Bug 729044 - Debuginfo package issues in krb5
Summary: Debuginfo package issues in krb5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 727919
TreeView+ depends on / blocked
 
Reported: 2011-08-08 15:20 UTC by Karel Klíč
Modified: 2013-03-03 23:03 UTC (History)
4 users (show)

Fixed In Version: krb5-1.9-17.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 17:37:06 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1707 normal SHIPPED_LIVE krb5 bug fix update 2011-12-06 01:02:29 UTC

Description Karel Klíč 2011-08-08 15:20:56 UTC
Several problems related to debuginfo were found in the krb5-1.9-9.el6_1.1 package. These issues might affect crash analysis done by Automatic Bug Reporting Tool and its retrace server, and also prevent proper debugging of crashes via GDB.

Debuginfo missing for binaries
------------------------------
A debuginfo file for a binary is not present in the debuginfo package. This might be caused by:
 - binary being compiled without debugging information
 - debugging information being removed from the binary by a build script
 - rpmbuild failing to extract debugging information from a binary in a buildroot because of permissions (eg. suid binaries, binaries without executable flag set)

affected binary: /usr/bin/ksu
affected package: krb5-workstation-1.9-9.el6_1.1.i686
binary contains debug sections (debuginfo script failed to find/strip it)
affected binary file mode: 104755

This issue can be investigated by using eu-readelf tool from the elfutils package. Use `eu-readelf --notes /path/to/binary` to get build ID of a binary. Then check that the debuginfo package does not contain /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>, where <aa> are the first two chars of the build ID, and <bbbbbbbb> is the rest of it. It should be a symlink pointing back to the binary.

Source file missing in debuginfo package
----------------------------------------
Multiple source files that were used by the compiler to generate a binary are missing from the debuginfo package. This is usually caused by the build script creating temporary source files during the build and deleting them after usage, or by moving source files between directories. Missing source files in debuginfo packages make debugging of crashes more difficult.

debuginfo package: krb5-debuginfo-1.9-9.el6_1.1.i686
  debuginfo file: /usr/lib/debug/usr/sbin/kdb5_ldap_util.debug
    missing source: /usr/src/debug/krb5-1.9/src/plugins/kdb/ldap/ldap_util/y.tab.c
  debuginfo file: /usr/lib/debug/usr/bin/kadmin.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c
  debuginfo file: /usr/lib/debug/usr/sbin/kadmin.local.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c
  debuginfo file: /usr/lib/debug/usr/sbin/kdb5_util.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c

Please consider changing the package build script (if that is the cause of this issue) to keep the source files on their compilation place, so rpmbuild can find them when generating debuginfo package.

(This bug was detected and filed by a script.)

Comment 2 Nalin Dahyabhai 2011-08-08 15:37:49 UTC
(In reply to comment #0)
> Several problems related to debuginfo were found in the krb5-1.9-9.el6_1.1
> package. These issues might affect crash analysis done by Automatic Bug
> Reporting Tool and its retrace server, and also prevent proper debugging of
> crashes via GDB.
> 
> Debuginfo missing for binaries
> ------------------------------
> A debuginfo file for a binary is not present in the debuginfo package. This
> might be caused by:
>  - binary being compiled without debugging information
>  - debugging information being removed from the binary by a build script
>  - rpmbuild failing to extract debugging information from a binary in a
> buildroot because of permissions (eg. suid binaries, binaries without
> executable flag set)
> 
> affected binary: /usr/bin/ksu
> affected package: krb5-workstation-1.9-9.el6_1.1.i686
> binary contains debug sections (debuginfo script failed to find/strip it)
> affected binary file mode: 104755
> 
> This issue can be investigated by using eu-readelf tool from the elfutils
> package. Use `eu-readelf --notes /path/to/binary` to get build ID of a binary.
> Then check that the debuginfo package does not contain
> /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>, where <aa> are the first two chars of
> the build ID, and <bbbbbbbb> is the rest of it. It should be a symlink pointing
> back to the binary.

What exactly are you asking me to do here?  Make the binary not setuid?

Comment 3 Karel Klíč 2011-08-08 15:59:45 UTC
Yes, a solution is to make the binary not setuid in the build root (in the build script or %compile section of the spec file), and set the setuid flag only in the %files section. This way the debug sections can be properly extracted into debuginfo package.

Thanks.

Comment 4 Nalin Dahyabhai 2011-08-08 21:48:26 UTC
That sounds like a workaround for a problem with how we're doing the buildroot policy, but it's doable.

Comment 10 errata-xmlrpc 2011-12-06 17:37:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1707.html


Note You need to log in before you can comment on or make changes to this bug.