ompi/v4.1.x libevent code has CVEs that are fixed in libevent/master.
Background information
A security tool we use identified three CVEs (1x Critical, 2x High) in ompi/v4.1.x's copy of libevent.
These CVEs are fixed in libevent/master.
Here are the CVEs with links to the libevent issues and their fixes:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10195
  - libevent issue: https://github.com/libevent/libevent/issues/317
  - libevent fixing commit: https://github.com/libevent/libevent/commit/96f64a022014a208105ead6c8a7066018449d86d
- https://nvd.nist.gov/vuln/detail/CVE-2016-10196
  - libevent issue: https://github.com/libevent/libevent/issues/318
  - libevent fixing commit: https://github.com/libevent/libevent/commit/329acc18a0768c21ba22522f01a5c7f46cacc4d5
- https://nvd.nist.gov/vuln/detail/CVE-2016-10197
  - libevent issue: https://github.com/libevent/libevent/issues/332
  - libevent fixing commit: https://github.com/libevent/libevent/commit/ec65c42052d95d2c23d1d837136d1cf1d9ecef9e
I compared ompi/v4.1.x libevent code to the CVE fixes from libevent and confirmed these are true hits.
libevent 2.1.8 is the first non-beta, non-prerelease libevent to have the above fixes. ompi/v4.1.x has libevent 2.0.22 code.
What version of Open MPI are you using? (e.g., v3.0.5, v4.0.2, git branch name and hash, etc.)
v4.1.x, head commit 1c67bf1c6a.
Describe how Open MPI was installed (e.g., from a source/distribution tarball, from a git clone, from an operating system distribution package, etc.)
git clone.
If you are building/installing from a git clone, please copy-n-paste the output from git submodule status.
N/A
Please describe the system on which you are running
- Operating system/version: N/A
- Computer hardware: N/A
- Network type: N/A
Details of the problem
N/A, all in the background section.
evdns.c is only compiled when libevent is built with DNS support. ompi/v4.1.x does not appear to build libevent with DNS support. I am still able to build v4.1.x if I remove evdns.c and edit libevent/Makefile.am like so:
diff --git a/opal/mca/event/libevent2022/libevent/Makefile.am b/opal/mca/event/libevent2022/libevent/Makefile.am
index 6109c8d7a0..f59b54deb4 100644
--- a/opal/mca/event/libevent2022/libevent/Makefile.am
+++ b/opal/mca/event/libevent2022/libevent/Makefile.am
@@ -187,9 +187,6 @@ CORE_LIBS =
if HTTP
CORE_SRC += http.c
endif
-if DNS
-CORE_SRC += evdns.c
-endif
if RPC
CORE_SRC += evrpc.c
endif
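Review bot: dropping the `if DNS` block removes evdns.c from CORE_SRC but leaves the DNS automake conditional defined and unused, and if evdns.c is also deleted from the tree as described above, any other Makefile.am list that still names it (distribution or header lists are not in this hunk) will break `make dist`. Check those lists before taking the change, or keep the conditional and remove the file from every list that references it in one go.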
The libevent CVE fix-commits cherry-pick easily to ompi/v4.1.x:
git remote add libevent ../libevent/
git fetch libevent
git cherry-pick -Xsubtree=opal/mca/event/libevent2022/libevent 96f64a0 329acc1 ec65c42
git diff origin/v4.1.x
diff --git a/opal/mca/event/libevent2022/libevent/evdns.c b/opal/mca/event/libevent2022/libevent/evdns.c
index f55a50a0bc..08dc290098 100644
--- a/opal/mca/event/libevent2022/libevent/evdns.c
+++ b/opal/mca/event/libevent2022/libevent/evdns.c
@@ -958,7 +958,6 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
for (;;) {
u8 label_len;
- if (j >= length) return -1;
GET8(label_len);
if (!label_len) break;
if (label_len & 0xc0) {
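Review bot: the removed `if (j >= length) return -1;` was the only visible guard before `GET8(label_len);`, so the removal is correct only if GET8 performs the same `j >= length` check itself; the macro definition is not in this hunk. Confirm it against the vendored evdns.c (the local copy has other local changes, per the discussion) before merging; if the local GET8 differs from upstream's, keep the line.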
@@ -979,6 +978,7 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
*cp++ = '.';
}
if (cp + label_len >= end) return -1;
+ if (j + label_len > length) return -1;
memcpy(cp, packet + j, label_len);
cp += label_len;
j += label_len;
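Review bot: the new `if (j + label_len > length) return -1;` is the input-side bound that the pre-existing `if (cp + label_len >= end) return -1;` (output side) never provided, so an over-long label is now rejected before `memcpy(cp, packet + j, label_len)` reads past the packet; `>` rather than `>=` is right here because the copy reads packet[j] through packet[j + label_len - 1]. A one-line comment saying the two checks bound the two different buffers would help the next person diffing this file against upstream.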
@@ -3120,9 +3120,12 @@ search_set_from_hostname(struct evdns_base *base) {
static char *
search_make_new(const struct search_state *const state, int n, const char *const base_name) {
const size_t base_len = strlen(base_name);
- const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
+ char need_to_append_dot;
struct search_domain *dom;
+ if (!base_len) return NULL;
+ need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
+
for (dom = state->head; dom; dom = dom->next) {
if (!n--) {
/* this is the postfix we want */
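Review bot: `if (!base_len) return NULL;` introduces a NULL return for an empty base_name that the pre-fix code could not produce (it would instead index base_name[base_len - 1] with base_len == 0); callers of search_make_new are not in this hunk, so confirm each treats NULL as failure the same way it treats allocation failure rather than dereferencing it. Moving the `need_to_append_dot` assignment after the check is the point of the change, and splitting the declaration keeps declarations before statements for the C89-style code around it.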
diff --git a/opal/mca/event/libevent2022/libevent/evutil.c b/opal/mca/event/libevent2022/libevent/evutil.c
index 214f9082db..cb1b81cad7 100644
--- a/opal/mca/event/libevent2022/libevent/evutil.c
+++ b/opal/mca/event/libevent2022/libevent/evutil.c
@@ -1808,12 +1808,12 @@ evutil_parse_sockaddr_port(const char *ip_as_string, struct sockaddr *out, int *
cp = strchr(ip_as_string, ':');
if (*ip_as_string == '[') {
- int len;
+ size_t len;
if (!(cp = strchr(ip_as_string, ']'))) {
return -1;
}
- len = (int) ( cp-(ip_as_string + 1) );
- if (len > (int)sizeof(buf)-1) {
+ len = ( cp-(ip_as_string + 1) );
+ if (len > sizeof(buf)-1) {
return -1;
}
memcpy(buf, ip_as_string+1, len);
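Review bot: changing `len` from int to size_t makes `if (len > sizeof(buf)-1)` an unsigned comparison, so a bracketed string whose length does not fit in int can no longer wrap negative, pass the signed check and overflow buf in `memcpy(buf, ip_as_string+1, len);`. The implicit ptrdiff_t to size_t conversion at `len = ( cp-(ip_as_string + 1) );` is non-negative only because cp came from strchr(ip_as_string, ']') inside the `*ip_as_string == '['` branch, so it points at or past ip_as_string + 1; that invariant deserves a short comment next to the assignment.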
ompi/v4.1.x built with these changes (./autogen.pl && ./configure && make -j). I have not verified these changes.
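To show what the first of the three fixes (CVE-2016-10195, the name_parse() change in the cherry-picked diff) actually prevents, here is an added example that is not Open MPI's or libevent's code: a cut-down model of the evdns label loop in which every packet read goes through an instrumented helper that records an out-of-bounds access instead of performing it, so the pre-fix variant can be run safely and shows where it would read past the packet. Both packets are constructed inline; `rd8`, `name_parse_model` and the wrapper functions are this example's own names, and compression pointers (`label_len & 0xc0`) are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* Instrumented byte read: instead of touching packet[j] when j >= length,
 * record the overread in *oob and return 0. This is what lets the
 * pre-fix variant run safely below. (Example helper, not libevent's.) */
static u8 rd8(const u8 *packet, int length, int j, int *oob)
{
    if (j >= length) {
        *oob = 1;
        return 0;
    }
    return packet[j];
}

/* Model of the evdns name_parse() label loop for uncompressed names.
 * fixed == 0: the checks the pre-fix loop had (bounds check on the length
 *             byte, output-buffer check) but none on the label bytes.
 * fixed == 1: adds the `j + label_len > length` check from the CVE fix.
 * Returns 0 on success, -1 on malformed input; *oob reports whether any
 * byte past the packet end was read. */
static int name_parse_model(const u8 *packet, int length, int *idx,
                            char *name_out, int name_out_len,
                            int fixed, int *oob)
{
    int j = *idx;
    char *cp = name_out;
    const char *end = name_out + name_out_len;

    *oob = 0;
    for (;;) {
        u8 label_len;
        if (j >= length)
            return -1;                       /* GET8's own bounds check */
        label_len = rd8(packet, length, j++, oob);
        if (!label_len)
            break;
        if (label_len & 0xc0)
            return -1;                       /* compression pointers not modelled */
        if (cp != name_out) {
            if (cp + 1 >= end)
                return -1;
            *cp++ = '.';
        }
        if (cp + label_len >= end)
            return -1;                       /* output-buffer check, pre-existing */
        if (fixed && j + label_len > length)
            return -1;                       /* input-bounds check added by the fix */
        for (int k = 0; k < label_len; k++)  /* stands in for memcpy(cp, packet + j, label_len) */
            *cp++ = (char)rd8(packet, length, j + k, oob);
        j += label_len;
    }
    if (cp >= end)
        return -1;
    *cp = '\0';
    *idx = j;
    return 0;
}

/* Constructed inputs (not captured traffic). */
static const u8 good_pkt[] = { 3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
/* Claims a 40-byte label with only 3 bytes left in the packet. */
static const u8 bad_pkt[]  = { 3,'w','w','w', 40,'e','v','l' };

/* Parse the truncated packet; returns 1 if the variant read past the end. */
int truncated_label_overreads(int fixed)
{
    char name[256];
    int idx = 0, oob = 0;
    (void)name_parse_model(bad_pkt, (int)sizeof bad_pkt, &idx,
                           name, (int)sizeof name, fixed, &oob);
    return oob;
}

/* Parse the well-formed packet; returns 1 if it yields "www.example.com"
 * with no overread and the index left just past the terminating zero. */
int well_formed_name_ok(int fixed)
{
    char name[256];
    int idx = 0, oob = 0;
    int rc = name_parse_model(good_pkt, (int)sizeof good_pkt, &idx,
                              name, (int)sizeof name, fixed, &oob);
    return rc == 0 && oob == 0 && idx == (int)sizeof good_pkt
        && strcmp(name, "www.example.com") == 0;
}

int main(void)
{
    printf("truncated label, before fix: overread=%d\n", truncated_label_overreads(0));
    printf("truncated label, after fix:  overread=%d\n", truncated_label_overreads(1));
    printf("well-formed name, after fix: ok=%d\n", well_formed_name_ok(1));
    return 0;
}
```

The pre-fix variant still returns -1 on the truncated packet, but only after the copy loop has already walked 37 bytes past the end of the packet, which in the real code is a memcpy into a stack buffer from whatever follows the packet in memory; the fixed variant rejects the label before any of those reads happen, and both variants parse the well-formed name identically.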
We've minimally discussed this on Slack so far -- we think the risk is super low / Open MPI doesn't use this functionality. We'll discuss in more detail at this Tuesday's upcoming weekly Webex.
As discussed in Slack, it looks like we've made other local changes to the embedded libevent. It may be worth making these changes on the basis of:
- For at least the DNS change, there is demonstrably no difference to OMPI (because we're not using that functionality).
- We don't have to explain why OMPI has unpatched CVE code every time someone stumbles across it.
- We have precedent for making other local changes to libevent.
I'm not thrilled with yet another local-only change, especially on a stable branch like 4.1. If we're going to make a local change, let's just remove the dead .c files?
@jsquyres can I close this issue? You merged the fixes into v4.1.x and no work is needed for main or v5.0.x, right?
Agreed. Closing.