Bug 729044 - Debuginfo package issues in krb5
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.1
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Blocks: 727919
Reported: 2011-08-08 11:20 EDT by Karel Klíč
Modified: 2013-03-03 18:03 EST
Fixed In Version: krb5-1.9-17.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 12:37:06 EST
Description Karel Klíč 2011-08-08 11:20:56 EDT
Several problems related to debuginfo were found in the krb5-1.9-9.el6_1.1 package. These issues might affect crash analysis done by Automatic Bug Reporting Tool and its retrace server, and also prevent proper debugging of crashes via GDB.

Debuginfo missing for binaries
------------------------------
A debuginfo file for a binary is not present in the debuginfo package. This might be caused by:
 - binary being compiled without debugging information
 - debugging information being removed from the binary by a build script
 - rpmbuild failing to extract debugging information from a binary in a buildroot because of permissions (e.g. suid binaries, binaries without executable flag set)

affected binary: /usr/bin/ksu
affected package: krb5-workstation-1.9-9.el6_1.1.i686
binary contains debug sections (debuginfo script failed to find/strip it)
affected binary file mode: 104755

This issue can be investigated by using the eu-readelf tool from the elfutils package. Use `eu-readelf --notes /path/to/binary` to get the build ID of a binary. Then check that the debuginfo package does not contain /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>, where <aa> are the first two chars of the build ID, and <bbbbbbbb> is the rest of it. It should be a symlink pointing back to the binary.

Source file missing in debuginfo package
----------------------------------------
Multiple source files that were used by the compiler to generate a binary are missing from the debuginfo package. This is usually caused by the build script creating temporary source files during the build and deleting them after usage, or by moving source files between directories. Missing source files in debuginfo packages make debugging of crashes more difficult.

debuginfo package: krb5-debuginfo-1.9-9.el6_1.1.i686
  debuginfo file: /usr/lib/debug/usr/sbin/kdb5_ldap_util.debug
    missing source: /usr/src/debug/krb5-1.9/src/plugins/kdb/ldap/ldap_util/y.tab.c
  debuginfo file: /usr/lib/debug/usr/bin/kadmin.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c
  debuginfo file: /usr/lib/debug/usr/sbin/kadmin.local.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c
  debuginfo file: /usr/lib/debug/usr/sbin/kdb5_util.debug
    missing source: /usr/src/debug/krb5-1.9/src/kadmin/cli/y.tab.c

Please consider changing the package build script (if that is the cause of this issue) to keep the source files in their compilation place, so rpmbuild can find them when generating the debuginfo package.

(This bug was detected and filed by a script.)
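
Added example, not part of the original bug report or of the krb5 packaging: a shell sketch of the check described above, which maps a build ID to its /usr/lib/debug/.build-id path, tests for the symlink, and flags a setuid mode such as the reported 104755. The function names are hypothetical, the `eu-readelf --notes` sample is constructed with a made-up build ID, and GNU `stat` is assumed.

```shell
# Added example; function names are hypothetical, sample data is constructed.
# Constructed sample of `eu-readelf --notes` output; the build ID is made up.
sample_notes() {
cat <<'EOF'
Note section [ 3] '.note.gnu.build-id' of 36 bytes at offset 0x174:
  Owner          Data size  Type
  GNU                   20  GNU_BUILD_ID
    Build ID: 0123456789abcdef0123456789abcdef01234567
EOF
}

# Read `eu-readelf --notes` output on stdin and print the build ID, if any.
build_id_from_notes() {
    sed -n 's/^[[:space:]]*Build ID:[[:space:]]*\([0-9a-fA-F]\{1,\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Map a build ID to /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>.
build_id_path() {
    [ "${#1}" -gt 2 ] || return 1
    rest=${1#??}
    printf '/usr/lib/debug/.build-id/%s/%s\n' "${1%"$rest"}" "$rest"
}

# True if an octal mode such as 104755 (from the report) has setuid (04000) set.
mode_is_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# True if the build-id symlink exists under ROOT ($1), the directory where the
# debuginfo package was unpacked (empty ROOT means the installed system).
debuginfo_link_present() {
    [ -L "$1$(build_id_path "$2")" ]
}

# Check one binary; the optional second argument is ROOT as above.
check_binary() {
    id=$(eu-readelf --notes "$1" | build_id_from_notes)
    [ -n "$id" ] || { echo "$1: no build ID note" >&2; return 2; }
    if debuginfo_link_present "${2:-}" "$id"; then
        echo "$1: debuginfo link present"
    else
        echo "$1: MISSING ${2:-}$(build_id_path "$id")"
        if mode_is_setuid "$(stat -c %a "$1")"; then echo "  binary is setuid"; fi
        return 1
    fi
}

# With no arguments, run on the constructed sample; otherwise check a binary.
if [ "$#" -ge 1 ]; then check_binary "$@"
else build_id_path "$(sample_notes | build_id_from_notes)"; fi
```

Run with a binary path, and optionally the directory where the debuginfo RPM was unpacked, to check a real file.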
Comment 2 Nalin Dahyabhai 2011-08-08 11:37:49 EDT
(In reply to comment #0)
> Several problems related to debuginfo were found in the krb5-1.9-9.el6_1.1
> package. These issues might affect crash analysis done by Automatic Bug
> Reporting Tool and its retrace server, and also prevent proper debugging of
> crashes via GDB.
> 
> Debuginfo missing for binaries
> ------------------------------
> A debuginfo file for a binary is not present in the debuginfo package. This
> might be caused by:
>  - binary being compiled without debugging information
>  - debugging information being removed from the binary by a build script
>  - rpmbuild failing to extract debugging information from a binary in a
> buildroot because of permissions (e.g. suid binaries, binaries without
> executable flag set)
> 
> affected binary: /usr/bin/ksu
> affected package: krb5-workstation-1.9-9.el6_1.1.i686
> binary contains debug sections (debuginfo script failed to find/strip it)
> affected binary file mode: 104755
> 
> This issue can be investigated by using the eu-readelf tool from the elfutils
> package. Use `eu-readelf --notes /path/to/binary` to get the build ID of a binary.
> Then check that the debuginfo package does not contain
> /usr/lib/debug/.build-id/<aa>/<bbbbbbbb>, where <aa> are the first two chars of
> the build ID, and <bbbbbbbb> is the rest of it. It should be a symlink pointing
> back to the binary.

What exactly are you asking me to do here?  Make the binary not setuid?
Comment 3 Karel Klíč 2011-08-08 11:59:45 EDT
Yes, a solution is to make the binary not setuid in the build root (in the build script or %compile section of the spec file), and set the setuid flag only in the %files section. This way the debug sections can be properly extracted into the debuginfo package.

Thanks.
Comment 4 Nalin Dahyabhai 2011-08-08 17:48:26 EDT
That sounds like a workaround for a problem with how we're doing the buildroot policy, but it's doable.
Comment 10 errata-xmlrpc 2011-12-06 12:37:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1707.html
