Upstream released a TORQUE security advisory [1] that indicated that a non-privileged user who was able to run jobs or login to a node which ran pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root. All versions of TORQUE are affected. The advisory also notes the following mitigating factors: - The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs. - If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job. A patch for 2.5 is available [2], as well as 4.x [3]. Fedora ships with TORQUE 3.x, so will need to backport (or forwardport) one of these patches. [1] http://www.supercluster.org/pipermail/torqueusers/2013-September/016098.html [2] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch [3] http://www.adaptivecomputing.com/torquepatch/fix_mom_priv.patch A CVE request has been made: http://www.openwall.com/lists/oss-security/2013/09/09/4
Created torque tracking bugs for this issue: Affects: fedora-all [bug 1005919] Affects: epel-all [bug 1005920]
CVE-2013-4319 was assigned: http://www.openwall.com/lists/oss-security/2013/09/09/11
The Torque package in EPEL is no longer maintained, as far as I am aware. I recommend that it be withdrawn.
torque-3.0.4-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
torque-3.0.4-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.