Bug#1020424: krb5: Versioned dependencies are needed in order to avoid version skew

Sam Morris Wed, 21 Sep 2022 07:39:14 -0700

Source: krb5
Version: 1.20-1
Severity: normal
X-Debbugs-Cc: s...@robots.org.uk


When using a container image that has an older version of some of the
binary packages from krb5 in it, installing krb5-user results in binary
packages being installed that are a mix of the newer and older version.

The practical problem with this is:

    $ podman run -ti docker.io/library/r-base:latest bash -l 

.. at this time, the following packages are installed (i.e., they're
part of the container image).

    ii  libgssapi-krb5-2:amd64 1.19.2-2+b2  amd64        MIT Kerberos runtime 
libraries - krb5 GSS-API Mechanism
    ii  libk5crypto3:amd64     1.19.2-2+b2  amd64        MIT Kerberos runtime 
libraries - Crypto Library
    ii  libkrb5-3:amd64        1.19.2-2+b2  amd64        MIT Kerberos runtime 
libraries
    ii  libkrb5support0:amd64  1.19.2-2+b2  amd64        MIT Kerberos runtime 
libraries - Support library

Now, I'll install kinit and try to use it:

    root@d6ed10d8dfac:/# apt -qq update && apt install krb5-user
    [...]

    root@d6ed10d8dfac:/# kinit u...@example.com
    kinit: Random number generator could not be seeded while getting initial 
credentials

This error message comes from libk5crypto.so.3. At this point,
libk5crypto3 is still at the old version, other binary packages have
been upgraded:

    ii  krb5-user                1.20-1       amd64        basic programs to 
authenticate using MIT Kerberos
    ii  libgssapi-krb5-2:amd64   1.20-1       amd64        MIT Kerberos runtime 
libraries - krb5 GSS-API Mechanism
    ii  libgssrpc4:amd64         1.20-1       amd64        MIT Kerberos runtime 
libraries - GSS enabled ONCRPC
    ii  libk5crypto3:amd64       1.19.2-2+b2  amd64        MIT Kerberos runtime 
libraries - Crypto Library
    ii  libkadm5clnt-mit12:amd64 1.20-1       amd64        MIT Kerberos runtime 
libraries - Administration Clients
    ii  libkadm5srv-mit12:amd64  1.20-1       amd64        MIT Kerberos runtime 
libraries - KDC and Admin Server
    ii  libkdb5-10:amd64         1.20-1       amd64        MIT Kerberos runtime 
libraries - Kerberos database
    ii  libkrb5-3:amd64          1.20-1       amd64        MIT Kerberos runtime 
libraries
    ii  libkrb5support0:amd64    1.20-1       amd64        MIT Kerberos runtime 
libraries - Support library

After 'apt-get install libk5crypto3', version 1.20-1 is installed & the
kinit command works.

I think this is related to the removal of the embedded PRNG in 1.19 and
earlier versions. The code from 1.20 is calling
krb5_c_random_make_octets (which is provided by libk5crypto3) in a way
that the older implementation isn't happy with, and it throws this
error.

Maybe there's a missing Breaks or Conflicts somewhere; or maybe
versioned dependencies need to be added somewhere to ensure that all the
binary packages from krb5 are upgraded in lockstep.

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (570, 'stable-updates'), (570, 'stable-security'), (570, 
'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), 
(530, 'unstable-debug'), (530, 'unstable'), (1, 'experimental-debug'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-3-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_DIE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Bug#1020424: krb5: Versioned dependencies are needed in order to avoid version skew

Reply via email to