Bug 1159692 (CVE-2019-19728) - VUL-0: CVE-2019-19728: slurm: [HPC,SLURM,CVE-2019-19728] Due to Race srun may run as User root
Summary: VUL-0: CVE-2019-19728: slurm: [HPC,SLURM,CVE-2019-19728] Due to Race srun may...
Status: RESOLVED FIXED
Alias: CVE-2019-19728
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All
OS: SLES 15
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Egbert Eich
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/249662/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-21 08:35 UTC by Egbert Eich
Modified: 2025-02-13 10:48 UTC

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Egbert Eich 2019-12-21 08:35:01 UTC
"srun --uid" may not always drop into the correct user account, and instead will print a warning message but launch the tasks as root.

Note that "srun --uid" is only available to the root user, and that this issue is only shown by a race condition between successive lookup calls within the srun client command. SchedMD does not recommend use of the "srun --uid" option (e.g., it does not load the target user's environment but will export the root user's) and may remove this option in a future release.

Announced on Dec 20, 2019:
https://www.schedmd.com/news.php
Comment 2 Swamp Workflow Management 2020-01-08 20:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (1159692) was mentioned in
https://build.opensuse.org/request/show/761961 Factory / slurm
Comment 5 Swamp Workflow Management 2020-01-16 14:23:45 UTC
SUSE-SU-2020:0110-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1140709,1153095,1153259,1155784,1158696,1159692
CVE References: CVE-2019-12838,CVE-2019-19727,CVE-2019-19728
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    slurm-18.08.9-3.10.1
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    slurm-18.08.9-3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-01-21 14:15:37 UTC
openSUSE-SU-2020:0085-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1140709,1153095,1153259,1155784,1158696,1159692
CVE References: CVE-2019-12838,CVE-2019-19727,CVE-2019-19728
Sources used:
openSUSE Leap 15.1 (src):    slurm-18.08.9-lp151.2.6.1
Comment 7 Swamp Workflow Management 2020-02-19 17:12:21 UTC
SUSE-SU-2020:0420-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1159692
CVE References: CVE-2019-19728
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm-17.02.11-6.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-02-24 23:13:36 UTC
SUSE-SU-2020:0443-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1158709,1158798,1159692
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    pdsh-2.33-7.6.1
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    pdsh-2.33-7.6.1
SUSE Linux Enterprise Module for HPC 15 (src):    pdsh-2.33-7.6.1, slurm_18_08-18.08.9-1.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Egbert Eich 2020-03-19 06:42:48 UTC
Released.
Comment 13 Swamp Workflow Management 2020-09-11 10:38:09 UTC
SUSE-SU-2020:2607-1: An update that solves 9 vulnerabilities, contains four features and has 22 fixes is now available.

Category: security (moderate)
Bug References: 1007053,1018371,1031872,1041706,1065697,1084125,1084917,1085240,1085606,1086859,1088693,1090292,1095508,1100850,1103561,1108671,1109373,1116758,1123304,1140709,1153095,1153259,1155784,1158696,1159692,1161716,1162377,1164326,1164386,1172004,1173805
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693
JIRA References: SLE-10800,SLE-7341,SLE-7342,SLE-8491
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    pdsh_slurm_18_08-2.34-7.26.2, pdsh_slurm_20_02-2.34-7.26.2, slurm_20_02-20.02.3-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-03-12 17:18:19 UTC
SUSE-SU-2021:0773-1: An update that fixes 11 vulnerabilities, contains one feature is now available.

Category: security (important)
Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1159692,1172004,1178890,1178891
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693,CVE-2020-27745,CVE-2020-27746
JIRA References: ECO-2412
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    pdsh-2.34-7.32.1, pdsh_slurm_18_08-2.34-7.32.1, pdsh_slurm_20_02-2.34-7.32.1, pdsh_slurm_20_11-2.34-7.32.1, slurm_20_11-20.11.4-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.