Package: libapache2-mod-auth-kerb
Version: 5.4-2.3
Severity: grave
Tags: patch upstream

Hi,

After upgrading to buster, mod_auth_kerb keeps on crashing Apache
(thus the grave severity), after printing

  double free or corruption (out)

This is indeed a use-after-free; verify_krb5_user gets in a keytab as a
parameter, and chooses to deallocate it even though the parent expects to
keep using it. I don't know why this didn't trigger as often in stretch,
although we've certainly seen mod_auth_kerb segfaults there as well
(especially with outdated keytabs).

The patch is trivial and can be found in upstream's bug tracker; just don't
deallocate the keytab in verify_krb5_user():

  https://sourceforge.net/p/modauthkerb/bugs/61/

This is not a leak, since the parent closes it itself, in all paths.
I've verified that it applies in Debian (just some changed line numbers)
and fixes the issue.

Please consider for a buster point release, in addition to unstable.
It makes mod_auth_kerb borderline unusable.

-- System Information:
Debian Release: 10.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.1.11 (SMP w/40 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.38-3
ii  krb5-config                         2.6
ii  libc6                               2.28-10
pn  libcomerr2                          <none>
ii  libgssapi-krb5-2                    1.17-3
ii  libk5crypto3                        1.17-3
ii  libkrb5-3                           1.17-3

libapache2-mod-auth-kerb recommends no packages.

libapache2-mod-auth-kerb suggests no packages.
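
The ownership bug described in the report above, as an added example that is not part of the original report or of mod_auth_kerb's code. It assumes a hypothetical mock keytab handle (mock_keytab, mock_kt_read, mock_kt_close, verify_user_buggy, verify_user_fixed are all invented names) that counts misuse instead of freeing memory, so the callee-closes-borrowed-handle pattern and its fix can be compared safely.

```c
#include <stdio.h>

/* Mock keytab handle (constructed for this example). It records misuse
 * instead of freeing memory, so the bug pattern can be observed safely. */
struct mock_keytab {
    int open;             /* 1 while the handle is valid */
    int close_calls;      /* how many times it was closed */
    int use_after_close;  /* reads attempted on a closed handle */
};

static void mock_kt_read(struct mock_keytab *kt) {
    if (!kt->open) kt->use_after_close++;
}

static void mock_kt_close(struct mock_keytab *kt) {
    kt->close_calls++;
    kt->open = 0;
}

/* Buggy shape: the callee releases a handle it was only lent. */
static int verify_user_buggy(struct mock_keytab *kt) {
    mock_kt_read(kt);
    mock_kt_close(kt);   /* not ours to close */
    return 1;
}

/* Fixed shape: the callee only borrows the handle. */
static int verify_user_fixed(struct mock_keytab *kt) {
    mock_kt_read(kt);
    return 1;
}

/* Parent owns the keytab: opens it, lends it, keeps using it, closes it.
 * Returns the number of ownership violations observed. */
int count_violations(int (*verify)(struct mock_keytab *)) {
    struct mock_keytab kt = { 1, 0, 0 };
    verify(&kt);
    mock_kt_read(&kt);    /* parent continues to use the keytab */
    mock_kt_close(&kt);   /* parent's own close, on every path */
    return kt.use_after_close + (kt.close_calls - 1);
}

int main(void) {
    printf("buggy: %d violations\n", count_violations(verify_user_buggy));
    printf("fixed: %d violations\n", count_violations(verify_user_fixed));
    return 0;
}
```

With a real allocator the two violations in the buggy variant correspond to the parent touching freed memory and then freeing it a second time, which is what glibc reports as "double free or corruption".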