import CS pmix-3.2.3-5.el9

This commit is contained in:
eabdullin 2024-03-28 11:26:02 +00:00
parent f55a1ca9d1
commit 9c86ced5f4
2 changed files with 158 additions and 1 deletions

View File

@ -0,0 +1,133 @@
From 247fe50c796402ccb1734e66dcc1f0ee4c196774 Mon Sep 17 00:00:00 2001
From: Ralph Castain <rhc@pmix.org>
Date: Thu, 7 Sep 2023 07:59:57 -0600
Subject: [PATCH] Do not follow links when doing "chown"
There is a potential issue with allowing a "chown" operation
to follow user-created links, so let's limit any use of that
function to "lchown" - which directs the "chown" operation to
NOT follow a link.
Signed-off-by: Ralph Castain <rhc@pmix.org>
(cherry picked from commit ae62cdf67b19e80fd821420816f09bf0a56a8166)
(cherry picked from commit da036933c2795c1f40d0835e15f17e204e4daf0f)
Signed-off-by: Kamal Heib <kheib@redhat.com>
---
src/mca/common/dstore/dstore_base.c | 4 ++--
src/mca/common/dstore/dstore_segment.c | 4 ++--
src/mca/gds/ds12/gds_ds12_lock_fcntl.c | 2 +-
src/mca/gds/ds12/gds_ds12_lock_pthread.c | 2 +-
src/mca/ptl/usock/ptl_usock_component.c | 6 +++---
src/util/pmix_pty.c | 2 +-
6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/mca/common/dstore/dstore_base.c b/src/mca/common/dstore/dstore_base.c
index f22461cdeb7a..7ff2e4d6aa2c 100644
--- a/src/mca/common/dstore/dstore_base.c
+++ b/src/mca/common/dstore/dstore_base.c
@@ -528,7 +528,7 @@ static int _esh_session_init(pmix_common_dstore_ctx_t *ds_ctx, size_t idx, ns_ma
}
}
if (s->setjobuid > 0){
- if (0 > chown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
+ if (0 > lchown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
rc = PMIX_ERROR;
PMIX_ERROR_LOG(rc);
return rc;
@@ -1682,7 +1682,7 @@ pmix_common_dstore_ctx_t *pmix_common_dstor_init(const char *ds_name, pmix_info_
}
}
if (ds_ctx->setjobuid > 0) {
- if (chown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
+ if (lchown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
rc = PMIX_ERR_NO_PERMISSIONS;
PMIX_ERROR_LOG(rc);
goto err_exit;
diff --git a/src/mca/common/dstore/dstore_segment.c b/src/mca/common/dstore/dstore_segment.c
index f0c4f9bb9efc..0e68dbf4fedf 100644
--- a/src/mca/common/dstore/dstore_segment.c
+++ b/src/mca/common/dstore/dstore_segment.c
@@ -120,7 +120,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix_common_dstor_create_new_lock_seg(const
if (setuid > 0){
rc = PMIX_ERR_PERM;
- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
+ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
PMIX_ERROR_LOG(rc);
goto err_exit;
}
@@ -211,7 +211,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix_common_dstor_create_new_segment(pmix_ds
if (setuid > 0){
rc = PMIX_ERR_PERM;
- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
+ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
PMIX_ERROR_LOG(rc);
goto err_exit;
}
diff --git a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
index 445231668c57..82b6d358316e 100644
--- a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
+++ b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
@@ -127,7 +127,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pmix_common_dstor_lock_ctx_t *ctx, const c
}
}
if (0 != setuid) {
- if (0 > chown(lock_ctx->lockfile, uid, (gid_t) -1)) {
+ if (0 > lchown(lock_ctx->lockfile, uid, (gid_t) -1)) {
rc = PMIX_ERROR;
PMIX_ERROR_LOG(rc);
goto error;
diff --git a/src/mca/gds/ds12/gds_ds12_lock_pthread.c b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
index 8192f0532e03..57d855f52049 100644
--- a/src/mca/gds/ds12/gds_ds12_lock_pthread.c
+++ b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
@@ -113,7 +113,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pmix_common_dstor_lock_ctx_t *ctx, const c
}
memset(lock_ctx->segment->seg_base_addr, 0, size);
if (0 != setuid) {
- if (0 > chown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
+ if (0 > lchown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
rc = PMIX_ERROR;
PMIX_ERROR_LOG(rc);
goto error;
diff --git a/src/mca/ptl/usock/ptl_usock_component.c b/src/mca/ptl/usock/ptl_usock_component.c
index 312030250a9d..660b03370ac1 100644
--- a/src/mca/ptl/usock/ptl_usock_component.c
+++ b/src/mca/ptl/usock/ptl_usock_component.c
@@ -265,16 +265,16 @@ static pmix_status_t setup_listener(pmix_info_t info[], size_t ninfo,
CLOSE_THE_SOCKET(lt->socket);
goto sockerror;
}
- /* chown as required */
+ /* lchown as required */
if (lt->owner_given) {
- if (0 != chown(address->sun_path, lt->owner, -1)) {
+ if (0 != lchown(address->sun_path, lt->owner, -1)) {
pmix_output(0, "CANNOT CHOWN socket %s: %s", address->sun_path, strerror (errno));
CLOSE_THE_SOCKET(lt->socket);
goto sockerror;
}
}
if (lt->group_given) {
- if (0 != chown(address->sun_path, -1, lt->group)) {
+ if (0 != lchown(address->sun_path, -1, lt->group)) {
pmix_output(0, "CANNOT CHOWN socket %s: %s", address->sun_path, strerror (errno));
CLOSE_THE_SOCKET(lt->socket);
goto sockerror;
diff --git a/src/util/pmix_pty.c b/src/util/pmix_pty.c
index 58e8d5143e8a..e01b854d17f0 100644
--- a/src/util/pmix_pty.c
+++ b/src/util/pmix_pty.c
@@ -248,7 +248,7 @@ static int ptys_open(int fdm, char *pts_name)
gid = -1; /* group tty is not in the group file */
}
/* following two functions don't work unless we're root */
- chown(pts_name, getuid(), gid);
+ lchown(pts_name, getuid(), gid); // DO NOT FOLLOW LINKS
chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP);
fds = open(pts_name, O_RDWR);
if (fds < 0) {
--
2.41.0

