Ping? This should be a pretty quick one-line bugfix.
Since this appears to be an upstream bug, I've added krb...@mit.edu
to the CC list.
Kyle Moffett wrote:
> At src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108, inside the
> function "krb5_ldap_get_principal()":
>
> If "is_principal_in_realm()" fails, the code does not properly initialize
> the variable "st" (IE: with KRB5_KDB_NOENTRY or something) before calling
> krb5_set_error_message().
>
> This can happen if the realm is "EXAMPLE.COM" and somebody types:
> kinit u...@exmample.com (IE: case is not quite right).
>
> As a result, the krb5_ldap_get_principal() function returns 0 but leaves
> the "client" pointer set to NULL.
>
> When it returns out to src/kdc/do_as_req.c:211, the process_as_req() code
> assumes that it succeeded, and promptly dereferences "client", causing a
> crash.
>
> The fix is to add a single line "st = KRB5_KDB_NOENTRY" into the file
> ldap_principal2.c after this line:
>
> if (is_principal_in_realm(ldap_context, searchfor) != 0) {
>
> Cheers,
> Kyle Moffett
>
> P.S: Out of curiosity, is there some reason why there are not packages
> for krb5-kdc-dbg and krb5-admin-server-dbg, etc? That would make this
> kind of troubleshooting much easier in the future.
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages krb5-kdc depends on:
> ii debconf [debconf-2.0] 1.5.38 Debian configuration management
> sy
> ii krb5-config 2.2 Configuration files for Kerberos
> V
> ii krb5-user 1.9+dfsg-1+debug01 Basic programs to authenticate
> usi
> ii libc6 2.11.2-11 Embedded GNU C Library: Shared
> lib
> ii libcomerr2 1.41.12-2 common error description library
> ii libgssapi-krb5-2 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> k
> ii libgssrpc4 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> G
> ii libk5crypto3 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> C
> ii libkadm5clnt-mit8 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> A
> ii libkadm5srv-mit8 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> K
> ii libkdb5-5 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> K
> ii libkeyutils1 1.4-4 Linux Key Management Utilities
> (li
> ii libkrb5-3 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries
> ii libkrb5support0 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries -
> S
> ii lsb-base 3.2-27 Linux Standard Base 3.2 init
> scrip
>
> krb5-kdc recommends no packages.
>
> Versions of packages krb5-kdc suggests:
> ii krb5-admin-server 1.9+dfsg-1+debug01 MIT Kerberos master server
> (kadmin
> ii krb5-kdc-ldap 1.9+dfsg-1+debug01 MIT Kerberos key server (KDC)
> LDAP
> pn openbsd-inetd | inet- <none> (no description available)
>
> -- debconf information excluded
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers testing
> APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable'), (500,
> 'stabl
> e-updates'), (500, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
