[Pkg-gridengine-devel] Bug#678618: Bug#678618: gridengine: diff for NMU version 6.2u5-7.1

Dave Love d.love at liverpool.ac.uk
Mon Jun 25 10:45:24 UTC 2012


Luk Claes <luk at debian.org> writes:

> Package: gridengine
> Version: 6.2u5-7
> Severity: normal
> Tags: patch pending
>
> Dear maintainer,
>
> I've prepared an NMU for gridengine (versioned as 6.2u5-7.1) and
> uploaded it to DELAYED/02. Please feel free to tell me if I
> should delay it longer.

??  The CVE is already addressed
<http://packages.debian.org/changelogs/pool/main/g/gridengine/gridengine_6.2u5-1squeeze1/changelog>
and it's ironic to propose an inferior fix that looks as if it came from
OGS, given their reaction to reporting issues that you find and fix,
specifically to Debian security.

The patch I supplied took sensitive environment variables from Debian's
libc and sudo, which I take to be canonical though I'd value comments
from security people.  (Things like PYTHONPATH are irrelevant because
you can/should use "python -E" in methods, and then where do you stop --
why not Ruby?  Also, it's now clear that the issue of the user
environment needs addressing more fundamentally.)

Debian doesn't distribute sgepasswd, so I ignored it, but there are more
issues with it
<https://arc.liv.ac.uk/trac/SGE/log/sge/source/utilbin/sge_passwd.c>.

However, this is probably irrelevant with the current packaging, which I
didn't realize initially.  The Debian-supplied configuration allows
equivalent privilege elevation anyway, and the package doesn't have the
script to change it (#598510).

-- 
Community Grid Engine:  http://arc.liv.ac.uk/SGE/
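
Added illustration, not part of the original message and not the patch from either party: a minimal denylist scrub of a user-supplied environment, the kind of filtering the message describes. The variable list is an assumed subset of names that glibc and sudo treat as unsafe, and `is_unsafe` and `scrub_env` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>
/* Assumed subset of names that glibc ignores in setuid programs or that sudo
 * strips by default; trailing '*' = prefix match. Not the discussed patch's list. */
static const char *const unsafe_vars[] = {
    "LD_*", "GCONV_PATH", "HOSTALIASES", "LOCALDOMAIN", "LOCPATH",
    "MALLOC_TRACE", "NLSPATH", "RESOLV_HOST_CONF", "RES_OPTIONS",
    "TMPDIR", "TZDIR", "IFS", "CDPATH", "ENV", "BASH_ENV", NULL
};

/* Return 1 if the "NAME=value" entry must be dropped. */
static int is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;                      /* malformed entry: drop it */
    size_t nlen = (size_t)(eq - entry);
    for (size_t i = 0; unsafe_vars[i] != NULL; i++) {
        const char *pat = unsafe_vars[i];
        size_t plen = strlen(pat);
        if (pat[plen - 1] == '*') {    /* prefix pattern such as LD_* */
            if (nlen >= plen - 1 && strncmp(entry, pat, plen - 1) == 0)
                return 1;
        } else if (nlen == plen && strncmp(entry, pat, plen) == 0) {
            return 1;                  /* exact name match */
        }
    }
    return 0;
}

/* Compact envp in place, keeping only safe entries; returns count kept. */
size_t scrub_env(char **envp)
{
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!is_unsafe(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

int main(void)
{
    /* Constructed sample environment, not taken from the message. */
    char *env[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/x.so",
                    "ENVIRONMENT=BATCH", "IFS=:", "HOME=/home/u", NULL };
    for (size_t i = 0, n = scrub_env(env); i < n; i++)
        puts(env[i]);
    return 0;
}
```

Names are compared up to the `=` only, so `ENVIRONMENT` is kept even though `ENV` is on the list, while every `LD_`-prefixed name is dropped.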




