*Vulnerability:* A non-privileged user who can run jobs or log in to a
pbs_server or pbs_mom can submit an arbitrary job to the cluster; that job
can run as root. The user can submit a command directly to a pbs_mom daemon
to queue and run a job. A malicious user could use this vulnerability to
remotely execute code as root on the cluster.
*Versions Affected:* All versions of TORQUE
- The user must be logged in on a node that is already legitimately able to
contact pbs_mom daemons or submit jobs.
- If a user submits a job via this defect and pbs_server is running,
pbs_server will kill the job unless job syncing is disabled. It may take up
to 45 seconds for pbs_server to kill the job.
- There are no known instances of this vulnerability being exploited.
@maintainers: patch for 2.5 at , patch for 4.x available at .
pbs_mom in Terascale Open-Source Resource and Queue Manager (aka TORQUE
Resource Manager) 2.5.x, 4.x, and earlier does not properly restrict access
by unprivileged ports, which allows remote authenticated users to execute
arbitrary jobs by submitting a command.
23 Dec 2013; Justin Bronder <firstname.lastname@example.org> torque-2.4.16.ebuild,
+torque-2.4.16-r1.ebuild, -torque-2.5.12.ebuild, +torque-2.5.12-r1.ebuild,
Add patches for CVE-2013-4319 (#484320).
@security, both 2.5.12-r1 and 188.8.131.52-r1 should be stable targets (many people still rely on the old 2.5 series and 4.1 has been in the tree more than long enough).
Arches, please test and stabilize:
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), thank you for your work.
New GLSA Request filed.
This issue was resolved and addressed in
GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml
by GLSA coordinator Yury German (BlueKnight).