Package: krb5-kdc-ldap
Severity: normal
Tags: patch
Subject: krb5-kdc: kdb_ldap plugin crashes during kinit "user@DOMAIn" with
wrong case for "DOMAIn"
Package: krb5-kdc
Version: 1.9+dfsg-1+debug01
Severity: normal
At src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108, inside the
function "krb5_ldap_get_principal()":
If "is_principal_in_realm()" fails, the code does not properly initialize
the variable "st" (IE: with KRB5_KDB_NOENTRY or something) before calling
krb5_set_error_message().
This can happen if the realm is "EXAMPLE.COM" and somebody types:
kinit u...@exmample.com (IE: case is not quite right).
As a result, the krb5_ldap_get_principal() function returns 0 but leaves
the "client" pointer set to NULL.
When it returns out to src/kdc/do_as_req.c:211, the process_as_req() code
assumes that it succeeded, and promptly dereferences "client", causing a
crash.
The fix is to add a single line "st = KRB5_KDB_NOENTRY" into the file
ldap_principal2.c after this line:
if (is_principal_in_realm(ldap_context, searchfor) != 0) {
Cheers,
Kyle Moffett
P.S: Out of curiousity, is there some reason why there are not packages
for krb5-kdc-dbg and krb5-admin-server-dbg, etc? That would make this
kind of troubleshooting much easier in the future.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages krb5-kdc depends on:
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii krb5-config 2.2 Configuration files for Kerberos V
ii krb5-user 1.9+dfsg-1+debug01 Basic programs to authenticate usi
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libgssapi-krb5-2 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - k
ii libgssrpc4 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - G
ii libk5crypto3 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - C
ii libkadm5clnt-mit8 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - A
ii libkadm5srv-mit8 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - K
ii libkdb5-5 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - K
ii libkeyutils1 1.4-4 Linux Key Management Utilities (li
ii libkrb5-3 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries
ii libkrb5support0 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - S
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
krb5-kdc recommends no packages.
Versions of packages krb5-kdc suggests:
ii krb5-admin-server 1.9+dfsg-1+debug01 MIT Kerberos master server (kadmin
ii krb5-kdc-ldap 1.9+dfsg-1+debug01 MIT Kerberos key server (KDC) LDAP
pn openbsd-inetd | inet- <none> (no description available)
-- debconf information excluded
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable'), (500,
'stable-updates'), (500, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
