NetBSD Problem Report #57406

From www@netbsd.org  Sat May 13 14:24:39 2023
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 8EF931A923C
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 13 May 2023 14:24:39 +0000 (UTC)
Message-Id: <20230513142437.BC7AF1A923D@mollari.NetBSD.org>
Date: Sat, 13 May 2023 14:24:37 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin
X-Send-Pr-Version: www-1.0

>Number:         57406
>Category:       lib
>Synopsis:       base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          needs-pullups
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 13 14:25:00 +0000 2023
>Closed-Date:    
>Last-Modified:  Tue Oct 17 11:25:25 +0000 2023
>Originator:     Taylor R Campbell
>Release:        8, 9, 10, current
>Organization:
The NetKRB5D Foundation
>Environment:
>Description:
Since 2017, we've linked Heimdal's libkrb5.so against libsqlite3.so, presumably in order to support the sqlite credential cache option of Heimdal:

http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/heimdal/lib/libkrb5/Makefile?rev=1.11&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

This pulls in the base libsqlite3.so.  Base sqlite3 often lags behind pkgsrc by a lot, so pkgsrc avoids it.  But pkgsrc packages that use Kerberos for authentication will often use base libkrb5.so via mk/krb5.buildlink.mk and security/heimdal/builtin.mk.  Any such packages that also use sqlite3 are likely to have colliding sqlite3 libraries in the address space.  This appears to happen in practice with devel/subversion-base.
>How-To-Repeat:
pkg_add subversion-base
ldd /usr/pkg/bin/svn

Here's a list from my 2022Q4 bulk build of packages that might be affected because they (a) have something that links against libkrb5.so in base, and (b) depend on databases/sqlite3 in pkgsrc (though I haven't confirmed with ldd that any of these other than subversion-base have binaries or libraries that actually pull in both base and pkgsrc libsqlite3):

audio/forked-daapd
audio/glyr
audio/musicpd
audio/pragha
chat/jabberd2
chat/profanity
databases/libzdb
databases/sqlrelay-sqlite
devel/subversion-base
games/etlegacy
games/etlegacy-server
games/minetest
geography/gdal-lib
geography/libspatialite
geography/proj
geography/viking
graphics/vtk
lang/konoha
mail/evolution-data-server
multimedia/mediatomb
net/grilo-plugins
net/ntopng
news/newsbeuter
x11/qt5-qtbase
>Fix:
Yes, please!

An easy workaround would be to disable the sqlite credential cache in base.  I'm not sure how important this option is.  Users who want it could then install security/heimdal from pkgsrc instead -- but that wouldn't work for default binary packages of anything that uses libkrb5.so to get at the sqlite credential cache, if, e.g., kinit used it for some reason.

(Not actually sure how to use the sqlite credential cache; kinit on netbsd-9 does not appear to create this format by default.)
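
One way to run the ldd check from How-To-Repeat over the other listed packages, as an added example that is not part of the original report: the function reads ldd output on stdin and prints every library that resolves from more than one path. The names dup_libs and sample_ldd are hypothetical, and the sample ldd lines (including their version numbers) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag libraries that ldd resolves from more than one path,
# e.g. libsqlite3 from both /usr/lib (base) and /usr/pkg/lib (pkgsrc).
# Real use:  ldd /usr/pkg/bin/svn | dup_libs

dup_libs() {
	awk '
	$0 ~ /=>/ {
		path = ""
		# The resolved path is the field that follows "=>".
		for (i = 1; i < NF; i++)
			if ($i == "=>") { path = $(i + 1); break }
		if (path !~ /^\//) next   # unresolved entries have no absolute path
		n = split(path, parts, "/")
		stem = parts[n]
		sub(/\.so(\.[0-9]+)*$/, "", stem)   # libsqlite3.so.1 -> libsqlite3
		if (!((stem, path) in seen)) {
			seen[stem, path] = 1
			count[stem]++
			paths[stem] = paths[stem] " " path
		}
	}
	END {
		for (s in count)
			if (count[s] > 1)
				print s ":" paths[s]
	}' | sort
}

# Constructed sample of ldd output for a binary that pulls in base libkrb5
# (and with it base libsqlite3) alongside pkgsrc libsqlite3.
sample_ldd() {
	cat <<'EOF'
/usr/pkg/bin/svn:
	-lsvn_client-1.0 => /usr/pkg/lib/libsvn_client-1.so.0
	-lsqlite3.0 => /usr/pkg/lib/libsqlite3.so.0
	-lkrb5.27 => /usr/lib/libkrb5.so.27
	-lsqlite3.1 => /usr/lib/libsqlite3.so.1
	-lc.12 => /usr/lib/libc.so.12
EOF
}

sample_ldd | dup_libs
```

An empty result means no library stem was resolved from two different paths; it says nothing about copies of sqlite3 that are statically built into a binary.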

>Release-Note:

>Audit-Trail:
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: lib/57406: base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin
Date: Sun, 28 May 2023 23:27:39 +0000

 We could build Heimdal with an internal statically linked sqlite3.
 This wouldn't publish any of sqlite3's symbols in the dynamic library,
 so it wouldn't affect any downstream users of libkrb5.so.

 Kind of unfortunate that it would probably inflate libhdb.so by about
 20x for what is really a pretty trivial file format, but probably
 better than mysterious runtime crashes later.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57406 CVS commit: src/crypto/external/bsd/heimdal
Date: Wed, 11 Oct 2023 12:34:43 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Oct 11 12:34:42 UTC 2023

 Modified Files:
 	src/crypto/external/bsd/heimdal: Makefile.inc
 	src/crypto/external/bsd/heimdal/include: config.h
 	src/crypto/external/bsd/heimdal/lib/libhdb: Makefile
 	src/crypto/external/bsd/heimdal/lib/libkrb5: Makefile

 Log Message:
 heimdal: Disable sqlite3 credential cache (SCC).

 SCC is not usable in Heimdal 7.8.0, and this brings a dependency on
 libsqlite3 into libkrb5 and therefore libgssapi, which is problematic
 for downstream applications that have sqlite3 from pkgsrc or
 statically built in.

 SCC will undergo substantial revision in the next Heimdal version
 (https://github.com/heimdal/heimdal/pull/1143).  We can revisit later
 how to deal with this -- perhaps by symbol-renaming a copy of sqlite3
 in Heimdal as it looks like upstream intends to do.

 PR lib/57406

 XXX pullup-10


 To generate a diff of this commit:
 cvs rdiff -u -r1.8 -r1.9 src/crypto/external/bsd/heimdal/Makefile.inc
 cvs rdiff -u -r1.11 -r1.12 src/crypto/external/bsd/heimdal/include/config.h
 cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/heimdal/lib/libhdb/Makefile
 cvs rdiff -u -r1.15 -r1.16 \
     src/crypto/external/bsd/heimdal/lib/libkrb5/Makefile

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57406 CVS commit: src/share/mk
Date: Wed, 11 Oct 2023 14:08:17 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Oct 11 14:08:17 UTC 2023

 Modified Files:
 	src/share/mk: bsd.prog.mk

 Log Message:
 bsd.prog.mk: krb5 stuff no longer needs to link against sqlite3.

 (Why is this here?  Seems like it should be a .mk fragment under
 crypto/external/bsd/heimdal -- that way I would have found it for the
 previous commit.)

 PR lib/57406

 XXX pullup-10


 To generate a diff of this commit:
 cvs rdiff -u -r1.345 -r1.346 src/share/mk/bsd.prog.mk

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57406 CVS commit: src
Date: Wed, 11 Oct 2023 14:08:26 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Oct 11 14:08:26 UTC 2023

 Modified Files:
 	src/crypto/external/bsd/heimdal: Makefile.inc
 	src/share/mk: bsd.prog.mk

 Log Message:
 heimdal: No need for -lm, was only added for -lsqlite3.

 PR lib/57406

 XXX pullup-10


 To generate a diff of this commit:
 cvs rdiff -u -r1.9 -r1.10 src/crypto/external/bsd/heimdal/Makefile.inc
 cvs rdiff -u -r1.346 -r1.347 src/share/mk/bsd.prog.mk

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57406 CVS commit: src/crypto/external/bsd/heimdal
Date: Thu, 12 Oct 2023 17:18:39 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Thu Oct 12 17:18:39 UTC 2023

 Modified Files:
 	src/crypto/external/bsd/heimdal: Makefile.inc
 	src/crypto/external/bsd/heimdal/libexec/digest-service: Makefile
 	src/crypto/external/bsd/heimdal/libexec/hpropd: Makefile
 	src/crypto/external/bsd/heimdal/libexec/ipropd-master: Makefile
 	src/crypto/external/bsd/heimdal/libexec/ipropd-slave: Makefile
 	src/crypto/external/bsd/heimdal/libexec/kadmind: Makefile
 	src/crypto/external/bsd/heimdal/libexec/kpasswdd: Makefile
 	src/crypto/external/bsd/heimdal/sbin/hprop: Makefile
 	src/crypto/external/bsd/heimdal/sbin/iprop-log: Makefile
 	src/crypto/external/bsd/heimdal/sbin/kadmin: Makefile
 	src/crypto/external/bsd/heimdal/sbin/kdc: Makefile
 	src/crypto/external/bsd/heimdal/sbin/kstash: Makefile

 Log Message:
 heimdal: Make sure whatever uses libhdb also gets libsqlite3 & libm.

 Loose ends for static builds in the fix for PR lib/57406.

 XXX pullup-10


 To generate a diff of this commit:
 cvs rdiff -u -r1.10 -r1.11 src/crypto/external/bsd/heimdal/Makefile.inc
 cvs rdiff -u -r1.5 -r1.6 \
     src/crypto/external/bsd/heimdal/libexec/digest-service/Makefile
 cvs rdiff -u -r1.5 -r1.6 \
     src/crypto/external/bsd/heimdal/libexec/hpropd/Makefile
 cvs rdiff -u -r1.5 -r1.6 \
     src/crypto/external/bsd/heimdal/libexec/ipropd-master/Makefile
 cvs rdiff -u -r1.5 -r1.6 \
     src/crypto/external/bsd/heimdal/libexec/ipropd-slave/Makefile
 cvs rdiff -u -r1.7 -r1.8 \
     src/crypto/external/bsd/heimdal/libexec/kadmind/Makefile
 cvs rdiff -u -r1.5 -r1.6 \
     src/crypto/external/bsd/heimdal/libexec/kpasswdd/Makefile
 cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/heimdal/sbin/hprop/Makefile
 cvs rdiff -u -r1.5 -r1.6 \
     src/crypto/external/bsd/heimdal/sbin/iprop-log/Makefile
 cvs rdiff -u -r1.6 -r1.7 src/crypto/external/bsd/heimdal/sbin/kadmin/Makefile
 cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/heimdal/sbin/kdc/Makefile
 cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/heimdal/sbin/kstash/Makefile

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/57406 CVS commit: [netbsd-10] src
Date: Sat, 14 Oct 2023 06:56:36 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sat Oct 14 06:56:36 UTC 2023

 Modified Files:
 	src/crypto/external/bsd/heimdal [netbsd-10]: Makefile.inc
 	src/crypto/external/bsd/heimdal/include [netbsd-10]: config.h
 	src/crypto/external/bsd/heimdal/lib/libhdb [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/lib/libkrb5 [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/libexec/digest-service [netbsd-10]:
 	    Makefile
 	src/crypto/external/bsd/heimdal/libexec/hpropd [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/libexec/ipropd-master [netbsd-10]:
 	    Makefile
 	src/crypto/external/bsd/heimdal/libexec/ipropd-slave [netbsd-10]:
 	    Makefile
 	src/crypto/external/bsd/heimdal/libexec/kadmind [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/libexec/kpasswdd [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/sbin/hprop [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/sbin/iprop-log [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/sbin/kadmin [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/sbin/kdc [netbsd-10]: Makefile
 	src/crypto/external/bsd/heimdal/sbin/kstash [netbsd-10]: Makefile
 	src/share/mk [netbsd-10]: bsd.prog.mk

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #412):

 	share/mk/bsd.prog.mk: revision 1.346
 	crypto/external/bsd/heimdal/sbin/kstash/Makefile: revision 1.6
 	share/mk/bsd.prog.mk: revision 1.347
 	crypto/external/bsd/heimdal/sbin/hprop/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/sbin/kdc/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/sbin/iprop-log/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/lib/libkrb5/Makefile: revision 1.16
 	crypto/external/bsd/heimdal/libexec/digest-service/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/Makefile.inc: revision 1.10
 	crypto/external/bsd/heimdal/Makefile.inc: revision 1.11
 	crypto/external/bsd/heimdal/Makefile.inc: revision 1.9
 	crypto/external/bsd/heimdal/libexec/kadmind/Makefile: revision 1.8
 	crypto/external/bsd/heimdal/lib/libhdb/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/include/config.h: revision 1.12
 	crypto/external/bsd/heimdal/libexec/hpropd/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/libexec/ipropd-slave/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/libexec/ipropd-master/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/libexec/kpasswdd/Makefile: revision 1.6
 	crypto/external/bsd/heimdal/sbin/kadmin/Makefile: revision 1.7

 heimdal: Disable sqlite3 credential cache (SCC).
 SCC is not usable in Heimdal 7.8.0, and this brings a dependency on
 libsqlite3 into libkrb5 and therefore libgssapi, which is problematic
 for downstream applications that have sqlite3 from pkgsrc or
 statically built in.
 SCC will undergo substantial revision in the next Heimdal version
 https://github.com/heimdal/heimdal/pull/1143.  We can revisit later
 how to deal with this -- perhaps by symbol-renaming a copy of sqlite3
 in Heimdal as it looks like upstream intends to do.
 PR lib/57406

 bsd.prog.mk: krb5 stuff no longer needs to link against sqlite3.
 (Why is this here?  Seems like it should be a .mk fragment under
 crypto/external/bsd/heimdal -- that way I would have found it for the
 previous commit.)
 PR lib/57406

 heimdal: No need for -lm, was only added for -lsqlite3.
 PR lib/57406

 heimdal: Make sure whatever uses libhdb also gets libsqlite3 & libm.
 Loose ends for static builds in the fix for PR lib/57406.


 To generate a diff of this commit:
 cvs rdiff -u -r1.6.6.1 -r1.6.6.2 src/crypto/external/bsd/heimdal/Makefile.inc
 cvs rdiff -u -r1.10.8.1 -r1.10.8.2 \
     src/crypto/external/bsd/heimdal/include/config.h
 cvs rdiff -u -r1.4.22.1 -r1.4.22.2 \
     src/crypto/external/bsd/heimdal/lib/libhdb/Makefile
 cvs rdiff -u -r1.11.22.1 -r1.11.22.2 \
     src/crypto/external/bsd/heimdal/lib/libkrb5/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/libexec/digest-service/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/libexec/hpropd/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/libexec/ipropd-master/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/libexec/ipropd-slave/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/libexec/kadmind/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/libexec/kpasswdd/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/sbin/hprop/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/sbin/iprop-log/Makefile
 cvs rdiff -u -r1.3.22.1 -r1.3.22.2 \
     src/crypto/external/bsd/heimdal/sbin/kadmin/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/sbin/kdc/Makefile
 cvs rdiff -u -r1.2.56.1 -r1.2.56.2 \
     src/crypto/external/bsd/heimdal/sbin/kstash/Makefile
 cvs rdiff -u -r1.341.2.1 -r1.341.2.2 src/share/mk/bsd.prog.mk

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Tue, 17 Oct 2023 11:25:25 +0000
State-Changed-Why:
committed to HEAD
pulled up to 10
may need pullup to 9


>Unformatted:
