diff --git a/.gitignore b/.gitignore index da9b5a5..157ec45 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,4 @@ corosync-1.2.7.tar.gz /corosync-3.1.7.tar.gz /corosync-3.1.8.tar.gz /corosync-3.1.9.tar.gz +/corosync-3.1.10.tar.gz diff --git a/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch b/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch deleted file mode 100644 index 17b4c3e..0000000 --- a/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001 -From: Jan Friesse -Date: Mon, 24 Mar 2025 12:05:08 +0100 -Subject: [PATCH] totemsrp: Check size of orf_token msg - -orf_token message is stored into preallocated array on endian convert -so carefully crafted malicious message can lead to crash of corosync. - -Solution is to check message size beforehand. - -Signed-off-by: Jan Friesse -Reviewed-by: Christine Caulfield ---- - exec/totemsrp.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/exec/totemsrp.c b/exec/totemsrp.c -index 962d0e2a..364528ce 100644 ---- a/exec/totemsrp.c -+++ b/exec/totemsrp.c -@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity( - const struct totemsrp_instance *instance, - const void *msg, - size_t msg_len, -+ size_t max_msg_len, - int endian_conversion_needed) - { - int rtr_entries; - const struct orf_token *token = (const struct orf_token *)msg; - size_t required_len; - -+ if (msg_len > max_msg_len) { -+ log_printf (instance->totemsrp_log_level_security, -+ "Received orf_token message is too long... ignoring."); -+ -+ return (-1); -+ } -+ - if (msg_len < sizeof(struct orf_token)) { - log_printf (instance->totemsrp_log_level_security, - "Received orf_token message is too short... ignoring."); -@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity( - rtr_entries = token->rtr_list_entries; - } - -+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) { -+ log_printf (instance->totemsrp_log_level_security, -+ "Received orf_token message rtr_entries is corrupted... ignoring."); -+ -+ return (-1); -+ } -+ - required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item); - if (msg_len < required_len) { - log_printf (instance->totemsrp_log_level_security, -@@ -3868,7 +3883,8 @@ static int message_handler_orf_token ( - "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC); - #endif - -- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) { -+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage), -+ endian_conversion_needed) == -1) { - return (0); - } - --- -2.47.0 - diff --git a/corosync.spec b/corosync.spec index e936027..01c9683 100644 --- a/corosync.spec +++ b/corosync.spec @@ -14,13 +14,11 @@ Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces -Version: 3.1.9 -Release: 2%{?dist} -License: BSD +Version: 3.1.10 +Release: 1%{?dist} +License: BSD-3-Clause URL: http://corosync.github.io/corosync/ -Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz - -Patch0: RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch +Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}%{?gittarver}.tar.gz # Runtime bits # The automatic dependency overridden in favor of explicit version lock @@ -197,8 +195,10 @@ fi %{_initrddir}/corosync %{_initrddir}/corosync-notifyd %endif +%if %{without systemd} %dir %{_localstatedir}/lib/corosync %dir %{_localstatedir}/log/cluster +%endif %{_mandir}/man7/corosync_overview.7* %{_mandir}/man8/corosync.8* %{_mandir}/man8/corosync-blackbox.8* @@ -289,6 +289,11 @@ network splits) %endif %changelog +* Tue Nov 18 2025 Jan Friesse - 3.1.10-1 +- Resolves: RHEL-122942 + +- New upstream release (RHEL-122942) + * Wed Mar 26 2025 Jan Friesse - 3.1.9-2 - Resolves: RHEL-84616 diff --git a/sources b/sources index d3e0db1..9c626fd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (corosync-3.1.9.tar.gz) = d5332c65535dd40e3bee48912ebf2e71c55380b3dba93c36ff8b74090edf3ec44b69685cd11fda3732e4b0dab0b2954f08be94d772fcff6aaf9a4a846ef2e4cc +SHA512 (corosync-3.1.10.tar.gz) = cf2014d15fdbd3495cfe64629255f7855a79651a595938dac7bc7ec67338d843079ae40cf1c15de23b50d85cb39b2c2e3e3448a9cc33759ad8988b8c85ce59d3