Source: pmix
Version: 5.0.0~rc1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for pmix.

CVE-2023-41915[0]:
| OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers
| to obtain ownership of arbitrary files via a race condition during
| execution of library code with UID 0.

As mentioned in [2]:
| A filesystem race condition could permit a malicious user
| to obtain ownership of an arbitrary file on the filesystem
| when parts of the PMIx library are called by a process
| running as uid 0. This may happen under the default
| configuration of certain workload managers, including Slurm.

(fs.protected_symlinks not protecting in such a case)

Please downgrade the severity if you do not agree with the assessment,
but at the very start the unstable version should be fixed. We can have
a look at what needs to be done for bookworm and bullseye in a next step.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41915
    https://www.cve.org/CVERecord?id=CVE-2023-41915
[1] https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17
[2] https://github.com/openpmix/openpmix/releases/tag/v5.0.1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore