Bug 153495 - sys-cluster/openpbs possible multiple issues (CVE-2006-5616)
Bug#: 153495 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: aetius@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/22637/
Summary: sys-cluster/openpbs possible multiple issues (CVE-2006-5616)
Keywords:  
Status Whiteboard: B1? [maskglsa] jaervosz
Opened: 2006-10-30 16:51 0000
Description:
http://lists.suse.com/archive/suse-security-announce/2006-Oct/0007.html

Version is unspecified, but since 2.3.x has been around for a while, I'm
assuming our current stable is vulnerable.  From SuSE:

- OpenPBS potential security problems

     An audit of OpenPBS found some potential security vulnerabilities that
     may allow the compromising of a system remotely and/or locally. An update
     was released to fix these issues.

------- Comment #1 From Matt Drew 2006-11-10 05:13:06 0000 -------
attaching patch from duplicate bug #154315, altering title to be more
descriptive, adding CVE reference.

------- Comment #2 From Matt Drew 2006-11-10 05:17:16 0000 -------
Created an attachment (id=101596) [details]
OpenPBS_2_3_16-security.diff

Untested patch from Thomas Biege via bug #154315.

------- Comment #3 From Raphael Marichez 2006-11-10 05:19:19 0000 -------
*** Bug 154315 has been marked as a duplicate of this bug. ***

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-11-20 23:02:39 0000 -------
Pulling in herd for advice. Does openpbs run with root privileges?

------- Comment #5 From Donnie Berkholz 2006-11-21 23:16:55 0000 -------
(In reply to comment #4)
> Pulling in herd for advice. Does openpbs run with root privileges?

Yeah. And the patch applies clean, although I was unable to find a fixed SRPM
on SuSE's servers -- e.g.
http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/
does not appear to have any recent OpenPBS patch.

------- Comment #6 From Raphael Marichez 2007-03-09 21:54:46 0000 -------
Is something possible here? Otherwise, if no upgrade is possible, we should
begin to think about p.masking it :(

------- Comment #7 From Donnie Berkholz 2007-03-09 23:47:24 0000 -------
I wouldn't mind just telling people to switch over to Torque. It's based off
OpenPBS and is actually maintained.

------- Comment #8 From Raphael Marichez 2007-03-15 22:26:08 0000 -------
Does anyone mind if I p.mask it, advising sys-cluster/torque as a replacement?

------- Comment #9 From Donnie Berkholz 2007-03-21 17:42:45 0000 -------
Fine by me.

------- Comment #10 From Raphael Marichez 2007-03-26 23:16:42 0000 -------
p.masked, GLSA request filed

------- Comment #11 From Raphael Marichez 2007-03-27 15:33:52 0000 -------
Donnie, an old sys-cluster/mpiexec-0.75 still depends on the vulnerable
openpbs.

Hi, x86 team, could you please test and mark stable sys-cluster/mpiexec-0.82 if
appropriate? If it fails, you can try mpiexec-0.76-r2, thanks.

------- Comment #12 From Christian Faulhammer 2007-03-27 18:54:21 0000 -------
Of course, x86 can...x86 can do a lot...x86 is making you happy, everyday.

------- Comment #13 From Jakub Moc (RETIRED) 2007-03-28 10:53:40 0000 -------
(In reply to comment #10)
> p.masked, GLSA request filed

You need to p.mask <=sys-cluster/mpiexec-0.76-r1 as well. 

------- Comment #14 From Mr. Bones. 2007-03-29 17:52:37 0000 -------
I commented out the mask due to the dep breakage:

sys-cluster/mpiexec-0.75: nonsolvable depset(depends) keyword(x86) profile
(default-linux/x86/2006.1/desktop): solutions: [ sys-cluster/openpbs ]

remask it without dep breakage please.

------- Comment #15 From Raphael Marichez 2007-03-29 19:24:04 0000 -------
Now with <=sys-cluster/mpiexec-0.75 that should be OK; ping me if there is
still something wrong, but repoman is happy now. Sorry for the mess.
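The two masks discussed in comments #13 to #15, written out side by side as a profiles/package.mask fragment. This is an added illustration for readers, not the entry that was actually committed to the tree: the atoms are the ones named in comments #10, #13 and #15, while the header line, date and wording of the mask comment are assumed.

```text
# --- first attempt (the one comment #14 commented out) ---
# Masking openpbs alone leaves sys-cluster/mpiexec-0.75 with a DEPEND that only
# sys-cluster/openpbs can satisfy, so repoman reports the package as
# "nonsolvable depset(depends)" on every profile it is keyworded for.
sys-cluster/openpbs

# --- corrected mask (comment #15) ---
# The vulnerable package and every mpiexec version that still depends on it are
# masked together, so no unmasked ebuild depends on a masked atom.
# <maintainer> (29 Mar 2007)                      # header/date assumed, not the real entry
# Security mask, see bug #153495 (CVE-2006-5616). Unmaintained upstream;
# switch to sys-cluster/torque instead.
sys-cluster/openpbs
<=sys-cluster/mpiexec-0.75
```

The check that caught the first version is the one comment #14 quotes: after editing package.mask, run `repoman full` from the affected category so the dependency-solvability pass covers every profile, rather than only the maintainer's own keyword set.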

------- Comment #16 From Raphael Marichez 2007-04-03 23:03:05 0000 -------
GLSA 200704-04, thanks everybody

------- Comment #17 From Donnie Berkholz 2007-05-12 00:00:01 0000 -------
(In reply to comment #16)
> GLSA 200704-04, thanks everybody

This ready to close?

------- Comment #18 From Sune Kloppenborg Jeppesen 2007-05-14 18:00:57 0000 -------
sys-cluster/openpbs seems nuked.