import Oracle_OSS corosync-3.1.10-1.el9_8.1

This commit is contained in:
AlmaLinux RelEng Bot 2026-06-23 04:03:40 -04:00
parent a6b673c6f3
commit 2e3cb38410
6 changed files with 18 additions and 80 deletions

View File

@ -1 +1 @@
2ceb27fe91b45d64eabbfec59ae1937e71697296 SOURCES/corosync-3.1.9.tar.gz
42c2e9d62f30c933768b5430e0a8165f07889301 SOURCES/corosync-3.1.10.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/corosync-3.1.9.tar.gz
SOURCES/corosync-3.1.10.tar.gz

View File

@ -1,68 +0,0 @@
From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Mon, 24 Mar 2025 12:05:08 +0100
Subject: [PATCH] totemsrp: Check size of orf_token msg
orf_token message is stored into preallocated array on endian convert
so carefully crafted malicious message can lead to crash of corosync.
Solution is to check message size beforehand.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
---
exec/totemsrp.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 962d0e2a..364528ce 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
const struct totemsrp_instance *instance,
const void *msg,
size_t msg_len,
+ size_t max_msg_len,
int endian_conversion_needed)
{
int rtr_entries;
const struct orf_token *token = (const struct orf_token *)msg;
size_t required_len;
+ if (msg_len > max_msg_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too long... ignoring.");
+
+ return (-1);
+ }
+
if (msg_len < sizeof(struct orf_token)) {
log_printf (instance->totemsrp_log_level_security,
"Received orf_token message is too short... ignoring.");
@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
rtr_entries = token->rtr_list_entries;
}
+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message rtr_entries is corrupted... ignoring.");
+
+ return (-1);
+ }
+
required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
if (msg_len < required_len) {
log_printf (instance->totemsrp_log_level_security,
@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
"Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
#endif
- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+ endian_conversion_needed) == -1) {
return (0);
}
--
2.47.0

View File

@ -14,15 +14,14 @@
Name: corosync
Summary: The Corosync Cluster Engine and Application Programming Interfaces
Version: 3.1.9
Release: 2%{?dist}.1
License: BSD
Version: 3.1.10
Release: 1%{?dist}.1
License: BSD-3-Clause
URL: http://corosync.github.io/corosync/
Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz
Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}%{?gittarver}.tar.gz
Patch0: RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch
Patch1: RHEL-163815-totemsrp-Return-error-if-sanity-check-fails.patch
Patch2: RHEL-163836-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
Patch0: RHEL-163816-totemsrp-Return-error-if-sanity-check-fails.patch
Patch1: RHEL-163837-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
# Runtime bits
# The automatic dependency overridden in favor of explicit version lock
@ -199,8 +198,10 @@ fi
%{_initrddir}/corosync
%{_initrddir}/corosync-notifyd
%endif
%if %{without systemd}
%dir %{_localstatedir}/lib/corosync
%dir %{_localstatedir}/log/cluster
%endif
%{_mandir}/man7/corosync_overview.7*
%{_mandir}/man8/corosync.8*
%{_mandir}/man8/corosync-blackbox.8*
@ -291,13 +292,18 @@ network splits)
%endif
%changelog
* Fri Apr 10 2026 Jan Friesse <jfriesse@redhat.com> - 3.1.9-2.1
- Resolves: RHEL-163815
- Resolves: RHEL-163836
* Thu Apr 09 2026 Jan Friesse <jfriesse@redhat.com> - 3.1.10-1.1
- Resolves: RHEL-163816
- Resolves: RHEL-163837
- totemsrp: Return error if sanity check fails (fixes CVE-2026-35091)
- totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092)
* Tue Nov 18 2025 Jan Friesse <jfriesse@redhat.com> - 3.1.10-1
- Resolves: RHEL-122942
- New upstream release (RHEL-122942)
* Wed Mar 26 2025 Jan Friesse <jfriesse@redhat.com> - 3.1.9-2
- Resolves: RHEL-84616