[Pkg-freeipa-devel] Bug#1017867: libapache2-mod-auth-gssapi: Undefined behaviour when compiled with OpenSSL 3 library
Stefan Fleischmann
sfle at kth.se
Sun Aug 21 20:12:45 BST 2022
Package: libapache2-mod-auth-gssapi
Version: 1.6.3-1+b1
Severity: important
Tags: patch
Dear Maintainer,
the package produces undefined behavior when compiled with OpenSSL 3
(instead of OpenSSL 1.1). The bug has been noticed and fixed upstream,
see: https://github.com/gssapi/mod_auth_gssapi/pull/256
I'm not qualified to say if this results in a security vulnerability,
but the results I see look suspicious imho.
I noticed this when testing installation of the latest FreeIPA release
on Ubuntu 22.04 and Debian. After successful installation I could not
log in to the web UI. The Apache error log showed lines like these:
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser at EXA) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser at EXA) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser at EXA:12:29:50 +000) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser at EXA) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
Note the mangled KRB5CCNAME file name that contains parts of seemingly
random other strings. I've also seen for example:
/run/ipa/ccaches/myuser at EXA\x95\xaa\xa6\t\x80 D\n\xef\xe2\xde\xf6\xa2\xce
/run/ipa/ccaches/myuser at EXAMozilla/5.0 (X
/run/ipa/ccaches/myuser at EXAa/session/logi
Valid filenames look like this:
/run/ipa/ccaches/myuser at EXAMPLE.ORG-tBzEry
/run/ipa/ccaches/myuser at EXAMPLE.ORG-3wYfMK
I've confirmed that the merge request mentioned above (#256) fixes the
problem at least to the point where the logs look okay and I can log in
to the web UI.
Best regards,
Stefan
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-100-generic (SMP w/20 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libapache2-mod-auth-gssapi depends on:
ii apache2-bin [apache2-api-20120211] 2.4.54-2
ii libc6 2.34-3
ii libgssapi-krb5-2 1.20-1
ii libssl3 3.0.5-2
libapache2-mod-auth-gssapi recommends no packages.
libapache2-mod-auth-gssapi suggests no packages.
-- no debconf information
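
A triage check for the symptom described in this report, added here as an example (it is not part of the original message or of mod_auth_gssapi): it scans Apache error-log lines for KRB5CCNAME lookup failures and flags ccache names that are truncated or carry foreign bytes. The rule that a valid name ends in `-` plus six alphanumerics is an assumption inferred from the two valid names quoted above, live logs are assumed to show `@` where this archive copy shows ` at `, and the sample lines are constructed.

```python
import re

# Message format taken from the error-log lines quoted in the report.
LOOKUP_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] KRB5CCNAME file \((?P<path>.*)\) lookup failed!"
)
# Assumption: a well-formed name is <user>@<REALM>-<6 alphanumerics>,
# inferred from the two valid examples in the report.
VALID_RE = re.compile(r"/run/ipa/ccaches/[^/@\s]+@[A-Za-z0-9.-]+-[A-Za-z0-9]{6}")
# Non-printable bytes show up in the log as \xNN escapes, as in the report.
ESCAPED_RE = re.compile(r"\\x[0-9a-fA-F]{2}")


def classify(path):
    """Return 'ok', 'escaped-bytes' or 'malformed' for a logged ccache path."""
    if VALID_RE.fullmatch(path):
        return "ok"
    if ESCAPED_RE.search(path):
        return "escaped-bytes"
    return "malformed"


def scan(lines):
    """Return (client, path, verdict) for each lookup failure with a bad name."""
    findings = []
    for line in lines:
        m = LOOKUP_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("path"))
        if verdict != "ok":
            findings.append((m.group("client"), m.group("path"), verdict))
    return findings


# Constructed sample lines modelled on the ones in the report.
SAMPLE = [
    "[client 192.0.2.10:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA) "
    "lookup failed!, referer: https://ipa.example.org/ipa/ui/",
    "[client 192.0.2.10:39170] KRB5CCNAME file "
    "(/run/ipa/ccaches/myuser@EXAMozilla/5.0 (X) lookup failed!",
    r"[client 192.0.2.10:39171] KRB5CCNAME file "
    r"(/run/ipa/ccaches/myuser@EXA\x95\xaa\xa6) lookup failed!",
    "[client 192.0.2.10:39172] KRB5CCNAME file "
    "(/run/ipa/ccaches/myuser@EXAMPLE.ORG-tBzEry) lookup failed!",
]

if __name__ == "__main__":
    for client, path, verdict in scan(SAMPLE):
        print(f"{verdict:14} {client:22} {path!r}")
```

A lookup failure with a well-formed name is deliberately not reported, since a missing but correctly named ccache file is a different problem from the name corruption described here.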