[Pkg-gridengine-devel] Bug#678618: Bug#678618: gridengine: diff for NMU version 6.2u5-7.1

Dave Love d.love at liverpool.ac.uk
Thu Jun 28 11:16:42 UTC 2012


Luk Claes <luk at debian.org> writes:

>> ??  The CVE is already addressed
>> <http://packages.debian.org/changelogs/pool/main/g/gridengine/gridengine_6.2u5-1squeeze1/changelog>
>
> That's for the current stable release, not for the next one...

It's in 6.2u5-6 (the relevant environment-cleaning part).  If you think
there's something wrong with it, and want to reduce the protection for
some reason (why?), you'll need to back it out.  As far as I remember,
the different patch has a bigger (undocumented) effect on behaviour, but
if you check the code, you'll find that it's subsumed at a lower level
in the cases that matter.  (I have documentation, but that part of the
man pages has been considerably reorganized, so it's difficult to
apply.)

>> and it's ironic to propose an inferior fix that looks as if it came from
>> OGS, given their reaction to reporting issues that you find and fix,
>> specifically to Debian security.
>
> As that's the fix that is referenced in the CVE and there is no other
> fix referenced there nor in this bug report that's what one gets.

??  Debian assigned the CVE when I sent to the security list (an earlier
version of?) the patch which was installed a while ago, after the
unfortunate Oracle embargo I reluctantly went along with.  Are you
suggesting I did something wrong reporting this and chasing it up, or
that I don't know what I'm talking about as (joint) discoverer and
original fixer of these issues?

> Feel free to send the patch to this bug report or prepare an upload
> yourself to improve the situation.

I don't know what patch you mean, but I'm not a DM, so I can't do
anything about it anyway.  If you mean a patch for sgepasswd, then it's
irrelevant if Debian doesn't ship the program, and complicated because I
made changes to pass-and-pray buffers in code it calls.  As I said, it
seems rather irrelevant if the configuration (that users can't change
with what's shipped) allows you a more-or-less trivial root on execution
nodes anyhow.

I've offered to try to maintain a Debian package from a code base which
is proactive about security, but it's beginning to look as if gridengine
should be removed from Debian.

-- 
Community Grid Engine:  http://arc.liv.ac.uk/SGE/
