Your message dated Thu, 22 Jan 2009 17:32:06 +0000
with message-id <e1lq3ps-0007sd...@ries.debian.org>
and subject line Bug#511511: fixed in slurm-llnl 1.3.6-1lenny1
has caused the Debian Bug report #511511,
regarding slurm-llnl: Improper checking of EVP_VerifyFinal() return value.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
511511: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511511
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: slurm-llnl
Severity: serious
Tags: security

Hi,

I've been checking packages to see if they properly check the return
value of some of the functions in openssl.  In
src/plugins/crypto/openssl/crypto_openssl.c there is this piece of code:
        rc = EVP_VerifyFinal(&ectx, (unsigned char *) signature,
                sig_size, (EVP_PKEY *) key);
        if (!rc)
                rc = SLURM_ERROR;
        else
                rc = SLURM_SUCCESS;

But EVP_VerifyFinal() can also return -1 on errors.  A good way to check
the value would be something like:
        if (rc <= 0)

I have no idea if this code is being used and what the consequences
of this might be.


Kurt



--- End Message ---
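
The tri-state return value at issue in the report above, as an added example that is not part of the original message, of SLURM or of OpenSSL. `toy_verify_final()`, `toy_digest()`, the sample credential and the local `SLURM_SUCCESS`/`SLURM_ERROR` values are assumptions standing in for the real plugin and library, and the toy checksum is not cryptography.

```c
#include <stdio.h>
#include <string.h>
/* Local definitions for this example (values assumed, not from the page). */
#define SLURM_SUCCESS 0
#define SLURM_ERROR (-1)
#define SIG_LEN 4
enum { SIG_GOOD, SIG_WRONG, SIG_MALFORMED };

/* Toy 4-byte checksum standing in for a real signature. */
static void toy_digest(const unsigned char *msg, size_t n, unsigned char *out)
{
    memset(out, 0, SIG_LEN);
    for (size_t i = 0; i < n; i++)
        out[i % SIG_LEN] ^= (unsigned char)(msg[i] + i);
}

/* Stand-in with the tri-state contract: 1 valid, 0 mismatch, -1 error. */
static int toy_verify_final(const unsigned char *msg, size_t n,
                            const unsigned char *sig, size_t sig_len)
{
    unsigned char expect[SIG_LEN];
    if (sig_len != SIG_LEN) return -1;   /* malformed input is an error */
    toy_digest(msg, n, expect);
    return memcmp(expect, sig, SIG_LEN) == 0;
}

/* The check quoted in the report: only rc == 0 counts as failure. */
static int check_as_reported(int rc) { return !rc ? SLURM_ERROR : SLURM_SUCCESS; }
/* The check the report proposes: 0 and -1 both count as failure. */
static int check_proposed(int rc) { return rc <= 0 ? SLURM_ERROR : SLURM_SUCCESS; }

/* Verify one constructed credential with the chosen check. */
static int verify_case(int kind, int use_proposed)
{
    static const unsigned char cred[] = "job=42 nodes=n1"; /* constructed */
    unsigned char sig[SIG_LEN];
    toy_digest(cred, sizeof(cred) - 1, sig);
    if (kind == SIG_WRONG) sig[0] ^= 0xff;   /* well-formed but wrong */
    int rc = toy_verify_final(cred, sizeof(cred) - 1, sig,
                              kind == SIG_MALFORMED ? SIG_LEN - 1 : SIG_LEN);
    return use_proposed ? check_proposed(rc) : check_as_reported(rc);
}

int main(void)
{
    for (int k = SIG_GOOD; k <= SIG_MALFORMED; k++)
        printf("case %d: reported=%d proposed=%d\n", k, verify_case(k, 0), verify_case(k, 1));
    return 0;
}
```

With the reported check, the malformed case comes back as `SLURM_SUCCESS` because `!(-1)` is 0; with `rc <= 0` it is rejected like any other bad signature.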
--- Begin Message ---
Source: slurm-llnl
Source-Version: 1.3.6-1lenny1

We believe that the bug you reported is fixed in the latest version of
slurm-llnl, which is due to be installed in the Debian FTP archive:

libpmi0-dev_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/libpmi0-dev_1.3.6-1lenny1_amd64.deb
libpmi0_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/libpmi0_1.3.6-1lenny1_amd64.deb
libslurm13-dev_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/libslurm13-dev_1.3.6-1lenny1_amd64.deb
libslurm13_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/libslurm13_1.3.6-1lenny1_amd64.deb
slurm-llnl-basic-plugins-dev_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/slurm-llnl-basic-plugins-dev_1.3.6-1lenny1_amd64.deb
slurm-llnl-basic-plugins_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/slurm-llnl-basic-plugins_1.3.6-1lenny1_amd64.deb
slurm-llnl-doc_1.3.6-1lenny1_all.deb
  to pool/main/s/slurm-llnl/slurm-llnl-doc_1.3.6-1lenny1_all.deb
slurm-llnl-slurmdbd_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/slurm-llnl-slurmdbd_1.3.6-1lenny1_amd64.deb
slurm-llnl-sview_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/slurm-llnl-sview_1.3.6-1lenny1_amd64.deb
slurm-llnl_1.3.6-1lenny1.diff.gz
  to pool/main/s/slurm-llnl/slurm-llnl_1.3.6-1lenny1.diff.gz
slurm-llnl_1.3.6-1lenny1.dsc
  to pool/main/s/slurm-llnl/slurm-llnl_1.3.6-1lenny1.dsc
slurm-llnl_1.3.6-1lenny1_amd64.deb
  to pool/main/s/slurm-llnl/slurm-llnl_1.3.6-1lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 511...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated slurm-llnl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 21 Jan 2009 20:13:15 +0100
Source: slurm-llnl
Binary: slurm-llnl libslurm13 libpmi0 libslurm13-dev libpmi0-dev slurm-llnl-doc slurm-llnl-basic-plugins slurm-llnl-basic-plugins-dev slurm-llnl-sview slurm-llnl-slurmdbd
Architecture: source amd64 all
Version: 1.3.6-1lenny1
Distribution: testing-security
Urgency: high
Maintainer: Gennaro Oliva <oliv...@na.icar.cnr.it>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description: 
 libpmi0    - SLURM PMI library implementation
 libpmi0-dev - SLURM PMI library implementation
 libslurm13 - Runtime library files for SLURM
 libslurm13-dev - SLURM development files
 slurm-llnl - Simple Linux Utility for Resource Management
 slurm-llnl-basic-plugins - SLURM documentation
 slurm-llnl-basic-plugins-dev - SLURM documentation
 slurm-llnl-doc - SLURM documentation
 slurm-llnl-slurmdbd - Secure enterprise-wide interface to a database for SLURM
 slurm-llnl-sview - GUI to view and modify SLURM state
Closes: 511511
Changes: 
 slurm-llnl (1.3.6-1lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix to crypto/openssl plugin that could result in job launch requests
     being spoofed through the use of an improperly formed credential. This bug
     could permit a user to launch tasks on compute nodes not allocated for
     their use, but will NOT permit them to run tasks as another user.
     This is related to CVE-2008-5077 and DSA 1701  (Closes: #511511)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkl3eqcACgkQQdwckHJElwvHlwCZAYT3VCkbWNZIy9eyvELpJNb2
RkgAn1h8lMMt0/flb3+acWFAi9pmMMoa
=8WB4
-----END PGP SIGNATURE-----



--- End Message ---
