FIXED: shibd segfaults because of libxerces-c (RHEL 6.6 SP 2.5.4)

Heijdendael, Andreas andreas.heijdendael at atos.net
Mon Jul 20 10:15:22 EDT 2015


Hi guys/girls,

Found the problem eventually by doing a comparison between a RHEL and a CentOS system.
For some odd reason /lib64/libxerces-c-3.1.so was symlinked to some version from BMC.
This wasn't obvious from the output of ldd as it doesn't show symlinks. Only after comparing ldd output and physical files did this show up.

So, shibd was not using the correct libxerces. Changing /etc/sysconfig/shibd to reflect the correct LD_LIBRARY_PATH and service shibd start was all of a sudden saying [Ok] :D :D

Greetings,

Andreas
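
The comparison described above (ldd output against the physical files), as an added example that is not part of the original message: a shell function that reads ldd output and flags every library whose path is a symlink resolving into a different directory. The function names, status labels and the constructed demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads ldd-style lines ("name => /path (0x...)") on stdin.
# Prints one line per library: STATUS <tab> path-from-ldd <tab> real file
#   OK       real file sits in the same directory ldd reported
#   FOREIGN  path is a symlink whose target lives in another directory
#   MISSING  ldd said "not found", or the path does not exist
check_ldd_paths() {
    while read -r name arrow path _rest; do
        [ "$arrow" = "=>" ] || continue            # skips the ld-linux line
        case "$path" in
            not) printf 'MISSING\t%s\t-\n' "$name"; continue ;;
            /*)  ;;
            *)   continue ;;                       # vdso: no path at all
        esac
        [ -e "$path" ] || { printf 'MISSING\t%s\t-\n' "$path"; continue; }
        real=$(readlink -f "$path")
        # Resolve the directory too, so a symlinked /lib64 is not a false hit.
        if [ "$(dirname "$real")" = "$(readlink -f "$(dirname "$path")")" ]; then
            printf 'OK\t%s\t%s\n' "$path" "$real"
        else
            printf 'FOREIGN\t%s\t%s\n' "$path" "$real"
        fi
    done
}

# Constructed demo: a library directory in which one .so is a symlink into
# a vendor directory, fed with constructed ldd output.
demo() {
    d=$(mktemp -d)
    mkdir "$d/lib64" "$d/vendor"
    : > "$d/vendor/libxerces-c-3.1.so"
    : > "$d/lib64/libc.so.6"
    ln -s "$d/vendor/libxerces-c-3.1.so" "$d/lib64/libxerces-c-3.1.so"
    check_ldd_paths <<EOF
    linux-vdso.so.1 =>  (0x00007fff00000000)
    libxerces-c-3.1.so => $d/lib64/libxerces-c-3.1.so (0x00007f0000000000)
    libc.so.6 => $d/lib64/libc.so.6 (0x00007f0000100000)
    libfoo.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)
EOF
    rm -rf "$d"
}

case "${1:-}" in --demo) demo ;; esac
```

On a real host, pipe the output of ldd for the shibd binary into check_ldd_paths, with the same LD_LIBRARY_PATH that /etc/sysconfig/shibd sets, then run rpm -qf on each real file to see which package, if any, owns it.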


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Charles R. Tompkins
Sent: Wednesday, July 15, 2015 7:48 PM
To: Shib Users
Subject: RE: shibd segfaults because of libxerces-c (RHEL 6.6 SP 2.5.4)

RHEL 6.6 with shibboleth-2.5.4-3.3.el6.x86_64 user, here.

I haven't seen any problems of this nature.

How are you installing and where are you installing these packages from?

I'm using the OpenSUSE repo for yum-based installs:
http://download.opensuse.org/repositories/security:/shibboleth/

$ rpm -qi shibboleth
Name        : shibboleth                   Relocations: (not relocatable)
Version     : 2.5.4                             Vendor: Shibboleth Consortium
Release     : 3.3.el6                       Build Date: Wed 29 Apr 2015 11:03:57 AM EDT
Install Date: Wed 27 May 2015 09:32:46 AM EDT      Build Host: build77
Group       : Productivity/Networking/Security   Source RPM: shibboleth-2.5.4-3.3.el6.src.rpm
Size        : 5116128                          License: Apache 2.0
Signature   : DSA/SHA1, Wed 29 Apr 2015 11:04:08 AM EDT, Key ID 73c937457d0a1b3d
URL         : http://shibboleth.net/
Summary     : Open source system for attribute-based Web SSO
Description :
Shibboleth is a Web Single Sign-On implementations based on OpenSAML that supports multiple protocols, federated identity, and the extensible exchange of rich attributes subject to privacy controls.

This package contains the Shibboleth Service Provider runtime libraries, daemon, default plugins, and Apache module(s).

$ rpm -qi libxerces-c-3_1
Name        : libxerces-c-3_1              Relocations: /usr
Version     : 3.1.2                             Vendor: obs://build.opensuse.org/security:shibboleth
Release     : 3.1.el6                       Build Date: Thu 19 Mar 2015 09:38:14 PM EDT
Install Date: Mon 06 Apr 2015 12:58:23 PM EDT      Build Host: cloud116
Group       : Development/Libraries         Source RPM: xerces-c-3.1.2-3.1.el6.src.rpm
Size        : 3870784                          License: Apache
Signature   : DSA/SHA1, Thu 19 Mar 2015 09:38:29 PM EDT, Key ID 73c937457d0a1b3d
URL         : http://xerces.apache.org/xerces-c/
Summary     : Shared library for Xerces-C++ validating XML parser
Description :
Xerces-C++ is a validating XML parser written in a portable subset of C++.
Xerces-C++ makes it easy to give your application the ability to read
Xerces-C++ and
write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents.

This package contains just the shared library.


Regards,

Charles Tompkins
UF Information Technology
Enterprise Infrastructure and Operations



-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, July 15, 2015 12:05 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: shibd segfaults because of libxerces-c (RHEL 6.6 SP 2.5.4)

On 7/15/15, 10:47 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>
>I'll see if I can load the RH packages onto CentOS as a test.

That worked fine.

And FWIW, the libssh2 dependency is coming from the wrong version of libcurl; you're running the ldd commands without setting LD_LIBRARY_PATH. It shouldn't crash on the wrong one, but it certainly isn't supported, so testing shibd by hand without setting the path also isn't reliable.

I don't see anything wrong with the packages, though of course a real test on RH6 would be more definitive.

The upcoming patch will cause both package sets to be rebased on OpenSSL 1.0.1 on both versions which is certainly better than the slightly out of sync situation at the moment.

-- Scott
