Bug 372959 (CVE-2011-2193)

Summary:	<sys-cluster/torque-{2.4.14,2.5.6}: Unspecified vulnerability (CVE-2011-2193)
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	cluster, jsbronder
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B1 [glsa]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2011-06-25 12:18:13 UTC

CVE-2011-2193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2193):
  Multiple buffer overflows in Terascale Open-Source Resource and Queue
  Manager (aka TORQUE Resource Manager) 2.x before 2.4.14, 2.5.x before 2.5.6,
  and 3.x before 3.0.2 allow (1) remote authenticated users to gain privileges
  via a long Job_Name field in a qsub command to the server, and might allow
  (2) local users to gain privileges via vectors involving a long host
  variable in pbs_iff.

Comment 1 Justin Bronder (RETIRED) gentoo-dev

2011-06-26 02:00:13 UTC

2.4.14 and 2.5.6 are both in the tree, both can be considered for stable as CR probably isn't going to fix 2.3.

Comment 2 Tim Sammut (RETIRED) gentoo-dev

2011-06-26 20:33:03 UTC

(In reply to comment #1)
> 2.4.14 and 2.5.6 are both in the tree, both can be considered for stable as CR
> probably isn't going to fix 2.3.

Thanks, Justin. Can we move forward? And which version should we target?

Comment 3 Justin Bronder (RETIRED) gentoo-dev

2011-06-26 22:11:14 UTC

(In reply to comment #2)
> (In reply to comment #1)
> > 2.4.14 and 2.5.6 are both in the tree, both can be considered for stable as CR
> > probably isn't going to fix 2.3.
> 
> Thanks, Justin. Can we move forward? And which version should we target?

I'd suggest 2.4.14.

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2011-06-26 22:25:13 UTC

Ok, tnx.

Arches, please test and mark stable:
=sys-cluster/torque-2.4.14
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Comment 5 Ian Delaney (RETIRED) gentoo-dev

2011-06-27 02:37:46 UTC

amd64:

texlive-basic-2008-r1 has done it again, still, does not emerge.  Subsequently can't emerge with use-doc

emerges with

USE="crypt syslog cpusets -doc drmaa server tk" emerge -1 torque

Comment 6 Agostino Sarubbo gentoo-dev

2011-06-27 17:19:30 UTC

amd64 ok

Comment 7 Andreas Schürch gentoo-dev

2011-06-28 11:29:46 UTC

(In reply to comment #5)

> texlive-basic-2008-r1 has done it again, still, does not emerge.  Subsequently
> can't emerge with use-doc

Ian, i've also hit this bug #369883... 
The solution is to rebuild dev-texlive/texlive-latex-2008-r2.

Everything looks fine here on x86 with =sys-cluster/torque-2.4.14, apart from a revdep, but that is not a regression as of bug #328549.

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2011-06-29 01:41:06 UTC

Stable for HPPA.

Comment 9 Christoph Mende (RETIRED) gentoo-dev

2011-06-29 15:05:39 UTC

amd64 stable

Comment 10 Markus Meier gentoo-dev

2011-06-29 19:43:22 UTC

x86 stable, thanks Andreas

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2011-07-02 18:36:37 UTC

alpha/ia64/sparc stable

Comment 12 Mark Loeser (RETIRED) gentoo-dev

2011-07-06 21:34:06 UTC

ppc64 done

Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-07-09 08:46:41 UTC

ppc stable, last arch done

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2011-07-09 16:19:07 UTC

Thanks, folks. GLSA request filed.

Comment 15 Justin Lecher (RETIRED) gentoo-dev

2014-09-18 11:57:16 UTC

All vulnerable versions gone, GLSA issued?

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2014-12-26 20:04:25 UTC

This issue was resolved and addressed in
 GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml
by GLSA coordinator Yury German (BlueKnight).