Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 484320 (CVE-2013-4319) - <sys-cluster/torque-{2.5.12-r1,}: privilege escallation (CVE-2013-4319)
Summary: <sys-cluster/torque-{2.5.12-r1,}: privilege escallation (CVE-2013-4...
Alias: CVE-2013-4319
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2013-09-09 10:10 UTC by Kacper Kowalik (Xarthisius) (RETIRED)
Modified: 2014-12-26 20:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2013-09-09 10:10:33 UTC
*Vulnerability:* A non-privileged user who can run jobs or login to a
node running
pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job
can run as root. The user can submit a command directly to a pbs_mom daemon
to queue and run a job. A malicious user could use this vulnerability to
remotely execute code as root on the cluster.

*Versions Affected:* All versions of TORQUE

*Mitigating Factors:*

- The user must be logged in on a node that is already legitimately able to
contact pbs_mom daemons or submit jobs.

- If a user submits a job via this defect and pbs_server is running,
pbs_server will kill the job unless job syncing is disabled. It may take up
to 45 seconds for pbs_server to kill the job.

- There are no known instances of this vulnerability being exploited.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 02:20:57 UTC
@maintainers: patch for 2.5 at [1], patch for 4.x available at [2].

Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-16 01:27:09 UTC
CVE-2013-4319 (
  pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE
  Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access
  by unprivileged ports, which allows remote authenticated users to execute
  arbitrary jobs by submitting a command.
Comment 3 Justin Bronder (RETIRED) gentoo-dev 2013-12-23 18:02:43 UTC
  23 Dec 2013; Justin Bronder <> torque-2.4.16.ebuild,
  +torque-2.4.16-r1.ebuild, -torque-2.5.12.ebuild, +torque-2.5.12-r1.ebuild,
  -torque-, +torque-,
  Add patches for CVE-2013-4319 (#484320).

@security, both 2.5.12-r1 and should be stable targets (many people still rely on the old 2.5 series and 4.1 has been in the tree more than long enough).

Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-24 02:29:04 UTC
Arches, please test and stabilize:
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-25 21:37:29 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-03 21:11:51 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-03 21:16:47 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-05 08:59:13 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-05 09:02:44 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-05 09:04:24 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-12 13:17:59 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-19 13:54:43 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 01:34:12 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 20:04:48 UTC
This issue was resolved and addressed in
 GLSA 201412-47 at
by GLSA coordinator Yury German (BlueKnight).