[torqueusers] security advisory

John Valdes valdes at anl.gov
Thu Sep 19 11:57:56 MDT 2013


On Thu, Sep 19, 2013 at 01:03:15PM +0200, Ole Holm Nielsen wrote:
> >
> > For 2.5.x versions of TORQUE:
> >
> > ----------------------------
> >
> > 1. Download the patch file:
> >
> >      $ wget
> > http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch
> 
> Question: Will this patch work correctly with Torque 2.3.x?  Has anyone 
> tried and tested this?

We've applied it successfully to torque 2.3.7 and the resulting code
runs fine.  I haven't tested it to verify that it eliminates the
vulnerability (mainly 'cause I don't have an exploit for it), but
comparing the source of 2.3.x w/ 2.5.x, I don't see much difference,
so I assume it eliminates it.  If someone wants to send me a test
case, I would be happy to try it out.

We've also successfully applied the 2.5.x patch to torque 3.0.x.  In
that case, we had to change the three lines of "context" at the bottom
of the 2.5 patch from:

     if (!tfind(svr_conn[sfds].cn_addr, &okclients))
       {
       sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",

to:

 /*    if (!tfind(svr_conn[sfds].cn_addr, &okclients)) */
     if (!AVL_is_in_tree(svr_conn[sfds].cn_addr, 0, okclients))
       {

In both cases, you'll need to use a fuzz factor with the patch command
in order for the patch to apply, or else you'll need to adjust the line
numbers in the patch accordingly.  patch normally allows a fuzz
factor, but if you're building rpms with newer rpmbuild (eg, on
RHEL/CentOS 6.x), the fuzz factor may be disabled.  I re-enable fuzz
for rpmbuild using "%_default_patch_fuzz -1" in my ~/.rpmmacros file.

John

----------------------------------------------------------------------
John Valdes                       Laboratory Computing Resource Center
valdes at anl.gov                             Argonne National Laboratory


More information about the torqueusers mailing list