Bug 6082 - torque and torque-client have incorrect permissions (also CVE-2011-2193)
Summary: torque and torque-client have incorrect permissions (also CVE-2011-2193)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/448650/
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: Junior_job, validated_update
Depends on: 2317
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-25 12:59 CEST by Steven Tucker
Modified: 2012-09-04 20:33 CEST (History)
5 users (show)

See Also:
Source RPM: torque
CVE:
Status comment:


Attachments
Screenshot of xpbs on Mageia 2 i586 (81.34 KB, image/png)
2012-08-31 03:43 CEST, Dave Hodgins
Details
Screenshot of xpbs on Mageia 2 x86-64 (99.05 KB, image/png)
2012-08-31 03:47 CEST, Dave Hodgins
Details

Description Steven Tucker 2012-05-25 12:59:38 CEST
Incorrect permission in /var/spool/pbs directory causes pbs_server pbs_sched and pbs_mom all to fail loading.

For torque-client the following commands fix the issue

chmod -R 1755 /var/spool/pbs/*
chmod -R 1777 /var/spool/pbs/spool
chmod -R 1777 /var/spool/pbs/undelivered

Similar for torque
Manuel Hiebel 2012-05-27 12:20:26 CEST

Keywords: (none) => Junior_job
Source RPM: (none) => torque

Comment 1 David Walser 2012-08-11 20:10:35 CEST
This is also missing a fix for CVE-2011-2193.

Fedora has issued an advisory on June 10, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062638.html

Debian has issued an advisory on October 27:
http://www.debian.org/security/2011/dsa-2329

Version: 2 => Cauldron
URL: (none) => http://lwn.net/Vulnerabilities/448650/
Hardware: x86_64 => All
Component: RPM Packages => Security
CC: (none) => luigiwalser
Assignee: bugsquad => fundawang
Summary: torque and torque-client have incorrect permissions => torque and torque-client have incorrect permissions (also CVE-2011-2193)
Whiteboard: (none) => MGA2TOO

Comment 2 Chris Denice 2012-08-24 21:56:18 CEST
Hi there,

for many other reasons, torque has been updated to 2.5.12 on Cauldron; which is not concerned by CVE-2011-2193 according to:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2193

Also, pbs_server, pbs_mom and pbs_sched work with default installation permissions now (at least on my machines). Let me know if you still have those problems.

Cheers,
Chris.

PS: for mga2, I don't know if we can update it to 2.5.12 too?

CC: (none) => dirteat

Comment 3 David Walser 2012-08-24 22:43:23 CEST
(In reply to comment #2)
> PS: for mga2, I don't know if we can update it to 2.5.12 too?

Since it has been unmaintained, if that's the easiest way to address these issues, we can do that.  We have done the same for some other packages.
Comment 4 Chris Denice 2012-08-26 18:13:06 CEST
Ok, I am doing it then and write an advisory when it lands on update/testing.
I am reassigning the bug the myself.

Cheers,
Chris.

Assignee: fundawang => dirteat

Comment 5 Chris Denice 2012-08-27 10:45:18 CEST
Dear QA Team,

torque-2.5.12-1.mga2 has just landed in core/updates_testing for Mageia 2.

You can test it by running the three init.d scripts provided by its packages paying attention to the following points:

1) The sub-package torque-mom should only requires libtorque2 and torque at install (it should not trigger the installation of torque-sched or torque-server). Once installed, running a "service pbs_mom start" should be fine although error messages in the logs (/var/log/messages) are expected if you don't edit the configuration file (/etc/torque/nodes).

2) The other subpackages torque-sched and torque-server install the two services "pbs_server" and "pbs_sched". These services should not failed by issuing the commands "service pbs_server start" and "service pbs_sched start".

3) torque-gui install some graphic tools, it should trigger the installation of torque-client. To test it just run "xpbs" and "xpbsmom" and check that an (ugly) window appears displaying various cool informations.

Suggested advisory:
========================

Updated torque packages fix bug 6082 and a security issue (CVE-1234-5678)
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2193

========================

Updated packages in core/updates_testing:
========================
lib(64)torque2-2.5.12-1.mga2
lib(64)torque-devel-2.5.12-1.mga2
torque-2.5.12-1.mga2
torque-client-2.5.12-1.mga2
torque-gui-2.5.12-1
torque-mom-2.5.12-1.mga2
torque-sched-2.5.12-1
torque-server-2.5.12-1

Source RPM: 
torque-2.5.12-1.mga2.src.rpm

Assignee: dirteat => qa-bugs

Samuel Verschelde 2012-08-27 10:58:31 CEST

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 6 David Walser 2012-08-27 15:12:05 CEST
Thanks Chris!

I suggest copying the CVE description from the Debian advisory.

Suggested Advisory:
========================

Updated torque packages fix security vulnerability:

Bartlomiej Balcerek discovered several buffer overflows in TORQUE server,
a PBS-derived batch processing server. This allows an attacker to crash the
service or execute arbitrary code with privileges of the server via crafted
job or host names (CVE-2011-2193).

Additionally, permissions problems that caused pbs_server, pbs_sched, and
pbs_mom to fail to load have been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2193
http://www.debian.org/security/2011/dsa-2329
Comment 7 Dave Hodgins 2012-08-31 03:43:59 CEST
Created attachment 2709 [details]
Screenshot of xpbs on Mageia 2 i586
Comment 8 Dave Hodgins 2012-08-31 03:47:01 CEST
Created attachment 2710 [details]
Screenshot of xpbs on Mageia 2 x86-64

As shown by the attachments, there is something wrong on i586.

The left four characters are cut off, and the menu is missing, when
compared to what is shown on x86-64.

Other than the display problems on i586, all suggested tests are
working on both i586 and x86-64.

As this is a security update, so you want to look into the i586
display problems, or should I go ahead and validate the update?
Comment 9 Dave Hodgins 2012-08-31 03:58:17 CEST
Ignore comment 7 and comment 8.  I've realized it was a difference in
the resolution used within the vb guests.

Validating the update.

Could someone from the sysadmin team push the srpm
torque-2.5.12-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and
link the following rpm packages from Core Release to Core Updates
openssh-server-5.9p1-5.mga2 (Core 32bit Release (distrib31))
openssh-server-5.9p1-5.mga2 (Core Release (distrib1))

Advisory: Updated torque packages fix security vulnerability:

Bartlomiej Balcerek discovered several buffer overflows in TORQUE server,
a PBS-derived batch processing server. This allows an attacker to crash the
service or execute arbitrary code with privileges of the server via crafted
job or host names (CVE-2011-2193).

Additionally, permissions problems that caused pbs_server, pbs_sched, and
pbs_mom to fail to load have been corrected.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2193
http://www.debian.org/security/2011/dsa-2329

https://bugs.mageia.org/show_bug.cgi?id=6082

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Depends on: (none) => 2317
Whiteboard: (none) => MGA2-32-OK MGA2-64-OK

Comment 10 Thomas Backlund 2012-09-04 20:33:40 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0254

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.