[gridengine/f15] Add upstream env-code-injection security patch
Orion Poplawski
orion at fedoraproject.org
Tue Apr 17 15:33:21 UTC 2012
commit 9cad4ba310536a885e72154a24d8d0196ef89976
Author: Orion Poplawski <orion at cora.nwra.com>
Date: Tue Apr 17 09:30:30 2012 -0600
Add upstream env-code-injection security patch
env-code-injection-SGE6.2u5p3.patch | 130 +++++++++++++++++++++++++++++++++++
gridengine.spec | 8 ++-
2 files changed, 137 insertions(+), 1 deletions(-)
---
diff --git a/env-code-injection-SGE6.2u5p3.patch b/env-code-injection-SGE6.2u5p3.patch
new file mode 100644
index 0000000..f822b46
--- /dev/null
+++ b/env-code-injection-SGE6.2u5p3.patch
@@ -0,0 +1,130 @@
+Index: source/daemons/shepherd/shepherd.c
+===================================================================
+--- source/daemons/shepherd/shepherd.c (revision 84)
++++ source/daemons/shepherd/shepherd.c (working copy)
+@@ -2202,7 +2202,7 @@
+ }
+ } else if (received_signal != 0 || *postponed_signal != 0) { /* received any other signal */
+ #if defined(INTERIX)
+- sge_set_environment();
++ sge_set_environment(true);
+ if(strcmp(childname, "job") == 0 &&
+ wl_get_GUI_mode(get_conf_val("display_win_gui")) == true) {
+ /*
+@@ -2359,7 +2359,7 @@
+
+ #if defined(INTERIX)
+ /* <Windows_GUI> */
+- sge_set_environment();
++ sge_set_environment(true);
+ if (strcmp(childname, "job") == 0 &&
+ wl_get_GUI_mode(get_conf_val("display_win_gui")) == true) {
+ if (npid != -1) {
+@@ -2603,7 +2603,7 @@
+ pid = getpid();
+ setpgid(pid, pid);
+ setrlimits(0);
+- sge_set_environment();
++ sge_set_environment(true);
+ umask(022);
+ tmp_str = search_conf_val("qsub_gid");
+ if (tmp_str && strcmp(tmp_str, "no")) {
+Index: source/daemons/shepherd/builtin_starter.c
+===================================================================
+--- source/daemons/shepherd/builtin_starter.c (revision 84)
++++ source/daemons/shepherd/builtin_starter.c (working copy)
+@@ -48,6 +48,7 @@
+ #include "uti/sge_arch.h"
+ #include "setosjobid.h"
+ #include "sge_fileio.h"
++#include "sge_var.h"
+
+ #include "msg_common.h"
+
+@@ -365,7 +366,7 @@
+ setrlimits(!strcmp(childname, "job"));
+
+ shepherd_trace("setting environment");
+- sge_set_environment();
++ sge_set_environment(strcmp(childname, "job") || ( is_qlogin && !g_new_interactive_job_support));
+
+ /* Create the "error" and the "exit" status file here.
+ * The "exit_status" file indicates that the son is started.
+@@ -941,7 +942,7 @@
+ * and store it in the appropriate environment, inherited or internal.
+ *
+ * SYNOPSIS
+-* int sge_set_environment(void)
++* int sge_set_environment(int)
+ *
+ * FUNCTION
+ * This function reads the "environment" file written out by the execd and
+@@ -954,7 +955,7 @@
+ * NOTES
+ * MT-NOTE: sge_set_environment() is not MT safe
+ *******************************************************************************/
+-int sge_set_environment()
++int sge_set_environment(int cleanenv)
+ {
+ const char *const filename = "environment";
+ FILE *fp;
+@@ -993,6 +994,8 @@
+
+ while (fgets(buf, sizeof(buf), fp)) {
+
++ char new_name[128];
++
+ line++;
+
+ if (strlen(buf) <= 1) /* empty line or lastline */
+@@ -1004,6 +1007,24 @@
+ shepherd_error(1, "error reading environment file: line=%d, contents:%s",
+ line, buf);
+ }
++ else if (cleanenv)
++ {
++ #if defined(AIX)
++ if (strncmp(name, "LD_", 3) == 0 || strncmp(name, "LIBPATH", 7) == 0 || strncmp(name, "LDR_PRELOAD", 11) == 0)
++ #elif defined(DARWIN)
++ if (strncmp(name, "LD_", 3) == 0 || strncmp(name, "DYLD_", 5) == 0)
++ #elif defined(HP11)
++ if (strncmp(name, "LD_", 3) == 0 || strncmp(name, "SHLIB_PATH", 10) == 0)
++ #elif defined(LINUX)
++ if (strncmp(name, "LD_", 3) == 0 || strncmp(name, "MALLOC_TRACE", 12) == 0)
++ #else
++ if (strncmp(name, "LD_", 3) == 0)
++ #endif
++ {
++ snprintf(new_name, sizeof(new_name), "SGE_WRAP_%s", name);
++ name = new_name;
++ }
++ }
+
+ value = strtok(NULL, "\n");
+ if (value == NULL) {
+Index: source/daemons/shepherd/builtin_starter.h
+===================================================================
+--- source/daemons/shepherd/builtin_starter.h (revision 84)
++++ source/daemons/shepherd/builtin_starter.h (working copy)
+@@ -34,7 +34,7 @@
+
+
+ void son(const char *childname, char *script_file, int truncate_stderr_out);
+-int sge_set_environment(void);
++int sge_set_environment(int);
+ char** sge_get_environment(void);
+ int sge_set_env_value(const char *, const char *);
+ const char *sge_get_env_value(const char *);
+Index: source/libs/gdi/version.c
+===================================================================
+--- source/libs/gdi/version.c (revision 84)
++++ source/libs/gdi/version.c (working copy)
+@@ -34,7 +34,7 @@
+
+ #include "gdi/version.h"
+
+-const char GDI_VERSION[] = "6.2u5";
++const char GDI_VERSION[] = "6.2u5p3";
+
+ const gdi_ulong32 GRM_GDI_VERSION = 0x100020F8;
+
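Review bot: The `else if (cleanenv)` branch added to sge_set_environment() in builtin_starter.c is a per-platform prefix denylist (`LD_` plus one or two platform-specific names), so every other variable in the execd-written environment file is still exported unchanged to the children started with cleanenv set. If those children (the non-"job" cases selected by `sge_set_environment(strcmp(childname, "job") || ...)`) run with more privilege than the job owner, which the embedded patch implies but does not show, an allowlist of the variables they actually need would be the safer design. At minimum the branch should state its intent, e.g. `/* cleanenv: rename dynamic-loader variables to SGE_WRAP_<name> so they cannot take effect in this child */`. The new parameter is also undocumented: the header comment only changes SYNOPSIS to `int sge_set_environment(int)` and the prototype drops the name, so I would write `int sge_set_environment(int cleanenv);` and add an INPUTS entry describing when callers pass a non-zero value. Only fragments of sge_set_environment() are visible in the embedded patch, so how the renamed `name` is consumed after the `strtok` call cannot be checked from here.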
diff --git a/gridengine.spec b/gridengine.spec
index 9dedd2f..28571b5 100644
--- a/gridengine.spec
+++ b/gridengine.spec
@@ -6,7 +6,7 @@
Name: gridengine
Version: 6.2u5
-Release: 10%{?dist}.2
+Release: 10%{?dist}.3
Summary: Grid Engine - Distributed Computing Management software
Group: Applications/System
@@ -79,6 +79,8 @@ Patch30: gridengine-6.2u5-slotwise.patch
Patch31: gridengine-jemalloc.patch
# Fix some '//' in include paths
Patch32: gridengine-paths.patch
+# Upstream env-code-injection security patch
+Patch35: env-code-injection-SGE6.2u5p3.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
ExcludeArch: ppc64
@@ -204,6 +206,7 @@ sed -i -e '/^#! *\/bin\/sh/d' source/dist/util/install_modules/*.sh
%patch31 -p1 -b .jemalloc
rm -r source/3rdparty/jemalloc
%patch32 -p1 -b .paths
+%patch35 -p0 -b .env-code-injection
sed -i.arch -e 's,/\$DSTARCH,,g' source/scripts/distinst
#Don't ship rctemplates
rm -rf source/dist/util/rctemplates
@@ -587,6 +590,9 @@ fi
%changelog
+* Tue Apr 17 2012 Orion Poplawski <orion at cora.nwra.com> 6.2u5-10.3
+- Add upstream env-code-injection security patch
+
* Thu Mar 15 2012 Orion Poplawski <orion at cora.nwra.com> 6.2u5-10.2
- Use sge_/SGE_ in man pages