Version in base suite: 22.05.8-4+deb12u2 Base version: slurm-wlm_22.05.8-4+deb12u2 Target version: slurm-wlm_22.05.8-4+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/slurm-wlm/slurm-wlm_22.05.8-4+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/slurm-wlm/slurm-wlm_22.05.8-4+deb12u3.dsc changelog | 9 +++++++- patches/CVE-2025-4390 | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 64 insertions(+), 1 deletion(-)
diff -Nru slurm-wlm-22.05.8/debian/changelog slurm-wlm-22.05.8/debian/changelog
--- slurm-wlm-22.05.8/debian/changelog 2023-12-25 08:26:16.000000000 +0000
+++ slurm-wlm-22.05.8/debian/changelog 2025-07-04 09:32:39.000000000 +0000
@@ -1,7 +1,14 @@
+slurm-wlm (22.05.8-4+deb12u3) bookworm-security; urgency=medium
+
+ * Non-maintainer upload by the Security Team.
+ * Add patch to fix CVE-2025-43904 (Closes: #1104929).
+
+ -- Shengqi Chen Fri, 04 Jul 2025 17:32:39 +0800
+
 slurm-wlm (22.05.8-4+deb12u2) bookworm-security; urgency=medium
 * Fix CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937,
- CVE-2023-49938 (Closes: #1058720)
+ CVE-2023-49938 (Closes: #1058720)
 -- Gennaro Oliva Mon, 25 Dec 2023 09:26:16 +0100
diff -Nru slurm-wlm-22.05.8/debian/patches/CVE-2025-4390 slurm-wlm-22.05.8/debian/patches/CVE-2025-4390
--- slurm-wlm-22.05.8/debian/patches/CVE-2025-4390 1970-01-01 00:00:00.000000000 +0000
+++ slurm-wlm-22.05.8/debian/patches/CVE-2025-4390 2025-07-04 09:32:39.000000000 +0000
@@ -0,0 +1,55 @@
+Origin: commit:a3d696b6d6400e6b66a39fbbd01225edbda2ee1c
+Author: Danny Auble
+Reviewed-by: Shengqi Chen
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-4390
+Date: Wed, 7 May 2025 10:39:15 -0600
+Description: [PATCH] Fix issue where a coord could add a user with elevated
+ privileges
+
+Changelog: Fix security issue where a coordinator could add a user with
+ elevated privileges. CVE-2025-43904.
+Issue: 50391
+---
+ .../accounting_storage/mysql/as_mysql_user.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/src/plugins/accounting_storage/mysql/as_mysql_user.c
++++ b/src/plugins/accounting_storage/mysql/as_mysql_user.c
+@@ -275,6 +275,7 @@
+ int affect_rows = 0;
+ List assoc_list;
+ List wckey_list;
++ bool is_admin = false;
+
+ if (check_connection(mysql_conn) != SLURM_SUCCESS)
+ return ESLURM_DB_CONNECTION;
+@@ -295,6 +296,8 @@
+ * these accounts if they are coordinators of the
+ * parent they are trying to add to
+ */
++ } else {
++ is_admin = true;
+ }
+
+ assoc_list = list_create(slurmdb_destroy_assoc_rec);
+@@ -318,6 +321,11 @@
+ (long)now, (long)now, object->name);
+
+ if (object->admin_level != SLURMDB_ADMIN_NOTSET) {
++ if (!is_admin) {
++ error("Only admins/operators can add an admin/operator");
++ rc = ESLURM_ACCESS_DENIED;
++ break;
++ }
+ xstrcat(cols, ", admin_level");
+ xstrfmtcat(vals, ", %u", object->admin_level);
+ xstrfmtcat(extra, ", admin_level=%u",
+@@ -416,7 +424,7 @@
+ list_iterator_destroy(itr);
+ xfree(user_name);
+
+- if (rc != SLURM_ERROR) {
++ if (rc == SLURM_SUCCESS) {
+ if (txn_query) {
+ xstrcat(txn_query, ";");
+ rc = mysql_db_query(mysql_conn,
diff -Nru slurm-wlm-22.05.8/debian/patches/series slurm-wlm-22.05.8/debian/patches/series
--- slurm-wlm-22.05.8/debian/patches/series 2023-12-25 08:26:16.000000000 +0000
+++ slurm-wlm-22.05.8/debian/patches/series 2025-07-04 09:32:39.000000000 +0000
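Review bot: The CVE identifier is inconsistent within this patch file: the `Bug:` header and the patch's own filename use CVE-2025-4390, while the `Changelog:` trailer and debian/changelog use CVE-2025-43904, so the tracker link in `Bug:` most likely resolves to an unrelated entry and should read `Bug: https://security-tracker.debian.org/tracker/CVE-2025-43904` (with the file and series entry renamed to match). In the third inner hunk the new `break;` leaves the iteration implied by `list_iterator_destroy(itr)` with `cols`, `vals` and `extra` partly built for the rejected entry and with `assoc_list`/`wckey_list` already allocated; whether those are released on this denied path depends on the cleanup after the loop, which lies outside the hunk, as does the start of the enclosing function. The `rc == SLURM_SUCCESS` change in the last hunk is what stops the pending `txn_query` from being committed when `rc` is ESLURM_ACCESS_DENIED rather than SLURM_ERROR, but that intent is not obvious from the line itself; a comment such as `/* any non-success rc (incl. ESLURM_ACCESS_DENIED) must skip the commit */` would make it clear. Finally, `is_admin` is a single boolean set in the `else` of a condition outside the hunk, yet the error message distinguishes admins from operators; if that branch also covers operator-level callers, nothing compares the requested `object->admin_level` against the caller's own level, so confirm that is the intended policy.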
@@ -10,3 +10,4 @@
 force-nvml
 CVE-2023-41914
 CVE-2023-49933-49935-49936-49937-49938
+CVE-2025-4390