153495 2006-10-30 16:51 0000 sys-cluster/openpbs possible multiple issues (CVE-2006-5616) 2007-05-14 18:00:57 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/22637/ B1? [maskglsa] jaervosz P2 enhancement --- 1 aetius@gentoo.org security@gentoo.org hp-cluster@gentoo.org tantive@gentoo.org aetius@gentoo.org 2006-10-30 16:51:35 0000 http://lists.suse.com/archive/suse-security-announce/2006-Oct/0007.html Version is unspecified, but since 2.3.x has been around for a while, I'm assuming our current stable is vulnerable. From SuSE: - OpenPBS potential security problems An audit of OpenPBS found some potential security vulnerabilities that may allow the compromising of a system remotely and/or locally. An update was released to fix these issues. aetius@gentoo.org 2006-11-10 05:13:06 0000 attaching patch from duplicate bug #154315, altering title to be more descriptive, adding CVE reference. aetius@gentoo.org 2006-11-10 05:17:16 0000 Created an attachment (id=101596) OpenPBS_2_3_16-security.diff Untested patch from Thomas Biege via bug #154315. falco@gentoo.org 2006-11-10 05:19:19 0000 *** Bug 154315 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2006-11-20 23:02:39 0000 Pulling in herd for advise. Does openpbs run with root privileges? dberkholz@gentoo.org 2006-11-21 23:16:55 0000 (In reply to comment #4) > Pulling in herd for advise. Does openpbs run with root privileges? Yeah. And the patch applies clean, although I was unable to find a fixed SRPM on SuSE's servers -- e.g. http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/ does not appear to have any recent OpenPBS patch. falco@gentoo.org 2007-03-09 21:54:46 0000 is something possible here? otherwise if no upgrade is possible, we should begin to think about p.masking it :( dberkholz@gentoo.org 2007-03-09 23:47:24 0000 I wouldn't mind just telling people to switch over to Torque. It's based off OpenPBS and is actually maintained. falco@gentoo.org 2007-03-15 22:26:08 0000 mind someone if i p.mask it advising sys-cluster/torque as a replacement? dberkholz@gentoo.org 2007-03-21 17:42:45 0000 Fine by me. falco@gentoo.org 2007-03-26 23:16:42 0000 p.masked, glsa request filled falco@gentoo.org 2007-03-27 15:33:52 0000 Donnie, an old sys-cluster/mpiexec-0.75 still depends on the vulnerable openpbs. Hi, x86 team, please could you test and mark stable sys-cluster/mpiexec-0.82 if appropriate. If