Dear maintainer, I've prepared an NMU for torque (versioned as 2.4.16+dfsg-1.5) and uploaded directly. Hope this is fine with you, as the fix is for 763922 and the freeze is coming nearer. Please find attached the used debdiff.
Regards, Salvatore
diff -Nru torque-2.4.16+dfsg/debian/changelog torque-2.4.16+dfsg/debian/changelog
--- torque-2.4.16+dfsg/debian/changelog 2014-05-21 20:56:41.000000000 +0200
+++ torque-2.4.16+dfsg/debian/changelog 2014-10-26 07:55:56.000000000 +0100
@@ -1,3 +1,18 @@
+torque (2.4.16+dfsg-1.5) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add CVE-2014-3684.patch patch.
+ CVE-2014-3684: Within a TORQUE Resource Manager job, the tm_adopt()
+ TORQUE library call enables a user-built executable calling tm_adopt()
+ to adopt any session id (and its child processes) regardless of the
+ session id owner on any node within a job. When a job that includes the
+ executable calling tm_adopt() exits, the adopted processes are killed
+ along with the job processes during normal job cleanup. This can enable
+ a non-root user to kill processes he doesn't own including root-owned
+ ones on any node in a job. (Closes: #763922)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 25 Oct 2014 13:18:37 +0200
+
 torque (2.4.16+dfsg-1.4) unstable; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch
--- torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch 1970-01-01 01:00:00.000000000 +0100
+++ torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch 2014-10-26 07:55:56.000000000 +0100
@@ -0,0 +1,145 @@
+Description: CVE-2014-3684: non-root users able to kill any process on any node in a job
+ limit tm_adopt() to only adopt a session id that is owned by the
+ calling user.
+ .
+ Within a TORQUE Resource Manager job, the tm_adopt() TORQUE library
+ call enables a user-built executable calling tm_adopt() to adopt any
+ session id (and its child processes) regardless of the session id owner
+ on any node within a job. When a job that includes the executable
+ calling tm_adopt() exits, the adopted processes are killed along with
+ the job processes during normal job cleanup. This can enable a non-root
+ user to kill processes he/she doesn't own including root-owned ones on
+ any node in a job.
+Origin: backport, https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9
+Bug-Debian: https://bugs.debian.org/763922
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1149044
+Forwarded: not-needed
+Author: Chad Vizino <cviz...@adaptivecomputing.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2014-10-21
+
+--- a/src/cmds/pbs_track.c
++++ b/src/cmds/pbs_track.c
+@@ -232,6 +232,12 @@ int main(
+
+ break;
+
++ case TM_EPERM:
++
++ fprintf(stderr, "pbs_track: permission denied: %s (%d)\n",
++ pbse_to_txt(rc),
++ rc);
++
+ default:
+
+ /* Unexpected error occurred */
+--- a/src/include/tm.h
++++ b/src/include/tm.h
+@@ -195,7 +195,7 @@ int tm_register(tm_whattodo_t *what,
+ /*
+ * DJH 15 Nov 2001.
+ * Generic "out-of-band" task adoption call for tasks parented by
+- * another job management system. Minor security hole?
++ * another job management system.
+ * Cannot be called with any other tm call.
+ * 26 Feb 2002.
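Review bot: The new `case TM_EPERM:` in pbs_track.c ends without a `break;`, so after printing the permission-denied message control falls straight into `default:`, whose context comment says it reports an unexpected error — the user would see both messages for a single refused adoption. Add `break;` after `rc);`, or a `/* fallthrough */` comment if reporting both is intended. The `switch` and `main()` continue outside the hunk, so the body of the default branch itself is not visible here.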
Allows id to be jobid (adoptCmd = TM_ADOPT_JOBID)
+ * or some altid (adoptCmd = TM_ADOPT_ALTID)
+--- a/src/include/tm_.h
++++ b/src/include/tm_.h
+@@ -133,6 +133,7 @@ typedef unsigned int tm_task_id;
+ #define TM_EBADENVIRONMENT 17005
+ #define TM_ENOTFOUND 17006
+ #define TM_BADINIT 17007
++#define TM_EPERM 17008
+
+ #define TM_TODO_NOP 5000 /* Do nothing (the nodes value may be new) */
+ #define TM_TODO_CKPT 5001 /* Checkpoint <what> and continue it */
+--- a/src/lib/Libifl/tm.c
++++ b/src/lib/Libifl/tm.c
+@@ -80,10 +80,14 @@
+
+ #include <pbs_config.h> /* the master config generated by configure */
+
++/* define the following so we get prototype for snprintf() */
++#define _ISOC99_SOURCE
++
+ /* define the following so we get prototype for getsid() */
+ #define _XOPEN_SOURCE
+ #define _XOPEN_SOURCE_EXTENDED 1
+
++#include <stdbool.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+@@ -94,6 +98,7 @@
+ #include <errno.h>
+ #include <assert.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <sys/socket.h>
+ #include <sys/time.h>
+ #include <netinet/in.h>
+@@ -173,6 +178,31 @@ static event_info *event_hash[EVENT_HASH
+ static int event_count = 0;
+
+ /*
++ * check if the owner of this process matches the owner of pid
++ * returns TRUE if so, FALSE otherwise
++ */
++bool ispidowner(pid_t pid)
++ {
++ char path[MAXPATHLEN];
++ struct stat sbuf;
++
++ /* build path to pid */
++ snprintf(path, sizeof(path), "/proc/%d", pid);
++
++ /* do the stat */
++ /* if it fails, assume not owner */
++ if (stat(path, &sbuf) != 0)
++ return(FALSE);
++
++ /* see if caller is the owner of pid */
++ if (getuid() != sbuf.st_uid)
++ return(FALSE);
++
++ /* caller is owner */
++ return(TRUE);
++ }
++
++/*
+ ** Find an event number or return a NULL.
+ */
+ static event_info *
+@@ -1648,8 +1678,8 @@ err:
+ * some mpiruns simply use rsh to start remote processes - no AMS
+ * tracking or management facilities are available.
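Review bot: `#define _ISOC99_SOURCE` in the tm.c include block sits after `#include <pbs_config.h>`; feature-test macros only take effect when defined before the first system header is included, so if pbs_config.h pulls in any libc header (not visible here) the new define is a no-op, and the same caveat already applies to the `_XOPEN_SOURCE` defines beneath it. Move the define above the pbs_config.h include, or document the constraint with `/* NOTE: feature macros must precede every system header, including any pulled in by pbs_config.h */`. On glibc, defining `_XOPEN_SOURCE` to 600 or higher would also expose `snprintf()` without a separate `_ISOC99_SOURCE`.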
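Review bot: `ispidowner()` treats any `stat()` failure on `/proc/<pid>` as "not owner", which is the safe default but makes tm_adopt() return TM_EPERM for every caller wherever a Linux-style procfs is not mounted; the series also carries fix-FTBFS-on-kfreebsd.patch, so that port presumably hits this, and the dependency deserves a comment such as `/* requires a Linux-style procfs; without it every adoption is refused */`. Nothing in this patch references the function outside tm.c, so it should be `static bool ispidowner(pid_t pid)` rather than exported, and it mixes the new `bool` return type with the project's `TRUE`/`FALSE` macros. The test compares the real uid from `getuid()` with `st_uid`, so a caller whose effective uid differs may still adopt only sessions owned by its real uid; that is a defensible policy but should be stated in the header comment, and the `%d` conversion assumes `pid_t` is an `int` (`(int)pid` would make that explicit).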
+ *
+- * This function allows any task (session) to be adopted into a PBS
+- * job. It is used by:
++ * This function allows any task (session) owned by the owner
++ * of the job to be adopted into a PBS job. It is used by:
+ * - "adopter" (which is in turn used by our pvmrun)
+ * - our rmsloader wrapper (a home-brew replacement for RMS'
+ * rmsloader that does some work and then exec()s the real
+@@ -1683,7 +1713,8 @@ err:
+ * the mom. Returns TM_ENOTFOUND if the mom couldn't find a job
+ * with the given RMS resource id. Returns TM_ESYSTEM or
+ * TM_ENOTCONNECTED if there was some sort of comms error talking
+- * to the mom
++ * to the mom. Returns TM_EPERM if an attempt was made to adopt
++ * a session not owned by the owner of the job.
+ *
+ * Side effects:
+ * Sets the tm_* globals to fake values if tm_init() has never
+@@ -1701,6 +1732,10 @@ int tm_adopt(char *id, int adoptCmd, pid
+
+ sid = getsid(pid);
+
++ /* do not adopt a sid not owned by caller */
++ if (!ispidowner(sid))
++ return(TM_EPERM);
++
+ /* Must be the only call to call to tm and
+ must only be called once */
+
diff -Nru torque-2.4.16+dfsg/debian/patches/series torque-2.4.16+dfsg/debian/patches/series
--- torque-2.4.16+dfsg/debian/patches/series 2014-05-21 20:56:41.000000000 +0200
+++ torque-2.4.16+dfsg/debian/patches/series 2014-10-26 07:55:56.000000000 +0100
@@ -8,3 +8,4 @@
 fix-FTBFS-on-kfreebsd.patch
 CVE-2013-4495.patch
 CVE-2014-0749.patch
+CVE-2014-3684.patch
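Review bot: The ownership check in `tm_adopt()` lives in the client library (Libifl/tm.c), i.e. in the calling user's own process; unless pbs_mom independently verifies the session owner when it services the adopt request — nothing in this debdiff touches the mom side — the check constrains only callers that go through this library, so the mom-side verification is what actually closes CVE-2014-3684 and the hunk should say so: `/* client-side check only; pbs_mom must enforce session ownership as the real security boundary */`. Also `getsid(pid)` returns -1 on failure, in which case `ispidowner(-1)` stats `/proc/-1`, fails, and a lookup error is reported as TM_EPERM instead of the TM_ESYSTEM/TM_ENOTFOUND codes the function's comment documents; a guard such as `if (sid == (pid_t)-1) return(TM_ESYSTEM);` before the ownership test keeps the error codes meaningful. tm_adopt() continues outside the hunk, so whether a later check already handles a failed getsid() is not visible here.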