[release-18.03] slurm: Fix CVE-2018-7033 #39668

Closed


veprbl
Member

@veprbl veprbl commented Apr 29, 2018

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@veprbl veprbl changed the title from "[release-18.03] slurm: 17.02.9 -> 17.02.10 fix CVE-2018-7033" to "[release-18.03] slurm: Fix CVE-2018-7033" Apr 29, 2018
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: slurm

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: slurm

Partial log:

Hunk #2 succeeded at 87 (offset 2 lines).
Hunk #3 succeeded at 829 (offset 26 lines).
1 out of 3 hunks FAILED -- saving rejects to file src/common/pack.c.rej
patching file src/common/pack.h
Hunk #1 succeeded at 126 (offset 1 line).
Hunk #2 succeeded at 337 (offset 1 line).
patching file src/common/slurm_xlator.h
Hunk #1 succeeded at 258 (offset 9 lines).
builder for '/nix/store/6n0g76b57g4zw61gsf6qwvhwdhc20hhr-slurm-17.11.3.drv' failed with exit code 1
error: build of '/nix/store/6n0g76b57g4zw61gsf6qwvhwdhc20hhr-slurm-17.11.3.drv' failed

@GrahamcOfBorg

Failure on aarch64-linux (full log)

Attempted: slurm

Partial log:

Hunk #2 succeeded at 87 (offset 2 lines).
Hunk #3 succeeded at 829 (offset 26 lines).
1 out of 3 hunks FAILED -- saving rejects to file src/common/pack.c.rej
patching file src/common/pack.h
Hunk #1 succeeded at 126 (offset 1 line).
Hunk #2 succeeded at 337 (offset 1 line).
patching file src/common/slurm_xlator.h
Hunk #1 succeeded at 258 (offset 9 lines).
builder for '/nix/store/9s7w5iw488qypzk0sqckvs0qpgzk5x3z-slurm-17.11.3.drv' failed with exit code 1
error: build of '/nix/store/9s7w5iw488qypzk0sqckvs0qpgzk5x3z-slurm-17.11.3.drv' failed

@veprbl veprbl force-pushed the pr/release-18.03/CVE-2018-7033 branch from fc4cacc to 4697144 Compare April 29, 2018 04:48
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: slurm

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Failure on x86_64-linux (full log)

Attempted: slurm

Partial log:

Hunk #2 succeeded at 87 (offset 2 lines).
Hunk #3 succeeded at 829 (offset 26 lines).
1 out of 3 hunks FAILED -- saving rejects to file src/common/pack.c.rej
patching file src/common/pack.h
Hunk #1 succeeded at 126 (offset 1 line).
Hunk #2 succeeded at 337 (offset 1 line).
patching file src/common/slurm_xlator.h
Hunk #1 succeeded at 258 (offset 9 lines).
builder for '/nix/store/09g990c94y4hb5xj2khzs98aq08kn9cv-slurm-17.11.3.drv' failed with exit code 1
error: build of '/nix/store/09g990c94y4hb5xj2khzs98aq08kn9cv-slurm-17.11.3.drv' failed

@GrahamcOfBorg

Failure on aarch64-linux (full log)

Attempted: slurm

Partial log:

Hunk #2 succeeded at 87 (offset 2 lines).
Hunk #3 succeeded at 829 (offset 26 lines).
1 out of 3 hunks FAILED -- saving rejects to file src/common/pack.c.rej
patching file src/common/pack.h
Hunk #1 succeeded at 126 (offset 1 line).
Hunk #2 succeeded at 337 (offset 1 line).
patching file src/common/slurm_xlator.h
Hunk #1 succeeded at 258 (offset 9 lines).
builder for '/nix/store/27awhwbgv1brd22awz7z3di6c5fwcxbc-slurm-17.11.3.drv' failed with exit code 1
error: build of '/nix/store/27awhwbgv1brd22awz7z3di6c5fwcxbc-slurm-17.11.3.drv' failed

@veprbl veprbl force-pushed the pr/release-18.03/CVE-2018-7033 branch 2 times, most recently from fe691eb to 6a731a8 Compare April 29, 2018 05:30
@veprbl veprbl force-pushed the pr/release-18.03/CVE-2018-7033 branch from 6a731a8 to 072d8bf Compare April 29, 2018 05:33
@GrahamcOfBorg

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: slurm

Partial log:


a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: slurm

Partial log:

gzipping man pages under /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3/share/man/
strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3/lib  /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3/bin  /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3/sbin
patching script interpreter paths in /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3
checking for references to /build in /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3...
moving /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3/sbin/* to /nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/gj0n8cmy21c40knb7aj8gm2bliw219qi-slurm-17.11.3-dev
strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/gj0n8cmy21c40knb7aj8gm2bliw219qi-slurm-17.11.3-dev
checking for references to /build in /nix/store/gj0n8cmy21c40knb7aj8gm2bliw219qi-slurm-17.11.3-dev...

