From 55d6d2b0c76c52043f07de6c2658943f47f736a6a56f0ff8ab92ae72ff050fca Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Mon, 11 Jun 2018 10:31:14 +0000 Subject: [PATCH] Accepting request 615950 from home:mslacken - Fix security issue in handling of username and gid fields CVE-2018-10995 what implied an update from 17.11.5 to 17.11.7 - Update from 17.11.5 to 17.11.7 Highlights of 17.11.6: * CRAY - Add slurmsmwd to the contribs/cray dir * PMIX - Added the direct connect authentication. * Prevent the backup slurmctld from losing the active/available node features list on takeover. * Be able to force power_down of cloud node even if in power_save state. * Allow cloud nodes to be recognized in Slurm when booted out of band. * Numerous fixes - check 'NEWS' file. Highlights of 17.11.7: * Notify srun and ctld when unkillable stepd exits. * Numerous fixes - check 'NEWS' file. OBS-URL: https://build.opensuse.org/request/show/615950 OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=58 --- removed-deprecated-xdaemon.patch | 38 ++++++------- slurm-17.11.5.tar.bz2 | 3 -- slurm-17.11.7.tar.bz2 | 3 ++ slurm.changes | 19 +++++++ slurm.spec | 10 ++-- slurmctld-uses-xdaemon_-for-systemd.patch | 27 +++++----- slurmd-uses-xdaemon_-for-systemd.patch | 16 +++--- slurmdbd-uses-xdaemon_-for-systemd.patch | 18 +++---- slurmsmwd-uses-xdaemon_-for-systemd.patch | 41 ++++++++++++++ ...-xdaemon_init-and-xdaemon_finish-for.patch | 54 ++++++++----------- 10 files changed, 137 insertions(+), 92 deletions(-) delete mode 100644 slurm-17.11.5.tar.bz2 create mode 100644 slurm-17.11.7.tar.bz2 create mode 100644 slurmsmwd-uses-xdaemon_-for-systemd.patch rename split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for-systemd-compatibilty.patch => split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for.patch (75%) diff --git a/removed-deprecated-xdaemon.patch b/removed-deprecated-xdaemon.patch index 7338fc3..c7e3d63 100644 --- a/removed-deprecated-xdaemon.patch 
+++ b/removed-deprecated-xdaemon.patch @@ -1,17 +1,12 @@ +From 783f241cc56d789bf795efc7172672da1c8b2a10 Mon Sep 17 00:00:00 2001 From: Christian Goll -Date: Mon Apr 9 11:52:58 2018 +0200 -Subject: removed deprecated xdaemon -Patch-mainline: Not yet -Git-repo: https://github.com/SchedMD/slurm -Git-commit: ca2921a03af842792810efd3d49fbdbfeccfd438 -References: bsc#1084125 +Date: Mon, 9 Apr 2018 11:52:58 +0200 +Subject: [PATCH 6/6] removed deprecated xdaemon - -Signed-off-by: Egbert Eich --- src/common/daemonize.c | 11 ----------- - src/common/daemonize.h | 7 ------- - 2 files changed, 18 deletions(-) + src/common/daemonize.h | 1 - + 2 files changed, 12 deletions(-) diff --git a/src/common/daemonize.c b/src/common/daemonize.c index 2987a40af0..32dc79c577 100644 @@ -36,20 +31,17 @@ index 2987a40af0..32dc79c577 100644 /* * Read and return pid stored in pidfile. diff --git a/src/common/daemonize.h b/src/common/daemonize.h -index c932d83f74..d0ab92e860 100644 +index 8b2a866b61..4ec16f22b0 100644 --- a/src/common/daemonize.h +++ b/src/common/daemonize.h -@@ -60,13 +60,6 @@ extern int xdaemon_init(void); +@@ -44,7 +44,6 @@ + * Start fork process into background and inherit new session. + * */ - extern void xdaemon_finish(int fd); - --/* -- * Fork process into background and inherit new session. -- * -- * Returns -1 on error. -- */ -extern int xdaemon(void); -- - /* Write pid into file pidfile if uid is not 0 change the owner of the - * pidfile to that user. - */ + extern int xdaemon_init(void); + + /* +-- +2.13.7 + diff --git a/slurm-17.11.5.tar.bz2 b/slurm-17.11.5.tar.bz2 deleted file mode 100644 index 0216cff..0000000 --- a/slurm-17.11.5.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:39f5c53bc101909494c4abc1fb47a8cd86cba16ec77503aa9e994c11bef7f01d -size 6248551 diff --git a/slurm-17.11.7.tar.bz2 b/slurm-17.11.7.tar.bz2 new file mode 100644 index 0000000..b2466b1 --- /dev/null +++ b/slurm-17.11.7.tar.bz2 
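Review bot: The regenerated header of removed-deprecated-xdaemon.patch drops the `Patch-mainline: Not yet`, `Git-repo:`, `Git-commit:` and `References: bsc#1084125` tags together with the `Signed-off-by:` line, so the patch no longer records its upstream status, its origin or the bug it belongs to. The `From <hash>` line that replaces them names a commit without naming a repository, which makes the patch harder to audit in a package that is being updated for CVE-2018-10995. The same tags are removed from the slurmctld, slurmd, slurmdbd and split-xdaemon patch headers in this commit, and the new slurmsmwd patch is added without them. I would keep the tag block below `Subject:` in each regenerated patch.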
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a4ab10870b1c35f67a3465796960b32e4270e52acc257987b10acc4f17035a57 +size 6249399 diff --git a/slurm.changes b/slurm.changes index 3044217..1ccbcac 100644 --- a/slurm.changes +++ b/slurm.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Tue Jun 5 13:24:43 UTC 2018 - cgoll@suse.com + +- Fix security issue in handling of username and gid fields + CVE-2018-10995 what implied an update from 17.11.5 to 17.11.7 +- Update from 17.11.5 to 17.11.7 + Highlights of 17.11.6: + * CRAY - Add slurmsmwd to the contribs/cray dir + * PMIX - Added the direct connect authentication. + * Prevent the backup slurmctld from losing the active/available node + features list on takeover. + * Be able to force power_down of cloud node even if in power_save state. + * Allow cloud nodes to be recognized in Slurm when booted out of band. + * Numerous fixes - check 'NEWS' file. + Highlights of 17.11.7: + * Notify srun and ctld when unkillable stepd exits. + * Numerous fixes - check 'NEWS' file. + + ------------------------------------------------------------------- Thu Apr 19 21:05:04 UTC 2018 - eich@suse.com diff --git a/slurm.spec b/slurm.spec index 7889afc..061161a 100644 --- a/slurm.spec +++ b/slurm.spec @@ -18,7 +18,7 @@ # Check file META in sources: update so_version to (API_CURRENT - API_AGE) %define so_version 32 -%define ver 17.11.5 +%define ver 17.11.7 # so-version is 0 and seems to be stable %define pmi_so 0 
@@ -67,11 +67,13 @@ Source1: slurm-rpmlintrc Patch0: slurm-2.4.4-rpath.patch Patch1: slurm-2.4.4-init.patch Patch2: pam_slurm-Initialize-arrays-and-pass-sizes.patch -Patch3: split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for-systemd-compatibilty.patch +Patch3: split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for.patch Patch4: slurmctld-uses-xdaemon_-for-systemd.patch Patch5: slurmd-uses-xdaemon_-for-systemd.patch Patch6: slurmdbd-uses-xdaemon_-for-systemd.patch -Patch7: removed-deprecated-xdaemon.patch +Patch7: slurmsmwd-uses-xdaemon_-for-systemd.patch +Patch8: removed-deprecated-xdaemon.patch + Requires: slurm-config = %{version} Requires: slurm-node = %{version} %if 0%{?suse_version} <= 1140 @@ -325,6 +327,7 @@ for the slurm daemons. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build %configure --enable-shared \ @@ -624,6 +627,7 @@ exit 0 %{_bindir}/strigger %{?have_netloc:%{_bindir}/netloc_to_topology} %{_sbindir}/slurmctld +%{_sbindir}/slurmsmwd %{_mandir}/man1/sacct.1* %{_mandir}/man1/sacctmgr.1* %{_mandir}/man1/salloc.1* diff --git a/slurmctld-uses-xdaemon_-for-systemd.patch b/slurmctld-uses-xdaemon_-for-systemd.patch index e1b8e6c..c09c5a3 100644 --- a/slurmctld-uses-xdaemon_-for-systemd.patch +++ b/slurmctld-uses-xdaemon_-for-systemd.patch @@ -1,19 +1,14 @@ +From f0650e14983c9551fd644697285d84b35dad16aa Mon Sep 17 00:00:00 2001 From: Christian Goll -Date: Mon Apr 9 10:23:01 2018 +0200 -Subject: slurmctld uses xdaemon_* for systemd -Patch-mainline: Not yet -Git-repo: https://github.com/SchedMD/slurm -Git-commit: b11aae54f69855084370aaf0af3e928f63c639b3 -References: bsc#1084125 +Date: Mon, 9 Apr 2018 10:23:01 +0200 +Subject: [PATCH 2/6] slurmctld uses xdaemon_* for systemd - -Signed-off-by: Egbert Eich --- - src/slurmctld/controller.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) + src/slurmctld/controller.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/src/slurmctld/controller.c b/src/slurmctld/controller.c -index 7867e1d479..dd5f3863b1 100644 +index 7867e1d479..bd1c12600e 100644 --- a/src/slurmctld/controller.c +++ b/src/slurmctld/controller.c @@ -250,7 +250,7 @@ static bool _wait_for_server_thread(void); @@ -25,17 +20,20 @@ index 7867e1d479..dd5f3863b1 100644 struct stat stat_buf; struct rlimit rlim; /* Locks: Write configuration, job, node, and partition */ -@@ -298,7 +298,8 @@ int main(int argc, char **argv) +@@ -298,7 +298,11 @@ int main(int argc, char **argv) if (daemonize) { slurmctld_config.daemonize = 1; - if (xdaemon()) ++ /* ++ * Just start daemonizing if not in test mode ++ */ + fd = xdaemon_init(); + if (fd == -1) error("daemon(): %m"); log_set_timefmt(slurmctld_conf.log_fmt); log_alter(log_opts, LOG_DAEMON, -@@ -318,6 +319,9 @@ int main(int argc, char **argv) +@@ -318,6 +322,9 @@ int main(int argc, char **argv) */ _init_pidfile(); _become_slurm_user(); @@ -45,3 +43,6 @@ index 7867e1d479..dd5f3863b1 100644 /* * Create StateSaveLocation directory if necessary. +-- +2.13.7 + diff --git a/slurmd-uses-xdaemon_-for-systemd.patch b/slurmd-uses-xdaemon_-for-systemd.patch index 262813c..09bea62 100644 --- a/slurmd-uses-xdaemon_-for-systemd.patch +++ b/slurmd-uses-xdaemon_-for-systemd.patch @@ -1,19 +1,14 @@ +From 712caf6306c5b08b12e5a481d60bb91adc6c625e Mon Sep 17 00:00:00 2001 From: Christian Goll -Date: Mon Apr 9 10:59:57 2018 +0200 -Subject: slurmd uses xdaemon_* for systemd -Patch-mainline: Not yet -Git-repo: https://github.com/SchedMD/slurm -Git-commit: a048f30f7e41089f9f2f014897ca2c02bc41abb5 -References: bsc#1084125 +Date: Mon, 9 Apr 2018 10:59:57 +0200 +Subject: [PATCH 3/6] slurmd uses xdaemon_* for systemd - -Signed-off-by: Egbert Eich --- src/slurmd/slurmd/slurmd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/slurmd/slurmd/slurmd.c b/src/slurmd/slurmd/slurmd.c -index 09d3a7136b..299fe3a2a9 100644 +index 140fd70adc..92d1faf0bc 100644 
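Review bot: The comment added above `fd = xdaemon_init();` says "Just start daemonizing if not in test mode", but the only guard visible in this hunk is `if (daemonize)` and nothing here refers to a test mode. A comment that states the ordering would serve a reader better, for example `/* Fork now; xdaemon_finish(fd) is called after the pidfile is written */`. The finish call is in a later hunk whose added lines are not shown in this diff, so that wording should be checked against it. main() starts and ends outside the hunk.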
--- a/src/slurmd/slurmd/slurmd.c +++ b/src/slurmd/slurmd/slurmd.c @@ -214,7 +214,7 @@ static void _wait_for_all_threads(int secs); @@ -45,3 +40,6 @@ index 09d3a7136b..299fe3a2a9 100644 rfc2822_timestamp(time_stamp, sizeof(time_stamp)); info("%s started on %s", slurm_prog_name, time_stamp); +-- +2.13.7 + diff --git a/slurmdbd-uses-xdaemon_-for-systemd.patch b/slurmdbd-uses-xdaemon_-for-systemd.patch index d93ba93..44b6000 100644 --- a/slurmdbd-uses-xdaemon_-for-systemd.patch +++ b/slurmdbd-uses-xdaemon_-for-systemd.patch @@ -1,19 +1,14 @@ +From 9533827148d1214b8fe9a9ba47a9dd20287085d7 Mon Sep 17 00:00:00 2001 From: Christian Goll -Date: Mon Apr 9 11:13:54 2018 +0200 -Subject: slurmdbd uses xdaemon_* for systemd -Patch-mainline: Not yet -Git-repo: https://github.com/SchedMD/slurm -Git-commit: fde4321ead76bc2a419d37d09b2a9b8273e836de -References: bsc#1084125 +Date: Mon, 9 Apr 2018 11:13:54 +0200 +Subject: [PATCH 4/6] slurmdbd uses xdaemon_* for systemd - -Signed-off-by: Egbert Eich --- src/slurmdbd/slurmdbd.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/slurmdbd/slurmdbd.c b/src/slurmdbd/slurmdbd.c -index d37cad28a7..6b523691bd 100644 +index ae2f27d617..7b336b824f 100644 --- a/src/slurmdbd/slurmdbd.c +++ b/src/slurmdbd/slurmdbd.c @@ -103,7 +103,7 @@ static List lft_rgt_list = NULL; @@ -55,7 +50,7 @@ index d37cad28a7..6b523691bd 100644 _become_slurm_user(); if (foreground == 0) _set_work_dir(); -@@ -593,11 +598,14 @@ static void _init_pidfile(void) +@@ -595,11 +600,14 @@ static void _init_pidfile(void) /* Become a daemon (child of init) and * "cd" to the LogFile directory (if one is configured) */ @@ -72,3 +67,6 @@ index d37cad28a7..6b523691bd 100644 } static void _set_work_dir(void) +-- +2.13.7 + diff --git a/slurmsmwd-uses-xdaemon_-for-systemd.patch b/slurmsmwd-uses-xdaemon_-for-systemd.patch new file mode 100644 index 0000000..8690576 --- /dev/null +++ b/slurmsmwd-uses-xdaemon_-for-systemd.patch 
@@ -0,0 +1,41 @@ +From b01f2ce29ce362b0724ea8104aadbab45122e9a4 Mon Sep 17 00:00:00 2001 +From: Christian Goll +Date: Mon, 4 Jun 2018 14:44:31 +0200 +Subject: [PATCH 5/6] slurmsmwd uses xdaemon_* for systemd + +--- + contribs/cray/slurmsmwd/main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/contribs/cray/slurmsmwd/main.c b/contribs/cray/slurmsmwd/main.c +index 8d405b2916..c1d3fce2d4 100644 +--- a/contribs/cray/slurmsmwd/main.c ++++ b/contribs/cray/slurmsmwd/main.c +@@ -536,6 +536,7 @@ int main(int argc, char **argv) + { + pthread_t processing_thread, signal_handler_thread; + pthread_attr_t thread_attr; ++ int pipefd; + + _parse_commandline(argc, argv); + +@@ -544,11 +545,15 @@ int main(int argc, char **argv) + slurmsmwd_print_config(); + + if (!foreground) { +- if (xdaemon()) ++ pipefd = xdaemon_init(); ++ if (pipefd == -1) + error("daemon(): %m"); + } + if (create_pidfile("/var/run/slurmsmwd.pid", 0) < 0) + fatal("Unable to create pidfile /var/run/slurmswmd.pid"); ++ if (!foreground) { ++ xdaemon_finish(pipefd); ++ } + + slurm_mutex_init(&down_node_lock); + +-- +2.13.7 + diff --git a/split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for-systemd-compatibilty.patch b/split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for.patch similarity index 75% rename from split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for-systemd-compatibilty.patch rename to split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for.patch index 2b5cf7b..a79fe76 100644 --- a/split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for-systemd-compatibilty.patch +++ b/split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for.patch @@ -1,17 +1,13 @@ +From 1f12c590038c7f738ff19159629fdc38de5cba82 Mon Sep 17 00:00:00 2001 
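Review bot: When `xdaemon_init()` returns -1 the new code in slurmsmwd's main() only logs `error("daemon(): %m")` and carries on, and the added `xdaemon_finish(pipefd)` is then called with -1 because it is guarded by `!foreground` alone. The body of xdaemon_finish is not shown in this diff, so what it does with an invalid descriptor cannot be confirmed here; the call should be skipped on that path, `if (!foreground && pipefd != -1) xdaemon_finish(pipefd);`, and declaring `int pipefd = -1;` would keep the variable defined on every path. The slurmctld hunk earlier in this commit handles `fd == -1` with the same log-and-continue branch, and its finish call is not visible either. Separately, the `fatal()` text names `/var/run/slurmswmd.pid` while the file created is `/var/run/slurmsmwd.pid`.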
From: Christian Goll -Date: Mon Apr 9 10:05:50 2018 +0200 -Subject: split xdaemon in xdaemon_init and xdaemon_finish for systemd compatibilty -Patch-mainline: Not yet -Git-repo: https://github.com/SchedMD/slurm -Git-commit: 2bbe988c0ef133942d0d0077b0f064eff553e3a2 -References: bsc#1084125 +Date: Mon, 9 Apr 2018 10:05:50 +0200 +Subject: [PATCH 1/6] split xdaemon in xdaemon_init and xdaemon_finish for + systemd compatibilty - -Signed-off-by: Egbert Eich --- src/common/daemonize.c | 73 ++++++++++++++++++++++++++++++++++++++++++++------ - src/common/daemonize.h | 20 ++++++++++++++ - 2 files changed, 85 insertions(+), 8 deletions(-) + src/common/daemonize.h | 10 +++++-- + 2 files changed, 73 insertions(+), 10 deletions(-) diff --git a/src/common/daemonize.c b/src/common/daemonize.c index e22a1d0a7f..2987a40af0 100644 @@ -124,33 +120,29 @@ index e22a1d0a7f..2987a40af0 100644 /* diff --git a/src/common/daemonize.h b/src/common/daemonize.h -index 22a31f6ccf..c932d83f74 100644 +index 22a31f6ccf..8b2a866b61 100644 --- a/src/common/daemonize.h 
+++ b/src/common/daemonize.h -@@ -40,6 +40,26 @@ - #ifndef _HAVE_DAEMONIZE_H +@@ -41,11 +41,17 @@ #define _HAVE_DAEMONIZE_H -+ -+/* -+ * Fork process into background open a pipe to -+ * communicate status between parent and child. -+ * parent: wait until child has closed the pipe. -+ * child: return fd. -+ * -+ * Returns fd or -1 on error. -+ */ + /* +- * Fork process into background and inherit new session. ++ * Start fork process into background and inherit new session. + * +- * Returns -1 on error. + */ + extern int xdaemon(void); +extern int xdaemon_init(void); + +/* -+ * Finish child side of the fork: -+ * This needs to get called after the PID file -+ * has been written. -+ * Close STDIN, STDOUT and STDERR and inherit -+ * new session. Close pipe when done. ++ * Finish daemonization by ending grandparen + */ -+extern void xdaemon_finish(int fd); + - /* - * Fork process into background and inherit new session. - * ++extern void xdaemon_finish(int fd); + + /* Write pid into file pidfile if uid is not 0 change the owner of the + * pidfile to that user. +-- +2.13.7 +
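Review bot: The new daemonize.h comments no longer state the contract that the callers in this commit depend on: the one above `xdaemon_init` drops the return value, although slurmctld and slurmsmwd test the result against -1, and the one above `xdaemon_finish` stops mid-word at "ending grandparen". The previous revision of this patch documented that the parent waits on a pipe until the child closes it, that `xdaemon_init` returns the fd or -1, and that `xdaemon_finish` must be called after the PID file has been written; I would restore that text, at least `* Returns fd or -1 on error.` for the first function. In this revision the "Start fork process" comment also sits above `extern int xdaemon(void);`, and removed-deprecated-xdaemon.patch deletes only that declaration, which leaves the comment attached to `xdaemon_init`.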