it fails, you can try mpiexec-0.76-r2, thanks. fauli@gentoo.org 2007-03-27 18:54:21 0000 Of course, x86 can...x86 can do a lot...x86 is making you happy, everyday. jakub@gentoo.org 2007-03-28 10:53:40 0000 (In reply to comment #10) > p.masked, glsa request filled You need to p.mask <=sys-cluster/mpiexec-0.76-r1 as well. mr_bones_@gentoo.org 2007-03-29 17:52:37 0000 I commented out the mask due to the dep breakage: sys-cluster/mpiexec-0.75: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2006.1/desktop): solutions: [ sys-cluster/openpbs ] remask it without dep breakage please. falco@gentoo.org 2007-03-29 19:24:04 0000 now with <=sys-cluster/mpiexec-0.75 that should be OK, ping me if there is still something wrong but now repoman is happy. Sorry for the mess. falco@gentoo.org 2007-04-03 23:03:05 0000 GLSA 200704-04, thanks everybody dberkholz@gentoo.org 2007-05-12 00:00:01 0000 (In reply to comment #16) > GLSA 200704-04, thanks everybody This ready to close? jaervosz@gentoo.org 2007-05-14 18:00:57 0000 sys-cluster/openpbs seems nuked. 101596 2006-11-10 05:17 0000 OpenPBS_2_3_16-security.diff OpenPBS_2_3_16-security.diff text/plain ZGlmZiAtRWJydSBPcGVuUEJTXzJfM18xNi9zcmMvaWZmL2lmZjIuYyBPcGVuUEJTXzJfM18xNi5w YXRjaGVkL3NyYy9pZmYvaWZmMi5jCi0tLSBPcGVuUEJTXzJfM18xNi9zcmMvaWZmL2lmZjIuYwky MDAxLTEyLTA1IDAxOjM4OjA4LjAwMDAwMDAwMCArMDEwMAorKysgT3BlblBCU18yXzNfMTYucGF0 Y2hlZC9zcmMvaWZmL2lmZjIuYwkyMDA2LTA5LTI3IDE2OjAxOjI4LjAwMDAwMDAwMCArMDIwMApA QCAtMTA2LDYgKzEwNiwxNCBAQAogCiBzdGF0aWMgY2hhciBpZGVudFtdID0gIkAoIykgJFJDU2Zp bGU6IGlmZjIuYyx2ICQgJFJldmlzaW9uOiAyLjIuMTAuOCAkIjsKIAorI2RlZmluZSBfR05VX1NP VVJDRQorI2luY2x1ZGUgPHVuaXN0ZC5oPgorCisvLyB3ZSBhcmUgbGF6eSBhbmQgZG8gbm90IGNo ZWNrIGZvciBlcnJvcnMgaGVyZSA6KAordWlkX3QgX19ldWlkOworI2RlZmluZSBEUk9QRVVJRCBf X2V1aWQgPSBnZXRldWlkKCk7IHNldHJlc3VpZChnZXR1aWQoKSwgZ2V0dWlkKCksIGdldGV1aWQo KSkKKyNkZWZpbmUgUkVTVE9SRUVVSUQgc2V0cmVzdWlkKGdldHVpZCgpLCBfX2V1aWQsIGdldHVp ZCgpKQorCiBpbnQgcGJzX2Vycm5vOwogc3RydWN0IGNvbm5lY3RfaGFuZGxlIGNvbm5lY3Rpb25b TkNPTk5FQ1RTXTsKIApAQCAtMTM1LDYgKzE0Myw4IEBACiAJZXh0ZXJuIGludCAgIG9wdGluZDsK IAlleHRlcm4gY2hhciAqb3B0YXJnOwogCisJRFJPUEVVSUQ7CisKIAkvKiBOZWVkIHRvIHVuc2V0 IExPQ0FMRE9NQUlOIGlmIHNldCwgd2FudCBsb2NhbCBob3N0IG5hbWUgKi8KIAogCWZvciAoaT0w OyBlbnZwW2ldOyArK2kpIHsKQEAgLTE3NiwxMiArMTg2LDE1IEBACiAJaWYgKChzZXJ2cG9ydCA9 IGF0b2koYXJndlsrK29wdGluZF0pKSA8PSAwKQogCQlyZXR1cm4gKDEpOwogCisJUkVTVE9SRUVV