*Vulnerability:* A non-privileged user who can run jobs or login to a node running pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job can run as root. The user can submit a command directly to a pbs_mom daemon to queue and run a job. A malicious user could use this vulnerability to remotely execute code as root on the cluster. *Versions Affected:* All versions of TORQUE *Mitigating Factors:* - The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs. - If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job. - There are no known instances of this vulnerability being exploited.
@maintainers: patch for 2.5 at [1], patch for 4.x available at [2]. [1] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch [2] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv.patch
CVE-2013-4319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319): pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access by unprivileged ports, which allows remote authenticated users to execute arbitrary jobs by submitting a command.
23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> torque-2.4.16.ebuild, +torque-2.4.16-r1.ebuild, -torque-2.5.12.ebuild, +torque-2.5.12-r1.ebuild, -torque-4.1.5.1.ebuild, +torque-4.1.5.1-r1.ebuild, +files/CVE-2013-4319-2.x-root-submit-fix.patch, +files/CVE-2013-4319-4.x-root-submit-fix.patch: Add patches for CVE-2013-4319 (#484320). @security, both 2.5.12-r1 and 4.1.5.1-r1 should be stable targets (many people still rely on the old 2.5 series and 4.1 has been in the tree more than long enough). Thanks!
Arches, please test and stabilize: =sys-cluster/torque-2.5.12-r1 =sys-cluster/torque-4.1.5.1-r1 Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
ppc stable
sparc stable
ia64 stable
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml by GLSA coordinator Yury German (BlueKnight).