Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 390167 (CVE-2011-4925) - <sys-cluster/torque-2.5.9: Munge Authentication Security Bypass Vulnerability (CVE-2011-4925)
Summary: <sys-cluster/torque-2.5.9: Munge Authentication Security Bypass Vulnerability...
Status: RESOLVED FIXED
Alias: CVE-2011-4925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47381/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-11 10:35 UTC by Justin Lecher (RETIRED)
Modified: 2014-12-26 20:04 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Justin Lecher (RETIRED) gentoo-dev 2011-11-11 10:35:47 UTC
Please bump if needed
Comment 1 Agostino Sarubbo gentoo-dev 2012-01-02 13:59:11 UTC
security bug
Comment 2 Agostino Sarubbo gentoo-dev 2012-01-02 14:01:06 UTC
from secunia security advisory at $URL:

Description:
The vulnerability is caused due to an unspecified error when using munge authentication and can be exploited to impersonate other users.

The vulnerability is reported in versions prior to 2.5.9.

Solution:
Update to version 2.5.9.
Comment 3 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-01-03 15:57:19 UTC
+  03 Jan 2012; Kacper Kowalik <xarthisius@gentoo.org> +torque-2.5.9.ebuild,
+  -torque-2.5.8.ebuild:
+  Version bump wrt #390167, drop old
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-01-03 16:05:06 UTC
Thanks.

Arches, please test and mark stable:
=sys-cluster/torque-2.5.9
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-01-03 16:37:09 UTC
I may have jumped the gun; apologies for that.

@cluster and Alexey, should we move forward and stabilize =sys-cluster/torque-2.5.9?
Comment 6 Justin Bronder (RETIRED) gentoo-dev 2012-01-05 16:17:55 UTC
There shouldn't be any need to stabilize as torque-2.5.x has never been stable (and most likely never will if 3.0 continues progressing well).
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-01-05 18:17:47 UTC
(In reply to comment #6)
> There shouldn't be any need to stabilize as torque-2.5.x has never been stable
> (and most likely never will if 3.0 continues progressing well).

As I understand only 2.5.x branch was affected. The bug was in munge authentication which was introduced in 2.5.3. I can't find information whether it's relevant for 3.0.x, but I suppose it is, since it was a backport.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-01-05 18:44:37 UTC
Ok, thanks. It looks like CVE-2011-2907/bug 378805 affect 2.4 or 2.5; would you agree?

http://www.clusterresources.com/pipermail/torqueusers/2011-August/013194.html
Comment 9 Justin Bronder (RETIRED) gentoo-dev 2012-01-05 19:48:26 UTC
(In reply to comment #8)
> Ok, thanks. It looks like CVE-2011-2907/bug 378805 affect 2.4 or 2.5; would you
> agree?
> 
> http://www.clusterresources.com/pipermail/torqueusers/2011-August/013194.html

Correct.  For 2.5.x the workaround is to use munge.  For 2.4.x, use acl_hosts.  As noted in the linked thread, it's always been the assumption that the cluster is behind a firewall.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-01-06 03:22:10 UTC
Thanks, Jason. Can we move forward then and stabilize 2.5.9 (via bug 378805)?
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:21:46 UTC
CVE-2011-4925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4925):
  Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource
  Manager) before 2.5.9, when munge authentication is used, allows remote
  authenticated users to impersonate arbitrary user accounts via unspecified
  vectors.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 20:04:50 UTC
We do realize this bug is quite old, but is there any target version for stabilization?
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:52:13 UTC
Arches, please test and stabilize:
=sys-cluster/torque-2.5.12
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 14 Agostino Sarubbo gentoo-dev 2013-09-11 12:39:02 UTC
(In reply to Chris Reffett from comment #13)
> Arches, please test and stabilize:
> =sys-cluster/torque-2.5.12
> Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86

Make no sense do two stabilization in few days, lets wait for bug 484320
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 01:32:58 UTC
Added to an existing GLSA request
Comment 16 Justin Lecher (RETIRED) gentoo-dev 2014-09-18 11:56:12 UTC
All vulnerable gone, GLSA issued?
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 20:04:40 UTC
This issue was resolved and addressed in
 GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml
by GLSA coordinator Yury German (BlueKnight).