| Summary: | sys-cluster/torque-{2.5.12-r1,4.1.5.1-r1}: privilege escalation (CVE-2013-4319) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kacper Kowalik (Xarthisius) (RETIRED) <xarthisius> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | cluster, jsbronder |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Kacper Kowalik (Xarthisius) (RETIRED)
2013-09-09 10:10:33 UTC
@maintainers: patch for 2.5 at [1], patch for 4.x available at [2].

[1] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch
[2] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv.patch

CVE-2013-4319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319): pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access by unprivileged ports, which allows remote authenticated users to execute arbitrary jobs by submitting a command.

23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> torque-2.4.16.ebuild, +torque-2.4.16-r1.ebuild, -torque-2.5.12.ebuild, +torque-2.5.12-r1.ebuild, -torque-4.1.5.1.ebuild, +torque-4.1.5.1-r1.ebuild, +files/CVE-2013-4319-2.x-root-submit-fix.patch, +files/CVE-2013-4319-4.x-root-submit-fix.patch:
Add patches for CVE-2013-4319 (#484320).

@security, both 2.5.12-r1 and 4.1.5.1-r1 should be stable targets (many people still rely on the old 2.5 series and 4.1 has been in the tree more than long enough). Thanks!

Arches, please test and stabilize:
=sys-cluster/torque-2.5.12-r1
=sys-cluster/torque-4.1.5.1-r1
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
ppc stable
sparc stable
ia64 stable
alpha stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Arches and Maintainer(s), thank you for your work. New GLSA Request filed.

This issue was resolved and addressed in GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml by GLSA coordinator Yury German (BlueKnight).
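The CVE text above describes the failure mode in one sentence: pbs_mom did not properly restrict access by unprivileged source ports. The following is an added example, written for this page and not TORQUE's own code or the content of the linked patches. It models the rsh-style trust check such daemons rely on: a request that only the batch server may send is accepted only when it comes from a configured server host and from a privileged source port (below 1024, which only root can bind on Unix). The weak variant checks the host alone, which is the gap the CVE describes; the hardened variant checks both. All addresses, ports and request names are constructed for the example.

```python
"""
Model of the privileged-port trust check for a batch-node daemon (added
example, not TORQUE code). Hosts, ports and request names are constructed.
"""
from dataclasses import dataclass
import ipaddress

IPPORT_RESERVED = 1024  # source ports below this require root to bind on Unix

# Constructed allow-list: the hosts this node treats as its batch server.
TRUSTED_SERVERS = {ipaddress.ip_address("10.0.0.1")}

# Constructed request kinds that only the batch server may legitimately send.
SERVER_ONLY_REQUESTS = {"run_job", "signal_job", "delete_job"}


@dataclass(frozen=True)
class Request:
    src_ip: str
    src_port: int
    kind: str


def weak_authorize(req: Request) -> bool:
    """Trusts any connection from a listed server address, whatever its source port.

    Any local user on the server host can open a socket from a high port, so
    the address alone does not prove the request came from the root-owned daemon.
    """
    if req.kind not in SERVER_ONLY_REQUESTS:
        return True
    return ipaddress.ip_address(req.src_ip) in TRUSTED_SERVERS


def hardened_authorize(req: Request) -> bool:
    """Requires both a trusted address and a privileged (root-only) source port."""
    if req.kind not in SERVER_ONLY_REQUESTS:
        return True
    if ipaddress.ip_address(req.src_ip) not in TRUSTED_SERVERS:
        return False
    # Only root can bind a source port below IPPORT_RESERVED, so a privileged
    # port is the evidence that the peer process is the daemon, not a user.
    return 0 < req.src_port < IPPORT_RESERVED


def compare(reqs):
    """Return (kind, port, weak verdict, hardened verdict) for each request."""
    return [(r.kind, r.src_port, weak_authorize(r), hardened_authorize(r)) for r in reqs]


# Constructed sample traffic as seen by the node daemon.
SAMPLE = [
    Request("10.0.0.1", 1023, "run_job"),   # root-owned server daemon
    Request("10.0.0.1", 40123, "run_job"),  # unprivileged user on the server host
    Request("10.0.0.7", 1022, "run_job"),   # privileged port, but not a server host
    Request("10.0.0.7", 50000, "status"),   # ordinary request, accepted either way
]

if __name__ == "__main__":
    for kind, port, weak, hard in compare(SAMPLE):
        print(f"{kind:<10} port {port:>5}  weak={weak!s:<5} hardened={hard}")
```

Running it shows the second sample request accepted by the weak check and refused by the hardened one; that single row is the class of bug the advisory concerns. The port test is only meaningful on networks where the server host itself is trusted to enforce the root-only binding, which is why the address allow-list stays in place alongside it.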