Re: Bug#453241: still broken (and partly openssh's fault)
Russ Allbery wrote:
> I spent an hour this evening tracking this down. The problem is that
> Heimdal isn't using symbol versioning in its shared libraries.
> libpam-heimdal therefore binds to unversioned symbols, which works fine if
> the calling program doesn't load any other Kerberos library. However,
> OpenSSH is linked with MIT Kerberos, and therefore at run time the
> unversioned libpam-heimdal symbols are bound to the MIT Kerberos version
> of libkrb5 which is already loaded in memory and chaos ensues. valgrind
> was the debugging tool that finally gave me the necessary clue. The
> segfault kept showing up with backtraces inside libkrb5.3.3 instead of
> libkrb5.24.0.0.
>
Can I please confirm what version of Heimdal you are using? The initial
bug report seemed to quote the old version in testing, but here you seem
to indicate the latest version in unstable. I just want to make sure.
As far as I can tell, all exported symbols from libkrb5.24.0.0 use
HEIMDAL_KRB5_1.0 for the versioned symbol name.
objdump -T libkrb5.so.24.0.0
...
0001d180 g DF .text 0000003e HEIMDAL_KRB5_1.0 krb5_config_vget_string_default
00047140 g DF .text 00000034 HEIMDAL_KRB5_1.0 krb5_rd_req_out_get_ticket
00028130 g DF .text 00000074 HEIMDAL_KRB5_1.0 krb5_digest_free
0004cc30 g DF .text 000000c6 HEIMDAL_KRB5_1.0 krb5_storage_emem
0004b100 g DF .text 00000037 HEIMDAL_KRB5_1.0 _krb5_get_int
0002c5b0 g DF .text 0000022e HEIMDAL_KRB5_1.0 krb5_get_credentials_with_flags
0001ca10 g DF .text 00000038 HEIMDAL_KRB5_1.0 krb5_encode_EncTGSRepPart
0001eba0 g DF .text 0000007e HEIMDAL_KRB5_1.0 krb5_prepend_config_files_default
0001a530 g DF .text 000000f5 HEIMDAL_KRB5_1.0 krb5_cc_retrieve_cred
0001cfe0 g DF .text 00000034 HEIMDAL_KRB5_1.0 krb5_config_get_time
0002dfa0 g DF .text 00000208 HEIMDAL_KRB5_1.0 _krb5_get_host_realm_int
0004b9c0 g DF .text 0000009f HEIMDAL_KRB5_1.0 krb5_ret_times
000165c0 g DF .text 00000033 HEIMDAL_KRB5_1.0 krb5_sockaddr_uninteresting
0002fd00 g DF .text 00000080 HEIMDAL_KRB5_1.0 krb5_get_in_tkt_with_keytab
00017d30 g DF .text 00000039 HEIMDAL_KRB5_1.0 krb5_address_compare
0003d950 g DF .text 00000038 HEIMDAL_KRB5_1.0 krb5_c_enctype_compare
0001e7d0 g DF .text 00000139 HEIMDAL_KRB5_1.0 krb5_get_default_in_tkt_etypes
000450d0 g DF .text 00000021 HEIMDAL_KRB5_1.0 krb5_unparse_name_fixed_short
If OpenSSH is linked against MIT Kerberos, like you say, then simply
proving that the segfault occurs inside MIT Kerberos is insufficient,
unfortunately, because we have to expect OpenSSH may call MIT Kerberos
functions at some point.
> This is a bug in the Debian Heimdal packages, I believe. They used to use
> symbol versioning precisely because of this problem; see Bug#205592 which
> was closed in 0.6-4. It looks like that was lost or dropped somewhere
> along the way.
>
The symbol versioning was moved to the upstream code; I don't guarantee
that they got it right, but I want some evidence before I forward this
upstream.
It occurred to me that the stack trace is probably in the Debian bug
report; I will check that now.
Brian May
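A check for the condition Brian asks about, as an added example that is not from the bug report or from either Kerberos project: it parses `objdump -T` output (the constructed sample below mirrors the quoted HEIMDAL_KRB5_1.0 lines, plus a made-up unversioned library exporting the same names) and reports exported symbols that carry no version tag, as well as names exported by both libraries where one side is unversioned, which is exactly the situation that lets ld.so bind a caller to the wrong libkrb5.

```python
import re

# Constructed `objdump -T` samples (added example, not output from the bug report).
# HEIMDAL_DUMP copies the shape of the versioned lines quoted in the thread; OTHER_DUMP
# is a made-up library that exports the same krb5_* names without any version tag.
HEIMDAL_DUMP = """\
DYNAMIC SYMBOL TABLE:
0001d180 g    DF .text  0000003e  HEIMDAL_KRB5_1.0 krb5_config_vget_string_default
0001a530 g    DF .text  000000f5  HEIMDAL_KRB5_1.0 krb5_cc_retrieve_cred
00000000      DF *UND*  00000000  GLIBC_2.0        malloc
"""
OTHER_DUMP = """\
DYNAMIC SYMBOL TABLE:
00031a20 g    DF .text  00000120              krb5_cc_retrieve_cred
00012f00 g    DF .text  00000044              krb5_init_context
00000000      DF *UND*  00000000              free
"""

HEX_FIELD = re.compile(r"^[0-9a-fA-F]{8,16}$")   # address or size column

def parse_objdump_T(text):
    """Map each symbol the library defines to its version tag (None if unversioned).

    Tokens per line: addr, flag letters, section, size, [version], name.  The flag
    field splits into a variable number of tokens, so parsing is anchored on the tail:
    if the token before the name is the hex size field, the symbol has no version.
    "Base" is objdump's label for the implicit base version, i.e. no real tag.
    *UND* entries are imports, not exports, and are skipped.
    """
    exports = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not HEX_FIELD.match(tok[0]) or "*UND*" in tok:
            continue
        name, before = tok[-1], tok[-2].strip("()")
        exports[name] = None if HEX_FIELD.match(before) or before == "Base" else before
    return exports

def unversioned_exports(exports):
    """Names the library exports without a version tag."""
    return sorted(n for n, v in exports.items() if v is None)

def risky_collisions(a, b):
    """Names exported by both libraries where at least one side is unversioned;
    such a reference can resolve to whichever library ld.so loaded first."""
    return sorted(n for n in a.keys() & b.keys() if a[n] is None or b[n] is None)

if __name__ == "__main__":
    heimdal, other = parse_objdump_T(HEIMDAL_DUMP), parse_objdump_T(OTHER_DUMP)
    print("unversioned in second library:", unversioned_exports(other))
    print("risky collisions:", risky_collisions(heimdal, other))
```

To run it against real libraries, feed `objdump -T /path/to/libkrb5.so.X` output to `parse_objdump_T` for each library and compare the results the same way.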