Bug 215443

Summary: CVE-2006-5989 mod_auth_kerb segfault with FC6 client
Product: [Fedora] Fedora
Reporter: Dax Kelson <dkelson>
Component: mod_auth_kerb
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 5
CC: emcnabb, nalin, security-response-team
Hardware: All
OS: Linux
Whiteboard: impact=low,source=bugzilla,reported=20060915,public=20061113
Fixed In Version: 5.3-2.fc5
Doc Type: Bug Fix
Last Closed: 2007-05-23 12:39:13 UTC

Description Dax Kelson 2006-11-13 23:18:08 UTC
Description of problem:
I'm seeing an Apache segfault problem on two servers that cropped up once
I upgraded my desktop to Fedora Core v6. The segfault occurs 80% of the time
when it tries to auth me. This setup has been working for over a year with no
problems until I upgraded my desktop to FC6. My co-worker running FC5 continues
to work fine (as do Windows clients).

Fedora Core v6 ships and uses MIT kerberos v1.5 (my guess is the MIT kerb
version is relevant).

The two servers I'm using are:

* Fedora Core v4
+ mit krb 1.4.2
+ Apache httpd-2.0.54
+ mod_auth_krb 5.2 (I've tried 5.0 and 5.1 as well)

* Debian Sarge
+ mit krb 1.3
+ Apache 2.0.54
+ mod_auth_krb 5.0-rc6

On the Fedora server I was able to get this backtrace:
(gdb) bt full
#0  0x00dda402 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00ac6f90 in raise () from /lib/libc.so.6
No symbol table info available.
#2  0x00ac8678 in abort () from /lib/libc.so.6
No symbol table info available.
#3  0x00afc230 in __libc_message () from /lib/libc.so.6
No symbol table info available.
#4  0x00b04d0d in realloc () from /lib/libc.so.6
No symbol table info available.
#5  0x0038a2dd in decode_MechTypeList (
    p=0x99f1242
"\006\t*\206H\202�\022\001\002\002�\202\002\031\004\202\002\025`\202\002\021\006\t*\206H\206�\022\001\002\002\001",
len=11, data=0xa0c37b8, 
    size=0xbfd3e014) at spnegokrb5/asn1_MechTypeList.c:61
        ret = 18
        reallen = 29
        l = 7
        e = Variable "e" is not available.
(gdb) 

Also, in the Apache error_log, the following appears:

*** glibc detected *** /usr/sbin/httpd: realloc(): invalid pointer:
0x09a30958 ***
======= Backtrace: =========
/lib/libc.so.6(__libc_realloc+0x2e9)[0xb04d0d]
/etc/httpd/modules/mod_auth_kerb.so(decode_MechTypeList+0xe0)[0x38a2dd]
/etc/httpd/modules/mod_auth_kerb.so(decode_NegTokenInit+0x336)[0x389867]
/etc/httpd/modules/mod_auth_kerb.so(gss_accept_sec_context_spnego
+0xd9)[0x386783]
/etc/httpd/modules/mod_auth_kerb.so[0x38b342]
/etc/httpd/modules/mod_auth_kerb.so[0x38bd8b]
/usr/sbin/httpd(ap_run_check_user_id+0x41)[0x4b4ee6]
/usr/sbin/httpd(ap_process_request_internal+0x216)[0x4b64fe]
/usr/sbin/httpd(ap_process_request+0x161)[0x499d5b]
/usr/sbin/httpd[0x494683]
/usr/sbin/httpd(ap_run_process_connection+0x41)[0x4a7a2b]
/usr/sbin/httpd(ap_process_connection+0x51)[0x4a7d60]
/usr/sbin/httpd[0x49acfe]
/usr/sbin/httpd[0x49afba]
/usr/sbin/httpd(ap_mpm_run+0xa0a)[0x49baab]
/usr/sbin/httpd(main+0x5cb)[0x4a277e]
/lib/libc.so.6(__libc_start_main+0xdf)[0xab3d7f]
/usr/sbin/httpd[0x494151]

Another time I saw:

(gdb) bt full
#0  0x00b01ed8 in _int_free () from /lib/libc.so.6
No symbol table info available.
#1  0x00b0272b in free () from /lib/libc.so.6
No symbol table info available.
#2  0x00bec4d6 in krb5_gss_release_cred (minor_status=0xbfd3e588,
cred_handle=0xbfd3e574) at rel_cred.c:73
        _r2 = Variable "_r2" is not available.
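
For triaging crashes like the one reported above, here is a parser for the glibc abort report that names the first module outside the C runtime. It is an added example, not part of the original report; the function names and the "blame the first non-libc frame" rule are this example's assumptions, and the sample lines are an excerpt of the error_log output quoted above, line wrapping included.

```python
import os
import re

MARK = "*** glibc detected ***"
# "*** glibc detected *** <program>: <failed check>: <pointer> ***"
HEADER_RE = re.compile(
    r"\*\*\* glibc detected \*\*\* (?P<prog>\S+): (?P<check>.+?): "
    r"(?P<addr>0x[0-9a-fA-F]+) \*\*\*")
# "/path/obj.so(symbol+0xoff)[0xpc]" or "/path/obj.so[0xpc]" (stripped symbol)
FRAME_RE = re.compile(
    r"^(?P<obj>/[^\s(\[]+)"
    r"(?:\((?P<sym>[^+)]*)(?:\+(?P<off>0x[0-9a-fA-F]+))?\))?"
    r"\[(?P<pc>0x[0-9a-fA-F]+)\]$")
# Objects that only report the corruption (assumption of this example).
RUNTIME_PREFIXES = ("libc.so", "libc-", "ld-", "ld.so")
MAX_PENDING = 512  # give up on a wrapped line that never completes

# Excerpt of the error_log output in this report; the header and one frame
# are wrapped across two lines exactly as they appear in the report.
SAMPLE_LOG = """\
*** glibc detected *** /usr/sbin/httpd: realloc(): invalid pointer:
0x09a30958 ***
======= Backtrace: =========
/lib/libc.so.6(__libc_realloc+0x2e9)[0xb04d0d]
/etc/httpd/modules/mod_auth_kerb.so(decode_MechTypeList+0xe0)[0x38a2dd]
/etc/httpd/modules/mod_auth_kerb.so(decode_NegTokenInit+0x336)[0x389867]
/etc/httpd/modules/mod_auth_kerb.so(gss_accept_sec_context_spnego
+0xd9)[0x386783]
/etc/httpd/modules/mod_auth_kerb.so[0x38b342]
/usr/sbin/httpd(ap_run_check_user_id+0x41)[0x4b4ee6]
======= Memory map: ========
"""


def parse_glibc_aborts(log_text):
    """Return one dict per glibc abort report, re-joining wrapped lines."""
    reports, current = [], None
    state, pending = "idle", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if state != "header" and MARK in line:
            state, pending = "header", ""      # a new report starts here
        if state == "header":
            pending = (pending + " " + line).strip()
            m = HEADER_RE.search(pending)
            if m:
                current = dict(m.groupdict(), frames=[])
                reports.append(current)
                state, pending = "await_backtrace", ""
            elif len(pending) > MAX_PENDING:
                state, pending = "idle", ""
        elif state == "await_backtrace":
            if line.startswith("======= Backtrace:"):
                state = "frames"
            elif line:
                state = "idle"                 # header without a backtrace
        elif state == "frames":
            if not line or line.startswith("======="):
                state, pending = "idle", ""    # memory map or end of report
                continue
            pending += line                    # a frame wraps without a space
            if pending.endswith("]"):
                m = FRAME_RE.match(pending)
                if m:
                    current["frames"].append(m.groupdict())
                pending = ""
            elif len(pending) > MAX_PENDING:
                state, pending = "idle", ""
    return reports


def triage(report):
    """Name the first object outside the C runtime and its named call chain."""
    frames = report["frames"]
    first = next((i for i, f in enumerate(frames)
                  if not os.path.basename(f["obj"]).startswith(RUNTIME_PREFIXES)),
                 None)
    if first is None:
        return None
    module = frames[first]["obj"]
    chain = []                                 # innermost caller first
    for frame in frames[first:]:
        if frame["obj"] != module:
            break
        if frame["sym"]:
            chain.append(frame["sym"])
    return {"program": report["prog"], "check": report["check"],
            "pointer": report["addr"], "module": module, "call_chain": chain}


if __name__ == "__main__":
    for rep in parse_glibc_aborts(SAMPLE_LOG):
        print(triage(rep))
```

Grouping the results by `module` and `call_chain` across an error_log makes repeated aborts in the same decode path stand out from unrelated crashes.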

Comment 3 Josh Bressers 2006-11-20 16:15:56 UTC
More information regarding this flaw (including the patch) can be found in bug
206736

Comment 4 Josh Bressers 2006-11-20 18:49:10 UTC
I presume this also affects FC5.

Comment 5 Dax Kelson 2006-11-22 17:50:23 UTC
I tested the patch on my servers and no more segfault. Thanks very much.

Note that the author of mod_auth_kerb just released v5.3 that includes the patch.

Errata RPMs will be issued for RHEL4, FC5 and FC6?

Comment 6 Joe Orton 2006-11-28 15:23:50 UTC
The bug is specific to the SPNEGO code included in mod_auth_kerb, and affects:

- RHEL4
- FC5 (and earlier in Legacy)

Note that the FC6 mod_auth_kerb uses the SPNEGO handling in the system
Kerberos/GSSAPI libraries; the bundled code is not used, and so it is not
affected by this issue.

Comment 7 Joe Orton 2006-11-28 15:29:11 UTC
Clearing security-sensitive bit since this is disclosed publicly already.

Comment 8 Fedora Update System 2006-11-29 12:25:37 UTC
mod_auth_kerb-5.3-2.fc5 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.