uninitialized variable in wbinfo_group.pl causes false authentication results

Bug #908908 reported by Brandt B
This bug affects 1 person
Affects: squid (Ubuntu)
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

I am using squid version 2.7.STABLE7 with users authenticating via an ActiveDirectory (AD). I am using the wbinfo_group.pl helper script for checking group memberships. After a while internet access is denied at random for some users. In the squid log I see

Use of uninitialized value in concatenation (.) or string at /usr/lib/squid/wbinfo_group.pl line 67, <STDIN> line 1.

This message repeats from time to time, with "line 1" increasing. As described in http://www.linuxquestions.org/questions/linux-server-73/squid-ntlm-authentication-only-first-logon-is-authenticated-723587/ I explicitly set the variable $ans. After that I get some errors about

Character in 'c' format wrapped in pack at /usr/lib/squid/wbinfo_group.pl line 92, <STDIN> line 1.

So I changed the function call

pack("c",hex($1))

to

pack("C",hex($1))

everywhere in the script. Since then everything is running smoothly. No more random errors. I have attached a diff file with the changes.

I am running Ubuntu 10.04.3 LTS
squid version 2.7.STABLE7

If you need any more information I am happy to provide it.

Thanks for your efforts

B. Brandt

Tags: patch
Brandt B (benedikt-benbra) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patching unitialized variable and pack function call" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Dave Walker (davewalker)
Changed in squid (Ubuntu):
importance: Undecided → Medium
Brandt B (benedikt-benbra) wrote :

Looks like I am the only one impacted by this bug ^^. Anyways I just wanted to confirm that this bug is still present in Xenial 16.04.

Christian Ehrhardt  (paelzer) wrote :

Hi,
(late) thank you for your report Brandt!

Maybe setting squid up with users authenticating via an ActiveDirectory is just a super rare case.
I checked the package and the file comes from upstream as-is, no delta by Ubuntu or Debian.

Also your change seems to have been adopted.
In recent versions there only are:
/usr/lib/squid/ext_wbinfo_group_acl
/usr/lib/squid3/ext_wbinfo_group_acl

And they both have the change you suggested.

The same even is true for Trusty which only has:
/usr/lib/squid3/ext_wbinfo_group_acl

trusty$ find /usr -name '*wbinfo*'
/usr/lib/squid3/ext_wbinfo_group_acl
/usr/share/man/man8/ext_wbinfo_group_acl.8.gz

I wonder if your /usr/lib/squid/wbinfo_group.pl might be generated or taken over from an old version of your system?

Changed in squid (Ubuntu):
status: New → Incomplete
Brandt B (benedikt-benbra) wrote :

Hi Christian

Thanks so much for your reply, I really appreciate it. I should have been more precise in my last comment, sorry about that, but I wasn't too sure whether anyone would be reading it ;).

I am currently running 16.04.1 Xenial and the file I am using in my squid configuration is "/usr/lib/squid/ext_wbinfo_group_acl". But it doesn't have the changes I suggested. In particular near the bottom of the file there is still the line

 $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;

which should be

 $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("C",hex($1))/eg;

and the other changes aren't there either. Just to make sure that this is not something that I caused through a specific server configuration of mine I downloaded the xenial squid package from packages.ubuntu.com and extracted it as an archive and looked at the contents. It doesn't have the changes I mentioned. I then tried the same for the zesty package (http://packages.ubuntu.com/zesty/amd64/squid/download) but it doesn't have the changes either.

I didn't check the upstream Debian packages though. Where did you see my changes being adopted?

Maybe this is a very rare use case, or it might be that the script works for most people and only rarely causes crashes. I have this squid setup in place at approximately 60 sites. It works for a lot of them, but there are a select few sites where these changes are necessary to guarantee stable operations (it only works for a short period of time, before squid crashes). I suspect that there are some fishy user or group names at those sites that cause the script and squid to fail, but I haven't been able to pinpoint it.
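
An added example (not code from this bug report, its attachment, or the squid helper itself) that exercises the two changes discussed in this thread: percent-decoding with pack "C" instead of "c", and giving the answer a defined value for every request. The names decode_token and answer_for, the membership table and the sample input are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-decode one token with the given pack template ("c" or "C"),
# counting the warnings Perl raises instead of letting them reach STDERR.
sub decode_token {
    my ($token, $template) = @_;
    my $warned = 0;
    local $SIG{__WARN__} = sub { $warned++ };
    (my $out = $token) =~ s/%([0-9a-fA-F]{2})/pack($template, hex($1))/eg;
    return ($out, $warned);
}

# Hypothetical request handler. The answer is set to ERR for every request,
# so a line without group tokens cannot produce an undefined reply.
sub answer_for {
    my ($line, $is_member) = @_;
    my ($user, @groups) = map { (decode_token($_, 'C'))[0] } split /\s+/, $line;
    my $ans = 'ERR';
    for my $group (@groups) {
        if ($is_member->($user, $group)) { $ans = 'OK'; last; }
    }
    return $ans;
}

# Constructed sample: "Büro" as percent-encoded UTF-8 (0xC3 0xBC are > 127).
my $sample = 'B%C3%BCro';
for my $template ('c', 'C') {
    my ($decoded, $warned) = decode_token($sample, $template);
    printf "pack(\"%s\"): bytes=%s warnings=%d\n",
        $template, unpack('H*', $decoded), $warned;
}

# Constructed membership table standing in for the wbinfo lookup.
my %members = (alice => { "B\xC3\xBCro" => 1 });
my $lookup  = sub { my ($u, $g) = @_; defined $u && $members{$u}{$g} };
for my $line ('alice B%C3%BCro', 'alice Sales', 'alice') {
    printf "%-18s -> %s\n", $line, answer_for($line, $lookup);
}
```

Both templates yield the same decoded bytes; the signed "c" template raises the "wrapped in pack" warning for each byte above 127, while "C" decodes them without warning.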

Launchpad Janitor (janitor) wrote :

[Expired for squid (Ubuntu) because there has been no activity for 60 days.]

Changed in squid (Ubuntu):
status: Incomplete → Expired