Bug 14226 - torque new security issue CVE-2014-3684
Summary: torque new security issue CVE-2014-3684
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/615625/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-03 18:56 CEST by David Walser
Modified: 2014-10-13 18:12 CEST

See Also:
Source RPM: torque-4.2.8-3.mga5.src.rpm
CVE: CVE-2014-3684
Status comment:


Attachments

Description David Walser 2014-10-03 18:56:15 CEST
A security issue in torque has been announced on October 2:
http://openwall.com/lists/oss-security/2014/10/02/45

Upstream commits are referenced in the message above.

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-03 18:56:23 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Chris Denice 2014-10-03 19:08:39 CEST
thanks for the link; I'll update everybody asap then.
cheers.
Comment 2 Chris Denice 2014-10-04 01:35:23 CEST
I have uploaded a patched package for both Mageia 3 & 4 fixing the security hole CVE-2014-3684.

I have backported the upstream fix:
https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9
for the torque versions distributed in mga3 (4.1.5.1) and mga4 (4.1.6).

Suggested advisory:
========================

Updated torque packages fix security vulnerabilities:

Chad Vizino reported that within a TORQUE Resource Manager job a non-root user could use a vulnerability in the tm_adopt() library call to kill processes he/she doesn't own including root-owned ones on any node in a job (CVE-2014-3684).

This update implements the upstream fixes.

References:
http://openwall.com/lists/oss-security/2014/10/02/45

========================
Updated packages in 3/core/updates_testing:
torque-4.1.5.1-1.3.mga3.src.rpm
========================
lib64torque2-4.1.5.1-1.3.mga3
torque-gui-4.1.5.1-1.3.mga3
lib64torque-devel-4.1.5.1-1.3.mga3
torque-mom-4.1.5.1-1.3.mga3
torque-4.1.5.1-1.3.mga3
torque-sched-4.1.5.1-1.3.mga3
torque-client-4.1.5.1-1.3.mga3
torque-server-4.1.5.1-1.3.mga3



========================
Updated packages in 4/core/updates_testing:
SRPM: torque-4.1.6-4.1.mga4.src.rpm
========================
torque-4.1.6-4.1.mga4
lib64torque2-4.1.6-4.1.mga4
torque-client-4.1.6-4.1.mga4
lib64torque-devel-4.1.6-4.1.mga4
torque-server-4.1.6-4.1.mga4
torque-sched-4.1.6-4.1.mga4
torque-mom-4.1.6-4.1.mga4
torque-gui-4.1.6-4.1.mga4

CVE: (none) => CVE-2014-3684
Assignee: dirteat => qa-bugs

Comment 3 David Walser 2014-10-04 03:03:19 CEST
Thanks Chris!  Is Cauldron not affected?

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 4 claire robinson 2014-10-06 14:21:06 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=11421#c2

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 William Kenney 2014-10-07 17:49:39 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
torque torque-server torque-sched torque-mom

Test per procedure: https://bugs.mageia.org/show_bug.cgi?id=11421#c2

default install of torque torque-server torque-sched torque-mom

[root@localhost wilcal]# urpmi torque
Package torque-4.1.5.1-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.5.1-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.5.1-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.5.1-1.2.mga3.i586 is already installed

[root@localhost ~]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
          Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
          Active: active (running) since Tue, 2014-10-07 08:38:27 PDT; 18s ago
         Process: 4601 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
          CGroup: name=systemd:/system/pbs_mom.service
                  └ 4612 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

install torque torque-server torque-sched torque-mom from updates_testing

[root@localhost wilcal]# urpmi torque
Package torque-4.1.5.1-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.5.1-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.5.1-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.5.1-1.3.mga3.i586 is already installed

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
          Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
          Active: active (running) since Tue, 2014-10-07 08:42:29 PDT; 27s ago
         Process: 5811 ExecStop=/etc/rc.d/init.d/pbs_mom stop.....
         Process: 5860 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
          CGroup: name=systemd:/system/pbs_mom.service
                  └ 5871 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK

Comment 6 William Kenney 2014-10-07 18:25:00 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
torque torque-server torque-sched torque-mom lib64torque2

Test per procedure: https://bugs.mageia.org/show_bug.cgi?id=11421#c2

default install of torque torque-server torque-sched torque-mom lib64torque2

[root@localhost wilcal]# urpmi torque
Package torque-4.1.5.1-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.5.1-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.5.1-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.5.1-1.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64torque2
Package lib64torque2-4.1.5.1-1.2.mga3.x86_64 is already installed
writing /var/lib/rpm/installed-through-deps.list

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
          Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
          Active: active (running) since Tue, 2014-10-07 09:10:17 PDT; 1min 0s ago
         Process: 3563 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
          CGroup: name=systemd:/system/pbs_mom.service
                  └ 3574 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

install torque torque-server torque-sched torque-mom lib64torque2 from updates_testing

Stop and restart pbs services

[root@localhost wilcal]# urpmi torque
Package torque-4.1.5.1-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.5.1-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.5.1-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.5.1-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64torque2
Package lib64torque2-4.1.5.1-1.3.mga3.x86_64 is already installed

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
          Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
          Active: active (running) since Tue, 2014-10-07 09:21:11 PDT; 26s ago
         Process: 5090 ExecStop=/etc/rc.d/init.d/pbs_mom stop.....
         Process: 5237 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
          CGroup: name=systemd:/system/pbs_mom.service
                  └ 5248 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 7 William Kenney 2014-10-07 18:40:12 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
torque torque-server torque-sched torque-mom libtorque2

Test per procedure: https://bugs.mageia.org/show_bug.cgi?id=11421#c2

default install of torque torque-server torque-sched torque-mom libtorque2

[root@localhost wilcal]# urpmi torque
Package torque-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libtorque2
Package libtorque2-4.1.6-4.mga4.i586 is already installed

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
   Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
   Active: active (running) since Tue 2014-10-07 09:33:27 PDT; 25s ago
  Process: 5397 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
   CGroup: /system.slice/pbs_mom.service
           └─5408 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

install torque torque-server torque-sched torque-mom libtorque2 from updates_testing

Stop and restart pbs services

[root@localhost wilcal]# urpmi torque
Package torque-4.1.6-4.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.6-4.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.6-4.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.6-4.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libtorque2
Package libtorque2-4.1.6-4.1.mga4.i586 is already installed

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
   Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
   Active: active (running) since Tue 2014-10-07 09:36:22 PDT; 1min 20s ago
  Process: 7571 ExecStop=/etc/rc.d/init.d/pbs_mom stop.....
  Process: 7720 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
   CGroup: /system.slice/pbs_mom.service
           └─7731 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 8 William Kenney 2014-10-07 19:01:47 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
torque torque-server torque-sched torque-mom lib64torque2

Test per procedure: https://bugs.mageia.org/show_bug.cgi?id=11421#c2

default install of torque torque-server torque-sched torque-mom lib64torque2

[root@localhost wilcal]# urpmi torque
Package torque-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.6-4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi lib64torque2
Package libtorque2-4.1.6-4.mga4.i586 is already installed

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
   Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
   Active: active (running) since Tue 2014-10-07 09:33:27 PDT; 25s ago
  Process: 5397 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
   CGroup: /system.slice/pbs_mom.service
           └─5408 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

install torque torque-server torque-sched torque-mom libtorque2 from updates_testing

Stop and restart pbs services

[root@localhost wilcal]# urpmi torque
Package torque-4.1.6-4.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-server
Package torque-server-4.1.6-4.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-sched
Package torque-sched-4.1.6-4.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi torque-mom
Package torque-mom-4.1.6-4.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64torque2
Package lib64torque2-4.1.6-4.1.mga4.x86_64 is already installed

[root@localhost wilcal]# service pbs_mom status
pbs_mom.service - LSB: The Torque node manager MOM
   Loaded: loaded (/etc/rc.d/init.d/pbs_mom)
   Active: active (running) since Tue 2014-10-07 09:57:42 PDT; 1min 33s ago
  Process: 6467 ExecStop=/etc/rc.d/init.d/pbs_mom stop.....
  Process: 6703 ExecStart=/etc/rc.d/init.d/pbs_mom start.....
   CGroup: /system.slice/pbs_mom.service
           └─6714 /usr/sbin/pbs_mom -p -d /var/spool/torque

pbs_mom is running

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 9 William Kenney 2014-10-07 19:02:52 CEST
For me this update works fine.
Many thanks to Claire for a great procedure
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
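
The test logs above confirm the update by reading the release field that urpmi prints (1.2 => 1.3 on mga3, 4 => 4.1 on mga4). The following is an added example, not part of the bug report, that automates that comparison against the fixed builds listed in comment 2; the function names and the VULNERABLE/FIXED/UNKNOWN labels are hypothetical, and the sample package strings are constructed in the format shown in the logs.

```shell
#!/bin/sh
# Added example (not from the bug report): classify torque package strings
# against the fixed builds named in this bug for CVE-2014-3684.

# Fixed version-release per Mageia release, from the package lists above.
fixed_for() {
    case $1 in
        mga3) echo "4.1.5.1-1.3" ;;
        mga4) echo "4.1.6-4.1" ;;
        *)    return 1 ;;   # no fixed build for this release is given on the page
    esac
}

# Compare two dotted numeric strings; prints lt, eq or gt.
# Assumption: fields are purely numeric, as they are for every build in this bug.
cmp_dotted() (
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo gt; return; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
)

# Classify one string of the form name-version-release.dist[.arch].
check_pkg() (
    nvr=${1%.i586}; nvr=${nvr%.x86_64}   # drop the arch suffix if present
    dist=${nvr##*.}; nvr=${nvr%.*}       # mga3 / mga4
    rel=${nvr##*-};  nvr=${nvr%-*}       # package release
    ver=${nvr##*-}                       # upstream version
    fixed=$(fixed_for "$dist") || { echo "UNKNOWN $1"; return 0; }
    c=$(cmp_dotted "$ver" "${fixed%-*}")
    [ "$c" = eq ] && c=$(cmp_dotted "$rel" "${fixed#*-}")
    if [ "$c" = lt ]; then echo "VULNERABLE $1"; else echo "FIXED $1"; fi
)

# Constructed sample input, in the format urpmi prints in the test logs.
for p in torque-mom-4.1.5.1-1.2.mga3.i586 torque-mom-4.1.5.1-1.3.mga3.i586 \
         lib64torque2-4.1.6-4.mga4.x86_64 lib64torque2-4.1.6-4.1.mga4.x86_64; do
    check_pkg "$p"
done
# On a live system: rpm -qa '*torque*' | while read -r p; do check_pkg "$p"; done
```

A package from a release with no fixed build listed here (for example an mga5 Cauldron build) is reported as UNKNOWN rather than guessed.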

Comment 10 claire robinson 2014-10-07 19:56:36 CEST
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 11 David Walser 2014-10-08 18:41:23 CEST
Chris, just in case you didn't see this on the -dev list, a problem in the Cauldron package:
https://ml.mageia.org/l/arc/dev/2014-10/msg00321.html

I checked the Mageia 4 build and it's not affected by this issue.
Comment 12 Mageia Robot 2014-10-09 16:06:59 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0408.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-10-09 18:34:58 CEST

URL: (none) => http://lwn.net/Vulnerabilities/615625/

Comment 13 Chris Denice 2014-10-13 18:12:33 CEST
thanks guys,
sorry, I missed all your posts as I am always forgetting to add myself in CC when I change the bug assignment to QA :)

I see everything is good, fortunately.

cheers.

CC: (none) => dirteat

