diff options
| author |   Justin Bronder <jsbronder@gentoo.org> | 2013-12-23 18:01:35 +0000 |
|---|---|---|
| committer | Justin Bronder <jsbronder@gentoo.org> | 2013-12-23 18:01:35 +0000 |
| commit | 3ab9a97770d485e1fa0f972bf51da001e70ee178 (patch) | |
| tree | b8423fdafd2fba935f320974eacaf6a0751c57dc /sys-cluster | |
| parent | Stable for HPPA (bug #475480). (diff) | |
| download | gentoo-2-3ab9a97770d485e1fa0f972bf51da001e70ee178.tar.gz gentoo-2-3ab9a97770d485e1fa0f972bf51da001e70ee178.tar.bz2 gentoo-2-3ab9a97770d485e1fa0f972bf51da001e70ee178.zip | |
Add patches for CVE-2013-4319 (#484320).
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 4D7043C9)
Diffstat (limited to 'sys-cluster')
| -rw-r--r-- | sys-cluster/torque/ChangeLog | 13 | ||||
| -rw-r--r-- | sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch | 40 | ||||
| -rw-r--r-- | sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch | 38 | ||||
| -rw-r--r-- | sys-cluster/torque/torque-2.4.16-r1.ebuild | 257 | ||||
| -rw-r--r-- | sys-cluster/torque/torque-2.4.16.ebuild | 3 | ||||
| -rw-r--r-- | sys-cluster/torque/torque-2.5.12-r1.ebuild (renamed from sys-cluster/torque/torque-2.5.12.ebuild) | 4 | ||||
| -rw-r--r-- | sys-cluster/torque/torque-4.1.5.1-r1.ebuild (renamed from sys-cluster/torque/torque-4.1.5.1.ebuild) | 5 |
7 files changed, 355 insertions, 5 deletions
diff --git a/sys-cluster/torque/ChangeLog b/sys-cluster/torque/ChangeLog index 91c59eae77ab..e1a703fc12d9 100644 --- a/sys-cluster/torque/ChangeLog +++ b/sys-cluster/torque/ChangeLog @@ -1,6 +1,17 @@ # ChangeLog for sys-cluster/torque # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/ChangeLog,v 1.156 2013/12/23 17:35:39 jsbronder Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/ChangeLog,v 1.157 2013/12/23 18:01:35 jsbronder Exp $ + +*torque-4.1.5.1-r1 (23 Dec 2013) +*torque-2.5.12-r1 (23 Dec 2013) +*torque-2.4.16-r1 (23 Dec 2013) + + 23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> torque-2.4.16.ebuild, + +torque-2.4.16-r1.ebuild, -torque-2.5.12.ebuild, +torque-2.5.12-r1.ebuild, + -torque-4.1.5.1.ebuild, +torque-4.1.5.1-r1.ebuild, + +files/CVE-2013-4319-2.x-root-submit-fix.patch, + +files/CVE-2013-4319-4.x-root-submit-fix.patch: + Add patches for CVE-2013-4319 (#484320). 23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> -torque-2.3.13.ebuild, -torque-3.0.6-r1.ebuild: diff --git a/sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch b/sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch new file mode 100644 index 000000000000..aa53239f157c --- /dev/null +++ b/sys-cluster/torque/files/CVE-2013-4319-2.x-root-submit-fix.patch @@ -0,0 +1,40 @@ +From 5dee0365a56dd2cc4cfd0b182bc843b4f32c086c Mon Sep 17 00:00:00 2001 +From: Justin Bronder <jsbronder@gmail.com> +Date: Mon, 23 Dec 2013 12:40:27 -0500 +Subject: [PATCH] CVE-2013-4319: 2.x root submit fix + +https://bugs.gentoo.org/show_bug.cgi?id=484320 +http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319\ +--- + src/server/process_request.