slurm-llnl: CVE-2016-10030

Related Vulnerabilities: CVE-2016-10030  

Debian Bug report logs - #850491
slurm-llnl: CVE-2016-10030


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 7 Jan 2017 06:39:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version slurm-llnl/14.03.9-5

Fixed in version slurm-llnl/16.05.8-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#850491; Package src:slurm-llnl. (Sat, 07 Jan 2017 06:39:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Sat, 07 Jan 2017 06:39:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: slurm-llnl: CVE-2016-10030
Date: Sat, 07 Jan 2017 07:34:45 +0100
Source: slurm-llnl
Version: 14.03.9-5
Severity: grave
Tags: upstream patch security fixed-upstream
Justification: user security hole

Hi,

the following vulnerability was published for slurm-llnl.

CVE-2016-10030[0]:
| The _prolog_error function in slurmd/req.c in Slurm before 15.08.13,
| 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability
| in how the slurmd daemon informs users of a Prolog failure on a compute
| node. That vulnerability could allow a user to assume control of an
| arbitrary file on the system. Any exploitation of this is dependent on
| the user being able to cause or anticipate the failure (non-zero return
| code) of a Prolog script that their job would run on. This issue
| affects all Slurm versions from 0.6.0 (September 2005) to present.
| Workarounds to prevent exploitation of this are to either disable your
| Prolog script, or modify it such that it always returns 0 ("success")
| and adjust it to set the node as down using scontrol instead of relying
| on the slurmd to handle that automatically. If you do not have a Prolog
| set you are unaffected by this issue.

I'm not too familiar with slurm, but looking at the description and
code this should be the case. It is fixed upstream.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10030
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10030
[1] https://www.schedmd.com/news.php?id=178
[2] https://github.com/SchedMD/slurm/commit/92362a92fffe60187df61f99ab11c249d44120ee

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
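
The workaround named in the CVE text above (a Prolog that always returns 0 and sets the node down with scontrol itself), as an added example that is not part of the original bug log or of Slurm. The checks path, and reading `SLURMD_NODENAME` and `SLURM_JOB_ID` from the Prolog environment, are assumptions about the site.

```bash
#!/bin/bash
# Added example: Prolog wrapper for the CVE-2016-10030 workaround.
# slurmd never sees a non-zero Prolog exit, so its own Prolog-failure
# handling is not triggered; the wrapper downs the node itself.

# Hypothetical location of the site's real Prolog checks (assumption).
SITE_CHECKS="${SITE_CHECKS:-/etc/slurm-llnl/prolog-checks.sh}"

# Run the given check command; if it fails, mark this node DOWN.
# Always returns 0 so the script can report "success" unconditionally.
safe_prolog() {
    local node rc=0
    # Assumption: slurmd exports SLURMD_NODENAME; fall back to the hostname.
    node="${SLURMD_NODENAME:-$(hostname -s)}"
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -ne 0 ]; then
        # Reason uses only fixed text and numeric fields, no user strings.
        scontrol update NodeName="$node" State=DOWN \
            Reason="prolog failed rc=$rc job=${SLURM_JOB_ID:-unknown}" \
            || logger -t slurm-prolog "could not set $node DOWN (rc=$rc)"
    fi
    return 0
}

# Act only when a job id is present, i.e. when slurmd runs this as Prolog.
if [ -n "${SLURM_JOB_ID:-}" ]; then
    safe_prolog "$SITE_CHECKS"
    exit 0
fi
```

A missing or non-executable checks script also counts as a failure here, so the node is set DOWN rather than silently passing.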



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 07 Jan 2017 06:45:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 07 Jan 2017 06:45:07 GMT).


Message #10 received at 850491-done@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 850491-done@bugs.debian.org
Subject: Re: Bug#850491: slurm-llnl: CVE-2016-10030
Date: Sat, 7 Jan 2017 07:41:18 +0100
Source: slurm-llnl
Source-Version: 16.05.8-1

On Sat, Jan 07, 2017 at 07:34:45AM +0100, Salvatore Bonaccorso wrote:
> Source: slurm-llnl
> Version: 14.03.9-5
> Severity: grave
> Tags: upstream patch security fixed-upstream
> Justification: user security hole
> 
> Hi,
> 
> the following vulnerability was published for slurm-llnl.
> 
> CVE-2016-10030[0]:
> | The _prolog_error function in slurmd/req.c in Slurm before 15.08.13,
> | 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability
> | in how the slurmd daemon informs users of a Prolog failure on a compute
> | node. That vulnerability could allow a user to assume control of an
> | arbitrary file on the system. Any exploitation of this is dependent on
> | the user being able to cause or anticipate the failure (non-zero return
> | code) of a Prolog script that their job would run on. This issue
> | affects all Slurm versions from 0.6.0 (September 2005) to present.
> | Workarounds to prevent exploitation of this are to either disable your
> | Prolog script, or modify it such that it always returns 0 ("success")
> | and adjust it to set the node as down using scontrol instead of relying
> | on the slurmd to handle that automatically. If you do not have a Prolog
> | set you are unaffected by this issue.
> 
> I'm not too familiar with slurm, but looking at the description and
> code this should be the case. It is fixed upstream.

And now included with the recent upload of some hours ago to unstable.
So closing with that version.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Gennaro Oliva <oliva.g@na.icar.cnr.it>:
Bug#850491; Package src:slurm-llnl. (Thu, 20 Apr 2017 16:39:03 GMT).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>. (Thu, 20 Apr 2017 16:39:03 GMT).


Message #15 received at 850491@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 850491@bugs.debian.org
Subject: Re: Bug#850491: slurm-llnl: CVE-2016-10030
Date: Thu, 20 Apr 2017 18:34:49 +0200
On Sat, 07 Jan 2017, Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

If you want to fix this for jessie, you should start with the patch
from the 15.08 branch and it should be easy to backport:
https://github.com/SchedMD/slurm/commit/465c98ccff9f1e0018e6a0e6e86ee485ae480ae6

At least it was for me for the version in wheezy. I attach my backported
patch for reference. But I don't really know how to test it...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
[CVE-2016-10030 (text/plain, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:55:33 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:44:08 2019; Machine Name: beach
