Debian Bug report logs -
#893044
slurm-llnl: CVE-2018-7033: Issue in accounting_storage/mysql plugin by always escaping strings within the slurmdbd
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>
:
Bug#893044
; Package src:slurm-llnl
.
(Thu, 15 Mar 2018 21:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>
.
(Thu, 15 Mar 2018 21:09:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: slurm-llnl
Version: 14.03.9-5
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.schedmd.com/show_bug.cgi?id=4792
Hi,
the following vulnerability was published for slurm-llnl, filling as
grave to be on safe side, but details are yet not disclosed in the
upstream report.
CVE-2018-7033[0]:
|Issue in accounting_storage/mysql plugin by always escaping strings
|within the slurmdbd
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-7033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7033
[1] https://bugs.schedmd.com/show_bug.cgi?id=4792
Regards,
Salvatore
Marked as fixed in versions slurm-llnl/17.11.5-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 18 Mar 2018 21:42:09 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 18 Mar 2018 21:42:10 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Sun, 18 Mar 2018 21:42:11 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#893044.
(Sun, 18 Mar 2018 21:42:15 GMT) (full text, mbox, link).
Message #14 received at 893044-submitter@bugs.debian.org (full text, mbox, reply):
close 893044 17.11.5-1
thanks
Marked as fixed in versions slurm-llnl/16.05.9-1+deb9u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Tue, 24 Jul 2018 18:39:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>
:
Bug#893044
; Package src:slurm-llnl
.
(Mon, 30 Jul 2018 09:15:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Stephane Vaillant <Stephane.Vaillant@obspm.fr>
:
Extra info received and forwarded to list. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>
.
(Mon, 30 Jul 2018 09:15:07 GMT) (full text, mbox, link).
Message #21 received at 893044@bugs.debian.org (full text, mbox, reply):
On Sun, 18 Mar 2018 22:40:08 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> close 893044 17.11.5-1
> thanks
>
>
>
Hi,
The patched version breaks the accounting: slurmdbd issues invalid mysql
INSERT queries using 'job_ptr->gres_alloc' as the name of a column
instead of 'gres_alloc' (the same for job_ptr->gres_req).
The problem seems to be located in CVE-2018-7033-2.patch (provided in
the slurm-llnl_14.03.9-5+deb8u3.debian.tar.xz archive) :
- if (gres_req)
- xstrcat(query, ", gres_req");
- if (gres_alloc)
- xstrcat(query, ", gres_alloc");
+ if (job_ptr->gres_req)
+ xstrcat(query, ", job_ptr->gres_req");
+ if (job_ptr->gres_alloc)
+ xstrcat(query, ", job_ptr->gres_alloc");
I guess the 'if' condition is right but job_ptr->gres_req should not
occur inside the quotes as it is the name of a column, instead it should
remain unchanged.
Best regards,
Stéphane Vaillant
Information forwarded
to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>
:
Bug#893044
; Package src:slurm-llnl
.
(Wed, 08 Aug 2018 10:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>
:
Extra info received and forwarded to list. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>
.
(Wed, 08 Aug 2018 10:30:03 GMT) (full text, mbox, link).
Message #26 received at 893044@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Gennaro,
On Wed, Aug 08, 2018 at 11:14:52AM +0200, Gennaro Oliva wrote:
> I have prepared a regression update of my package slurm-llnl in jessie,
> because of:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893044#21
> I'm the maintainer of the package, but last upload was a NMU.
>
> The updated package can be found here:
> https://people.debian.org/~oliva/slurm-llnl_14.03.9-5+deb8u4
>
> Please let me know if I can be of any further assistance,
thanks for preparing this update, I'll upload it shortly.
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds).org
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Gennaro Oliva <oliva.g@na.icar.cnr.it>
:
You have taken responsibility.
(Thu, 09 Aug 2018 16:27:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Thu, 09 Aug 2018 16:27:06 GMT) (full text, mbox, link).
Message #31 received at 893044-done@bugs.debian.org (full text, mbox, reply):
Package: slurm-llnl
Version: 14.03.9-5+deb8u4
Hi Stephane,
On Mon, Jul 30, 2018 at 11:07:21AM +0200, Stephane Vaillant wrote:
> The problem seems to be located in CVE-2018-7033-2.patch (provided in the
> slurm-llnl_14.03.9-5+deb8u3.debian.tar.xz archive) :
> - if (gres_req)
> - xstrcat(query, ", gres_req");
> - if (gres_alloc)
> - xstrcat(query, ", gres_alloc");
> + if (job_ptr->gres_req)
> + xstrcat(query, ", job_ptr->gres_req");
> + if (job_ptr->gres_alloc)
> + xstrcat(query, ", job_ptr->gres_alloc");
the patch was fixed, by quoting the columns name.
Thank you for your investigations and report.
Best regards,
--
Gennaro Oliva
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 25 Nov 2018 07:27:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:06:23 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.