libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

Bug #1326500 reported by Sam Hartman on 2014-06-04
This bug affects 1 person
Affects Status Importance Assigned to Milestone
krb5 (Ubuntu)

Bug Description

There's a bug fixed in krb5 1.12.1+dfsg-2 (just uploaded to Debian) where if a gss-api mechanism is dynamically loaded, and that mechanism uses symbols from libgssapi_krb5, and doesn't provide certain optional entry points added in krb5 1.12, then calling one of those entry points will cause the mechglue to call itself. This results in an endless loop and the process eventually crashes on stack exhaustion.
Unfortunately, one of the entry points, gss_add_cred_from is going to get called quite commonly.
So, this means that if you're using Ubuntu to develop a GSS-API mechanism or are installing a third party gss-api mechanism, things are going to crash, mostly whenever anyone tries to use gss-api as a server, regardless of whether they intended to use your application.

I'd like to see this fixed in trusty, so I'm giving a detailed repro below. Patch against trusty coming shortly.
Apologies that the repro is a bit involved; there's not a mechanism packaged in Ubuntu that easily exhibits this. However, you really ought to be able to use Ubuntu to develop a GSS mechanism without crashing all your gss apps.

On a stock trusty system, first install the attached mech file as /usr/etc/gss/mech (yes that's /usr/etc, not /etc) and then run the following:

  sudo add-apt-repository ppa:moonshot/daily
  sudo apt-get update
    4 sudo apt-get install bzr libkrb5-dev libradsec-dev libssl-dev libjansson-dev autoconf automake libtool build-essential
  bzr branch -r739 lp:moonshot
  cd moonshot/
  autoreconf -i
  ./configure --without-opensaml --without-shibresolver
  make -j3
  sudo make install
  sudo apt-get install krb5-gss-samples
  gss-server host@localhost

This will segfault

Sam Hartman (hartmans) wrote :
Changed in krb5 (Ubuntu):
status: New → Confirmed
Sam Hartman (hartmans) wrote :

Marking confirmed because I started tracking this down based on a report to the Moonshot project from Rhys Smith which ended up being this issue.

How about grabbing this commit from browserid:

commit e51f544e6c0b92c88163d1b0f4ae110869abf070
Author: Luke Howard <email address hidden>
Date: Thu Oct 24 18:10:24 2013 -0700

    add gss_{acquire,add}_cred_from

Sam Hartman (hartmans) wrote :

>>>>> "Luke" == Luke Howard <email address hidden> writes:

    Luke> How about grabbing this commit from browserid: commit
    Luke> e51f544e6c0b92c88163d1b0f4ae110869abf070 Author: Luke Howard
    Luke> <email address hidden> Date: Thu Oct 24 18:10:24 2013 -0700

That's something to consider for the specific case of moonshot.
However, the krb5 behavior is clearly broken, and I'd like to see
Ubuntu pick up the Debian patch.

Sam Hartman (hartmans) wrote :

I've built the linked branch in ppa:hartmans/ubuntu-fixes for trusty.
With these packages installed and the attached radsec.conf installed as /usr/local/etc/radsec.conf, then gss-server starts correctly as expected.
Without radsec.conf installed it prints an error about being unable to acquire credentials, which is also correct given that none of the available mechanisms can initialize as a server.

Once this gets picked up for utopic I'll look into what I need to do to put together an SRU template.
The patch is trivial and obviously an improvement over the existing code; it's also very unlikely the patch would have unintended side effects.

Sam Hartman (hartmans) wrote :

Here's the patch from debian krb5 1.12.1+dfsg-2

tags: added: patch

The attachment "0014-Do-not-loop-on-add_cred_from-and-other-new-methods.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: trusty
Brian Murray (brian-murray) wrote :

For reference here is the debian changelog in which this bug was fixed:

krb5 (1.12.1+dfsg-2) unstable; urgency=low

  [ Jelmer Vernooij ]
  * Non-maintainer upload.
  * Provide -L and -I flags from krb5-config. Closes: #730837
  * Ship binary in krb5-multidev., Closes: #745322
  * Provide -L and -I flags from pkg-config files. Closes: #750041

  [ Sam Hartman ]
  * Include upstream patch to load gss mechanisms from /etc/gss/mech.d,
    Closes: #673680
  * Sysconfdir explicitly set to /etc
  * Include ubuntu change to permit libverto-libevent1 (not currently
    built in Debian) as an alternative for the KDC. For now just
    reduces diff with Ubuntu. Next libverto upload will probably start
    building that for Debian too.
  * Do not cause endless loop when a mechanism fails to include
    gss_add_cred_from or other new methods (upstream #7926)
  * Include /etc/gss/mech.d/README
  * Low urgency to give extra time in unstable
  * Update symbols for gss_indicate_mechs

 -- Sam Hartman <> Wed, 04 Jun 2014 12:09:56 -0400

Changed in krb5 (Ubuntu):
status: Confirmed → Triaged
Changed in krb5 (Ubuntu Trusty):
status: New → Triaged
milestone: none → ubuntu-14.04.1
importance: Undecided → High
Changed in krb5 (Ubuntu):
importance: Undecided → High
Sam Hartman (hartmans) wrote :

With the upload of krb5 1.12.1+dfsg-3ubuntu1 to utopic, this is fixed in utopic. Any additional help I can provide getting this into trusty?

Changed in krb5 (Ubuntu):
status: Triaged → Fix Released

Hello Sam, or anyone else affected,

Accepted krb5 into trusty-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in krb5 (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Sam Hartman (hartmans) wrote :

I enabled proposed, confirmed that as I described in the initial test case gss-server segfaults with 1.12+dfsg-2ubuntu4. Then I installed libgssapi-krb5-2 from trusty-proposed. That pulled in most of the other krb5 packages as I'd expect all version 1.12+dfsg-2ubuntu5.
I ran gss-server and it worked fine. That is, ubuntu5 fixes my problem.

Sam Hartman (hartmans) on 2014-10-02
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.12+dfsg-2ubuntu5

krb5 (1.12+dfsg-2ubuntu5) trusty; urgency=low

  * Use ADD_METHOD_NOLOOP rather than ADD_METHOD for new GSS-API entry
    points, avoids infinite recursive loop when a mechanism doesn't
    provide an entry point and does include calls back into the mechglue
    (LP: #1326500)
  * Make libkadm5srv-mit8 be arch: any multi-arch: same to work around
    upgrade bug (LP: #1334052)
  * Use tailq macros to work around GCC 4.8 optimizer bug and prevent
    infinite loop for database propagation (LP: #1347147)
 -- Sam Hartman <email address hidden> Wed, 30 Jul 2014 21:06:49 -0400

Changed in krb5 (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for krb5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers