Re: [Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Sam Hartman 
> "Christian" == Christian Ehrhardt  <1955...@bugs.launchpad.net>
writes:

Christian> Reproducible in local autopkgtest

Let me make sure I'm understanding.
You are saying that  prior to penssl 3, the test works, but with
openssl3, the test fails?

What is the ssl version in the successful tests?
For example from the failing test we have:
OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

What's the txver from that message in the successful test?
Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version
in use for some annoying standardization reasons.

It looks like things are failing on the server side.
The autopkgtest produces the freeradius log (which is admittedly huge)
as a test artifact.
Could I get a pointer to a failing freeradius log?


I'm also going to bring this bug to the attention of Moonshot upstream.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955009

Title:
  Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1945795] [NEW] krb5: Fail to build against OpenSSL 3.0

2021-10-01 Thread Sam Hartman 
> "Simon" == Simon Chopin <1945...@bugs.launchpad.net> writes:
Simon> We're planning to transition to OpenSSL 3.0 for the 22.04
Simon> release, and consider this issue as blocking for this
Simon> transition.

I expect things to be fixed in Debian within the next couple of months.

I attach the upstream patch for this issue in case Ubuntu needs to move
faster than Debian.


** Patch added: "0001-Fix-softpkcs11-build-issues-with-openssl-3.0.patch"
   
https://bugs.launchpad.net/bugs/1945795/+attachment/5529874/+files/0001-Fix-softpkcs11-build-issues-with-openssl-3.0.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1945795

Title:
  krb5: Fail to build against OpenSSL 3.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1945795/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1885024] Re: systemd patch fixes: krb5kdc.log Read-only file system

2020-06-24 Thread Sam Hartman 
This is possibly a duplicate of 
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1874915 at least if you 
are using freeipa.
As shipped, krb5-kdc does not log to /var/log, but instead logs to syslog
My position is that since krb5's systemd configuration is correct for the 
shipped configuration, if you reconfigure your krb5-kdc to log somewhere, you 
should at that point reconfigure the systemd unit to permit writing to that log.
I point to the freeipa bug because freeipa reconfigures this for you but does 
not update the systemd configuration.

** Changed in: krb5 (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885024

Title:
  systemd patch fixes: krb5kdc.log Read-only file system

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1885024/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1874915] Re: krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only file system

2020-04-25 Thread Sam Hartman 
I'm going to push back on the reassignment to krb5.
I think this is a freeipa bug.
Kerberos's systemd service unit is correct for Kerberos.
freeipa is the one that is deciding it wants to change the Kerberos
logging configuration, and thus is the one that should adjust the
permissions.
Honestly I'd rather see this fixed by freeipa not messing around with
Kerberos configs so much, but especially not logging config.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1874915

Title:
  krb5kdc[27833]: Couldn't open log file /var/log/krb5kdc.log: Read-only
  file system

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1874915/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1817955] [NEW] Getting new "DN is out of the realm subtree" error on adding principal

2019-02-27 Thread Sam Hartman 
Yes, it is because of that change.
is the dn outside of the subtree?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1817955

Title:
  Getting new "DN is out of the realm subtree" error on adding principal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1817955/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1817376] Re: krb5-admin-server postinst has broken debconf if RUN_KADMIND set in /etc/default/krb5-admin-server

2019-02-26 Thread Sam Hartman 
Robie any chance I could get you to sync krb5 1.17-2 from Debian
unstable to disco?
It's probably not a big deal but there's no reason not to take the fix
into Disco.

> "Robie" == Robie Basak <1817...@bugs.launchpad.net> writes:

Robie> Thanks Clark and Sam.  Ubuntu doesn't support upgrade paths
Robie> that skip LTS releases. So, ignoring EOL releases, we only
Robie> need to consider Trusty->Xenial,
Xenial-> Bionic, Bionic->Cosmic and Cosmic->Disco. If only upgrading from 
1.12 is affected,
Robie> then from Ubuntu is Trusty->Xenial the only upgrade path
Robie> affected?

yes.

Robie> If so, is it just Xenial that we need to fix?


I was working with this a bit testing the upgrade from wheezy to buster
on the Debian side.  Wheezy is the only Debian release that is vaguely
extant where this could come up.
In my testing, Debconf didn't actually remove the template on an
upgrade.
So, The two cases where I found that I could reproduce the situation
Were:

* remove krb5-admin-server on the old release and install it on the new
  release (without doing an upgrade)

* Copy in a /etc/default/krb5-admin-server from another system.

Neither of those seems serious enough to backport a fix for.  I'd rather
wait until we get a better understanding of how this gets triggered
before doing any changes to xenial.  I agree though that if we need to
change any old release xenial is the only target.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1817376

Title:
  krb5-admin-server postinst has broken debconf if RUN_KADMIND set in
  /etc/default/krb5-admin-server

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1817376/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1817376] Re: krb5-admin-server postinst has broken debconf if RUN_KADMIND set in /etc/default/krb5-admin-server

2019-02-22 Thread Sam Hartman 
I think this is basically only a problem on upgrade from older versions of 
krb5, in particular from prior to the 1.12 era to the current packaging.
As part of adding support for systemd units, I decided to drop support for the 
run_kadmind variable, and bungled the upgrade path.
This is an issue for upgrades from trusty or precise to anything newer if you 
are running krb5-admin-server.
There's a very simple work around: remove run_kadmind from 
/etc/default/krb5-admin-server.
I'll fix for Debian shortly.
What Ubuntu versions is this worth doing a fix for?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1817376

Title:
  krb5-admin-server postinst has broken debconf if RUN_KADMIND set in
  /etc/default/krb5-admin-server

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1817376/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1817376] Re: krb5-admin-server postinst has broken debconf if RUN_KADMIND set in /etc/default/krb5-admin-server

2019-02-22 Thread Sam Hartman 
** Changed in: krb5 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1817376

Title:
  krb5-admin-server postinst has broken debconf if RUN_KADMIND set in
  /etc/default/krb5-admin-server

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1817376/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1793594] [NEW] IAKERB-HEADER "Realm" field incorrectly encoded as OCTET STRING

2018-09-21 Thread Sam Hartman 
So, is this a spec bug or an implementation bug.
Does the current behavior cause anything to break, or is it simply that
implementations have diverged from the spec in tagging of the string.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1793594

Title:
  IAKERB-HEADER "Realm" field incorrectly encoded as OCTET STRING

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1793594/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1791325] Re: freeipa server needs read access /var/lib/krb5kdc

2018-09-07 Thread Sam Hartman 
*** This bug is a duplicate of bug 1772447 ***
https://bugs.launchpad.net/bugs/1772447

I agree with Russ.
On the Debian side, I would not support a change to krb5-kdc to make
/var/lib/krb5kdc world readable.
I think putting the public cert in /etc/krb5kdc is fine: I can make a
case it's configuration not state.
If you don't like that, place it somewhere else under /var/lib.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1791325

Title:
  freeipa server needs read access /var/lib/krb5kdc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1791325/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1677881] Re: Missing dep8 tests

2018-07-06 Thread Sam Hartman 
Hi.
For whatever reason I'm not getting mail when an MP is opened in the
krb5 gitlab.
In general, i think Debian uses its BTS as  the todo system of record
moreso than gitlab MPs.  I know for myself and I suspect a lot of other
debian developers, a wishlist bug against a package would be the best
way for me to consider a patch.

That said, since  I'm also looking at launchpad, I've reviewed the MP.

Other than the license question I raised there, I think this is a great
thing to include.
I've been swamped by non-Debian life events, but I'm mostly through that
and will dedicate a day to catching up on Debian in the next couple of
weeks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677881

Title:
  Missing dep8 tests

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1677881/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-04-21 Thread Sam Hartman 
> "Joshua" == Joshua Powers  writes:

Joshua> If we want to fix this in zesty, then a release with only
Joshua> the bug fixes would be desired. That could be SRU'ed
Joshua> assuming it is not too big of a change such that it would
Joshua> limit the exposure to new issues or changes in
Joshua> features/functionality.

Hi.
I uploaded 1.15-2 to Debian experimental.
It includes two fixes to regressions from jessie (also regressions in
Ubuntu):
1) this bug -- OTP users don't work with DNS discovery

2) Another upstream issue where enhancements to the IPv6 support break
IPv4 only systems.
I haven't seen Debian reports of that issue, but code changes are
minimal and are easy to audit for impact.

I'm not volunteering to file the SRU paperwork on the Ubuntu side, but
I'm happy to provide technical assistance for anyone who wants to do
that.
I believve that a sync of 1.15-2 over 1.15-1 would be appropriate and in
terms of code change complexity would be within Ubuntu's policies.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1683237

Title:
  krb5-user: kinit fails for OTP user when using kdc discovery via DNS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-04-19 Thread Sam Hartman 
> "Joshua" == Joshua Powers  writes:

Joshua> If we want to fix this in zesty, then a release with only
Joshua> the bug fixes would be desired. That could be SRU'ed
Joshua> assuming it is not too big of a change such that it would
Joshua> limit the exposure to new issues or changes in
Joshua> features/functionality.

OK, I'll look at pulling a bugfix release into experimental now.  I sure
hope stretch releases before  17.10:-)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1683237

Title:
  krb5-user: kinit fails for OTP user when using kdc discovery via DNS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-04-19 Thread Sam Hartman 
I can put something in debian experimental if that makes the sync
easier.
So, you'd prefer just the Debian 1.15-1 with bug fixes rather than a
1.15.1?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1683237

Title:
  krb5-user: kinit fails for OTP user when using kdc discovery via DNS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1683237] Re: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-04-17 Thread Sam Hartman 
** Bug watch added: Debian Bug tracker #856307
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307

** Also affects: krb5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856307
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1683237

Title:
  krb5-user: kinit fails for OTP user when using kdc discovery via DNS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1683237/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1643708] Re: Add SPNEGO special case for NTLMSSP+MechListMIC

2017-01-20 Thread Sam Hartman 
> "Robie" == Robie Basak <1643...@bugs.launchpad.net> writes:

Robie> @Bruce Thank you for detailing your testing. In your test
Robie> suite, do you cover any interoperability with SPNEGO but
Robie> not-Windows, whether in integration or code path coverage?
Robie> That's the use case I'm concerned about - that someone will
Robie> come along and tell us that we regressed SPNEGO against
Robie> WebSphere or something because we focused on just testing
Robie> Windows.

Hi.
As I understand it, this is a backport of an upstream change.
It's always possible there is an interop regression.
In this instance though, given where the patch comes from originally,
and that it's been in upstream releases for a while, I think you're
relatively safe.
SPNEGO interop is really hard to test though; it's not something that
you can get good coverage for without a specific interoperability lab
and careful test plans.

I don't know if upstream has done that for this patch, although I do
have high confidence that people do interop tests against the upstream
version.

So, while I think your concern is reasonable, I'd urge you to consider
that you're setting a really high bar here for backporting a patch that
an interoperability-conscious upstream has vetted.
Yes, the MIT folks have messed up interop (just as everyone else), but
they are fairly careful and conservative.

If you do want to do interop testing, the interesting cases to cover
are:

* Initiator prefers Kerberos; other side does not support it

* Acceptor prefers Kerberos, initiator does not support it

* Initiator prefers NTLM and some non-Kerberos third mechanism

* Acceptor prefers NTLM, doesn't have Kerberos, but does have some third
  mechanism

I think setting all that up is a good week's worth of work with someone
who really knows what they are doing.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1643708

Title:
  Add SPNEGO special case for NTLMSSP+MechListMIC

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1643708/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1644595] Re: krb5-1.13.2+dfsg-5 source contains source subject to the aladdin license

2016-11-30 Thread Sam Hartman 
As a FYI, upstream has relicensed the file under their standard license
with permission from the author.
Coming to Debian soon.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1644595

Title:
  krb5-1.13.2+dfsg-5 source contains source subject to the aladdin
  license

To manage notifications about this bug go to:
https://bugs.launchpad.net/kerberos/+bug/1644595/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1629370] Re: PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

2016-09-30 Thread Sam Hartman 
I've forwarded this to upstream krbdev.mit.edu #8506
I don't know if this is pkcs 11 2.10 specific or specific to the backend in 
question, but it's worth having upstream take a look.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1629370

Title:
  PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1629370/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1623036] [NEW] Sync krb5 1.14.3+dfsg-2 (main) from Debian unstable (main)

2016-09-13 Thread Sam Hartman 
Public bug reported:

Please sync krb5 1.14.3+dfsg-2 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * Merge from Debian unstable.  Remaining changes:
- Fix uninitialized variable warning on ppc64el.

A revised version of this patch has been committed and included in the Debian 
release.
In addition, the Debian version includes a critical fix for KDCs running on 
32-bit systems.


Changelog entries since current yakkety version 1.14.3+dfsg-1ubuntu1:

krb5 (1.14.3+dfsg-2) UNRELEASED; urgency=medium

  * Fix gcc -O3, thanks Ben Kaduk/Steve Langasek, Closes: #833798
  * Fix kdb5_util create on 32-bit platforms, thanks Greg Hudson, Closes:
#834035

 -- Sam Hartman <hartm...@debian.org>  Mon, 05 Sep 2016 21:03:14 -0400

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1623036

Title:
  Sync krb5 1.14.3+dfsg-2 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1623036/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
> "Till" == Till Kamppeter <1592...@bugs.launchpad.net> writes:

Till> Build the package on the system which you have at hand (amd64,
Till> i386, ...), directing the build output into a file. Search
Till> through the output to see whther there are any compiler
Till> warnings and fix them all. With that done the package should
Till> build on ppc64el.

No, that won't work.
The issue is the ppc64el compiler is behaving differently than the amd64
compiler.
The warning would be an error on any platform.
It's not an warning on amd64, nor is it a warning for ppc64el in debian.

I've spent the time I have here.  On the Debian side I'd definitely take
a patch that added extra extranious initializations to pacify the
compiler.
I recommend that approach to avoid a divergence between ubuntu and
debian.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
Try this.  I've fixed the new instance of the error as well. Incremented
the version number so the patch has a different name, but you may not
want to do that if you end up uploading

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
** Patch added: "krb5_1.14.2+dfsg-1ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+attachment/4684544/+files/krb5_1.14.2+dfsg-1ubuntu2.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
I've replaced the debdiff with one that hopefully works.  I'm sorry for
spacing at the controls there.  Perhaps yearning for a simpler time:-)

** Patch added: "revised patch take 2"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+attachment/4684531/+files/krb5_1.14.2+dfsg-1ubuntu1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
O, sorry.
I knew that seemed simpler than it should have been:-)
Yeah, you could stick single-debian-patch in debian/source/options and
it would work, but I'll do it right.


** Patch removed: "krb5_1.14.2+dfsg-1ubuntu1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+attachment/4684512/+files/krb5_1.14.2+dfsg-1ubuntu1.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
Can I get you to try the attached debdiff and upload if it works (I am
not an ubuntu developer).  I don't have a ppc64el test environment.
This should either work or get us much closer.

** Patch added: "krb5_1.14.2+dfsg-1ubuntu1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+attachment/4684512/+files/krb5_1.14.2+dfsg-1ubuntu1.debdiff

** Changed in: krb5 (Ubuntu)
 Assignee: Sam Hartman (hartmans) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1592841] Re: FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
Looks simple; preparing fix

** Changed in: krb5 (Ubuntu)
 Assignee: (unassigned) => Sam Hartman (hartmans)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1592841] [NEW] FTBFS on ppc64el, blocks updates of all packages depending on krb5, for example CUPS

2016-06-15 Thread Sam Hartman 
Include a link to the buildlog and i'll take a look.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1592841

Title:
  FTBFS on ppc64el, blocks updates of all packages depending on krb5,
  for example CUPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1592841/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1590489] Re: Feature request: To allow Moonshot UI to also manage SAML ECP identities

2016-06-08 Thread Sam Hartman 
** Also affects: moonshot-ui
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1590489

Title:
  Feature request: To allow Moonshot UI to also manage SAML ECP
  identities

To manage notifications about this bug go to:
https://bugs.launchpad.net/moonshot-ui/+bug/1590489/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1581584] [NEW] Provide log file for krb5kdc by default

2016-05-13 Thread Sam Hartman 
I think it logs to syslog.
Are you seeing logging configuration that is failing because of the
systemd configuration, or are you saying that if the systemd
configuration is updated *and* a logging stanza is added it would log to
this file?

I would e xpect the kdc to log to /var/log/auth.log out of the box,
which I find intuitive.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1581584

Title:
  Provide log file for krb5kdc by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1581584/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1550470] [NEW] Sync krb5 1.13.2+dfsg-5 (main) from Debian unstable (main)

2016-02-26 Thread Sam Hartman 
Public bug reported:

Please sync krb5 1.13.2+dfsg-5 (main) from Debian unstable (main)

This includes a number of security updates (along with no other changes)
it would be good to pick up.

Changelog entries since current xenial version 1.13.2+dfsg-4:

krb5 (1.13.2+dfsg-5) unstable; urgency=high

  *  Security Update
  * Verify decoded kadmin C strings [CVE-2015-8629]
CVE-2015-8629: An authenticated attacker can cause kadmind to read
beyond the end of allocated memory by sending a string without a
terminating zero byte. Information leakage may be possible for an
attacker with permission to modify the database. (Closes: #813296)
  * Check for null kadm5 policy name [CVE-2015-8630]
CVE-2015-8630: An authenticated attacker with permission to modify a
principal entry can cause kadmind to dereference a null pointer by
supplying a null policy value but including KADM5_POLICY in the mask.
(Closes: #813127)
  * Fix leaks in kadmin server stubs [CVE-2015-8631]
CVE-2015-8631: An authenticated attacker can cause kadmind to leak
memory by supplying a null principal name in a request which uses one.
Repeating these requests will eventually cause kadmind to exhaust all
available memory. (Closes: #813126)


 -- Sam Hartman <hartm...@debian.org>  Tue, 23 Feb 2016 08:54:09 -0500

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1550470

Title:
  Sync krb5 1.13.2+dfsg-5 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1550470/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1550470] [NEW] Sync krb5 1.13.2+dfsg-5 (main) from Debian unstable (main)

2016-02-26 Thread Sam Hartman 
Public bug reported:

Please sync krb5 1.13.2+dfsg-5 (main) from Debian unstable (main)

This includes a number of security updates (along with no other changes)
it would be good to pick up.

Changelog entries since current xenial version 1.13.2+dfsg-4:

krb5 (1.13.2+dfsg-5) unstable; urgency=high

  *  Security Update
  * Verify decoded kadmin C strings [CVE-2015-8629]
CVE-2015-8629: An authenticated attacker can cause kadmind to read
beyond the end of allocated memory by sending a string without a
terminating zero byte. Information leakage may be possible for an
attacker with permission to modify the database. (Closes: #813296)
  * Check for null kadm5 policy name [CVE-2015-8630]
CVE-2015-8630: An authenticated attacker with permission to modify a
principal entry can cause kadmind to dereference a null pointer by
supplying a null policy value but including KADM5_POLICY in the mask.
(Closes: #813127)
  * Fix leaks in kadmin server stubs [CVE-2015-8631]
CVE-2015-8631: An authenticated attacker can cause kadmind to leak
memory by supplying a null principal name in a request which uses one.
Repeating these requests will eventually cause kadmind to exhaust all
available memory. (Closes: #813126)


 -- Sam Hartman <hartm...@debian.org>  Tue, 23 Feb 2016 08:54:09 -0500

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1550470

Title:
  Sync krb5 1.13.2+dfsg-5 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1550470/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1438483] [NEW] Sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian unstable (main)

2015-03-30 Thread Sam Hartman 
Public bug reported:

Please sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian
unstable (main)

This version addresses two critical problems which will effect ubuntu users.
-These are not filed in launchpad, but were debian bugs.
The first is that if an application using moonshot-gss-eap deletes a security 
context (read closes a session) all uses of openssl in the same process break.

The second is that there's a parsing bug that prevents credentials issued by 
the world's only production Moonshot service (JISC Assent) from being used.
While Ubuntu users are free to set up their own moonshot services, we know that 
several sites in the target customer base of JISC Assent do use Ubuntu and we'd 
like moonshot-gss-eap in Ubuntu to work for them.

I've included a debdiff to illustrate that the changes are small and
well-contained.

Changelog entries since current vivid version 0.9.2-3:

moonshot-gss-eap (0.9.2-3+deb8u1) unstable; urgency=medium

  * Incorporate upstream deltas:
  - 6dbf073: Allow white space in CA certificates, Closes: #781312
  - 90f04c98: Don't shut down openssl on last context deletion,
Closes: #781311

 -- Sam Hartman hartm...@debian.org  Fri, 27 Mar 2015 08:16:18 -0400

diff --git a/debian/changelog b/debian/changelog
index 5aa07bc..3027275 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+moonshot-gss-eap (0.9.2-3+deb8u1) unstable; urgency=medium
+
+  * Incorporate upstream deltas:
+  - 6dbf073: Allow white space in CA certificates, Closes: #781312
+  - 90f04c98: Don't shut down openssl on last context deletion,
+Closes: #781311
+
+ -- Sam Hartman hartm...@debian.org  Fri, 27 Mar 2015 08:16:18 -0400
+
 moonshot-gss-eap (0.9.2-3) unstable; urgency=medium
 
   * Review security of libeap/wpa_supplicant and send mail to security
diff --git a/libeap/src/crypto/tls_openssl.c b/libeap/src/crypto/tls_openssl.c
index c0a40f9..d155c09 100644
--- a/libeap/src/crypto/tls_openssl.c
+++ b/libeap/src/crypto/tls_openssl.c
@@ -767,13 +767,7 @@ void tls_deinit(void *ssl_ctx)
 
tls_openssl_ref_count--;
if (tls_openssl_ref_count == 0) {
-#ifndef OPENSSL_NO_ENGINE
-   ENGINE_cleanup();
-#endif /* OPENSSL_NO_ENGINE */
-   CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
-   ERR_free_strings();
-   EVP_cleanup();
os_free(tls_global);
tls_global = NULL;
}
diff --git a/mech_eap/util_base64.c b/mech_eap/util_base64.c
index aaa1ea8..0ec1cdc 100644
--- a/mech_eap/util_base64.c
+++ b/mech_eap/util_base64.c
@@ -124,9 +124,15 @@ base64Decode(const char *str, void *data)
 q = data;
 p = str;
 
-while (*p  *p  (*p == '=' || strchr(base64_chars, *p))) {
-   unsigned int val = token_decode(p);
-   unsigned int marker = (val  24)  0xff;
+while (*p  (*p == '=' || strchr(base64_chars, *p) || isspace(*p))) {
+   unsigned int val; 
+   unsigned int marker; 
+   if (isspace(*p)) {
+p++;
+continue;
+}
+val = token_decode(p);
+marker = (val  24)  0xff;
if (val == DECODE_ERROR)
return -1;
*q++ = (val  16)  0xff;
@@ -135,8 +141,6 @@ base64Decode(const char *str, void *data)
if (marker  1)
*q++ = val  0xff;
p += 4;
-   if (*p == '\n')
-   p++;
 }
 return q - (unsigned char *) data;
 }
diff --git a/mech_eap/util_moonshot.c b/mech_eap/util_moonshot.c
index ce05322..68537a3 100644
--- a/mech_eap/util_moonshot.c
+++ b/mech_eap/util_moonshot.c
@@ -241,8 +241,7 @@ libMoonshotResolveInitiatorCred(OM_uint32 *minor,
 
 blobLength = base64Decode(caCertificate, blobData);
 
-if ((blobLength = 0) ||
-(blobLength  maxLength - 2)) {
+if (blobLength = 0) {
 major = GSS_S_DEFECTIVE_CREDENTIAL;
 *minor = GSSEAP_BAD_CACERTIFICATE;
 GSSEAP_FREE(blobData);

** Affects: moonshot-gss-eap (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1438483

Title:
  Sync moonshot-gss-eap 0.9.2-3+deb8u1 (universe) from Debian unstable
  (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/moonshot-gss-eap/+bug/1438483/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1334052] Re: package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch: no) kann nicht zusammen mit libkadm5srv-mit8 insta

2014-10-06 Thread Sam Hartman 
To test:

Install precise.
On precise, enable multiple architectures (say amd64 and i386)
install libkadm5srv-mit8.

Update your sources.list to trusty, try installing libkadm5srv-mit8.
I'd expect that to fail.

Update your sources.list to also include trusty-proposed.
Upgrade libkadm5srv-mit8; I'd expect that to succeed.

I've phrased that in terms of manually changing sources.list rather than
using the release upgrader, because I don't know how to do a release
upgrade with proposed enabled.  If there's an easy way to do that, then
I'd expect the following to work:

Install precise including both amd64 and i386 and install
libkadm5srv-mit8.
Do a release upgrade.
I'd expect it to fail.

Install precise including both amd64 and i386.  Install
libkadm5srv-mit8.  Do a release upgrade to trusty with proposed enabled.
I'd expect that to succeed.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1334052

Title:
  package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to
  install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch:
  no) kann nicht zusammen mit libkadm5srv-mit8 installiert werden,
  welches mehrere installierte Instanzen hat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1334052/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1334052] Re: package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch: no) kann nicht zusammen mit libkadm5srv-mit8 insta

2014-10-06 Thread Sam Hartman 
To test:

Install precise.
On precise, enable multiple architectures (say amd64 and i386)
install libkadm5srv-mit8.

Update your sources.list to trusty, try installing libkadm5srv-mit8.
I'd expect that to fail.

Update your sources.list to also include trusty-proposed.
Upgrade libkadm5srv-mit8; I'd expect that to succeed.

I've phrased that in terms of manually changing sources.list rather than
using the release upgrader, because I don't know how to do a release
upgrade with proposed enabled.  If there's an easy way to do that, then
I'd expect the following to work:

Install precise including both amd64 and i386 and install
libkadm5srv-mit8.
Do a release upgrade.
I'd expect it to fail.

Install precise including both amd64 and i386.  Install
libkadm5srv-mit8.  Do a release upgrade to trusty with proposed enabled.
I'd expect that to succeed.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1334052

Title:
  package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to
  install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch:
  no) kann nicht zusammen mit libkadm5srv-mit8 installiert werden,
  welches mehrere installierte Instanzen hat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1334052/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-10-02 Thread Sam Hartman 
I enabled proposed, confirmed that as I described in the initial test case 
gss-server segfaults with 1.12+dfsg-2ubuntu4.  Then I installed 
libgssapi-krb5-2 from trusty-proposed.  That pulled in most of the other krb5 
packages as I'd expect all version 1.12+dfsg-2ubuntu5.
I ran gss-server and it worked fine.  That is, ubuntu5 fixes my problem.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-10-02 Thread Sam Hartman 
** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-10-02 Thread Sam Hartman 
I enabled proposed, confirmed that as I described in the initial test case 
gss-server segfaults with 1.12+dfsg-2ubuntu4.  Then I installed 
libgssapi-krb5-2 from trusty-proposed.  That pulled in most of the other krb5 
packages as I'd expect all version 1.12+dfsg-2ubuntu5.
I ran gss-server and it worked fine.  That is, ubuntu5 fixes my problem.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-10-02 Thread Sam Hartman 
** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1347147] Re: krb5 database operations enter infinite loop

2014-10-01 Thread Sam Hartman 
 Iain == Iain Lane i...@orangesquash.org.uk writes:

Iain Thanks Sam, I've uploaded krb5.  ** Changed in: krb5 (Ubuntu
Iain Trusty) Status: Triaged = In Progress

Hi.
I haven't seen this hit proposed yet.
Is that expected?  What is the next step?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1347147] Re: krb5 database operations enter infinite loop

2014-10-01 Thread Sam Hartman 
 Iain == Iain Lane i...@orangesquash.org.uk writes:

Iain Thanks Sam, I've uploaded krb5.  ** Changed in: krb5 (Ubuntu
Iain Trusty) Status: Triaged = In Progress

Hi.
I haven't seen this hit proposed yet.
Is that expected?  What is the next step?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1363980] Re: kadmin.local in wrong package

2014-09-04 Thread Sam Hartman 
Hi.  Here's the rationale behind the krb5-kdc krb5-kadmin-server split.
The krb5-kdc package includes the things you'd need on a traditional slave KDC. 
 One of the key things about a slave KDC is that the database is read-only.  
The slave is not making any changes to the database, locally or otherwise.
So, kadmin.local does not belong on a slave KDC.
However krb5-admin-server includes the stuff you need for a master KDC: local 
administration tools, the admin server, etc.
I'd be interested in documentation/description suggestions if this could be 
made more clear.

However, I would not support changing the binary location in Debian.

** Changed in: krb5 (Ubuntu)
   Status: New = Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1363980

Title:
  kadmin.local in wrong package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1363980/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1363980] Re: kadmin.local in wrong package

2014-09-04 Thread Sam Hartman 
Hi.  Here's the rationale behind the krb5-kdc krb5-kadmin-server split.
The krb5-kdc package includes the things you'd need on a traditional slave KDC. 
 One of the key things about a slave KDC is that the database is read-only.  
The slave is not making any changes to the database, locally or otherwise.
So, kadmin.local does not belong on a slave KDC.
However krb5-admin-server includes the stuff you need for a master KDC: local 
administration tools, the admin server, etc.
I'd be interested in documentation/description suggestions if this could be 
made more clear.

However, I would not support changing the binary location in Debian.

** Changed in: krb5 (Ubuntu)
   Status: New = Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1363980

Title:
  kadmin.local in wrong package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1363980/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-08-12 Thread Sam Hartman 
Here's an ubdated debdiff that includes the security update applied to
trusty.  I'm still waiting for a sponsor for this.

** Patch removed: debdiff between current trusty and linked branch
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1347147/+attachment/4166949/+files/krb5-trusty-stable.debdiff

** Patch added: Debdiff of lp:~hartmans/ubuntu/trusty/krb5/gss-infinite-loop
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1347147/+attachment/4175346/+files/krb5_1.12%2Bdfsg-2ubuntu5.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1347147] Re: krb5 database operations enter infinite loop

2014-08-12 Thread Sam Hartman 
 Robie == Robie Basak 1347...@bugs.launchpad.net writes:

Robie Thanks Sam. I'm sorry I can't sponsor krb5, only triage the
Robie bug and guide it through to sponsorship. It looks like you
Robie know what you're doing here, so I guess we'll just need to
Robie wait for a sponsor to look at it. I can see that it's in the
Robie queue and working its way up.

Actually, your reassurance that we've done the right things process wise
is really helpful.
I've been involved in Debian for over 10 years but haven't done a huge
bunch of stuff with Ubuntu so I'm mostly just reading the wikis and
trying to figure it out:-)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-08-12 Thread Sam Hartman 
Here's an ubdated debdiff that includes the security update applied to
trusty.  I'm still waiting for a sponsor for this.

** Patch removed: debdiff between current trusty and linked branch
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1347147/+attachment/4166949/+files/krb5-trusty-stable.debdiff

** Patch added: Debdiff of lp:~hartmans/ubuntu/trusty/krb5/gss-infinite-loop
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1347147/+attachment/4175346/+files/krb5_1.12%2Bdfsg-2ubuntu5.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1347147] Re: krb5 database operations enter infinite loop

2014-08-12 Thread Sam Hartman 
 Robie == Robie Basak 1347...@bugs.launchpad.net writes:

Robie Thanks Sam. I'm sorry I can't sponsor krb5, only triage the
Robie bug and guide it through to sponsorship. It looks like you
Robie know what you're doing here, so I guess we'll just need to
Robie wait for a sponsor to look at it. I can see that it's in the
Robie queue and working its way up.

Actually, your reassurance that we've done the right things process wise
is really helpful.
I've been involved in Debian for over 10 years but haven't done a huge
bunch of stuff with Ubuntu so I'm mostly just reading the wikis and
trying to figure it out:-)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1354714] Re: buffer overrun in kadmind with ldap backend

2014-08-09 Thread Sam Hartman 
This is fixed in Debian in 1.12.1+dfsg-87, currently in unstable.  The
only change between -6 (utopic) and -7 is the fix to this bug.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1354714

Title:
  buffer overrun in kadmind with ldap backend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1354714/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1354714] [NEW] buffer overrun in kadmind with ldap backend

2014-08-09 Thread Sam Hartman 
*** This bug is a security vulnerability ***

Public security bug reported:

Fix LDAP key data segmentation [CVE-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present.  After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array.  The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated.  Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: krb5 (Debian)
 Importance: Unknown
 Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-4345

** Bug watch added: Debian Bug tracker #757416
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757416

** Also affects: krb5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757416
   Importance: Unknown
   Status: Unknown

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1354714

Title:
  buffer overrun in kadmind with ldap backend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1354714/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1354714] [NEW] buffer overrun in kadmind with ldap backend

2014-08-09 Thread Sam Hartman 
*** This bug is a security vulnerability ***

Public security bug reported:

Fix LDAP key data segmentation [CVE-2014-4345]

For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno.  As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values.  Fix the loop to use
the correct kvno value.

CVE-2014-4345:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations.  An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present.  After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array.  The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.

Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated.  Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.

CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: krb5 (Debian)
 Importance: Unknown
 Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-4345

** Bug watch added: Debian Bug tracker #757416
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757416

** Also affects: krb5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757416
   Importance: Unknown
   Status: Unknown

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1354714

Title:
  buffer overrun in kadmind with ldap backend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1354714/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1354714] Re: buffer overrun in kadmind with ldap backend

2014-08-09 Thread Sam Hartman 
This is fixed in Debian in 1.12.1+dfsg-87, currently in unstable.  The
only change between -6 (utopic) and -7 is the fix to this bug.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1354714

Title:
  buffer overrun in kadmind with ldap backend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1354714/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1352438] [NEW] Sync krb5 1.12.1+dfsg-6 (main) from Debian unstable (main)

2014-08-04 Thread Sam Hartman 
Public bug reported:

Please sync krb5 1.12.1+dfsg-6 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * Merge from Debian unstable.  Remaining changes:
- debian/rules: force -O2 to work around build failure with -O3
  on ppc64el (see

The reason the package does not build with -O3 is that at -O3 gcc detects some 
potentially uninitialized variables.
Gcc seems to be incorrect about this, but I've included 
debian-local/0018-Quick-and-dirty-fix-to-building-O3.patch
to initialize these variables.
With this patch the package builds -O3 and so the delta can be dropped.

I'd like to get the changes into utopic to fix LP: 1347147 and to
include the CVE fixes.


Changelog entries since current utopic version 1.12.1+dfsg-3ubuntu1:

krb5 (1.12.1+dfsg-6) unstable; urgency=medium

  [ Benjamin Kaduk ]
  * Apply upstream's patch to switch to TAILQ macros instead of CIRCLEQ macros,
to work around an issue with certain gcc versions.  This is expected to
resolve Ubuntu bug (LP: #1347147).

  [ Sam Hartman ]
  * Include a quick and dirty patch so we build cleanly with -O3 fixing
incorrect may be uninitialized warnings.

 -- Benjamin Kaduk ka...@mit.edu  Tue, 29 Jul 2014 17:05:37 -0400

krb5 (1.12.1+dfsg-5) unstable; urgency=high

  * Apply upstream patches for CVE-2014-4343, CVE-2014-4344, Closes: #755520,
Closes: #755521

 -- Benjamin Kaduk ka...@mit.edu  Mon, 21 Jul 2014 17:27:10 -0400

krb5 (1.12.1+dfsg-4) unstable; urgency=high

  * Apply upstream patch for CVE-2014-4341, CVE-2014-4342, Closes: #753624,
Closes: #753625

 -- Benjamin Kaduk ka...@mit.edu  Fri, 11 Jul 2014 13:43:19 -0400

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1352438

Title:
  Sync krb5 1.12.1+dfsg-6 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1352438/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-08-04 Thread Sam Hartman 
I've request a krb5 sync from debian unstable in
https://bugs.launchpad.net/bugs/1352438 that should fix this issue and
include some needed security fixes in utopic.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1352438] [NEW] Sync krb5 1.12.1+dfsg-6 (main) from Debian unstable (main)

2014-08-04 Thread Sam Hartman 
Public bug reported:

Please sync krb5 1.12.1+dfsg-6 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * Merge from Debian unstable.  Remaining changes:
- debian/rules: force -O2 to work around build failure with -O3
  on ppc64el (see

The reason the package does not build with -O3 is that at -O3 gcc detects some 
potentially uninitialized variables.
Gcc seems to be incorrect about this, but I've included 
debian-local/0018-Quick-and-dirty-fix-to-building-O3.patch
to initialize these variables.
With this patch the package builds -O3 and so the delta can be dropped.

I'd like to get the changes into utopic to fix LP: 1347147 and to
include the CVE fixes.


Changelog entries since current utopic version 1.12.1+dfsg-3ubuntu1:

krb5 (1.12.1+dfsg-6) unstable; urgency=medium

  [ Benjamin Kaduk ]
  * Apply upstream's patch to switch to TAILQ macros instead of CIRCLEQ macros,
to work around an issue with certain gcc versions.  This is expected to
resolve Ubuntu bug (LP: #1347147).

  [ Sam Hartman ]
  * Include a quick and dirty patch so we build cleanly with -O3 fixing
incorrect may be uninitialized warnings.

 -- Benjamin Kaduk ka...@mit.edu  Tue, 29 Jul 2014 17:05:37 -0400

krb5 (1.12.1+dfsg-5) unstable; urgency=high

  * Apply upstream patches for CVE-2014-4343, CVE-2014-4344, Closes: #755520,
Closes: #755521

 -- Benjamin Kaduk ka...@mit.edu  Mon, 21 Jul 2014 17:27:10 -0400

krb5 (1.12.1+dfsg-4) unstable; urgency=high

  * Apply upstream patch for CVE-2014-4341, CVE-2014-4342, Closes: #753624,
Closes: #753625

 -- Benjamin Kaduk ka...@mit.edu  Fri, 11 Jul 2014 13:43:19 -0400

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1352438

Title:
  Sync krb5 1.12.1+dfsg-6 (main) from Debian unstable (main)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1352438/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-08-04 Thread Sam Hartman 
I've request a krb5 sync from debian unstable in
https://bugs.launchpad.net/bugs/1352438 that should fix this issue and
include some needed security fixes in utopic.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-07-31 Thread Sam Hartman 
** Description changed:

- In some conditions, propagating a kerberos database to a slave KDC server can 
stall.
+ In some conditions, propagating a kerberos database to a slave KDC server or 
performing other database operations can stall.  As we've investigated the 
issue, it looks like a database with more than a few hundred principals is very 
likely to run into this issue.
  This is due to a misoptimization by gcc 4.8 of the CIRCLEQ famliy of macros, 
apparently due to overzealous strict aliasing deductions.
  
  One case of this stall is reported at
  http://mailman.mit.edu/pipermail/kerberos/2014-July/020007.html (and the
  rest of the thread), and there is an entry in the upstream bugtracker at
  http://krbdev.mit.edu/rt/Ticket/Display.html?id=7860 .
  
  gcc 4.9 (as used in Debian unstable at present) is not believed to
  induce this problem.  Upstream has patched their code to use the TAILQ
  family of macros instead, as a workaround, but that workaround has not
  yet appeared in an upstream release:
  https://github.com/krb5/krb5/commit/26d8744129
  
+ A branch is linked including  this upstream work around and two other
+ patches to bugs already nominated for trusty applied to the krb5 in
+ trusty.  We believe the impact is significant because this is likely to
+ be a problem for sites with a large database running trusty.  The
+ regression potential is very small.  The upstream work around changes
+ from one family of queue macros that are stable and well-tested to
+ another.
+ 
+ For utopic, the simplest fix is to rebuild krb5 with the compiler
+ currently in utopic.  An alternative is to request that the Debian
+ maintainers (both monitoring this bug for such a request) upload the
+ upstream work around to Debian and sync that.  You could do an ubuntu-
+ specific upload but it seems undesirable to introduce a change between
+ Ubuntu and Debian when all the right parties are happy to avoid it.
+ 
  Because of the different compiler versions used on Debian and Ubuntu, I
  am filing this as an Ubuntu-specific bug.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1347147] Review of Bug 1347147 for nomination for a fix for trusty krb5

2014-07-31 Thread Sam Hartman 
hi.
If I'm understanding the SRU procedure correctly,
I think we need to get someone to review the referenced bug for
inclusion in trusty.

https://bugs.launchpad.net/gcc/+bug/1347147

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1347147] Review of Bug 1347147 for nomination for a fix for trusty krb5

2014-07-31 Thread Sam Hartman 
 Sam == Sam Hartman hartm...@debian.org writes:

Sam hi.  If I'm understanding the SRU procedure correctly, I think
Sam we need to get someone to review the referenced bug for
Sam inclusion in trusty.

Sorry, launchpad strips more mail headers than I thought it did.
That was sent to ubuntu-bugcontrol, cc'd to the bug.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-07-31 Thread Sam Hartman 
debdiff included

** Patch added: debdiff between current trusty and linked branch
   
https://bugs.launchpad.net/gcc/+bug/1347147/+attachment/4166949/+files/krb5-trusty-stable.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-07-31 Thread Sam Hartman 
** Description changed:

- In some conditions, propagating a kerberos database to a slave KDC server can 
stall.
+ In some conditions, propagating a kerberos database to a slave KDC server or 
performing other database operations can stall.  As we've investigated the 
issue, it looks like a database with more than a few hundred principals is very 
likely to run into this issue.
  This is due to a misoptimization by gcc 4.8 of the CIRCLEQ famliy of macros, 
apparently due to overzealous strict aliasing deductions.
  
  One case of this stall is reported at
  http://mailman.mit.edu/pipermail/kerberos/2014-July/020007.html (and the
  rest of the thread), and there is an entry in the upstream bugtracker at
  http://krbdev.mit.edu/rt/Ticket/Display.html?id=7860 .
  
  gcc 4.9 (as used in Debian unstable at present) is not believed to
  induce this problem.  Upstream has patched their code to use the TAILQ
  family of macros instead, as a workaround, but that workaround has not
  yet appeared in an upstream release:
  https://github.com/krb5/krb5/commit/26d8744129
  
+ A branch is linked including  this upstream work around and two other
+ patches to bugs already nominated for trusty applied to the krb5 in
+ trusty.  We believe the impact is significant because this is likely to
+ be a problem for sites with a large database running trusty.  The
+ regression potential is very small.  The upstream work around changes
+ from one family of queue macros that are stable and well-tested to
+ another.
+ 
+ For utopic, the simplest fix is to rebuild krb5 with the compiler
+ currently in utopic.  An alternative is to request that the Debian
+ maintainers (both monitoring this bug for such a request) upload the
+ upstream work around to Debian and sync that.  You could do an ubuntu-
+ specific upload but it seems undesirable to introduce a change between
+ Ubuntu and Debian when all the right parties are happy to avoid it.
+ 
  Because of the different compiler versions used on Debian and Ubuntu, I
  am filing this as an Ubuntu-specific bug.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1347147] Review of Bug 1347147 for nomination for a fix for trusty krb5

2014-07-31 Thread Sam Hartman 
hi.
If I'm understanding the SRU procedure correctly,
I think we need to get someone to review the referenced bug for
inclusion in trusty.

https://bugs.launchpad.net/gcc/+bug/1347147

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1347147] Review of Bug 1347147 for nomination for a fix for trusty krb5

2014-07-31 Thread Sam Hartman 
 Sam == Sam Hartman hartm...@debian.org writes:

Sam hi.  If I'm understanding the SRU procedure correctly, I think
Sam we need to get someone to review the referenced bug for
Sam inclusion in trusty.

Sorry, launchpad strips more mail headers than I thought it did.
That was sent to ubuntu-bugcontrol, cc'd to the bug.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1347147] Re: krb5 database operations enter infinite loop

2014-07-31 Thread Sam Hartman 
debdiff included

** Patch added: debdiff between current trusty and linked branch
   
https://bugs.launchpad.net/gcc/+bug/1347147/+attachment/4166949/+files/krb5-trusty-stable.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database operations enter infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1347147] Re: krb5 database propagation enters infinite loop

2014-07-30 Thread Sam Hartman 
I'm happy to upload a new krb5 to debian so you can sync it if you want
that approach.
I'm also happy if Ubuntu wants to go with a binary rebuild of krb5.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database propagation enters infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1347147] Re: krb5 database propagation enters infinite loop

2014-07-30 Thread Sam Hartman 
Please see https://launchpad.net/~hartmans/+archive/ubuntu/krb5  for
trusty packages that should fix the problem.

Can I get confirmation from Tom or someone else that without these
packages trusty fails the reproduce test in comment #1 and with them, it
succeeds the test proposed in comment #1?

I'm updating a branch I have for proposed trustry krb5 updates
(lp:~hartmans/ubuntu/trusty/krb5/gss-infinite-loop) to include this
patch.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database propagation enters infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1347147] Re: krb5 database propagation enters infinite loop

2014-07-30 Thread Sam Hartman 
I'm sorry, can I get someone to test the packages at
https://launchpad.net/~hartmans/+archive/ubuntu/ubuntu-fixes
not  the URI I gave in the previous message.
I pulled the wrong PPA off my home page.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database propagation enters infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1347147] Re: krb5 database propagation enters infinite loop

2014-07-30 Thread Sam Hartman 
I'm happy to upload a new krb5 to debian so you can sync it if you want
that approach.
I'm also happy if Ubuntu wants to go with a binary rebuild of krb5.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database propagation enters infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1347147] Re: krb5 database propagation enters infinite loop

2014-07-30 Thread Sam Hartman 
Please see https://launchpad.net/~hartmans/+archive/ubuntu/krb5  for
trusty packages that should fix the problem.

Can I get confirmation from Tom or someone else that without these
packages trusty fails the reproduce test in comment #1 and with them, it
succeeds the test proposed in comment #1?

I'm updating a branch I have for proposed trustry krb5 updates
(lp:~hartmans/ubuntu/trusty/krb5/gss-infinite-loop) to include this
patch.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database propagation enters infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1347147] Re: krb5 database propagation enters infinite loop

2014-07-30 Thread Sam Hartman 
I'm sorry, can I get someone to test the packages at
https://launchpad.net/~hartmans/+archive/ubuntu/ubuntu-fixes
not  the URI I gave in the previous message.
I pulled the wrong PPA off my home page.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1347147

Title:
  krb5 database propagation enters infinite loop

To manage notifications about this bug go to:
https://bugs.launchpad.net/gcc/+bug/1347147/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-07-17 Thread Sam Hartman 
With the upload of krb5 1.12.1+dfsg-3ubuntu1 to utopic, this is fixed in
utopic.  Any additional help I can provide getting this into trusty?

** Changed in: krb5 (Ubuntu)
   Status: Triaged = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-07-17 Thread Sam Hartman 
With the upload of krb5 1.12.1+dfsg-3ubuntu1 to utopic, this is fixed in
utopic.  Any additional help I can provide getting this into trusty?

** Changed in: krb5 (Ubuntu)
   Status: Triaged = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1334052] Re: package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch: no) kann nicht zusammen mit libkadm5srv-mit8 insta

2014-06-24 Thread Sam Hartman 
Since I'd really like to see  the gss infinite loop patch into trusty
I'm going to update the branch for that to also include this fix and
build packages.
Expect a branch link in a few minutes.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1334052

Title:
  package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to
  install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch:
  no) kann nicht zusammen mit libkadm5srv-mit8 installiert werden,
  welches mehrere installierte Instanzen hat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1334052/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1334052] Re: package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch: no) kann nicht zusammen mit libkadm5srv-mit8 installie

2014-06-24 Thread Sam Hartman 
See https://launchpad.net/~hartmans/+archive/ubuntu-fixes packages
building.  I had to upload with a different version number on the branch
because that ppa already had  a krb5 build.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1334052

Title:
  package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to
  install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch:
  no) kann nicht zusammen mit libkadm5srv-mit8 installiert werden,
  welches mehrere installierte Instanzen hat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1334052/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1334052] Re: package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch: no) kann nicht zusammen mit libkadm5srv-mit8 insta

2014-06-24 Thread Sam Hartman 
Since I'd really like to see  the gss infinite loop patch into trusty
I'm going to update the branch for that to also include this fix and
build packages.
Expect a branch link in a few minutes.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1334052

Title:
  package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to
  install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch:
  no) kann nicht zusammen mit libkadm5srv-mit8 installiert werden,
  welches mehrere installierte Instanzen hat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1334052/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1334052] Re: package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch: no) kann nicht zusammen mit libkadm5srv-mit8 installie

2014-06-24 Thread Sam Hartman 
See https://launchpad.net/~hartmans/+archive/ubuntu-fixes packages
building.  I had to upload with a different version number on the branch
because that ppa already had  a krb5 build.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1334052

Title:
  package libkadm5srv-mit8 1.10.1+dfsg-6.1ubuntu1 failed to
  install/upgrade: libkadm5srv-mit8:all 1.12+dfsg-2ubuntu4 (Multi-Arch:
  no) kann nicht zusammen mit libkadm5srv-mit8 installiert werden,
  welches mehrere installierte Instanzen hat

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1334052/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1332985] Re: Add the krb5-send-pr command to the ubuntu package

2014-06-22 Thread Sam Hartman 
** Changed in: krb5 (Ubuntu)
   Status: New = Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1332985

Title:
  Add the krb5-send-pr command to the ubuntu package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1332985/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1332985] Re: Add the krb5-send-pr command to the ubuntu package

2014-06-22 Thread Sam Hartman 
** Changed in: krb5 (Ubuntu)
   Status: New = Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1332985

Title:
  Add the krb5-send-pr command to the ubuntu package

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1332985/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] [NEW] libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
Public bug reported:

There's a bug fixed in krb5 1.12.1+dfsg-2 (just uploaded to Debian) where if a 
gss-api mechanism is dynamically loaded, and that mechanism uses symbols from 
libgssapi_krb5, and doesn't provide certain optional entry points added in krb5 
1.12, then calling one of those entry points will cause the mechglue to call 
itself.  This results in an endless loop and the process eventually crashes on 
stack exhaustion.
Unfortunately, one of the entry points, gss_add_cred_from is going to get 
called quite commonly.
So, this means that if you're using Ubuntu to develop a GSS-API mechanism or 
are installing a third party gss-api mechanism, things are going to crash, 
mostly whenever anyone tries to use gss-api as a server, regardless of whether 
they intended to use your application.

