The HTCondor scheduler can optionally notify a user of completed jobs by sending an email. Due to the way the daemon sent the email message, authenticated users able to submit jobs could execute arbitrary code with the privileges of the condor user.

Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Upstream bug report:
https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=4764

And upstream fix:
https://htcondor-wiki.cs.wisc.edu/index.cgi/chngview?cn=41878
https://github.com/htcondor/htcondor/commit/e891cea9970496aac74caf72604475a2b7e6a0ca.patch
Created attachment 977841
sendmail.patch

This patch also needs a configuration file change to set the SENDMAIL parameter.
Created condor tracking bugs for this issue:

Affects: fedora-all [bug 1181291]
This issue has been addressed in the following products:

MRG for RHEL-5 v. 2

Via RHSA-2015:0036 https://rhn.redhat.com/errata/RHSA-2015-0036.html
This issue has been addressed in the following products:

MRG for RHEL-6 v.2

Via RHSA-2015:0035 https://rhn.redhat.com/errata/RHSA-2015-0035.html
condor-8.3.6-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.