Package: gridengine
Version: 6.2u5-7
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for gridengine (versioned as 6.2u5-7.1) and
uploaded it to DELAYED/02. Please feel free to tell me if I
should delay it longer.

Cheers

Luk
diff -u gridengine-6.2u5/debian/changelog gridengine-6.2u5/debian/changelog
--- gridengine-6.2u5/debian/changelog
+++ gridengine-6.2u5/debian/changelog
@@ -1,3 +1,10 @@
+gridengine (6.2u5-7.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix code injection and buffer overflow (CVE-2012-0523).
+
+ -- Luk Claes <l...@debian.org>  Sat, 23 Jun 2012 09:24:47 +0200
+
 gridengine (6.2u5-7) unstable; urgency=low
 
   * gridengine-common: Add Replaces gridengine-client << 6.2u5-2 to avoid
diff -u gridengine-6.2u5/debian/patches/series gridengine-6.2u5/debian/patches/series
--- gridengine-6.2u5/debian/patches/series
+++ gridengine-6.2u5/debian/patches/series
@@ -18,0 +19,2 @@
+120-env-code-injection.diff
+120-buffer-overflow.diff
only in patch2:
unchanged:
--- gridengine-6.2u5.orig/debian/patches/120-buffer-overflow.diff
+++ gridengine-6.2u5/debian/patches/120-buffer-overflow.diff
@@ -0,0 +1,70 @@
+Index: source/utilbin/sge_passwd.c
+===================================================================
+--- a/source/utilbin/sge_passwd.c	(revision 115)
++++ b/source/utilbin/sge_passwd.c	(working copy)
+@@ -1049,7 +1049,7 @@
+ static void
+ sge_passwd_add_change(const char *username, const char *domain, uid_t uid) 
+ {
+-   char user[128] = "";
++   char user[128+128] = ""; /* actually (128-1) + (1) + (128-1) + (1) */
+    char **users = NULL;
+    char **encryped_pwd = NULL;
+    char err_str[MAX_STRING_SIZE];
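Review bot: The new size `128+128` in `sge_passwd_add_change` is tied to the lengths of `username` and `domain` only by the trailing comment, and both buffers are declared outside this hunk, so the value goes stale silently if either declaration changes. Deriving it from shared constants, for example `char user[USERNAME_SIZE + DOMAIN_SIZE] = "";` (placeholder names, not identifiers from this file), keeps the three sizes in step. The code that fills `user` is also outside the hunk; enlarging the buffer only helps if that write is bounded by `sizeof(user)` and its result is checked.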
+@@ -1319,9 +1319,13 @@
+          DEXIT;
+          exit(1);
+       } 
+-      if (!strcmp(argv[1],"-D")) {
++      if (!strcmp(argv[1],"-D"))
++      {
+          argc--; argv++;
+-         if (argc != 1 && sscanf(argv[1], "%s", domain) == 1) {
++
++         if (argc != 1 && strncpy(domain, argv[1], sizeof(domain)) && domain[0] != '\0')
++         {
++            domain[sizeof(domain)-1] = '\0';
+             argc--; argv++;
+             continue;
+          } else {
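Review bot: An over-long `-D` argument is silently truncated here instead of being rejected, because `strncpy(domain, argv[1], sizeof(domain))` always returns `domain`, so that term is always true and only `domain[0] != '\0'` is really tested. For a tool that selects whose password entry is changed or deleted, acting on a truncated name is worse than refusing it. A length test before the copy, `if (argc != 1 && argv[1][0] != '\0' && strlen(argv[1]) < sizeof(domain))` followed by an ordinary bounded copy, would send long input to the existing error branch. The same pattern recurs for `username` in the `-d` hunk and in the positional-argument hunk below. `domain` and `username` are declared outside these hunks, so `sizeof` is only correct if they are arrays, and unlike `sscanf("%s")` the copy no longer skips or stops at whitespace.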
+@@ -1330,7 +1334,8 @@
+             exit(1);
+          }
+       }
+-      if (!strcmp(argv[1],"-d")) {
++      if (!strcmp(argv[1],"-d"))
++      {
+          uid_t uid = getuid();
+ 
+          if (uid != 0) {
+@@ -1340,7 +1345,11 @@
+          }
+ 
+          argc--; argv++;
+-         if (argc != 1 && sscanf(argv[1], "%s", username) == 1) {
++
++         if (argc != 1 && strncpy(username, argv[1], sizeof(username)) && username[0] != '\0')
++         {
++            username[sizeof(username)-1] = '\0';
++
+             argc--; argv++;
+             do_delete = true;
+             continue;
+@@ -1349,10 +1358,15 @@
+             DEXIT;
+             exit(1);
+          }
+-      } 
+-      if (argv[1][0] != '-' && sscanf(argv[1], "%s", username) == 1) {
++      }
++
++
++      if (argv[1][0] != '-' && strncpy(username, argv[1], sizeof(username)) && username[0] != '\0')
++      {
+          uid_t uid = getuid();
+ 
++         username[sizeof(username)-1] = '\0';
++
+          if (uid != 0) {
+             fprintf(stderr, MSG_PWD_ONLY_USER_SS, SGE_PASSWD_PROG_NAME, username);
+             fprintf(stderr, "\n");
only in patch2:
unchanged:
--- gridengine-6.2u5.orig/debian/patches/120-env-code-injection.diff
+++ gridengine-6.2u5/debian/patches/120-env-code-injection.diff
@@ -0,0 +1,172 @@
+Index: source/daemons/shepherd/shepherd.c
+===================================================================
+--- a/source/daemons/shepherd/shepherd.c	(revision 84)
++++ b/source/daemons/shepherd/shepherd.c	(working copy)
+@@ -2202,7 +2202,7 @@
+          }
+       } else if (received_signal != 0 || *postponed_signal != 0) { /* received any other signal */
+ #if defined(INTERIX)
+-         sge_set_environment();
++         sge_set_environment(true);
+          if(strcmp(childname, "job") == 0 &&
+             wl_get_GUI_mode(get_conf_val("display_win_gui")) == true) {
+             /*
+@@ -2359,7 +2359,7 @@
+ 
+ #if defined(INTERIX)
+       /* <Windows_GUI> */
+-      sge_set_environment();
++      sge_set_environment(true);
+       if (strcmp(childname, "job") == 0 &&
+          wl_get_GUI_mode(get_conf_val("display_win_gui")) == true) {
+          if (npid != -1) {      
+@@ -2603,7 +2603,7 @@
+       pid = getpid();
+       setpgid(pid, pid);  
+       setrlimits(0);
+-      sge_set_environment();
++      sge_set_environment(true);
+       umask(022);
+       tmp_str = search_conf_val("qsub_gid");
+       if (tmp_str && strcmp(tmp_str, "no")) {
+@@ -2877,6 +2877,9 @@
+       if (!strcmp(name, "PVM_TASK_ID"))
+          strcpy(pvm_task_id, value);
+ 
++      if (is_dangerous_env(name))
++         continue;
++
+       sge_set_env_value(name, value);
+    }
+ 
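Review bot: The added `is_dangerous_env(name)` check drops the variable with a bare `continue`, while `sge_set_environment` in builtin_starter.c renames the same names to `SGE_WRAP_<name>`; nothing at this site says why the two paths differ. A short comment above the check, such as `/* loader/interpreter variables are never taken over into the shepherd's own environment */`, would record the intent if that is indeed the reason. A trace line on the skip would also let an administrator see that a submitted variable was filtered. The enclosing loop starts and ends outside the hunk, so which environment it walks cannot be confirmed from here.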
+Index: source/daemons/shepherd/builtin_starter.c
+===================================================================
+--- a/source/daemons/shepherd/builtin_starter.c	(revision 84)
++++ b/source/daemons/shepherd/builtin_starter.c	(working copy)
+@@ -48,6 +48,7 @@
+ #include "uti/sge_arch.h"
+ #include "setosjobid.h"
+ #include "sge_fileio.h"
++#include "sge_var.h"
+ 
+ #include "msg_common.h"
+ 
+@@ -365,7 +366,7 @@
+    setrlimits(!strcmp(childname, "job"));
+ 
+    shepherd_trace("setting environment");
+-   sge_set_environment();
++   sge_set_environment(strcmp(childname, "job") || ( is_qlogin && !g_new_interactive_job_support));
+ 
+ 	/* Create the "error" and the "exit" status file here.
+ 	 * The "exit_status" file indicates that the son is started.
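Review bot: The security decision about which child gets the cleaned environment is buried in an uncommented inline argument to `sge_set_environment(...)`, with a raw `strcmp` result used as a boolean. As written, `cleanenv` is false for the `"job"` child unless `is_qlogin && !g_new_interactive_job_support` holds, so the job itself still receives `LD_*` and the other listed names; that is presumably intended because the job runs as the submitting user, but the code should say so. Consider a named local with a comment, e.g. `int cleanenv = strcmp(childname, "job") != 0 || (is_qlogin && !g_new_interactive_job_support);` and then `sge_set_environment(cleanenv);`. The surrounding function begins and ends outside the hunk.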
+@@ -935,13 +936,60 @@
+    return;
+ }
+ 
++int is_dangerous_env(const char *name)
++{
++  if (strncmp(name, "LD_", 3) == 0)
++    return true;
++
++  if (strncmp(name, "PERL5LIB", 8) == 0)
++    return true;
++
++  if (strncmp(name, "PERLLIB", 7) == 0)
++    return true;
++
++  if (strncmp(name, "PERLOPT", 7) == 0)
++    return true;
++
++  if (strncmp(name, "PYTHONPATH", 10) == 0)
++    return true;
++
++  if (strncmp(name, "BASH_ENV", 8) == 0)
++    return true;
++
++#if   defined(AIX)
++  if (strncmp(name, "LIBPATH", 7) == 0)
++    return true;
++
++  if (strncmp(name, "LDR_PRELOAD", 11) == 0)
++    return true;
++
++#elif defined(DARWIN)
++  if (strncmp(name, "DYLD_", 5) == 0)
++    return true;
++
++#elif defined(HP11)
++  if (strncmp(name, "SHLIB_PATH", 10) == 0)
++    return true;
++
++#elif defined(LINUX)
++  if (strncmp(name, "MALLOC_TRACE", 12) == 0)
++    return true;
++
++#elif defined(IRIX) || defined(ALPHA)
++  if (strncmp(name, "_RLD_LIST", 9) == 0)
++    return true;
++#endif
++
++  return false;
++}
++
+ /****** Shepherd/sge_set_environment() *****************************************
+ *  NAME
+ *     sge_set_environment () -- Read the environment from the "environment" file
+ *     and store it in the appropriate environment, inherited or internal.
+ *
+ *  SYNOPSIS
+-*      int sge_set_environment(void)
++*      int sge_set_environment(int)
+ *
+ *  FUNCTION
+ *     This function reads the "environment" file written out by the execd and
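Review bot: The `"PERLOPT"` entry in `is_dangerous_env` does not match the variable Perl actually reads for injected options, which is `PERL5OPT`, so that name is not filtered; add `if (strncmp(name, "PERL5OPT", 8) == 0) return true;`. The other tests are prefix matches, so `PERLLIB` also catches unrelated names such as `PERLLIBFOO`, which is harmless but worth a comment saying the prefix match is deliberate. Because this is a denylist and the platform section is an `#elif` chain, any loader or interpreter variable not named here still reaches the non-job children; an allowlist of variables passed to prolog/epilog would be the more robust follow-up. The function is exported without the `/****** ... ******/` header block the file uses for `sge_set_environment`, and it returns `true`/`false` through an `int`.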
+@@ -954,7 +1002,7 @@
+ *  NOTES
+ *      MT-NOTE: sge_set_environment() is not MT safe
+ *******************************************************************************/
+-int sge_set_environment()
++int sge_set_environment(int cleanenv)
+ {
+    const char *const filename = "environment";
+    FILE *fp;
+@@ -993,6 +1041,8 @@
+ 
+    while (fgets(buf, sizeof(buf), fp)) {
+ 
++      char new_name[128];
++
+       line++;
+ 
+       if (strlen(buf) <= 1)     /* empty line or lastline */
+@@ -1004,6 +1054,14 @@
+          shepherd_error(1, "error reading environment file: line=%d, contents:%s",
+                         line, buf);
+       }
++      else if (cleanenv)
++      {
++          if (is_dangerous_env(name))
++          {
++             snprintf(new_name, sizeof(new_name), "SGE_WRAP_%s", name);
++             name = new_name;
++          }
++      }
+ 
+       value = strtok(NULL, "\n");
+       if (value == NULL) {
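Review bot: The `snprintf(new_name, sizeof(new_name), "SGE_WRAP_%s", name)` result is not checked, so a dangerous name longer than the space left after the prefix in `new_name[128]` (declared in the previous hunk) is truncated silently and two distinct long names can collapse to the same wrapped name. Checking the return value, `if (snprintf(new_name, sizeof(new_name), "SGE_WRAP_%s", name) >= (int)sizeof(new_name))` and reporting through `shepherd_error` as the line above does, makes that case visible. The `else if (cleanenv)` hangs off an `if` whose condition is outside the hunk, and the doubled braces could be flattened to `else if (cleanenv && is_dangerous_env(name))`.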
+Index: source/daemons/shepherd/builtin_starter.h
+===================================================================
+--- a/source/daemons/shepherd/builtin_starter.h	(revision 84)
++++ b/source/daemons/shepherd/builtin_starter.h	(working copy)
+@@ -34,8 +34,9 @@
+ 
+ 
+ void son(const char *childname, char *script_file, int truncate_stderr_out);
+-int sge_set_environment(void);
++int sge_set_environment(int);
+ char** sge_get_environment(void);
++int is_dangerous_env(const char *name);
+ int sge_set_env_value(const char *, const char *);
+ const char *sge_get_env_value(const char *);
+ void start_command(const char *, char *, char *, char *, char *, int, int, int, int, char *, int);
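Review bot: The updated prototype `int sge_set_environment(int);` drops the parameter name, so the header no longer tells a caller what the argument controls. Writing it as `int sge_set_environment(int cleanenv);` with a one-line comment that a non-zero value renames names matched by `is_dangerous_env()` to `SGE_WRAP_<name>` would document the new contract where callers look for it. `is_dangerous_env` is declared as returning `int` although the definition returns `true`/`false`; a brief comment stating the 0/non-zero convention would help.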
