Bug 174876
| Summary: | libkrb5.so from mit-krb5 1.4.1 frees invalid ccache | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Fredrik Tolf <fredrik> | ||||
| Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> | ||||
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Brian Brock <bbrock> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 4 | ||||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-03-10 01:15:53 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 121793 [details]
Patch to fix the bug
This patch fixes the bug. If there are no plans to upgrade Kerberos from 1.4.1
in a near future, at least a new release of 1.4.1 should be made with this
patch applied.
Apply with -p1 in the src directory.
This report targets the FC3 or FC4 products, which have now been EOL'd. Could you please check that it still applies to a current Fedora release, and either update the target product or close it ? Thanks. Fedora Core 4 is no longer maintained. Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the current Fedora release, please reopen this bug and assign it to the corresponding Fedora version. |
There is a bug in the FILE ccache implementation of MIT Kerberos 5 1.4.1 that frees the wrong ccache every now and then. Especially in ksu, this behavior is reproducable every time. The bug is in the dereference() function in src/lib/krb5/ccache/cc_file.c, where there is a line like this: for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next) Obviously, the loop condition is not supposed to be "*fccsp == NULL", but rather "*fccsp != NULL". This bug causes a lot of trouble: 1. When using ksu, the target cc is freed when the source cc is supposed to be freed, which causes two subissues: a. No target cc's are unlinked when ksu exits, which means that cc's will keep piling up in /tmp. b. The source cc will remain open in ksu and its child processes, quite possibly read locked, which means that any process trying to write lock the cc (for example when requesting a new ticket) will sleep until ksu exits. This is also an information leak, since ksu's child processes will have access to the source cc. 2. It obviously causes a high probability of programs using more than one fcc at a time crashing. For example, when patching screen for Kerberos cc duplication (<http://www.dolda2000.com/~fredrik/patches/>), screen will crash periodically. 3. It might be a security risk, since ksu is suid root (and maybe certain network servers will be affected as well), and its memory is being corrupted. I don't know if it's exploitable, but there's nothing that says it isn't, either. FC should either patch this bug or update to a later version of Kerberos (the bug is fixed in 1.4.3, I don't know about 1.4.2).