Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 491270 (CVE-2013-4495) - <sys-cluster/torque-{2.5.13,4.1.7}: Command Injection Vulnerability (CVE-2013-4495)
Summary: <sys-cluster/torque-{2.5.13,4.1.7}: Command Injection Vulnerability (CVE-2013...
Status: RESOLVED FIXED
Alias: CVE-2013-4495
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55645/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 532430
Blocks:
  Show dependency tree
 
Reported: 2013-11-14 21:02 UTC by Agostino Sarubbo
Modified: 2014-12-26 20:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-11-14 21:02:16 UTC
From ${URL} :

Description

A vulnerability has been reported in TORQUE Resource Manager, which can be exploited by malicious 
users to compromise a vulnerable system.

For more information:
SA55622


Solution:
Fixed in the source code repository.

Further details available to Secunia VIM customers

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:21:06 UTC
CVE-2013-4495 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4495):
  The send_the_mail function in server/svr_mail.c in Terascale Open-Source
  Resource and Queue Manager (aka TORQUE Resource Manager) before 4.2.6 allows
  remote attackers to execute arbitrary commands via shell metacharacters in
  the email (-M switch) to qsub.
Comment 3 Justin Bronder (RETIRED) gentoo-dev 2014-06-19 19:50:01 UTC
patch for 2.5 was superseeded by this:
https://github.com/adaptivecomputing/torque/commit/8246d967bbcf174482ef01b1bf4920a5944b1011
Comment 4 Justin Bronder (RETIRED) gentoo-dev 2014-06-19 19:56:46 UTC
2.5.13 has been added to the tree with fixes for this issue and can be considered a stabilization target.  I'm still working on 4.1.x

+*torque-2.5.13 (19 Jun 2014)
+
+  19 Jun 2014; Justin Bronder <jsbronder@gentoo.org> +torque-2.5.13.ebuild,
+  +files/CVE-2013-4495.patch, +files/CVE-2014-0749.patch:
+  Bump 2.5.13 with additional patches for CVE-2013-4495 (#491270) and
+  CVE-2014-0749 (#510726)
Comment 5 Justin Bronder (RETIRED) gentoo-dev 2014-06-19 20:31:42 UTC
Alright, 4.1.7 is in the tree as well with the aforementioned patch applied.  Please consider this to also be a stable target.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-13 01:23:34 UTC
Thanks, Justin!

Arches, please test and mark stable:
=sys-cluster/torque-2.5.13
=sys-cluster/torque-4.1.7

Target KEYWORDS="alpha amd64 hppa ia64 ~mips ppc ppc64 sparc x86"
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-16 08:33:31 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-21 11:37:39 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-21 11:42:26 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-23 09:36:28 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-24 14:37:06 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-24 14:47:12 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-25 11:28:05 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-26 09:29:32 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2014-12-26 16:03:23 UTC
+  26 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> -torque-2.5.12-r1.ebuild,
+  -torque-2.5.12.ebuild, -torque-4.1.5.1-r1.ebuild:
+  Drop old wrt #491270
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-12-26 18:08:50 UTC
there is glsa for it already.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 20:04:56 UTC
This issue was resolved and addressed in
 GLSA 201412-47 at http://security.gentoo.org/glsa/glsa-201412-47.xml
by GLSA coordinator Yury German (BlueKnight).