slurm-llnl: CVE-2018-7033: Issue in accounting_storage/mysql plugin by always escaping strings within the slurmdbd

Related Vulnerabilities: CVE-2018-7033  

Debian Bug report logs - #893044

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 15 Mar 2018 21:09:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version slurm-llnl/14.03.9-5

Fixed in versions slurm-llnl/17.11.5-1, slurm-llnl/16.05.9-1+deb9u2, slurm-llnl/14.03.9-5+deb8u4

Done: Gennaro Oliva <oliva.g@na.icar.cnr.it>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.schedmd.com/show_bug.cgi?id=4792



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#893044; Package src:slurm-llnl. (Thu, 15 Mar 2018 21:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Thu, 15 Mar 2018 21:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: slurm-llnl: CVE-2018-7033: Issue in accounting_storage/mysql plugin by always escaping strings within the slurmdbd
Date: Thu, 15 Mar 2018 22:04:51 +0100

Source: slurm-llnl
Version: 14.03.9-5
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.schedmd.com/show_bug.cgi?id=4792

Hi,

the following vulnerability was published for slurm-llnl, filing as
grave to be on the safe side, but details are not yet disclosed in the
upstream report.

CVE-2018-7033[0]:
|Issue in accounting_storage/mysql plugin by always escaping strings
|within the slurmdbd

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7033
[1] https://bugs.schedmd.com/show_bug.cgi?id=4792

Regards,
Salvatore



Marked as fixed in versions slurm-llnl/17.11.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Mar 2018 21:42:09 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 18 Mar 2018 21:42:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Mar 2018 21:42:11 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#893044. (Sun, 18 Mar 2018 21:42:15 GMT)


Message #14 received at 893044-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 893044-submitter@bugs.debian.org
Subject: closing 893044
Date: Sun, 18 Mar 2018 22:40:08 +0100

close 893044 17.11.5-1
thanks




Marked as fixed in versions slurm-llnl/16.05.9-1+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 24 Jul 2018 18:39:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#893044; Package src:slurm-llnl. (Mon, 30 Jul 2018 09:15:07 GMT)


Acknowledgement sent to Stephane Vaillant <Stephane.Vaillant@obspm.fr>:
Extra info received and forwarded to list. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Mon, 30 Jul 2018 09:15:07 GMT)


Message #21 received at 893044@bugs.debian.org:

From: Stephane Vaillant <Stephane.Vaillant@obspm.fr>
To: 893044@bugs.debian.org
Subject: Re: closing 893044
Date: Mon, 30 Jul 2018 11:07:21 +0200

On Sun, 18 Mar 2018 22:40:08 +0100 Salvatore Bonaccorso 
<carnil@debian.org> wrote:
> close 893044 17.11.5-1
> thanks
> 
> 
> 

Hi,

The patched version breaks the accounting: slurmdbd issues invalid mysql 
INSERT queries using 'job_ptr->gres_alloc' as the name of a column 
instead of 'gres_alloc' (the same for job_ptr->gres_req).

The problem seems to be located in CVE-2018-7033-2.patch (provided in 
the slurm-llnl_14.03.9-5+deb8u3.debian.tar.xz archive) :
-               if (gres_req)
-                       xstrcat(query, ", gres_req");
-               if (gres_alloc)
-                       xstrcat(query, ", gres_alloc");
+               if (job_ptr->gres_req)
+                       xstrcat(query, ", job_ptr->gres_req");
+               if (job_ptr->gres_alloc)
+                       xstrcat(query, ", job_ptr->gres_alloc");
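
Review bot: In the added xstrcat() calls the struct member expression has been substituted inside the string literals as well as in the if conditions, so xstrcat(query, ", job_ptr->gres_req") appends the text job_ptr->gres_req to the column list of the query instead of the column name gres_req (and likewise for gres_alloc). The literals are SQL text, not C expressions: keep ", gres_req" and ", gres_alloc" exactly as on the removed lines and change only the conditions. A regression test that compares the column list of the generated INSERT against the table's column names would catch this kind of substitution slip before release.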

I guess the 'if' condition is right but job_ptr->gres_req should not 
occur inside the quotes as it is the name of a column, instead it should 
remain unchanged.

Best regards,
Stéphane Vaillant



Information forwarded to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#893044; Package src:slurm-llnl. (Wed, 08 Aug 2018 10:30:03 GMT)


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Wed, 08 Aug 2018 10:30:03 GMT)


Message #26 received at 893044@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: Gennaro Oliva <oliva.g@na.icar.cnr.it>, 893044@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: Regression update for slurm-llnl in jessie
Date: Wed, 8 Aug 2018 10:27:08 +0000

Hi Gennaro,

On Wed, Aug 08, 2018 at 11:14:52AM +0200, Gennaro Oliva wrote:
> I have prepared a regression update of my package slurm-llnl in jessie, 
> because of:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893044#21
> I'm the maintainer of the package, but last upload was a NMU.
> 
> The updated package can be found here:
> https://people.debian.org/~oliva/slurm-llnl_14.03.9-5+deb8u4
> 
> Please let me know if I can be of any further assistance,

thanks for preparing this update, I'll upload it shortly.


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
                    holger@(debian|reproducible-builds).org

Reply sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>:
You have taken responsibility. (Thu, 09 Aug 2018 16:27:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 09 Aug 2018 16:27:06 GMT)


Message #31 received at 893044-done@bugs.debian.org:

From: Gennaro Oliva <oliva.g@na.icar.cnr.it>
To: Stephane Vaillant <Stephane.Vaillant@obspm.fr>, 893044-done@bugs.debian.org
Subject: Re: Bug#893044: closing 893044
Date: Thu, 9 Aug 2018 18:15:20 +0200

Package: slurm-llnl
Version: 14.03.9-5+deb8u4

Hi Stephane,

On Mon, Jul 30, 2018 at 11:07:21AM +0200, Stephane Vaillant wrote:
> The problem seems to be located in CVE-2018-7033-2.patch (provided in the
> slurm-llnl_14.03.9-5+deb8u3.debian.tar.xz archive) :
> -               if (gres_req)
> -                       xstrcat(query, ", gres_req");
> -               if (gres_alloc)
> -                       xstrcat(query, ", gres_alloc");
> +               if (job_ptr->gres_req)
> +                       xstrcat(query, ", job_ptr->gres_req");
> +               if (job_ptr->gres_alloc)
> +                       xstrcat(query, ", job_ptr->gres_alloc");

The patch was fixed by quoting the column names.
Thank you for your investigations and report.
Best regards,
-- 
Gennaro Oliva



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 25 Nov 2018 07:27:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:06:23 2019; Machine Name: buxtehude
