Type: Bug
Resolution: Fixed
Priority: Major - P3
Affects Version/s: None
Component/s: CLI Module, Connectivity
Environment: OS: RHEL8
Iteration: Pterodactyl
Problem Statement/Rationale
mongosh statically links OpenSSL. This conflicts with a potential transitive OpenSSL dependency in libraries that mongosh depends on, such as kerberos, which happens to depend on the system OpenSSL installation in RHEL8/9-based operating systems.
Steps to Reproduce
Apply https://gist.github.com/addaleax/2427e73e5306aae189005344d13b120e to mongosh, then run the connectivity test suite.
Expected Results
Successful tests.
Actual Results
Segmentation faults. Stack trace from the original user report: https://gist.github.com/addaleax/d3680ffd4e21cd6e104095da89b95c21
Additional Notes
ldd -v /usr/bin/mongosh output: https://gist.github.com/addaleax/12f744be7030aacafc5dc13afa1b9836
This seems relatively high-priority, because:
- It results in crashes without any helpful information for the user
- It can lead to arbitrary memory corruption in mongosh processes.
The only reason I’m not opening this as P2 is that it has a reliable and safe workaround (namely, using the shared-OpenSSL binaries).
Unfortunately, fixing this is not trivial. Possible approaches would be to:
- Stop statically linking the Node.js kerberos addon. This conflicts with our goal of providing a single-binary experience for mongosh users.
- Adjust the Node.js kerberos addon so that it can load the kerberos functions at runtime. This adds a bit of complexity to the Node.js addon, but removes kerberos as a hard runtime dependency for mongosh.
- Disable kerberos as a feature in static-OpenSSL builds of mongosh.
- …?
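The root cause above is a binary that carries its own statically linked OpenSSL while a shared dependency (here the system kerberos libraries) drags in the distribution's libcrypto at the same time. The following script is an added diagnostic, not mongosh's own tooling: it takes a binary plus its `ldd -v` output and reports whether the binary is in that "mixed" state, so the condition can be caught in a build or packaging check rather than surfacing as a segmentation fault. It assumes `ldd` and `grep` are available and that the OpenSSL version banner ("OpenSSL x.y.z ...") compiled into libcrypto is still present in the binary; the sample binary and ldd listing it builds are constructed for the demo.

```shell
#!/bin/sh
# Added diagnostic (not mongosh's own tooling): classify how a binary gets
# OpenSSL, so a "static OpenSSL + shared system libcrypto" mix like the one in
# this report can be spotted before it shows up as a segfault.
# Assumptions: `ldd` and `grep` exist; the OpenSSL version banner that
# libcrypto compiles in ("OpenSSL x.y.z ...") is still present in the binary.

# List shared OpenSSL libraries named in an `ldd -v` output file.
shared_openssl_libs() {
  grep -oE 'lib(ssl|crypto)\.so[.0-9]*' "$1" | sort -u
}

# True when the ldd output shows a shared libssl/libcrypto being loaded.
links_shared_openssl() {
  [ -n "$(shared_openssl_libs "$1")" ]
}

# True when the binary embeds an OpenSSL build (heuristic: the version banner).
embeds_static_openssl() {
  grep -aq 'OpenSSL [0-9]' "$1"
}

# Verdict for a binary given its ldd output; "mixed" is the crash-prone case.
linkage_verdict() {
  bin="$1"; ldd_out="$2"
  static=0; shared=0
  embeds_static_openssl "$bin" && static=1
  links_shared_openssl "$ldd_out" && shared=1
  if [ "$static" -eq 1 ] && [ "$shared" -eq 1 ]; then echo mixed
  elif [ "$static" -eq 1 ]; then echo static
  elif [ "$shared" -eq 1 ]; then echo shared
  else echo none
  fi
}

# Constructed sample (not real mongosh output): a fake binary carrying an
# OpenSSL banner plus an ldd listing that pulls in the system libcrypto
# through the kerberos libraries. Prints the directory it created.
make_constructed_sample() {
  dir=$(mktemp -d)
  printf 'ELF...OpenSSL 3.0.7 1 Nov 2022...\n' > "$dir/fake-mongosh"
  cat > "$dir/ldd.txt" <<'EOF'
	linux-vdso.so.1 (0x00007ffd3c5f0000)
	libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f1e0a000000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1e09a00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1e09600000)
EOF
  echo "$dir"
}

# Usage: sh check-openssl-linkage.sh /usr/bin/mongosh
# With no argument, run against the constructed sample instead.
if [ "$#" -gt 0 ]; then
  tmp=$(mktemp)
  ldd -v "$1" > "$tmp" 2>/dev/null
  echo "$1: $(linkage_verdict "$1" "$tmp")"
  rm -f "$tmp"
else
  d=$(make_constructed_sample)
  echo "constructed sample: $(linkage_verdict "$d/fake-mongosh" "$d/ldd.txt")"
  rm -rf "$d"
fi
```

The banner check is a heuristic: a build that strips or patches the OpenSSL version string would read as "none" or "shared" even when a second copy of libcrypto is inside the binary, so treat "mixed" as a definite finding and the other verdicts as absence of evidence only. The same two-source pattern applies to any other library that a statically linked binary also reaches through a shared dependency.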
- depends on: NODE-5746 Allow runtime linking against system kerberos libraries (Closed)
- is related to: NODE-6253 Kerberos addon crashes on RHEL8 with Node.js 18+ (Closed)
- is related to: MONGOSH-1654 Re-enable arm64 executable connectivity tests (Closed)