Red Hat Bugzilla – Bug 1005918
CVE-2013-4319 torque: remote arbitrary command execution as root on cluster
Last modified: 2015-07-31 03:10:17 EDT
Upstream released a TORQUE security advisory that indicated that a non-privileged user, who was able to run jobs or log in to a node which ran pbs_server or pbs_mom, could submit arbitrary jobs to a pbs_mom daemon to queue and run the job, which would run as root. All versions of TORQUE are affected.
The advisory also notes the following mitigating factors:
- The user must be logged in on a node that is already legitimately able to contact pbs_mom daemons or submit jobs.
- If a user submits a job via this defect and pbs_server is running, pbs_server will kill the job unless job syncing is disabled. It may take up to 45 seconds for pbs_server to kill the job.
A patch for 2.5 is available, as well as for 4.x. Fedora ships with TORQUE 3.x, so it will need to backport (or forwardport) one of these patches.
A CVE request has been made:
Created torque tracking bugs for this issue:
Affects: fedora-all [bug 1005919]
Affects: epel-all [bug 1005920]
CVE-2013-4319 was assigned:
The Torque package in EPEL is no longer maintained, as far as I am aware. I recommend that it be withdrawn.
torque-3.0.4-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
torque-3.0.4-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.