From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Jan 28 21:10:01 2008
Message-Id: <200801282102.m0SL2NXx092917@khavrinen.csail.mit.edu>
Date: Mon, 28 Jan 2008 16:02:23 -0500 (EST)
From: Garrett Wollman
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/120101: security/krb5 utilities link against wrong libcom_err

>Number: 120101
>Category: ports
>Synopsis: security/krb5 utilities link against wrong libcom_err
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 28 21:10:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Garrett Wollman
>Release: FreeBSD 6.2-RELEASE-p3 amd64
>Organization: MIT
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #3: Mon Apr 9 08:34:19 EDT 2007 root@khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64

>Description:
krb5-1.6.3_4 builds both libraries and utilities. Among the libraries
included in the port is a version of the MIT Common Error library,
libcom_err. FreeBSD also includes this library as a part of the base
system.

It is important that the MIT Kerberos utilities, and other applications
using Kerberos, link against the correct version of libcom_err. If they
do not, or if they link against both com_err libraries, error messages
will not be displayed correctly.

>How-To-Repeat:
install krb5-1.6.3_4.

$ kadmin
Authenticating as principal wollman/admin@MYREALM.EXAMPLE.ORG with password.
Password for wollman/admin@MYREALM.EXAMPLE.ORG:
kadmin: getprinc unknownprincipal
get_principal: Unknown error: 43787532 while retrieving "unknownprincipal@MYREALM.EXAMPLE.ORG".

$ ldd -av `type -p kadmin`
/usr/local/sbin/kadmin:
    libkadm5clnt.so => /usr/local/lib/libkadm5clnt.so (0x800641000)
    libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800755000)
    libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/lib/libcom_err.so (0x800c69000)
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
    libc.so.6 => /lib/libc.so.6 (0x800e73000)
/usr/local/lib/libkadm5clnt.so:
    libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800755000)
    libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libgssrpc.so:
    libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libgssapi_krb5.so:
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libkrb5.so:
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libk5crypto.so:
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libcom_err.so:
    libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)

Note how all of the Kerberos libraries are linked against the correct
version of libcom_err.so (the one installed in /usr/local/lib), but
kadmin itself links against the wrong one.

>Fix:
Link the Kerberos utilities against the correct library. By preference,
also fix the lack of version numbering. (I think this may be
"intentional" on the part of the Kerberos developers as a result of
someone not understanding how shared library versioning is supposed to
work.)

Workaround: remove /usr/lib/libcom_err.so.

>Release-Note:
>Audit-Trail:
>Unformatted:
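
Added example, not part of the original report: a small sh/awk check that reads `ldd -a` output and reports any shared library name resolved to more than one file within one process image, the condition the report shows for libcom_err.so. The function name find_split_sonames and the abridged sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag sonames that a single process would load from two
# different files, given `ldd -a` output on stdin.

# Constructed sample, abridged from the ldd output in the report.
SAMPLE_LDD='/usr/local/sbin/kadmin:
    libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
    libcom_err.so => /usr/lib/libcom_err.so (0x800c69000)
    libc.so.6 => /lib/libc.so.6 (0x800e73000)
/usr/local/lib/libkrb5.so:
    libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
    libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)'

# find_split_sonames (hypothetical helper): prints one line per conflict,
#   <soname>: <path> (needed by <object>) <path> (needed by <object>) ...
# and exits 1 if any soname resolves to more than one path, else 0.
find_split_sonames() {
    awk '
        BEGIN { bad = 0 }
        /:$/ && !/=>/ {                  # "object:" header line
            object = substr($0, 1, length($0) - 1)
            next
        }
        $2 == "=>" {                     # "soname => path (address)"
            soname = $1; path = $3
            key = soname SUBSEP path
            if (!(key in seen)) {        # record each distinct path once
                seen[key] = 1
                if (!(soname in npaths)) order[++n] = soname
                npaths[soname]++
                detail[soname] = detail[soname] " " path " (needed by " object ")"
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (npaths[order[i]] > 1) {
                    print order[i] ":" detail[order[i]]
                    bad = 1
                }
            exit bad
        }
    '
}

# Run on the sample; on a live system: ldd -a /usr/local/sbin/kadmin | find_split_sonames
printf '%s\n' "$SAMPLE_LDD" | find_split_sonames || true
```

The non-zero exit status makes the function usable as a post-install check over every binary a package installs.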