914381 – (CVE-2023-41915) sys-cluster/pmix: root privilege escalation

Bug 914381 (CVE-2023-41915) - sys-cluster/pmix: root privilege escalation

Summary: sys-cluster/pmix: root privilege escalation

Status:	UNCONFIRMED

Alias:	CVE-2023-41915

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~1 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2023-09-18 12:54 UTC by Timo Rothenpieler
Modified:	2023-10-22 23:39 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Timo Rothenpieler 2023-09-18 12:54:50 UTC

pmix just released a bunch of new versions for all supported (and officially unsupported) branches: https://github.com/openpmix/openpmix/releases

All of them address CVE-2023-41915.

Comment 1 John Helmert III archtester

2023-10-22 23:39:05 UTC

CVE-2023-41915:

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.

Fixes indeed appear to be in 4.2.6 and 5.0.1:

https://github.com/openpmix/openpmix/releases/tag/v4.2.6
https://github.com/openpmix/openpmix/releases/tag/v5.0.1