CVE-2023-41915

Name: CVE-2023-41915
Description: OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3643-1, DSA-5547-1
Debian Bugs: 1051729

Vulnerable and fixed packages

The table below lists information on source packages.

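| Source Package | Release | Version | Status |
|---|---|---|---|
| pmix (PTS) | buster | 3.1.2-3 | vulnerable |
| pmix (PTS) | buster (security) | 3.1.2-3+deb10u1 | fixed |
| pmix (PTS) | bullseye (security), bullseye | 4.0.0-4.1+deb11u1 | fixed |
| pmix (PTS) | bookworm, bookworm (security) | 4.2.2-1+deb12u1 | fixed |
| pmix (PTS) | sid, trixie | 5.0.2-3 | fixed |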

The information below is based on the following data on fixed versions.

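| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pmix | source | buster | 3.1.2-3+deb10u1 | | DLA-3643-1 | |
| pmix | source | bullseye | 4.0.0-4.1+deb11u1 | | DSA-5547-1 | |
| pmix | source | bookworm | 4.2.2-1+deb12u1 | | DSA-5547-1 | |
| pmix | source | (unstable) | 5.0.1-1 | | | 1051729 |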

Notes

https://github.com/openpmix/openpmix/commit/da036933c2795c1f40d0835e15f17e204e4daf0f (v4.2.6)
https://github.com/openpmix/openpmix/commit/0bf9801a3017eb6ca411e158da39570ccb998c17 (v5.0.1)
