Bug 31352 – Segfault in k5key_chk / krb5_free_keyblock_contents

Bug 31352 - Segfault in k5key_chk / krb5_free_keyblock_contents


Summary:	Segfault in k5key_chk / krb5_free_keyblock_contents

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	LDAP
Version:	UCS 3.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.1-1-errata
Assigned To:	Arvid Requate
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:	28166
Blocks:
	Show dependency tree / graph

Reported:	2013-05-13 23:09 CEST by Arvid Requate
Modified:	2013-05-17 13:02 CEST (History)
CC List:	5 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2013-05-13 23:09:14 CEST

A segfault of slapd was reported via Ticket#: 2013051321001107, and the gdb backtrace shows that it happens in the same line as in Bug 28166, but under different circumstances. After calculating the Kerberos key from the password we should check the return code of krb5_string_to_key_salt before trying anything else, especially before trying to free the pointer to the result key structure.

+++ This bug was initially created as a clone of Bug #28166 +++

Comment 1 Arvid Requate

2013-05-14 12:10:49 CEST

Error checking and log messages have been added. Package is built in scope errata3.1-1, test with i386 was successfull:
* normal slapd bins operations with 'userPassword: {K5KEY}'
* Test of logging and avoided crash by an artificially patched k5pwd.c, simulating a non-zero return code of krb5_string_to_key_salt.

Advisory: 2013-05-14-openldap.yaml

Comment 2 Arvid Requate

2013-05-14 14:47:03 CEST

Addition: At ldap/debug/level !=0 the following messages get logged:

=============================================================================
Feb 23 19:36:43 master10 slapd[31129]: conn=1001 op=0: k5pwd: k5key_chk:
krb5_string_to_key_salt failed for: user1@ARUCS31I0.QA.
Feb 23 19:36:43 master10 slapd[31129]: conn=1001 op=0: k5pwd: k5key_chk:
error_string: The password is not encoded as UTF-8 (ret=-969269754).
Feb 23 19:36:43 master10 slapd[31129]: OVER: rs->sr_err != LDAP_SUCCESS on
"uid=user1,cn=users,dc=arucs31i0,dc=qa" ERR: 0x31
=============================================================================

Comment 3 Stefan Gohmann

2013-05-14 22:00:41 CEST

I've also built it for UCS 3.1-2.

Comment 4 Philipp Hahn

2013-05-16 15:18:36 CEST

FAIL: find ucs_3.1-0-errata3.1-? ucs_3.1-0-ucs3.1-? -name \*2.4.31\*
    errata3.1-1: 2.4.31-1.82.201305141904
    errata3.1-2: 2.4.31-1.82.201305141904 <<<< does not match YAML: should be 0, because 3.1-2 is not yet released!
    ucs3.1-2:    2.4.31-1.83.201305142158

OK: amd64 + i386

ucr set ldap/debug/level=1

OK: 3.1-1 → errata-3.1-1 → 3.1-2
cat >>/etc/apt/sources.list <<'APT'
deb http://omar.knut.univention.de/build2 ucs_3.1-0-errata3.1-1/all/
deb http://omar.knut.univention.de/build2 ucs_3.1-0-errata3.1-1/$(ARCH)/
APT
aptitude update
aptitude install '?source-package(openldap)?installed'
cat >>/etc/apt/sources.list <<'APT'
deb http://omar.knut.univention.de/build2 ucs_3.1-0-ucs3.1-2/all/
deb http://omar.knut.univention.de/build2 ucs_3.1-0-ucs3.1-2/$(ARCH)/
APT
aptitude update
aptitude install '?source-package(openldap)?installed'

OK: 3.1-1 → 3.1-2

FIXED: changelog-3.1-2.tex
FIXED: 2013-05-14-openldap.yaml
  trun/k/c/ated


?: Bug could not be reproduced with neither original version from 3.1-1 nor with the fixed version.

OK: slapd works

#!/bin/sh
univention-ldapsearch -xLLLb uid=phahn,cn=users,dc=phahn,dc=qa userPassword krb5Key sambaNTPassword
ldapmodify -D cn=admin,dc=phahn,dc=qa -y /etc/ldap.secret <<__LDIF__
dn: uid=phahn,cn=users,dc=phahn,dc=qa
changetype: modify
replace: userPassword
userPassword: {K5KEY}
__LDIF__
univention-ldapsearch -xLLLb uid=phahn,cn=users,dc=phahn,dc=qa userPassword krb5Key sambaNTPassword
ldapsearch -xLLLD uid=phahn,cn=users,dc=phahn,dc=qa -w '!Q"W§1q2w3' uid=phahn

#!/usr/bin/python2.6
# vim:set fileencoding=UTF-8:
import ldap
import logging
import sys
logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
l = ldap.initialize('ldap://127.0.0.1:7389')
username = "uid=phahn,cn=users,dc=phahn,dc=qa"
for password in (
        '!Q"W§1q2w3',
        u'!Q"W§1q2w3',
        '!Q"W§1q2w3'.decode('UTF-8'),
        '!Q"W\2471q2w3',
        ):
        try:
                print len(password),
                l.simple_bind_s(username, password)
                print "OK"
        except ldap.INVALID_CREDENTIALS, ex:
                print ex

Comment 5 Arvid Requate

2013-05-17 11:10:31 CEST

Packages removed from errata3.1-2 (seems to have been a typo in the original email regarding the new procedure).

Comment 6 Philipp Hahn

2013-05-17 11:54:56 CEST

OK:
$ find ucs_3.1-0-errata3.1-? ucs_3.1-0-ucs3.1-? -name \*openldap\*ucs_3.1-0-errata3.1-1/amd64/openldap_2.4.31-1.82.201305141904_amd64.changes
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904.diff.gz
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31.orig.tar.gz
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904_i386.changes
ucs_3.1-0-errata3.1-1/source/openldap_2.4.31-1.82.201305141904.dsc
ucs_3.1-0-ucs3.1-2/amd64/openldap_2.4.31-1.83.201305142158_amd64.changes
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31.orig.tar.gz
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158.diff.gz
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158.dsc
ucs_3.1-0-ucs3.1-2/source/openldap_2.4.31-1.83.201305142158_i386.changes

OK: /usr/sbin/announce_errata -n 2013-05-14-openldap.yaml

Comment 7 Janek Walkenhorst

2013-05-17 13:02:37 CEST

http://errata.univention.de/ucs/3.1/98.html