tags 722306 + pending
thanks

Dear maintainer,
I've prepared an NMU for torque (versioned as 2.4.16+dfsg-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru torque-2.4.16+dfsg/debian/changelog torque-2.4.16+dfsg/debian/changelog --- torque-2.4.16+dfsg/debian/changelog 2011-08-02 02:13:18.000000000 +0200 +++ torque-2.4.16+dfsg/debian/changelog 2013-10-08 19:30:37.000000000 +0200 @@ -1,3 +1,13 @@ +torque (2.4.16+dfsg-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Add CVE-2013-4319.patch. + CVE-2013-4319: remote arbitrary command execution as root on cluster + by a non-priviledged user who is able to run jobs or login to a node + which runs pbs_server or pbs_mon. (Closes: #722306) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 07 Oct 2013 07:09:57 +0200 + torque (2.4.16+dfsg-1) unstable; urgency=low * New upstream release diff -Nru torque-2.4.16+dfsg/debian/patches/CVE-2013-4319.patch torque-2.4.16+dfsg/debian/patches/CVE-2013-4319.patch --- torque-2.4.16+dfsg/debian/patches/CVE-2013-4319.patch 1970-01-01 01:00:00.000000000 +0100 +++ torque-2.4.16+dfsg/debian/patches/CVE-2013-4319.patch 2013-10-08 19:30:37.000000000 +0200 
@@ -0,0 +1,41 @@ +Description: CVE-2013-4319: remote arbitrary command execution as root on cluster + CVE-2013-4319: A non-priviledged user who was able to run jobs or login + to a node which ran pbs_server or pbs_mom, could submit arbitrary jobs + to a pbs_mom daemon to queue and run the job, which would run as root. + . + - The user must be logged in on a node that is already legitimately + able to contact pbs_mom daemons or submit jobs. + . + - If a user submits a job via this defect and pbs_server is running, + pbs_server will kill the job unless job syncing is disabled. It may + take up to 45 seconds for pbs_server to kill the job. +Origin: upstream, http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch +Bug-Debian: http://bugs.debian.org/722306 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-10-07 + +--- a/src/server/process_request.c ++++ b/src/server/process_request.c +@@ -640,6 +640,21 @@ + log_buffer); + } + ++ if (svr_conn[sfds].cn_authen != PBS_NET_CONN_FROM_PRIVIL) ++ { ++ sprintf(log_buffer, "request type %s from host %s rejected (connection not privileged)", ++ reqtype_to_txt(request->rq_type), ++ request->rq_host); ++ ++ log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, id, log_buffer); ++ ++ req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized"); ++ ++ close_client(sfds); ++ ++ return; ++ } ++ + if (!tfind(svr_conn[sfds].cn_addr, &okclients)) + { + sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)", diff -Nru torque-2.4.16+dfsg/debian/patches/series torque-2.4.16+dfsg/debian/patches/series --- torque-2.4.16+dfsg/debian/patches/series 2011-05-13 05:54:16.000000000 +0200 +++ torque-2.4.16+dfsg/debian/patches/series 2013-10-08 19:30:37.000000000 +0200 @@ -4,3 +4,4 @@ c90string.patch xpbs_xpbsmon_tclIndex.patch tcl85.patch +CVE-2013-4319.patch
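Review bot: the changelog entry misspells "privileged" as "priviledged" and names the daemon "pbs_mon", whereas the patch's own Description says "pbs_mom" (the daemon the hunk concerns); `+ by a non-priviledged user who is able to run jobs or login to a node` / `+ which runs pbs_server or pbs_mon.` should read "non-privileged" and "pbs_server or pbs_mom" so the changelog, the DEP-3 Description (which repeats "non-priviledged") and the CVE wording agree.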
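Review bot: the DEP-3 header combines `Origin: upstream, http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch` with `Author: Salvatore Bonaccorso` and `Forwarded: not-needed`; if the hunk is upstream's 2.5 patch applied unchanged to 2.4.16, Author should name the upstream author (or be omitted), and if it was rebased or adapted for 2.4, the Description should say that, since as written a reader cannot tell whether this is upstream's text or a backport.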
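Review bot: the Description says an unprivileged user submits jobs directly to a pbs_mom daemon, yet the only file touched is src/server/process_request.c; the surrounding `if (!tfind(svr_conn[sfds].cn_addr, &okclients))` block suggests this is the request path pbs_mom compiles in, but nothing in the patch says so, and a sentence in the Description stating which daemon(s) build this file would save the next reviewer from assuming only pbs_server is fixed. A smaller point: the new check rejects with `req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");`, the same error and reply text a client sees for an unlisted host, so only the log line (`connection not privileged` vs `host not authorized`) distinguishes the two failures; if a more specific PBSE code exists in 2.4.16 it would make client-side diagnosis easier, otherwise the distinct log text should at least be kept as is.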