authorJustin Bronder <jsbronder@gentoo.org>2013-12-23 18:01:35 +0000
committerJustin Bronder <jsbronder@gentoo.org>2013-12-23 18:01:35 +0000
commit3ab9a97770d485e1fa0f972bf51da001e70ee178 (patch)
treeb8423fdafd2fba935f320974eacaf6a0751c57dc
parentStable for HPPA (bug #475480). (diff)
Add patches for CVE-2013-4319 (#484320).
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 4D7043C9)
-rw-r--r--sys-cluster/torque/ChangeLog13
-rw-r--r--sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch40
-rw-r--r--sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch38
-rw-r--r--sys-cluster/torque/torque-2.4.16-r1.ebuild257
-rw-r--r--sys-cluster/torque/torque-2.4.16.ebuild3
-rw-r--r--sys-cluster/torque/torque-2.5.12-r1.ebuild (renamed from sys-cluster/torque/torque-2.5.12.ebuild)4
-rw-r--r--sys-cluster/torque/torque-4.1.5.1-r1.ebuild (renamed from sys-cluster/torque/torque-4.1.5.1.ebuild)5
7 files changed, 355 insertions, 5 deletions
diff --git a/sys-cluster/torque/ChangeLog b/sys-cluster/torque/ChangeLog
index 91c59eae77ab..e1a703fc12d9 100644
--- a/sys-cluster/torque/ChangeLog
+++ b/sys-cluster/torque/ChangeLog
@@ -1,6 +1,17 @@
# ChangeLog for sys-cluster/torque
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/ChangeLog,v 1.156 2013/12/23 17:35:39 jsbronder Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/ChangeLog,v 1.157 2013/12/23 18:01:35 jsbronder Exp $
+
+*torque-4.1.5.1-r1 (23 Dec 2013)
+*torque-2.5.12-r1 (23 Dec 2013)
+*torque-2.4.16-r1 (23 Dec 2013)
+
+ 23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> torque-2.4.16.ebuild,
+ +torque-2.4.16-r1.ebuild, -torque-2.5.12.ebuild, +torque-2.5.12-r1.ebuild,
+ -torque-4.1.5.1.ebuild, +torque-4.1.5.1-r1.ebuild,
+ +files/CVE-2013-4319-2.x-root-submit-fix.patch,
+ +files/CVE-2013-4319-4.x-root-submit-fix.patch:
+ Add patches for CVE-2013-4319 (#484320).
23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> -torque-2.3.13.ebuild,
-torque-3.0.6-r1.ebuild:
diff --git a/sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch b/sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch
new file mode 100644
index 000000000000..aa53239f157c
--- /dev/null
+++ b/sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch
@@ -0,0 +1,40 @@
+From 5dee0365a56dd2cc4cfd0b182bc843b4f32c086c Mon Sep 17 00:00:00 2001
+From: Justin Bronder <jsbronder@gmail.com>
+Date: Mon, 23 Dec 2013 12:40:27 -0500
+Subject: [PATCH] CVE-2013-4319: 2.x root submit fix
+
+https://bugs.gentoo.org/show_bug.cgi?id=484320
+http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319\
+---
+ src/server/process_request.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/server/process_request.c b/src/server/process_request.c
+index d4a3c92..b06a333 100644
+--- a/src/server/process_request.c
++++ b/src/server/process_request.c
+@@ -640,6 +640,21 @@ void process_request(
+ log_buffer);
+ }
+
++ if (svr_conn[sfds].cn_authen != PBS_NET_CONN_FROM_PRIVIL)
++ {
++ sprintf(log_buffer, "request type %s from host %s rejected (connection not privileged)",
++ reqtype_to_txt(request->rq_type),
++ request->rq_host);
++
++ log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, id, log_buffer);
++
++ req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");
++
++ close_client(sfds);
++
++ return;
++ }
++
+ if (!tfind(svr_conn[sfds].cn_addr, &okclients))
+ {
+ sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
+--
+1.8.3.2
+
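Review bot: The new `cn_authen != PBS_NET_CONN_FROM_PRIVIL` check is unconditional within the hunk, but whether it only compiles into pbs_mom depends on a preprocessor conditional that is outside the hunk; the surrounding `tfind(..., &okclients)` test is the mom-side host check, so it is presumably inside `#ifdef PBS_MOM`, but that should be confirmed against the 2.4.16 and 2.5.12 sources, because on the server side user clients connect from unprivileged ports and are marked authenticated by pbs_iff, and an unconditional privileged-port requirement there would reject every qsub. The rejection log line is built with `sprintf` into `log_buffer`; since `request->rq_host` originates from the peer, a bounded `snprintf(log_buffer, sizeof(log_buffer), ...)` (assuming `log_buffer` is declared as an array, as elsewhere in the tree) is the safer form, and the same applies to the identical line in the 4.x patch below. The header of this patch file carries a stray trailing backslash after the NVD URL, which the 4.x patch header does not have. `process_request` starts and ends outside the hunk.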
diff --git a/sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch b/sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch
new file mode 100644
index 000000000000..3614e42721de
--- /dev/null
+++ b/sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch
@@ -0,0 +1,38 @@
+From 6424696d7b160c8a9ad806c4a6b0f77f0d359962 Mon Sep 17 00:00:00 2001
+From: Justin Bronder <jsbronder@gmail.com>
+Date: Mon, 23 Dec 2013 12:48:22 -0500
+Subject: [PATCH] CVE-2013-4319: 4.x root submit fix
+
+https://bugs.gentoo.org/show_bug.cgi?id=484320
+http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319
+---
+ src/resmom/mom_process_request.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/resmom/mom_process_request.c b/src/resmom/mom_process_request.c
+index 049f63f..813833f 100644
+--- a/src/resmom/mom_process_request.c
++++ b/src/resmom/mom_process_request.c
+@@ -238,6 +238,19 @@ void *mom_process_request(
+ log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer);
+ }
+
++ if (svr_conn[chan->sock].cn_authen != PBS_NET_CONN_FROM_PRIVIL)
++ {
++ sprintf(log_buffer, "request type %s from host %s rejected (connection not privileged)",
++ reqtype_to_txt(request->rq_type),
++ request->rq_host);
++
++ log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer);
++ req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized");
++ mom_close_client(chan->sock);
++ DIS_tcp_cleanup(chan);
++ return NULL;
++ }
++
+ if (!AVL_is_in_tree_no_port_compare(svr_conn[chan->sock].cn_addr, 0, okclients))
+ {
+ sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)",
+--
+1.8.3.2
+
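Review bot: The rejection of an unprivileged connection is logged under `PBSEVENT_JOB`/`PBS_EVENTCLASS_JOB`, the same event class as the neighbouring "host not authorized" path, so an operator cannot separate authentication failures from job noise; if the tree's log.h defines `PBSEVENT_SECURITY` as in OpenPBS, logging this line as `log_record(PBSEVENT_SECURITY, PBS_EVENTCLASS_JOB, __func__, log_buffer);` makes these events filterable for detection. Because `request->rq_type` and `request->rq_host` are already available here, the request has been fully decoded from the socket before the privilege check runs; if the earlier part of `mom_process_request` permits it, testing `svr_conn[chan->sock].cn_authen` before the DIS decode would keep unauthenticated input out of the decoder. `mom_process_request` starts and ends outside the hunk.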
diff --git a/sys-cluster/torque/torque-2.4.16-r1.ebuild b/sys-cluster/torque/torque-2.4.16-r1.ebuild
new file mode 100644
index 000000000000..5caa85c2c44e
--- /dev/null
+++ b/sys-cluster/torque/torque-2.4.16-r1.ebuild
@@ -0,0 +1,257 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.4.16-r1.ebuild,v 1.1 2013/12/23 18:01:35 jsbronder Exp $
+
+EAPI=2
+WANT_AUTOMAKE="1.12"
+inherit flag-o-matic eutils linux-info autotools
+
+DESCRIPTION="Resource manager and queuing system based on OpenPBS"
+HOMEPAGE="http://www.adaptivecomputing.com/products/open-source/torque"
+SRC_URI="http://www.adaptivecomputing.com/resources/downloads/${PN}/${P}.tar.gz"
+
+LICENSE="openpbs"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="tk +crypt drmaa server +syslog doc cpusets kernel_linux"
+
+# ed is used by makedepend-sh
+DEPEND_COMMON="sys-libs/ncurses
+ sys-libs/readline
+ tk? ( dev-lang/tk )
+ syslog? ( virtual/logger )
+ !games-util/qstat"
+
+DEPEND="${DEPEND_COMMON}
+ doc? ( drmaa? (
+ || ( <app-doc/doxygen-1.7.6.1[latex,-nodot] >=app-doc/doxygen-1.7.6.1[latex,dot] )
+ ) )
+ sys-apps/ed"
+
+RDEPEND="${DEPEND_COMMON}
+ crypt? ( net-misc/openssh )
+ !crypt? ( net-misc/netkit-rsh )"
+
+pkg_setup() {
+ PBS_SERVER_HOME="${PBS_SERVER_HOME:-/var/spool/torque}"
+
+ # Find a Torque server to use. Check environment, then
+ # current setup (if any), and fall back on current hostname.
+ if [ -z "${PBS_SERVER_NAME}" ]; then
+ if [ -f "${ROOT}${PBS_SERVER_HOME}/server_name" ]; then
+ PBS_SERVER_NAME="$(<${ROOT}${PBS_SERVER_HOME}/server_name)"
+ else
+ PBS_SERVER_NAME=$(hostname -f)
+ fi
+ fi
+
+ USE_CPUSETS="--disable-cpuset"
+ if use cpusets; then
+ if ! use kernel_linux; then
+ einfo
+ elog " Torque currently only has support for cpusets in linux."
+ elog "Assuming you didn't really want this USE flag."
+ einfo
+ else
+ linux-info_pkg_setup
+ einfo
+ elog " Torque support for cpusets is still in development, you may"
+ elog "wish to disable it for production use."
+ einfo
+ if ! linux_config_exists || ! linux_chkconfig_present CPUSETS; then
+ einfo
+ elog " Torque support for cpusets will require that you recompile"
+ elog "your kernel with CONFIG_CPUSETS enabled."
+ einfo
+ fi
+ USE_CPUSETS="--enable-cpuset"
+ fi
+ fi
+}
+
+src_prepare() {
+ # Unused and causes breakage when switching from glibc to tirpc.
+ # https://github.com/adaptivecomputing/torque/pull/148
+ sed -i '/rpc\/rpc\.h/d' src/lib/Libnet/net_client.c || die
+
+ epatch "${FILESDIR}"/0002-fix-implicit-declaration-warnings.patch
+ epatch "${FILESDIR}"/disable-automagic-doc-building-2.4.14.patch
+ epatch "${FILESDIR}"/CVE-2013-4319-2.x-root-submit-fix.patch
+
+ sed -i \
+ -e 's,\(COMPACT_LATEX *=\).*,\1 NO,' \
+ -e 's,\(GENERATE_MAN *=\).*,\1 NO,' \
+ src/drmaa/Doxyfile.in || die
+ sed -i \
+ -e '/INSTALL_DATA/d' \
+ src/drmaa/Makefile.am || die
+ eautoreconf
+}
+
+src_configure() {
+ local myconf="--with-rcp=mom_rcp"
+
+ use crypt && myconf="--with-rcp=scp"
+
+ if use drmaa && use doc; then
+ myconf="${myconf} --enable-apidocs"
+ else
+ myconf="${myconf} --disable-apidocs"
+ fi
+
+ econf \
+ $(use_enable tk gui) \
+ $(use_enable syslog) \
+ $(use_enable server) \
+ $(use_enable drmaa) \
+ --with-server-home=${PBS_SERVER_HOME} \
+ --with-environ=/etc/pbs_environment \
+ --with-default-server=${PBS_SERVER_NAME} \
+ --disable-gcc-warnings \
+ ${USE_CPUSETS} \
+ ${myconf}
+}
+
+# WARNING
+# OpenPBS is extremely stubborn about directory permissions. Sometimes it will
+# just fall over with the error message, but in some spots it will just ignore
+# you and fail strangely. Likewise it also barfs on our .keep files!
+pbs_createspool() {
+ local root="$1"
+ local s="$(dirname "${PBS_SERVER_HOME}")"
+ local h="${PBS_SERVER_HOME}"
+ local sp="${h}/server_priv"
+ einfo "Building spool directory under ${D}${h}"
+ local a d m
+ local dir_spec="
+ 0755:${h}/aux 0700:${h}/checkpoint
+ 0755:${h}/mom_logs 0751:${h}/mom_priv 0751:${h}/mom_priv/jobs
+ 1777:${h}/spool 1777:${h}/undelivered"
+
+ if use server; then
+ dir_spec="${dir_spec} 0755:${h}/sched_logs
+ 0755:${h}/sched_priv/accounting 0755:${h}/server_logs
+ 0750:${h}/server_priv 0755:${h}/server_priv/accounting
+ 0750:${h}/server_priv/acl_groups 0750:${h}/server_priv/acl_hosts
+ 0750:${h}/server_priv/acl_svr 0750:${h}/server_priv/acl_users
+ 0750:${h}/server_priv/jobs 0750:${h}/server_priv/queues"
+ fi
+
+ for a in ${dir_spec}; do
+ d="${a/*:}"
+ m="${a/:*}"
+ if [[ ! -d "${root}${d}" ]]; then
+ install -d -m${m} "${root}${d}"
+ else
+ chmod ${m} "${root}${d}"
+ fi
+ # (#149226) If we're running in src_*, then keepdir
+ if [[ "${root}" = "${D}" ]]; then
+ keepdir ${d}
+ fi
+ done
+}
+
+src_install() {
+ # Make directories first
+ pbs_createspool "${D}"
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ dodoc CHANGELOG README.* Release_Notes || die "dodoc failed"
+ if use doc; then
+ dodoc doc/admin_guide.ps doc/*.pdf || die "dodoc failed"
+ if use drmaa; then
+ dohtml -r src/drmaa/doc/html/* || die
+ dodoc src/drmaa/drmaa.pdf || die
+ fi
+ fi
+
+ # The build script isn't alternative install location friendly,
+ # So we have to fix some hard-coded paths in tclIndex for xpbs* to work
+ for file in `find "${D}" -iname tclIndex`; do
+ sed -e "s/${D//\// }/ /" "${file}" > "${file}.new" || die
+ mv "${file}.new" "${file}" || die
+ done
+
+ if use server; then
+ newinitd "${FILESDIR}"/pbs_server-init.d pbs_server
+ newinitd "${FILESDIR}"/pbs_sched-init.d pbs_sched
+ fi
+ newinitd "${FILESDIR}"/pbs_mom-init.d pbs_mom
+ newconfd "${FILESDIR}"/torque-conf.d torque
+ newenvd "${FILESDIR}"/torque-env.d 25torque
+
+ [ -d "${D}"/usr/share/doc/torque-drmaa ] && \
+ rm -rf "${D}"/usr/share/doc/torque-drmaa
+}
+
+pkg_preinst() {
+ if [[ -f "${ROOT}etc/pbs_environment" ]]; then
+ cp "${ROOT}etc/pbs_environment" "${D}"/etc/pbs_environment
+ fi
+
+ echo "${PBS_SERVER_NAME}" > "${D}${PBS_SERVER_HOME}/server_name"
+
+ # Fix up the env.d file to use our set server home.
+ sed -i "s:/var/spool/torque:${PBS_SERVER_HOME}:g" \
+ "${D}"/etc/env.d/25torque || die
+}
+
+pkg_postinst() {
+ pbs_createspool "${ROOT}"
+ elog " If this is the first time torque has been installed, then you are not"
+ elog "ready to start the server. Please refer to the documentation located at:"
+ elog "http://www.clusterresources.com/wiki/doku.php?id=torque:torque_wiki"
+
+ elog " For a basic setup, you may use emerge --config ${PN}"
+}
+
+# root will be setup as the primary operator/manager, the local machine
+# will be added as a node and we'll create a simple queue, batch.
+pkg_config() {
+ local h="$(echo "${ROOT}/${PBS_SERVER_HOME}" | sed 's:///*:/:g')"
+ local rc=0
+
+ ebegin "Configuring Torque"
+ einfo "Using ${h} as the pbs homedir"
+ einfo "Using ${PBS_SERVER_NAME} as the pbs_server"
+
+ # Check for previous configuration and bail if found.
+ if [ -e "${h}/server_priv/acl_svr/operators" ] \
+ || [ -e "${h}/server_priv/nodes" ] \
+ || [ -e "${h}/mom_priv/config" ]; then
+ ewarn "Previous Torque configuration detected. Press any key to"
+ ewarn "continue or press Control-C to abort now"
+ read
+ fi
+
+ # pbs_mom configuration.
+ echo "\$pbsserver ${PBS_SERVER_NAME}" > "${h}/mom_priv/config"
+ echo "\$logevent 255" >> "${h}/mom_priv/config"
+
+ if use server; then
+ local qmgr="${ROOT}/usr/bin/qmgr -c"
+ # pbs_server bails on repeated backslashes.
+ if ! echo "y" | "${ROOT}"/usr/sbin/pbs_server -d "${h}" -t create; then
+ eerror "Failed to start pbs_server"
+ rc=1
+ else
+ ${qmgr} "set server operators = root@$(hostname -f)" ${PBS_SERVER_NAME}
+ ${qmgr} "create queue batch" ${PBS_SERVER_NAME}
+ ${qmgr} "set queue batch queue_type = Execution" ${PBS_SERVER_NAME}
+ ${qmgr} "set queue batch started = True" ${PBS_SERVER_NAME}
+ ${qmgr} "set queue batch enabled = True" ${PBS_SERVER_NAME}
+ ${qmgr} "set server default_queue = batch" ${PBS_SERVER_NAME}
+ ${qmgr} "set server resources_default.nodes = 1" ${PBS_SERVER_NAME}
+ ${qmgr} "set server scheduling = True" ${PBS_SERVER_NAME}
+
+ "${ROOT}"/usr/bin/qterm -t quick ${PBS_SERVER_NAME} || rc=1
+
+ # Add the local machine as a node.
+ echo "$(hostname -f) np=1" > "${h}/server_priv/nodes"
+ fi
+ fi
+ eend ${rc}
+}
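Review bot: In `pkg_preinst` the `cp "${ROOT}etc/pbs_environment" "${D}"/etc/pbs_environment` has no `|| die`, so under EAPI=2 a failed copy silently lets the packaged default overwrite a site-customised file on merge; `cp "${ROOT}etc/pbs_environment" "${D}"/etc/pbs_environment || die "failed to preserve pbs_environment"` makes that a hard failure, and the `echo "${PBS_SERVER_NAME}" > "${D}${PBS_SERVER_HOME}/server_name"` line below it could take the same treatment. `pbs_createspool "${ROOT}"` in `pkg_postinst` also re-applies `chmod ${m}` to every existing spool directory on each merge, including `1777` on spool and undelivered, which resets any locally tightened permissions; a comment such as `# Re-applies the upstream-required modes on every merge, overriding local changes.` above that call would document the intent.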
diff --git a/sys-cluster/torque/torque-2.4.16.ebuild b/sys-cluster/torque/torque-2.4.16.ebuild
index b2b964bf545f..15435b5fb5d1 100644
--- a/sys-cluster/torque/torque-2.4.16.ebuild
+++ b/sys-cluster/torque/torque-2.4.16.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.4.16.ebuild,v 1.13 2013/06/01 19:49:33 jsbronder Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.4.16.ebuild,v 1.14 2013/12/23 18:01:35 jsbronder Exp $
EAPI=2
WANT_AUTOMAKE="1.12"
@@ -77,6 +77,7 @@ src_prepare() {
epatch "${FILESDIR}"/0002-fix-implicit-declaration-warnings.patch
epatch "${FILESDIR}"/disable-automagic-doc-building-2.4.14.patch
+ epatch "${FILESDIR}"/CVE-2013-4319-2.x-root-submit-fix.patch
sed -i \
-e 's,\(COMPACT_LATEX *=\).*,\1 NO,' \
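Review bot: Adding the epatch to the existing torque-2.4.16.ebuild in place does not change the installed version, so systems that already have 2.4.16 merged will not rebuild with the CVE-2013-4319 fix on a routine update; only a revision bump triggers that. The new torque-2.4.16-r1.ebuild in this commit carries ~arch keywords only, so if 2.4.16 is stable (its KEYWORDS line is outside this hunk) stable users keep the unfixed binary until -r1 is stabilised or they re-emerge by hand. If the in-place edit is meant as a stopgap for fresh installs, saying so in the ChangeLog entry would make the deployment state clear. `src_prepare` starts and ends outside the hunk.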
diff --git a/sys-cluster/torque/torque-2.5.12.ebuild b/sys-cluster/torque/torque-2.5.12-r1.ebuild
index eb5697614d31..2db5baa1eef2 100644
--- a/sys-cluster/torque/torque-2.5.12.ebuild
+++ b/sys-cluster/torque/torque-2.5.12-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.5.12.ebuild,v 1.6 2013/06/01 19:49:33 jsbronder Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.5.12-r1.ebuild,v 1.1 2013/12/23 18:01:35 jsbronder Exp $
EAPI=4
@@ -76,6 +76,8 @@ pkg_setup() {
}
src_prepare() {
+ epatch "${FILESDIR}"/CVE-2013-4319-2.x-root-submit-fix.patch
+
# Unused and causes breakage when switching from glibc to tirpc.
# https://github.com/adaptivecomputing/torque/pull/148
sed -i '/rpc\/rpc\.h/d' src/lib/Libnet/net_client.c || die
diff --git a/sys-cluster/torque/torque-4.1.5.1.ebuild b/sys-cluster/torque/torque-4.1.5.1-r1.ebuild
index 487efd9dd472..294b54165130 100644
--- a/sys-cluster/torque/torque-4.1.5.1.ebuild
+++ b/sys-cluster/torque/torque-4.1.5.1-r1.ebuild
@@ -1,8 +1,8 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-4.1.5.1.ebuild,v 1.4 2013/06/12 06:53:19 jlec Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-4.1.5.1-r1.ebuild,v 1.1 2013/12/23 18:01:35 jsbronder Exp $
-EAPI=2
+EAPI=4
inherit flag-o-matic eutils linux-info
DESCRIPTION="Resource manager and queuing system based on OpenPBS"
@@ -75,6 +75,7 @@ src_prepare() {
sed -i '/mk_default_ld_lib_file || return 1/d' buildutils/pbs_mkdirs.in || die
epatch "${FILESDIR}"/${P}-tcl8.6.patch
+ epatch "${FILESDIR}"/CVE-2013-4319-4.x-root-submit-fix.patch
}
src_configure() {
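Review bot: The EAPI bump from 2 to 4 in the first hunk rides along with the CVE-2013-4319 patch, although nothing in the change needs it; EAPI 4 alters default phase behaviour (econf flags, `src_install` defaults, helpers dying on failure), so every phase function outside these hunks inherits that change untested. Keeping the security revbump limited to the epatch line, and landing the EAPI bump separately, keeps the two independently revertable if one regresses. `src_prepare` starts outside the second hunk.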