Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Ciao Gennaro,

On Sat, Feb 03, 2024 at 12:28:24PM +0100, Gennaro Oliva wrote:
> Ciao Salvatore,
>
> On Sun, Jan 28, 2024 at 11:37:34AM +0100, Salvatore Bonaccorso wrote:
> > Reviewing your uploaded changes, the changelog mentions
> > CVE-2023-49935, but believe this was not affecting 22.05.8. Let's
> > still release with that in the changelog, the security-tracker should
> > be already correct on that.
>
> Sorry about that, I also forgot to build and upload the contrib package
> (check #1062264) I have uploaded at the same url and attached the debdiff.
>
> https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2

Right I see we should have handled this similarly to DSA 5529-1. If you
have tested the update then please do update. I think we should drop
the CVE-2023-49935 reference here as well?

> > Do you have any progress for unstable/trixie so we do not have a
> > regression once after the DSA is released?
>
> I'm working on it this weekend. It is a major release upgrade. I hope
> to release it at the beginning of next week.

Ok!

Regards,
Salvatore
Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Ciao Salvatore,

On Sun, Jan 28, 2024 at 11:37:34AM +0100, Salvatore Bonaccorso wrote:
> Reviewing your uploaded changes, the changelog mentions
> CVE-2023-49935, but believe this was not affecting 22.05.8. Let's
> still release with that in the changelog, the security-tracker should
> be already correct on that.

Sorry about that, I also forgot to build and upload the contrib package
(check #1062264) I have uploaded at the same url and attached the debdiff.

https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2

> Do you have any progress for unstable/trixie so we do not have a
> regression once after the DSA is released?

I'm working on it this weekend. It is a major release upgrade. I hope
to release it at the beginning of next week.

Best regards,
-- 
Gennaro Oliva

diff -Nru slurm-wlm-contrib-22.05.8/debian/changelog slurm-wlm-contrib-22.05.8/debian/changelog --- slurm-wlm-contrib-22.05.8/debian/changelog 2023-10-14 02:11:20.0 +0200 +++ slurm-wlm-contrib-22.05.8/debian/changelog 2024-02-03 10:52:11.0 +0100 @@ -1,3 +1,10 @@ +slurm-wlm-contrib (22.05.8-4+deb12u2) bookworm-security; urgency=medium + + * Fix CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, +CVE-2023-49938 (Closes: #1062264) + + -- Gennaro Oliva Sat, 03 Feb 2024 10:52:11 +0100 + slurm-wlm-contrib (22.05.8-4+deb12u1) bookworm-security; urgency=medium * Fix CVE-2023-41914 diff -Nru slurm-wlm-contrib-22.05.8/debian/patches/CVE-2023-49933-49935-49936-49937-49938 slurm-wlm-contrib-22.05.8/debian/patches/CVE-2023-49933-49935-49936-49937-49938 --- slurm-wlm-contrib-22.05.8/debian/patches/CVE-2023-49933-49935-49936-49937-49938 1970-01-01 01:00:00.0 +0100 +++ slurm-wlm-contrib-22.05.8/debian/patches/CVE-2023-49933-49935-49936-49937-49938 2024-02-03 10:50:40.0 +0100 
@@ -0,0 +1,717 @@ +Description: Fix CVE-2023-49933/49935/49936/49937/49938 + Fix improper enforcement of message integrity during transmission in a + communication channel that allows attackers to modify RPC traffic in a way that + bypasses message hash checks. Fix a NULL pointer dereference that leads to denial of + service. Fix a double free that allows attackers to cause a denial of service or + possibly execute arbitrary code. Fix incorrect access control that can enable + an attacker to modify their extended group list that is used with the sbcast + subsystem, and open files with an unauthorized set of extended groups. +Author: Tim Wickberg +Last-Update: 2023-12-25 + +diff --git a/src/common/pack.c b/src/common/pack.c +index b7e048b02d..75238188a9 100644 +--- a/src/common/pack.c b/src/common/pack.c +@@ -521,17 +521,16 @@ void pack16_array(uint16_t *valp, uint32_t size_val, buf_t *buffer) + */ + int unpack16_array(uint16_t **valp, uint32_t *size_val, buf_t *buffer) + { +- uint32_t i = 0; +- +- if (unpack32(size_val, buffer)) +- return SLURM_ERROR; +- +- *valp = xmalloc_nz((*size_val) * sizeof(uint16_t)); +- for (i = 0; i < *size_val; i++) { +- if (unpack16((*valp) + i, buffer)) +- return SLURM_ERROR; +- } ++ *valp = NULL; ++ safe_unpack32(size_val, buffer); ++ safe_xcalloc(*valp, *size_val, sizeof(uint16_t)); ++ for (uint32_t i = 0; i < *size_val; i++) ++ safe_unpack16(&(*valp)[i], buffer); + return SLURM_SUCCESS; ++ ++unpack_error: ++ xfree(*valp); ++ return SLURM_ERROR; + } + + /* +@@ -555,17 +554,16 @@ void pack32_array(uint32_t *valp, uint32_t size_val, buf_t *buffer) + */ + int unpack32_array(uint32_t **valp, uint32_t *size_val, buf_t *buffer) + { +- uint32_t i = 0; +- +- if (unpack32(size_val, buffer)) +- return SLURM_ERROR; +- +- *valp = xmalloc_nz((*size_val) * sizeof(uint32_t)); +- for (i = 0; i < *size_val; i++) { +- if (unpack32((*valp) + i, buffer)) +- return SLURM_ERROR; +- } ++ *valp = NULL; ++ safe_unpack32(size_val, buffer); ++ 
safe_xcalloc(*valp, *size_val, sizeof(uint32_t)); ++ for (uint32_t i = 0; i < *size_val; i++) ++ safe_unpack32(&(*valp)[i], buffer); + return SLURM_SUCCESS; ++ ++unpack_error: ++ xfree(*valp); ++ return SLURM_ERROR; + } + + /* +@@ -588,17 +586,16 @@ void pack64_array(uint64_t *valp, uint32_t size_val, buf_t *buffer) + */ + int unpack64_array(uint64_t **valp, uint32_t *size_val, buf_t *buffer) + { +- uint32_t i = 0; +- +- if (unpack32(size_val, buffer)) +- return SLURM_ERROR; +- +- *valp = xmalloc_nz((*size_val) * sizeof(uint64_t)); +- for (i = 0; i < *size_val; i++) { +- if (unpack64((*valp) + i, buffer)) +- return SLURM_ERROR; +- } ++ *valp = NULL; ++ safe_unpack32(size_val, buffer); ++ safe_xcalloc(*valp, *size_val, sizeof(uint64_t)); ++ for (uint32_t i = 0; i < *size_val; i++) ++
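Review bot: In the unpack16_array, unpack32_array and unpack64_array hunks, the new unpack_error path frees *valp but leaves *size_val holding the count that safe_unpack32 read from the buffer, so a caller that ignores the return value is handed a freed array together with a non-zero length. Consider setting *size_val = 0 before "return SLURM_ERROR;" and stating in each function's comment that nothing is left for the caller to free on error. The allocation is also still sized from that untrusted count before any element has been read; unless safe_xcalloc already bounds it, a check of *size_val against the bytes remaining in the buffer ahead of the allocation would reject oversized counts early.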
Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Hi Gennaro,

On Sat, Dec 30, 2023 at 10:55:32PM +0100, Gennaro Oliva wrote:
> Dear Salvatore,
> I prepared an updated version of the slurm-wlm package for bookworm in
> response to CVE-2023-49933/49935/49936/49937/49938
>
> The package can be found here:
>
> https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2
>
> debdiff attached.
>
> A new package for sid is under preparation.
>
> Please let me know if I can be of any further help.
>
> I take this opportunity to wish you and to all the security team members
> a successful and prosperous new year.

Reviewing your uploaded changes, the changelog mentions CVE-2023-49935,
but believe this was not affecting 22.05.8. Let's still release with
that in the changelog, the security-tracker should be already correct
on that.

Do you have any progress for unstable/trixie so we do not have a
regression once after the DSA is released?

Regards,
Salvatore
Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Hi Gennaro,

On Sat, Dec 30, 2023 at 10:55:32PM +0100, Gennaro Oliva wrote:
> Dear Salvatore,
> I prepared an updated version of the slurm-wlm package for bookworm in
> response to CVE-2023-49933/49935/49936/49937/49938
>
> The package can be found here:
>
> https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2
>
> debdiff attached.
>
> A new package for sid is under preparation.
>
> Please let me know if I can be of any further help.

Thanks a lot. If you were able to test the version as well with the
fixes and spotted no problem, please do upload to security-master.

>
> I take this opportunity to wish you and to all the security team members
> a successful and prosperous new year.

I wish you the very same :)

Regards,
Salvatore
Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Dear Salvatore,

I prepared an updated version of the slurm-wlm package for bookworm in
response to CVE-2023-49933/49935/49936/49937/49938

The package can be found here:

https://people.debian.org/~oliva/slurm-wlm-22.05.8-4+deb12u2

debdiff attached.

A new package for sid is under preparation.

Please let me know if I can be of any further help.

I take this opportunity to wish you and to all the security team members
a successful and prosperous new year.

Best regards,
-- 
Gennaro Oliva

On Fri, Dec 15, 2023 at 06:21:05AM +0100, Salvatore Bonaccorso wrote:
> Source: slurm-wlm
> Version: 23.02.6-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi Gennaro,
>
> The following vulnerabilities were published for slurm-wlm.
>
> CVE-2023-49933[0]:
> | An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
> | 23.11.x. There is Improper Enforcement of Message Integrity During
> | Transmission in a Communication Channel. This allows attackers to
> | modify RPC traffic in a way that bypasses message hash checks. The
> | fixed versions are 22.05.11, 23.02.7, and 23.11.1.
>
>
> CVE-2023-49935[1]:
> | An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There
> | is Incorrect Access Control because of a slurmd Message Integrity
> | Bypass. An attacker can reuse root-level authentication tokens
> | during interaction with the slurmd process. This bypasses the RPC
> | message hashes that protect against undesired MUNGE credential
> | reuse. The fixed versions are 23.02.7 and 23.11.1.
>
>
> CVE-2023-49936[2]:
> | An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
> | 23.11.x. A NULL pointer dereference leads to denial of service. The
> | fixed versions are 22.05.11, 23.02.7, and 23.11.1.
>
>
> CVE-2023-49937[3]:
> | An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
> | 23.11.x. Because of a double free, attackers can cause a denial of
> | service or possibly execute arbitrary code. The fixed versions are
> | 22.05.11, 23.02.7, and 23.11.1.
>
>
> CVE-2023-49938[4]:
> | An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There
> | is Incorrect Access Control: an attacker can modify their extended
> | group list that is used with the sbcast subsystem, and open files
> | with an unauthorized set of extended groups. The fixed versions are
> | 22.05.11 and 23.02.7.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-49933
>     https://www.cve.org/CVERecord?id=CVE-2023-49933
> [1] https://security-tracker.debian.org/tracker/CVE-2023-49935
>     https://www.cve.org/CVERecord?id=CVE-2023-49935
> [2] https://security-tracker.debian.org/tracker/CVE-2023-49936
>     https://www.cve.org/CVERecord?id=CVE-2023-49936
> [3] https://security-tracker.debian.org/tracker/CVE-2023-49937
>     https://www.cve.org/CVERecord?id=CVE-2023-49937
> [4] https://security-tracker.debian.org/tracker/CVE-2023-49938
>     https://www.cve.org/CVERecord?id=CVE-2023-49938
>
> Regards,
> Salvatore
>

-- 
Gennaro Oliva

diffstat for slurm-wlm-22.05.8 slurm-wlm-22.05.8 changelog|7 patches/CVE-2023-49933-49936-49937-49938 | 717 +++ patches/series |1 3 files changed, 725 insertions(+) diff -Nru slurm-wlm-22.05.8/debian/changelog slurm-wlm-22.05.8/debian/changelog --- slurm-wlm-22.05.8/debian/changelog 2023-10-12 20:09:40.0 +0200 +++ slurm-wlm-22.05.8/debian/changelog 2023-12-25 09:26:16.0 +0100 
@@ -1,3 +1,10 @@ +slurm-wlm (22.05.8-4+deb12u2) bookworm-security; urgency=medium + + * Fix CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, +CVE-2023-49938 (Closes: #1058720) + + -- Gennaro Oliva Mon, 25 Dec 2023 09:26:16 +0100 + slurm-wlm (22.05.8-4+deb12u1) bookworm-security; urgency=medium * Fix CVE-2023-41914 diff -Nru slurm-wlm-22.05.8/debian/patches/CVE-2023-49933-49936-49937-49938 slurm-wlm-22.05.8/debian/patches/CVE-2023-49933-49936-49937-49938 --- slurm-wlm-22.05.8/debian/patches/CVE-2023-49933-49936-49937-49938 1970-01-01 01:00:00.0 +0100 +++ slurm-wlm-22.05.8/debian/patches/CVE-2023-49933-49936-49937-49938 2023-12-25 09:26:16.0 +0100 @@ -0,0 +1,717 @@ +Description: Fix CVE-2023-49933/49935/49936/49937/49938 + Fix improper enforcement of message integrity during transmission in a + communication channel that allows attackers to modify RPC traffic in a way that + bypasses message hash checks. Fix a NULL pointer dereference that leads to denial of + service. Fix a double free that allows attackers to cause a denial of service or + possibly execute arbitrary code. Fix incorrect access control that can enable + an attacker to modify their extended group list that is used
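Review bot: The changelog entry and the patch header's Description line both list CVE-2023-49935, while the patch file itself is named CVE-2023-49933-49936-49937-49938 and the CVE-2023-49935 record quoted in this report names only 23.02.x and 23.11.x as affected. Make the three agree: either drop CVE-2023-49935 from the "* Fix CVE-2023-49933, ..." changelog line and from "Description: Fix CVE-2023-49933/49935/49936/49937/49938", or state in the Description which part of the patch addresses it on 22.05.8.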
Bug#1058720: slurm-wlm: CVE-2023-49933 CVE-2023-49935 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Source: slurm-wlm
Version: 23.02.6-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi Gennaro,

The following vulnerabilities were published for slurm-wlm.

CVE-2023-49933[0]:
| An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
| 23.11.x. There is Improper Enforcement of Message Integrity During
| Transmission in a Communication Channel. This allows attackers to
| modify RPC traffic in a way that bypasses message hash checks. The
| fixed versions are 22.05.11, 23.02.7, and 23.11.1.

CVE-2023-49935[1]:
| An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There
| is Incorrect Access Control because of a slurmd Message Integrity
| Bypass. An attacker can reuse root-level authentication tokens
| during interaction with the slurmd process. This bypasses the RPC
| message hashes that protect against undesired MUNGE credential
| reuse. The fixed versions are 23.02.7 and 23.11.1.

CVE-2023-49936[2]:
| An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
| 23.11.x. A NULL pointer dereference leads to denial of service. The
| fixed versions are 22.05.11, 23.02.7, and 23.11.1.

CVE-2023-49937[3]:
| An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and
| 23.11.x. Because of a double free, attackers can cause a denial of
| service or possibly execute arbitrary code. The fixed versions are
| 22.05.11, 23.02.7, and 23.11.1.

CVE-2023-49938[4]:
| An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There
| is Incorrect Access Control: an attacker can modify their extended
| group list that is used with the sbcast subsystem, and open files
| with an unauthorized set of extended groups. The fixed versions are
| 22.05.11 and 23.02.7.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49933
    https://www.cve.org/CVERecord?id=CVE-2023-49933
[1] https://security-tracker.debian.org/tracker/CVE-2023-49935
    https://www.cve.org/CVERecord?id=CVE-2023-49935
[2] https://security-tracker.debian.org/tracker/CVE-2023-49936
    https://www.cve.org/CVERecord?id=CVE-2023-49936
[3] https://security-tracker.debian.org/tracker/CVE-2023-49937
    https://www.cve.org/CVERecord?id=CVE-2023-49937
[4] https://security-tracker.debian.org/tracker/CVE-2023-49938
    https://www.cve.org/CVERecord?id=CVE-2023-49938

Regards,
Salvatore