Version in base suite: 4.0.0-4.1 Base version: pmix_4.0.0-4.1 Target version: pmix_4.0.0-4.1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pmix/pmix_4.0.0-4.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pmix/pmix_4.0.0-4.1+deb11u1.dsc changelog | 7 + patches/Do-not-follow-links-when-doing-chown.patch | 95 +++++++++++++++++++++ patches/series | 1 rules | 1 4 files changed, 104 insertions(+)
diff -Nru pmix-4.0.0/debian/changelog pmix-4.0.0/debian/changelog
--- pmix-4.0.0/debian/changelog 2021-08-01 09:20:07.000000000 +0000
+++ pmix-4.0.0/debian/changelog 2023-10-28 18:49:38.000000000 +0000
@@ -1,3 +1,10 @@
+pmix (4.0.0-4.1+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Do not follow links when doing "chown" (CVE-2023-41915) (Closes: #1051729)
+
+ -- Salvatore Bonaccorso Sat, 28 Oct 2023 20:49:38 +0200
+
 pmix (4.0.0-4.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru pmix-4.0.0/debian/patches/Do-not-follow-links-when-doing-chown.patch pmix-4.0.0/debian/patches/Do-not-follow-links-when-doing-chown.patch
--- pmix-4.0.0/debian/patches/Do-not-follow-links-when-doing-chown.patch 1970-01-01 00:00:00.000000000 +0000
+++ pmix-4.0.0/debian/patches/Do-not-follow-links-when-doing-chown.patch 2023-10-28 18:47:30.000000000 +0000
@@ -0,0 +1,95 @@
+From: Ralph Castain
+Date: Thu, 7 Sep 2023 07:59:57 -0600
+Subject: Do not follow links when doing "chown"
+Origin: https://github.com/openpmix/openpmix/commit/da036933c2795c1f40d0835e15f17e204e4daf0f
+Bug-Debian: https://bugs.debian.org/1051729
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-41915
+
+There is a potential issue with allowing a "chown" operation
+to follow user-created links, so let's limit any use of that
+function to "lchown" - which directs the "chown" operation to
+NOT follow a link.
+
+Signed-off-by: Ralph Castain
+(cherry picked from commit ae62cdf67b19e80fd821420816f09bf0a56a8166)
+---
+ src/mca/common/dstore/dstore_base.c | 4 ++--
+ src/mca/common/dstore/dstore_segment.c | 4 ++--
+ src/mca/gds/ds12/gds_ds12_lock_fcntl.c | 2 +-
+ src/mca/gds/ds12/gds_ds12_lock_pthread.c | 2 +-
+ src/util/pmix_pty.c | 4 ++--
+ 5 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/src/mca/common/dstore/dstore_base.c
++++ b/src/mca/common/dstore/dstore_base.c
+@@ -528,7 +528,7 @@ static int _esh_session_init(pmix_common
+ }
+ }
+ if (s->setjobuid > 0){
+- if (0 > chown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
++ if (0 > lchown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
+ rc = PMIX_ERROR;
+ PMIX_ERROR_LOG(rc);
+ return rc;
+@@ -1682,7 +1682,7 @@ pmix_common_dstore_ctx_t *pmix_common_ds
+ }
+ }
+ if (ds_ctx->setjobuid > 0) {
+- if (chown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
++ if (lchown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
+ rc = PMIX_ERR_NO_PERMISSIONS;
+ PMIX_ERROR_LOG(rc);
+ goto err_exit;
+--- a/src/mca/common/dstore/dstore_segment.c
++++ b/src/mca/common/dstore/dstore_segment.c
+@@ -120,7 +120,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix
+
+ if (setuid > 0){
+ rc = PMIX_ERR_PERM;
+- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
+ PMIX_ERROR_LOG(rc);
+ goto err_exit;
+ }
+@@ -211,7 +211,7
@@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix
+
+ if (setuid > 0){
+ rc = PMIX_ERR_PERM;
+- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
+ PMIX_ERROR_LOG(rc);
+ goto err_exit;
+ }
+--- a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
++++ b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
+@@ -127,7 +127,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pm
+ }
+ }
+ if (0 != setuid) {
+- if (0 > chown(lock_ctx->lockfile, uid, (gid_t) -1)) {
++ if (0 > lchown(lock_ctx->lockfile, uid, (gid_t) -1)) {
+ rc = PMIX_ERROR;
+ PMIX_ERROR_LOG(rc);
+ goto error;
+--- a/src/mca/gds/ds12/gds_ds12_lock_pthread.c
++++ b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
+@@ -113,7 +113,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pm
+ }
+ memset(lock_ctx->segment->seg_base_addr, 0, size);
+ if (0 != setuid) {
+- if (0 > chown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
+ rc = PMIX_ERROR;
+ PMIX_ERROR_LOG(rc);
+ goto error;
+--- a/src/util/pmix_pty.c
++++ b/src/util/pmix_pty.c
+@@ -248,7 +248,7 @@ static int ptys_open(int fdm, char *pts_
+ gid = -1; /* group tty is not in the group file */
+ }
+ /* following two functions don't work unless we're root */
+- chown(pts_name, getuid(), gid);
++ lchown(pts_name, getuid(), gid); // DO NOT FOLLOW LINKS
+ chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP);
+ fds = open(pts_name, O_RDWR);
+ if (fds < 0) {
diff -Nru pmix-4.0.0/debian/patches/series pmix-4.0.0/debian/patches/series
--- pmix-4.0.0/debian/patches/series 2021-01-20 17:30:05.000000000 +0000
+++ pmix-4.0.0/debian/patches/series 2023-10-28 18:49:38.000000000 +0000
@@ -1,2 +1,3 @@
 # hurd-fix.patch
 # python3.patch
+# Do-not-follow-links-when-doing-chown.patch
diff -Nru pmix-4.0.0/debian/rules pmix-4.0.0/debian/rules
--- pmix-4.0.0/debian/rules 2021-01-20 17:30:05.000000000 +0000
+++ pmix-4.0.0/debian/rules 2023-10-28 18:49:38.000000000 +0000
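Review bot: In the dstore_segment.c hunks, `lchown(file_name, ...)` only stops resolution of the final path component, and when `file_name` is itself a symlink the call succeeds on the link, so the branch carries on as if the segment file had been handed to `uid`. The same applies to the `nspace_path` and `base_path` calls in dstore_base.c and to the `lock_ctx->lockfile` calls in both gds_ds12_lock_*.c files. Where the object was just created by this process (creation is outside these hunks, so this is inferred), changing ownership through the descriptor, e.g. `fchown(fd, (uid_t) uid, (gid_t) -1)` after an open with `O_NOFOLLOW`, would bind the change to the object actually created. Failing that, an `lstat()` check that the path is the expected regular file or directory would turn a pre-existing link into a logged error instead of a silent success.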
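Review bot: In the pmix_pty.c hunk, the `chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP);` directly after the new `lchown()` still follows a symlink, and neither return value is checked, so the `// DO NOT FOLLOW LINKS` intent covers only half of the pair. Since `pts_name` is opened two lines later, one option is to open it first with `O_NOFOLLOW` and apply `fchown(fds, getuid(), gid);` and `fchmod(fds, S_IRUSR | S_IWUSR | S_IWGRP);` to the descriptor, which also closes the window between the permission change and the open. The existing comment says both calls are expected to fail when not root, so failures would have to be tolerated (perhaps logged) rather than treated as fatal. ptys_open starts and ends outside this hunk.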
@@ -47,6 +47,7 @@
 override_dh_auto_configure:
 # Hack to fix quilt issue in 4.0.0
 patch -p1 < debian/patches/python3.patch
+ patch -p1 < debian/patches/Do-not-follow-links-when-doing-chown.patch
 dh_auto_configure --builddirectory=debian/static-build -- $(BUILD_FLAGS) \
 --enable-static
 dh_auto_configure --builddirectory=debian/shared-build -- $(BUILD_FLAGS) \
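Review bot: The CVE-2023-41915 fix reaches the build only through this `patch -p1 <` recipe line in debian/rules, because the matching entry added to debian/patches/series is commented out. If the package relies on the series file when the source is unpacked, an extracted tree still shows the `chown()` calls, and any audit or build path that bypasses `override_dh_auto_configure` sees unpatched code. `patch` is also run without `-N`, so a second configure run in the same tree would likely stop on the already-applied patch unless the clean target reverses it, which is not visible here. A comment above the line, such as `# Security fix for CVE-2023-41915: applied by hand because the series entry is commented out; do not drop`, would record why it must stay. The recipe continues past the end of the hunk.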