Package: libapache2-mod-auth-gssapi
Version: 1.6.3-1+b1
Severity: important
Tags: patch
Dear Maintainer,

the package produces undefined behavior when compiled with OpenSSL 3 (instead of OpenSSL 1.1). The bug has been noticed and fixed upstream, see:

    https://github.com/gssapi/mod_auth_gssapi/pull/256

I'm not qualified to say if this results in a security vulnerability, but the results I see look suspicious imho.

I noticed this when testing installation of the latest FreeIPA release on Ubuntu 22.04 and Debian. After successful installation I could not log in to the web UI. The Apache error log showed lines like these:

    [client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
    [client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
    [client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA:12:29:50 +000) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/
    [client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA) lookup failed!, referer: https://ldap-jammy.biophysics.kth.se/ipa/ui/

Note the mangled KRB5CCNAME file name that contains parts of seemingly random other strings. I've also seen for example:

    /run/ipa/ccaches/myuser@EXA\x95\xaa\xa6\t\x80 D\n\xef\xe2\xde\xf6\xa2\xce
    /run/ipa/ccaches/myuser@EXAMozilla/5.0 (X
    /run/ipa/ccaches/myuser@EXAa/session/logi

Valid filenames look like this:

    /run/ipa/ccaches/myu...@example.org-tBzEry
    /run/ipa/ccaches/myu...@example.org-3wYfMK

I've confirmed that the merge request mentioned above (#256) fixes the problem at least to the point where the logs look okay and I can log in to the web UI.
Best regards,
Stefan

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-100-generic (SMP w/20 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapache2-mod-auth-gssapi depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.54-2
ii  libc6                               2.34-3
ii  libgssapi-krb5-2                    1.20-1
ii  libssl3                             3.0.5-2

libapache2-mod-auth-gssapi recommends no packages.

libapache2-mod-auth-gssapi suggests no packages.

-- no debconf information
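An added detection check for the symptom described in the report above (this is example code, not part of the bug report or of mod_auth_gssapi): it scans Apache error-log lines for "KRB5CCNAME file (...) lookup failed!" entries and flags ccache names that carry escaped non-printable bytes or do not have the `/run/ipa/ccaches/<user>@<REALM>-<suffix>` shape. The expected shape, including the six-character alphanumeric suffix, is an assumption derived from the two valid filenames shown in the report; the sample log lines are constructed to mirror the ones quoted there.

```python
import re

# Apache writes non-printable bytes in error-log strings as \xNN escapes.
ESCAPED_BYTE = re.compile(r"\\x[0-9a-fA-F]{2}")

# The mod_auth_gssapi message we care about; non-greedy so a mangled name
# containing "(" still ends at the first ") lookup failed!".
CCACHE_LINE = re.compile(r"KRB5CCNAME file \((.*?)\) lookup failed!")

# Assumed well-formed shape: /run/ipa/ccaches/<user>@<REALM>-<6 alphanumerics>
# (derived from the valid names in the report, not from the module's source).
EXPECTED_NAME = re.compile(
    r"^/run/ipa/ccaches/[^/\s@()]+@[A-Za-z0-9.\-]+-[A-Za-z0-9]{6}$"
)

# Constructed sample log lines modelled on the report (hostnames replaced).
SAMPLE_LOG = r"""
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA) lookup failed!, referer: https://ipa.example.org/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA:12:29:50 +000) lookup failed!, referer: https://ipa.example.org/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXAMozilla/5.0 (X) lookup failed!, referer: https://ipa.example.org/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@EXA\x95\xaa\xa6\t\x80 D\n\xef\xe2\xde\xf6\xa2\xce) lookup failed!, referer: https://ipa.example.org/ipa/ui/
[client X.X.X.X:39170] KRB5CCNAME file (/run/ipa/ccaches/myuser@example.org-tBzEry) lookup failed!, referer: https://ipa.example.org/ipa/ui/
"""


def classify_ccache_name(name):
    """Return None if the ccache name looks well formed, else a short reason."""
    if ESCAPED_BYTE.search(name):
        return "contains escaped non-printable bytes"
    if not EXPECTED_NAME.match(name):
        return "does not match expected <user>@<REALM>-<suffix> shape"
    return None


def find_mangled_ccache_names(log_text):
    """Return (ccache_name, reason) for every KRB5CCNAME lookup failure whose
    file name does not look like a properly generated ccache path."""
    findings = []
    for line in log_text.splitlines():
        m = CCACHE_LINE.search(line)
        if not m:
            continue
        reason = classify_ccache_name(m.group(1))
        if reason:
            findings.append((m.group(1), reason))
    return findings


if __name__ == "__main__":
    for name, reason in find_mangled_ccache_names(SAMPLE_LOG):
        print(f"{name!r}: {reason}")
```

A well-formed name that still fails lookup is a different problem (missing or unreadable ccache); only the malformed names point at the memory-corruption class of bug the report describes.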