Hide Forgot
Description of problem: mailx defines a function send, which probably sends an email. The problem is that, when non-glibc nss modules are in use (like nss_ldap), the dynamic symbol lookup resolves send calls to the function in /bin/mail, not the syscall. This leads to a segfault, but only when USER is not set. Version-Release number of selected component (if applicable): mailx-8.1.1-31 How reproducible: Completely Steps to Reproduce: 1. Set up an ldap auth client 2. Log in as an ldap-authenticated user and unset USER 3. Try to send mail using /bin/mail Actual results: Segmentation fault Expected results: mail sent Additional info:
Here's the last bits of output when run with LD_DEBUG=bindings: 5199: binding file /lib/libresolv.so.2 to /lib/tls/libc.so.6: normal symbol `connect' [GLIBC_2.0] 5199: binding file /lib/libresolv.so.2 to mail: normal symbol `send' [GLIBC_2.0] 5199: binding file mail to /lib/tls/libc.so.6: normal symbol `fflush' [GLIBC_2.0] Segmentation fault (core dumped) And here's a backtrace: Core was generated by `/bin/mail -s test broken root@localhost'. Program terminated with signal 11, Segmentation fault. <snip> #0 0x0804ebe1 in setinput (mp=0x4) at fio.c:245 245 if (fseek(itf, (long)positionof(mp->m_block, mp->m_offset), 0) < 0) { (gdb) bt #0 0x0804ebe1 in setinput (mp=0x4) at fio.c:245 #1 0x08054587 in send (mp=0x4, obuf=0xbfffb360, doign=0x2c, prefix=0x0) at send.c:87 #2 0x009e1615 in send_dg (statp=0x266e40, buf=0xbfffb360 "w\210\001", buflen=44, ansp=0xbfffb340, anssizp=0xbfffb344, terrno=0xbfffb304, ns=0, v_circuit=0x0, gotsomewhere=0xbfffb300, anscp=0xbfffb8f0) at res_send.c:961 #3 0x009e0d95 in __libc_res_nsend (statp=0x266e40, buf=0xbfffb360 "w\210\001", buflen=44, ans=0xbfffb4c0 "", anssiz=1024, ansp=0xbfffb8f0) at res_send.c:595 #4 0x009dfcda in __libc_res_nquery (statp=0x266e40, name=0xbfffb8f4 "163.59.16.172.in-addr.arpa", class=1, type=12, answer=0xbfffb4c0 "", anslen=0, answerp=0x0) at res_query.c:154 #5 0x00988424 in _nss_dns_gethostbyaddr_r (addr=0xbfffbe14, len=4, af=2, result=0xbfffbdf0, buffer=0x8b1ebb8 "\177", buflen=0, errnop=0xb75e44e0, h_errnop=0xbfffbdd4) at nss_dns/dns-host.c:338 #6 0x0021fbbd in __gethostbyaddr_r (addr=0xbfffbe14, len=4, type=2, resbuf=0xbfffbdf0, buffer=0x8b1ebb8 "\177", buflen=1024, result=0xbfffbdd0, h_errnop=0xbfffbdd4) at getXXbyYY_r.c:216 #7 0x00294047 in ldap_pvt_gethostbyaddr_a () from /lib/libnss_ldap.so.2 #8 0x00290df1 in ldap_host_connected_to () from /lib/libnss_ldap.so.2 ---Type <return> to continue, or q <return> to quit--- #9 0x002866d9 in ldap_int_open_connection () from /lib/libnss_ldap.so.2 #10 0x0028e84b in ldap_new_connection () from /lib/libnss_ldap.so.2 #11 0x00286031 in ldap_open_defconn () from /lib/libnss_ldap.so.2 #12 0x0028e47e in ldap_send_initial_request () from /lib/libnss_ldap.so.2 #13 0x0028c0b8 in ldap_sasl_bind () from /lib/libnss_ldap.so.2 #14 0x0028ca5c in ldap_simple_bind () from /lib/libnss_ldap.so.2 #15 0x0027d555 in do_bind (ld=0x8b1e390, timelimit=0, dn=0x41c5c4 "cn=Administrator,cn=users,dc=redhat,dc=gss", pw=0x0, with_sasl=0) at ldap-nss.c:1410 #16 0x0027d16f in do_open () at ldap-nss.c:1248 #17 0x0027e39a in _nss_ldap_search_s (args=0xbfffc930, filterprot=0x427940 "(&(objectclass=User)(msSFU30UidNumber=%d))", sel=LM_PASSWD, sizelimit=1, res=0xbfffc8e0) at ldap-nss.c:2285 #18 0x0027e904 in _nss_ldap_getbyname (args=0xbfffc930, result=0x0, buffer=0x0, buflen=0, errnop=0x0, filterprot=0x0, sel=LM_PASSWD, parser=0) at ldap-nss.c:2635 #19 0x0027f84b in _nss_ldap_getpwuid_r (uid=0, result=0x0, buffer=0x0, buflen=0, errnop=0x0) at ldap-pwd.c:207 #20 0x001d8a32 in __getpwuid_r (uid=26006, resbuf=0x265ffc, buffer=0x8b13108 "wnn", buflen=1024, result=0xbfffc998) ---Type <return> to continue, or q <return> to quit--- at getXXbyYY_r.c:216 #21 0x001d83c1 in getpwuid (uid=26006) at getXXbyYY.c:108 #22 0x0804f3f1 in getname (uid=0) at getname.c:60 #23 0x0804f8df in username () at v7.local.c:101 #24 0x080557b5 in tinit () at temp.c:88 #25 0x08051c39 in main (argc=4, argv=0x0) at main.c:236 #26 0x0014579d in __libc_start_main (main=0x8051900 <main>, argc=4, ubp_av=0xbfffcb44, init=0x8056198 <__libc_csu_init>, fini=0x4, rtld_fini=0xbfffcb44, stack_end=0xbfffcb3c) at ../sysdeps/generic/libc-start.c:205 #27 0x080499d1 in _start () at ../sysdeps/i386/elf/start.S:102
Created attachment 104847 [details] add "hidden" visibility attribute to /bin/mail send() function This patch prevents nss functions from binding to /bin/mail's send function when non-glibc nss modules are in use.
*** Bug 137951 has been marked as a duplicate of this bug. ***
*** Bug 74261 has been marked as a duplicate of this bug. ***
Please advise when will we see a mailx rpm in the ES 2.1 errata released ? Thanks, a paying custonmer.
Please add gary.morgan@airnz.co.nz to the CC list, thanks.
The RHBA-2005-181 erratum that fixes this issue is now tested.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-181.html