Russ Allbery wrote:

> I spent an hour this evening tracking this down. The problem is that
> Heimdal isn't using symbol versioning in its shared libraries.
> libpam-heimdal therefore binds to unversioned symbols, which works fine if
> the calling program doesn't load any other Kerberos library. However,
> OpenSSH is linked with MIT Kerberos, and therefore at run time the
> unversioned libpam-heimdal symbols are bound to the MIT Kerberos version
> of libkrb5 which is already loaded in memory and chaos ensues. valgrind
> was the debugging tool that finally gave me the necessary clue. The
> segfault kept showing up with backtraces inside libkrb5.3.3 instead of
> libkrb5.24.0.0.

Can I please confirm what version of Heimdal you are using? The initial bug report seemed to quote the old version in testing, but here you seem to indicate the latest version in unstable. I just want to make sure.
As far as I can tell, all exported symbols from libkrb5.24.0.0 use HEIMDAL_KRB5_1.0 for the versioned symbol name.

objdump -T libkrb5.so.24.0.0
...
0001d180 g    DF .text  0000003e  HEIMDAL_KRB5_1.0 krb5_config_vget_string_default
00047140 g    DF .text  00000034  HEIMDAL_KRB5_1.0 krb5_rd_req_out_get_ticket
00028130 g    DF .text  00000074  HEIMDAL_KRB5_1.0 krb5_digest_free
0004cc30 g    DF .text  000000c6  HEIMDAL_KRB5_1.0 krb5_storage_emem
0004b100 g    DF .text  00000037  HEIMDAL_KRB5_1.0 _krb5_get_int
0002c5b0 g    DF .text  0000022e  HEIMDAL_KRB5_1.0 krb5_get_credentials_with_flags
0001ca10 g    DF .text  00000038  HEIMDAL_KRB5_1.0 krb5_encode_EncTGSRepPart
0001eba0 g    DF .text  0000007e  HEIMDAL_KRB5_1.0 krb5_prepend_config_files_default
0001a530 g    DF .text  000000f5  HEIMDAL_KRB5_1.0 krb5_cc_retrieve_cred
0001cfe0 g    DF .text  00000034  HEIMDAL_KRB5_1.0 krb5_config_get_time
0002dfa0 g    DF .text  00000208  HEIMDAL_KRB5_1.0 _krb5_get_host_realm_int
0004b9c0 g    DF .text  0000009f  HEIMDAL_KRB5_1.0 krb5_ret_times
000165c0 g    DF .text  00000033  HEIMDAL_KRB5_1.0 krb5_sockaddr_uninteresting
0002fd00 g    DF .text  00000080  HEIMDAL_KRB5_1.0 krb5_get_in_tkt_with_keytab
00017d30 g    DF .text  00000039  HEIMDAL_KRB5_1.0 krb5_address_compare
0003d950 g    DF .text  00000038  HEIMDAL_KRB5_1.0 krb5_c_enctype_compare
0001e7d0 g    DF .text  00000139  HEIMDAL_KRB5_1.0 krb5_get_default_in_tkt_etypes
000450d0 g    DF .text  00000021  HEIMDAL_KRB5_1.0 krb5_unparse_name_fixed_short

If OpenSSH is linked against MIT Kerberos, like you say, then simply proving that the segfault occurs inside MIT Kerberos is insufficient, unfortunately, because we have to expect OpenSSH may call MIT Kerberos functions at some point.

> This is a bug in the Debian Heimdal packages, I believe. They used to use
> symbol versioning precisely because of this problem; see Bug#205592 which
> was closed in 0.6-4. It looks like that was lost or dropped somewhere
> along the way.
The symbol versioning was moved to the upstream code; I don't guarantee that they got it right, but I want some evidence before I forward this upstream.

It occurred to me that the stack trace is probably in the Debian bug report; I will check that now.

Brian May
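As an added example, not from this thread, here is a small shell check of the kind the objdump listing above invites: it picks out exported symbols in `objdump -T` output that carry no version tag, which is exactly the condition that lets an unversioned libkrb5 symbol bind to the wrong library. The embedded sample listing is constructed (addresses and the last three names are made up), and the helper function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: find exported dynamic symbols that
# carry no version tag in `objdump -T` output. Against a real library:
#   objdump -T /usr/lib/libkrb5.so.24.0.0 | list_unversioned
# objdump -T columns: address, binding (g/w), type (DF/DO), section, size,
# [version], name. A symbol with no version has only six fields. In a
# library that does ship a version script, GNU ld reports symbols matched
# by no pattern under the pseudo-version "Base"; those are just as
# unversioned for binding purposes, so they are flagged too.

# Print the names of exported, defined function/object symbols that have
# no real version tag.
list_unversioned() {
    awk '($2 == "g" || $2 == "w") && ($3 == "DF" || $3 == "DO") &&
         $4 != "*UND*" && (NF == 6 || $6 == "Base") { print $NF }'
}

# Count the same symbols; 0 means every export is versioned.
count_unversioned() {
    list_unversioned | wc -l | tr -d ' '
}

# Constructed sample listing shaped like the Heimdal output in the thread.
# The first two defined entries copy the thread; the rest are invented to
# show an unversioned function, a "Base" symbol and an unversioned object.
SAMPLE='libkrb5.so.24.0.0:     file format elf32-i386

DYNAMIC SYMBOL TABLE:
00000000      DF *UND*  00000000  GLIBC_2.0   memcpy
0001d180 g    DF .text  0000003e  HEIMDAL_KRB5_1.0 krb5_config_vget_string_default
00047140 g    DF .text  00000034  HEIMDAL_KRB5_1.0 krb5_rd_req_out_get_ticket
00028130 g    DF .text  00000074              krb5_digest_free
0004cc30 g    DF .text  000000c6  Base        krb5_storage_emem
0005a000 g    DO .data  00000004              krb5_sample_global
0000abc0 w    DF .text  00000010  HEIMDAL_KRB5_1.0 krb5_sample_weak'

# Report the count and fail when unversioned exports exist, so the check
# can gate a package build or a CI job.
check_sample() {
    n=$(printf '%s\n' "$SAMPLE" | count_unversioned)
    printf 'unversioned exported symbols: %s\n' "$n"
    [ "$n" -eq 0 ]
}
```

Pipe any real `objdump -T` output into `list_unversioned` to see which symbols would be resolved by whichever libkrb5 happened to be loaded first.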