Package: libkrb53
Version: 1.4.3-5
Severity: important
Tags: patch
The function krb5_gss_canonicalize_name() is defined in
src/lib/gssapi/krb5/canon_name.c. It takes a gss_OID as its third
parameter ("mech_type"). Some programs (such as racoon of
ipsec-tools) like to call this function with GSS_C_NO_OID, which is
actually a NULL pointer.
However, the function as defined immediately dereferences the pointer
with the g_OID_equal() function. This segfaults any program using the
library. That's bad.
I see two ways that this could be resolved. I'm providing very simple
(but untested) patches for both of them -- these patches should not
both be applied, of course!
0) Return GSS_S_BAD_MECH when mech_type == GSS_C_NO_OID (this is the
rude way, though much less rude than the current segfault)
--- krb5-1.4.3.clean/src/lib/gssapi/krb5/canon_name.c 2002-07-01
16:48:34.000000000 -0400
+++ krb5-1.4.3/src/lib/gssapi/krb5/canon_name.c 2006-02-08 00:41:00.000000000
-0500
@@ -34,8 +34,9 @@
const gss_OID mech_type,
gss_name_t *output_name)
{
- if (!g_OID_equal(gss_mech_krb5, mech_type) &&
- !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+ if ((GSS_C_NO_OID == mech_type) || (
+ !g_OID_equal(gss_mech_krb5, mech_type) &&
+ !g_OID_equal(gss_mech_krb5_old, mech_type))) {
*minor_status = 0;
return(GSS_S_BAD_MECH);
}
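Review bot: the `GSS_C_NO_OID == mech_type` test is placed first, so `||` short-circuits and neither g_OID_equal() call ever dereferences the NULL pointer; that part is correct. The behavioural cost is that a caller passing GSS_C_NO_OID (racoon, per the report) now gets GSS_S_BAD_MECH instead of a usable name, so if this variant is taken the function's header comment should state that a mechanism OID is mandatory. The extra parentheses around `(GSS_C_NO_OID == mech_type)` and the wrapping `( ... )` group are redundant and could be dropped.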
1) Since this gssapi module only supports a single non-deprecated
mechanism (gss_mech_krb5), default to that if GSS_C_NO_OID is
passed in. (This is the polite way, and possibly more in line
with the default behavior of, say, gss_import_name.)
--- krb5-1.4.3.clean/src/lib/gssapi/krb5/canon_name.c 2002-07-01
16:48:34.000000000 -0400
+++ krb5-1.4.3/src/lib/gssapi/krb5/canon_name.c 2006-02-08 00:43:33.000000000
-0500
@@ -34,6 +34,9 @@
const gss_OID mech_type,
gss_name_t *output_name)
{
+ /* default to using the standard krb5 mechanism type: */
+ if (GSS_C_NO_OID == mech_type) mech_type = gss_mech_krb5;
+
if (!g_OID_equal(gss_mech_krb5, mech_type) &&
!g_OID_equal(gss_mech_krb5_old, mech_type)) {
*minor_status = 0;
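Review bot: `mech_type = gss_mech_krb5;` assigns to a parameter declared `const gss_OID mech_type` (see the context line above); since gss_OID is a pointer typedef, that `const` makes the pointer itself read-only, so this hunk will not compile as written (the report does say the patches are untested). Suggest copying into a local instead, e.g. `gss_OID mech = (mech_type == GSS_C_NO_OID) ? gss_mech_krb5 : mech_type;` (with whatever const qualification gss_mech_krb5's declaration requires) and passing `mech` to the two g_OID_equal() calls; the `@@ -34,6 +34,9 @@` header remains accurate since three added lines are still needed.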
But at least one of these fixes needs to be applied. Segfaulting in a
library function given semi-reasonable input is pretty bad. This
appears to be a problem in version 1.3.6 (sarge) as well. I'd
personally prefer what I'm calling the "polite" fix, because it
comes closer to following Postel's Law.
A third option might be to change the #definition of g_OID_equal (in
src/lib/gssapi/generic/gssapiP_generic.h) to test for GSS_C_NO_OID as
a special case first to avoid dereferencing the NULL pointer ever in
that macro.
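The third option above, illustrated as an added example that is not part of this report or of MIT krb5: a NULL-safe OID comparison that checks for GSS_C_NO_OID before touching either pointer, beside the unconditional-dereference form the report describes. The gss_OID types are minimal stand-ins constructed here so the file builds without gssapi.h, and the sample OID byte strings are constructed here as well.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the GSS-API types from gssapi.h, so this file
 * builds without the krb5 headers. GSS_C_NO_OID is a NULL gss_OID, as in
 * the report. */
typedef unsigned int OM_uint32;
typedef struct gss_OID_desc_struct {
    OM_uint32 length;
    void *elements;
} gss_OID_desc, *gss_OID;
#define GSS_C_NO_OID ((gss_OID)0)

/* Comparison in the style the report describes: both operands are
 * dereferenced unconditionally, so GSS_C_NO_OID crashes the caller. */
#define UNSAFE_OID_EQUAL(o1, o2) \
    (((o1)->length == (o2)->length) && \
     (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))

/* NULL-safe variant: the GSS_C_NO_OID test comes first and short-circuits,
 * so neither pointer is dereferenced when one is NULL. Two NULLs compare
 * equal; NULL against a real OID compares unequal. */
static int oid_equal_safe(const gss_OID o1, const gss_OID o2)
{
    if (o1 == GSS_C_NO_OID || o2 == GSS_C_NO_OID)
        return o1 == o2;
    return o1->length == o2->length &&
           memcmp(o1->elements, o2->elements, o1->length) == 0;
}

/* Sample mechanism OIDs, constructed here: DER arcs of 1.2.840.113554.1.2.2
 * (krb5), 1.3.5.1.5.2 (the older krb5 OID) and 1.3.6.1.5.5.2 (SPNEGO,
 * used only as an "unsupported" value). */
static gss_OID_desc krb5_mech     = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
static gss_OID_desc krb5_mech_old = { 5, "\x2b\x05\x01\x05\x02" };
static gss_OID_desc spnego_mech   = { 6, "\x2b\x06\x01\x05\x05\x02" };

/* Mirrors the mechanism check in canon_name.c using the safe comparison:
 * returns 1 when mech_type is one of the two supported OIDs, 0 otherwise
 * (the GSS_S_BAD_MECH path). GSS_C_NO_OID now yields 0 instead of a
 * segfault. */
static int mech_is_supported(const gss_OID mech_type)
{
    return oid_equal_safe(&krb5_mech, mech_type) ||
           oid_equal_safe(&krb5_mech_old, mech_type);
}
```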
Note that this is not a newly-discovered bug. It was reported at
least back in April 2004 [0], and was brought up again in December
2005 [1], without any followup that I can see.
Let me know if I can provide more information to help resolve this
problem. And thanks, as always, for your work in keeping this
important piece of infrastructure running in Debian.
Regards,
--dkg
[0] http://mailman.mit.edu/pipermail/kerberos/2004-April/005125.html
[1] http://www.mail-archive.com/[email protected]/msg09580.html
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages libkrb53 depends on:
ii libc6 2.3.5-8 GNU C Library: Shared libraries an
ii libcomerr2 1.38+1.39-WIP-2005.12.31-1 common error description library
libkrb53 recommends no packages.
-- no debconf information