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/server/process_request.c b/src/server/process_request.c +index d4a3c92..b06a333 100644 +--- a/src/server/process_request.c ++++ b/src/server/process_request.c +@@ -640,6 +640,21 @@ void process_request( + log_buffer); + } + ++ if (svr_conn[sfds].cn_authen != PBS_NET_CONN_FROM_PRIVIL) ++ { ++ sprintf(log_buffer, "request type %s from host %s rejected (connection not privileged)", ++ reqtype_to_txt(request->rq_type), ++ request->rq_host); ++ ++ log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, id, log_buffer); ++ ++ req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized"); ++ ++ close_client(sfds); ++ ++ return; ++ } ++ + if (!tfind(svr_conn[sfds].cn_addr, &okclients)) + { + sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)", +-- +1.8.3.2 + diff --git a/sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch b/sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch new file mode 100644 index 000000000000..3614e42721de --- /dev/null +++ b/sys-cluster/torque/files/CVE-2013-4319-4.x-root-submit-fix.patch @@ -0,0 +1,38 @@ +From 6424696d7b160c8a9ad806c4a6b0f77f0d359962 Mon Sep 17 00:00:00 2001 +From: Justin Bronder <jsbronder@gmail.com> +Date: Mon, 23 Dec 2013 12:48:22 -0500 +Subject: [PATCH] CVE-2013-4319: 4.x root submit fix + +https://bugs.gentoo.org/show_bug.cgi?id=484320 +http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4319 +--- + src/resmom/mom_process_request.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/resmom/mom_process_request.c b/src/resmom/mom_process_request.c +index 049f63f..813833f 100644 +--- a/src/resmom/mom_process_request.c ++++ b/src/resmom/mom_process_request.c +@@ -238,6 +238,19 @@ void *mom_process_request( + log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer); + } + ++ if (svr_conn[chan->sock].cn_authen != PBS_NET_CONN_FROM_PRIVIL) ++ { ++ sprintf(log_buffer, "request type %s from host %s rejected (connection not privileged)", ++ reqtype_to_txt(request->rq_type), ++ request->rq_host); ++ ++ log_record(PBSEVENT_JOB, PBS_EVENTCLASS_JOB, __func__, log_buffer); ++ req_reject(PBSE_BADHOST, 0, request, NULL, "request not authorized"); ++ mom_close_client(chan->sock); ++ DIS_tcp_cleanup(chan); ++ return NULL; ++ } ++ + if (!AVL_is_in_tree_no_port_compare(svr_conn[chan->sock].cn_addr, 0, okclients)) + { + sprintf(log_buffer, "request type %s from host %s rejected (host not authorized)", +-- +1.8.3.2 + diff --git a/sys-cluster/torque/torque-2.4.16-r1.ebuild b/sys-cluster/torque/torque-2.4.16-r1.ebuild new file mode 100644 index 000000000000..5caa85c2c44e --- /dev/null +++ b/sys-cluster/torque/torque-2.4.16-r1.ebuild @@ -0,0 +1,257 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.4.16-r1.ebuild,v 1.1 2013/12/23 18:01:35 jsbronder Exp $ + +EAPI=2 +WANT_AUTOMAKE="1.12" +inherit flag-o-matic eutils linux-info autotools + +DESCRIPTION="Resource manager and queuing system based on OpenPBS" +HOMEPAGE="http://www.adaptivecomputing.com/products/open-source/torque" +SRC_URI="http://www.adaptivecomputing.com/resources/downloads/${PN}/${P}.tar.gz" + +LICENSE="openpbs" + +SLOT="0" +KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" +IUSE="tk +crypt drmaa server +syslog doc cpusets kernel_linux" + +# ed is used by makedepend-sh +DEPEND_COMMON="sys-libs/ncurses + sys-libs/readline + tk? ( dev-lang/tk ) + syslog? ( virtual/logger ) + !games-util/qstat" + +DEPEND="${DEPEND_COMMON} + doc? ( drmaa? ( + || ( <app-doc/doxygen-1.7.6.1[latex,-nodot] >=app-doc/doxygen-1.7.6.1[latex,dot] ) + ) ) + sys-apps/ed" + +RDEPEND="${DEPEND_COMMON} + crypt? ( net-misc/openssh ) + !crypt? ( net-misc/netkit-rsh )" + +pkg_setup() { + PBS_SERVER_HOME="${PBS_SERVER_HOME:-/var/spool/torque}" + + # Find a Torque server to use. Check environment, then + # current setup (if any), and fall back on current hostname. + if [ -z "${PBS_SERVER_NAME}" ]; then + if [ -f "${ROOT}${PBS_SERVER_HOME}/server_name" ]; then + PBS_SERVER_NAME="$(<${ROOT}${PBS_SERVER_HOME}/server_name)" + else + PBS_SERVER_NAME=$(hostname -f) + fi + fi + + USE_CPUSETS="--disable-cpuset" + if use cpusets; then + if ! use kernel_linux; then + einfo + elog " Torque currently only has support for cpusets in linux." + elog "Assuming you didn't really want this USE flag." + einfo + else + linux-info_pkg_setup + einfo + elog " Torque support for cpusets is still in development, you may" + elog "wish to disable it for production use." + einfo + if ! linux_config_exists || ! linux_chkconfig_present CPUSETS; then + einfo + elog " Torque support for cpusets will require that you recompile" + elog "your kernel with CONFIG_CPUSETS enabled." + einfo + fi + USE_CPUSETS="--enable-cpuset" + fi + fi +} + +src_prepare() { + # Unused and causes breakage when switching from glibc to tirpc. + # https://github.com/adaptivecomputing/torque/pull/148 + sed -i '/rpc\/rpc\.h/d' src/lib/Libnet/net_client.c || die + + epatch "${FILESDIR}"/0002-fix-implicit-declaration-warnings.patch + epatch "${FILESDIR}"/disable-automagic-doc-building-2.4.14.patch + epatch "${FILESDIR}"/CVE-2013-4319-2.x-root-submit-fix.patch + + sed -i \ + -e 's,\(COMPACT_LATEX *=\).*,\1 NO,' \ + -e 's,\(GENERATE_MAN *=\).*,\1 NO,' \ + src/drmaa/Doxyfile.in || die + sed -i \ + -e '/INSTALL_DATA/d' \ + src/drmaa/Makefile.am || die + eautoreconf +} + +src_configure() { + local myconf="--with-rcp=mom_rcp" + + use crypt && myconf="--with-rcp=scp" + + if use drmaa && use doc; then + myconf="${myconf} --enable-apidocs" + else + myconf="${myconf} --disable-apidocs" + fi + + econf \ + $(use_enable tk gui) \ + $(use_enable syslog) \ + $(use_enable server) \ + $(use_enable drmaa) \ + --with-server-home=${PBS_SERVER_HOME} \ + --with-environ=/etc/pbs_environment \ + --with-default-server=${PBS_SERVER_NAME} \ + --disable-gcc-warnings \ + ${USE_CPUSETS} \ + ${myconf} +} + +# WARNING +# OpenPBS is extremely stubborn about directory permissions. Sometimes it will +# just fall over with the error message, but in some spots it will just ignore +# you and fail strangely. Likewise it also barfs on our .keep files! +pbs_createspool() { + local root="$1" + local s="$(dirname "${PBS_SERVER_HOME}")" + local h="${PBS_SERVER_HOME}" + local sp="${h}/server_priv" + einfo "Building spool directory under ${D}${h}" + local a d m + local dir_spec=" + 0755:${h}/aux 0700:${h}/checkpoint + 0755:${h}/mom_logs 0751:${h}/mom_priv 0751:${h}/mom_priv/jobs + 1777:${h}/spool 1777:${h}/undelivered" + + if use server; then + dir_spec="${dir_spec} 0755:${h}/sched_logs + 0755:${h}/sched_priv/accounting 