Bug 1044739

Summary: krb5_copy_context seg faults
Product: Red Hat Enterprise Linux 7 Reporter: John Dennis <jdennis>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact: Patrik Kis <pkis>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: dpal, dspurek, jdennis, ksrot, nalin, nathaniel, pkis, riehecky
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.11.3-40.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1044735 Environment:
Last Closed: 2014-06-13 10:41:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1044735    
Bug Blocks: 1044748    

Description John Dennis 2013-12-18 21:51:35 UTC 
+++ This bug was initially created as a clone of Bug #1044735 +++

This was originally seen while debugging a problem in FreeRADIUS. Upstream FreeRADIUS developer Arran Cudbard-Bell has posted 3 pull requests to fix the issue.

https://github.com/krb5/krb5/pull/36
https://github.com/krb5/krb5/pull/37
https://github.com/krb5/krb5/pull/38

I combined these into a single patch and built and tested for F20. Everything seems to work. It seems like a pretty obvious bug in the krb5 libs.

This is an important patch to get in otherwise the radius server will segfault if it attempts to perform authentication via kerberos.

I've attached the patch.

--- Additional comment from John Dennis on 2013-12-18 16:49:51 EST ---

diff --git a/krb5.spec b/krb5.spec
index 41c70d3..dd85f23 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -113,6 +113,7 @@ Patch140: krb5-CVE-2013-1417.patch
 Patch141: krb5-1.11.3-client-loop.patch
 Patch142: krb5-master-keyring-offsets.patch
 Patch143: krb5-master-keyring-expiration.patch
+Patch144: krb5-copy-ctx.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -365,6 +366,7 @@ ln -s NOTICE LICENSE
 %patch141 -p1 -b .client-loop
 %patch142 -p1 -b .keyring-offsets
 %patch143 -p1 -b .keyring-expiration
+%patch144 -p1 -b .copy-ctx
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
Comment 4 Nalin Dahyabhai 2013-12-19 16:38:37 UTC 
John, I'm trying to pull in the fixes as they landed in upstream, so they don't look exactly the same as what's in the mentioned pull requests (not the etypes list part, anyway).  If you have a chance, can you give krb5-1.11.3-40.el7 a quick run on your test setup?
Comment 5 John Dennis 2013-12-19 20:58:36 UTC 
re comment #4

My test environment was actually an F20 system. A quick look at the updates in Koji suggests that krb5-libs-1.11.3-38.fc20.x86_64 has the same fix as krb5-1.11.3-40.el7 based on the changlog. Assuming both packages have the same patch then a quick test on F20 suggests we're good.
Comment 6 Nalin Dahyabhai 2013-12-19 22:23:43 UTC 
Yes, they have the same patch.  Thanks!
Comment 17 Ludek Smid 2014-06-13 10:41:25 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.