Date: Mon, 28 Jan 2008 16:02:23 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/120101: security/krb5 utilities link against wrong libcom_err
Message-ID: <200801282102.m0SL2NXx092917@khavrinen.csail.mit.edu>
Resent-Message-ID: <200801282110.m0SLA0L8069154@freefall.freebsd.org>

>Number: 120101
>Category: ports
>Synopsis: security/krb5 utilities link against wrong libcom_err
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 28 21:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Garrett Wollman
>Release: FreeBSD 6.2-RELEASE-p3 amd64
>Organization:
MIT
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #3: Mon Apr 9 08:34:19 EDT 2007 root@khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64

>Description:
krb5-1.6.3_4 builds both libraries and utilities. Among the libraries included in the port is a version of the MIT Common Error library, libcom_err. FreeBSD also includes this library as a part of the base system.

It is important that the MIT Kerberos utilities, and other applications using Kerberos, link against the correct version of libcom_err. If they do not, or if they link against both com_err libraries, error messages will not be displayed correctly.

>How-To-Repeat:
install krb5-1.6.3_4.

$ kadmin
Authenticating as principal wollman/admin@MYREALM.EXAMPLE.ORG with password.
Password for wollman/admin@MYREALM.EXAMPLE.ORG:
kadmin: getprinc unknownprincipal
get_principal: Unknown error: 43787532 while retrieving "unknownprincipal@MYREALM.EXAMPLE.ORG".

$ ldd -av `type -p kadmin`
/usr/local/sbin/kadmin:
    libkadm5clnt.so => /usr/local/lib/libkadm5clnt.so (0x800641000)
    libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800755000)
    libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/lib/libcom_err.so (0x800c69000)
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
    libc.so.6 => /lib/libc.so.6 (0x800e73000)
/usr/local/lib/libkadm5clnt.so:
    libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800755000)
    libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libgssrpc.so:
    libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libgssapi_krb5.so:
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libkrb5.so:
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libk5crypto.so:
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libcom_err.so:
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)

Note how all of the Kerberos libraries are linked against the correct version of libcom_err.so (the one installed in /usr/local/lib), but kadmin itself links against the wrong one.

>Fix:
Link the Kerberos utilities against the correct library. By preference, also fix the lack of version numbering. (I think this may be "intentional" on the part of the Kerberos developers as a result of someone not understanding how shared library versioning is supposed to work.)

Workaround: remove /usr/lib/libcom_err.so.

>Release-Note:
>Audit-Trail:
>Unformatted:
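An added example, not part of the original report: a Python check that parses `ldd -a` output in the layout shown above and reports any library name that resolves to more than one file in the same process, which is the condition the report describes for libcom_err.so. The sample input is abridged from the report's own output; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: abridged from the `ldd -a` output quoted in the report.
SAMPLE = """\
/usr/local/sbin/kadmin:
    libkadm5clnt.so => /usr/local/lib/libkadm5clnt.so (0x800641000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libcom_err.so => /usr/lib/libcom_err.so (0x800c69000)
    libc.so.6 => /lib/libc.so.6 (0x800e73000)
/usr/local/lib/libkadm5clnt.so:
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libkrb5.so:
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
"""

OBJ = re.compile(r"^(/\S+):\s*$")  # "/path/to/object:" header line
DEP = re.compile(r"^\s+(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")


def parse_ldd_all(text):
    """Return {library name: {resolved path: [objects that requested it]}}."""
    resolved = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        m = OBJ.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEP.match(line)
        if m and current:
            resolved[m.group(1)][m.group(2)].append(current)
    return resolved


def split_resolutions(text):
    """Libraries whose name resolves to more than one file in one process."""
    return {name: {path: sorted(objs) for path, objs in paths.items()}
            for name, paths in parse_ldd_all(text).items() if len(paths) > 1}


if __name__ == "__main__":
    for name, paths in split_resolutions(SAMPLE).items():
        print(f"{name} resolves to {len(paths)} different files:")
        for path, objs in sorted(paths.items()):
            print(f"  {path}  <- {', '.join(objs)}")
```

To check an installed binary, pass the captured output of `ldd -a` for that binary to `split_resolutions` in place of `SAMPLE`.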