Your message dated Tue, 21 Feb 2006 23:47:10 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#351877: fixed in krb5 1.4.3-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libkrb53
Version: 1.4.3-5
Severity: important
Tags: patch

The function krb5_gss_canonicalize_name() is defined in
src/lib/gssapi/krb5/canon_name.c.  It takes a gss_OID as its third
parameter ("mech_type").  Some programs (such as racoon of
ipsec-tools) like to call this function with GSS_C_NO_OID, which is
actually a NULL pointer.

However, the function as defined immediately dereferences the pointer
with the g_OID_equal() function.  This segfaults any program using the
library.  That's bad.

I see two ways that this could be resolved.  I'm providing very simple
(but untested) patches for both of them -- these patches should not
both be applied, of course!

 0) Return GSS_S_BAD_MECH when mech_type == GSS_C_NO_OID (this is the
    rude way, though much less rude than the current segfault)

--- krb5-1.4.3.clean/src/lib/gssapi/krb5/canon_name.c   2002-07-01 16:48:34.000000000 -0400
+++ krb5-1.4.3/src/lib/gssapi/krb5/canon_name.c 2006-02-08 00:41:00.000000000 -0500
@@ -34,8 +34,9 @@
                                     const gss_OID mech_type,
                                     gss_name_t *output_name)
 {
-    if (!g_OID_equal(gss_mech_krb5, mech_type) &&
-       !g_OID_equal(gss_mech_krb5_old, mech_type)) {
+    if ((GSS_C_NO_OID == mech_type) || (
+       !g_OID_equal(gss_mech_krb5, mech_type) &&
+       !g_OID_equal(gss_mech_krb5_old, mech_type))) {
        *minor_status = 0;
        return(GSS_S_BAD_MECH);
     }
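Review bot: the extra pair of parentheses wrapping the two g_OID_equal() calls makes the combined condition hard to read; an early return placed before the existing test, e.g. `if (mech_type == GSS_C_NO_OID) { *minor_status = 0; return GSS_S_BAD_MECH; }`, expresses the same logic and leaves the original two-line condition untouched. Note also that this variant turns a deliberate GSS_C_NO_OID from a caller such as racoon into a hard failure instead of a crash, which is why the report itself prefers the second patch.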





 1) Since this gssapi module only supports a single non-deprecated
    mechanism (gss_mech_krb5), default to that if GSS_C_NO_OID is
    passed in.  (this is the polite way, and possibly more in line
    with the default behavior of, say, gss_import_name).

--- krb5-1.4.3.clean/src/lib/gssapi/krb5/canon_name.c   2002-07-01 16:48:34.000000000 -0400
+++ krb5-1.4.3/src/lib/gssapi/krb5/canon_name.c 2006-02-08 00:43:33.000000000 -0500
@@ -34,6 +34,9 @@
                                     const gss_OID mech_type,
                                     gss_name_t *output_name)
 {
+    /* default to using the standard krb5 mechanism type: */
+    if (GSS_C_NO_OID == mech_type) mech_type = gss_mech_krb5;
+
     if (!g_OID_equal(gss_mech_krb5, mech_type) &&
        !g_OID_equal(gss_mech_krb5_old, mech_type)) {
        *minor_status = 0;
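Review bot: the added line `if (GSS_C_NO_OID == mech_type) mech_type = gss_mech_krb5;` will not compile as written, because the context lines declare the parameter as `const gss_OID mech_type` and gss_OID is a pointer typedef, so the parameter is a const pointer and cannot be reassigned (the report does say the patches are untested). Copy it into a local first, e.g. `gss_OID mech = mech_type;`, apply the default to the local, and use the local in the two g_OID_equal() comparisons that follow.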



But at least one of these fixes needs to be applied.  Segfaulting in a
library function given semi-reasonable input is pretty bad.  This
appears to be a problem in version 1.3.6 (sarge) as well.  I'd
personally prefer what I'm calling the "polite" fix, because it
comes closer to following Postel's Law.

A third option might be to change the #definition of g_OID_equal (in
src/lib/gssapi/generic/gssapiP_generic.h) to test for GSS_C_NO_OID as
a special case first to avoid dereferencing the NULL pointer ever in
that macro.

Note that this is not a newly-discovered bug.  It was reported at
least back in April 2004 [0], and was brought up again in December
2005 [1], without any followup that I can see.

Let me know if I can provide more information to help resolve this
problem.  And thanks, as always, for your work in keeping this
important piece of infrastructure running in Debian.

Regards,

        --dkg


[0] http://mailman.mit.edu/pipermail/kerberos/2004-April/005125.html
[1] http://www.mail-archive.com/[email protected]/msg09580.html


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libkrb53 depends on:
ii  libc6         2.3.5-8                    GNU C Library: Shared libraries an
ii  libcomerr2    1.38+1.39-WIP-2005.12.31-1 common error description library

libkrb53 recommends no packages.

-- no debconf information


--- End Message ---
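As an added example (not code from krb5 or from the report above), the mechanism check at the top of krb5_gss_canonicalize_name() modelled stand-alone in C, showing the report's "polite" default for GSS_C_NO_OID together with its third option, a g_OID_equal() that tests for GSS_C_NO_OID before dereferencing. The function name canonicalize_mech_check and the minimal type definitions are assumptions made for this example; the OID byte values are the standard DER encodings of the krb5 and krb5-old mechanism OIDs.

```c
/* Stand-alone model of the krb5_gss_canonicalize_name() mechanism check.
 * Type and macro names mirror the GSS-API headers; the rest is assumed. */
#include <stddef.h>
#include <string.h>

typedef unsigned int OM_uint32;
typedef struct { OM_uint32 length; void *elements; } gss_OID_desc, *gss_OID;
#define GSS_C_NO_OID    ((gss_OID) 0)
#define GSS_S_COMPLETE  0u
#define GSS_S_BAD_MECH  (1u << 16)   /* routine-error bit position as in gssapi.h */

/* DER encodings of 1.2.840.113554.1.2.2 (krb5) and 1.3.5.1.5.2 (krb5-old) */
static gss_OID_desc krb5_oid     = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
static gss_OID_desc krb5_old_oid = { 5, "\x2b\x05\x01\x05\x02" };
static const gss_OID gss_mech_krb5     = &krb5_oid;
static const gss_OID gss_mech_krb5_old = &krb5_old_oid;

/* Shape of the original macro: dereferences both operands unconditionally,
 * which is the NULL dereference the report describes. */
#define g_OID_equal_unsafe(o1, o2) \
    (((o1)->length == (o2)->length) && \
     (memcmp((o1)->elements, (o2)->elements, (o1)->length) == 0))

/* The report's "third option": GSS_C_NO_OID is handled before any deref;
 * two NULLs compare equal, NULL never equals a real OID. */
#define g_OID_equal(o1, o2) \
    (((o1) == GSS_C_NO_OID || (o2) == GSS_C_NO_OID) ? ((o1) == (o2)) : \
     g_OID_equal_unsafe(o1, o2))

/* The "polite" fix: GSS_C_NO_OID means "use the default mechanism".
 * gss_OID is a pointer typedef, so a "const gss_OID" parameter is a const
 * pointer; the default is therefore applied to a local copy. */
OM_uint32 canonicalize_mech_check(OM_uint32 *minor_status, const gss_OID mech_type)
{
    gss_OID mech = mech_type;
    if (mech == GSS_C_NO_OID)
        mech = gss_mech_krb5;
    if (!g_OID_equal(gss_mech_krb5, mech) &&
        !g_OID_equal(gss_mech_krb5_old, mech)) {
        *minor_status = 0;
        return GSS_S_BAD_MECH;   /* unknown mechanism: reject, do not crash */
    }
    *minor_status = 0;
    return GSS_S_COMPLETE;       /* caller would go on to canonicalize */
}
```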
--- Begin Message ---
Source: krb5
Source-Version: 1.4.3-6

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:

krb5-admin-server_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-admin-server_1.4.3-6_i386.deb
krb5-clients_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-clients_1.4.3-6_i386.deb
krb5-doc_1.4.3-6_all.deb
  to pool/main/k/krb5/krb5-doc_1.4.3-6_all.deb
krb5-ftpd_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-ftpd_1.4.3-6_i386.deb
krb5-kdc_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-kdc_1.4.3-6_i386.deb
krb5-rsh-server_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-rsh-server_1.4.3-6_i386.deb
krb5-telnetd_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-telnetd_1.4.3-6_i386.deb
krb5-user_1.4.3-6_i386.deb
  to pool/main/k/krb5/krb5-user_1.4.3-6_i386.deb
krb5_1.4.3-6.diff.gz
  to pool/main/k/krb5/krb5_1.4.3-6.diff.gz
krb5_1.4.3-6.dsc
  to pool/main/k/krb5/krb5_1.4.3-6.dsc
libkadm55_1.4.3-6_i386.deb
  to pool/main/k/krb5/libkadm55_1.4.3-6_i386.deb
libkrb5-dev_1.4.3-6_i386.deb
  to pool/main/k/krb5/libkrb5-dev_1.4.3-6_i386.deb
libkrb53_1.4.3-6_i386.deb
  to pool/main/k/krb5/libkrb53_1.4.3-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <[EMAIL PROTECTED]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.7
Date: Tue, 21 Feb 2006 23:25:34 -0800
Source: krb5
Binary: krb5-doc libkrb5-dev krb5-rsh-server krb5-user krb5-ftpd libkadm55 libkrb53 krb5-clients krb5-telnetd krb5-kdc krb5-admin-server
Architecture: source i386 all
Version: 1.4.3-6
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <[EMAIL PROTECTED]>
Changed-By: Russ Allbery <[EMAIL PROTECTED]>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
 krb5-doc   - Documentation for MIT Kerberos
 krb5-ftpd  - Secure FTP server supporting MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos
 krb5-telnetd - Secure telnet server supporting MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libkadm55  - MIT Kerberos administration runtime libraries
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb53   - MIT Kerberos runtime libraries
Closes: 347643 350041 351877
Changes: 
 krb5 (1.4.3-6) unstable; urgency=low
 .
   * Assume krb5 in krb5_gss_canonicalize_name if the null mechanism is
     passed in.  Fixes a segfault in racoon from ipsec-tools.  Thanks,
     Daniel Kahn Gillmor.  (Closes: #351877)
   * v5passwdd is gone, so remove the debconf template, the prompts, and
     the code to start and stop it from the init script.  Thanks, Greg
     Folkert.
   * Fix incorrect option names in krb5.conf(5).  Thanks, Martin v.
     Loewis.  (Closes: #347643)
   * Translation updates.
     - Danish, thanks Claus Hindsgaul.  (Closes: #350041)
Files: 



--- End Message ---