I'd like to see this fixed in trusty, so I'm giving a detailed repro below.  
Patch against trusty coming shortly.
Apologies that the repro is a bit involved; there's not a mechanism packaged in 
Ubuntu that easily exhibits this.  However, you really ought to be able to use 
Ubuntu to develop a GSS mechanism without crashing all your gss apps.

On a stock trusty system, first install the attached mech file as
/usr/etc/gss/mech (yes that's /usr/etc, not /etc) and then run the
following:

  sudo add-apt-repository  ppa:moonshot/daily
  sudo apt-get update
4  sudo apt-get  install bzr libkrb5-dev libradsec-dev   libssl-dev 
libjansson-dev autoconf automake libtool  build-essential
  bzr branch -r739 lp:moonshot
  cd moonshot/
  autoreconf  -i
  ./configure --without-opensaml --without-shibresolver
  make -j3
  sudo make install
  sudo apt-get install krb5-gss-samples
  gss-server host@localhost

This will segfault

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: Confirmed

** Attachment added: file to install as /usr/etc/gss/mech
   https://bugs.launchpad.net/bugs/1326500/+attachment/4125454/+files/mech

** Changed in: krb5 (Ubuntu)
   Status: New = Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
Marking confirmed because I started tracking this down based on a report
to the Moonshot project from Rhys Smith which ended up being this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1326500] libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
 Luke == Luke Howard lu...@padl.com writes:

Luke How about grabbing this commit from browserid: commit
Luke e51f544e6c0b92c88163d1b0f4ae110869abf070 Author: Luke Howard
Luke lu...@padl.com Date: Thu Oct 24 18:10:24 2013 -0700

That's something to consider for the specific case of moonshot.
However, the krb5 behavior is clearly broken, and   I'd like to see
Ubuntu pick up the Debian patch.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
I've built the linked branch in ppa:hartmans/ubuntu-fixes for trusty.
With these packages installed and the attached radsec.conf installed as 
/usr/local/etc/radsec.conf, then gss-server starts correctly as expected.
Without radsec.conf installed it prints an error about being unable to acquire 
credentials, which is also correct given that none of the available mechanisms 
can initialize as a server.

Once this gets picked up for utopic I'll look into what I need to do to put 
together an SRU template.
The patch is trivial and obviously an improvement over the existing code; it's 
also very unlikely the patch would have unintended side effects.

** Attachment added: install as /usr/local/etc/radsec.conf to reproduce fix
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+attachment/4125521/+files/radsec.conf

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
Here's the patch from debian krb5 1.12.1+dfsg-2

** Patch added: 0014-Do-not-loop-on-add_cred_from-and-other-new-methods.patch
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+attachment/4125522/+files/0014-Do-not-loop-on-add_cred_from-and-other-new-methods.patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
Marking confirmed because I started tracking this down based on a report
to the Moonshot project from Rhys Smith which ended up being this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] [NEW] libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
Public bug reported:

There's a bug fixed in krb5 1.12.1+dfsg-2 (just uploaded to Debian) where if a 
gss-api mechanism is dynamically loaded, and that mechanism uses symbols from 
libgssapi_krb5, and doesn't provide certain optional entry points added in krb5 
1.12, then calling one of those entry points will cause the mechglue to call 
itself.  This results in an endless loop and the process eventually crashes on 
stack exhaustion.
Unfortunately, one of the entry points, gss_add_cred_from is going to get 
called quite commonly.
So, this means that if you're using Ubuntu to develop a GSS-API mechanism or 
are installing a third party gss-api mechanism, things are going to crash, 
mostly whenever anyone tries to use gss-api as a server, regardless of whether 
they intended to use your application.

I'd like to see this fixed in trusty, so I'm giving a detailed repro below.  
Patch against trusty coming shortly.
Apologies that the repro is a bit involved; there's not a mechanism packaged in 
Ubuntu that easily exhibits this.  However, you really ought to be able to use 
Ubuntu to develop a GSS mechanism without crashing all your gss apps.

On a stock trusty system, first install the attached mech file as
/usr/etc/gss/mech (yes that's /usr/etc, not /etc) and then run the
following:

  sudo add-apt-repository  ppa:moonshot/daily
  sudo apt-get update
4  sudo apt-get  install bzr libkrb5-dev libradsec-dev   libssl-dev 
libjansson-dev autoconf automake libtool  build-essential
  bzr branch -r739 lp:moonshot
  cd moonshot/
  autoreconf  -i
  ./configure --without-opensaml --without-shibresolver
  make -j3
  sudo make install
  sudo apt-get install krb5-gss-samples
  gss-server host@localhost

This will segfault

** Affects: krb5 (Ubuntu)
 Importance: Undecided
 Status: Confirmed

** Attachment added: file to install as /usr/etc/gss/mech
   https://bugs.launchpad.net/bugs/1326500/+attachment/4125454/+files/mech

** Changed in: krb5 (Ubuntu)
   Status: New = Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1326500] libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
 Luke == Luke Howard lu...@padl.com writes:

Luke How about grabbing this commit from browserid: commit
Luke e51f544e6c0b92c88163d1b0f4ae110869abf070 Author: Luke Howard
Luke lu...@padl.com Date: Thu Oct 24 18:10:24 2013 -0700

That's something to consider for the specific case of moonshot.
However, the krb5 behavior is clearly broken, and   I'd like to see
Ubuntu pick up the Debian patch.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
Here's the patch from debian krb5 1.12.1+dfsg-2

** Patch added: 0014-Do-not-loop-on-add_cred_from-and-other-new-methods.patch
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+attachment/4125522/+files/0014-Do-not-loop-on-add_cred_from-and-other-new-methods.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1326500] Re: libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

2014-06-04 Thread Sam Hartman 
I've built the linked branch in ppa:hartmans/ubuntu-fixes for trusty.
With these packages installed and the attached radsec.conf installed as 
/usr/local/etc/radsec.conf, then gss-server starts correctly as expected.
Without radsec.conf installed it prints an error about being unable to acquire 
credentials, which is also correct given that none of the available mechanisms 
can initialize as a server.

Once this gets picked up for utopic I'll look into what I need to do to put 
together an SRU template.
The patch is trivial and obviously an improvement over the existing code; it's 
also very unlikely the patch would have unintended side effects.

