import CS pmix-3.2.3-5.el9
parent
f55a1ca9d1
commit
9c86ced5f4
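--- a/SOURCES/0001-Do-not-follow-links-when-doing-chown.patch
+++ b/SOURCES/0001-Do-not-follow-links-when-doing-chown.patch
@@ -0,0 +1,133 @@
+From 247fe50c796402ccb1734e66dcc1f0ee4c196774 Mon Sep 17 00:00:00 2001
+From: Ralph Castain <rhc@pmix.org>
+Date: Thu, 7 Sep 2023 07:59:57 -0600
+Subject: [PATCH] Do not follow links when doing "chown"
+
+There is a potential issue with allowing a "chown" operation
+to follow user-created links, so let's limit any use of that
+function to "lchown" - which directs the "chown" operation to
+NOT follow a link.
+
+Signed-off-by: Ralph Castain <rhc@pmix.org>
+(cherry picked from commit ae62cdf67b19e80fd821420816f09bf0a56a8166)
+(cherry picked from commit da036933c2795c1f40d0835e15f17e204e4daf0f)
+Signed-off-by: Kamal Heib <kheib@redhat.com>
+---
+src/mca/common/dstore/dstore_base.c | 4 ++--
+src/mca/common/dstore/dstore_segment.c | 4 ++--
+src/mca/gds/ds12/gds_ds12_lock_fcntl.c | 2 +-
+src/mca/gds/ds12/gds_ds12_lock_pthread.c | 2 +-
+src/mca/ptl/usock/ptl_usock_component.c | 6 +++---
+src/util/pmix_pty.c | 2 +-
+6 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/mca/common/dstore/dstore_base.c b/src/mca/common/dstore/dstore_base.c
+index f22461cdeb7a..7ff2e4d6aa2c 100644
+--- a/src/mca/common/dstore/dstore_base.c
++++ b/src/mca/common/dstore/dstore_base.c
+@@ -528,7 +528,7 @@ static int _esh_session_init(pmix_common_dstore_ctx_t *ds_ctx, size_t idx, ns_ma
+}
+}
+if (s->setjobuid > 0){
+- if (0 > chown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
++ if (0 > lchown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
+rc = PMIX_ERROR;
+PMIX_ERROR_LOG(rc);
+return rc;
+@@ -1682,7 +1682,7 @@ pmix_common_dstore_ctx_t *pmix_common_dstor_init(const char *ds_name, pmix_info_
+}
+}
+if (ds_ctx->setjobuid > 0) {
+- if (chown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
++ if (lchown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
+rc = PMIX_ERR_NO_PERMISSIONS;
+PMIX_ERROR_LOG(rc);
+goto err_exit;
+diff --git a/src/mca/common/dstore/dstore_segment.c b/src/mca/common/dstore/dstore_segment.c
+index f0c4f9bb9efc..0e68dbf4fedf 100644
+--- a/src/mca/common/dstore/dstore_segment.c
++++ b/src/mca/common/dstore/dstore_segment.c
+@@ -120,7 +120,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix_common_dstor_create_new_lock_seg(const
+
+if (setuid > 0){
+rc = PMIX_ERR_PERM;
+- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
+PMIX_ERROR_LOG(rc);
+goto err_exit;
+}
+@@ -211,7 +211,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix_common_dstor_create_new_segment(pmix_ds
+
+if (setuid > 0){
+rc = PMIX_ERR_PERM;
+- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
+PMIX_ERROR_LOG(rc);
+goto err_exit;
+}
+diff --git a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
+index 445231668c57..82b6d358316e 100644
+--- a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
++++ b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
+@@ -127,7 +127,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pmix_common_dstor_lock_ctx_t *ctx, const c
+}
+}
+if (0 != setuid) {
+- if (0 > chown(lock_ctx->lockfile, uid, (gid_t) -1)) {
++ if (0 > lchown(lock_ctx->lockfile, uid, (gid_t) -1)) {
+rc = PMIX_ERROR;
+PMIX_ERROR_LOG(rc);
+goto error;
+diff --git a/src/mca/gds/ds12/gds_ds12_lock_pthread.c b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
+index 8192f0532e03..57d855f52049 100644
+--- a/src/mca/gds/ds12/gds_ds12_lock_pthread.c
++++ b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
+@@ -113,7 +113,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pmix_common_dstor_lock_ctx_t *ctx, const c
+}
+memset(lock_ctx->segment->seg_base_addr, 0, size);
+if (0 != setuid) {
+- if (0 > chown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
+rc = PMIX_ERROR;
+PMIX_ERROR_LOG(rc);
+goto error;
+diff --git a/src/mca/ptl/usock/ptl_usock_component.c b/src/mca/ptl/usock/ptl_usock_component.c
+index 312030250a9d..660b03370ac1 100644
+--- a/src/mca/ptl/usock/ptl_usock_component.c
++++ b/src/mca/ptl/usock/ptl_usock_component.c
+@@ -265,16 +265,16 @@ static pmix_status_t setup_listener(pmix_info_t info[], size_t ninfo,
+CLOSE_THE_SOCKET(lt->socket);
+goto sockerror;
+}
+- /* chown as required */
++ /* lchown as required */
+if (lt->owner_given) {
+- if (0 != chown(address->sun_path, lt->owner, -1)) {
++ if (0 != lchown(address->sun_path, lt->owner, -1)) {
+pmix_output(0, "CANNOT CHOWN socket %s: %s", address->sun_path, strerror (errno));
+CLOSE_THE_SOCKET(lt->socket);
+goto sockerror;
+}
+}
+if (lt->group_given) {
+- if (0 != chown(address->sun_path, -1, lt->group)) {
++ if (0 != lchown(address->sun_path, -1, lt->group)) {
+pmix_output(0, "CANNOT CHOWN socket %s: %s", address->sun_path, strerror (errno));
+CLOSE_THE_SOCKET(lt->socket);
+goto sockerror;
+diff --git a/src/util/pmix_pty.c b/src/util/pmix_pty.c
+index 58e8d5143e8a..e01b854d17f0 100644
+--- a/src/util/pmix_pty.c
++++ b/src/util/pmix_pty.c
+@@ -248,7 +248,7 @@ static int ptys_open(int fdm, char *pts_name)
+gid = -1; /* group tty is not in the group file */
+}
+/* following two functions don't work unless we're root */
+- chown(pts_name, getuid(), gid);
++ lchown(pts_name, getuid(), gid); // DO NOT FOLLOW LINKS
+chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP);
+fds = open(pts_name, O_RDWR);
+if (fds < 0) {
+--
+2.41.0
+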
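Review bot: In the `ptys_open` hunk of the embedded patch, the `chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP)` right after the new `lchown` still resolves symbolic links, and so does `fds = open(pts_name, O_RDWR)`, so link-following is closed for the ownership change but not for the mode change on the same path. A tighter form would open the path first with `O_NOFOLLOW` and, after the `fds < 0` check, apply `fchown(fds, getuid(), gid)` and `fchmod(fds, S_IRUSR | S_IWUSR | S_IWGRP)` to the descriptor, so all three operations act on one object. The other hunks (`s->nspace_path`, `ds_ctx->base_path`, `file_name`, `lock_ctx->lockfile`, `address->sun_path`) have the same path-based shape: `lchown` protects only the final path component, and the window between creating the file and changing its owner remains. Whether that matters depends on who can write to the parent directories, which these hunks do not show. `ptys_open` and the other functions continue outside the hunks.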
@ -1,11 +1,13 @@
|
|||||||
Name: pmix
|
Name: pmix
|
||||||
Version: 3.2.3
|
Version: 3.2.3
|
||||||
Release: 3%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: Process Management Interface Exascale (PMIx)
|
Summary: Process Management Interface Exascale (PMIx)
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://pmix.org/
|
URL: https://pmix.org/
|
||||||
Source0: https://github.com/pmix/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
|
Source0: https://github.com/pmix/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
|
||||||
|
|
||||||
|
Patch1: 0001-Do-not-follow-links-when-doing-chown.patch
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
@ -73,6 +75,8 @@ based starters (e.g., mpirun).
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
|
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
# touch lexer sources to recompile them
|
# touch lexer sources to recompile them
|
||||||
find src -name \*.l -print -exec touch --no-create {} \;
|
find src -name \*.l -print -exec touch --no-create {} \;
|
||||||
|
|
||||||
@ -83,6 +87,7 @@ find src -name \*.l -print -exec touch --no-create {} \;
|
|||||||
--sysconfdir=%{_sysconfdir}/%{name} \
|
--sysconfdir=%{_sysconfdir}/%{name} \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--disable-silent-rules \
|
--disable-silent-rules \
|
||||||
|
--with-tests-examples \
|
||||||
--enable-shared \
|
--enable-shared \
|
||||||
--enable-pmi-backward-compatibility \
|
--enable-pmi-backward-compatibility \
|
||||||
--with-munge
|
--with-munge
|
||||||
@ -98,6 +103,14 @@ find src -name \*.l -print -exec touch --no-create {} \;
|
|||||||
# remove libtool archives
|
# remove libtool archives
|
||||||
find %{buildroot} -name '*.la' | xargs rm -f
|
find %{buildroot} -name '*.la' | xargs rm -f
|
||||||
|
|
||||||
|
# set up pmix self-test infra for install
|
||||||
|
install -d -m 0755 %{buildroot}%{_datadir}/%{name}/test
|
||||||
|
for f in pmix_client pmix_regex
|
||||||
|
do
|
||||||
|
mv test/.libs/$f %{buildroot}%{_datadir}/%{name}/$f
|
||||||
|
done
|
||||||
|
mv test/.libs/pmix_test %{buildroot}%{_datadir}/%{name}/test/pmix_test
|
||||||
|
|
||||||
%ldconfig_scriptlets
|
%ldconfig_scriptlets
|
||||||
%ldconfig_scriptlets devel
|
%ldconfig_scriptlets devel
|
||||||
|
|
||||||
@ -105,10 +118,13 @@ find %{buildroot} -name '*.la' | xargs rm -f
|
|||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc README
|
%doc README
|
||||||
%dir %{_datadir}/%{name}
|
%dir %{_datadir}/%{name}
|
||||||
|
%dir %{_datadir}/%{name}/test
|
||||||
%dir %{_libdir}/%{name}
|
%dir %{_libdir}/%{name}
|
||||||
%dir %{_sysconfdir}/%{name}
|
%dir %{_sysconfdir}/%{name}
|
||||||
%config(noreplace) %{_sysconfdir}/%{name}/*.conf
|
%config(noreplace) %{_sysconfdir}/%{name}/*.conf
|
||||||
%{_datadir}/%{name}/*.txt
|
%{_datadir}/%{name}/*.txt
|
||||||
|
%{_datadir}/%{name}/pmix_*
|
||||||
|
%{_datadir}/%{name}/test/pmix_test
|
||||||
%{_libdir}/libmca_common_dstore.so.1*
|
%{_libdir}/libmca_common_dstore.so.1*
|
||||||
%{_libdir}/libpmix.so.2*
|
%{_libdir}/libpmix.so.2*
|
||||||
%{_libdir}/%{name}/*.so
|
%{_libdir}/%{name}/*.so
|
||||||
@ -133,6 +149,14 @@ find %{buildroot} -name '*.la' | xargs rm -f
|
|||||||
%{_bindir}/*
|
%{_bindir}/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 14 2023 Kamal Heib <kheib@redhat.com> - 3.2.3-5
|
||||||
|
- Add pmix_test
|
||||||
|
- Resolves: RHEL-3693
|
||||||
|
|
||||||
|
* Thu Nov 02 2023 Kamal Heib <kheib@redhat.com> - 3.2.3-4
|
||||||
|
- Fix CVE-2023-41915
|
||||||
|
- Resolves: RHEL-3693
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2.3-3
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2.3-3
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
Related: rhbz#1991688
|
Related: rhbz#1991688
|
||||||
|
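Review bot: The new `%install` lines move the libtool-built executables from `test/.libs/` into `%{_datadir}/%{name}`, which is the architecture-independent data tree; ELF binaries conventionally go under `%{_libexecdir}/%{name}` or `%{_libdir}/%{name}`, with the `%files` entries adjusted to match. Binaries taken straight from `.libs/` skip libtool's install-time relink, so they may carry a run path pointing into the build tree. It is worth confirming with `readelf -d` or the `check-rpaths` build check that no build-directory path ships, since a stale run path is a library-search-path risk on the installed host. The hunk also uses `mv` rather than `install -m 0755`, so the packaged file modes are whatever the build left behind.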