Univention Bugzilla – Bug 31352
Segfault in k5key_chk / krb5_free_keyblock_contents
Last modified: 2013-05-17 13:02:37 CEST
A segfault of slapd was reported via Ticket#: 2013051321001107, and the gdb backtrace shows that it happens in the same line as in Bug 28166, but under different circumstances. After calculating the Kerberos key from the password we should check the return code of krb5_string_to_key_salt before trying anything else, especially before trying to free the pointer to the result key structure. +++ This bug was initially created as a clone of Bug #28166 +++
Error checking and log messages have been added. Package is built in scope errata3.1-1, test with i386 was successfull: * normal slapd bins operations with 'userPassword: {K5KEY}' * Test of logging and avoided crash by an artificially patched k5pwd.c, simulating a non-zero return code of krb5_string_to_key_salt. Advisory: 2013-05-14-openldap.yaml
Addition: At ldap/debug/level !=0 the following messages get logged: ============================================================================= Feb 23 19:36:43 master10 slapd[31129]: conn=1001 op=0: k5pwd: k5key_chk: krb5_string_to_key_salt failed for: user1@ARUCS31I0.QA. Feb 23 19:36:43 master10 slapd[31129]: conn=1001 op=0: k5pwd: k5key_chk: error_string: The password is not encoded as UTF-8 (ret=-969269754). Feb 23 19:36:43 master10 slapd[31129]: OVER: rs->sr_err != LDAP_SUCCESS on "uid=user1,cn=users,dc=arucs31i0,dc=qa" ERR: 0x31 =============================================================================
I've also built it for UCS 3.1-2.
FAIL: find ucs_3.1-0-errata3.1-? ucs_3.1-0-ucs3.1-? -name \*2.4.31\* errata3.1-1: 2.4.31-1.82.201305141904 errata3.1-2: 2.4.31-1.82.201305141904 <<<< does not match YAML: should be 0, because 3.1-2 is not yet released! ucs3.1-2: 2.4.31-1.83.201305142158 OK: amd64 + i386 ucr set ldap/debug/level=1 OK: 3.1-1 → errata-3.1-1 → 3.1-2 cat >>/etc/apt/sources.list <<'APT' deb http://omar.knut.univention.de/build2 ucs_3.1-0-errata3.1-1/all/ deb http://omar.knut.univention.de/build2 ucs_3.1-0-errata3.1-1/$(ARCH)/ APT aptitude update aptitude install '?source-package(openldap)?installed' cat >>/etc/apt/sources.list <<'APT' deb http://omar.knut.univention.de/build2 ucs_3.1-0-ucs3.1-2/all/ deb http://omar.knut.univention.de/build2 ucs_3.1-0-ucs3.1-2/$(ARCH)/ APT aptitude update aptitude install '?source-package(openldap)?installed' OK: 3.1-1 → 3.1-2 FIXED: changelog-3.1-2.tex FIXED: 2013-05-14-openldap.yaml trun/k/c/ated ?: Bug could not be reproduced with neither original version from 3.1-1 nor with the fixed version. OK: slapd works #!/bin/sh univention-ldapsearch -xLLLb uid=phahn,cn=users,dc=phahn,dc=qa userPassword krb5Key sambaNTPassword ldapmodify -D cn=admin,dc=phahn,dc=qa -y /etc/ldap.secret <<__LDIF__ dn: uid=phahn,cn=users,dc=phahn,dc=qa changetype: modify replace: userPassword userPassword: {K5KEY} __LDIF__ univention-ldapsearch -xLLLb uid=phahn,cn=users,dc=phahn,dc=qa userPassword krb5Key sambaNTPassword ldapsearch -xLLLD uid=phahn,cn=users,dc=phahn,dc=qa -w '!Q"W§1q2w3' uid=phahn #!/usr/bin/python2.6 # vim:set fileencoding=UTF-8: import ldap import logging import sys logging.basicConfig(stream=sys.stderr, level=logging.DEBUG) l = ldap.initialize('ldap://127.0.0.1:7389') username = "uid=phahn,cn=users,dc=phahn,dc=qa" for password in ( '!Q"W§1q2w3', u'!Q"W§1q2w3', '!Q"W§1q2w3'.decode('UTF-8'), '!Q"W\2471q2w3', ): try: print len(password), l.simple_bind_s(username, password) print "OK" except ldap.INVALID_CREDENTIALS, ex: print ex
Packages removed from errata3.1-2 (seems to have been a typo in the original email regarding the new procedure).
OK: $ find ucs_3.1-0-errata3.1-? ucs_3.1-0-ucs3.1-? -name \*openldap\*ucs_3.1-0-errata3.1-1/amd64/openldap_2.4.31-1.82.201305141904_amd64.changes ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904.diff.gz ucs_3.1-0-errata3.1-1/source/openldap_2.4.31.orig.tar.gz ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904_i386.changes ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904.dsc ucs_3.1-0-ucs3.1-2/amd64/openldap_2.4.31-1.83.201305142158_amd64.changes ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31.orig.tar.gz ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158.diff.gz ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158.dsc ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158_i386.changes OK: /usr/sbin/announce_errata -n 2013-05-14-openldap.yaml
http://errata.univention.de/ucs/3.1/98.html