Bug 524362 (CVE-2014-3684) - <sys-cluster/torque-4.2.9: non-root users able to kill any process on any node in a job (CVE-2014-3684)
Alias: CVE-2014-3684
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Reported: 2014-10-03 10:01 UTC by Agostino Sarubbo
Modified: 2014-12-13 01:07 UTC


Description Agostino Sarubbo gentoo-dev 2014-10-03 10:01:45 UTC
From ${URL} :

Chad Vizino reported a flaw in the TORQUE Resource Manager that would allow non-root users to kill 
any process, including root-owned ones on any node in a job:

The fixes in the 4.2 branch appear applicable to the version of TORQUE in Fedora and EPEL:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Bronder (RETIRED) gentoo-dev 2014-10-17 03:23:37 UTC
The prior 4.2 ebuild was unstable, probably no need for stabilization.

+*torque-4.2.9-r1 (17 Oct 2014)
+  17 Oct 2014; Justin Bronder <> -torque-4.2.9.ebuild,
+  +torque-4.2.9-r1.ebuild,
+  +files/TRQ-2885-limit-tm_adopt-to-only-adopt-a-session-id-t.patch:
+  Apply upstream fixes for TRQ-2885. #524362
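Review bot: the ChangeLog message on the last added line names TRQ-2885 and bug #524362 but not CVE-2014-3684, the alias this bug carries; adding the CVE id to the entry would let anyone auditing the tree find the security fix by its identifier. The message also says "fixes" while only one file under files/ is added, so it is worth confirming that the single TRQ-2885 patch carries every upstream change intended for this revision bump.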
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-13 01:07:54 UTC
Thanks for the bump, Justin. 

The 4.2 branch is not stable, so closing noglsa.