[torqueusers] security advisory

Dimitrakakis Georgios giwrgis at chemistry.uoc.gr
Thu Sep 19 12:02:05 MDT 2013


I am also interested in a test case to evaluate the patch on v.2.3.7.

Best,

G.


> On Thu, Sep 19, 2013 at 01:03:15PM +0200, Ole Holm Nielsen wrote:
>> >
>> > For 2.5.x versions of TORQUE:
>> >
>> > ----------------------------
>> >
>> > 1. Download the patch file:
>> >
>> >      $ wget http://www.adaptivecomputing.com/torquepatch/fix_mom_priv_2.5.patch
>>
>> Question: Will this patch work correctly with Torque 2.3.x?  Has anyone
>> tried and tested this?
>
> We've applied it successfully to torque 2.3.7 and the resulting code
> runs fine.  I haven't tested it to verify that it eliminates the
> vulnerability (mainly 'cause I don't have an exploit for it), but
> comparing the source of 2.3.x w/ 2.5.x, I don't see much difference,
> so I assume it eliminates it.  If someone wants to send me a test
> case, I would be happy to try it out.
>
> We've also successfully applied the 2.5.x patch to torque 3.0.x.  In
> that case, we had to change the three lines of "context" at the bottom
> of the 2.5 patch from:
>
>      if (!tfind(svr_conn[sfds].cn_addr, &okclients))
>        {
>        sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
>
> to:
>
>  /*    if (!tfind(svr_conn[sfds].cn_addr, &okclients)) */
>      if (!AVL_is_in_tree(svr_conn[sfds].cn_addr, 0, okclients))
>        {
>
> In both cases, you'll need to use a fuzz factor with the patch command
> in order for the patch to apply, or else you'll need to adjust the line
> numbers in the patch accordingly.  patch normally allows a fuzz
> factor, but if you're building rpms with newer rpmbuild (e.g., on
> RHEL/CentOS 6.x), the fuzz factor may be disabled.  I re-enable fuzz
> for rpmbuild using "%_default_patch_fuzz -1" in my ~/.rpmmacros file.
>
> John
>
> ----------------------------------------------------------------------
> John Valdes                       Laboratory Computing Resource Center
> valdes at anl.gov                             Argonne National Laboratory
> _______________________________________________
> torqueusers mailing list
> torqueusers at supercluster.org
> http://www.supercluster.org/mailman/listinfo/torqueusers
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
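
The fuzz behaviour described in the quoted message, as an added example that is not part of the original thread: a shell sketch that dry-runs a patch at increasing fuzz factors and reports the smallest one at which it applies. The file `demo.c`, the patch contents and the function names `min_fuzz` and `make_demo` are constructed for illustration, and GNU patch is assumed.

```shell
#!/bin/sh
# Added example (constructed data): find the smallest patch(1) fuzz factor at
# which a diff applies, using --dry-run so the source tree is never modified.

# min_fuzz DIR PATCHFILE [MAX] -> prints the fuzz factor found, or "none"
min_fuzz() {
    f=0
    while [ "$f" -le "${3:-3}" ]; do
        if patch --dry-run -s -f -p0 -F "$f" -d "$1" < "$2" >/dev/null 2>&1; then
            echo "$f"; return 0
        fi
        f=$((f + 1))
    done
    echo none; return 1
}

# make_demo DIR -> writes a constructed source file and a patch whose last
# context line comes from a slightly different release of that file.
make_demo() {
    cat > "$1/demo.c" <<'EOF'
int check(int fd)
  {
  int rc;
  rc = old_check(fd);
  if (!is_ok(fd))
    {
    log_reject(fd);
    }
  return rc;
  }
EOF
    cat > "$1/fix.patch" <<'EOF'
--- demo.c
+++ demo.c
@@ -1,7 +1,7 @@
 int check(int fd)
   {
   int rc;
-  rc = old_check(fd);
+  rc = new_check(fd);
   if (!is_ok(fd))
     {
     log_err(fd);
EOF
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
echo "minimum fuzz needed: $(min_fuzz "$demo_dir" "$demo_dir/fix.patch")"
```

A result of 1 or 2 means plain `patch` applies the diff within its default fuzz limit of 2, while a build that runs patch with fuzz disabled rejects the same diff, which is the case the `%_default_patch_fuzz` setting addresses.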

