| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | sys-cluster/torque-{2.5.13,4.1.7}: Command Injection Vulnerability (CVE-2013-4495) | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | cluster, jsbronder |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/55645/ | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 532430 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2013-11-14 21:02:16 UTC
CVE-2013-4495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4495): The send_the_mail function in server/svr_mail.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) before 4.2.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the email (-M switch) to qsub.

Upstream commits for 4.1 [1] and 2.5 [2] branches:
[1] https://github.com/adaptivecomputing/torque/commit/2aad72c3d2ac612ecbb66828ac6ed5ab51eff5f3
[2] https://github.com/adaptivecomputing/torque/commit/64da0af7ed27284f3397081313850bba270593db

Patch for 2.5 was superseded by this: https://github.com/adaptivecomputing/torque/commit/8246d967bbcf174482ef01b1bf4920a5944b1011

2.5.13 has been added to the tree with fixes for this issue and can be considered a stabilization target. I'm still working on 4.1.x

+*torque-2.5.13 (19 Jun 2014)
+
+ 19 Jun 2014; Justin Bronder <jsbronder@gentoo.org> +torque-2.5.13.ebuild,
+ +files/CVE-2013-4495.patch, +files/CVE-2014-0749.patch:
+ Bump 2.5.13 with additional patches for CVE-2013-4495 (#491270) and
+ CVE-2014-0749 (#510726)

Alright, 4.1.7 is in the tree as well with the aforementioned patch applied. Please consider this to also be a stable target.

Thanks, Justin!

Arches, please test and mark stable:
=sys-cluster/torque-2.5.13
=sys-cluster/torque-4.1.7
Target KEYWORDS="alpha amd64 hppa ia64 ~mips ppc ppc64 sparc x86"

Stable for HPPA.

amd64 stable

x86 stable

alpha stable

ppc stable

ppc64 stable

ia64 stable

sparc stable.

Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

+ 26 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> -torque-2.5.12-r1.ebuild,
+ -torque-2.5.12.ebuild, -torque-4.1.5.1-r1.ebuild:
+ Drop old wrt #491270

There is a GLSA for it already.

This issue was resolved and addressed in GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml by GLSA coordinator Yury German (BlueKnight).
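The bug class named in the description (a user-controlled mail address reaching a shell) is illustrated below in C. This is an added example, not TORQUE's send_the_mail code or any Gentoo patch: the function names, the allow-list, the mailer path and the sample addresses are all hypothetical. It contrasts the unsafe pattern (interpolating the address into a command line that a shell parses) with the hardened one (a strict allow-list check followed by fork/execv with an argv array, so no shell is involved).

```c
/* Illustration of the CVE-2013-4495 bug class (hypothetical code, not TORQUE's):
 * an address taken from a job submission is handed to a mailer either through
 * a shell command string (unsafe) or via a validated argv and execv (safe). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters permitted in a mail address before it is passed to the mailer.
 * Deliberately stricter than RFC 5322: no quoting, no comments, no spaces. */
static int addr_char_ok(unsigned char c)
{
    return isalnum(c) || strchr("._%+-@", c) != NULL;
}

/* Returns 1 when addr is non-empty, at most 254 bytes, has exactly one '@'
 * and contains only allow-listed characters; 0 otherwise. */
int mail_address_is_safe(const char *addr)
{
    size_t n = strlen(addr);
    int at = 0;
    if (n == 0 || n > 254) return 0;
    for (size_t i = 0; i < n; i++) {
        if (!addr_char_ok((unsigned char)addr[i])) return 0;
        if (addr[i] == '@') at++;
    }
    return at == 1;
}

/* The unsafe pattern: the address is interpolated into the string that
 * system(3) or popen(3) would hand to /bin/sh.  Built for inspection only;
 * this example never executes it. */
int build_mail_command_unsafe(char *out, size_t outlen,
                              const char *mailer, const char *addr)
{
    return snprintf(out, outlen, "%s -s 'job status' %s", mailer, addr);
}

/* Returns 1 if the command line the unsafe pattern would produce contains
 * a character that /bin/sh treats as syntax rather than as data, else 0. */
int shell_would_see_metachar(const char *mailer, const char *addr)
{
    char cmd[1024];
    if (build_mail_command_unsafe(cmd, sizeof cmd, mailer, addr) >= (int)sizeof cmd)
        return 1;                              /* truncated: treat as unsafe */
    return strpbrk(cmd, ";|&$`<>()\\\n") != NULL;
}

/* The hardened pattern: validate, then exec the mailer directly with an argv
 * array, so the address reaches it as a single argument and no shell parses
 * it.  Returns the mailer's exit status, -1 for a rejected address and -2
 * for a fork or wait failure (an exec failure surfaces as status 127). */
int run_mailer_safe(const char *mailer, const char *addr)
{
    if (!mail_address_is_safe(addr)) return -1;

    char *argv[] = { (char *)mailer, (char *)addr, NULL };
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        execv(mailer, argv);
        _exit(127);                            /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    if (!WIFEXITED(status)) return -2;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample addresses; /bin/echo stands in for a real mailer. */
    const char *good = "user@example.com";
    const char *bad  = "user@example.com;x";
    char cmd[512];

    build_mail_command_unsafe(cmd, sizeof cmd, "/usr/bin/mail", bad);
    printf("shell would receive: %s\n", cmd);
    printf("metachar in command: %d\n", shell_would_see_metachar("/usr/bin/mail", bad));
    printf("safe path, good addr -> %d\n", run_mailer_safe("/bin/echo", good));
    printf("safe path, bad addr  -> %d\n", run_mailer_safe("/bin/echo", bad));
    return 0;
}
```

The allow-list is the part worth keeping: rejecting anything outside a small character set is simpler to reason about than trying to escape for a shell, and the execv path means that even an address the validator lets through is never parsed as shell syntax. A server that must accept arbitrary RFC 5322 addresses should still avoid system(3)/popen(3) and pass the address as one argv element, as done here.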