Acknowledgement sent
to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Gennaro Oliva <oliva.g@na.icar.cnr.it>.
(Tue, 21 Apr 2009 09:57:05 GMT) (full text, mbox, link).
Package: slurm-llnl
Version: 1.3.6-1
Severity: grave
Tags: security patch pending
The following issue has been reported on the slurm-llnl mailinglist.
Updated packages are in preparation.
---------- Forwarded Message ----------
A security flaw has been discovered in all releases of SLURM
versions 1.2 and 1.3. This flaw can be exploited by legitimate
users of a computer to increase their privileges based upon
the supplemental groups available to the SLURM daemons.
Description
A vulnerability exists in the current SLURM sbcast implementation.
The result of this flaw is that sbcast may not properly establish
user supplementary groups before opening files for writing, instead
inheriting the supplementary group list from the slurmd daemon,
which may contain system groups with elevated privileges.
Similar logic exists in support of the strigger command. If the
SlurmUser is configured to be root, unprivileged users may execute
a program inheriting the supplementary group list from the slurmctld
daemon, which may contain system groups with elevated privileges.
You can check the current list of supplementary groups that would be
inherited from these daemons by running the following command:
grep ^Groups /proc/`pidof slurmd`/status
grep ^Groups /proc/`pidof slurmctld`/status
Impact
A valid SLURM user may be able to write files in directories with
group write access for one of the inherited groups and/or may be able
to overwrite files with similar group write access. Depending upon
system configuration, this may allow a user to gain elevated privileges.
Solution
We are providing four options to fix this problem.
1. Apply the initgroups.patch2 to an existing SLURM version 1.3
or 1.2 distribution.
2. Install the nogroups.c wrapper to start the SLURM daemons without
any supplemental groups. This can be used with most configurations
and no change in the installed SLURM code.
3. Install SLURM version 1.3.14, which is the same as version
1.3.13 (a very stable release made on 13 January 2009) plus
initgroups.patch2.
4. Install SLURM version 1.3.15, which includes initgroups.patch2
plus support for BlueGene/P systems, an assortment of minor
bug fixes and some minor enhancements.
After performing one of these changes, the SLURM daemons must be
restarted for the change to take effect.
SLURM version 1.4.0-pre12 was also released today for those working
with a beta version of the next major release.
-------------------------------------------------------
Bug marked as fixed in version 1.3.6-1lenny3, send any further explanations to Thijs Kinkhorst <thijs@debian.org>
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Tue, 21 Apr 2009 10:48:12 GMT) (full text, mbox, link).
Bug marked as fixed in version 1.3.15-1, send any further explanations to Thijs Kinkhorst <thijs@debian.org>
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(Tue, 21 Apr 2009 10:48:13 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 26 Jul 2009 07:37:42 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.