729044 – Debuginfo package issues in krb5

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 729044 - Debuginfo package issues in krb5

Summary: Debuginfo package issues in krb5

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	727919
TreeView+	depends on / blocked

Reported:	2011-08-08 15:20 UTC by Karel Klíč
Modified:	2013-03-03 23:03 UTC (History)
CC List:	4 users (show)
Fixed In Version:	krb5-1.9-17.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 17:37:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1707	0	normal	SHIPPED_LIVE	krb5 bug fix update	2011-12-06 01:02:29 UTC

Description Karel Klíč 2011-08-08 15:20:56 UTC

Several problems related to debuginfo were found in the krb5-1.9-9.el6_1.1 package. These issues might affect crash analysis done by Automatic Bug Reporting Tool and its retrace server, and also prevent proper debugging of crashes via GDB.

Debuginfo missing for binaries
------------------------------
A debuginfo file for a binary is not present in the debuginfo package. This might be caused by:
 - binary being compiled without debugging information
 - debugging information being removed from the binary by a build script
 - rpmbuild failing to extract debugging information from a binary in a buildroot because of permissions (eg. suid binaries, binaries without executable flag set)

affected binary: /usr/bin/ksu
affected package: krb5-workstation-1.9-9.el6_1.1.i686
binary contains debug sections (debuginfo script failed to find/strip it)
affected binary file mode: 104755

This issue can be investigated by using eu-readelf tool from the elfutils package. Use `eu-readelf --notes /path/to/binary` to get build ID of a binary. Then check that the debuginfo package does not contain /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>, where <aa> are the first two chars of the build ID, and <bbbbbbbb> is the rest of it. It should be a symlink pointing back to the binary.

Source file missing in debuginfo package
----------------------------------------
Multiple source files that were used by the compiler to generate a binary are missing from the debuginfo package. This is usually caused by the build script creating temporary source files during the build and deleting them after usage, or by moving source files between directories. Missing source files in debuginfo packages make debugging of crashes more difficult.

debuginfo package: krb5-debuginfo-1.9-9.el6_1.1.i686
  debuginfo file: /usr/lib/debug/usr/sbin/kdb5_ldap_util.debug
    missing source: /usr/src/debug/krb5-1.9/src/plugins/kdb/ldap/ldap_util/y.tab.c
  debuginfo file: /usr/lib/debug/usr/bin/kadmin.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c
  debuginfo file: /usr/lib/debug/usr/sbin/kadmin.local.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c
  debuginfo file: /usr/lib/debug/usr/sbin/kdb5_util.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c

Please consider changing the package build script (if that is the cause of this issue) to keep the source files on their compilation place, so rpmbuild can find them when generating debuginfo package.

(This bug was detected and filed by a script.)

Comment 2 Nalin Dahyabhai 2011-08-08 15:37:49 UTC

(In reply to comment #0)
> Several problems related to debuginfo were found in the krb5-1.9-9.el6_1.1
> package. These issues might affect crash analysis done by Automatic Bug
> Reporting Tool and its retrace server, and also prevent proper debugging of
> crashes via GDB.
> 
> Debuginfo missing for binaries
> ------------------------------
> A debuginfo file for a binary is not present in the debuginfo package. This
> might be caused by:
>  - binary being compiled without debugging information
>  - debugging information being removed from the binary by a build script
>  - rpmbuild failing to extract debugging information from a binary in a
> buildroot because of permissions (eg. suid binaries, binaries without
> executable flag set)
> 
> affected binary: /usr/bin/ksu
> affected package: krb5-workstation-1.9-9.el6_1.1.i686
> binary contains debug sections (debuginfo script failed to find/strip it)
> affected binary file mode: 104755
> 
> This issue can be investigated by using eu-readelf tool from the elfutils
> package. Use `eu-readelf --notes /path/to/binary` to get build ID of a binary.
> Then check that the debuginfo package does not contain
> /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>, where <aa> are the first two chars of
> the build ID, and <bbbbbbbb> is the rest of it. It should be a symlink pointing
> back to the binary.

What exactly are you asking me to do here?  Make the binary not setuid?

Comment 3 Karel Klíč 2011-08-08 15:59:45 UTC

Yes, a solution is to make the binary not setuid in the build root (in the build script or %compile section of the spec file), and set the setuid flag only in the %files section. This way the debug sections can be properly extracted into debuginfo package.

Thanks.

Comment 4 Nalin Dahyabhai 2011-08-08 21:48:26 UTC

That sounds like a workaround for a problem with how we're doing the buildroot policy, but it's doable.

Comment 10 errata-xmlrpc 2011-12-06 17:37:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1707.html

Note You need to log in before you can comment on or make changes to this bug.