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: slurm

Partial log:

strip is /nix/store/lvx1acn1ig1j2km8jds5x3ggh3f2wa8v-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3/lib  /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3/bin  /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3/sbin
patching script interpreter paths in /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3
checking for references to /build in /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3...
moving /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3/sbin/* to /nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/4l8vygk7ik27yi6nwqyjcgg99sw3b311-slurm-17.11.3-dev
strip is /nix/store/lvx1acn1ig1j2km8jds5x3ggh3f2wa8v-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/4l8vygk7ik27yi6nwqyjcgg99sw3b311-slurm-17.11.3-dev
checking for references to /build in /nix/store/4l8vygk7ik27yi6nwqyjcgg99sw3b311-slurm-17.11.3-dev...
/nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3

@xeji
Contributor

xeji commented Apr 29, 2018

Why not bump to 17.11.5 (which includes this patch and other bugfixes) as recommended by upstream?

@Mic92
Member

Mic92 commented Apr 29, 2018

Master should also be updated.

@veprbl
Member Author

veprbl commented Apr 29, 2018

@xeji Any reason not to keep the version?
@Mic92 I don't think it needs to.

@Mic92
Member

Mic92 commented Apr 29, 2018

Ah master already has that version.

@Mic92
Member

Mic92 commented Apr 29, 2018

@veprbl we usually also backport patch releases, if they contain bug fixes.

@xeji
Contributor

xeji commented Apr 29, 2018

@veprbl In this case, upstream writes

The only safe mitigation, aside from installing these updated versions, is to disable slurmdbd on your system.

I suggest going with the upstream recommendation unless there's a good reason to stick to our current version. Makes it easier to manage too.

@xeji
Contributor

xeji commented Apr 30, 2018

@GrahamcOfBorg build slurm slurm-full

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: slurm, slurm-full

Partial log:

stripping (with command strip and flags -S) in /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3/lib  /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3/bin  /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3/sbin
patching script interpreter paths in /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3
checking for references to /build in /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3...
moving /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3/sbin/* to /nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/215s8wijic7xbq6c7ww6jynf8zna3fhg-slurm-17.11.3-dev
strip is /nix/store/b0zlxla7dmy1iwc3g459rjznx59797xy-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/215s8wijic7xbq6c7ww6jynf8zna3fhg-slurm-17.11.3-dev
checking for references to /build in /nix/store/215s8wijic7xbq6c7ww6jynf8zna3fhg-slurm-17.11.3-dev...
/nix/store/3w0qx83265xm83hqf21ngzr4y7my749n-slurm-17.11.3
/nix/store/3xasng8b17s0y7n2faxfibjhjwjlwbf0-slurm-17.11.3

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: slurm, slurm-full

Partial log:

stripping (with command strip and flags -S) in /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3/lib  /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3/bin  /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3/sbin
patching script interpreter paths in /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3
checking for references to /build in /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3...
moving /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3/sbin/* to /nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3/bin
shrinking RPATHs of ELF executables and libraries in /nix/store/9sfkf90m97y9arsbsxc90i9cshmk4aag-slurm-17.11.3-dev
strip is /nix/store/lvx1acn1ig1j2km8jds5x3ggh3f2wa8v-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/9sfkf90m97y9arsbsxc90i9cshmk4aag-slurm-17.11.3-dev
checking for references to /build in /nix/store/9sfkf90m97y9arsbsxc90i9cshmk4aag-slurm-17.11.3-dev...
/nix/store/m422c9nfbbikwqjngbbk97m20g15k818-slurm-17.11.3
/nix/store/n6im6r2ql6v0cbs1v2pq0km9pin99cg4-slurm-17.11.3

@xeji
Contributor

xeji commented Apr 30, 2018

@veprbl thank you for your new PR. I'm closing this in favor of #39688 to avoid confusion, but we can reopen it if the version bump doesn't work out with the python package.

@xeji xeji closed this Apr 30, 2018
@veprbl veprbl deleted the pr/release-18.03/CVE-2018-7033 branch December 1, 2020 16:59