Bug 153930 - krb5 ftp client segfaults with out of order options in ~/.netrc
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2005-04-05 17:34 EDT by Stephen Gardner
Modified: 2012-06-20 11:53 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-06-20 11:53:22 EDT

Attachments
gdb output of segfault (981 bytes, text/plain)
2005-04-05 19:07 EDT, Stephen Gardner

Description Stephen Gardner 2005-04-05 17:34:55 EDT
Description of problem:
When valid authentication options are put into ~/.netrc in the wrong order the
krb5 ftp client segfaults. In comparison the non-krb5 ftp client returns an
error message.

Version-Release number of selected component (if applicable):
RHEL4-AS-U0 (i386, x86_64) with
krb5-workstation-1.3.4-9 and -10

RHEL3-AS-U4 (i386) with

How reproducible:
Always (as root and non-root user)

Steps to Reproduce:
1. create ~/.netrc file containing
machine ftp.redhat.com
password root@
login anonymous

2. /usr/kerberos/bin/ftp ftp.redhat.com

Actual results:
[root@server1 ~]# /usr/kerberos/bin/ftp ftp.redhat.com
Connected to ftp.redhat.com.
220 Red Hat FTP server ready. All transfers are logged. (FTP)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Segmentation fault

Expected results:
NOTE: expected results output taken from non-krb5'd ftp client

[root@server1 ~]# /usr/bin/ftp ftp.redhat.com
Connected to ftp.redhat.com (
220 Red Hat FTP server ready. All transfers are logged. (FTP)
Error: `password' must follow `login' in .netrc

Additional info:
Regarding the expected behaviour the GNU inetutils v1.4.2 client (on a non-RHEL
system) re-orders the options (putting login before password) automatically when
parsing ~/.netrc.
Comment 1 Stephen Gardner 2005-04-05 19:07:23 EDT
Created attachment 112739
gdb output of segfault
Comment 2 Stephen Gardner 2005-04-05 19:10:05 EDT
The problem occurs with or without the "login" line present in the ~/.netrc file.

I note that the problem may be in the .netrc parsing code in
src/appl/gssftp/ruserpass.c of the krb5 package and that the file hasn't
changed even in the latest RAWHIDE krb5 SRPM and likely still exists.

I've attached (Comment #1) the output from gdb (based on rpmbuild of
krb5-1.3.4-12.src.rpm from ftp.redhat.com).

I'm not a programmer and therefore cannot offer a patch but whilst reading
through the code I would also draw your attention to another small section in
ruserpass.c which might be classed as a potential security vulnerability

ruserpass.c - line 136

        hdir = getenv("HOME");
        if (hdir == NULL)
                hdir = ".";
        (void) sprintf(buf, "%s/.netrc", hdir);  
        cfile = fopen(buf, "r");

If I read it correctly this will set the directory for the location of .netrc to
be "." if the HOME environment variable doesn't exist (or is set to NULL).
Having any app (especially one that will likely be run by root) include "." as a
fallback directory for a config file (in this case a config file that allows the
declaration of macros which operate on remote servers) might be worth removing
/ modifying.
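
One way to avoid the "." fallback described in Comment 2, as an added example that is not part of the original report and not krb5 code. The helper names `netrc_path` and `netrc_open`, the 4096-byte buffer, and the owner/mode policy are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not krb5 code: write "<home>/.netrc" into buf.
 * Returns the path length, or -1 if home is unset, not absolute, or the
 * result would not fit. There is deliberately no fallback to ".". */
int netrc_path(const char *home, char *buf, size_t len)
{
    int n;
    if (home == NULL || home[0] != '/')
        return -1;
    n = snprintf(buf, len, "%s/.netrc", home);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Hypothetical helper: open path only if it is a regular file (not a
 * symlink) owned by the caller with no group/other permission bits. */
FILE *netrc_open(const char *path)
{
    struct stat st;
    FILE *fp = NULL;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return NULL;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        st.st_uid == geteuid() && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        fp = fdopen(fd, "r");
    if (fp == NULL)
        close(fd);
    return fp;
}

int main(void)
{
    char buf[4096];   /* size is an assumption for this example */
    FILE *fp;
    if (netrc_path(getenv("HOME"), buf, sizeof buf) < 0) {
        fputs("HOME unset or not absolute; skipping .netrc\n", stderr);
        return 0;
    }
    fp = netrc_open(buf);
    printf("%s: %s\n", buf, fp ? "accepted" : "missing or rejected");
    if (fp) fclose(fp);
    return 0;
}
```
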
Comment 3 Jiri Pallich 2012-06-20 11:53:22 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
