[gridengine users] Security hole in most versions of Grid Engine

Dave Love d.love at liverpool.ac.uk
Thu Apr 19 16:38:17 UTC 2012


Sorry I saw this after posting about sgepasswd before.

Rayson Ho <rayson at scalablelogic.com> writes:

> Note that Oracle also fixed the code injection bug found by William in
> their CPU (Critical Patch Update) release today.

That suggests the part of the problem I found is unfixed, as it just
says "qrsh".

> Andy shared a buffer overflow issue in sgepasswd (first with me, and
> then he also shared it with all other forks -

I only knew one had been reported and had to assume I'd already fixed it
after auditing sgepasswd.  (For what it's worth, the scanf overflows are
detected on a Red Hat 5 system with the compilation options used for RPM
builds.)

> we didn't want to put
> security bug fixes as features in marketing slides...).

Unfortunately no-one has made a reasonable proposal about how to handle
such things in future.  I don't think it's acceptable to have to hold
back fixes and development for months to fit Oracle's schedule,
especially when commercial customers get fixes in the meantime or to be
told one can't even seek review of fixes.  To be fair, Andy Schwierskott
sounds sympathetic, but it's not specific to OGE; we at least seem to be
better off than distributors of MySQL, like Debian.

-- 
Community Grid Engine:  http://arc.liv.ac.uk/SGE/



More information about the users mailing list