From a25482be06e6cfc7ffe3ca9c9ea1f4510e5d8d0b Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 15 May 2024 08:38:16 +0000
Subject: [PATCH] Import from AlmaLinux stable repository
---
 ...Do-not-follow-links-when-doing-chown.patch | 133 ++++++++++++++++++
 SPECS/pmix.spec | 26 +++-
 2 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-Do-not-follow-links-when-doing-chown.patch
diff --git a/SOURCES/0001-Do-not-follow-links-when-doing-chown.patch b/SOURCES/0001-Do-not-follow-links-when-doing-chown.patch
new file mode 100644
index 0000000..9a7ae26
--- /dev/null
+++ b/SOURCES/0001-Do-not-follow-links-when-doing-chown.patch
@@ -0,0 +1,133 @@
+From 247fe50c796402ccb1734e66dcc1f0ee4c196774 Mon Sep 17 00:00:00 2001
+From: Ralph Castain
+Date: Thu, 7 Sep 2023 07:59:57 -0600
+Subject: [PATCH] Do not follow links when doing "chown"
+
+There is a potential issue with allowing a "chown" operation
+to follow user-created links, so let's limit any use of that
+function to "lchown" - which directs the "chown" operation to
+NOT follow a link.
+
+Signed-off-by: Ralph Castain
+(cherry picked from commit ae62cdf67b19e80fd821420816f09bf0a56a8166)
+(cherry picked from commit da036933c2795c1f40d0835e15f17e204e4daf0f)
+Signed-off-by: Kamal Heib
+---
+ src/mca/common/dstore/dstore_base.c | 4 ++--
+ src/mca/common/dstore/dstore_segment.c | 4 ++--
+ src/mca/gds/ds12/gds_ds12_lock_fcntl.c | 2 +-
+ src/mca/gds/ds12/gds_ds12_lock_pthread.c | 2 +-
+ src/mca/ptl/usock/ptl_usock_component.c | 6 +++---
+ src/util/pmix_pty.c | 2 +-
+ 6 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/mca/common/dstore/dstore_base.c b/src/mca/common/dstore/dstore_base.c
+index f22461cdeb7a..7ff2e4d6aa2c 100644
+--- a/src/mca/common/dstore/dstore_base.c
++++ b/src/mca/common/dstore/dstore_base.c
+@@ -528,7 +528,7 @@ static int _esh_session_init(pmix_common_dstore_ctx_t *ds_ctx, size_t idx, ns_ma
+ }
+ }
+ if (s->setjobuid > 0){
+- if (0 > chown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
++ if (0 > lchown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){
+ rc = PMIX_ERROR;
+ PMIX_ERROR_LOG(rc);
+ return rc;
+@@ -1682,7 +1682,7 @@ pmix_common_dstore_ctx_t *pmix_common_dstor_init(const char *ds_name, pmix_info_
+ }
+ }
+ if (ds_ctx->setjobuid > 0) {
+- if (chown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
++ if (lchown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){
+ rc = PMIX_ERR_NO_PERMISSIONS;
+ PMIX_ERROR_LOG(rc);
+ goto err_exit;
+diff --git a/src/mca/common/dstore/dstore_segment.c b/src/mca/common/dstore/dstore_segment.c
+index f0c4f9bb9efc..0e68dbf4fedf 100644
+--- a/src/mca/common/dstore/dstore_segment.c
++++ b/src/mca/common/dstore/dstore_segment.c
+@@ -120,7 +120,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix_common_dstor_create_new_lock_seg(const
+
+ if (setuid > 0){
+ rc = PMIX_ERR_PERM;
+- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
+ PMIX_ERROR_LOG(rc);
+ goto err_exit;
+ }
+@@ -211,7 +211,7 @@ PMIX_EXPORT pmix_dstore_seg_desc_t *pmix_common_dstor_create_new_segment(pmix_ds
+
+ if (setuid > 0){
+ rc = PMIX_ERR_PERM;
+- if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){
+ PMIX_ERROR_LOG(rc);
+ goto err_exit;
+ }
+diff --git a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
+index 445231668c57..82b6d358316e 100644
+--- a/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
++++ b/src/mca/gds/ds12/gds_ds12_lock_fcntl.c
+@@ -127,7 +127,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pmix_common_dstor_lock_ctx_t *ctx, const c
+ }
+ }
+ if (0 != setuid) {
+- if (0 > chown(lock_ctx->lockfile, uid, (gid_t) -1)) {
++ if (0 > lchown(lock_ctx->lockfile, uid, (gid_t) -1)) {
+ rc = PMIX_ERROR;
+ PMIX_ERROR_LOG(rc);
+ goto error;
+diff --git a/src/mca/gds/ds12/gds_ds12_lock_pthread.c b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
+index 8192f0532e03..57d855f52049 100644
+--- a/src/mca/gds/ds12/gds_ds12_lock_pthread.c
++++ b/src/mca/gds/ds12/gds_ds12_lock_pthread.c
+@@ -113,7 +113,7 @@ pmix_status_t pmix_gds_ds12_lock_init(pmix_common_dstor_lock_ctx_t *ctx, const c
+ }
+ memset(lock_ctx->segment->seg_base_addr, 0, size);
+ if (0 != setuid) {
+- if (0 > chown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
++ if (0 > lchown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){
+ rc = PMIX_ERROR;
+ PMIX_ERROR_LOG(rc);
+ goto error;
+diff --git a/src/mca/ptl/usock/ptl_usock_component.c b/src/mca/ptl/usock/ptl_usock_component.c
+index 312030250a9d..660b03370ac1 100644
+--- a/src/mca/ptl/usock/ptl_usock_component.c
++++ b/src/mca/ptl/usock/ptl_usock_component.c
+@@ -265,16 +265,16 @@ static pmix_status_t setup_listener(pmix_info_t info[], size_t ninfo,
+ CLOSE_THE_SOCKET(lt->socket);
+ goto sockerror;
+ }
+- /* chown as required */
++ /* lchown as required */
+ if (lt->owner_given) {
+- if (0 != chown(address->sun_path, lt->owner, -1)) {
++ if (0 != lchown(address->sun_path, lt->owner, -1)) {
+ pmix_output(0, "CANNOT CHOWN socket %s: %s", address->sun_path, strerror (errno));
+ CLOSE_THE_SOCKET(lt->socket);
+ goto sockerror;
+ }
+ }
+ if (lt->group_given) {
+- if (0 != chown(address->sun_path, -1, lt->group)) {
++ if (0 != lchown(address->sun_path, -1, lt->group)) {
+ pmix_output(0, "CANNOT CHOWN socket %s: %s", address->sun_path, strerror (errno));
+ CLOSE_THE_SOCKET(lt->socket);
+ goto sockerror;
+diff --git a/src/util/pmix_pty.c b/src/util/pmix_pty.c
+index 58e8d5143e8a..e01b854d17f0 100644
+--- a/src/util/pmix_pty.c
++++ b/src/util/pmix_pty.c
+@@ -248,7 +248,7 @@ static int ptys_open(int fdm, char *pts_name)
+ gid = -1; /* group tty is not in the group file */
+ }
+ /* following two functions don't work unless we're root */
+- chown(pts_name, getuid(), gid);
++ lchown(pts_name, getuid(), gid); // DO NOT FOLLOW LINKS
+ chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP);
+ fds = open(pts_name, O_RDWR);
+ if (fds < 0) {
+--
+2.41.0
+
diff --git a/SPECS/pmix.spec b/SPECS/pmix.spec
index 2884bf1..3471b47 100644
--- a/SPECS/pmix.spec
+++ b/SPECS/pmix.spec
@@ -1,11 +1,13 @@ Name: pmix Version: 3.2.3 -Release: 3%{?dist} +Release: 5%{?dist} Summary: Process Management Interface Exascale (PMIx) License: BSD URL: https://pmix.org/ Source0: https://github.com/pmix/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 +Patch1: 0001-Do-not-follow-links-when-doing-chown.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: flex
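Review bot: In the `_esh_session_init` hunk of dstore_base.c, a zero return from `lchown(s->nspace_path, …)` is still taken to mean the path now belongs to the job user, yet if the last component is a symlink the call succeeds by changing the owner of the link itself. The same applies to `pmix_common_dstor_init`, both dstore_segment.c hunks, both `pmix_gds_ds12_lock_init` hunks and `setup_listener`; any later open of those paths would presumably still follow the link, though that code is outside the hunks. lchown also protects only the final component, so a parent directory writable by another user leaves a window between creation and the ownership change. For files this process appears to have just created, changing ownership through the descriptor closes that window, e.g. `if (0 > fchown(<fd returned by the creating open>, (uid_t) uid, (gid_t) -1)){`; for the directory and socket paths an `lstat` plus `S_ISDIR`/`S_ISSOCK` check before continuing is the smaller step. Every enclosing function starts and ends outside its hunk, so which descriptors are in scope has to be confirmed against the full files.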
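Review bot: In `ptys_open` only the ownership change stops following links: `chmod(pts_name, …)` on the next line and `open(pts_name, O_RDWR)` after it still resolve a symlink at `pts_name`, and the result of `lchown` is discarded. chmod has no widely available no-follow counterpart by path on Linux, so the consistent form is to open first with `fds = open(pts_name, O_RDWR | O_NOFOLLOW);` and then apply `fchown(fds, getuid(), gid);` and `fchmod(fds, S_IRUSR | S_IWUSR | S_IWGRP);` to the descriptor. Whether `pts_name` can be influenced by another user is not visible here (it presumably names the slave side of the pty master `fdm`), so this is hardening rather than a demonstrated flaw. The function body continues outside the hunk.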
@@ -73,6 +75,8 @@ based starters (e.g., mpirun). %prep %setup -q -n %{name}-%{version} +%patch1 -p1 + # touch lexer sources to recompile them find src -name \*.l -print -exec touch --no-create {} \;
@@ -83,6 +87,7 @@ find src -name \*.l -print -exec touch --no-create {} \; --sysconfdir=%{_sysconfdir}/%{name} \ --disable-static \ --disable-silent-rules \ + --with-tests-examples \ --enable-shared \ --enable-pmi-backward-compatibility \ --with-munge
@@ -98,6 +103,14 @@ find src -name \*.l -print -exec touch --no-create {} \; # remove libtool archives find %{buildroot} -name '*.la' | xargs rm -f +# set up pmix self-test infra for install +install -d -m 0755 %{buildroot}%{_datadir}/%{name}/test +for f in pmix_client pmix_regex +do + mv test/.libs/$f %{buildroot}%{_datadir}/%{name}/$f +done +mv test/.libs/pmix_test %{buildroot}%{_datadir}/%{name}/test/pmix_test + %ldconfig_scriptlets %ldconfig_scriptlets devel
@@ -105,10 +118,13 @@ find %{buildroot} -name '*.la' | xargs rm -f %license LICENSE %doc README %dir %{_datadir}/%{name} +%dir %{_datadir}/%{name}/test %dir %{_libdir}/%{name} %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/*.conf %{_datadir}/%{name}/*.txt +%{_datadir}/%{name}/pmix_* +%{_datadir}/%{name}/test/pmix_test %{_libdir}/libmca_common_dstore.so.1* %{_libdir}/libpmix.so.2* %{_libdir}/%{name}/*.so
@@ -133,6 +149,14 @@ find %{buildroot} -name '*.la' | xargs rm -f %{_bindir}/* %changelog +* Tue Nov 14 2023 Kamal Heib - 3.2.3-5 +- Add pmix_test +- Resolves: RHEL-3693 + +* Thu Nov 02 2023 Kamal Heib - 3.2.3-4 +- Fix CVE-2023-41915 +- Resolves: RHEL-3693 + * Mon Aug 09 2021 Mohan Boddu - 3.2.3-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
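Review bot: The `@@ -98,6 +103,14 @@` hunk places the `pmix_client`, `pmix_regex` and `pmix_test` executables under `%{_datadir}/%{name}`, a tree meant for architecture-independent data; `%{_libexecdir}/%{name}` is the conventional location for package-private programs. They are moved straight out of libtool's `test/.libs/` with `mv`, so the installed mode and any RPATH are whatever the build left behind; `install -m 0755 test/.libs/$f %{buildroot}%{_datadir}/%{name}/$f` would at least pin the mode, and it is worth confirming the binaries carry no build-tree RPATH (not checkable from this hunk). Shipping the self-test programs in the main package, enabled by `--with-tests-examples` in the `@@ -83,6 +87,7 @@` hunk, also installs them on every system that pulls in pmix, so a separate subpackage would keep that optional.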