ports/119546: net/nss_ldap makes /usr/bin/ssh dump core in getpwuid()

Jonathan Lennox lennox at cs.columbia.edu
Thu Jan 10 22:40:01 UTC 2008


>Number:         119546
>Category:       ports
>Synopsis:       net/nss_ldap makes /usr/bin/ssh dump core in getpwuid()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 10 22:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jonathan Lennox
>Release:        FreeBSD 5.5-RELEASE-p17 i386
>Organization:
Columbia University
>Environment:
System: FreeBSD cnr.cs.columbia.edu 5.5-RELEASE-p17 FreeBSD 5.5-RELEASE-p17 #24: Thu Dec 27 22:31:38 EST 2007 lennox at cnr.cs.columbia.edu:/usr/obj/usr/src/sys/CNR i386


	
>Description:

If the net/nss_ldap port is installed and configured to use TLS,
/usr/bin/ssh dumps core when it calls getpwuid().

This appears to happen because /usr/bin/ssh is linked with
/lib/libcrypto.so.3, whereas nss_ldap.so is linked with
/usr/local/lib/libcrypto.so.4.  Thus, when nss_ldap opens a TLS connection
(which invokes functions in libcrypto), the incorrect version of the
function is called.

cnr $ ldd /usr/local/lib/nss_ldap.so.1
/usr/local/lib/nss_ldap.so.1:
        libldap-2.3.so.2 => /usr/local/lib/libldap-2.3.so.2 (0x88192000)
        liblber-2.3.so.2 => /usr/local/lib/liblber-2.3.so.2 (0x881ca000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x881d6000)
        libssl.so.4 => /usr/local/lib/libssl.so.4 (0x881ed000)
        libcrypto.so.4 => /usr/local/lib/libcrypto.so.4 (0x8822e000)
cnr $ ldd /usr/bin/ssh
/usr/bin/ssh:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x88097000)
        libutil.so.4 => /lib/libutil.so.4 (0x880c9000)
        libz.so.2 => /lib/libz.so.2 (0x880d6000)
        libgssapi.so.7 => /usr/lib/libgssapi.so.7 (0x880e7000)
        libkrb5.so.7 => /usr/lib/libkrb5.so.7 (0x880f7000)
        libasn1.so.7 => /usr/lib/libasn1.so.7 (0x88135000)
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x8815b000)
        libmd.so.2 => /lib/libmd.so.2 (0x8815d000)
        libroken.so.7 => /usr/lib/libroken.so.7 (0x8816b000)
        libcrypt.so.2 => /lib/libcrypt.so.2 (0x8817a000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x88193000)
        libc.so.5 => /lib/libc.so.5 (0x882a4000)


/usr/sbin/sshd also dumps core when ldap is enabled, for the same reason,
but that appears to be due to security/pam_ldap, not net/nss_ldap.

>How-To-Repeat:

cnr $ gdb /usr/bin/ssh
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)...
(gdb) run
Starting program: /usr/bin/ssh
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x883573a0 in strcmp () from /lib/libc.so.5
(gdb) bt
#0  0x883573a0 in strcmp () from /lib/libc.so.5
#1  0x88243839 in OBJ_NAME_new_index () from /lib/libcrypto.so.3
#2  0x8826c4c6 in lh_doall_arg () from /lib/libcrypto.so.3
#3  0x8826c046 in lh_insert () from /lib/libcrypto.so.3
#4  0x88243a16 in OBJ_NAME_add () from /lib/libcrypto.so.3
#5  0x8823fb8f in EVP_add_cipher () from /lib/libcrypto.so.3
#6  0x88441ea5 in SSL_library_init () from /usr/local/lib/libssl.so.4
#7  0x00000000 in ?? ()
#8  0x00000000 in ?? ()
#9  0x00000282 in ?? ()
#10 0x883e78c8 in __JCR_LIST__ () from /usr/local/lib/libldap-2.3.so.2
#11 0x080621c0 in ?? ()
#12 0x883dcf0e in ldap_pvt_tls_init () from /usr/local/lib/libldap-2.3.so.2
#13 0x883df366 in ldap_int_tls_start () from /usr/local/lib/libldap-2.3.so.2
#14 0x883b946c in ldap_int_open_connection () from /usr/local/lib/libldap-2.3.so.2
#15 0x883cd8fb in ldap_new_connection () from /usr/local/lib/libldap-2.3.so.2
#16 0x883b8cb1 in ldap_open_defconn () from /usr/local/lib/libldap-2.3.so.2
#17 0x883cd25b in ldap_send_initial_request () from /usr/local/lib/libldap-2.3.so.2
#18 0x883c23cb in ldap_sasl_bind () from /usr/local/lib/libldap-2.3.so.2
#19 0x883c2d25 in ldap_simple_bind () from /usr/local/lib/libldap-2.3.so.2
#20 0x8839808d in _nss_ldap_close () from /usr/X11R6/lib/nss_ldap.so.1
#21 0x88397e2e in _nss_ldap_close () from /usr/X11R6/lib/nss_ldap.so.1
#22 0x88398db7 in _nss_ldap_ent_context_release () from /usr/X11R6/lib/nss_ldap.so.1
#23 0x88399889 in _nss_ldap_search_s () from /usr/X11R6/lib/nss_ldap.so.1
#24 0x8839a00d in _nss_ldap_getbyname () from /usr/X11R6/lib/nss_ldap.so.1
#25 0x8839b5f0 in _nss_ldap_getpwuid_r () from /usr/X11R6/lib/nss_ldap.so.1
#26 0x882dfad1 in __nss_compat_getpwuid_r () from /lib/libc.so.5
#27 0x8834771b in nsdispatch () from /lib/libc.so.5
#28 0x8831d765 in getpwuid_r () from /lib/libc.so.5
#29 0x8831d999 in getpwuid_r () from /lib/libc.so.5
#30 0x8831d88b in getpwuid_r () from /lib/libc.so.5
#31 0x8831da37 in getpwuid () from /lib/libc.so.5

>Fix:

As a workaround, the versions of ssh and sshd from the
security/openssh-portable port can be installed, as they link with
libcrypto.so.4.


>Release-Note:
>Audit-Trail:
>Unformatted:
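
Added example, not part of the original report: a shell function that reads `ldd` output for a program and for the NSS module it loads at run time, and reports any library that resolves to more than one version in the same process, which is the libcrypto.so.3 / libcrypto.so.4 condition described above. The function names are assumptions of this example, and the sample input is a trimmed copy of the two ldd listings in the report.

```shell
#!/bin/sh
# Added example: detect one process loading two versions of the same library.
# Reads `ldd` output on stdin; prints "<lib>: <path> [<first object needing it>] ..."
# for every library base name that resolves to more than one file.
find_soname_conflicts() {
    awk '
        # Header line such as "/usr/bin/ssh:" names the object being listed.
        NF == 1 && /:$/ { obj = $1; sub(/:$/, "", obj); next }
        $2 == "=>" {
            base = $1
            sub(/\.so(\.[0-9]+)*$/, "", base)   # libcrypto.so.4 -> libcrypto
            if (!((base, $3) in seen)) {
                seen[base, $3] = 1
                paths[base] = (count[base]++ ? paths[base] " " : "") $3 " [" obj "]"
            }
        }
        END { for (b in count) if (count[b] > 1) print b ": " paths[b] }
    ' | sort
}

# Trimmed copy of the two ldd listings in the report above.
page_ldd_sample() {
    cat <<'EOF'
/usr/local/lib/nss_ldap.so.1:
        libldap-2.3.so.2 => /usr/local/lib/libldap-2.3.so.2 (0x88192000)
        libssl.so.4 => /usr/local/lib/libssl.so.4 (0x881ed000)
        libcrypto.so.4 => /usr/local/lib/libcrypto.so.4 (0x8822e000)
/usr/bin/ssh:
        libssh.so.2 => /usr/lib/libssh.so.2 (0x88097000)
        libcrypt.so.2 => /lib/libcrypt.so.2 (0x8817a000)
        libcrypto.so.3 => /lib/libcrypto.so.3 (0x88193000)
        libc.so.5 => /lib/libc.so.5 (0x882a4000)
EOF
}

# On a live system: ldd /usr/bin/ssh /usr/local/lib/nss_ldap.so.1 | find_soname_conflicts
page_ldd_sample | find_soname_conflicts
```

Any line of output means a base-system binary and a ports-built module disagree on a shared library version and can fail the way the backtrace shows.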