SUQ7CS8vIHdlIG5lZWQgYSByZXNlcnZlZCBwb3J0IGhlcmUKIAlmb3IgKGk9MDsgaTwxMDsgaSsr KSB7CiAJCXNvY2sgPSBjbGllbnRfdG9fc3ZyKGhvc3RhZGRyLCAodW5zaWduZWQgaW50KXNlcnZw b3J0LCAxKTsKIAkJaWYgKHNvY2sgIT0gUEJTX05FVF9SQ19SRVRSWSkKIAkJCWJyZWFrOwogCQlz bGVlcCgxKTsKIAl9CisJRFJPUEVVSUQ7CisKIAlpZiAoc29jayA8IDApIHsKIAkJZnByaW50Zihz dGRlcnIsICJwYnNfaWZmOiBjYW5ub3QgY29ubmVjdCB0byBob3N0XG4iKTsKIAkJcmV0dXJuICg0 KTsKTnVyIGluIE9wZW5QQlNfMl8zXzE2LnBhdGNoZWQvc3JjL2lmZjogaWZmMi5jfi4KZGlmZiAt RWJydSBPcGVuUEJTXzJfM18xNi9zcmMvbW9tX3JjcC9yY3AuYyBPcGVuUEJTXzJfM18xNi5wYXRj aGVkL3NyYy9tb21fcmNwL3JjcC5jCi0tLSBPcGVuUEJTXzJfM18xNi9zcmMvbW9tX3JjcC9yY3Au YwkxOTk4LTEwLTE1IDAxOjA5OjA4LjAwMDAwMDAwMCArMDIwMAorKysgT3BlblBCU18yXzNfMTYu cGF0Y2hlZC9zcmMvbW9tX3JjcC9yY3AuYwkyMDA2LTA5LTI3IDE1OjA2OjMwLjAwMDAwMDAwMCAr MDIwMApAQCAtMTM1LDcgKzEzNSw4IEBACiAjaWZkZWYJS0VSQkVST1MKIAkJY2FzZSAnayc6CiAJ CQlkZXN0X3JlYWxtID0gZHN0X3JlYWxtX2J1ZjsKLQkJCSh2b2lkKXN0cm5jcHkoZHN0X3JlYWxt X2J1Ziwgb3B0YXJnLCBSRUFMTV9TWik7CisJCQltZW1zZXQoZHN0X3JlYWxtX2J1ZiwgMCwgUkVB TE1fU1opOworCQkJKHZvaWQpc3RybmNweShkc3RfcmVhbG1fYnVmLCBvcHRhcmcsIFJFQUxNX1Na LTEpOwogCQkJYnJlYWs7CiAjaWZkZWYgQ1JZUFQKIAkJY2FzZSAneCc6CkBAIC0xOTcsMTMgKzE5 OCwxNSBAQAogCiAJaWYgKGZmbGFnKSB7CQkJLyogRm9sbG93ICJwcm90b2NvbCIsIHNlbmQgZGF0 YS4gKi8KIAkJKHZvaWQpcmVzcG9uc2UoKTsKLQkJKHZvaWQpc2V0dWlkKHVzZXJpZCk7CisJCWlm KHNldHVpZCh1c2VyaWQpICE9IDApCisJCQllcnJ4KDEsICJjYW4ndCBjaGFuZ2UgdG8gdWlkICVk IiwgKGludCl1c2VyaWQpOwogCQlzb3VyY2UoYXJnYywgYXJndik7CiAJCWV4aXQoZXJycyk7CiAJ fQogCiAJaWYgKHRmbGFnKSB7CQkJLyogUmVjZWl2ZSBkYXRhLiAqLwotCQkodm9pZClzZXR1aWQo dXNlcmlkKTsKKwkJaWYoc2V0dWlkKHVzZXJpZCkgIT0gMCkKKwkJCWVycngoMSwgImNhbid0IGNo YW5nZSB0byB1aWQgJWQiLCAoaW50KXVzZXJpZCk7CiAJCXNpbmsoYXJnYywgYXJndik7CiAJCWV4 aXQoZXJycyk7CiAJfQpAQCAtNjM3LDYgKzY0MCw5IEBACiAKIAkJZm9yIChzaXplID0gMDsgaXNk aWdpdCgqY3ApOykKIAkJCXNpemUgPSBzaXplICogMTAgKyAoKmNwKysgLSAnMCcpOworCQlpZihz aXplIDwgMCkgLy8gaW50ZWdlciBvdmVyZmxvdywgbW9yZSBjYW4gaGFwcGVuIGluIHRoZSBsb29w IGJ1dCBsZXRzIGF2b2lkIHRlc3RpbmcgZm9yIHRoZSBzYWtlIG9mIHBlcmZvcm1hbmNlCisJCQlT Q1JFV1VQKCJzaXplIGJlY29tZXMgdG9vIGJpZyBhbmQgc3dhcHBlZCIpOworCiAJCWlmICgqY3Ar KyAhPSAnICcpCiAJCQlTQ1JFV1VQKCJzaXplIG5vdCBkZWxpbWl0ZWQiKTsKIAkJaWYgKHRhcmdp c2RpcikgewpAQCAtNjQ0LDEyICs2NTAsMTIgQEAKIAkJCXN0YXRpYyBpbnQgY3Vyc2l6ZTsKIAkJ CXNpemVfdCBuZWVkOwogCi0JCQluZWVkID0gc3RybGVuKHRhcmcpICsgc3RybGVuKGNwKSArIDI1 MDsKKwkJCW5lZWQgPSBzdHJsZW4odGFyZykgKyBzdHJsZW4oY3ApICsgMjUwOyAvLyBiL2MgdGhp