| Summary: | pmix new security issue CVE-2023-41915 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, eatdirt, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | openpmix-4.2.3-1.mga9.src.rpm | CVE: | CVE-2023-41915 |
| Status comment: | Fixed upstream in 4.2.6 and patch available from upstream | ||
Description
Nicolas Salguero
2024-04-30 17:07:06 CEST
Nicolas Salguero
2024-04-30 17:07:31 CEST
Source RPM:
(none) =>
openpmix-4.2.3-1.mga9.src.rpm

Cauldron is more than up-to-date, so this is just for M9.
Assigning to ChrisD who maintains this pkg.

Assignee:
bugsquad =>
eatdirt

Thank you, I'll dig into that!

Here we go, openpmix-4.2.3-1.1.mga9 landing in core/updates_testing. This is a system library, not too many tests to do, but at least, checking that "pmix_info" returns something.

----------------
Update advisory.

This update fixes a race condition allowing attackers to obtain ownership of arbitrary files (CVE-2023-41915).

Updated packages in core/updates_testing:
========================
lib(64)openpmix2-4.2.3-1.1.mga9
lib(64)openpmix-devel-4.2.3-1.1.mga9
openpmix-4.2.3-1.1.mga9

Source RPMs:
openpmix-4.2.3-1.1.mga9.src.rpm

Assignee:
eatdirt =>
qa-bugs
katnatek
2024-05-01 03:38:31 CEST
Keywords:
(none) =>
advisory

