Bug#934043: marked as done (segfaults with use-after-free when using KrbServiceName Any)
Your message dated Sat, 09 Nov 2019 20:35:04 + with message-id and subject line Bug#934043: fixed in libapache-mod-auth-kerb 5.4-2.4~deb10u1 has caused the Debian Bug report #934043, regarding segfaults with use-after-free when using KrbServiceName Any to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 934043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934043 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: libapache2-mod-auth-kerb Version: 5.4-2.3 Severity: grave Tags: patch upstream Hi, After upgrading to buster, mod_auth_kerb keeps on crashing Apache (thus the grave severity), after printing double free or corruption (out) This is indeed a use-after-free; verify_krb5_user gets in a keytab as a parameter, and chooses to deallocate it even though the parent expects to keep using it. I don't know why this didn't trigger as often in stretch, although we've certainly seen mod_auth_kerb segfaults there as well (especially with outdated keytabs). The patch is trivial and can be found in upstream's bug tracker; just don't deallocate the keytab in verify_krb5_user(): https://sourceforge.net/p/modauthkerb/bugs/61/ This is not a leak, since the parent closes it inself, in all paths. I've verified that it applies in Debian (just some changed line numbers) and fixes the issue. Please consider for a buster point release, in addition to unstable. It makes mod_auth_kerb borderline unusable. -- System Information: Debian Release: 10.0 APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.1.11 (SMP w/40 CPU cores) Kernel taint flags: TAINT_OOT_MODULE Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libapache2-mod-auth-kerb depends on: ii apache2-bin [apache2-api-20120211] 2.4.38-3 ii krb5-config 2.6 ii libc6 2.28-10 pn libcomerr2 ii libgssapi-krb5-21.17-3 ii libk5crypto31.17-3 ii libkrb5-3 1.17-3 libapache2-mod-auth-kerb recommends no packages. libapache2-mod-auth-kerb suggests no packages. --- End Message --- --- Begin Message --- Source: libapache-mod-auth-kerb Source-Version: 5.4-2.4~deb10u1 We believe that the bug you reported is fixed in the latest version of libapache-mod-auth-kerb, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 934...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Paul Wise (supplier of updated libapache-mod-auth-kerb package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 27 Oct 2019 13:58:04 +0800 Source: libapache-mod-auth-kerb Architecture: source Version: 5.4-2.4~deb10u1 Distribution: buster Urgency: medium Maintainer: Ghe Rivero Changed-By: Paul Wise Closes: 934043 Changes: libapache-mod-auth-kerb (5.4-2.4~deb10u1) buster; urgency=medium . * Rebuild for buster . libapache-mod-auth-kerb (5.4-2.4) unstable; urgency=medium . * Non-maintainer upload. * Apply patch from upstream issue tracker to fix crash (Closes: #934043) Checksums-Sha1: 8cf6b1e0ea6c21f5c3e384118bc8b46d5407014f 1881 libapache-mod-auth-kerb_5.4-2.4~deb10u1.dsc 0d9f4c45c7d9289380dc5db0f3ec9a33fd36f307 51231 libapache-mod-auth-kerb_5.4-2.4~deb10u1.diff.gz c20360cc9eeff357932c3fa9b89567785c158ebd 7002 libapache-mod-auth-kerb_5.4-2.4~deb10u1_amd64.buildinfo Checksums-Sha256: bec82352aaa830f19ab4e60e7fd228b1dabb73bc6d06181c5bf498b7157ce856 1881 libapache-mod-auth-kerb_5.4-2.4~deb10u1.dsc 277ed7a264c281a5266453c8525a830c1aebdb928c48cd267a679fe5d662b994 51231 libapache-mod-auth-kerb_5.4-2.4~deb10u1.diff.gz 9f8fceda02483eae3742b065d4fed4cb6572684362e69217bbc63ce081045575 7002 libapache-mod-auth-kerb_5.4-2.4~deb10u1_amd64.buildinfo Files: 5b4681cd754932cb4730a32913094162 1881 net
