libpam-heimdal does not work on Maverick and Natty

Reported by Neal H. Walfield on 2010-10-19
This bug affects 5 people
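Affects | Status | Importance | Assigned to | Milestone
heimdal (Ubuntu) | | High | Unassigned |
heimdal (Ubuntu Maverick) | | High | Steve Langasek |
heimdal (Ubuntu Natty) | | High | Steve Langasek |
libpam-heimdal (Ubuntu) | | Undecided | Unassigned |
libpam-heimdal (Ubuntu Maverick) | | Undecided | Steve Langasek |
libpam-heimdal (Ubuntu Natty) | | Undecided | Steve Langasek |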

Bug Description

SRU justification:

libpam-heimdal was inadvertently dropped from maverick and natty due to the merging of the source package into libpam-krb5. An attempt was made to correct this by copying the lucid version of the package back over to {maverick,natty}-updates, but the heimdal library sonames have changed between lucid and maverick, with the result that these packages are uninstallable.

Risk of regression: None. The package is currently not installable, so cannot regress.

Test case:
1. Try to install libpam-heimdal from the -updates pocket with "apt-get install libpam-heimdal". Confirm that it fails due to unsatisfiable dependencies.
2. enable -proposed.
3. Try to install again. Confirm that it installs successfully.

Binary package hint: libpam-heimdal

I just upgraded to Ubuntu 10.10 from 10.04 and I almost was not able to log in anymore. Looking at /var/log/auth.log, I see:

Oct 19 16:06:32 maurice sshd[3856]: PAM unable to dlopen(/lib/security/pam_krb5.so): /usr/lib/libhx509.so.4: undefined symbol: oid_id_pkcs3_rc2_cbc
Oct 19 16:07:27 maurice login[2970]: PAM unable to dlopen(/lib/security/pam_krb5.so): /usr/lib/libhx509.so.4: undefined symbol: oid_id_pkcs3_rc2_cbc

Relevant packages are:

ii libhx509-4-heimdal 1.2.e1.dfsg.1-1ubuntu1
ii libpam-heimdal 3.15-2ubuntu1

This problem appears similar to that described in bug #597427, which was fixed by rebuilding the package against the latest version of the library.

I rebuilt the Lucid package (http://packages.ubuntu.com/de/source/lucid/libpam-heimdal) as follows:

wget http://archive.ubuntu.com/ubuntu/pool/universe/libp/libpam-heimdal/libpam-heimdal_3.15-2ubuntu1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/libp/libpam-heimdal/libpam-heimdal_3.15.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/libp/libpam-heimdal/libpam-heimdal_3.15-2ubuntu1.diff.gz
dpkg-source -x libpam-heimdal_3.15-2ubuntu1.dsc
cd libpam-heimdal-3.15/
dpkg-buildpackage -us -uc -rfakeroot
cd ..
sudo dpkg -i libpam-heimdal_3.15-2ubuntu1_i386.deb

Now I can login using Kerberos.
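
An added example, not part of the original report or of any Ubuntu tooling: a POSIX shell function that summarises "PAM unable to dlopen" failures like the ones quoted above, so a PAM module that no longer loads can be spotted after an upgrade while a working session is still open. It assumes the traditional syslog line layout; the function names and the last two sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise PAM module load failures in auth.log-style input.
# Output per distinct failure: "<count> <services> <module> <dlerror text>".

pam_dlopen_failures() {
    # Reads the files given as arguments, or stdin when none are given.
    awk '
    {
        marker = "PAM unable to dlopen("
        p = index($0, marker)
        if (p == 0) next
        # Traditional syslog layout: month day time host tag[pid]: message
        svc = $5
        sub(/\[.*/, "", svc)
        sub(/:$/, "", svc)
        rest = substr($0, p + length(marker))
        q = index(rest, "): ")
        if (q == 0) next
        # Group by module path plus the dlerror() text that follows it.
        key = substr(rest, 1, q - 1) " " substr(rest, q + 3)
        count[key]++
        if (!((key, svc) in seen)) {
            seen[key, svc] = 1
            if (key in svcs) { svcs[key] = svcs[key] "," svc } else { svcs[key] = svc }
        }
    }
    END { for (k in count) print count[k], svcs[k], k }
    ' "$@" | sort
}

# Sample input: the first two lines are quoted from the report above;
# the last two are constructed for this example.
sample_auth_log() {
    cat <<'EOF'
Oct 19 16:06:32 maurice sshd[3856]: PAM unable to dlopen(/lib/security/pam_krb5.so): /usr/lib/libhx509.so.4: undefined symbol: oid_id_pkcs3_rc2_cbc
Oct 19 16:07:27 maurice login[2970]: PAM unable to dlopen(/lib/security/pam_krb5.so): /usr/lib/libhx509.so.4: undefined symbol: oid_id_pkcs3_rc2_cbc
Oct 19 16:08:01 maurice sshd[3901]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Oct 19 16:09:10 maurice su[4012]: PAM unable to dlopen(/lib/security/pam_example.so): /lib/security/pam_example.so: cannot open shared object file: No such file or directory
EOF
}

sample_auth_log | pam_dlopen_failures
```

Run against a real log with "pam_dlopen_failures /var/log/auth.log"; any output line means at least one service could not load that module.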

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

security vulnerability: yes → no
visibility: private → public

Thanks for the provided solution, Neal, we had the same problem on our own systems doing an upgrade.
I'm searching for some details about the problem. Is there an official bug opened somewhere? I would follow the developments... an eventual upgrade would lead to a massive disaster on our network.

Regards.

spidernik84,

I observed that Ubuntu was being increasingly buggy with each release and have since moved all my Ubuntu boxes to Debian.

spidernik84 (alexander-rilik) wrote :

Well, it's definitely becoming more complex and introducing a lot of bleeding-edge stuff like plymouth, upstart and so on. From complexity comes instability, sometimes.

Unfortunately we can't move an entire userbase to a new platform, so we're still hoping for the bugs to decrease in time :(

Jonathan Davies (jpds) on 2011-05-04
Changed in libpam-heimdal (Ubuntu):
status: New → Triaged
importance: Undecided → High
milestone: none → maverick-updates
summary: - Need rebuild for 10.10
+ libpam-heimdal does not work on Maverick

<sigh />
The symbol mentioned in the original error message (oid_id_pkcs3_rc2_cbc) comes from libasn1.so.8. The actual cause of this problem is that that symbol, along with several others, was renamed (a backward-incompatible ABI change) without a corresponding change in soname. Since libkrb5.so.25 depends (indirectly) on this library, this means that _any_ package built against Heimdal on a Lucid system will fail to work on Maverick or Natty. The actual problem is in heimdal itself; libpam-heimdal just happens to be an example of such a package that is still present after a Lucid system is upgraded, because it does not (yet) appear in Maverick or Natty.

Jeffrey Hutzelman (jhutz) wrote :

It's been suggested that I point out the only viable solution here is to reintroduce the missing symbols in libasn1.so.8. While it would have been reasonable to bump the soname version before releasing the backward-incompatible library in the first place, the only way now to fix the problem without creating new problems for more recently built binary packages is to release a libasn1-8-heimdal in which libasn1.so.8 contains both old and new symbols.

Jeffrey Hutzelman (jhutz) wrote :

As noted, this is really due to a backward-incompatible ABI change in libasn1-8-heimdal

affects: libpam-heimdal (Ubuntu) → heimdal (Ubuntu)
Peter Matulis (petermatulis) wrote :

There are now packages for Maverick and Natty (from Lucid).

Peter Matulis (petermatulis) wrote :

The Maverick and Natty packages do not install correctly. There are dependency problems.

On Natty:

$ sudo apt-get install libpam-heimdal
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libpam-heimdal : Depends: libkrb5-25-heimdal but it is not installable
E: Broken packages

$ aptitude search libkrb5
i A libkrb5-26-heimdal

same dependency problem for me on natty

this problem can be worked around by
apt-get source libpam-heimdal
cd libpam-heimdal-3.15
debuild

So a simple rebuild (and maybe a build-depend?) should solve the problem. Why should it take more than a month since the first report?

Peter Matulis (petermatulis) wrote :

Heimdal has been promoted to main for Oneiric which will allow libpam-heimdal to be built again but we still need an SRU for both Natty and Maverick. Can someone create a task for these 2 releases please?

Steve Langasek (vorlon) on 2011-08-26
Changed in heimdal (Ubuntu Maverick):
status: New → In Progress
Changed in heimdal (Ubuntu Natty):
status: New → In Progress
Changed in heimdal (Ubuntu Maverick):
importance: Undecided → High
Changed in heimdal (Ubuntu Natty):
importance: Undecided → High
Changed in heimdal (Ubuntu Maverick):
assignee: nobody → Steve Langasek (vorlon)
Changed in heimdal (Ubuntu Natty):
assignee: nobody → Steve Langasek (vorlon)
Changed in heimdal (Ubuntu):
status: Triaged → Invalid
Steve Langasek (vorlon) on 2011-08-26
description: updated
Peter Matulis (petermatulis) wrote :

Cannot test as the -proposed package is not yet available.

Hello Neal, or anyone else affected,

Accepted libpam-heimdal into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Changed in libpam-heimdal (Ubuntu):
status: New → Fix Released
Changed in libpam-heimdal (Ubuntu Maverick):
status: New → Fix Committed
Changed in libpam-heimdal (Ubuntu Natty):
status: New → Fix Committed
Changed in libpam-heimdal (Ubuntu Maverick):
assignee: nobody → Steve Langasek (vorlon)
Changed in libpam-heimdal (Ubuntu Natty):
assignee: nobody → Steve Langasek (vorlon)

Nope, it doesn't work.

$ apt-cache policy libpam-heimdal

libpam-heimdal:
  Installed: (none)
  Candidate: 3.15-2ubuntu1
  Version table:
     3.15-2ubuntu2 0
        400 http://archive.ubuntu.com/ubuntu/ maverick-proposed/universe amd64 Packages
     3.15-2ubuntu1 0
        900 http://ca.archive.ubuntu.com/ubuntu/ maverick-updates/universe amd64 Packages

$ sudo apt-get install libpam-heimdal

Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libpam-heimdal : Depends: libkrb5-25-heimdal but it is not installable
E: Broken packages
==

This is what is currently in the archives:

libkrb5-26-heimdal

See my comment of 2011-06-20.

summary: - libpam-heimdal does not work on Maverick
+ libpam-heimdal does not work on Maverick and Natty
Steve Langasek (vorlon) wrote :

Peter,

Your apt-cache policy shows you do not have -proposed configured to install by default.

libpam-heimdal:
  Installed: (none)
  Candidate: 3.15-2ubuntu1
  Version table:
     3.15-2ubuntu2 0
        400 http://archive.ubuntu.com/ubuntu/ maverick-proposed/universe amd64 Packages
     3.15-2ubuntu1 0
        900 http://ca.archive.ubuntu.com/ubuntu/ maverick-updates/universe amd64 Packages

The candidate package should be 3.15-2ubuntu2, not 3.15-2ubuntu1. You will either need to adjust your /etc/apt/preferences, or install with 'apt-get install libpam-heimdal=3.15-2ubuntu2' for testing.

Peter Matulis (petermatulis) wrote :

My apologies; it does work. Confirmed on Maverick!

Steve Langasek (vorlon) wrote :

Thanks for the test. Could you also test that it installs/works ok on natty (by manually enabling maverick-proposed in the sources.list for natty), just to be sure?

Martin Pitt (pitti) wrote :

Thanks for testing!

tags: added: verification-done
removed: verification-needed
Peter Matulis (petermatulis) wrote :

@Steve

Yes, doing that works too. Confirmed on Natty!

Will we be getting the Natty packages soon?

On Wed, Aug 31, 2011 at 05:59:50PM -0000, Peter Matulis wrote:
> Yes, doing that works too. Confirmed on Natty!

> Will we be getting the Natty packages soon?

We'll just pocket-copy the package to natty for publishing - no need to
rebuild the same package twice.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

Clint Byrum (clint-fewbar) wrote :

Excerpts from Peter Matulis's message of Wed Aug 31 17:59:50 UTC 2011:
> @Steve
>
> Yes, doing that works too. Confirmed on Natty!
>
> Will we be getting the Natty packages soon?
>

Peter normally we need to leave it in -proposed for 7 days before we
release these.

I'll ask another SRU team member to agree with me here, but I think we
can waive the usual wait for regressions since this package was completely
non-installable before.

Martin? Chris? Thoughts?

Steve Langasek (vorlon) wrote :

On Wed, Aug 31, 2011 at 09:57:04PM -0000, Clint Byrum wrote:
> Excerpts from Peter Matulis's message of Wed Aug 31 17:59:50 UTC 2011:
> > @Steve

> > Yes, doing that works too. Confirmed on Natty!

> > Will we be getting the Natty packages soon?

> Peter normally we need to leave it in -proposed for 7 days before we
> release these.

> I'll ask another SRU team member to agree with me here, but I think we
> can waive the usual wait for regressions since this package was completely
> non-installable before.

I would agree that we could waive the waiting period in this case, but
perhaps you wanted an SRU team member who wasn't also the uploader :)


Martin Pitt (pitti) wrote :

I agree, in this case there is zero regression potential.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpam-heimdal - 3.15-2ubuntu2

---------------
libpam-heimdal (3.15-2ubuntu2) maverick-proposed; urgency=low

  * No-change rebuild to pick up current heimdal libraries in maverick and
    natty. LP: #663319
 -- Steve Langasek <email address hidden> Fri, 26 Aug 2011 12:21:14 -0700

Changed in libpam-heimdal (Ubuntu Maverick):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

maverick-proposed -> natty-updates requires cocoplum access, I'll do that in 35 minutes when maverick-updates has published and LP stops complaining.

Martin Pitt (pitti) wrote :

Copied to natty-updates.

Changed in libpam-heimdal (Ubuntu Natty):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) on 2012-03-14
Changed in heimdal (Ubuntu Maverick):
status: In Progress → Invalid
Changed in heimdal (Ubuntu Natty):
status: In Progress → Invalid
Jeffrey Hutzelman (jhutz) wrote :

That's all very nice, but what about the underlying problem?
The problem is not fixed; it is merely masked. See my comments #6, 7, 8.

Steve Langasek (vorlon) wrote :

We are not going to retroactively go back and change the soname of libasn1.so.8 in SRU for 10.10 and 11.04, and the only package that seems to be affected by this ABI change is an obsolete version of another library from heimdal itself. We could add a Breaks: from the new libasn1-8-heimdal to the old libhx509-4-heimdal, but this wouldn't make anything depending on libhx509-4-heimdal work, it would just force its removal from the system - and possibly in a way that makes upgrades more difficult.

So what do you suggest be changed in heimdal here?
