
Bug 153495

Summary: sys-cluster/openpbs possible multiple issues (CVE-2006-5616)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Matt Drew (RETIRED) <aetius>
Assignee: Gentoo Security <security>
CC: hp-cluster, tantive
Status: RESOLVED FIXED
Severity: enhancement
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/22637/
Whiteboard: B1? [maskglsa] jaervosz
Package list:
Runtime testing required: ---
Attachments: OpenPBS_2_3_16-security.diff (flags: none)

Description Matt Drew (RETIRED) gentoo-dev 2006-10-30 16:51:35 UTC
http://lists.suse.com/archive/suse-security-announce/2006-Oct/0007.html

Version is unspecified, but since 2.3.x has been around for a while, I'm assuming our current stable is vulnerable.  From SuSE:

- OpenPBS potential security problems

     An audit of OpenPBS found some potential security vulnerabilities that
     may allow the compromising of a system remotely and/or locally. An update was
     released to fix these issues.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2006-11-10 05:13:06 UTC
attaching patch from duplicate bug #154315, altering title to be more descriptive, adding CVE reference.
Comment 2 Matt Drew (RETIRED) gentoo-dev 2006-11-10 05:17:16 UTC
Created attachment 101596 [details, diff]
OpenPBS_2_3_16-security.diff

Untested patch from Thomas Biege via bug #154315.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-10 05:19:19 UTC
*** Bug 154315 has been marked as a duplicate of this bug. ***
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 23:02:39 UTC
Pulling in herd for advice. Does openpbs run with root privileges?
Comment 5 Donnie Berkholz (RETIRED) gentoo-dev 2006-11-21 23:16:55 UTC
(In reply to comment #4)
> Pulling in herd for advice. Does openpbs run with root privileges?

Yeah. And the patch applies clean, although I was unable to find a fixed SRPM on SuSE's servers -- e.g. http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/ does not appear to have any recent OpenPBS patch.
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:54:46 UTC
Is something possible here? Otherwise, if no upgrade is possible, we should begin to think about p.masking it :(
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-09 23:47:24 UTC
I wouldn't mind just telling people to switch over to Torque. It's based off OpenPBS and is actually maintained.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 22:26:08 UTC
Does anyone mind if I p.mask it, advising sys-cluster/torque as a replacement?
Comment 9 Donnie Berkholz (RETIRED) gentoo-dev 2007-03-21 17:42:45 UTC
Fine by me.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-26 23:16:42 UTC
p.masked, glsa request filed
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-27 15:33:52 UTC
Donnie, an old sys-cluster/mpiexec-0.75 still depends on the vulnerable openpbs.

Hi, x86 team, please could you test and mark stable sys-cluster/mpiexec-0.82 if appropriate. If it fails, you can try mpiexec-0.76-r2, thanks.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-27 18:54:21 UTC
Of course, x86 can...x86 can do a lot...x86 is making you happy, everyday.
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2007-03-28 10:53:40 UTC
(In reply to comment #10)
> p.masked, glsa request filed

You need to p.mask <=sys-cluster/mpiexec-0.76-r1 as well. 

Comment 14 Mr. Bones. (RETIRED) gentoo-dev 2007-03-29 17:52:37 UTC
I commented out the mask due to the dep breakage:

sys-cluster/mpiexec-0.75: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2006.1/desktop): solutions: [ sys-cluster/openpbs ]

remask it without dep breakage please.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-29 19:24:04 UTC
now with <=sys-cluster/mpiexec-0.75 that should be OK, ping me if there is still something wrong but now repoman is happy. Sorry for the mess.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-03 23:03:05 UTC
GLSA 200704-04, thanks everybody


Comment 17 Donnie Berkholz (RETIRED) gentoo-dev 2007-05-12 00:00:01 UTC
(In reply to comment #16)
> GLSA 200704-04, thanks everybody

This ready to close?
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-14 18:00:57 UTC
sys-cluster/openpbs seems nuked.