[Pkg-gridengine-devel] Bug#678618: Bug#678618: gridengine: diff for NMU version 6.2u5-7.1

Luk Claes luk at debian.org
Mon Jun 25 17:59:57 UTC 2012


On 06/25/2012 12:45 PM, Dave Love wrote:
> Luk Claes <luk at debian.org> writes:

>> I've prepared an NMU for gridengine (versioned as 6.2u5-7.1) and
>> uploaded it to DELAYED/02. Please feel free to tell me if I
>> should delay it longer.
> 
> ??  The CVE is already addressed
> <http://packages.debian.org/changelogs/pool/main/g/gridengine/gridengine_6.2u5-1squeeze1/changelog>

That's for the current stable release, not for the next one...

> and it's ironic to propose an inferior fix that looks as if it came from
> OGS, given their reaction to reporting issues that you find and fix,
> specifically to Debian security.

As that's the fix that is referenced in the CVE and there is no other
fix referenced there nor in this bug report that's what one gets.

> The patch I supplied took sensitive environment variables from Debian's
> libc and sudo, which I take to be canonical though I'd value comments
> from security people.  (Things like PYTHONPATH are irrelevant because
> you can/should use "python -E" in methods, and then where do you stop --
> why not Ruby?  Also, it's now clear that the issue of the user
> environment needs addressing more fundamentally.)
> 
> Debian doesn't distribute sgepasswd, so I ignored it, but there are more
> issues with it
> <https://arc.liv.ac.uk/trac/SGE/log/sge/source/utilbin/sge_passwd.c>.
> 
> However, this is probably irrelevant with the current packaging, which I
> didn't realize initially.  The Debian-supplied configuration allows
> equivalent privilege elevation anyway, and the package doesn't have the
> script to change it (#598510). 

Feel free to send the patch to this bug report or prepare an upload
yourself to improve the situation.

Thanks already.

Luk
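The quoted message argues for the fix Debian's libc and sudo already embody: before a privileged daemon hands an inherited environment to a user-supplied method, strip the variables that can redirect the dynamic loader, the shell or the resolver. The following C filter is an added example for this thread, not code from gridengine, from Debian's packaging or from the patch under discussion. The deny-list is assembled from my reading of glibc's UNSECURE_ENVVARS list and sudo's default env_delete table and is an assumption about those lists, not a copy of either; the function names env_entry_is_unsafe, sanitize_env and demo_sanitize, and the sample environment, are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deny-list approximating glibc's UNSECURE_ENVVARS plus sudo's default
 * env_delete entries (assumption: taken from memory of those sources,
 * not exhaustive; extend it from the real lists before relying on it). */
static const char *const unsafe_exact[] = {
    "IFS", "CDPATH", "ENV", "BASH_ENV", "PS4", "GLOBIGNORE", "BASHOPTS",
    "SHELLOPTS", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", "NLSPATH",
    "PATH_LOCALE", "LOCPATH", "GCONV_PATH", "GETCONF_DIR", "TMPDIR",
    "TZDIR", "MALLOC_TRACE", "MALLOC_CHECK_", "NIS_PATH",
    "RESOLV_HOST_CONF", "TERMINFO", "TERMINFO_DIRS", "TERMPATH", "TERMCAP",
    "JAVA_TOOL_OPTIONS", "PERLIO_DEBUG", "PERLLIB", "PERL5LIB", "PERL5OPT",
    "PERL5DB", "FPATH", "NULLCMD", "READNULLCMD", "ZDOTDIR", "TMPPREFIX",
    "PYTHONHOME", "PYTHONPATH", "PYTHONINSPECT", "PYTHONUSERBASE",
    "RUBYLIB", "RUBYOPT", NULL
};

/* Name prefixes: everything the dynamic loader honours (LD_*), and the
 * IRIX-era _RLD* family that sudo also drops. */
static const char *const unsafe_prefix[] = { "LD_", "_RLD", NULL };

/* Returns 1 if the "NAME=value" entry must not reach a privileged child. */
int env_entry_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen, i;

    /* No '=' or empty name: malformed, never pass it on. */
    if (eq == NULL || eq == entry)
        return 1;
    namelen = (size_t)(eq - entry);

    /* Exported shell functions ("() { ...") are executable code; sudo
     * drops any variable whose value starts this way. */
    if (strncmp(eq + 1, "() ", 3) == 0)
        return 1;

    for (i = 0; unsafe_prefix[i] != NULL; i++)
        if (strncmp(entry, unsafe_prefix[i], strlen(unsafe_prefix[i])) == 0)
            return 1;

    for (i = 0; unsafe_exact[i] != NULL; i++) {
        size_t l = strlen(unsafe_exact[i]);
        if (l == namelen && memcmp(entry, unsafe_exact[i], l) == 0)
            return 1;
    }
    return 0;
}

/* Copies pointers to the safe entries of the NULL-terminated array `in`
 * into `out`, which must have room for outcap pointers including the
 * terminating NULL. Returns the number kept, or -1 if `out` is too small.
 * The strings themselves are not duplicated; the caller keeps ownership. */
int sanitize_env(char *const *in, const char **out, size_t outcap)
{
    size_t kept = 0;

    for (; *in != NULL; in++) {
        if (env_entry_is_unsafe(*in))
            continue;
        if (kept + 1 >= outcap)   /* leave room for the NULL terminator */
            return -1;
        out[kept++] = *in;
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Runs the filter over a constructed sample environment of a job
 * submitter and returns how many entries survive (3 for this sample). */
int demo_sanitize(void)
{
    char *const sample[] = {
        "PATH=/usr/local/bin:/usr/bin:/bin",
        "HOME=/home/alice",
        "LD_PRELOAD=/home/alice/evil.so",            /* dropped: LD_ prefix */
        "IFS= \t\n",                                   /* dropped: exact match */
        "BASH_FUNC_ls%%=() { /home/alice/evil; }",    /* dropped: function */
        "SGE_ROOT=/var/lib/gridengine",
        NULL
    };
    const char *clean[16];
    int n = sanitize_env(sample, clean, 16);
    int i;

    for (i = 0; i < n; i++)
        printf("kept: %s\n", clean[i]);
    return n;
}

int main(void)
{
    return demo_sanitize() < 0;
}
```

A deny-list like this is only the half of the problem the message calls "fundamental": a method that runs a sub-interpreter still needs flags such as `python -E`, and an allow-list (keep PATH, HOME, SGE_ROOT, drop everything else) is the stronger design when the set of legitimate variables is known.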