** Attachment added: install as /usr/local/etc/radsec.conf to reproduce fix
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+attachment/4125521/+files/radsec.conf

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326500

Title:
  libgssapi-krb5-2: segfault when mechglue loops endlessly on call to
  gss_add_cred_from

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1326500/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1304403] Re: Precise to Trusty - all of main - fails: Broken transition from libkadm5srv-mit8 to libkadm5srv-mit9

2014-04-09 Thread Sam Hartman 
 Martin == Martin Pitt martin.p...@ubuntu.com writes:


No complains at all.
I was just hoping to learn from you guys.
I actually probably want this delta for  wheezy-jessie.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1304403

Title:
  Precise to Trusty - all of main - fails: Broken transition from
  libkadm5srv-mit8 to libkadm5srv-mit9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1304403/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1304403] Re: Precise to Trusty - all of main - fails: Broken transition from libkadm5srv-mit8 to libkadm5srv-mit9

2014-04-09 Thread Sam Hartman 
 Martin == Martin Pitt martin.p...@ubuntu.com writes:


No complains at all.
I was just hoping to learn from you guys.
I actually probably want this delta for  wheezy-jessie.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1304403

Title:
  Precise to Trusty - all of main - fails: Broken transition from
  libkadm5srv-mit8 to libkadm5srv-mit9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1304403/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1304403] Re: Precise to Trusty - all of main - fails: Broken transition from libkadm5srv-mit8 to libkadm5srv-mit9

2014-04-08 Thread Sam Hartman 
Not criticising here, but asking.
At a level deeper than it causes apt to work correctly, why is adding
replaces  a reasonable fix?
Nothing in libkdb5-7 actually replases libkadm5-mit8

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1304403

Title:
  Precise to Trusty - all of main - fails: Broken transition from
  libkadm5srv-mit8 to libkadm5srv-mit9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1304403/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1304403] Re: Precise to Trusty - all of main - fails: Broken transition from libkadm5srv-mit8 to libkadm5srv-mit9

2014-04-08 Thread Sam Hartman 
Not criticising here, but asking.
At a level deeper than it causes apt to work correctly, why is adding
replaces  a reasonable fix?
Nothing in libkdb5-7 actually replases libkadm5-mit8

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1304403

Title:
  Precise to Trusty - all of main - fails: Broken transition from
  libkadm5srv-mit8 to libkadm5srv-mit9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1304403/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-08 Thread Sam Hartman 
 Stefan == Stefan Paetow stefan.pae...@diamond.ac.uk writes:

Stefan Ok, I've reinstalled the moonshot libraries, the error has
Stefan gone away and there are no more segfaults.

OK.
So, if I'm understanding correctly the libgssapi-krb5-2 from my PPA did
fix the problem.
There was a segfault introduced by an update at the same time that was
unrelated to the ppa change.

If that's all correct, I think we have a solution to the precise
problem.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-08 Thread Sam Hartman 
 Stefan == Stefan Paetow stefan.pae...@diamond.ac.uk writes:

Stefan Ok, I've reinstalled the moonshot libraries, the error has
Stefan gone away and there are no more segfaults.

OK.
So, if I'm understanding correctly the libgssapi-krb5-2 from my PPA did
fix the problem.
There was a segfault introduced by an update at the same time that was
unrelated to the ppa change.

If that's all correct, I think we have a solution to the precise
problem.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-07 Thread Sam Hartman 
Did you update moonshot-gs-eap?,
There's a bad version the produce is that

Stefan Paetow stefan.pae...@diamond.ac.uk wrote:
Sam, I now get a segfault in gss-server:

Reading symbols from /usr/bin/gss-server...(no debugging symbols
found)...done.
(gdb) set args -verbose host@localhost
(gdb) run
Starting program: /usr/bin/gss-server -verbose host@localhost
[Thread debugging using libthread_db enabled]
Using host libthread_db library
/lib/x86_64-linux-gnu/libthread_db.so.1.

Program received signal SIGSEGV, Segmentation fault.
0x0001f136 in ?? ()
(gdb) bt
#0  0x0001f136 in ?? ()
#1  0x77bae8a1 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#2  0x77baaaee in gss_add_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#3  0x77bab187 in gss_acquire_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#4  0x77bca624 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#5  0x77bcadc8 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#6  0x77baabc3 in gss_add_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#7  0x77bab187 in gss_acquire_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#8  0x0040182e in ?? ()
#9  0x777fe76d in __libc_start_main () from
/lib/x86_64-linux-gnu/libc.so.6
#10 0x00401ad1 in ?? ()
#11 0x7fffe6c8 in ?? ()
#12 0x001c in ?? ()
#13 0x0003 in ?? ()
#14 0x7fffe90a in ?? ()
#15 0x7fffe91e in ?? ()
#16 0x7fffe927 in ?? ()
#17 0x in ?? ()
(gdb) quit
A debugging session is active.

Inferior 1 [process 1550] will be killed.

-- 
You received this bug notification because you are a member of Moonshot
Drivers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1231459

Title:
 Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-07 Thread Sam Hartman 
OK, that's probably the cause of the segfault.
I've deleted the broken packages from our debian and ubuntu archives.
Unfortunately getting fixed packages to reappear is a bit annoying at
the moment.
The packages in
http://repository.project-moonshot.org/debian-moonshot/pool/main/m/moonshot-gss-eap
now sholud be OK.
In particular the deb from April.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-07 Thread Sam Hartman 
Did you update moonshot-gs-eap?,
There's a bad version the produce is that

Stefan Paetow stefan.pae...@diamond.ac.uk wrote:
Sam, I now get a segfault in gss-server:

Reading symbols from /usr/bin/gss-server...(no debugging symbols
found)...done.
(gdb) set args -verbose host@localhost
(gdb) run
Starting program: /usr/bin/gss-server -verbose host@localhost
[Thread debugging using libthread_db enabled]
Using host libthread_db library
/lib/x86_64-linux-gnu/libthread_db.so.1.

Program received signal SIGSEGV, Segmentation fault.
0x0001f136 in ?? ()
(gdb) bt
#0  0x0001f136 in ?? ()
#1  0x77bae8a1 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#2  0x77baaaee in gss_add_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#3  0x77bab187 in gss_acquire_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#4  0x77bca624 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#5  0x77bcadc8 in ?? () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#6  0x77baabc3 in gss_add_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#7  0x77bab187 in gss_acquire_cred () from
/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#8  0x0040182e in ?? ()
#9  0x777fe76d in __libc_start_main () from
/lib/x86_64-linux-gnu/libc.so.6
#10 0x00401ad1 in ?? ()
#11 0x7fffe6c8 in ?? ()
#12 0x001c in ?? ()
#13 0x0003 in ?? ()
#14 0x7fffe90a in ?? ()
#15 0x7fffe91e in ?? ()
#16 0x7fffe927 in ?? ()
#17 0x in ?? ()
(gdb) quit
A debugging session is active.

Inferior 1 [process 1550] will be killed.

-- 
You received this bug notification because you are a member of Moonshot
Drivers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1231459

Title:
 Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-07 Thread Sam Hartman 
OK, that's probably the cause of the segfault.
I've deleted the broken packages from our debian and ubuntu archives.
Unfortunately getting fixed packages to reappear is a bit annoying at
the moment.
The packages in
http://repository.project-moonshot.org/debian-moonshot/pool/main/m/moonshot-gss-eap
now sholud be OK.
In particular the deb from April.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-05 Thread Sam Hartman 
Stefan, I've prepared packages that should fix the problem available at 
https://launchpad.net/~hartmans/+archive/ubuntu-fixes 
that page includes instructions on how to add the archive to your system.  
After you do that please update at least libgssapi-krb5-2 and let us know 
whether it fixes the problem.

Ubuntu review team, it turns out that the debian/saucy patch does not
apply to precise.  I've linked a branch of a proposed precise package.
Let me know if there's anything else I can do to assist the process.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-10-05 Thread Sam Hartman 
Stefan, I've prepared packages that should fix the problem available at 
https://launchpad.net/~hartmans/+archive/ubuntu-fixes 
that page includes instructions on how to add the archive to your system.  
After you do that please update at least libgssapi-krb5-2 and let us know 
whether it fixes the problem.

Ubuntu review team, it turns out that the debian/saucy patch does not
apply to precise.  I've linked a branch of a proposed precise package.
Let me know if there's anything else I can do to assist the process.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-09-26 Thread Sam Hartman 
Hi.  What's going on here is that it seems there are cases where on
process exit, ld.so will destruct the plugins before it destructs the
dlopening library.  So it sets m_inited to 0.  But as part of its
finalizer the library tries to clean up its resources, and dlcloses the
plugins.  Getting you this crash.  For Debian I've decided to leak the
library resource.

** Patch added: 0006-gssapi-never-unload-mechanisms.patch
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+attachment/3842357/+files/0006-gssapi-never-unload-mechanisms.patch

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1231459] Re: Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion `map-l_init_called' failed!

2013-09-26 Thread Sam Hartman 
Hi.  What's going on here is that it seems there are cases where on
process exit, ld.so will destruct the plugins before it destructs the
dlopening library.  So it sets m_inited to 0.  But as part of its
finalizer the library tries to clean up its resources, and dlcloses the
plugins.  Getting you this crash.  For Debian I've decided to leak the
library resource.

** Patch added: 0006-gssapi-never-unload-mechanisms.patch
   
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+attachment/3842357/+files/0006-gssapi-never-unload-mechanisms.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1231459

Title:
  Inconsistency detected by ld.so: dl-close.c: 759: _dl_close: Assertion
  `map-l_init_called' failed!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1231459/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

  1   2   3   >