Bug#512410: openssh-server: sshd segfaults (suppose libc or libpam-mount related)

reassign 512410 libkrb5-3
# double-free triggered in externally-accessible services is always
# potentially a security issue
severity 512410 serious
tags 512410 security
found 512410 libkrb5-3/1.10.1+dfsg-1

"Livingston, John A" <firstname.lastname@example.org> writes:

> On Jun 6, 2012, at 5:40 PM, Russ Allbery wrote:
>> Aha! Do you have the keytab PAM option set either in the PAM
>> configuration or in krb5.conf?
> I don't believe we do, unless it's getting called subtly from something
> else. Below is our regular krb5.conf in case it's helpful. Our PAM setup
> uses the standard Debian pam-auth-update lines for use with Kerberos,
> plenty of invocations of "pam_krb5.so minimum_uid=1000", but no use of
> the keytab option. Our host entries live in the default
> /etc/krb5.keytab, I don't think we've had a reason to use keytab.

Indeed, you don't.

I am therefore confused as to how you're encountering this, since pam-krb5
only calls krb5_verify_init_creds in one place, and in that one place the
server argument is NULL unless the keytab PAM option or krb5.conf
configuration option is defined. But, nonetheless, that seems to be the
issue. Maybe something internal to the Kerberos library is calling
krb5_verify_init_creds with a non-NULL principal? But if so, I'm not
seeing it anywhere in the source.

In any event, I'll reassign this to libkrb5-3, which needs a patch before
the wheezy release. (Upstream already fixed this in the development

Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>