diff -Nru torque-2.4.16+dfsg/debian/changelog torque-2.4.16+dfsg/debian/changelog
--- torque-2.4.16+dfsg/debian/changelog 2013-12-17 11:28:25.000000000 +0000
+++ torque-2.4.16+dfsg/debian/changelog 2019-02-04 14:42:58.000000000 +0000
@@ -1,3 +1,18 @@
+torque (2.4.16+dfsg-1.3ubuntu1.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Buffer overflow vulnerability allows remote attackers
+ to execute arbitrary code via a large count value.
+ - debian/patches/CVE-2014-0749.patch: Fix stack-based buffer overflow in
+ disrsi_.c
+ - CVE-2014-0749
+ * SECURITY UPDATE: Lack of validation on process owner allows remote
+ authenticated users to kill arbitrary processes via a crafted executable.
+ - debian/patches/CVE-2014-3684.patch: Limit tm_adopt to only adopt a session
+ id that is owned by the calling user.
+ - CVE-2014-3684
+
+ -- Eduardo Barretto Mon, 04 Feb 2019 12:00:09 -0200
+
 torque (2.4.16+dfsg-1.3ubuntu1) trusty; urgency=medium
 * Merge from debian. Remaining changes:
diff -Nru torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch
--- torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch 1970-01-01 00:00:00.000000000 +0000
+++ torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch 2019-02-04 13:58:40.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Fix stack-based buffer overflow in disrsi_.c
+ CVE-2014-0749: The file disrsi_.c fails to ensure that the length of
+ count (which is read from the request packet) is less than dis_umaxd
+ prior to being used in a later memcpy(). As a result a specially
+ crafted request can smuggle through a count value which is later
+ decremented and becomes the ct value in a memcpy() made from within
+ tcp_gets():
+ .
+ memcpy((char *)str, tp->tdis_leadp, ct);
+ .
+ This failure to validate count allows control over the size of the
+ memcpy() to be leveraged and as a result control over the amount of
+ data read from the remainder of the packet. If this value is large the
+ memcpy() will overwrite the stack and so can be leveraged in order to
+ gain control over the execution of the program.
+Origin: upstream, https://github.com/adaptivecomputing/torque/commit/3ed749263abe3d69fa3626d142a5789dcb5a5684
+Bug: https://github.com/adaptivecomputing/torque/pull/171
+Bug-Debian: https://bugs.debian.org/748827
+Forwarded: not-needed
+Author: David Beer
+Last-Update: 2014-05-21
+
+--- a/src/lib/Libdis/disrsi_.c
++++ b/src/lib/Libdis/disrsi_.c
+@@ -112,6 +112,15 @@ int disrsi_(
+ if (dis_umaxd == 0)
+ disiui_();
+
++ if (count >= dis_umaxd)
++ {
++ if (count > dis_umaxd)
++ goto overflow;
++
++ if (memcmp(scratch, dis_umax, dis_umaxd) > 0)
++ goto overflow;
++ }
++
+ switch (c = (*dis_getc)(stream))
+ {
+
diff -Nru torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch
--- torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch 1970-01-01 00:00:00.000000000 +0000
+++ torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch 2019-02-04 13:58:50.000000000 +0000
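Review bot: The added `memcmp(scratch, dis_umax, dis_umaxd)` runs before the `switch (c = (*dis_getc)(stream))` below has consumed a single byte of the number, so nothing in this call has written to `scratch` yet; if `scratch` is the function's local digit buffer (its declaration is above the hunk) the comparison reads uninitialized stack memory, which is undefined behaviour and can spuriously take the `overflow` path for a legitimate value of exactly `dis_umaxd` digits. Only the length bound is needed at this point to keep the later read inside the buffer; a digit-string comparison against `dis_umax` is meaningful only once the digits are actually in `scratch`, i.e. in the branch that reads them (outside the hunk). I would cut the insert down to `if (count > dis_umaxd) goto overflow;` and keep or add the memcmp after the read. Whether `dis_umaxd` is itself guaranteed to be no larger than `sizeof(scratch)` is not visible here and should be confirmed, since that is what makes the length check sufficient against the stack overflow the Description describes. disrsi_'s signature, the declaration of `scratch`, and the `overflow:` label all lie outside the hunk.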
@@ -0,0 +1,145 @@
+Description: CVE-2014-3684: non-root users able to kill any process on any node in a job
+ limit tm_adopt() to only adopt a session id that is owned by the
+ calling user.
+ .
+ Within a TORQUE Resource Manager job, the tm_adopt() TORQUE library
+ call enables a user-built executable calling tm_adopt() to adopt any
+ session id (and its child processes) regardless of the session id owner
+ on any node within a job. When a job that includes the executable
+ calling tm_adopt() exits, the adopted processes are killed along with
+ the job processes during normal job cleanup. This can enable a non-root
+ user to kill processes he/she doesn't own including root-owned ones on
+ any node in a job.
+Origin: backport, https://github.com/adaptivecomputing/torque/commit/f2f4c950f3d461a249111c8826da3beaafccace9
+Bug-Debian: https://bugs.debian.org/763922
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1149044
+Forwarded: not-needed
+Author: Chad Vizino
+Reviewed-by: Salvatore Bonaccorso
+Last-Update: 2014-10-21
+
+--- a/src/cmds/pbs_track.c
++++ b/src/cmds/pbs_track.c
+@@ -232,6 +232,12 @@ int main(
+
+ break;
+
++ case TM_EPERM:
++
++ fprintf(stderr, "pbs_track: permission denied: %s (%d)\n",
++ pbse_to_txt(rc),
++ rc);
++
+ default:
+
+ /* Unexpected error occurred */
+--- a/src/include/tm.h
++++ b/src/include/tm.h
+@@ -195,7 +195,7 @@ int tm_register(tm_whattodo_t *what,
+ /*
+ * DJH 15 Nov 2001.
+ * Generic "out-of-band" task adoption call for tasks parented by
+- * another job management system. Minor security hole?
++ * another job management system.
+ * Cannot be called with any other tm call.
+ * 26 Feb 2002. Allows id to be jobid (adoptCmd = TM_ADOPT_JOBID)
+ * or some altid (adoptCmd = TM_ADOPT_ALTID)
+--- a/src/include/tm_.h
++++ b/src/include/tm_.h
+@@ -133,6 +133,7 @@ typedef unsigned int tm_task_id;
+ #define TM_EBADENVIRONMENT 17005
+ #define TM_ENOTFOUND 17006
+ #define TM_BADINIT 17007
++#define TM_EPERM 17008
+
+ #define TM_TODO_NOP 5000 /* Do nothing (the nodes value may be new) */
+ #define TM_TODO_CKPT 5001 /* Checkpoint and continue it */
+--- a/src/lib/Libifl/tm.c
++++ b/src/lib/Libifl/tm.c
+@@ -80,10 +80,14 @@
+
+ #include /* the master config generated by configure */
+
++/* define the following so we get prototype for snprintf() */
++#define _ISOC99_SOURCE
++
+ /* define the following so we get prototype for getsid() */
+ #define _XOPEN_SOURCE
+ #define _XOPEN_SOURCE_EXTENDED 1
+
++#include
+ #include
+ #include
+ #include
+@@ -94,6 +98,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -173,6 +178,31 @@ static event_info *event_hash[EVENT_HASH
+ static int event_count = 0;
+
+ /*
++ * check if the owner of this process matches the owner of pid
++ * returns TRUE if so, FALSE otherwise
++ */
++bool ispidowner(pid_t pid)
++ {
++ char path[MAXPATHLEN];
++ struct stat sbuf;
++
++ /* build path to pid */
++ snprintf(path, sizeof(path), "/proc/%d", pid);
++
++ /* do the stat */
++ /* if it fails, assume not owner */
++ if (stat(path, &sbuf) != 0)
++ return(FALSE);
++
++ /* see if caller is the owner of pid */
++ if (getuid() != sbuf.st_uid)
++ return(FALSE);
++
++ /* caller is owner */
++ return(TRUE);
++ }
++
++/*
+ ** Find an event number or return a NULL.
+ */
+ static event_info *
+@@ -1648,8 +1678,8 @@ err:
+ * some mpiruns simply use rsh to start remote processes - no AMS
+ * tracking or management facilities are available.
+ *
+- * This function allows any task (session) to be adopted into a PBS
+- * job. It is used by:
++ * This function allows any task (session) owned by the owner
++ * of the job to be adopted into a PBS job. It is used by:
+ * - "adopter" (which is in turn used by our pvmrun)
+ * - our rmsloader wrapper (a home-brew replacement for RMS'
+ * rmsloader that does some work and then exec()s the real
+@@ -1683,7 +1713,8 @@ err:
+ * the mom. Returns TM_ENOTFOUND if the mom couldn't find a job
+ * with the given RMS resource id. Returns TM_ESYSTEM or
+ * TM_ENOTCONNECTED if there was some sort of comms error talking
+- * to the mom
++ * to the mom. Returns TM_EPERM if an attempt was made to adopt
++ * a session not owned by the owner of the job.
+ *
+ * Side effects:
+ * Sets the tm_* globals to fake values if tm_init() has never
+@@ -1701,6 +1732,10 @@ int tm_adopt(char *id, int adoptCmd, pid
+
+ sid = getsid(pid);
+
++ /* do not adopt a sid not owned by caller */
++ if (!ispidowner(sid))
++ return(TM_EPERM);
++
+ /* Must be the only call to call to tm and
++ must only be called once */
+
diff -Nru torque-2.4.16+dfsg/debian/patches/series torque-2.4.16+dfsg/debian/patches/series
--- torque-2.4.16+dfsg/debian/patches/series 2013-12-17 11:24:14.000000000 +0000
+++ torque-2.4.16+dfsg/debian/patches/series 2019-02-04 13:58:50.000000000 +0000
@@ -7,3 +7,5 @@
 CVE-2013-4319.patch
 fix-FTBFS-on-kfreebsd.patch
 CVE-2013-4495.patch
+CVE-2014-0749.patch
+CVE-2014-3684.patch
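Review bot: The new ownership check is enforced only in the client library — `ispidowner(sid)` is called from `tm_adopt()` in src/lib/Libifl/tm.c, i.e. inside the same "user-built executable" the Description identifies as the attacker — so a caller who links a patched copy of the library, skips the `if (!ispidowner(sid))` line, or speaks the adopt protocol to the mom directly is not stopped; unless pbs_mom independently verifies that the session it is asked to adopt belongs to the job owner (no mom-side change is in this patch), this closes the hole only for cooperative callers. The mom should repeat the same /proc/<sid> uid comparison against the job's owner before honouring the adopt request, since that server-side check is the one that actually enforces the fix. Two smaller defects in the same hunk: the added `case TM_EPERM:` in pbs_track.c has no `break;` before `default:`, so a permission error prints the new message and then falls through into the 'Unexpected error' branch — add `break;` after the fprintf; and `ispidowner` formats a `pid_t` with `%d`, which is only portable as `snprintf(path, sizeof(path), "/proc/%ld", (long)pid);`. When `getsid(pid)` fails it returns -1, so the stat of `/proc/-1` fails and the caller now gets TM_EPERM rather than a lookup error — acceptable, but worth a comment on the `return(TM_EPERM)` line. The enclosing `tm_adopt()` body and the `main()` switch in pbs_track.c both start and end outside the hunk.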