From wollman@khavrinen.csail.mit.edu  Mon Jan 28 21:02:24 2008
Message-Id: <200801282102.m0SL2NXx092917@khavrinen.csail.mit.edu>
Date: Mon, 28 Jan 2008 16:02:23 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
Reply-To: Garrett Wollman <wollman@khavrinen.csail.mit.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: security/krb5 utilities link against wrong libcom_err
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         120101
>Category:       ports
>Synopsis:       security/krb5 utilities link against wrong libcom_err
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 28 21:10:00 UTC 2008
>Closed-Date:    
>Last-Modified:  Wed Sep 28 05:10:13 UTC 2011
>Originator:     Garrett Wollman
>Release:        FreeBSD 6.2-RELEASE-p3 amd64
>Organization:
MIT
>Environment:
System: FreeBSD khavrinen.csail.mit.edu 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #3: Mon Apr 9 08:34:19 EDT 2007 root@khavrinen.csail.mit.edu:/usr/obj/usr/src/sys/KHAVRINEN amd64

>Description:

	krb5-1.6.3_4 builds both libraries and utilities.  Among the
	libraries included in the port is a version of the MIT Common
	Error library, libcom_err.  FreeBSD also includes this library
	as a part of the base system.  It is important that the MIT
	Kerberos utilities, and other applications using Kerberos,
	link against the correct version of libcom_err.  If they do
	not, or if they link against both com_err libraries, error
	messages will not be displayed correctly.

>How-To-Repeat:

	Install krb5-1.6.3_4.
$ kadmin
Authenticating as principal wollman/admin@MYREALM.EXAMPLE.ORG with password.
Password for wollman/admin@MYREALM.EXAMPLE.ORG: 
kadmin:  getprinc unknownprincipal
get_principal: Unknown error: 43787532 while retrieving "unknownprincipal@MYREALM.EXAMPLE.ORG".

$ ldd -av `type -p kadmin`
/usr/local/sbin/kadmin:
        libkadm5clnt.so => /usr/local/lib/libkadm5clnt.so (0x800641000)
        libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800755000)
        libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
        libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
        libcom_err.so => /usr/lib/libcom_err.so (0x800c69000)
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
        libc.so.6 => /lib/libc.so.6 (0x800e73000)
/usr/local/lib/libkadm5clnt.so:
        libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800755000)
        libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
        libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
        libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libgssrpc.so:
        libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800870000)
        libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
        libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libgssapi_krb5.so:
        libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
        libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libkrb5.so:
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
        libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libk5crypto.so:
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
/usr/local/lib/libcom_err.so:
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)

Note how all of the Kerberos libraries are linked against the correct
version of libcom_err.so (the one installed in /usr/local/lib), but
kadmin itself links against the wrong one.

>Fix:

	Link the Kerberos utilities against the correct library.  By
	preference, also fix the lack of version numbering.  (I think
	this may be "intentional" on the part of the Kerberos
	developers as a result of someone not understanding how
	shared library versioning is supposed to work.)

	Workaround: remove /usr/lib/libcom_err.so.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->cy 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Mon Jan 28 21:10:07 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120101 
State-Changed-From-To: open->feedback 
State-Changed-By: cy 
State-Changed-When: Fri Nov 5 04:11:27 UTC 2010 
State-Changed-Why:  
Requested $KRB5_HOME. 

State-Changed-From-To: feedback->closed 
State-Changed-By: eadler 
State-Changed-When: Sat Sep 24 18:11:21 UTC 2011 
State-Changed-Why:  
feedback timeout, if this is still an issue please reply and we can 
re-open it 


From: Garrett Wollman <wollman@csail.mit.edu>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/120101: security/krb5 utilities link against wrong libcom_err
Date: Mon, 26 Sep 2011 11:45:56 -0400

 <<On Sat, 24 Sep 2011 18:11:21 GMT, eadler@FreeBSD.org said:
 
 > feedback timeout, if this is still an issue please reply and we can
 > re-open it
 
 So far as I know, no fix has ever been attempted.  With krb5-1.9.1_1
 installed:
 
 $ ldd /usr/local/bin/kinit
 /usr/local/bin/kinit:
         libkadm5srv_mit.so => /usr/local/lib/libkadm5srv_mit.so (0x80064b000)
         libkdb5.so => /usr/local/lib/libkdb5.so (0x800767000)
         libgssrpc.so => /usr/local/lib/libgssrpc.so (0x800878000)
         libgssapi_krb5.so => /usr/local/lib/libgssapi_krb5.so (0x800994000)
         libkrb5.so => /usr/local/lib/libkrb5.so (0x800ad4000)
         libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800ca6000)
         libcom_err.so => /usr/local/lib/libcom_err.so (0x800dd1000)
         libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800ed4000)
         libc.so.7 => /lib/libc.so.7 (0x800fdc000)
 
 Note how all of the libraries that come with this package are
 unversioned, so (in the standard configuration[1]) the runtime linker
 will always prefer the leftover "system" libcom_err.so.  (The base
 system build always includes libcom_err.so even when the base Heimdal
 is disabled.  Thus, I only notice this when I upgrade the base system
 and forget to delete /usr/lib/libcom_err.so before rebooting.)
 
 The MIT libcom_err.so needs to be fixed to include a versioned SONAME
 which is distinct from the one used by the base system, since the two
 do not implement the same ABI.
 
 -GAWollman
 
 [1] In the standard configuration, /lib and /usr/lib always precede
 /usr/local/lib in ld-elf.so's dependent library search order.  Our
 dynamic linker only searches the RPATH specified in the executable
 if the default search path fails.  This is arguably a bug in our
 dynamic linker, but it is a bug that usually has better behavior for
 users than the "correct" way.
 
State-Changed-From-To: closed->open 
State-Changed-By: cy 
State-Changed-When: Wed Sep 28 05:09:36 UTC 2011 
State-Changed-Why:  
Feedback received, problem still exists. 
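
Added example, not part of the original report or of the port: a shell check that reads `ldd -a` output and lists every library name that resolves to more than one path within one dependency tree, which is the condition the kadmin listing in this report shows. The function names are hypothetical, and the sample input is a trimmed copy of that kadmin listing.

```shell
#!/bin/sh
# find_split_libs: read `ldd -a` output on stdin. For every library name
# that resolves to more than one path, print "name path <- requesting objects".
find_split_libs() {
    awk '
        # Object header line: starts in column one and ends with ":".
        /^[^ \t].*:$/ { obj = substr($0, 1, length($0) - 1); next }
        # Dependency line: "name => /resolved/path (address)".
        $2 == "=>" && $3 ~ /^\// {
            key = $1 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; npaths[$1]++ }
            users[key] = users[key] (users[key] ? "," : "") obj
            order[++n] = key
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (key in done) continue
                done[key] = 1
                split(key, p, SUBSEP)
                if (npaths[p[1]] > 1)
                    printf "%s %s <- %s\n", p[1], p[2], users[key]
            }
        }'
}

# Sample input: trimmed from the kadmin listing in the report.
sample_ldd() {
    cat <<'EOF'
/usr/local/sbin/kadmin:
        libkrb5.so => /usr/local/lib/libkrb5.so (0x8009a1000)
        libcom_err.so => /usr/lib/libcom_err.so (0x800c69000)
        libc.so.6 => /lib/libc.so.6 (0x800e73000)
/usr/local/lib/libkrb5.so:
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800b43000)
        libcom_err.so => /usr/local/lib/libcom_err.so (0x80108b000)
/usr/local/lib/libk5crypto.so:
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x800d6b000)
EOF
}

# On a live system: ldd -a /usr/local/sbin/kadmin | find_split_libs
sample_ldd | find_split_libs
```

Any output means two different files are being loaded under one library name; an empty result means each name resolves to a single path.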

>Unformatted:
