Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pmix for openSUSE:Factory checked in at 2024-02-21 18:01:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pmix (Old) and /work/SRC/openSUSE:Factory/.pmix.new.1706 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pmix" Wed Feb 21 18:01:35 2024 rev:18 rq:1148733 version:3.2.5 Changes: -------- --- /work/SRC/openSUSE:Factory/pmix/pmix.changes 2023-09-12 21:05:59.958844194 +0200 +++ /work/SRC/openSUSE:Factory/.pmix.new.1706/pmix.changes 2024-02-21 18:01:41.346748365 +0100 @@ -1,0 +2,14 @@ +Sun Feb 18 10:12:27 UTC 2024 - Andrea Manzini <[email protected]> + +- Update to 3.2.5: + * fix for CVE-2023-41915: Do not follow links when doing "chown" + +- Update to 3.2.4: + * Must spawn something in tests + * direct: ptl/base: retry recv when it encounter EAGAIN or EWOULDBLOCK + * direct: Make abort on component not found optional + +- dropped patch Fix-a-potential-vulnerability-which-allows-chown-on-user-created-links.patch + as already included in upstream + +------------------------------------------------------------------- Old: ---- Fix-a-potential-vulnerability-which-allows-chown-on-user-created-links.patch openpmix-3.2.3.tar.gz New: ---- openpmix-3.2.5.tar.gz BETA DEBUG BEGIN: Old: - dropped patch Fix-a-potential-vulnerability-which-allows-chown-on-user-created-links.patch as already included in upstream BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pmix.spec ++++++ --- /var/tmp/diff_new_pack.AAKR1k/_old 2024-02-21 18:01:42.598793723 +0100 +++ /var/tmp/diff_new_pack.AAKR1k/_new 2024-02-21 18:01:42.610794157 +0100 @@ -1,7 +1,7 @@ # # spec file for package pmix # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,14 +19,13 @@ # Name: pmix -Version: 3.2.3 +Version: 3.2.5 Release: 0 Summary: Process Management Interface for MPI License: BSD-3-Clause Group: Development/Libraries/Parallel URL: https://pmix.org/ Source0: https://github.com/openpmix/openpmix/archive/v%{version}.tar.gz#/openpmix-%{version}.tar.gz -Patch0: Fix-a-potential-vulnerability-which-allows-chown-on-user-created-links.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes ++++++ openpmix-3.2.3.tar.gz -> openpmix-3.2.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/NEWS new/openpmix-3.2.5/NEWS --- old/openpmix-3.2.3/NEWS 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/NEWS 2023-09-12 20:23:29.000000000 +0200 @@ -1,6 +1,6 @@ Copyright (c) 2015-2020 Intel, Inc. All rights reserved. Copyright (c) 2017-2020 IBM Corporation. All rights reserved. -Copyright (c) 2021 Nanook Consulting. All rights reserved. +Copyright (c) 2021-2023 Nanook Consulting. All rights reserved. $COPYRIGHT$ Additional copyrights may follow 
@@ -21,6 +21,31 @@ example, a bug might be fixed in the master, and then moved to multiple release branches. +3.2.5 -- 12 Sep 2023 +-------------------- +Warning:: CVE-2023-41915 + +A security issue was reported by François Diakhate (CEA) +which is addressed in the PMIx v4.2.6 and v5.0.1 releases. +(Older PMIx versions may be vulnerable, but are no longer +supported.) + +A filesystem race condition could permit a malicious user +to obtain ownership of an arbitrary file on the filesystem +when parts of the PMIx library are called by a process +running as uid 0. This may happen under the default +configuration of certain workload managers, including Slurm. + + - PR #3156: Do not follow links when doing "chown" + + +3.2.4 -- 22 Jan 2023 +---------------------- + - PR #2126: Must spawn something in tests + - direct: ptl/base: retry recv when it encounter EAGAIN or + EWOULDBLOCK + - direct: Make abort on component not found optional + 3.2.3 -- 12 Feb 2021 ---------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/VERSION new/openpmix-3.2.5/VERSION --- old/openpmix-3.2.3/VERSION 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/VERSION 2023-09-12 20:23:29.000000000 +0200 @@ -16,7 +16,7 @@ major=3 minor=2 -release=3 +release=5 # greek is used for alpha or beta release tags. If it is non-empty, # it will be appended to the version number. It does not have to be @@ -24,7 +24,7 @@ # The only requirement is that it must be entirely printable ASCII # characters and have no white space. -greek=rc1 +greek=a1 # If repo_rev is empty, then the repository version number will be # obtained during "make dist" via the "git describe --tags --always" 
@@ -76,7 +76,7 @@ # Version numbers are described in the Libtool current:revision:age # format. -libpmix_so_version=4:33:2 +libpmix_so_version=4:35:2 libpmi_so_version=1:1:0 libpmi2_so_version=1:0:0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/base/base.h new/openpmix-3.2.5/src/mca/base/base.h --- old/openpmix-3.2.3/src/mca/base/base.h 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/base/base.h 2023-09-12 20:23:29.000000000 +0200 @@ -16,6 +16,7 @@ * Copyright (c) 2015 Research Organization for Information Science * and Technology (RIST). All rights reserved. * Copyright (c) 2016-2020 Intel, Inc. All rights reserved. + * Copyright (c) 2023 Nanook Consulting. All rights reserved. * $COPYRIGHT$ * * Additional copyrights may follow @@ -69,6 +70,7 @@ */ PMIX_EXPORT extern char *pmix_mca_base_component_path; PMIX_EXPORT extern bool pmix_mca_base_component_show_load_errors; +PMIX_EXPORT extern bool pmix_mca_base_component_abort_on_load_error; PMIX_EXPORT extern bool pmix_mca_base_component_track_load_errors; PMIX_EXPORT extern bool pmix_mca_base_component_disable_dlopen; PMIX_EXPORT extern char *pmix_mca_base_system_default_path; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/base/pmix_mca_base_component_find.c new/openpmix-3.2.5/src/mca/base/pmix_mca_base_component_find.c --- old/openpmix-3.2.3/src/mca/base/pmix_mca_base_component_find.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/base/pmix_mca_base_component_find.c 2023-09-12 20:23:29.000000000 +0200 @@ -17,6 +17,7 @@ * Copyright (c) 2014-2015 Los Alamos National Security, LLC. All rights * reserved. * Copyright (c) 2016-2020 Intel, Inc. All rights reserved. + * Copyright (c) 2023 Nanook Consulting. All rights reserved. * $COPYRIGHT$ * * Additional copyrights may follow 
@@ -339,12 +340,16 @@ } if (!found) { - char h[PMIX_MAXHOSTNAMELEN] = {0}; - gethostname(h, sizeof(h)-1); - pmix_show_help("help-pmix-mca-base.txt", - "find-available:not-valid", true, - h, framework->framework_name, requested_component_names[i]); - return PMIX_ERR_NOT_FOUND; + if (pmix_mca_base_component_show_load_errors) { + char h[PMIX_MAXHOSTNAMELEN] = {0}; + gethostname(h, sizeof(h)-1); + pmix_show_help("help-pmix-mca-base.txt", + "find-available:not-valid", true, + h, framework->framework_name, requested_component_names[i]); + } + if (pmix_mca_base_component_abort_on_load_error) { + return PMIX_ERR_NOT_FOUND; + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/base/pmix_mca_base_open.c new/openpmix-3.2.5/src/mca/base/pmix_mca_base_open.c --- old/openpmix-3.2.3/src/mca/base/pmix_mca_base_open.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/base/pmix_mca_base_open.c 2023-09-12 20:23:29.000000000 +0200 @@ -14,6 +14,7 @@ * Copyright (c) 2015 Los Alamos National Security, LLC. All rights * reserved. * Copyright (c) 2016-2020 Intel, Inc. All rights reserved. + * Copyright (c) 2023 Nanook Consulting. All rights reserved. * $COPYRIGHT$ * * Additional copyrights may follow @@ -49,6 +50,7 @@ char *pmix_mca_base_system_default_path = NULL; char *pmix_mca_base_user_default_path = NULL; bool pmix_mca_base_component_show_load_errors = (bool) PMIX_SHOW_LOAD_ERRORS_DEFAULT; +bool pmix_mca_base_component_abort_on_load_error = false; bool pmix_mca_base_component_track_load_errors = false; bool pmix_mca_base_component_disable_dlopen = false; 
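Review bot: In the `if (!found)` branch, a component that the caller asked for by name and that could not be loaded is now skipped without a trace whenever `pmix_mca_base_component_show_load_errors` is off, and lookup only fails if `pmix_mca_base_component_abort_on_load_error` is set, which the companion hunk in pmix_mca_base_open.c initialises to false. That turns a fail-closed check into a fail-open one: if the pinned component was chosen for its security properties (a specific `psec` or `ptl` selection, for instance) the framework presumably carries on with whatever else it can load, which I cannot confirm from this hunk. The skip should at least be visible independently of show_load_errors, e.g. `pmix_output_verbose(1, 0, "mca:base: requested %s component %s not found, continuing", framework->framework_name, requested_component_names[i]);` ahead of the abort check, plus a comment such as `/* fail-open unless abort_on_load_error: a missing requested component is ignored */` so the new default reads as deliberate. The surrounding loop and the function begin outside this hunk.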
@@ -119,6 +121,15 @@ (void) pmix_mca_base_var_register_synonym(var_id, "pmix", "mca", NULL, "component_show_load_errors", PMIX_MCA_BASE_VAR_SYN_FLAG_DEPRECATED); + pmix_mca_base_component_abort_on_load_error = false; + var_id = pmix_mca_base_var_register("pmix", "mca", "base", "abort_on_load_error", + "Whether to abort when a specified component isn't found or cannot be loaded", + PMIX_MCA_BASE_VAR_TYPE_BOOL, NULL, 0, 0, + PMIX_INFO_LVL_9, + PMIX_MCA_BASE_VAR_SCOPE_READONLY, + &pmix_mca_base_component_abort_on_load_error); + + pmix_mca_base_component_track_load_errors = false; var_id = pmix_mca_base_var_register("pmix", "mca", "base", "component_track_load_errors", "Whether to track errors for components that failed to load or not", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/common/dstore/dstore_base.c new/openpmix-3.2.5/src/mca/common/dstore/dstore_base.c --- old/openpmix-3.2.3/src/mca/common/dstore/dstore_base.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/common/dstore/dstore_base.c 2023-09-12 20:23:29.000000000 +0200 @@ -528,7 +528,7 @@ } } if (s->setjobuid > 0){ - if (0 > chown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){ + if (0 > lchown(s->nspace_path, (uid_t) s->jobuid, (gid_t) -1)){ rc = PMIX_ERROR; PMIX_ERROR_LOG(rc); return rc; 
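Review bot: The new `abort_on_load_error` parameter defaults to `false`, so a requested-but-missing component, which previously made component lookup return PMIX_ERR_NOT_FOUND, now passes unless an operator knows to set `pmix_mca_base_abort_on_load_error=1`; keeping the old behaviour as the default (`bool pmix_mca_base_component_abort_on_load_error = true;` at the file-scope definition and again before the register call) would leave the relaxation opt-in for the direct/test use it appears to serve. The description string also says "abort" while the effect is an error return from lookup rather than a process abort; `"Whether component lookup fails (PMIX_ERR_NOT_FOUND) when a requested component isn't found or cannot be loaded"` states what the flag actually does. The assignment to `false` on the line before `pmix_mca_base_var_register` duplicates the file-scope initializer from the earlier hunk and can be dropped.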
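Review bot: `lchown(s->nspace_path, ...)` removes the symlink-at-the-leaf case, but the call still resolves any symlink in the parent components of the path and still follows a hard link placed at the leaf, so on a host without `fs.protected_hardlinks` a user who can write the parent directory keeps a (narrower) race between the directory's creation and this call. The directory appears to have just been created by this function (its creation is outside the hunk), so binding the ownership change to the inode rather than the path closes the window at the leaf: `int dfd = open(s->nspace_path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);` then `fchown(dfd, (uid_t) s->jobuid, (gid_t) -1)` and `close(dfd)`, reusing the existing PMIX_ERROR path when either call fails; parent components would still be path-resolved, and only mkdirat/openat relative to a descriptor of the trusted base removes that too. A one-line comment, `/* CVE-2023-41915: never chown through a path a job user may control */`, keeps the reason from being lost in the next cleanup. The enclosing function starts and ends outside this hunk.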
@@ -1682,7 +1682,7 @@ } } if (ds_ctx->setjobuid > 0) { - if (chown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){ + if (lchown(ds_ctx->base_path, (uid_t) ds_ctx->jobuid, (gid_t) -1) < 0){ rc = PMIX_ERR_NO_PERMISSIONS; PMIX_ERROR_LOG(rc); goto err_exit; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/common/dstore/dstore_segment.c new/openpmix-3.2.5/src/mca/common/dstore/dstore_segment.c --- old/openpmix-3.2.3/src/mca/common/dstore/dstore_segment.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/common/dstore/dstore_segment.c 2023-09-12 20:23:29.000000000 +0200 @@ -120,7 +120,7 @@ if (setuid > 0){ rc = PMIX_ERR_PERM; - if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){ + if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){ PMIX_ERROR_LOG(rc); goto err_exit; } @@ -211,7 +211,7 @@ if (setuid > 0){ rc = PMIX_ERR_PERM; - if (0 > chown(file_name, (uid_t) uid, (gid_t) -1)){ + if (0 > lchown(file_name, (uid_t) uid, (gid_t) -1)){ PMIX_ERROR_LOG(rc); goto err_exit; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/gds/ds12/gds_ds12_lock_fcntl.c new/openpmix-3.2.5/src/mca/gds/ds12/gds_ds12_lock_fcntl.c --- old/openpmix-3.2.3/src/mca/gds/ds12/gds_ds12_lock_fcntl.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/gds/ds12/gds_ds12_lock_fcntl.c 2023-09-12 20:23:29.000000000 +0200 
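Review bot: A failed `lchown(ds_ctx->base_path, ...)` here maps to PMIX_ERR_NO_PERMISSIONS while the same failure on `s->nspace_path` earlier in this file maps to PMIX_ERROR; lchown can also fail with ENOENT or ELOOP, so the code should either map errno (EPERM/EACCES to PMIX_ERR_NO_PERMISSIONS, else PMIX_ERROR) or use one code in both places. The errno is also discarded by `PMIX_ERROR_LOG(rc)`, and a `pmix_output_verbose` of `strerror(errno)` next to it would tell an operator whether the base path vanished or the server lacks privilege. As with the nspace_path hunk, an `fchown` on a descriptor opened with `O_DIRECTORY | O_NOFOLLOW` would tie the change to the directory this function created instead of to a path. The enclosing function is outside the hunk.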
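Review bot: `lchown(file_name, ...)` is still a path-based ownership change on a segment file that, as far as the context shows, this function has just created, so a hard link swapped in at `file_name` between creation and this call (possible where `fs.protected_hardlinks` is off and the directory is job-writable) would still be chowned; if the descriptor from the create is still open at this point (it is outside the hunk), `fchown(fd, (uid_t) uid, (gid_t) -1)` on it removes the window entirely. `rc = PMIX_ERR_PERM` is also set unconditionally before the call and then logged, hiding the real errno; `PMIX_ERROR_LOG(rc)` next to `strerror(errno)` would distinguish EPERM from ENOENT or ELOOP. A comment, `/* ownership must follow the inode we created, not a path the job user may replace */`, documents why lchown/fchown rather than chown is required here. The enclosing function starts outside the hunk.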
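Review bot: This second `if (setuid > 0)` block is byte-for-byte the same as the one about ninety lines earlier in dstore_segment.c, including the `rc = PMIX_ERR_PERM` preset and the `goto err_exit`, so the ownership change for segment files is now maintained in two places that must be kept in sync (as this CVE fix itself demonstrates). Factoring it into a single `static int set_segment_owner(const char *file_name, uid_t uid)` helper, or better one taking the open descriptor and calling `fchown`, gives one place to audit. Both enclosing functions begin and end outside the hunk.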
@@ -127,7 +127,7 @@ } } if (0 != setuid) { - if (0 > chown(lock_ctx->lockfile, uid, (gid_t) -1)) { + if (0 > lchown(lock_ctx->lockfile, uid, (gid_t) -1)) { rc = PMIX_ERROR; PMIX_ERROR_LOG(rc); goto error; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/gds/ds12/gds_ds12_lock_pthread.c new/openpmix-3.2.5/src/mca/gds/ds12/gds_ds12_lock_pthread.c --- old/openpmix-3.2.3/src/mca/gds/ds12/gds_ds12_lock_pthread.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/gds/ds12/gds_ds12_lock_pthread.c 2023-09-12 20:23:29.000000000 +0200 @@ -113,7 +113,7 @@ } memset(lock_ctx->segment->seg_base_addr, 0, size); if (0 != setuid) { - if (0 > chown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){ + if (0 > lchown(lock_ctx->lockfile, (uid_t) uid, (gid_t) -1)){ rc = PMIX_ERROR; PMIX_ERROR_LOG(rc); goto error; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/mca/ptl/base/ptl_base_connect.c new/openpmix-3.2.5/src/mca/ptl/base/ptl_base_connect.c --- old/openpmix-3.2.3/src/mca/ptl/base/ptl_base_connect.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/mca/ptl/base/ptl_base_connect.c 2023-09-12 20:23:29.000000000 +0200 @@ -147,7 +147,7 @@ pmix_output_verbose(8, pmix_ptl_base_framework.framework_output, "blocking_recv received error %d:%s from remote - cycling", pmix_socket_errno, strerror(pmix_socket_errno)); - return PMIX_ERR_TEMP_UNAVAILABLE; + continue; } if (pmix_socket_errno != EINTR ) { /* If we overflow the listen backlog, it's diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/src/util/pmix_pty.c new/openpmix-3.2.5/src/util/pmix_pty.c --- old/openpmix-3.2.3/src/util/pmix_pty.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/src/util/pmix_pty.c 2023-09-12 20:23:29.000000000 +0200 
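Review bot: `lchown(lock_ctx->lockfile, uid, ...)` passes `uid` without the `(uid_t)` cast that the pthread variant and the dstore hunks use; if `uid` is a signed int here, a negative value silently becomes a large uid, so `(uid_t) uid` with a `uid >= 0` guard ahead of it would make the two lock backends consistent. More importantly the lock file is, from the surrounding context, opened by this function before the ownership change, so `fchown` on that descriptor removes the remaining create-to-chown race that path-based lchown leaves open against a hard link, where the directory is job-writable and `fs.protected_hardlinks` is off. The enclosing function starts outside the hunk.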
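Review bot: The ownership change on `lock_ctx->lockfile` runs after `memset(lock_ctx->segment->seg_base_addr, 0, size)`, i.e. the backing segment is already mapped, so the descriptor it was created from presumably exists and `fchown` on it would bind the change to the inode actually mapped rather than to a path that a job user with write access to the directory could replace between creation and this call. Whether the `error` label unmaps the segment on this failure path is not visible in the hunk and is worth checking, since the lchown failure is the only new early exit after the mapping is populated. The enclosing function starts and ends outside the hunk.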
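Review bot: Replacing `return PMIX_ERR_TEMP_UNAVAILABLE` with `continue` on EAGAIN/EWOULDBLOCK makes this receive loop unbounded: on a non-blocking socket it spins at full CPU until the peer sends, and if the socket has SO_RCVTIMEO set (EAGAIN is how that timeout is reported) the timeout is now silently defeated. A client that connects and never sends its handshake therefore pins the thread for as long as it likes, which in a server running under a workload manager is a cheap denial of service; the previous return at least let the caller give up. Bound the retry, e.g. `if (++retries > PMIX_BLOCKING_RECV_MAX_RETRIES) return PMIX_ERR_TIMEOUT;` before the `continue`, or better wait on the descriptor with `poll()` and a finite timeout instead of re-calling recv immediately. The loop and its function start outside the hunk, so the counter would be declared there.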
@@ -11,6 +11,7 @@ * All rights reserved. * Copyright (c) 2018 Cisco Systems, Inc. All rights reserved * Copyright (c) 2019-2020 Intel, Inc. All rights reserved. + * Copyright (c) 2021-2023 Nanook Consulting. All rights reserved. * $COPYRIGHT$ * * Additional copyrights may follow @@ -248,7 +249,7 @@ gid = -1; /* group tty is not in the group file */ } /* following two functions don't work unless we're root */ - chown(pts_name, getuid(), gid); + lchown(pts_name, getuid(), gid); // DO NOT FOLLOW LINKS chmod(pts_name, S_IRUSR | S_IWUSR | S_IWGRP); fds = open(pts_name, O_RDWR); if (fds < 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/test/simple/Makefile.am new/openpmix-3.2.5/test/simple/Makefile.am --- old/openpmix-3.2.3/test/simple/Makefile.am 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/test/simple/Makefile.am 2023-09-12 20:23:29.000000000 +0200 @@ -12,6 +12,7 @@ # Copyright (c) 2006-2010 Cisco Systems, Inc. All rights reserved. # Copyright (c) 2012-2013 Los Alamos National Security, Inc. All rights reserved. # Copyright (c) 2013-2020 Intel, Inc. All rights reserved. +# Copyright (c) 2023 Nanook Consulting. All rights reserved. # $COPYRIGHT$ # # Additional copyrights may follow 
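Review bot: Only the `chown` became `lchown` here; the `chmod(pts_name, ...)` on the next line still follows symlinks, and both return values are discarded, so if `pts_name` can be influenced the same race that CVE-2023-41915 describes now applies to the mode change instead of the owner (how much control a caller has over `pts_name` in this fallback path is not visible in the hunk, and on Linux this code may not even be compiled if `openpty` is available). The robust form is to open the slave first with `O_NOFOLLOW` and then operate on the descriptor with `fchown`/`fchmod`, which reuses the `open` that already follows these two calls. The `// DO NOT FOLLOW LINKS` comment should say why, e.g. `/* CVE-2023-41915: chown through a path could be redirected by a symlink */`. The enclosing function starts and ends outside this hunk.
```c
    /* following two functions don't work unless we're root;
     * operate on the descriptor so a symlink at pts_name cannot
     * redirect the owner/mode change (CVE-2023-41915) */
    fds = open(pts_name, O_RDWR | O_NOFOLLOW);
    if (fds < 0) {
        /* … unchanged: existing open-failure handling … */
    }
    (void) fchown(fds, getuid(), gid);
    (void) fchmod(fds, S_IRUSR | S_IWUSR | S_IWGRP);
```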
@@ -28,103 +29,103 @@ gwtest gwclient stability quietclient simpjctrl \ pmitest -simptest_SOURCES = \ +simptest_SOURCES = $(headers) \ simptest.c simptest_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simptest_LDADD = \ $(top_builddir)/src/libpmix.la -simpclient_SOURCES = \ +simpclient_SOURCES = $(headers) \ simpclient.c simpclient_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simpclient_LDADD = \ $(top_builddir)/src/libpmix.la -simppub_SOURCES = \ +simppub_SOURCES = $(headers) \ simppub.c simppub_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simppub_LDADD = \ $(top_builddir)/src/libpmix.la -simpdmodex_SOURCES = \ +simpdmodex_SOURCES = $(headers) \ simpdmodex.c simpdmodex_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simpdmodex_LDADD = \ $(top_builddir)/src/libpmix.la -simpft_SOURCES = \ +simpft_SOURCES = $(headers) \ simpft.c simpft_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simpft_LDADD = \ $(top_builddir)/src/libpmix.la -simpdyn_SOURCES = \ +simpdyn_SOURCES = $(headers) \ simpdyn.c simpdyn_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simpdyn_LDADD = \ $(top_builddir)/src/libpmix.la -test_pmix_SOURCES = \ +test_pmix_SOURCES = $(headers) \ test_pmix.c test_pmix_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) test_pmix_LDADD = \ $(top_builddir)/src/libpmix.la -simptool_SOURCES = \ +simptool_SOURCES = $(headers) \ simptool.c simptool_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simptool_LDADD = \ $(top_builddir)/src/libpmix.la -simpdie_SOURCES = \ +simpdie_SOURCES = $(headers) \ simpdie.c simpdie_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simpdie_LDADD = \ $(top_builddir)/src/libpmix.la -simplegacy_SOURCES = \ +simplegacy_SOURCES = $(headers) \ simplegacy.c simplegacy_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simplegacy_LDADD = \ $(top_builddir)/src/libpmi.la -simptimeout_SOURCES = \ +simptimeout_SOURCES = $(headers) \ simptimeout.c simptimeout_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simptimeout_LDADD = \ $(top_builddir)/src/libpmix.la -gwtest_SOURCES = \ +gwtest_SOURCES = $(headers) \ gwtest.c gwtest_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) 
gwtest_LDADD = \ $(top_builddir)/src/libpmix.la -gwclient_SOURCES = \ +gwclient_SOURCES = $(headers) \ gwclient.c gwclient_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) gwclient_LDADD = \ $(top_builddir)/src/libpmix.la -stability_SOURCES = \ +stability_SOURCES = $(headers) \ stability.c stability_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) stability_LDADD = \ $(top_builddir)/src/libpmix.la -quietclient_SOURCES = \ +quietclient_SOURCES = $(headers) \ quietclient.c quietclient_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) quietclient_LDADD = \ $(top_builddir)/src/libpmix.la -simpjctrl_SOURCES = \ +simpjctrl_SOURCES = $(headers) \ simpjctrl.c simpjctrl_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) simpjctrl_LDADD = \ $(top_builddir)/src/libpmix.la -pmitest_SOURCES = \ +pmitest_SOURCES = $(headers) \ pmitest.c pmitest_LDFLAGS = $(PMIX_PKG_CONFIG_LDFLAGS) pmitest_LDADD = \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openpmix-3.2.3/test/test_spawn.c new/openpmix-3.2.5/test/test_spawn.c --- old/openpmix-3.2.3/test/test_spawn.c 2021-02-11 21:42:51.000000000 +0100 +++ new/openpmix-3.2.5/test/test_spawn.c 2023-09-12 20:23:29.000000000 +0200 @@ -2,6 +2,7 @@ * Copyright (c) 2015-2019 Intel, Inc. All rights reserved. * Copyright (c) 2015 Mellanox Technologies, Inc. * All rights reserved. + * Copyright (c) 2021 Nanook Consulting. All rights reserved. * $COPYRIGHT$ * * Additional copyrights may follow @@ -36,6 +37,7 @@ memset(nspace, 0, PMIX_MAX_NSLEN+1); napps = 1; PMIX_APP_CREATE(apps, napps); + apps[0].cmd = strdup("foo"); // need SOMETHING we intend to spawn! if (blocking) { if (PMIX_SUCCESS != (rc = PMIx_Spawn(NULL, 0, apps, napps, nspace))) { PMIX_APP_FREE(apps, napps);
