Bug#928039: sudo: segfault/core dump after a plugin init fails
Package: sudo
Version: 1.8.19p1-2.1
Severity: important
Tags: patch

Dear Maintainer,

When sssd is in use, and a configured I/O plugin fails to initialize, sudo segfaults/dumps core with a use-after-free and/or double-free violation. This is caused by sudo_sss_close() being called multiple times (via various code paths, e.g. sudoers_policy_check -> sudoers_policy_main -> sudo_sss_close; or policy_check -> sudo_fatalx_nodebug_v1 -> do_cleanup -> sudoers_cleanup), which frees nss->handle but does not set the pointer to NULL.

Output is as follows:

$ sudo -i
sudo: error initializing I/O plugin ngcp_plugin
*** Error in `sudo': double free or corruption (!prev): 0x560e35fda750 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f1d2fc15bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f1d2fc1bfc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f1d2fc1c80e]
/usr/lib/sudo/sudoers.so(+0x20bcd)[0x7f1d2e090bcd]
/usr/lib/sudo/sudoers.so(+0x1a7f6)[0x7f1d2e08a7f6]
/usr/lib/sudo/libsudo_util.so.0(+0x4e6d)[0x7f1d3014ce6d]
/usr/lib/sudo/libsudo_util.so.0(sudo_fatalx_nodebug_v1+0xa3)[0x7f1d3014d2b3]
sudo(+0x5521)[0x560e345f6521]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f1d2fbc52e1]
sudo(+0x671a)[0x560e345f771a]

Valgrind reports:

# valgrind ./sudo -i
==45182== Memcheck, a memory error detector
==45182== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==45182== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==45182== Command: ./sudo -i
==45182==
sudo: error initializing I/O plugin ngcp_plugin
==45182== Invalid read of size 8
==45182==    at 0x6F36BBB: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328aa0 is 32 bytes inside a block of size 80 free'd
==45182==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36BCC: sudo_sss_close (sssd.c:483)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2BBAF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x6F36C50: sudo_sss_open (sssd.c:388)
==45182==    by 0x6F3108B: sudoers_policy_init (sudoers.c:192)
==45182==    by 0x6F2BEC6: sudoers_policy_open (policy.c:679)
==45182==    by 0x10D073: policy_open (sudo.c:1283)
==45182==    by 0x10D073: main (sudo.c:225)
==45182==
==45182== Invalid read of size 1
==45182==    at 0x4015571: _dl_close (dl-close.c:817)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F307F5: sudoers_cleanup (sudoers.c:1193)
==45182==    by 0x548FE6C: do_cleanup (fatal.c:61)
==45182==    by 0x54902B2: sudo_fatalx_nodebug_v1 (fatal.c:86)
==45182==    by 0x10D520: policy_check (sudo.c:1333)
==45182==    by 0x10D520: main (sudo.c:261)
==45182==  Address 0x6328f54 is 980 bytes inside a block of size 1,209 free'd
==45182==    at 0x4C2CDDB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x4014D95: _dl_close_worker (dl-close.c:747)
==45182==    by 0x401558D: _dl_close (dl-close.c:840)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FFDE: dlclose (dlclose.c:46)
==45182==    by 0x6F36BC3: sudo_sss_close (sssd.c:482)
==45182==    by 0x6F3282A: sudoers_policy_main (sudoers.c:528)
==45182==    by 0x6F2B9EE: sudoers_policy_check (policy.c:754)
==45182==    by 0x10CED1: policy_check (sudo.c:1337)
==45182==    by 0x10CED1: main (sudo.c:261)
==45182==  Block was alloc'd at
==45182==    at 0x4C2DBC5: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==45182==    by 0x400B215: _dl_new_object (dl-object.c:75)
==45182==    by 0x400587C: _dl_map_object_from_fd (dl-load.c:1000)
==45182==    by 0x400874B: _dl_map_object (dl-load.c:2470)
==45182==    by 0x4013B13: dl_open_worker (dl-open.c:237)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x4013608: _dl_open (dl-open.c:660)
==45182==    by 0x569FEE8: dlopen_doit (dlopen.c:66)
==45182==    by 0x400F643: _dl_catch_error (dl-error.c:187)
==45182==    by 0x56A0530: _dlerror_run (dlerror.c:163)
==45182==    by 0x569FF81: dlopen@@GLIBC_2.2.5 (dlopen.c:87)
==45182==    by 0x6F36C6D: sudo_sss_open (sssd.c:395)
==45182==
...

Patch is as follows:

--- sudo-1.8.19p1.orig/plugins/sudoers/sssd.c
+++ sudo-1.8.19p1/plugins/sudoers/sssd.c
@@ -48
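As an added example (not sudo's code and not the patch from this report), the C model below reproduces the shape of the bug the report describes and the idempotent close that avoids it: sudo_sss_open() allocates a handle that wraps a dlopen()ed library, and a close routine that releases the handle without clearing nss->handle is reached twice, once from sudoers_policy_main and once from the fatal-error cleanup path. The struct names sss_handle and sudo_nss, the functions sss_open, sss_close_buggy and sss_close_fixed, and the quarantine allocator are all constructed for the illustration; the library handle is modelled as a second tracked allocation so the program stays deterministic instead of invoking undefined behaviour the way the real double free does.

```c
/*
 * Added illustration, not sudo's code: model of the sudo_sss_close()
 * double free from the report.  Struct and function names are assumed.
 * Build: cc -Wall -o sss_model sss_model.c && ./sss_model
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 8

/* Quarantine allocator: a freed block is only marked, never handed back to
 * libc, so a read after free or a second free is observable, not UB. */
static struct { void *p; int freed; } tracked[MAX_TRACKED];
static int double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked[i].p == NULL) {
            tracked[i].p = p;
            tracked[i].freed = 0;
            return p;
        }
    }
    free(p);
    return NULL;
}

/* Returns 0 for a first free, -1 for a double free (counted) or a stray pointer. */
static int tracked_free(void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked[i].p != p)
            continue;
        if (tracked[i].freed) {
            double_frees++;
            return -1;
        }
        tracked[i].freed = 1;
        return 0;
    }
    return -1;
}

static void tracked_reset(void)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        free(tracked[i].p);
        tracked[i].p = NULL;
        tracked[i].freed = 0;
    }
    double_frees = 0;
}

struct sss_handle { void *ssslib; };              /* models struct sudo_sss_handle */
struct sudo_nss   { struct sss_handle *handle; }; /* models the sudoers nss entry */

/* Models sudo_sss_open(): allocate the handle, then "dlopen" the library. */
static int sss_open(struct sudo_nss *nss)
{
    struct sss_handle *h = tracked_alloc(sizeof *h);
    if (h == NULL)
        return -1;
    h->ssslib = tracked_alloc(64);   /* stands in for dlopen("libsss_sudo.so") */
    if (h->ssslib == NULL)
        return -1;
    nss->handle = h;
    return 0;
}

/* Shape of the reported bug: the handle is released but nss->handle still
 * points at it, so the next caller reads freed memory and frees it again. */
static int sss_close_buggy(struct sudo_nss *nss)
{
    if (nss->handle != NULL) {
        tracked_free(nss->handle->ssslib);  /* dlclose() */
        tracked_free(nss->handle);
    }
    return 0;
}

/* Idempotent variant: clear the pointer so every later call is a no-op. */
static int sss_close_fixed(struct sudo_nss *nss)
{
    if (nss->handle != NULL) {
        tracked_free(nss->handle->ssslib);
        tracked_free(nss->handle);
        nss->handle = NULL;
    }
    return 0;
}

/* Open once, close twice (the two code paths in the report) and return how
 * many double frees the quarantine allocator caught. */
int double_frees_after_two_closes(int use_fixed)
{
    struct sudo_nss nss = { NULL };
    int (*closefn)(struct sudo_nss *) = use_fixed ? sss_close_fixed : sss_close_buggy;

    tracked_reset();
    if (sss_open(&nss) != 0)
        return -1;
    closefn(&nss);   /* sudoers_policy_main -> sudo_sss_close */
    closefn(&nss);   /* sudo_fatalx -> do_cleanup -> sudoers_cleanup -> sudo_sss_close */
    return double_frees;
}

int main(void)
{
    printf("buggy close called twice: %d double free(s)\n", double_frees_after_two_closes(0));
    printf("fixed close called twice: %d double free(s)\n", double_frees_after_two_closes(1));
    return 0;
}
```

Under Valgrind or ASan the real binary aborts on the second close, as the report's backtrace shows; the quarantine allocator instead counts the second release of each block, so the two variants can be compared in one run (two double frees for the buggy close, none for the fixed one). The pattern the report points at is the general one for cleanup routines reachable from more than one path: clear the owning pointer immediately after releasing it, so any later caller finds NULL and returns.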
Bug#654781: iceweasel: Certain plugins (e.g. Flash) fail to work when Iceweasel is started from within Icedove
Package: iceweasel
Version: 10.0~b2-1
Severity: important
Tags: patch

Dear Maintainer,

When I follow a web link in Icedove and Iceweasel isn't running yet, Iceweasel will start and load the requested page. However, this instance of Iceweasel will then have a non-functional Flash plugin. Loading a page with an embedded Flash element (in any window, any tab) will cause Iceweasel to freeze up for >30 seconds and finally proceed loading the page without showing the Flash element. This also happens after closing Icedove. Closing Iceweasel, restarting it manually (e.g. from the menu) and reloading the same page (then, even if it's loaded by following the link in Icedove, just like before) results in a working Flash once again.

My version of Icedove is 3.1.16-1.

This bug is a result of library interference between Icedove and Iceweasel, so I'm not sure if it should be reported for Icedove instead. However, since I'm seeing the effect in Iceweasel, I'm reporting it here for now. Also, this isn't specific to Flash; other plugins are likely to be affected as well.

It's caused by Icedove setting LD_LIBRARY_PATH to its own directory in /usr/lib/icedove/run-mozilla.sh and not clearing the variable when launching external programs. Since Iceweasel partially uses libraries with the same names, it ends up loading the wrong ones (the ones from the Icedove directory), which causes the symptoms.

Workaround for me is to edit /usr/lib/iceweasel/iceweasel and add "export LD_LIBRARY_PATH=" as the first executed line. Alternatively, Icedove could clear this variable before launching other programs.
-- Package-specific info:

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils         4.1
ii  fontconfig          2.8.0-3
ii  libc6               2.13-24
ii  libgdk-pixbuf2.0-0  2.24.0-2
ii  libglib2.0-0        2.30.2-4
ii  libgtk2.0-0         2.24.8-2
ii  libnspr4-0d         4.8.9-1
ii  libstdc++6          4.6.2-9
ii  procps              1:3.3.1-1
ii  xulrunner-10.0      10.0~b2-1

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  libgssapi-krb5-2                        1.10+dfsg~alpha2-1
ii  mathematica-fonts [ttf-mathematica4.1]  13
ii  mozplugger
ii  ttf-lyx                                 2.0.2-1
ii  ttf-mathematica4.1                      13
ii  xfonts-mathml                           4

Versions of packages xulrunner-10.0 depends on:
ii  libasound2                1.0.24.1-4
ii  libatk1.0-0               2.2.0-2
ii  libbz2-1.0                1.0.6-1
ii  libc6                     2.13-24
ii  libcairo2                 1.10.2-6.2
ii  libdbus-1-3               1.4.16-1
ii  libdbus-glib-1-2          0.98-1
ii  libevent-2.0-5            2.0.16-stable-1
ii  libfontconfig1            2.8.0-3
ii  libfreetype6              2.4.8-1
ii  libgcc1                   1:4.6.2-9
ii  libgdk-pixbuf2.0-0        2.24.0-2
ii  libglib2.0-0              2.30.2-4
ii  libgtk2.0-0               2.24.8-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libjpeg8                  8c-2
ii  libmozjs10d               10.0~b2-1
ii  libnotify4                0.7.4-1
ii  libnspr4-0d               4.8.9-1
ii  libnss3-1d                3.13.1.with.ckbi.1.88-1
ii  libpango1.0-0             1.29.4-2
ii  libpixman-1-0             0.24.0-1
ii  libreadline6              6.2-8
ii  libsqlite3-0              3.7.9-2
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.6.2-9
ii  libvpx0                   0.9.7.p1-2
ii  libx11-6                  2:1.4.4-4
ii  libxext6                  2:1.3.0-3
ii  libxrender1               1:0.9.6-2
ii  libxt6                    1:1.1.1-2
ii  zlib1g                    1:1.2.3.4.dfsg-3

Versions of packages xulrunner-10.0 suggests:
ii  libcanberra0  0.28-3
ii  libgnomeui-0  2.24.5-2

-- no debconf information
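The leak the report describes, as an added example that is not part of the bug report and not Icedove's run-mozilla.sh: a launcher wrapper that needs a private library directory for its own binary but must not pass that LD_LIBRARY_PATH on to external programs it spawns, such as the handler for a clicked web link. APP_LIBDIR is an assumed path, and the external program is modelled by a fresh sh that reports what it inherited, so the two launch shapes can be compared offline.

```sh
#!/bin/sh
# Added example, not part of the bug report or of Icedove's run-mozilla.sh.
# APP_LIBDIR is an assumed private library directory; the "external program"
# is a fresh sh that prints the LD_LIBRARY_PATH it inherited, or "unset".

APP_LIBDIR="/usr/lib/example-app"

# What the spawned external program sees.
external_program() {
    sh -c 'printf "%s" "${LD_LIBRARY_PATH-unset}"'
}

# Leaky shape from the report: export the private directory for the
# launcher's own binary, then spawn the external program with it still set,
# so the child's dynamic loader resolves same-named libraries from APP_LIBDIR.
leaky_launch() {
    (
        LD_LIBRARY_PATH="$APP_LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
        export LD_LIBRARY_PATH
        # ... the launcher's own binary would run here ...
        external_program
    )
}

# Fixed shape: remember whether the caller had the variable and its value,
# use the private directory only for our own binary, then put the caller's
# environment back (restore, or unset if it was never set) before spawning
# anything external.  Restoring rather than blanking keeps a caller's own
# LD_LIBRARY_PATH intact.
safe_launch() {
    (
        caller_had_ld_path=${LD_LIBRARY_PATH+yes}
        caller_ld_path=$LD_LIBRARY_PATH
        LD_LIBRARY_PATH="$APP_LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
        export LD_LIBRARY_PATH
        # ... the launcher's own binary would run here ...
        if [ -n "$caller_had_ld_path" ]; then
            LD_LIBRARY_PATH=$caller_ld_path
        else
            unset LD_LIBRARY_PATH
        fi
        external_program
    )
}

# Demo: show what the external program inherits in each case.
printf 'leaky launch, child sees: %s\n' "$(leaky_launch)"
printf 'safe launch,  child sees: %s\n' "$(safe_launch)"
```

When the wrapper has no reason to preserve anything, `env -u LD_LIBRARY_PATH prog` (GNU coreutils env) on the spawn line is the one-liner equivalent of the report's "clear this variable before launching other programs"; the restore-or-unset form above is for wrappers that are themselves launched with a caller-supplied LD_LIBRARY_PATH that the external program should still see.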