
Bug 790296 (CVE-2021-31215)

Summary: <sys-cluster/slurm-22.05.3: Remote code execution via environment mishandling (CVE-2021-31215)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: alexxy, cluster, peter.gustafson
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---
Attachments: patch required for minor bump (flags: none)

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:27:59 UTC
Description:
"SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 01:28:12 UTC
Please bump.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:22:23 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:30:38 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:38:35 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:46:42 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:02:41 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:10:57 UTC
Package list is empty or all packages have requested keywords.
Comment 8 Larry the Git Cow gentoo-dev 2022-08-15 00:36:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=002aa381e511ead5a8b433a8b2ad5d5afd4d94fe

commit 002aa381e511ead5a8b433a8b2ad5d5afd4d94fe
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 00:16:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 00:35:55 +0000

    profiles: last rite sys-cluster/slurm
    
    Also remove the collectd unmasks in arch package.use.masks.
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ----
 profiles/arch/x86/package.use.mask   | 4 ----
 profiles/base/package.use.mask       | 3 +++
 profiles/package.mask                | 6 ++++++
 4 files changed, 9 insertions(+), 8 deletions(-)
Comment 9 Peter Gustafson 2022-09-02 19:17:30 UTC
Created attachment 802792 [details, diff]
patch required for minor bump
Comment 10 Peter Gustafson 2022-09-02 19:19:51 UTC
Major version (22.05.3) and minor (20.11.9) are both out and would address this bug.

https://www.schedmd.com/news.php?id=265#OPT_265
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-03 15:58:06 UTC
(In reply to Peter Gustafson from comment #9)
> Created attachment 802792 [details, diff]
> patch required for minor bump

Could you file a PR?
Comment 12 Larry the Git Cow gentoo-dev 2022-09-15 08:01:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1947dd126dfbf1a19f631b770d3e36fffdf334e

commit b1947dd126dfbf1a19f631b770d3e36fffdf334e
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:00:39 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:00:39 +0000

    sys-cluster/slurm: Update to new version
    
    Closes: https://bugs.gentoo.org/744148
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 sys-cluster/slurm/Manifest                         |   2 +-
 ...-lua.patch => slurm-22.05.3_autoconf-lua.patch} |  19 +-
 sys-cluster/slurm/metadata.xml                     |   6 +-
 sys-cluster/slurm/slurm-20.11.0.1-r105.ebuild      | 275 ---------------------
 ...-20.11.0.1-r104.ebuild => slurm-22.05.3.ebuild} |  34 ++-
 5 files changed, 38 insertions(+), 298 deletions(-)
Comment 13 Larry the Git Cow gentoo-dev 2022-09-15 08:08:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34a195a9b018eecac186686a2f88d21daff2f04

commit a34a195a9b018eecac186686a2f88d21daff2f04
Author:     Alexey Shvetsov <alexxy@gentoo.org>
AuthorDate: 2022-09-15 08:07:56 +0000
Commit:     Alexey Shvetsov <alexxy@gentoo.org>
CommitDate: 2022-09-15 08:07:56 +0000

    profiles: Remove slurm p.mask since vulnerable version no longer in tree
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/790296
    Bug: https://bugs.gentoo.org/842789
    Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)