Mandel (wildintellect) wrote :

I believe I'm having this issue, though ssh auth via krb5 works, pam based auth in postgres fails with this error.

kernel: [68673.518855] postgres[7268]: segfault at 8 ip b4c859ad sp bfd183f0 error 4 in pam_krb5.so[b4c80000+c000]

Revision history for this message
Russ Allbery (rra-debian) wrote :

As mentioned in the reply to the original report, while I'll fix the segfault in the next release, all that's going to do is cause pam-krb5 to always fail instead of segfault. If you're having the same problem, it's because your local Kerberos configuration is invalid. You need to figure out what's broken (probably, given the symptoms you report, a krb5.conf file that isn't readable by PostgreSQL) and correct that locally on your system.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpam-krb5 - 4.6-1

---------------
libpam-krb5 (4.6-1) unstable; urgency=low

  * New upstream release.
    - New anon_fast option to attempt anonymous authentication and use
      those credentials to provide FAST armor. (Closes: #626509)
    - New user_realm option to set the realm for unqualified user
      principals without changing the default realm for all other
      operations.
    - New no_prompt option to suppress PAM prompting in favor of letting
      the Kerberos library handle it. (Closes: #626506)
    - New silent option that duplicates the behavior of PAM_SILENT.
    - New trace option for preliminary support of Kerberos trace logging.
    - Fix the doubled colon in password prompts from Heimdal.
    - Preserve the realm of the authentication identity when forming an
      alt_auth_map identity.
    - Allow the alt_auth_map format to contain a realm to force all mapped
      principals to be in that realm.
    - Avoid a NULL pointer dereference if krb5_init_context fails.
      (LP: #998525)
    - Close memory leaks in search_k5login and alt_auth_map.
    - Suppress bogus error messages about the realm option.
    - Retry authentication under try_first_pass for several other error
      conditions.
  * Regenerate the Autotools build system with dh-autoreconf.
  * Add krb5-config to Build-Depends so that the test programs don't abort
    with errors about not having a Kerberos configuration.
  * Switch to xz compression for the upstream and Debian tarballs.
  * Enable parallel builds.
  * Update standards version to 3.9.3 (no changes required).

 -- Russ Allbery <email address hidden> Sat, 02 Jun 2012 19:20:27 -0700

Changed in libpam-krb5 (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.