many applications fail, general protection with LDAPS in libgcrypt on 11.10

Bug #874307 reported by Simon Fraser on 2011-10-14
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
libgcrypt11 (Ubuntu)
Undecided
Unassigned

Bug Description

If I configure nsswitch.conf to use ldap, and have an ldaps uri in /etc/ldap.conf, then libgcrypt segfaults for any application that requires it:

Oct 14 15:37:05 ubu101751 kernel: [ 4195.439082] login[1025] general protection ip:b7b9fbad sp:bfffc568 error:0 in libgcrypt.so.11.7.0[b7b75000+82000]
Oct 14 15:37:05 ubu101751 kernel: [ 4195.439747] init: tty2 main process (1025) killed by SEGV signal
Oct 14 15:37:05 ubu101751 kernel: [ 4195.439794] init: tty2 main process ended, respawning

Oct 14 15:40:24 ubu101751 sudo: Libgcrypt warning: missing initialization - please fix the application
Oct 14 15:40:48 ubu101751 kernel: [ 4417.796815] xterm[22965] general protection ip:b7299bad sp:bfffd254 error:0 in libgcrypt.so.11.7.0[b726f000+82000]
Oct 14 15:40:49 ubu101751 kernel: [ 4418.664457] xterm[22970] general protection ip:b7299bad sp:bfffd254 error:0 in libgcrypt.so.11.7.0[b726f000+82000]

Turning the encryption off in the ldap connection (ie, replacing ldaps:// with ldap://) causes the problem to stop.

$ lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
$ apt-cache policy libgcrypt11
libgcrypt11:
  Installed: 1.5.0-1
  Candidate: 1.5.0-1
  Version table:
 *** 1.5.0-1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: libgcrypt11 1.5.0-1
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic-pae 3.0.4
Uname: Linux 3.0.0-12-generic-pae i686
ApportVersion: 1.23-0ubuntu3
Architecture: i386
Date: Fri Oct 14 15:57:02 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: libgcrypt11
UpgradeStatus: Upgraded to oneiric on 2011-10-14 (0 days ago)

Revision history for this message
Simon Fraser (simonfr) wrote :
Revision history for this message
Andreas Metzler (k-launchpad-downhill-at-eu-org) wrote :

Do you have a rather modern CPU with support for AES-NI? (grep -i aes /proc/cpuinfo) If that was the case this might be the same issue as http://bugs.debian.org/643336 (Which is still unresolved.)

Revision history for this message
Simon Fraser (simonfr) wrote :

The 'aes' flag is there, so it might well be. Apologies for not spotting the other bug report.

Revision history for this message
Simon Fraser (simonfr) wrote :

Incidentally, I think this is the reason my upgrade from 11.04 to 11.10 had problems, too - 16 packages produced errors when doing things like 'addgroup', and I had to remove ldap from nsswitch.conf to finish the upgrade.

Revision history for this message
Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

Is there a workaround for this problem? Right now, oneiric i386 is completly broken for us (we deploy several dozen desktops).
x86_64 seems to work, but poses different problems with plugins, migration etc.
And yes, we need LDAP authentication.

Revision history for this message
Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

Clarification: We need LDAPS authentication.

Revision history for this message
Simon Fraser (simonfr) wrote :

I've not investigated a workaround for this, as it happened on a test upgrade, and we're still using 10.04 LTS on production machines here. Sorry.

Revision history for this message
Simon Fraser (simonfr) wrote :

Fridtjof: Found a workaround. It's to remove libnss-ldap and use libnss-ldapd instead. This appears to be related to the privileges libgcrypt ends up with, causing it to fail with direct connections. The daemon supplied with libnss-ldapd (and libpam-ldapd) doesn't drop these privileges. Still should be regarded as a bug with libgcrypt, though.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libgcrypt11 (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.