RH mageia 9 x86_64
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
lib64event-devel 2.1.12 4.mga9 x86_64
lib64hwloc-devel 2.9.1 2.mga9 x86_64
lib64hwloc15 2.9.1 2.mga9 x86_64
lib64opencl-devel 2.3.1 2.mga9 x86_64
lib64pciaccess-devel 0.17 1.mga9 x86_64
opencl-headers 3.0 0.20230206.1> noarch
(medium "Core Updates (distrib3)")
lib64xml2-devel 2.10.4 1.2.mga9 x86_64
(command line)
lib64openpmix-devel 4.2.3 1.1.mga9 x86_64
lib64openpmix2 4.2.3 1.1.mga9 x86_64
openpmix 4.2.3 1.1.mga9 x86_64
13MB of additional disk space will be used.
4.8MB of packages will be retrieved.
Proceed with the installation of the 10 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64event-devel-2.1.12-4.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64opencl-devel-2.3.1-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64hwloc15-2.9.1-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/opencl-headers-3.0-0.20230206.1.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64pciaccess-devel-0.17-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64hwloc-devel-2.9.1-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64xml2-devel-2.10.4-1.2.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/lib64pciaccess-devel-0.17-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/opencl-headers-3.0-0.20230206.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/lib64hwloc-devel-2.9.1-2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64xml2-devel-2.10.4-1.2.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64openpmix-devel-4.2.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64event-devel-2.1.12-4.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64openpmix2-4.2.3-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/openpmix-4.2.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64hwloc15-2.9.1-2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64opencl-devel-2.3.1-2.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/10: lib64hwloc15 ##################################################################################################
2/10: lib64openpmix2 ##################################################################################################
3/10: lib64opencl-devel ##################################################################################################
4/10: opencl-headers ##################################################################################################
5/10: lib64event-devel ##################################################################################################
6/10: lib64xml2-devel ##################################################################################################
7/10: lib64pciaccess-devel #################################################################################################
8/10: lib64hwloc-devel ##################################################################################################
9/10: lib64openpmix-devel ##################################################################################################
10/10: openpmix ##################################################################################################
pmix_info
Package: PMIx iurt@ecosse.mageia.org Distribution
PMIX: 4.2.3
PMIX repo revision: gitc5661387
PMIX release date: Feb 07, 2023
PMIX Standard: 4.2
PMIX Standard ABI: Stable (0.0), Provisional (0.0)
Prefix: /usr
Configured architecture: pmix.arch
Configure host: ecosse.mageia.org
Configured by: iurt
Configured on: Tue Apr 30 19:38:38 UTC 2024
Configure host: ecosse.mageia.org
Configure command line: '--host=x86_64-mageia-linux-gnu'
'--build=x86_64-mageia-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking'
'--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/var/lib'
'--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--with-devel-headers'
Built by: iurt
Built on: Tue Apr 30 19:39:36 UTC 2024
Built host: ecosse.mageia.org
C compiler: gcc
C compiler absolute: /usr/bin/gcc
C compiler family name: GNU
C compiler version: "12" "." "3" "." "0"
Internal debug support: no
dl support: yes
Symbol vis. support: yes
Manpages built: yes
MCA bfrops: v12 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA bfrops: v20 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA bfrops: v21 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA bfrops: v3 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA bfrops: v4 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA bfrops: v41 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA gds: hash (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA gds: ds12 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA gds: ds21 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pcompress: zlib (MCA v2.1.0, API v2.0.0, Component v4.2.3)
MCA pdl: pdlopen (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pfexec: linux (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pif: linux_ipv6 (MCA v2.1.0, API v2.0.0, Component
v4.2.3)
MCA pif: posix_ipv4 (MCA v2.1.0, API v2.0.0, Component
v4.2.3)
MCA pinstalldirs: env (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pinstalldirs: config (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA plog: default (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA plog: stdfd (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA plog: syslog (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pmdl: ompi (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pmdl: oshmem (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pnet: opa (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA preg: compress (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA preg: native (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA preg: raw (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA prm: slurm (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA prm: default (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA psec: native (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA psec: none (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA psensor: file (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA psensor: heartbeat (MCA v2.1.0, API v1.0.0, Component
v4.2.3)
MCA pshmem: mmap (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA psquash: flex128 (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA psquash: native (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA pstat: linux (MCA v2.1.0, API v1.0.0, Component v4.2.3)
MCA ptl: client (MCA v2.1.0, API v2.0.0, Component v4.2.3)
MCA ptl: server (MCA v2.1.0, API v2.0.0, Component v4.2.3)
MCA ptl: tool (MCA v2.1.0, API v2.0.0, Component v4.2.3)
LC_ALL=C urpme $(rpm -qa|grep openpmix)
removing lib64openpmix-devel-4.2.3-1.1.mga9.x86_64 lib64openpmix2-4.2.3-1.1.mga9.x86_64 openpmix-4.2.3-1.1.mga9.x86_64
removing package lib64openpmix-devel-4.2.3-1.1.mga9.x86_64
1/3: removing lib64openpmix-devel-4.2.3-1.1.mga9.x86_64
##################################################################################################
removing package openpmix-4.2.3-1.1.mga9.x86_64
2/3: removing openpmix-4.2.3-1.1.mga9.x86_64
##################################################################################################
removing package lib64openpmix2-4.2.3-1.1.mga9.x86_64
3/3: removing lib64openpmix2-4.2.3-1.1.mga9.x86_64
##################################################################################################
writing /var/lib/rpm/installed-through-deps.list
The following packages:
lib64event-devel-2.1.12-4.mga9.x86_64
lib64hwloc-devel-2.9.1-2.mga9.x86_64
lib64hwloc15-2.9.1-2.mga9.x86_64
lib64opencl-devel-2.3.1-2.mga9.x86_64
lib64pciaccess-devel-0.17-1.mga9.x86_64
lib64xml2-devel-2.10.4-1.2.mga9.x86_64
opencl-headers-3.0-0.20230206.1.mga9.noarch
are now orphaned, if you wish to remove them, you can use "urpme --auto-orphans"
LC_ALL=C urpme --auto-orphans --auto
removing lib64event-devel-2.1.12-4.mga9.x86_64 lib64hwloc-devel-2.9.1-2.mga9.x86_64 lib64hwloc15-2.9.1-2.mga9.x86_64 lib64opencl-devel-2.3.1-2.mga9.x86_64 lib64pciaccess-devel-0.17-1.mga9.x86_64 lib64xml2-devel-2.10.4-1.2.mga9.x86_64 opencl-headers-3.0-0.20230206.1.mga9.noarch
removing package lib64hwloc-devel-2.9.1-2.mga9.x86_64
1/7: removing lib64hwloc-devel-2.9.1-2.mga9.x86_64
##################################################################################################
removing package lib64opencl-devel-2.3.1-2.mga9.x86_64
2/7: removing lib64opencl-devel-2.3.1-2.mga9.x86_64
##################################################################################################
removing package opencl-headers-3.0-0.20230206.1.mga9.noarch
3/7: removing opencl-headers-3.0-0.20230206.1.mga9.noarch
##################################################################################################
removing package lib64pciaccess-devel-0.17-1.mga9.x86_64
4/7: removing lib64pciaccess-devel-0.17-1.mga9.x86_64
##################################################################################################
removing package lib64xml2-devel-2.10.4-1.2.mga9.x86_64
5/7: removing lib64xml2-devel-2.10.4-1.2.mga9.x86_64
##################################################################################################
removing package lib64event-devel-2.1.12-4.mga9.x86_64
6/7: removing lib64event-devel-2.1.12-4.mga9.x86_64
##################################################################################################
removing package lib64hwloc15-2.9.1-2.mga9.x86_64
7/7: removing lib64hwloc15-2.9.1-2.mga9.x86_64
##################################################################################################
katnatek
2024-05-01 03:53:41 CEST
CC:
(none) =>
andrewsfarm

Clean Install/uninstall
Test the suggested command

Whiteboard:
(none) =>
MGA9-64-OK

Validating.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0162.html

Status:
NEW =>
RESOLVED