Bug 920104 (CVE-2023-49933, CVE-2023-49934, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938) - sys-cluster/slurm: multiple vulnerabilities
Summary: sys-cluster/slurm: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-49933, CVE-2023-49934, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lists.schedmd.com/pipermail/s...
Whiteboard: B2 [glsa]
Reported: 2023-12-16 10:08 UTC by Jarkko Suominen
Modified: 2024-09-22 07:40 UTC

Description Jarkko Suominen 2023-12-16 10:08:03 UTC
https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html

Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address 
a number of recently-discovered security issues. They've been assigned 
CVE-2023-49933 through CVE-2023-49938.


1) CVE-2023-49935 Slurmd Message Integrity Bypass. (Slurm 23.02 and 23.11.)

Permits an attacker to reuse root-level authentication tokens when 
interacting with the slurmd process, bypassing the RPC message hashes 
which protect against malicious MUNGE credential reuse.


2) CVE-2023-49938 Slurm Arbitrary File Overwrite. (Slurm 22.05 and 23.02.)
    
Permits an attacker to modify their extended group list used with the 
sbcast subsystem, and open files with an incorrect set of extended groups.


3) CVE-2023-49936 Slurm NULL Pointer Dereference. (Slurm 22.05, 23.02, 23.11.)

Denial of service.


4) CVE-2023-49937 Slurm Protocol Double Free. (Slurm 22.05, 23.02, 23.11.)
    
Denial of service, potential for arbitrary code execution.


5) CVE-2023-49933 Slurm Protocol Message Extension. (Slurm 22.05, 23.02, 23.11.)
    
Allows for malicious modification of RPC traffic that bypasses the 
message hash checks.


6) CVE-2023-49934 SQL Injection. (Slurm 23.11.)
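
An added example (not part of the bug report or SchedMD's announcement): a small Python check that maps a Slurm version string to the CVEs listed above that remain unpatched, using only the affected branches and fixed releases given in the description. The function names are hypothetical; a branch the announcement does not mention returns `None` rather than being treated as safe.

```python
import re

# Fixed patch level per release branch, and affected branches per CVE,
# transcribed from the announcement quoted in the description above.
FIXED = {"22.05": 11, "23.02": 7, "23.11": 1}
AFFECTED = {
    "CVE-2023-49933": {"22.05", "23.02", "23.11"},
    "CVE-2023-49934": {"23.11"},
    "CVE-2023-49935": {"23.02", "23.11"},
    "CVE-2023-49936": {"22.05", "23.02", "23.11"},
    "CVE-2023-49937": {"22.05", "23.02", "23.11"},
    "CVE-2023-49938": {"22.05", "23.02"},
}

def parse_version(text):
    """Extract (branch, patch) from strings such as 'slurm 23.02.6' or '22.05.3-r1'."""
    m = re.search(r"\b(\d{2}\.\d{2})\.(\d+)", text)
    if not m:
        raise ValueError(f"no Slurm version found in {text!r}")
    return m.group(1), int(m.group(2))

def open_cves(version_text):
    """Return the sorted CVEs from this advisory that still apply to the version,
    [] if the version is at or above the fixed release of its branch, or None
    when the branch is not one the advisory covers."""
    branch, patch = parse_version(version_text)
    if branch not in FIXED:
        return None  # the advisory is silent on this branch; do not assume safe
    if patch >= FIXED[branch]:
        return []
    return sorted(cve for cve, branches in AFFECTED.items() if branch in branches)

if __name__ == "__main__":
    # Constructed sample inputs; on a real node, pass the output of `sinfo --version`.
    for sample in ("slurm 22.05.3", "slurm 23.02.7", "slurm 23.11.0", "slurm 21.08.8"):
        result = open_cves(sample)
        if result is None:
            print(f"{sample}: branch not covered by this advisory")
        elif result:
            print(f"{sample}: unpatched for {', '.join(result)}")
        else:
            print(f"{sample}: at or above the fixed release")
```

A distribution may backport fixes without changing the upstream version number, so a non-empty result is a prompt to check the package changelog.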
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 22:20:50 UTC
Thanks! Already masked for bug 631552.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-14 22:27:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=878ee04160ad05c9a40beeac3ba2c973dbf436d6

commit 878ee04160ad05c9a40beeac3ba2c973dbf436d6
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-14 22:20:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-14 22:20:19 +0000

    sys-cluster/slurm: treeclean
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask                              |   4 -
 sys-cluster/slurm/Manifest                         |   1 -
 sys-cluster/slurm/files/logrotate                  |  20 --
 .../slurm/files/slurm-22.05.3_autoconf-lua.patch   |  49 ----
 sys-cluster/slurm/files/slurm.confd                |   6 -
 sys-cluster/slurm/files/slurm.tmpfiles             |   1 -
 sys-cluster/slurm/files/slurmctld.initd            |  76 ------
 sys-cluster/slurm/files/slurmd.initd               |  79 ------
 sys-cluster/slurm/files/slurmdbd.initd             |  74 ------
 sys-cluster/slurm/metadata.xml                     |  28 --
 sys-cluster/slurm/slurm-22.05.3.ebuild             | 287 ---------------------
 11 files changed, 625 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-15 15:46:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/proj/guru.git/commit/?id=d6957c8ab178c1284b5407f185196f3aa146ffb4

commit d6957c8ab178c1284b5407f185196f3aa146ffb4
Author:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
AuthorDate: 2024-01-15 03:29:52 +0000
Commit:     Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>
CommitDate: 2024-01-15 03:29:52 +0000

    profiles: mask a bunch of sys-cluster/* pkgs
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: Anna (cybertailor) Vyalkova <cyber+gentoo@sysrq.in>

 profiles/package.mask | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
Comment 4 Benda Xu gentoo-dev 2024-04-24 06:27:15 UTC
Hi John, I don't understand why sys-cluster/slurm deserves a treeclean.  Newer versions addressing the CVE are available.  Version bumps will solve the bugs.
Comment 5 Peter Gustafson 2024-06-17 13:33:38 UTC
Hi, I just saw this left the tree and am pretty bummed about it.  It's mission critical for me.  I hope you would reconsider, given the CVEs have been fixed.

Thanks for your work on this and for considering the request.
Comment 6 Hans de Graaff gentoo-dev Security 2024-06-17 13:42:35 UTC
This package was already removed in January. In any case I'm sure it could be added back when someone wants to maintain it and address the CVEs. That wasn't being done and hence the package was listed for removal.

I'm not sure if ajak has additional considerations here.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-09-22 01:57:41 UTC
> I'm not sure if ajak has additional considerations here.

Nope, someone just needs to maintain it.
Comment 8 Larry the Git Cow gentoo-dev 2024-09-22 07:39:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b2a8e7761946e4dd7bf5f993678482d2a80f8d73

commit b2a8e7761946e4dd7bf5f993678482d2a80f8d73
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 07:39:27 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 07:39:40 +0000

    [ GLSA 202409-16 ] Slurm: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/631552
    Bug: https://bugs.gentoo.org/920104
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-16.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)