Description:
Importing `mysql.connector` will yield a segmentation fault if `libkrb5.so.3` (the Kerberos 5 library) is not installed on the client system.
The problem appears to happen in two phases:
1. Importing `mysql.connector` transitively imports `_mysql_connector` (native module), which loads (among other things) `libcrypto.so.1.1` and `libkrb5.so.3`. Loading the latter fails, which surfaces an `ImportError`; this is caught in `mysql.connector.__init__.py` by a `try-except` that allows execution to continue.
2. Later, the loading of `mysql/connector/authentication.py` loads `hashlib`, which loads `_hashlib` (the native component of the same standard library). When `_hashlib` also loads `libcrypto.so.1.1` and tries to call symbols therein, a segmentation fault occurs.
Interestingly, the segmentation fault does not occur if `libcrypto.so.1.1` is loaded prior to importing `_mysql_connector`. This may suggest that the aborted loading of `_mysql_connector` somehow "poisons" the state of `libcrypto.so.1.1`, if it is the first to load the module.
How to repeat:
Segmentation fault case:
```
docker run -it python:3.8-slim /bin/bash
python -m pip install mysql-connector-python==8.0.20
python -c "import mysql.connector" # Observe segmentation fault.
```
Working case, with library installed:
```
docker run -it python:3.8-slim /bin/bash
apt update && apt install -y libkrb5-dev
python -m pip install mysql-connector-python==8.0.20
python -c "import mysql.connector" # Observe that command runs.
```
Working case, with a different module imported first:
```
docker run -it python:3.8-slim /bin/bash
python -m pip install mysql-connector-python==8.0.20
python -c "import _hashlib, mysql.connector" # Observe that command runs.
```
Suggested fix:
Using `ldd` demonstrates that the `libkrb5.so.3` library was not a dependency of `_mysql_connector.so` in the 8.0.19 release; the dependency is new for the 8.0.20 release. Though I'm not very familiar with this codebase, my best guess is that this commit to the MySQL Server project may have introduced the dependency:
https://github.com/mysql/mysql-server/commit/039fc4991a7144a6dcb2d9bcea92d39207450f05
I believe this may be fixed by vendoring the `libkrb5.so.3` library alongside `libssl.so.1.1` and `libcrypto.so.1.1` for wheel-distributions of `mysql-connector-python`.
https://github.com/mysql/mysql-connector-python/blob/e424cbf2ba6093caaa96bda1db5dbdfec2e60...
(and other associated references in that file)
This seems like it should make the distribution more independent of the libraries installed in the client environment.
Thanks in advance for taking a look!
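
The `ldd` check mentioned in the report can be run before anything imports the native module. The following is an added example, not part of the original report or of the project's code: the helper names (`parse_ldd`, `extension_path`, `check_module`) are hypothetical and the sample `ldd` output is constructed.

```python
import importlib.util
import re
import subprocess
import sys

# ldd prints "name => not found" for a dependency the loader cannot resolve.
_MISSING = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$")
_RESOLVED = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-f]+\)\s*$")

# Constructed sample, not captured output: paths and addresses are made up.
SAMPLE_LDD = """\
    linux-vdso.so.1 (0x00007ffc1a5e2000)
    libcrypto.so.1.1 => /opt/example/site-packages/libcrypto.so.1.1 (0x00007f3a10000000)
    libkrb5.so.3 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a0fc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a10800000)
"""


def parse_ldd(output):
    """Return (resolved, missing): a name -> path dict and a list of names."""
    resolved, missing = {}, []
    for line in output.splitlines():
        if (m := _MISSING.match(line)):
            missing.append(m.group(1))
        elif (m := _RESOLVED.match(line)):
            resolved[m.group(1)] = m.group(2)
    return resolved, missing


def extension_path(module_name):
    """Find a top-level native module's file without importing (loading) it."""
    spec = importlib.util.find_spec(module_name)
    if spec is None or not (spec.origin or "").endswith(".so"):
        return None
    return spec.origin


def check_module(module_name):
    """Run ldd on the module's shared object; only use on trusted files,
    because ldd may execute code from the file it inspects."""
    path = extension_path(module_name)
    if path is None:
        return None
    done = subprocess.run(["ldd", path], capture_output=True, text=True)
    return parse_ldd(done.stdout)


if __name__ == "__main__":
    result = check_module(sys.argv[1] if len(sys.argv) > 1 else "_mysql_connector")
    print(result if result else "module not found or not a shared object")
    sys.exit(1 if result and result[1] else 0)
```

Run as a container build step, a non-zero exit flags an unresolved dependency such as `libkrb5.so.3` before the first `import mysql.connector`; the resolved paths also show which copy of `libcrypto.so.1.1` the loader would pick.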