Package: libc-client2002edebian
Version: 7:2002edebian1-13.1
Severity: important
Tags: patch

Hi!

The function kerberos_server_valid() does not release some of the Kerberos structures after checking /etc/krb5.keytab, and therefore the lib keeps an open file handle to /etc/krb5.keytab. Kerberos tools like kadmin or ktutil are unable to gain an F_WRLCK unless another process still has an open file handle.

In the current case libc-client2002edebian is used by php5-imap. So if there's a running apache process that includes php5 with enabled imap support, changes to /etc/krb5.keytab are impossible.

Soenke

-- System Information:
Debian Release: 4.0
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

--- uw-imap-2002edebian1.ORIGINAL/src/osdep/unix/kerb_mit.c 2003-03-05 06:05:24.000000000 +0100 +++ uw-imap-2002edebian1/src/osdep/unix/kerb_mit.c 2008-05-16 16:24:07.000000000 +0200 @@ -42,7 +42,10 @@ /* get default keytab */ if (!krb5_kt_default (ctx,&kt)) { /* can do server if have good keytab */ - if (!krb5_kt_start_seq_get (ctx,kt,&csr)) ret = LONGT; + if (!krb5_kt_start_seq_get (ctx,kt,&csr)) { + ret = LONGT; + krb5_kt_end_seq_get (ctx,kt,&csr); + } krb5_kt_close (ctx,kt); /* finished with keytab */ } krb5_free_context (ctx); /* finished with context */
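
Review bot: The added krb5_kt_end_seq_get (ctx,kt,&csr) line in the new braced block has no trailing comment and its return value is dropped, while the neighbouring krb5_kt_close and krb5_free_context lines each say what they finish with. Since this call is the whole point of the fix, add a comment such as /* finished with cursor */ so a later cleanup does not collapse the block back to the one-line form. Ignoring the result is acceptable here because ret is already set to LONGT and krb5_kt_close follows regardless, but say so in the comment or cast the call to (void) to show it is deliberate.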