- Resolves: RHEL-122942

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
2025-11-18 13:25:07 +01:00 · 2025-11-18 13:25:07 +01:00 · 24eeeb4c36
commit 24eeeb4c36
parent 64106f2da4
4 changed files with 13 additions and 75 deletions
--- a/.gitignore
+++ b/.gitignore
@ -50,3 +50,4 @@ corosync-1.2.7.tar.gz
 /corosync-3.1.7.tar.gz
 /corosync-3.1.8.tar.gz
 /corosync-3.1.9.tar.gz
+/corosync-3.1.10.tar.gz
--- a/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch
+++ b/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch
@ -1,68 +0,0 @@
-From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
-From: Jan Friesse <jfriesse@redhat.com>
-Date: Mon, 24 Mar 2025 12:05:08 +0100
-Subject: [PATCH] totemsrp: Check size of orf_token msg
-
-orf_token message is stored into preallocated array on endian convert
-so carefully crafted malicious message can lead to crash of corosync.
-
-Solution is to check message size beforehand.
-
-Signed-off-by: Jan Friesse <jfriesse@redhat.com>
-Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
- exec/totemsrp.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/exec/totemsrp.c b/exec/totemsrp.c
-index 962d0e2a..364528ce 100644
--- a/exec/totemsrp.c
-+++ b/exec/totemsrp.c
-@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
- 	const struct totemsrp_instance *instance,
- 	const void *msg,
- 	size_t msg_len,
-+	size_t max_msg_len,
- 	int endian_conversion_needed)
- {
- 	int rtr_entries;
- 	const struct orf_token *token = (const struct orf_token *)msg;
- 	size_t required_len;
- 
-+	if (msg_len > max_msg_len) {
-+		log_printf (instance->totemsrp_log_level_security,
-+		    "Received orf_token message is too long...  ignoring.");
-+
-+		return (-1);
-+	}
-+
- 	if (msg_len < sizeof(struct orf_token)) {
- 		log_printf (instance->totemsrp_log_level_security,
- 		    "Received orf_token message is too short...  ignoring.");
-@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
- 		rtr_entries = token->rtr_list_entries;
- 	}
- 
-+	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
-+		log_printf (instance->totemsrp_log_level_security,
-+		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
-+
-+		return (-1);
-+	}
-+
- 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
- 	if (msg_len < required_len) {
- 		log_printf (instance->totemsrp_log_level_security,
-@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
- 	    "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
- #endif
- 
-	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
-+	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
-+	    endian_conversion_needed) == -1) {
- 		return (0);
- 	}
- 
-- 
-2.47.0
-
--- a/corosync.spec
+++ b/corosync.spec
@ -14,13 +14,11 @@

 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
-Version: 3.1.9
-Release: 2%{?dist}
-License: BSD
+Version: 3.1.10
+Release: 1%{?dist}
+License: BSD-3-Clause
 URL: http://corosync.github.io/corosync/
-Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz
-
-Patch0: RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch
+Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}%{?gittarver}.tar.gz

 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@ -197,8 +195,10 @@ fi
 %{_initrddir}/corosync
 %{_initrddir}/corosync-notifyd
 %endif
+%if %{without systemd}
 %dir %{_localstatedir}/lib/corosync
 %dir %{_localstatedir}/log/cluster
+%endif
 %{_mandir}/man7/corosync_overview.7*
 %{_mandir}/man8/corosync.8*
 %{_mandir}/man8/corosync-blackbox.8*
@ -289,6 +289,11 @@ network splits)
 %endif

 %changelog
+* Tue Nov 18 2025 Jan Friesse <jfriesse@redhat.com> - 3.1.10-1
+- Resolves: RHEL-122942
+
+- New upstream release (RHEL-122942)
+
 * Wed Mar 26 2025 Jan Friesse <jfriesse@redhat.com> - 3.1.9-2
 - Resolves: RHEL-84616

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (corosync-3.1.9.tar.gz) = d5332c65535dd40e3bee48912ebf2e71c55380b3dba93c36ff8b74090edf3ec44b69685cd11fda3732e4b0dab0b2954f08be94d772fcff6aaf9a4a846ef2e4cc
+SHA512 (corosync-3.1.10.tar.gz) = cf2014d15fdbd3495cfe64629255f7855a79651a595938dac7bc7ec67338d843079ae40cf1c15de23b50d85cb39b2c2e3e3448a9cc33759ad8988b8c85ce59d3