Package: sudo
Version: 1.8.9p5

raub@testfirewall:~$ sudo pwd
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://kdc.domain.com ldap://kdc2.domain.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=domain,dc=com
sudo: binddn (anonymous)
sudo: bindpw (anonymous)
sudo: bind_timelimit 3
sudo: timelimit 3
sudo: deref 0
sudo: ssl start_tls
sudo: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sudo: use_sasl yes
sudo: sasl_auth_id (NONE)
sudo: rootuse_sasl -1
sudo: rootsasl_auth_id (NONE)
sudo: sasl_secprops (NONE)
sudo: krb5_ccname FILE:/tmp/host.tkt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_initialize(ld, ldap://kdc.domain.com ldap://kdc2.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_TIMEOUT, 3)
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
sudo: ldap_start_tls_s() ok
sudo: sudo_ldap_sasl_interact: SASL_CB_USER
Segmentation fault (core dumped)
raub@testfirewall:~$

From syslog:

Jun 5 15:16:26 testfirewall kernel: [2068248.457275] sudo[22925]: segfault at 0 ip 00007f2feb02692a sp 00007ffff55073b8 error 4 in libc-2.19.so[7f2feaf9d000+1bc000]

That affects both local and network users. Now, if I disable ldap for sudoers in /etc/nsswitch.conf,

# sudoers: files ldap
sudoers: files

Notes:

1) Originally reported on 2014-06-06 in https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1327268. I have a feeling they will only do something after *their* upstream (Debian) does it.

2) Moved upstream to Debian.

3) Todd C. Miller (he who wrote the package) has released source code in June with patched code. See the sudo mailing list for when I reported the issue, tested the patch, and Todd reported the patch applied to the source code. In other words, the upstream source code should be patched.

4) If anyone wants to be lazy, here is the patch as applied to http://ftp.de.debian.org/debian/pool/main/s/sudo/sudo_1.8.9p5.orig.tar.gz

diff -u sudo-1.8.9p5/plugins/sudoers/ldap.c ldap.c --- sudo-1.8.9p5/plugins/sudoers/ldap.c 2014-01-07 13:08:54.000000000 -0500 +++ ldap.c 2014-08-05 10:31:26.028023778 -0400 @@ -2405,10 +2405,11 @@ rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI", NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id); if (new_ccname != NULL) { - rc = sudo_set_krb5_ccache_name(old_ccname, NULL); + rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL); if (rc == 0) { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, - "restore ccache name %s -> %s", new_ccname, old_ccname); + "restore ccache name %s -> %s", new_ccname,az + old_ccname ? old_ccname : "(none)"); } else { sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, "gss_krb5_ccache_name() failed: %d", rc);
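
Review bot: The added debug line `"restore ccache name %s -> %s", new_ccname,az` has a stray `az` after the comma, so the hunk as posted is not valid C and will not build; remove those two characters before applying. Separately, the restore call now passes `""` when old_ccname is NULL, while the log line reports the same case as "(none)". Nothing in the visible lines shows that sudo_set_krb5_ccache_name() treats an empty string as "no previous ccache name", so a one-line comment at `old_ccname ? old_ccname : ""` stating that intent, or an explicit branch for the NULL case, would make the restore behaviour reviewable. The two NULL guards themselves cover both places where old_ccname was previously used unchecked inside the `if (new_ccname != NULL)` block.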