libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
krb5 (Ubuntu) | | High | Unassigned |
Trusty | | High | Unassigned |
Bug Description
There's a bug fixed in krb5 1.12.1+dfsg-2 (just uploaded to Debian) where if a gss-api mechanism is dynamically loaded, and that mechanism uses symbols from libgssapi_krb5, and doesn't provide certain optional entry points added in krb5 1.12, then calling one of those entry points will cause the mechglue to call itself. This results in an endless loop and the process eventually crashes on stack exhaustion.
Unfortunately, one of the entry points, gss_add_cred_from, is going to get called quite commonly.
So, this means that if you're using Ubuntu to develop a GSS-API mechanism or are installing a third party gss-api mechanism, things are going to crash, mostly whenever anyone tries to use gss-api as a server, regardless of whether they intended to use your application.
I'd like to see this fixed in trusty, so I'm giving a detailed repro below. Patch against trusty coming shortly.
Apologies that the repro is a bit involved; there's not a mechanism packaged in Ubuntu that easily exhibits this. However, you really ought to be able to use Ubuntu to develop a GSS mechanism without crashing all your gss apps.
On a stock trusty system, first install the attached mech file as /usr/etc/gss/mech (yes that's /usr/etc, not /etc) and then run the following:
sudo add-apt-repository ppa:moonshot/daily
sudo apt-get update
sudo apt-get install bzr libkrb5-dev libradsec-dev libssl-dev libjansson-dev autoconf automake libtool build-essential
bzr branch -r739 lp:moonshot
cd moonshot/
autoreconf -i
./configure --without-opensaml --without-
make -j3
sudo make install
sudo apt-get install krb5-gss-samples
gss-server host@localhost
This will segfault.
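To make the failure mode in the description concrete, here is an added example (not krb5's code and not part of this bug report) of a toy mechglue that resolves the optional gss_add_cred_from entry point of a loaded mechanism. dlsym(3) is simulated with a struct, the 16-frame depth guard exists only so the demo returns instead of crashing, and the function names other than gss_add_cred_from and the ADD_METHOD/ADD_METHOD_NOLOOP macro names from the changelog are constructed for the example.

```c
/* Added example, not krb5 code: a toy mechglue resolving the optional
 * gss_add_cred_from entry point of a "dynamically loaded" mechanism.
 * dlsym(3) is simulated with a struct; the depth guard is demo-only. */
#include <stddef.h>
typedef unsigned int OM_uint32;
#define GSS_S_COMPLETE    0u
#define GSS_S_FAILURE     (13u << 16)  /* routine-error values as in gssapi.h */
#define GSS_S_UNAVAILABLE (16u << 16)
typedef OM_uint32 (*add_cred_from_fn)(OM_uint32 *minor);
/* A mech shared object; own_add_cred_from is NULL when it never defined it. */
struct mech_so { add_cred_from_fn own_add_cred_from; };
static struct { add_cred_from_fn gss_add_cred_from; } loaded_mech; /* mechglue's record */
static int depth;  /* demo-only guard; the real mechglue has none */

/* The mechglue's exported gss_add_cred_from: dispatch to the mech. */
static OM_uint32 gss_add_cred_from(OM_uint32 *minor) {
    if (loaded_mech.gss_add_cred_from == NULL)
        return GSS_S_UNAVAILABLE;  /* mech lacks the entry point: clean error */
    if (depth > 16)                /* real code recurses until the stack is gone */
        return GSS_S_FAILURE;
    depth++;
    OM_uint32 st = loaded_mech.gss_add_cred_from(minor);
    depth--;
    return st;
}
/* Simulated dlsym(): a mech linked against libgssapi_krb5 sees the mechglue's
 * own symbols via its dependency chain, so the lookup "succeeds" regardless. */
static add_cred_from_fn mech_dlsym(const struct mech_so *so) {
    return so->own_add_cred_from ? so->own_add_cred_from : gss_add_cred_from;
}
/* ADD_METHOD (before the fix): trust whatever dlsym returned. */
static void add_method(const struct mech_so *so) {
    loaded_mech.gss_add_cred_from = mech_dlsym(so);
}
/* ADD_METHOD_NOLOOP (the fix): a pointer equal to the mechglue's own function
 * means the mech did not provide it, so record "not available" instead. */
static void add_method_noloop(const struct mech_so *so) {
    add_method(so);
    if (loaded_mech.gss_add_cred_from == gss_add_cred_from)
        loaded_mech.gss_add_cred_from = NULL;
}
static OM_uint32 mech_impl(OM_uint32 *minor) { *minor = 0; return GSS_S_COMPLETE; }
/* Load a mech (with/without the symbol) via the old or fixed macro, call the
 * entry point once and return the major status the application would see. */
OM_uint32 run_scenario(int use_noloop, int mech_defines_symbol) {
    struct mech_so so = { mech_defines_symbol ? mech_impl : NULL };
    OM_uint32 minor = 0;
    depth = 0;
    if (use_noloop) add_method_noloop(&so); else add_method(&so);
    return gss_add_cred_from(&minor);
}
```

Without the NOLOOP check, a mechanism that lacks the symbol makes the mechglue dispatch to itself; with it, the caller gets GSS_S_UNAVAILABLE instead of a stack overflow.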
Sam Hartman (hartmans) wrote: #2
Luke Howard (lukeh-padl) wrote: Re: [Bug 1326500] libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from #3
How about grabbing this commit from browserid:
commit e51f544e6c0b92c
Author: Luke Howard <email address hidden>
Date: Thu Oct 24 18:10:24 2013 -0700
add gss_{acquire,
Sam Hartman (hartmans) wrote: #4
>>>>> "Luke" == Luke Howard <email address hidden> writes:
Luke> How about grabbing this commit from browserid: commit
Luke> e51f544e6c0b92c
Luke> <email address hidden> Date: Thu Oct 24 18:10:24 2013 -0700
That's something to consider for the specific case of moonshot.
However, the krb5 behavior is clearly broken, and I'd like to see
Ubuntu pick up the Debian patch.
Sam Hartman (hartmans) wrote: #5
I've built the linked branch in ppa:hartmans/
With these packages installed and the attached radsec.conf installed as /usr/local/
Without radsec.conf installed it prints an error about being unable to acquire credentials, which is also correct given that none of the available mechanisms can initialize as a server.
Once this gets picked up for utopic I'll look into what I need to do to put together an SRU template.
The patch is trivial and obviously an improvement over the existing code; it's also very unlikely the patch would have unintended side effects.
Sam Hartman (hartmans) wrote: #6
Here's the patch from debian krb5 1.12.1+dfsg-2
tags: added: patch
The attachment "0014-Do-
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]
tags: added: trusty
Brian Murray (brian-murray) wrote: #8
For reference here is the debian changelog in which this bug was fixed:
krb5 (1.12.1+dfsg-2) unstable; urgency=low
[ Jelmer Vernooij ]
* Non-maintainer upload.
* Provide -L and -I flags from krb5-config. Closes: #730837
* Ship krb5-config.mit binary in krb5-multidev. Closes: #745322
* Provide -L and -I flags from pkg-config files. Closes: #750041
[ Sam Hartman ]
* Include upstream patch to load gss mechanisms from /etc/gss/mech.d,
Closes: #673680
* Sysconfdir explicitly set to /etc
* Include ubuntu change to permit libverto-libevent1 (not currently
built in Debian) as an alternative for the KDC. For now just
reduces diff with Ubuntu. Next libverto upload will probably start
building that for Debian too.
* Do not cause endless loop when a mechanism fails to include
gss_
* Include /etc/gss/
* Low urgency to give extra time in unstable
* Update symbols for gss_indicate_mechs
-- Sam Hartman <> Wed, 04 Jun 2014 12:09:56 -0400
Changed in krb5 (Ubuntu):
status: Confirmed → Triaged
Changed in krb5 (Ubuntu Trusty):
status: New → Triaged
milestone: none → ubuntu-14.04.1
importance: Undecided → High
Changed in krb5 (Ubuntu):
importance: Undecided → High
Sam Hartman (hartmans) wrote: #9
With the upload of krb5 1.12.1+
Changed in krb5 (Ubuntu):
status: Triaged → Fix Released
Hello Sam, or anyone else affected,
Accepted krb5 into trusty-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in krb5 (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed
Sam Hartman (hartmans) wrote: #11
I enabled proposed and confirmed that, as I described in the initial test case, gss-server segfaults with 1.12+dfsg-2ubuntu4. Then I installed libgssapi-krb5-2 from trusty-proposed. That pulled in most of the other krb5 packages, as I'd expect, all version 1.12+dfsg-2ubuntu5.
I ran gss-server and it worked fine. That is, ubuntu5 fixes my problem.
tags: added: verification-done removed: verification-needed
Launchpad Janitor (janitor) wrote: #12
This bug was fixed in the package krb5 - 1.12+dfsg-2ubuntu5
---------------
krb5 (1.12+dfsg-
* Use ADD_METHOD_NOLOOP rather than ADD_METHOD for new GSS-API entry
points, avoids infinite recursive loop when a mechanism doesn't
provide an entry point and does include calls back into the mechglue
(LP: #1326500)
* Make libkadm5srv-mit8 be arch: any multi-arch: same to work around
upgrade bug (LP: #1334052)
* Use tailq macros to work around GCC 4.8 optimizer bug and prevent
infinite loop for database propagation (LP: #1347147)
-- Sam Hartman <email address hidden> Wed, 30 Jul 2014 21:06:49 -0400
Changed in krb5 (Ubuntu Trusty):
status: Fix Committed → Fix Released
The verification of the Stable Release Update for krb5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Marking confirmed because I started tracking this down based on a report to the Moonshot project from Rhys Smith, which ended up being this issue.