Bug 11421 - torque new security issue CVE-2013-4319
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/569853/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update

Reported: 2013-10-09 21:40 CEST by David Walser
Modified: 2013-10-17 22:04 CEST

Source RPM: torque-4.1.6-1.mga4.src.rpm

Description David Walser 2013-10-09 21:40:43 CEST
Debian has issued an advisory today (October 9):
http://lists.debian.org/debian-security-announce/2013/msg00181.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated torque package fixes security vulnerability:

A non-privileged user who was able to run jobs or log in to a node which ran
pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue
and run the job, which would run as root (CVE-2013-4319).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4319
http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html
http://www.debian.org/security/2013/dsa-2770
========================

Updated packages in core/updates_testing:
========================
torque-2.5.12-1.1.mga2
libtorque2-2.5.12-1.1.mga2
libtorque-devel-2.5.12-1.1.mga2
torque-client-2.5.12-1.1.mga2
torque-server-2.5.12-1.1.mga2
torque-sched-2.5.12-1.1.mga2
torque-mom-2.5.12-1.1.mga2
torque-gui-2.5.12-1.1.mga2
torque-4.1.5.1-1.1.mga3
libtorque2-4.1.5.1-1.1.mga3
libtorque-devel-4.1.5.1-1.1.mga3
torque-client-4.1.5.1-1.1.mga3
torque-server-4.1.5.1-1.1.mga3
torque-sched-4.1.5.1-1.1.mga3
torque-mom-4.1.5.1-1.1.mga3
torque-gui-4.1.5.1-1.1.mga3

from SRPMS:
torque-2.5.12-1.1.mga2.src.rpm
torque-4.1.5.1-1.1.mga3.src.rpm

Comment 1 claire robinson 2013-10-14 14:10:41 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6082#c5
Comment 2 Chris Denice 2013-10-14 18:27:18 CEST
To test the torque mom daemon, please start from a clean install and then:

1) Install torque-server, torque-sched, torque-mom.

2) Execute as root
service pbs_server start
service pbs_sched start

verify that the daemons run
service pbs_server status
service pbs_sched status

3) Edit /etc/torque/nodes by appending the line
localhost np=1

4) start mom daemon
service pbs_mom start

5) check that it works
service pbs_mom status

you're done!

cheers,
chris.
Comment 3 claire robinson 2013-10-15 17:57:26 CEST
Thanks for the procedure Chris.

Testing complete mga3 64
Comment 4 claire robinson 2013-10-15 17:59:11 CEST
Sorry that was mga2 64, testing others shortly
Comment 5 claire robinson 2013-10-15 18:18:00 CEST
Testing complete mga2 32 and mga3 32 & 64

Found that any with a hostname set had to have hostname in /etc/torque/nodes rather than 'localhost' or restarting pbs_server shows an error in the status.

LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about

Once set though and restarted, the error cleared.
Comment 6 claire robinson 2013-10-15 18:20:50 CEST
Suffers from the same harmless warnings during removal as quagga and dropbear (see bug 11458) due to the redundant SysV init scripts.
Comment 7 claire robinson 2013-10-15 18:27:23 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 8 Chris Denice 2013-10-15 18:33:03 CEST
"LOG_ERROR::get_node_from_str, Node localhost is reporting on node <hostname>, which pbs_server doesn't know about"

Yes, I fought with this for a while: if "localhost" is not your hostname, pbs_server fails, and the way you solved it is what is in the Torque manual.

(I'll add a README to the torque package for mga4 to make various of these annoying "features" clearer)

thanks Claire.
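
The nodes-file requirement reported in comments 5 and 8, as an added example that is not part of the original thread or the torque package: a pre-flight check that the test machine's hostname, not only 'localhost', is listed in the nodes file before pbs_server is started. The helper names are hypothetical, and the script assumes the caller passes the node name exactly as it appears in the LOG_ERROR message.

```shell
#!/bin/sh
# Added example (not from the thread). Path taken from comment 2;
# function names are hypothetical.
NODES_FILE="${NODES_FILE:-/etc/torque/nodes}"

# node_listed FILE NAME: succeed if NAME is the first field of a
# non-comment line in FILE.
node_listed() {
    awk -v n="$2" '!/^[[:space:]]*#/ && $1 == n { found = 1 }
                   END { exit !found }' "$1"
}

# check_nodes_file FILE HOST: print ok | localhost-only | missing
check_nodes_file() {
    file=$1 host=$2
    if [ ! -r "$file" ]; then echo missing; return 2; fi
    if node_listed "$file" "$host"; then echo ok; return 0; fi
    # This is the state that produced the get_node_from_str error.
    if node_listed "$file" localhost; then echo localhost-only; return 1; fi
    echo missing; return 2
}

# fix_nodes_file FILE HOST: rename a 'localhost' entry to HOST, keeping
# its attributes (e.g. np=1), or append "HOST np=1" if no entry exists.
fix_nodes_file() {
    file=$1 host=$2
    state=$(check_nodes_file "$file" "$host") || true
    case $state in
        ok) return 0 ;;
        localhost-only)
            tmp=$(mktemp) || return 1
            awk -v h="$host" '!/^[[:space:]]*#/ && $1 == "localhost" { $1 = h }
                              { print }' "$file" > "$tmp" &&
                cat "$tmp" > "$file"   # rewrite in place, keeps file mode
            rm -f "$tmp" ;;
        missing) printf '%s np=1\n' "$host" >> "$file" ;;
    esac
}

# Usage, as root, before "service pbs_server start":
#   fix_nodes_file "$NODES_FILE" "$(hostname)"
```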
Comment 9 Thomas Backlund 2013-10-17 22:04:47 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0308.html
