libgssapi-krb5-2: segfault when mechglue loops endlessly on call to gss_add_cred_from

Marking confirmed because I started tracking this down based on a report to the Moonshot project from Rhys Smith which ended up being this issue.

How about grabbing this commit from browserid:

commit e51f544e6c0b92c88163d1b0f4ae110869abf070
Author: Luke Howard <email address hidden>
Date: Thu Oct 24 18:10:24 2013 -0700

    add gss_{acquire,add}_cred_from

>>>>> "Luke" == Luke Howard <email address hidden> writes:

    Luke> How about grabbing this commit from browserid: commit
    Luke> e51f544e6c0b92c88163d1b0f4ae110869abf070 Author: Luke Howard
    Luke> <email address hidden> Date: Thu Oct 24 18:10:24 2013 -0700

That's something to consider for the specific case of moonshot.
However, the krb5 behavior is clearly broken, and I'd like to see
Ubuntu pick up the Debian patch.

I've built the linked branch in ppa:hartmans/ubuntu-fixes for trusty.
With these packages installed and the attached radsec.conf installed as /usr/local/etc/radsec.conf, then gss-server starts correctly as expected.
Without radsec.conf installed it prints an error about being unable to acquire credentials, which is also correct given that none of the available mechanisms can initialize as a server.

Once this gets picked up for utopic I'll look into what I need to do to put together an SRU template.
The patch is trivial and obviously an improvement over the existing code; it's also very unlikely the patch would have unintended side effects.

Here's the patch from debian krb5 1.12.1+dfsg-2

The attachment "0014-Do-not-loop-on-add_cred_from-and-other-new-methods.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

For reference here is the debian changelog in which this bug was fixed:

krb5 (1.12.1+dfsg-2) unstable; urgency=low

  [ Jelmer Vernooij ]
  * Non-maintainer upload.
  * Provide -L and -I flags from krb5-config. Closes: #730837
  * Ship krb5-config.mit binary in krb5-multidev., Closes: #745322
  * Provide -L and -I flags from pkg-config files. Closes: #750041

  [ Sam Hartman ]
  * Include upstream patch to load gss mechanisms from /etc/gss/mech.d,
    Closes: #673680
  * Sysconfdir explicitly set to /etc
  * Include ubuntu change to permit libverto-libevent1 (not currently
    built in Debian) as an alternative for the KDC. For now just
    reduces diff with Ubuntu. Next libverto upload will probably start
    building that for Debian too.
  * Do not cause endless loop when a mechanism fails to include
    gss_add_cred_from or other new methods (upstream #7926)
  * Include /etc/gss/mech.d/README
  * Low urgency to give extra time in unstable
  * Update symbols for gss_indicate_mechs

 -- Sam Hartman <> Wed, 04 Jun 2014 12:09:56 -0400

With the upload of krb5 1.12.1+dfsg-3ubuntu1 to utopic, this is fixed in utopic. Any additional help I can provide getting this into trusty?

Hello Sam, or anyone else affected,

Accepted krb5 into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I enabled proposed, confirmed that as I described in the initial test case gss-server segfaults with 1.12+dfsg-2ubuntu4. Then I installed libgssapi-krb5-2 from trusty-proposed. That pulled in most of the other krb5 packages as I'd expect all version 1.12+dfsg-2ubuntu5.
I ran gss-server and it worked fine. That is, ubuntu5 fixes my problem.

This bug was fixed in the package krb5 - 1.12+dfsg-2ubuntu5

---------------
krb5 (1.12+dfsg-2ubuntu5) trusty; urgency=low

  * Use ADD_METHOD_NOLOOP rather than ADD_METHOD for new GSS-API entry
    points, avoids infinite recursive loop when a mechanism doesn't
    provide an entry point and does include calls back into the mechglue
    (LP: #1326500)
  * Make libkadm5srv-mit8 be arch: any multi-arch: same to work around
    upgrade bug (LP: #1334052)
  * Use tailq macros to work around GCC 4.8 optimizer bug and prevent
    infinite loop for database propagation (LP: #1347147)
 -- Sam Hartman <email address hidden> Wed, 30 Jul 2014 21:06:49 -0400

The verification of the Stable Release Update for krb5 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.