
Debian Bug report logs - #1051729
pmix: CVE-2023-41915


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 11 Sep 2023 19:39:01 UTC

Severity: grave

Tags: security, upstream

Found in version pmix/5.0.0~rc1-2

Fixed in version pmix/5.0.1-1

Done: Alastair McKinstry <mckinstry@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#1051729; Package src:pmix. (Mon, 11 Sep 2023 19:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Alastair McKinstry <mckinstry@debian.org>. (Mon, 11 Sep 2023 19:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pmix: CVE-2023-41915
Date: Mon, 11 Sep 2023 21:37:03 +0200
Source: pmix
Version: 5.0.0~rc1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for pmix.

CVE-2023-41915[0]:
| OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers
| to obtain ownership of arbitrary files via a race condition during
| execution of library code with UID 0.

As mentioned in [2]:
| A filesystem race condition could permit a malicious user
| to obtain ownership of an arbitrary file on the filesystem
| when parts of the PMIx library are called by a process
| running as uid 0. This may happen under the default
| configuration of certain workload managers, including Slurm.

(fs.protected_symlinks not protecting in such a case)

Please downgrade the severity if you do not agree on the assessment,
but at the very start the unstable version should be fixed. We can have
a look at what needs to be done for bookworm and bullseye in the next step.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41915
    https://www.cve.org/CVERecord?id=CVE-2023-41915
[1] https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17
[2] https://github.com/openpmix/openpmix/releases/tag/v5.0.1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
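The hazard the report describes, a privileged caller changing ownership through a path lookup that can be redirected while fs.protected_symlinks gives no protection, shown beside a race-resistant pattern. This is an added example and not code from PMIx or from the upstream fix; the function names and the temporary-directory fixture are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: validate by path, then chown by path. Both calls follow
 * symlinks and the path can be swapped between them. fs.protected_symlinks
 * only restricts symlinks in world-writable sticky directories, so a link
 * in a directory the attacker owns is followed; run as uid 0 this changes
 * the owner of whatever the link points at. */
int chown_by_path(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return chown(path, uid, gid);               /* second lookup, races */
}

/* Hardened pattern: open without following symlinks, validate the inode
 * actually opened, then change ownership through the descriptor so there
 * is no second path lookup to redirect. O_NONBLOCK avoids hanging on a FIFO. */
int chown_nofollow(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) return -1;                      /* ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EINVAL; return -1;   /* not a plain, unshared file */
    }
    int rc = fchown(fd, uid, gid); int saved = errno;
    close(fd); errno = saved;
    return rc;
}

/* Constructed fixture: a regular file plus a symlink to it in a private
 * temporary directory. Returns 1 if the naive call follows the link while
 * the hardened call refuses it with ELOOP and still works on the real file.
 * Ownership is set to the caller's own uid/gid, so this is safe to run
 * unprivileged. */
int demo_symlink_is_refused(void) {
    char dir[] = "/tmp/chown-ex-XXXXXX", target[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(target, link) != 0) return 0;
    close(fd);
    int naive = chown_by_path(link, getuid(), getgid());     /* 0: followed */
    int hard = chown_nofollow(link, getuid(), getgid());     /* -1, ELOOP */
    int hard_errno = errno;
    int direct = chown_nofollow(target, getuid(), getgid()); /* 0 */
    unlink(link); unlink(target); rmdir(dir);
    return naive == 0 && hard == -1 && hard_errno == ELOOP && direct == 0;
}
```

The st_nlink check additionally refuses files reachable through a second hard link, which fs.protected_hardlinks would otherwise have to catch.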



Reply sent to Alastair McKinstry <mckinstry@debian.org>:
You have taken responsibility. (Tue, 12 Sep 2023 08:12:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Sep 2023 08:12:08 GMT)


Message #10 received at 1051729-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1051729-close@bugs.debian.org
Subject: Bug#1051729: fixed in pmix 5.0.1-1
Date: Tue, 12 Sep 2023 08:09:15 +0000
Source: pmix
Source-Version: 5.0.1-1
Done: Alastair McKinstry <mckinstry@debian.org>

We believe that the bug you reported is fixed in the latest version of
pmix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051729@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated pmix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 08 Aug 2023 09:50:20 +0100
Source: pmix
Architecture: source
Version: 5.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Closes: 1043263 1051729
Changes:
 pmix (5.0.1-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #1051729, #1043263







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 12 17:51:49 2023; Machine Name: bembo
