On Sun, 18 Mar 2018 22:40:08 +0100 Salvatore Bonaccorso
<car...@debian.org> wrote:
close 893044 17.11.5-1
thanks
Hi,
The patched version breaks the accounting: slurmdbd issues invalid mysql
INSERT queries using 'job_ptr->gres_alloc' as the name of a column
instead of 'gres_alloc' (the same for job_ptr->gres_req).
The problem seems to be located in CVE-2018-7033-2.patch (provided in
the slurm-llnl_14.03.9-5+deb8u3.debian.tar.xz archive) :
- if (gres_req)
- xstrcat(query, ", gres_req");
- if (gres_alloc)
- xstrcat(query, ", gres_alloc");
+ if (job_ptr->gres_req)
+ xstrcat(query, ", job_ptr->gres_req");
+ if (job_ptr->gres_alloc)
+ xstrcat(query, ", job_ptr->gres_alloc");
I guess the 'if' condition is right but job_ptr->gres_req should not
occur inside the quotes as it is the name of a column, instead it should
remain unchanged.
Best regards,
Stéphane Vaillant