0755:${h}/server_logs + 0750:${h}/server_priv 0755:${h}/server_priv/accounting + 0750:${h}/server_priv/acl_groups 0750:${h}/server_priv/acl_hosts + 0750:${h}/server_priv/acl_svr 0750:${h}/server_priv/acl_users + 0750:${h}/server_priv/jobs 0750:${h}/server_priv/queues" + fi + + for a in ${dir_spec}; do + d="${a/*:}" + m="${a/:*}" + if [[ ! -d "${root}${d}" ]]; then + install -d -m${m} "${root}${d}" + else + chmod ${m} "${root}${d}" + fi + # (#149226) If we're running in src_*, then keepdir + if [[ "${root}" = "${D}" ]]; then + keepdir ${d} + fi + done +} + +src_install() { + # Make directories first + pbs_createspool "${D}" + + emake DESTDIR="${D}" install || die "make install failed" + + dodoc CHANGELOG README.* Release_Notes || die "dodoc failed" + if use doc; then + dodoc doc/admin_guide.ps doc/*.pdf || die "dodoc failed" + if use drmaa; then + dohtml -r src/drmaa/doc/html/* || die + dodoc src/drmaa/drmaa.pdf || die + fi + fi + + # The build script isn't alternative install location friendly, + # So we have to fix some hard-coded paths in tclIndex for xpbs* to work + for file in `find "${D}" -iname tclIndex`; do + sed -e "s/${D//\// }/ /" "${file}" > "${file}.new" || die + mv "${file}.new" "${file}" || die + done + + if use server; then + newinitd "${FILESDIR}"/pbs_server-init.d pbs_server + newinitd "${FILESDIR}"/pbs_sched-init.d pbs_sched + fi + newinitd "${FILESDIR}"/pbs_mom-init.d pbs_mom + newconfd "${FILESDIR}"/torque-conf.d torque + newenvd "${FILESDIR}"/torque-env.d 25torque + + [ -d "${D}"/usr/share/doc/torque-drmaa ] && \ + rm -rf "${D}"/usr/share/doc/torque-drmaa +} + +pkg_preinst() { + if [[ -f "${ROOT}etc/pbs_environment" ]]; then + cp "${ROOT}etc/pbs_environment" "${D}"/etc/pbs_environment + fi + + echo "${PBS_SERVER_NAME}" > "${D}${PBS_SERVER_HOME}/server_name" + + # Fix up the env.d file to use our set server home. + sed -i "s:/var/spool/torque:${PBS_SERVER_HOME}:g" \ + "${D}"/etc/env.d/25torque || die +} + +pkg_postinst() { + pbs_createspool "${ROOT}" + elog " If this is the first time torque has been installed, then you are not" + elog "ready to start the server. Please refer to the documentation located at:" + elog "http://www.clusterresources.com/wiki/doku.php?id=torque:torque_wiki" + + elog " For a basic setup, you may use emerge --config ${PN}" +} + +# root will be setup as the primary operator/manager, the local machine +# will be added as a node and we'll create a simple queue, batch. +pkg_config() { + local h="$(echo "${ROOT}/${PBS_SERVER_HOME}" | sed 's:///*:/:g')" + local rc=0 + + ebegin "Configuring Torque" + einfo "Using ${h} as the pbs homedir" + einfo "Using ${PBS_SERVER_NAME} as the pbs_server" + + # Check for previous configuration and bail if found. + if [ -e "${h}/server_priv/acl_svr/operators" ] \ + || [ -e "${h}/server_priv/nodes" ] \ + || [ -e "${h}/mom_priv/config" ]; then + ewarn "Previous Torque configuration detected. Press any key to" + ewarn "continue or press Control-C to abort now" + read + fi + + # pbs_mom configuration. + echo "\$pbsserver ${PBS_SERVER_NAME}" > "${h}/mom_priv/config" + echo "\$logevent 255" >> "${h}/mom_priv/config" + + if use server; then + local qmgr="${ROOT}/usr/bin/qmgr -c" + # pbs_server bails on repeated backslashes. + if ! echo "y" | "${ROOT}"/usr/sbin/pbs_server -d "${h}" -t create; then + eerror "Failed to start pbs_server" + rc=1 + else + ${qmgr} "set server operators = root@$(hostname -f)" ${PBS_SERVER_NAME} + ${qmgr} "create queue batch" ${PBS_SERVER_NAME} + ${qmgr} "set queue batch queue_type = Execution" ${PBS_SERVER_NAME} + ${qmgr} "set queue batch started = True" ${PBS_SERVER_NAME} + ${qmgr} "set queue batch enabled = True" ${PBS_SERVER_NAME} + ${qmgr} "set server default_queue = batch" ${PBS_SERVER_NAME} + ${qmgr} "set server resources_default.nodes = 1" ${PBS_SERVER_NAME} + ${qmgr} "set server scheduling = True" ${PBS_SERVER_NAME} + + "${ROOT}"/usr/bin/qterm -t quick ${PBS_SERVER_NAME} || rc=1 + + # Add the local machine as a node. + echo "$(hostname -f) np=1" > "${h}/server_priv/nodes" + fi + fi + eend ${rc} +} diff --git a/sys-cluster/torque/torque-2.4.16.ebuild b/sys-cluster/torque/torque-2.4.16.ebuild index b2b964bf545f..15435b5fb5d1 100644 --- a/sys-cluster/torque/torque-2.4.16.ebuild +++ b/sys-cluster/torque/torque-2.4.16.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.4.16.ebuild,v 1.13 2013/06/01 19:49:33 jsbronder Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.4.16.ebuild,v 1.14 2013/12/23 18:01:35 jsbronder Exp $ EAPI=2 WANT_AUTOMAKE="1.12" @@ -77,6 +77,7 @@ src_prepare() { epatch "${FILESDIR}"/0002-fix-implicit-declaration-warnings.patch epatch "${FILESDIR}"/disable-automagic-doc-building-2.4.14.patch + epatch "${FILESDIR}"/CVE-2013-4319-2.x-root-submit-fix.patch sed -i \ -e 's,\(COMPACT_LATEX *=\).*,\1 NO,' \ diff --git a/sys-cluster/torque/torque-2.5.12.ebuild b/sys-cluster/torque/torque-2.5.12-r1.ebuild index eb5697614d31..2db5baa1eef2 100644 --- a/sys-cluster/torque/torque-2.5.12.ebuild +++ b/sys-cluster/torque/torque-2.5.12-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.5.12.ebuild,v 1.6 2013/06/01 19:49:33 jsbronder Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-2.5.12-r1.ebuild,v 1.1 2013/12/23 18:01:35 jsbronder Exp $ EAPI=4 @@ -76,6 +76,8 @@ pkg_setup() { } src_prepare() { + epatch "${FILESDIR}"/CVE-2013-4319-2.x-root-submit-fix.patch + # Unused and causes breakage when switching from glibc to tirpc. # https://github.com/adaptivecomputing/torque/pull/148 sed -i '/rpc\/rpc\.h/d' src/lib/Libnet/net_client.c || die diff --git a/sys-cluster/torque/torque-4.1.5.1.ebuild b/sys-cluster/torque/torque-4.1.5.1-r1.ebuild index 487efd9dd472..294b54165130 100644 --- a/sys-cluster/torque/torque-4.1.5.1.ebuild +++ b/sys-cluster/torque/torque-4.1.5.1-r1.ebuild @@ -1,8 +1,8 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-4.1.5.1.ebuild,v 1.4 2013/06/12 06:53:19 jlec Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-cluster/torque/torque-4.1.5.1-r1.ebuild,v 1.1 2013/12/23 18:01:35 jsbronder Exp $ -EAPI=2 +EAPI=4 inherit flag-o-matic eutils linux-info DESCRIPTION="Resource manager and queuing system based on OpenPBS" @@ -75,6 +75,7 @@ src_prepare() { sed -i '/mk_default_ld_lib_file || return 1/d' buildutils/pbs_mkdirs.in || die epatch "${FILESDIR}"/${P}-tcl8.6.patch + epatch "${FILESDIR}"/CVE-2013-4319-4.x-root-submit-fix.patch } src_configure() { |