
Re: Bug#453241: still broken (and partly openssh's fault)



Russ Allbery wrote:
> I spent an hour this evening tracking this down.  The problem is that
> Heimdal isn't using symbol versioning in its shared libraries.
> libpam-heimdal therefore binds to unversioned symbols, which works fine if
> the calling program doesn't load any other Kerberos library.  However,
> OpenSSH is linked with MIT Kerberos, and therefore at run time the
> unversioned libpam-heimdal symbols are bound to the MIT Kerberos version
> of libkrb5 which is already loaded in memory and chaos ensues.  valgrind
> was the debugging tool that finally gave me the necessary clue.  The
> segfault kept showing up with backtraces inside libkrb5.3.3 instead of
> libkrb5.24.0.0.
>   
Can I please confirm what version of Heimdal you are using? The initial
bug report seemed to quote the old version in testing, but here you seem
to indicate the latest version in unstable. I just want to make sure.

As far as I can tell, all exported symbols from libkrb5.24.0.0 use
HEIMDAL_KRB5_1.0 for the versioned symbol name.

objdump -T libkrb5.so.24.0.0

...
0001d180 g    DF .text  0000003e  HEIMDAL_KRB5_1.0 krb5_config_vget_string_default
00047140 g    DF .text  00000034  HEIMDAL_KRB5_1.0 krb5_rd_req_out_get_ticket
00028130 g    DF .text  00000074  HEIMDAL_KRB5_1.0 krb5_digest_free
0004cc30 g    DF .text  000000c6  HEIMDAL_KRB5_1.0 krb5_storage_emem
0004b100 g    DF .text  00000037  HEIMDAL_KRB5_1.0 _krb5_get_int
0002c5b0 g    DF .text  0000022e  HEIMDAL_KRB5_1.0 krb5_get_credentials_with_flags
0001ca10 g    DF .text  00000038  HEIMDAL_KRB5_1.0 krb5_encode_EncTGSRepPart
0001eba0 g    DF .text  0000007e  HEIMDAL_KRB5_1.0 krb5_prepend_config_files_default
0001a530 g    DF .text  000000f5  HEIMDAL_KRB5_1.0 krb5_cc_retrieve_cred
0001cfe0 g    DF .text  00000034  HEIMDAL_KRB5_1.0 krb5_config_get_time
0002dfa0 g    DF .text  00000208  HEIMDAL_KRB5_1.0 _krb5_get_host_realm_int
0004b9c0 g    DF .text  0000009f  HEIMDAL_KRB5_1.0 krb5_ret_times
000165c0 g    DF .text  00000033  HEIMDAL_KRB5_1.0 krb5_sockaddr_uninteresting
0002fd00 g    DF .text  00000080  HEIMDAL_KRB5_1.0 krb5_get_in_tkt_with_keytab
00017d30 g    DF .text  00000039  HEIMDAL_KRB5_1.0 krb5_address_compare
0003d950 g    DF .text  00000038  HEIMDAL_KRB5_1.0 krb5_c_enctype_compare
0001e7d0 g    DF .text  00000139  HEIMDAL_KRB5_1.0 krb5_get_default_in_tkt_etypes
000450d0 g    DF .text  00000021  HEIMDAL_KRB5_1.0 krb5_unparse_name_fixed_short


If OpenSSH is linked against MIT Kerberos, like you say, then simply
proving that the segfault occurs inside MIT Kerberos is insufficient,
unfortunately, because we have to expect OpenSSH may call MIT Kerberos
functions at some point.
> This is a bug in the Debian Heimdal packages, I believe.  They used to use
> symbol versioning precisely because of this problem; see Bug#205592 which
> was closed in 0.6-4.  It looks like that was lost or dropped somewhere
> along the way.
>   
The symbol versioning was moved to the upstream code; I don't guarantee
that they got it right, but I want some evidence before I forward this
upstream.

It occurred to me that the stack trace is probably in the Debian bug
report; I will check that now.

Brian May
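The check the thread turns on is whether every symbol a shared library exports carries a version tag, because an unversioned export is what lets the dynamic linker bind a reference to whichever libkrb5 happened to be loaded first. The following script is an added example, not code from this thread, from Heimdal or from the Debian packages: it parses the `objdump -T` dynamic symbol table (assuming the usual binutils layout of address, a seven-character flag field, section, size, an optional version tag and the name) and lists exported symbols that have no version. The sample input embeds three lines from the objdump output above together with constructed lines for an unversioned export, a `Base`-tagged export and an undefined import.

```python
"""Parse `objdump -T` output and report exported symbols with no version tag.

Example added for illustration; the layout assumed is the common binutils
one (address, 7-char flags, section, size, optional version, name).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the first three lines are copied from the thread's
# objdump output; the remaining lines are made up to exercise the cases
# a practitioner needs to recognise.
SAMPLE = """\
libkrb5.so.24.0.0:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
0001d180 g    DF .text  0000003e  HEIMDAL_KRB5_1.0 krb5_config_vget_string_default
00047140 g    DF .text  00000034  HEIMDAL_KRB5_1.0 krb5_rd_req_out_get_ticket
0004cc30 g    DF .text  000000c6  HEIMDAL_KRB5_1.0 krb5_storage_emem
00012340 g    DF .text  00000120              krb5_init_context
00012460 g    DF .text  00000080  Base        krb5_free_context
00000000      DF *UND*  00000000  GLIBC_2.0   malloc
"""

LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]+)\s"      # symbol value
    r"(?P<flags>.{7})\s+"             # fixed 7-character flag field, e.g. "g    DF"
    r"(?P<section>\S+)\s+"            # .text, .data, *UND* (import), ...
    r"(?P<size>[0-9a-fA-F]+)\s+"      # size / alignment
    r"(?:(?P<version>\S+)\s+)?"       # optional version tag
    r"(?P<name>\S+)\s*$"
)


@dataclass
class DynSym:
    name: str
    section: str
    flags: str
    version: Optional[str]  # None when the symbol carries no version

    @property
    def is_export(self) -> bool:
        # Defined symbols live in a real section; references show *UND*.
        return self.section != "*UND*"


def parse_objdump_dynsym(text: str) -> List[DynSym]:
    """Parse the table body of `objdump -T`, skipping banner and blank lines."""
    syms: List[DynSym] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "file format" banner, "DYNAMIC SYMBOL TABLE:", blanks
        version = m.group("version")
        # Newer binutils print "Base" for symbols without a version node and
        # wrap non-default versions in parentheses; normalise both forms.
        if version == "Base":
            version = None
        elif version:
            version = version.strip("()")
        syms.append(DynSym(m.group("name"), m.group("section"),
                           m.group("flags"), version))
    return syms


def unversioned_exports(syms: List[DynSym]) -> List[str]:
    """Names of defined (exported) symbols that carry no version tag."""
    return sorted(s.name for s in syms if s.is_export and s.version is None)


def version_nodes(syms: List[DynSym]) -> Set[str]:
    """Distinct version tags seen on exported symbols."""
    return {s.version for s in syms if s.is_export and s.version}


if __name__ == "__main__":
    parsed = parse_objdump_dynsym(SAMPLE)
    print("version nodes:", sorted(version_nodes(parsed)))
    print("unversioned exports:", unversioned_exports(parsed))
```

Run against a real library with `objdump -T libkrb5.so.24.0.0 | python3 check.py`-style piping (reading stdin instead of `SAMPLE`); an empty `unversioned_exports` list is what a correctly versioned build should produce, and a non-empty one names exactly the symbols that could be captured by another library of the same name already in the process.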

