Your message dated Sun, 05 Nov 2023 17:47:28 +0000
with message-id <e1qzhdc-007pow...@fasolo.debian.org>
and subject line Bug#1051729: fixed in pmix 4.2.2-1+deb12u1
has caused the Debian Bug report #1051729,
regarding pmix: CVE-2023-41915
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051729: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pmix
Version: 5.0.0~rc1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pmix.

CVE-2023-41915[0]:
| OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers
| to obtain ownership of arbitrary files via a race condition during
| execution of library code with UID 0.

As mentioned in [2]:
| A filesystem race condition could permit a malicious user
| to obtain ownership of an arbitrary file on the filesystem
| when parts of the PMIx library are called by a process
| running as uid 0. This may happen under the default
| configuration of certain workload managers, including Slurm.

(fs.protected_symlinks not protecting in such a case)

Please downgrade the severity if you do not agree on the assessment,
but as a start the unstable version should be fixed. We can have
a look at what needs to be done for bookworm and bullseye in the next step.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41915
    https://www.cve.org/CVERecord?id=CVE-2023-41915
[1] https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17
[2] https://github.com/openpmix/openpmix/releases/tag/v5.0.1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
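The pattern the report above describes (a process running as uid 0 calling chown on a path whose final component an unprivileged user can replace with a symlink) next to the mitigation named in the bookworm changelog entry, "do not follow links when doing chown". This is an added C example, not OpenPMIx or Debian code; chown_nofollow and run_demo are hypothetical helpers I wrote, and the fixture runs unprivileged by chowning a file to the caller's own uid.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Vulnerable pattern: chown(2) resolves a trailing symlink, so a uid-0
 * caller ends up changing the owner of whatever the link points at. */
int chown_following_links(const char *path, uid_t uid, gid_t gid) {
    return chown(path, uid, gid);
}

/* Hardened pattern (hypothetical helper): open the final component with
 * O_NOFOLLOW so a symlink fails with ELOOP, check what was opened, then
 * fchown the descriptor itself so no second path lookup can be raced. */
int chown_nofollow(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* errno is ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(fd); errno = EINVAL; return -1;   /* no devices, FIFOs, sockets */
    }
    int rc = fchown(fd, uid, gid);
    int e = errno; close(fd); errno = e;
    return rc;
}

/* Constructed fixture: a regular file and a symlink to it in a fresh temp
 * dir; chowns to the caller's own uid so it runs unprivileged. Returns a
 * bitmask of observations: 7 means all three behaved as described. */
int run_demo(void) {
    char dir[] = "/tmp/chown-demo-XXXXXX", file[64], link[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) < 0 || symlink(file, link) < 0) return -1;
    uid_t me = getuid(); int seen = 0;
    if (chown_following_links(link, me, (gid_t)-1) == 0) seen |= 1;  /* followed link */
    errno = 0;
    if (chown_nofollow(link, me, (gid_t)-1) == -1 && errno == ELOOP) seen |= 2;
    if (chown_nofollow(file, me, (gid_t)-1) == 0) seen |= 4;
    unlink(link); unlink(file); rmdir(dir);
    return seen;
}
```

lchown(2) is the other common fix for this class of bug; it changes the link itself rather than the target, which is sufficient when the caller only ever means to own the entry it created.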
--- Begin Message ---
Source: pmix
Source-Version: 4.2.2-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pmix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated pmix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Oct 2023 17:04:42 +0200
Source: pmix
Architecture: source
Version: 4.2.2-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Alastair McKinstry <mckins...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1051729
Changes:
 pmix (4.2.2-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Do not follow links when doing "chown" (CVE-2023-41915) (Closes: #1051729)


--- End Message ---