Bug#714086: heimdal-kdc: ipropd-master writes to random filenames in the root directory

2014-08-26 Thread GALAMBOS Daniel
Control: tags -1 + patch

Hi,
Thanks for the workaround, we also needed it.

I studied the related source files, it is caused by a use-after-free in
ipropd_master.c. Upstream fixed it in
https://github.com/heimdal/heimdal/commit/eface6d31f8fd7c02eb0c6bc7e9d76efc0247b9c
. I patched the wheezy source package with this, it solves the problem,
defaults to /var/lib/heimdal-kdc/slaves-stats .

Looking at jessie's package, it should not be affected by this bug.

Dancsa





Bug#714086: heimdal-kdc: ipropd-master writes to random filenames in the root directory

2014-08-26 Thread GALAMBOS Daniel
Sorry, forgot to attach.

On 2014-08-26 13:37, GALAMBOS Daniel wrote:
> . I patched the wheezy source package with this, it solves the problem,
Description: use-after-free error causes random file under /
 ipropd-master creates files with random filenames under the root
 if the slave-status file's path is not passed to the program due to buggy
 default guessing.
 Upstream committed this patch as eface6d31f8fd7c02eb0c6bc7e9d76efc0247b9c
Bug-Debian: https://bugs.debian.org/714086

---

Origin: upstream, https://github.com/heimdal/heimdal/commit/eface6d31f8fd7c02eb0c6bc7e9d76efc0247b9c
Bug-Debian: https://bugs.debian.org/714086
Forwarded: not-needed
Last-Update: 2014-08-26

--- heimdal-1.6~git20120403+dfsg1.orig/lib/kadm5/ipropd_master.c
+++ heimdal-1.6~git20120403+dfsg1/lib/kadm5/ipropd_master.c
@@ -622,26 +622,28 @@ static FILE *
 open_stats(krb5_context context)
 {
 char *statfile = NULL;
-const char *fn;
-int ret;
+const char *fn = NULL;
+FILE *out = NULL;
 
+/*
+ * krb5_config_get_string_default() returs default value as-is,
+ * delay free() of statfile until we're done with fn.
+ */
 if (slave_stats_file)
fn = slave_stats_file;
-else {
-   ret = asprintf(statfile,  %s/slaves-stats, hdb_db_dir(context));
-   if (ret == -1)
-   return NULL;
+else if (asprintf(statfile,  %s/slaves-stats, hdb_db_dir(context)) != -1
+ statfile != NULL)
fn = krb5_config_get_string_default(context,
NULL,
statfile,
kdc,
iprop-stats,
NULL);
+if (fn != NULL)
+   out = fopen(fn, w);
+if (statfile != NULL)
free(statfile);
-}
-if (fn == NULL)
-   return NULL;
-return fopen(fn, w);
+return out;
 }
 
 static void
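
Review bot: on the `else if (asprintf(...) != -1` line, a failed asprintf() leaves the contents of statfile undefined (glibc documents this), so neither the `statfile != NULL` test beside it nor the later `if (statfile != NULL) free(statfile);` can be relied on, and the free may be handed an indeterminate pointer. Reset statfile to NULL when asprintf() returns -1 and gate both the config lookup and the free on that return value. Moving free() after fopen() is the right ordering, since fn can alias statfile when krb5_config_get_string_default() hands the default back as-is. Two smaller points: the new comment should read "returns", and open_stats() now returns NULL for an allocation failure and for an fopen() failure alike with no log line in this function, so a warning carrying fn and errno at the fopen() site would let an operator see why the stats file is missing.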




Bug#714086: heimdal-kdc: ipropd-master writes to random filenames in the root directory

2013-06-25 Thread root
Package: heimdal-kdc
Version: 1.6~git20120403+dfsg1-2
Severity: normal

After upgrading to wheezy, I noticed that /var/lib/heimdal-kdc/slave-stats
was no longer being updated by ipropd-master. Tracing revealed that the
information was now being written to random looking 4-character file names
in the current directory (/) of the process, resulting in file names like:

root@matterhorn:~# ls -lAtr /
total 132
drwxr-xr-x  2 root root  4096 Sep 16  2008 selinux
drwxr-xr-x  2 root root  4096 Jun 18  2010 mnt
drwx------  2 root root 16384 Jun 29  2010 lost+found
drwxr-xr-x  4 root root  4096 Jun 29  2010 media
lrwxrwxrwx  1 root root    11 Jun 29  2010 cdrom -> media/cdrom
drwxr-xr-x  2 root root  4096 Jun 29  2010 srv
drwxr-xr-x  2 root root  4096 Jun 29  2010 opt
drwxr-xr-x  2 root root  4096 Jun 29  2010 old
drwxr-xr-x  2 root root  4096 Jun 29  2010 home
drwxr-xr-x  2 root root  4096 Jun 29  2010 afs
drwxr-xr-x  8 root root  4096 Jan 25 16:54 root
drwxr-xr-x 10 root root  4096 Jun 24 12:04 usr
drwxr-xr-x  2 root root  4096 Jun 24 12:04 lib64
drwxr-xr-x 13 root root 12288 Jun 24 12:13 lib
drwxr-xr-x  2 root root  4096 Jun 24 12:13 bin
drwxr-xr-x  2 root root 12288 Jun 24 12:13 sbin
lrwxrwxrwx  1 root root    26 Jun 24 12:14 vmlinuz -> boot/vmlinuz-3.2.0-4-amd64
lrwxrwxrwx  1 root root    30 Jun 24 12:14 initrd.img -> /boot/initrd.img-3.2.0-4-amd64
-rw-r--r--  1 root root   118 Jun 24 12:19 
-rw-r--r--  1 root root    35 Jun 24 13:40 
dr-xr-xr-x 96 root root 0 Jun 24 13:41 proc
drwxr-xr-x 13 root root 0 Jun 24 13:41 sys
drwxr-xr-x 12 root root  4096 Jun 24 13:41 var
drwxr-xr-x 16 root root  3280 Jun 24 13:41 dev
-rw-r--r--  1 root root   118 Jun 24 13:42 ?+X?
-rw-r--r--  1 root root   258 Jun 24 13:47 ?X?
drwxr-xr-x  3 root root  4096 Jun 24 14:12 boot
-rw-r--r--  1 root root   258 Jun 24 16:17 ?7X?
-rw-r--r--  1 root root   258 Jun 24 16:19 ?@X?
-rw-r--r--  1 root root    35 Jun 24 16:54 ?OX?
drwxr-xr-x 77 root root  4096 Jun 25 09:23 etc
drwxr-xr-x 17 root root   660 Jun 25 13:00 run
drwxrwxrwt  2 root root  4096 Jun 25 15:50 tmp

Setting the path to the slave status file explicitly, via MASTER_PARAMS in
/etc/default/heimdal-kdc, is a way to work around the problem.

It does look like the filename is not properly initialized, unless explicitly 
set.

Thanks,
Arne Nordmark 

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages heimdal-kdc depends on:
ii  debconf [debconf-2.0]             1.5.49
ii  heimdal-clients                   1.6~git20120403+dfsg1-2
ii  krb5-config                       2.3
ii  libasn1-8-heimdal                 1.6~git20120403+dfsg1-2
ii  libc6                             2.13-38
ii  libcap-ng0                        0.6.6-2
ii  libdb5.1                          5.1.29-5
ii  libedit2                          2.11-20080614-5
ii  libgssapi3-heimdal                1.6~git20120403+dfsg1-2
ii  libhcrypto4-heimdal               1.6~git20120403+dfsg1-2
ii  libhdb9-heimdal                   1.6~git20120403+dfsg1-2
ii  libkadm5srv8-heimdal              1.6~git20120403+dfsg1-2
ii  libkdc2-heimdal                   1.6~git20120403+dfsg1-2
ii  libkrb5-26-heimdal                1.6~git20120403+dfsg1-2
ii  libroken18-heimdal                1.6~git20120403+dfsg1-2
ii  libsl0-heimdal                    1.6~git20120403+dfsg1-2
ii  openbsd-inetd [inet-superserver]  0.20091229-2

Versions of packages heimdal-kdc recommends:
ii  logrotate  3.8.1-4

Versions of packages heimdal-kdc suggests:
pn  heimdal-docs  <none>

-- Configuration Files:
/etc/default/heimdal-kdc changed:
KDC_ENABLED=yes
KDC_PARAMS=--config-file=/etc/heimdal-kdc/kdc.conf
KPASSWDD_ENABLED=yes
KPASSWDD_PARAMS=
MASTER_ENABLED=yes
MASTER_PARAMS='--slave-stats-file=/var/lib/heimdal-kdc/slave-stats'
SLAVE_ENABLED=no
SLAVE_PARAMS=


-- debconf information excluded

