Bug 153495

Summary:

sys-cluster/openpbs possible multiple issues (CVE-2006-5616)

Product:

Gentoo Security

Reporter:

Matt Drew (RETIRED) <aetius>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

enhancement

CC:

hp-cluster, tantive

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://secunia.com/advisories/22637/

Whiteboard:

B1? [maskglsa] jaervosz

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
OpenPBS_2_3_16-security.diff	none

Description Matt Drew (RETIRED) gentoo-dev

2006-10-30 16:51:35 UTC

http://lists.suse.com/archive/suse-security-announce/2006-Oct/0007.html

Version is unspecified, but since 2.3.x has been around for a while, I'm assuming our current stable is vulnerable.  From SuSE:

- OpenPBS potential security problems

     An audit of OpenPBS found some potential security vulnerabilities that
     may allow the compromising of a system remotely and/or locally. An update was
     released to fix these issues.

Comment 1 Matt Drew (RETIRED) gentoo-dev

2006-11-10 05:13:06 UTC

attaching patch from duplicate bug #154315, altering title to be more descriptive, adding CVE reference.

Comment 2 Matt Drew (RETIRED) gentoo-dev

2006-11-10 05:17:16 UTC

Created attachment 101596 [details, diff]
OpenPBS_2_3_16-security.diff

Untested patch from Thomas Biege via bug #154315.

Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-11-10 05:19:19 UTC

*** Bug 154315 has been marked as a duplicate of this bug. ***

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-11-20 23:02:39 UTC

Pulling in herd for advise. Does openpbs run with root privileges?

Comment 5 Donnie Berkholz (RETIRED) gentoo-dev

2006-11-21 23:16:55 UTC

(In reply to comment #4)
> Pulling in herd for advise. Does openpbs run with root privileges?

Yeah. And the patch applies clean, although I was unable to find a fixed SRPM on SuSE's servers -- e.g. http://ftp.opensuse.org/pub/opensuse/distribution/SL-10.1/inst-source/suse/src/ does not appear to have any recent OpenPBS patch.

Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-03-09 21:54:46 UTC

is something possible here? otherwise if no upgrade is possible, we should begin to think about p.masking it :(

Comment 7 Donnie Berkholz (RETIRED) gentoo-dev

2007-03-09 23:47:24 UTC

I wouldn't mind just telling people to switch over to Torque. It's based off OpenPBS and is actually maintained.

Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-03-15 22:26:08 UTC

mind someone if i p.mask it advising sys-cluster/torque as a replacement?

Comment 9 Donnie Berkholz (RETIRED) gentoo-dev

2007-03-21 17:42:45 UTC

Fine by me.

Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-03-26 23:16:42 UTC

p.masked, glsa request filled

Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-03-27 15:33:52 UTC

Donnie, an old sys-cluster/mpiexec-0.75 still depends on the vulnerable openpbs.

Hi, x86 team, please could you test and mark stable sys-cluster/mpiexec-0.82 if appropriate. If it fails, you can try mpiexec-0.76-r2, thanks.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev

2007-03-27 18:54:21 UTC

Of course, x86 can...x86 can do a lot...x86 is making you happy, everyday.

Comment 13 Jakub Moc (RETIRED) gentoo-dev

2007-03-28 10:53:40 UTC

(In reply to comment #10)
> p.masked, glsa request filled

You need to p.mask <=sys-cluster/mpiexec-0.76-r1 as well.

Comment 14 Mr. Bones. (RETIRED) gentoo-dev

2007-03-29 17:52:37 UTC

I commented out the mask due to the dep breakage:

sys-cluster/mpiexec-0.75: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2006.1/desktop): solutions: [ sys-cluster/openpbs ]

remask it without dep breakage please.

Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-03-29 19:24:04 UTC

now with <=sys-cluster/mpiexec-0.75 that should be OK, ping me if there is still something wrong but now repoman is happy. Sorry for the mess.

Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-04-03 23:03:05 UTC

GLSA 200704-04, thanks everybody

Comment 17 Donnie Berkholz (RETIRED) gentoo-dev

2007-05-12 00:00:01 UTC

(In reply to comment #16)
> GLSA 200704-04, thanks everybody

This ready to close?

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-14 18:00:57 UTC

sys-cluster/openpbs seems nuked.