Debian Bug report logs -
#480432
libkrb53: ret_flags check at g_accept_sec_context.c:248 looks wrong
Reported by: Bryan Kadzban <debbugs@kdzbn.homelinux.net>
Date: Fri, 9 May 2008 23:45:02 UTC
Severity: normal
Tags: patch
Found in version krb5/1.6.dfsg.3~beta1-4
Fixed in version 1.6.dfsg.3-1
Done: Bryan Kadzban <debbugs@kdzbn.homelinux.net>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to
debian-bugs-dist@lists.debian.org, debbugs@kdzbn.homelinux.net, Sam Hartman <hartmans@debian.org>:
Bug#480432; Package
libkrb53.
Full text and
rfc822 format available.
Acknowledgement sent to
Bryan Kadzban <debbugs@kdzbn.homelinux.net>:
New Bug report received and forwarded. Copy sent to
debbugs@kdzbn.homelinux.net, Sam Hartman <hartmans@debian.org>.
Full text and
rfc822 format available.
Message #5 received at submit@bugs.debian.org (full text, mbox):
Package: libkrb53
Version: 1.6.dfsg.3~beta1-4
Severity: normal
Tags: patch
The check "(ret_flags && GSS_C_DELEG_FLAG)" looks extremely wrong.
GSS_C_DELEG_FLAGS is a bitmask, and should not be logically compared
against anything (since it will always be logical true). ret_flags is a
pointer, and its value should not be bitwise compared against anything,
either.
Proposed fix: do two checks. First check whether ret_flags is non-NULL
(ret_flags on its own), then check whether the pointed-to value has the
GSS_C_DELEG_FLAG bit turned on.
A patch to make this change is attached. (It was generated from a
libkrb53 tree that already had the rest of the Debian patches applied.)
*** krb5-fix-comparison.patch
Don't do a logical AND between a pointer and a bitmask. Check the
pointer first, and do a bitwise AND between the pointer's value (if
the pointer is non-NULL) and the bitmask instead.
diff -ur a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c 2007-10-01 22:43:12.000000000 -0400
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c 2008-05-09 14:10:23.000000000 -0400
@@ -245,7 +245,7 @@
}
/* Ensure we're returning correct creds format */
- if ((ret_flags && GSS_C_DELEG_FLAG) &&
+ if (ret_flags && ((*ret_flags) & GSS_C_DELEG_FLAG) &&
tmp_d_cred != GSS_C_NO_CREDENTIAL) {
gss_union_cred_t d_u_cred = NULL;
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libkrb53 depends on:
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libcomerr2 1.40.8-2 common error description library
ii libkeyutils1 1.2-7 Linux Key Management Utilities (li
libkrb53 recommends no packages.
-- no debconf information
Information forwarded to
debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#480432; Package
libkrb53.
Full text and
rfc822 format available.
Acknowledgement sent to
Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to
Sam Hartman <hartmans@debian.org>.
Full text and
rfc822 format available.
Message #10 received at 480432@bugs.debian.org (full text, mbox):
Bryan Kadzban <debbugs@kdzbn.homelinux.net> writes:
> The check "(ret_flags && GSS_C_DELEG_FLAG)" looks extremely wrong.
> GSS_C_DELEG_FLAGS is a bitmask, and should not be logically compared
> against anything (since it will always be logical true). ret_flags is a
> pointer, and its value should not be bitwise compared against anything,
> either.
Thanks! I'm checking with upstream just to be sure, but this looks
correct to me.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Information forwarded to
debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#480432; Package
libkrb53.
Full text and
rfc822 format available.
Acknowledgement sent to
Bryan Kadzban <debbugs@kdzbn.homelinux.net>:
Extra info received and forwarded to list. Copy sent to
Sam Hartman <hartmans@debian.org>.
Full text and
rfc822 format available.
Message #15 received at 480432@bugs.debian.org (full text, mbox):
Russ Allbery wrote:
> Bryan Kadzban <debbugs@kdzbn.homelinux.net> writes:
>
>> The check "(ret_flags && GSS_C_DELEG_FLAG)" looks extremely wrong.
>> GSS_C_DELEG_FLAGS is a bitmask, and should not be logically
>> compared against anything (since it will always be logical true).
>> ret_flags is a pointer, and its value should not be bitwise
>> compared against anything, either.
>
> Thanks! I'm checking with upstream just to be sure, but this looks
> correct to me.
After some looking at the upstream bug database, this appears to be the
same as their bug #5802:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=5802
and that page says the bug was fixed in 1.6.3. And indeed, the source
for 1.6.3 (from upstream) handles the flags differently: it passes the
address of a local variable to the mechanism-specific accept_sec_context
function, then copies it back to the address that the user passed in if
non-NULL. It also uses the local variable in the bitfield comparison.
So upgrading to upstream version 1.6.3 (or adopting this part of the
code, at least) should fix this as well.
Information forwarded to
debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#480432; Package
libkrb53.
Full text and
rfc822 format available.
Acknowledgement sent to
Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to
Sam Hartman <hartmans@debian.org>.
Full text and
rfc822 format available.
Message #20 received at 480432@bugs.debian.org (full text, mbox):
Bryan Kadzban <debbugs@kdzbn.homelinux.net> writes:
> After some looking at the upstream bug database, this appears to be the
> same as their bug #5802:
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=5802
>
> and that page says the bug was fixed in 1.6.3. And indeed, the source
> for 1.6.3 (from upstream) handles the flags differently: it passes the
> address of a local variable to the mechanism-specific accept_sec_context
> function, then copies it back to the address that the user passed in if
> non-NULL. It also uses the local variable in the bitfield comparison.
>
> So upgrading to upstream version 1.6.3 (or adopting this part of the
> code, at least) should fix this as well.
Oh, in that case, it should already be fixed; 1.6.3 is already in Debian
unstable.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply sent to
Bryan Kadzban <debbugs@kdzbn.homelinux.net>:
You have taken responsibility.
Full text and
rfc822 format available.
Notification sent to
Bryan Kadzban <debbugs@kdzbn.homelinux.net>:
Bug acknowledged by developer.
Full text and
rfc822 format available.
Message #25 received at 480432-done@bugs.debian.org (full text, mbox):
Version: 1.6.dfsg.3-1
Russ Allbery wrote:
> Bryan Kadzban <debbugs@kdzbn.homelinux.net> writes:
>
>> So upgrading to upstream version 1.6.3 (or adopting this part of the
>> code, at least) should fix this as well.
>
> Oh, in that case, it should already be fixed; 1.6.3 is already in Debian
> unstable.
...You're right. I've just pulled the source for libkrb53 in unstable,
and it is fixed in that version. (That's what I get for only checking
the version from testing.)
So never mind; this isn't actually a problem. Thanks!
Bug archived.
Request was from
Debbugs Internal Request <owner@bugs.debian.org>
to
internal_control@bugs.debian.org.
(Sun, 08 Jun 2008 07:28:52 GMT)
Full text and
rfc822 format available.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Feb 9 19:28:13 2010;
Machine Name:
busoni.debian.org
Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.