lib/57406: base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin

To: lib-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: lib/57406: base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin
From: campbell+netbsd%mumble.net@localhost
Date: Sat, 13 May 2023 14:25:00 +0000 (UTC)

>Number:         57406
>Category:       lib
>Synopsis:       base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 13 14:25:00 +0000 2023
>Originator:     Taylor R Campbell
>Release:        8, 9, 10, current
>Organization:
The NetKRB5D Foundation
>Environment:
>Description:
Since 2017, we've linked Heimdal's libkrb5.so against libsqlite3.so, presumably in order to support the sqlite credential cache option of Heimdal:

http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/heimdal/lib/libkrb5/Makefile?rev=1.11&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

This pulls in the base libsqlite3.so.  Base sqlite3 often lags behind pkgsrc by a lot, so pkgsrc avoids it.  But pkgsrc packages that use Kerberos for authentication will often use base libkrb5.so via mk/krb5.buildlink.mk and security/heimdal/builtin.mk.  Any such packages that also use sqlite3 are likely to have colliding sqlite3 libraries in the address space.  This appears to happen in practice with devel/subversion-base.
>How-To-Repeat:
pkg_add subversion-base
ldd /usr/pkg/bin/svn

Here's a list from my 2022Q4 bulk build of packages that might be affected because they (a) have something that links against libkrb5.so in base, and (b) depend on databases/sqlite3 in pkgsrc (though I haven't confirmed with ldd that any of these other than subversion-base have binaries or libraries that actually pull in both base and pkgsrc libsqlite3):

audio/forked-daapd
audio/glyr
audio/musicpd
audio/pragha
chat/jabberd2
chat/profanity
databases/libzdb
databases/sqlrelay-sqlite
devel/subversion-base
games/etlegacy
games/etlegacy-server
games/minetest
geography/gdal-lib
geography/libspatialite
geography/proj
geography/viking
graphics/vtk
lang/konoha
mail/evolution-data-server
multimedia/mediatomb
net/grilo-plugins
net/ntopng
news/newsbeuter
x11/qt5-qtbase
>Fix:
Yes, please!

An easy workaround would be to disable the sqlite credential cache in base.  I'm not sure how important this option is.  Users who want it could then install security/heimdal from pkgsrc instead -- but that wouldn't work for default binary packages of anything that uses libkrb5.so to get at the sqlite credential cache, if, e.g., kinit used it for some reason.

(Not actually sure how to use the sqlite credential cache; kinit on netbsd-9 does not appear to create this format by default.)

Prev by Date: PR/57307 CVS commit: [netbsd-9] src/sys/ufs/ffs
Next by Date: Re: kern/15688 (p_stats->p_cru.ru_utime.tv_sec may become negative)
Previous by Thread: PR/57307 CVS commit: [netbsd-9] src/sys/ufs/ffs
Next by Thread: Re: lib/57406: base libkrb5.so links against base sqlite3 but is exposed to pkgsrc sqlite3 via heimdal builtin
Indexes:

Home | Main Index | Thread Index | Old Index