cyBtaWdodCBvdmVyZmxvdyAodmVyeSB1bmxpa2VseSkgd2UgdXNlIHNOcHJpbnRmKCkgbGF0ZXIK IAkJCWlmIChuZWVkID4gY3Vyc2l6ZSkgewotCQkJCWlmICghKG5hbWVidWYgPSBtYWxsb2MobmVl ZCkpKQorCQkJCWlmICghKG5hbWVidWYgPSBtYWxsb2MobmVlZCkpKSAvLyB3aWxsIG5vdCBzZXQg YSBsaW1pdCBoZXJlCiAJCQkJCXJ1bl9lcnIoIiVzIiwgc3RyZXJyb3IoZXJybm8pKTsKIAkJCX0K LQkJCSh2b2lkKXNwcmludGYobmFtZWJ1ZiwgIiVzJXMlcyIsIHRhcmcsCisJCQkodm9pZClzbnBy aW50ZihuYW1lYnVmLCBuZWVkLCAiJXMlcyVzIiwgdGFyZywKIAkJCSAgICAqdGFyZyA/ICIvIiA6 ICIiLCBjcCk7CiAJCQlucCA9IG5hbWVidWY7CiAJCX0gZWxzZQpAQCAtODE4LDYgKzgyNCw4IEBA CiB7CiAJY2hhciBjaCwgKmNwLCByZXNwLCByYnVmW0JVRlNJWl07CiAKKwltZW1zZXQocmJ1Ziwg MCwgQlVGU0laKTsKKwogCWlmIChyZWFkKHJlbSwgJnJlc3AsIHNpemVvZihyZXNwKSkgIT0gc2l6 ZW9mKHJlc3ApKQogCQlsb3N0Y29ubigwKTsKIApAQCAtODM0LDcgKzg0Miw3IEBACiAJCQlpZiAo cmVhZChyZW0sICZjaCwgc2l6ZW9mKGNoKSkgIT0gc2l6ZW9mKGNoKSkKIAkJCQlsb3N0Y29ubigw KTsKIAkJCSpjcCsrID0gY2g7Ci0JCX0gd2hpbGUgKGNwIDwgJnJidWZbQlVGU0laXSAmJiBjaCAh PSAnXG4nKTsKKwkJfSB3aGlsZSAoY3AgPCAmcmJ1ZltCVUZTSVotMV0gJiYgY2ggIT0gJ1xuJyk7 CiAKIAkJaWYgKCFpYW1yZW1vdGUpCiAJCQkodm9pZCl3cml0ZShTVERFUlJfRklMRU5PLCByYnVm LCBjcCAtIHJidWYpOwpkaWZmIC1FYnJ1IE9wZW5QQlNfMl8zXzE2L3NyYy9tb21fcmNwL3V0aWwu YyBPcGVuUEJTXzJfM18xNi5wYXRjaGVkL3NyYy9tb21fcmNwL3V0aWwuYwotLS0gT3BlblBCU18y XzNfMTYvc3JjL21vbV9yY3AvdXRpbC5jCTE5OTgtMTAtMTUgMDE6MDk6MTMuMDAwMDAwMDAwICsw MjAwCisrKyBPcGVuUEJTXzJfM18xNi5wYXRjaGVkL3NyYy9tb21fcmNwL3V0aWwuYwkyMDA2LTA5 LTI3IDE0OjUyOjM4LjAwMDAwMDAwMCArMDIwMApAQCAtMTIwLDcgKzEyMCwxMSBAQAogCQlyZXR1 cm4gKDEyNyk7CiAJCiAJY2FzZSAwOgotCQkodm9pZClzZXR1aWQodXNlcmlkKTsKKwkJaWYoc2V0 dWlkKHVzZXJpZCkgIT0gMCkKKwkJeworCQkJcnVuX2Vycigic2V0dWlkKCV1KTogJXMiLCB1c2Vy aWQsIHN0cmVycm9yKGVycm5vKSk7CisJCQlfZXhpdCgxMjcpOworCQl9CiAJCWV4ZWNsKF9QQVRI X0JTSEVMTCwgInNoIiwgIi1jIiwgcywgTlVMTCk7CiAJCV9leGl0KDEyNyk7CiAJfQpAQCAtMTI5 LDYgKzEzMyw4IEBACiAJcmV0dXJuIChzdGF0dXMpOwogfQogCisvLyBhcmJpdHJhcnkgbGltaXQK KyNkZWZpbmUgVVBQRVJMSU1JVCAyXjIwCiBCVUYgKgogYWxsb2NidWYoYnAsIGZkLCBibGtzaXpl KQogCUJVRiAqYnA7CkBAIC0xNDEsNiArMTQ3LDEyIEBACiAJCXJ1bl9lcnIoImZzdGF0OiAlcyIs IHN0cmVycm9yKGVycm5vKSk7CiAJCXJldHVybiAoMCk7CiAJfQorCisJaWYoYmxrc2l6ZSA8PSAw IHx8IGJsa3NpemUgPiBVUFBFUkxJTUlUKQorCXsKKwkJcnVuX2VycigiYmxrc2l6ZSB2YWx1ZSBp cyBpdmFsaWQgKGVpdGhlciA8PSAwIG9yID4gJXUpXG4iLCBVUFBFUkxJTUlUKTsKKwkJcmV0dXJu IDA7CisJfQogCXNpemUgPSAoKChpbnQpc3RiLnN0X2Jsa3NpemUgKyBibGtzaXplIC0gMSkgLyBi bGtzaXplKSAqIGJsa3NpemU7CiAJaWYgKHNpemUgPT0gMCkKIAkJc2l6ZSA9IGJsa3NpemU7Cg==