Bug 31352 - Segfault in k5key_chk / krb5_free_keyblock_contents
Segfault in k5key_chk / krb5_free_keyblock_contents
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 3.1
Other Linux
: P5 normal (vote)
: UCS 3.1-1-errata
Assigned To: Arvid Requate
Philipp Hahn
:
Depends on: 28166
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-13 23:09 CEST by Arvid Requate
Modified: 2013-05-17 13:02 CEST (History)
5 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2013-05-13 23:09:14 CEST
A segfault of slapd was reported via Ticket#: 2013051321001107, and the gdb backtrace shows that it happens in the same line as in Bug 28166, but under different circumstances. After calculating the Kerberos key from the password we should check the return code of krb5_string_to_key_salt before trying anything else, especially before trying to free the pointer to the result key structure.

+++ This bug was initially created as a clone of Bug #28166 +++
Comment 1 Arvid Requate univentionstaff 2013-05-14 12:10:49 CEST
Error checking and log messages have been added. Package is built in scope errata3.1-1, test with i386 was successfull:
* normal slapd bins operations with 'userPassword: {K5KEY}'
* Test of logging and avoided crash by an artificially patched k5pwd.c, simulating a non-zero return code of krb5_string_to_key_salt.

Advisory: 2013-05-14-openldap.yaml
Comment 2 Arvid Requate univentionstaff 2013-05-14 14:47:03 CEST
Addition: At ldap/debug/level !=0 the following messages get logged:

=============================================================================
Feb 23 19:36:43 master10 slapd[31129]: conn=1001 op=0: k5pwd: k5key_chk:
krb5_string_to_key_salt failed for: user1@ARUCS31I0.QA.
Feb 23 19:36:43 master10 slapd[31129]: conn=1001 op=0: k5pwd: k5key_chk:
error_string: The password is not encoded as UTF-8 (ret=-969269754).
Feb 23 19:36:43 master10 slapd[31129]: OVER: rs->sr_err != LDAP_SUCCESS on
"uid=user1,cn=users,dc=arucs31i0,dc=qa" ERR: 0x31
=============================================================================
Comment 3 Stefan Gohmann univentionstaff 2013-05-14 22:00:41 CEST
I've also built it for UCS 3.1-2.
Comment 4 Philipp Hahn univentionstaff 2013-05-16 15:18:36 CEST
FAIL: find ucs_3.1-0-errata3.1-? ucs_3.1-0-ucs3.1-? -name \*2.4.31\*
    errata3.1-1: 2.4.31-1.82.201305141904
    errata3.1-2: 2.4.31-1.82.201305141904 <<<< does not match YAML: should be 0, because 3.1-2 is not yet released!
    ucs3.1-2:    2.4.31-1.83.201305142158

OK: amd64 + i386

ucr set ldap/debug/level=1

OK: 3.1-1 → errata-3.1-1 → 3.1-2
cat >>/etc/apt/sources.list <<'APT'
deb http://omar.knut.univention.de/build2 ucs_3.1-0-errata3.1-1/all/
deb http://omar.knut.univention.de/build2 ucs_3.1-0-errata3.1-1/$(ARCH)/
APT
aptitude update
aptitude install '?source-package(openldap)?installed'
cat >>/etc/apt/sources.list <<'APT'
deb http://omar.knut.univention.de/build2 ucs_3.1-0-ucs3.1-2/all/
deb http://omar.knut.univention.de/build2 ucs_3.1-0-ucs3.1-2/$(ARCH)/
APT
aptitude update
aptitude install '?source-package(openldap)?installed'

OK: 3.1-1 → 3.1-2

FIXED: changelog-3.1-2.tex
FIXED: 2013-05-14-openldap.yaml
  trun/k/c/ated


?: Bug could not be reproduced with neither original version from 3.1-1 nor with the fixed version.

OK: slapd works

#!/bin/sh
univention-ldapsearch -xLLLb uid=phahn,cn=users,dc=phahn,dc=qa userPassword krb5Key sambaNTPassword
ldapmodify -D cn=admin,dc=phahn,dc=qa -y /etc/ldap.secret <<__LDIF__
dn: uid=phahn,cn=users,dc=phahn,dc=qa
changetype: modify
replace: userPassword
userPassword: {K5KEY}
__LDIF__
univention-ldapsearch -xLLLb uid=phahn,cn=users,dc=phahn,dc=qa userPassword krb5Key sambaNTPassword
ldapsearch -xLLLD uid=phahn,cn=users,dc=phahn,dc=qa -w '!Q"W§1q2w3' uid=phahn

#!/usr/bin/python2.6
# vim:set fileencoding=UTF-8:
import ldap
import logging
import sys
logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
l = ldap.initialize('ldap://127.0.0.1:7389')
username = "uid=phahn,cn=users,dc=phahn,dc=qa"
for password in (
        '!Q"W§1q2w3',
        u'!Q"W§1q2w3',
        '!Q"W§1q2w3'.decode('UTF-8'),
        '!Q"W\2471q2w3',
        ):
        try:
                print len(password),
                l.simple_bind_s(username, password)
                print "OK"
        except ldap.INVALID_CREDENTIALS, ex:
                print ex
Comment 5 Arvid Requate univentionstaff 2013-05-17 11:10:31 CEST
Packages removed from errata3.1-2 (seems to have been a typo in the original email regarding the new procedure).
Comment 6 Philipp Hahn univentionstaff 2013-05-17 11:54:56 CEST
OK:
$ find ucs_3.1-0-errata3.1-? ucs_3.1-0-ucs3.1-? -name \*openldap\*ucs_3.1-0-errata3.1-1/amd64/openldap_2.4.31-1.82.201305141904_amd64.changes
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904.diff.gz
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31.orig.tar.gz
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904_i386.changes
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904.dsc
ucs_3.1-0-ucs3.1-2/amd64/openldap_2.4.31-1.83.201305142158_amd64.changes
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31.orig.tar.gz
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158.diff.gz
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158.dsc
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158_i386.changes

OK: /usr/sbin/announce_errata -n 2013-05-14-openldap.yaml
Comment 7 Janek Walkenhorst univentionstaff 2013-05-17 13:02:37 CEST
http://errata.univention.de/ucs/3.1/98.html