Bug#934043: marked as done (segfaults with use-after-free when using KrbServiceName Any)
Your message dated Mon, 21 Oct 2019 03:34:18 + with message-id and subject line Bug#934043: fixed in libapache-mod-auth-kerb 5.4-2.4 has caused the Debian Bug report #934043, regarding segfaults with use-after-free when using KrbServiceName Any to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 934043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934043 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems --- Begin Message --- Package: libapache2-mod-auth-kerb Version: 5.4-2.3 Severity: grave Tags: patch upstream Hi, After upgrading to buster, mod_auth_kerb keeps on crashing Apache (thus the grave severity), after printing double free or corruption (out) This is indeed a use-after-free; verify_krb5_user gets in a keytab as a parameter, and chooses to deallocate it even though the parent expects to keep using it. I don't know why this didn't trigger as often in stretch, although we've certainly seen mod_auth_kerb segfaults there as well (especially with outdated keytabs). The patch is trivial and can be found in upstream's bug tracker; just don't deallocate the keytab in verify_krb5_user(): https://sourceforge.net/p/modauthkerb/bugs/61/ This is not a leak, since the parent closes it inself, in all paths. I've verified that it applies in Debian (just some changed line numbers) and fixes the issue. Please consider for a buster point release, in addition to unstable. It makes mod_auth_kerb borderline unusable. -- System Information: Debian Release: 10.0 APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.1.11 (SMP w/40 CPU cores) Kernel taint flags: TAINT_OOT_MODULE Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libapache2-mod-auth-kerb depends on: ii apache2-bin [apache2-api-20120211] 2.4.38-3 ii krb5-config 2.6 ii libc6 2.28-10 pn libcomerr2 ii libgssapi-krb5-21.17-3 ii libk5crypto31.17-3 ii libkrb5-3 1.17-3 libapache2-mod-auth-kerb recommends no packages. libapache2-mod-auth-kerb suggests no packages. --- End Message --- --- Begin Message --- Source: libapache-mod-auth-kerb Source-Version: 5.4-2.4 We believe that the bug you reported is fixed in the latest version of libapache-mod-auth-kerb, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 934...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Paul Wise (supplier of updated libapache-mod-auth-kerb package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Mon, 21 Oct 2019 11:15:20 +0800 Source: libapache-mod-auth-kerb Architecture: source Version: 5.4-2.4 Distribution: unstable Urgency: medium Maintainer: Ghe Rivero Changed-By: Paul Wise Closes: 934043 Changes: libapache-mod-auth-kerb (5.4-2.4) unstable; urgency=medium . * Non-maintainer upload. * Apply patch from upstream issue tracker to fix crash (Closes: #934043) Checksums-Sha1: 7b3723f8f82f95dd2e537d2467477df7c961a134 1849 libapache-mod-auth-kerb_5.4-2.4.dsc da1c7affa7dac60fe0c2b73a8828a96b0f6ba828 51186 libapache-mod-auth-kerb_5.4-2.4.diff.gz Checksums-Sha256: 4e523b4c2cfe2f26de5632e5d21c352a05da0cfa5aa595fec6463087ccc30f72 1849 libapache-mod-auth-kerb_5.4-2.4.dsc 3ce8109d98d7f8c42bfd1a98ec0ff356c50697f64c454f53bc48002075fb7f0d 51186 libapache-mod-auth-kerb_5.4-2.4.diff.gz Files: 8812316d5029c3e18ba8252c783b0941 1849 net optional libapache-mod-auth-kerb_5.4-2.4.dsc 1f7027a166038100f81ee1465096c663 51186 net optional libapache-mod-auth-kerb_5.4-2.4.diff.gz -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEYQsotVz8/kXqG1Y7MRa6Xp/6aaMFAl2tI5QACgkQMRa6Xp/6 aaOgFw/7BlSkWFZGxV1hgMbaSz//DdfLaR+wcGgFoG0/Psyx8i1b+1Wp5lWrl6Rw zLdHdSD96emHsnGRZaycL0GdvRw+Szk50tlpcGZaoepP9W1Wx2ERj3e4xljrSURs
