[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8797) improper use of gnutls causes segfault

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8797) improper use of gnutls causes segfault
From: hyc@symas.com
Date: Mon, 15 Jan 2018 21:02:35 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

ryan@nardis.ca wrote:
> On Mon, Jan 15, 2018 at 07:33:52PM +0000, lukas@selfnet.de wrote:
>> During initialization, libldap sets custom  gnutls mutex functions:
>> https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=libraries/libldap/tls_g.c;h=adcb6be04076a91d3a0bf94cf8357f4e51f5b9da;hb=HEAD#l113
>>
>> PAM uses libldap via dlopen and unloads it when it's done, but openldap doesn't
>> undo gnutls_global_set_mutex, so any further calls to locking functions inside
>> openldap will segfault since these function pointers now point to nowhere since
>> openldap is unloaded.
>>
>> I encountered this issue in cups since cups uses gnutls itself for the web
>> interface and segfaults when it uses gnutls after libldap.
> 
> Thanks for this report.
> 
> This is not the first issue caused by our usage of the custom mutex
> functions; see also <https://bugs.debian.org/803197>.
> 
> Removing the custom mutex functions and (for sufficiently recent GnuTLS)
> the calls to gnutls_global_{,de}init() looks like a more and more
> attractive solution. I am not aware of anyone using OpenLDAP with GnuTLS
> on a platform for which GnuTLS lacks built-in mutex functions...

PAM should be using nss-pam-ldapd, not calling libldap directly. This is an 
architectural flaw in both GnuTLS and PAM, not an OpenLDAP bug. This ITS is 
invalid.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#8797) improper use of gnutls causes segfault
Next by Date: Re: (ITS#8797) improper use of gnutls causes segfault
Index(es):
- Chronological
- Thread