View File

@ -1,11 +1,13 @@
Name: pmix Name: pmix
Version: 3.2.3 Version: 3.2.3
Release: 3%{?dist} Release: 5%{?dist}
Summary: Process Management Interface Exascale (PMIx) Summary: Process Management Interface Exascale (PMIx)
License: BSD License: BSD
URL: https://pmix.org/ URL: https://pmix.org/
Source0: https://github.com/pmix/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 Source0: https://github.com/pmix/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
Patch1: 0001-Do-not-follow-links-when-doing-chown.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: flex BuildRequires: flex
@ -73,6 +75,8 @@ based starters (e.g., mpirun).
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch1 -p1
# touch lexer sources to recompile them # touch lexer sources to recompile them
find src -name \*.l -print -exec touch --no-create {} \; find src -name \*.l -print -exec touch --no-create {} \;
@ -83,6 +87,7 @@ find src -name \*.l -print -exec touch --no-create {} \;
--sysconfdir=%{_sysconfdir}/%{name} \ --sysconfdir=%{_sysconfdir}/%{name} \
--disable-static \ --disable-static \
--disable-silent-rules \ --disable-silent-rules \
--with-tests-examples \
--enable-shared \ --enable-shared \
--enable-pmi-backward-compatibility \ --enable-pmi-backward-compatibility \
--with-munge --with-munge
@ -98,6 +103,14 @@ find src -name \*.l -print -exec touch --no-create {} \;
# remove libtool archives # remove libtool archives
find %{buildroot} -name '*.la' | xargs rm -f find %{buildroot} -name '*.la' | xargs rm -f
# set up pmix self-test infra for install
install -d -m 0755 %{buildroot}%{_datadir}/%{name}/test
for f in pmix_client pmix_regex
do
mv test/.libs/$f %{buildroot}%{_datadir}/%{name}/$f
done
mv test/.libs/pmix_test %{buildroot}%{_datadir}/%{name}/test/pmix_test
%ldconfig_scriptlets %ldconfig_scriptlets
%ldconfig_scriptlets devel %ldconfig_scriptlets devel
@ -105,10 +118,13 @@ find %{buildroot} -name '*.la' | xargs rm -f
%license LICENSE %license LICENSE
%doc README %doc README
%dir %{_datadir}/%{name} %dir %{_datadir}/%{name}
%dir %{_datadir}/%{name}/test
%dir %{_libdir}/%{name} %dir %{_libdir}/%{name}
%dir %{_sysconfdir}/%{name} %dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/*.conf %config(noreplace) %{_sysconfdir}/%{name}/*.conf
%{_datadir}/%{name}/*.txt %{_datadir}/%{name}/*.txt
%{_datadir}/%{name}/pmix_*
%{_datadir}/%{name}/test/pmix_test
%{_libdir}/libmca_common_dstore.so.1* %{_libdir}/libmca_common_dstore.so.1*
%{_libdir}/libpmix.so.2* %{_libdir}/libpmix.so.2*
%{_libdir}/%{name}/*.so %{_libdir}/%{name}/*.so
@ -133,6 +149,14 @@ find %{buildroot} -name '*.la' | xargs rm -f
%{_bindir}/* %{_bindir}/*
%changelog %changelog
* Tue Nov 14 2023 Kamal Heib <kheib@redhat.com> - 3.2.3-5
- Add pmix_test
- Resolves: RHEL-3693
* Thu Nov 02 2023 Kamal Heib <kheib@redhat.com> - 3.2.3-4
- Fix CVE-2023-41915
- Resolves: RHEL-3693
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2.3-3 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2.3-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688