Bug #99923 Segfault when libkbr5.so.3 is not present
Submitted: 17 Jun 2020 21:29 Modified: 23 Jun 2020 13:06
Reporter: Daniel Katz Email Updates:
Status: Verified Impact on me:
None 
Category:Connector / Python Severity:S3 (Non-critical)
Version:8.0.20 OS:Any
Assigned to: CPU Architecture:Any

[17 Jun 2020 21:29] Daniel Katz
Description:
Importing `mysql.connector` will yield a segmentation fault, if libkbr5.so.3 (Kerberos 5 library) is not installed on the client system.

The problem appears to happen in two phases:

1. Importing `mysql.connector` transitively imports `_mysql_connector` (native module), which loads (among other things) `libcrypto.so.1.1` and `libkbr5.so.3`. Loading the later fails, which surfaces an `ImportError`; this is caught in `mysql.connector.__init__.py` by a `try-except` that allows execution to continue.

2. Later, the loading of `mysql/connector/authentication.py` loads `hashlib`, which loads `_hashlib` (the native component of the same standard library). When `_hashlib` also loads `libcrypto.so.1.1` and tries to call symbols therein, a segmentation fault occurs.

Interestingly, the segmentation fault does not occur if `libcrypto.so.1.1` is loaded prior to importing `_mysql_connector`. This may suggest that the aborted loading of `_mysql_connector` somehow "poisons" the state of `libcrypto.so.1.1`, if it is the first to load the module.

How to repeat:
Segmentation fault case:
    docker run -it python:3.8-slim /bin/bash
    python -m pip install mysql-connector-python==8.0.20
    python -c "import mysql.connector"  # Observe segmentation fault.

Working case, with library installed:
    docker run -it python:3.8-slim /bin/bash
    apt update && apt install -y libkrb5-dev
    python -m pip install mysql-connector-python==8.0.20
    python -c "import mysql.connector"  # Observe that command runs.

Working case, with a different module imported first.
    docker run -it python:3.8-slim /bin/bash
    python -m pip install mysql-connector-python==8.0.20
    python -c "import _hashlib, mysql.connector"  # Observe that command runs.

Suggested fix:
Using `ldd` demonstrates that `libkbr5.so.3` library was not a dependency of `_mysql_connector.so` in the 8.0.19 release; the dependency is new for the 8.0.20 release. Though I'm not very familiar with this codebase, my best guess is that this commit to the MySQL Server project may have introduced the dependency:

https://github.com/mysql/mysql-server/commit/039fc4991a7144a6dcb2d9bcea92d39207450f05

I believe this may be fixed by vendoring the `libkbr5.so.3` library alongside `libssl.so.1.1` and `libcrypto.so.1.1` for wheel-distributions of `mysql-connector-python`.

https://github.com/mysql/mysql-connector-python/blob/e424cbf2ba6093caaa96bda1db5dbdfec2e60...
(and other associated references in that file)

This seems like it should make the distribution more independent of the libraries installed in the client environment.

Thanks in advance for taking a look!
[23 Jun 2020 13:06] MySQL Verification Team
Hello Daniel Katz,

Thank you for the report and feedback.

regards,
Umesh