Bug 11670 - torque new security issue CVE-2013-4495
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/573813/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update
Reported: 2013-11-14 19:14 CET by David Walser
Modified: 2013-11-18 15:47 CET

Source RPM: torque-4.1.5.1-1.1.mga3.src.rpm
Description David Walser 2013-11-14 19:14:19 CET
Debian has issued an advisory on November 13:
http://lists.debian.org/debian-security-announce/2013/msg00208.html

The issue was fixed upstream in 4.2.6, as well as in patches for the 4.1.x and 2.5.x branches, links to which are in the Debian bug:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729333

The upstream announcement is here:
http://www.supercluster.org/pipermail/torqueusers/2013-November/016425.html

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

Advisory:
========================

Updated torque packages fix security vulnerability:

A user could submit executable shell commands on the tail of what is passed
with the -M switch for qsub. This was later passed to a pipe, making it
possible for these commands to be executed as root on the pbs_server
(CVE-2013-4495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4495
http://www.supercluster.org/pipermail/torqueusers/2013-November/016425.html
http://www.debian.org/security/2013/dsa-2796
========================

Updated packages in core/updates_testing:
========================
torque-2.5.12-1.2.mga2
libtorque2-2.5.12-1.2.mga2
libtorque-devel-2.5.12-1.2.mga2
torque-client-2.5.12-1.2.mga2
torque-server-2.5.12-1.2.mga2
torque-sched-2.5.12-1.2.mga2
torque-mom-2.5.12-1.2.mga2
torque-gui-2.5.12-1.2.mga2
torque-4.1.5.1-1.2.mga3
libtorque2-4.1.5.1-1.2.mga3
libtorque-devel-4.1.5.1-1.2.mga3
torque-client-4.1.5.1-1.2.mga3
torque-server-4.1.5.1-1.2.mga3
torque-sched-4.1.5.1-1.2.mga3
torque-mom-4.1.5.1-1.2.mga3
torque-gui-4.1.5.1-1.2.mga3

from SRPMS:
torque-2.5.12-1.2.mga2.src.rpm
torque-4.1.5.1-1.2.mga3.src.rpm
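
The advisory in the description above says the string given to qsub -M reached a pipe and was interpreted as shell commands. The following is an added example, not part of this bug report and not the upstream TORQUE patch: one way to harden such a mail path in C by allow-listing the recipient list and building an argv[] for execv(), so no shell parses it. The function names and the MAILER placeholder are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Pattern the advisory describes (not reproduced here): the -M string is
 * pasted into a command line and opened as a pipe, so /bin/sh parses it.
 * Hardening shown below: allow-list the list, then build an argv[] meant
 * for execv()/posix_spawn(), where no shell ever sees the recipients. */

/* Accepts user[@host][,user[@host]...]; returns 1 if safe, 0 otherwise. */
int mail_list_is_safe(const char *list)
{
    if (list == NULL || *list == '\0')
        return 0;
    int at_start = 1;                 /* next char begins a new entry */
    for (const char *p = list; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == ',') {
            if (at_start)
                return 0;             /* empty entry */
            at_start = 1;
            continue;
        }
        if (!isalnum(c) && strchr("._+-@", c) == NULL)
            return 0;                 /* rejects every shell metacharacter */
        if (at_start && (c == '-' || c == '@'))
            return 0;                 /* no option-like or userless entry */
        at_start = 0;
    }
    return !at_start;                 /* reject a trailing comma */
}

/* Splits a validated list in place into argv[1..]; argv[0] is the mailer
 * name (MAILER is a placeholder). Returns recipient count, or -1. */
#define MAILER "sendmail"
int build_mailer_argv(char *list, char *argv[], size_t cap)
{
    if (cap < 3 || !mail_list_is_safe(list))
        return -1;
    size_t n = 0;
    argv[n++] = MAILER;
    for (char *tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (n + 1 >= cap)
            return -1;                /* keep room for the NULL terminator */
        argv[n++] = tok;
    }
    argv[n] = NULL;
    return (int)n - 1;
}
```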

Comment 1 David Walser 2013-11-15 22:48:38 CET
Testing procedure is here:
https://bugs.mageia.org/show_bug.cgi?id=11421#c2

Comment 2 Philippe Makowski 2013-11-16 15:15:49 CET
Tested and OK on mga2-64 and mga3-64 using the testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11421#c2

Comment 3 claire robinson 2013-11-18 14:11:41 CET
Testing complete mga3 32

As before, on a system with a hostname set, it showed errors. Using the hostname in /etc/torque/nodes instead of localhost cured one, but pbs_mom shows connection errors unless the hostname is also set in /etc/torque/server_name.

After this is done and the services are restarted, the errors clear.

Also, after starting the trqauthd service, I ran qmgr as below, which displays some settings.

# qmgr -c 'p s'

Comment 4 claire robinson 2013-11-18 14:26:55 CET
Testing complete mga2 32

In the mga2 version there is no separate trqauthd, but qmgr works without it.

Comment 5 claire robinson 2013-11-18 14:36:21 CET
Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates?

Thanks!

Comment 6 Thomas Backlund 2013-11-18 15:47:05 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0327.html
