From 2e3cb3841094efdd021c4ba236342086cd9a1fb0 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 23 Jun 2026 04:03:40 -0400 Subject: [PATCH] import Oracle_OSS corosync-3.1.10-1.el9_8.1 --- .corosync.metadata | 2 +- .gitignore | 2 +- ...-Return-error-if-sanity-check-fails.patch} | 0 ...nteger-overflow-in-memb_join_sanity.patch} | 0 ...totemsrp-Check-size-of-orf_token-msg.patch | 68 ------------------- SPECS/corosync.spec | 26 ++++--- 6 files changed, 18 insertions(+), 80 deletions(-) rename SOURCES/{RHEL-163815-totemsrp-Return-error-if-sanity-check-fails.patch => RHEL-163816-totemsrp-Return-error-if-sanity-check-fails.patch} (100%) rename SOURCES/{RHEL-163836-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch => RHEL-163837-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch} (100%) delete mode 100644 SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch diff --git a/.corosync.metadata b/.corosync.metadata index a24e47d..dfd7563 100644 --- a/.corosync.metadata +++ b/.corosync.metadata @@ -1 +1 @@ -2ceb27fe91b45d64eabbfec59ae1937e71697296 SOURCES/corosync-3.1.9.tar.gz +42c2e9d62f30c933768b5430e0a8165f07889301 SOURCES/corosync-3.1.10.tar.gz diff --git a/.gitignore b/.gitignore index 01f2ef1..8a476e9 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/corosync-3.1.9.tar.gz +SOURCES/corosync-3.1.10.tar.gz diff --git a/SOURCES/RHEL-163815-totemsrp-Return-error-if-sanity-check-fails.patch b/SOURCES/RHEL-163816-totemsrp-Return-error-if-sanity-check-fails.patch similarity index 100% rename from SOURCES/RHEL-163815-totemsrp-Return-error-if-sanity-check-fails.patch rename to SOURCES/RHEL-163816-totemsrp-Return-error-if-sanity-check-fails.patch diff --git a/SOURCES/RHEL-163836-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch b/SOURCES/RHEL-163837-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch similarity index 100% rename from SOURCES/RHEL-163836-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch rename to SOURCES/RHEL-163837-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch diff --git a/SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch b/SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch deleted file mode 100644 index 17b4c3e..0000000 --- a/SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001 -From: Jan Friesse -Date: Mon, 24 Mar 2025 12:05:08 +0100 -Subject: [PATCH] totemsrp: Check size of orf_token msg - -orf_token message is stored into preallocated array on endian convert -so carefully crafted malicious message can lead to crash of corosync. - -Solution is to check message size beforehand. - -Signed-off-by: Jan Friesse -Reviewed-by: Christine Caulfield ---- - exec/totemsrp.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/exec/totemsrp.c b/exec/totemsrp.c -index 962d0e2a..364528ce 100644 ---- a/exec/totemsrp.c -+++ b/exec/totemsrp.c -@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity( - const struct totemsrp_instance *instance, - const void *msg, - size_t msg_len, -+ size_t max_msg_len, - int endian_conversion_needed) - { - int rtr_entries; - const struct orf_token *token = (const struct orf_token *)msg; - size_t required_len; - -+ if (msg_len > max_msg_len) { -+ log_printf (instance->totemsrp_log_level_security, -+ "Received orf_token message is too long... ignoring."); -+ -+ return (-1); -+ } -+ - if (msg_len < sizeof(struct orf_token)) { - log_printf (instance->totemsrp_log_level_security, - "Received orf_token message is too short... ignoring."); -@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity( - rtr_entries = token->rtr_list_entries; - } - -+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) { -+ log_printf (instance->totemsrp_log_level_security, -+ "Received orf_token message rtr_entries is corrupted... ignoring."); -+ -+ return (-1); -+ } -+ - required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item); - if (msg_len < required_len) { - log_printf (instance->totemsrp_log_level_security, -@@ -3868,7 +3883,8 @@ static int message_handler_orf_token ( - "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC); - #endif - -- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) { -+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage), -+ endian_conversion_needed) == -1) { - return (0); - } - --- -2.47.0 - diff --git a/SPECS/corosync.spec b/SPECS/corosync.spec index 0b64e9e..32419fb 100644 --- a/SPECS/corosync.spec +++ b/SPECS/corosync.spec @@ -14,15 +14,14 @@ Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces -Version: 3.1.9 -Release: 2%{?dist}.1 -License: BSD +Version: 3.1.10 +Release: 1%{?dist}.1 +License: BSD-3-Clause URL: http://corosync.github.io/corosync/ -Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz +Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}%{?gittarver}.tar.gz -Patch0: RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch -Patch1: RHEL-163815-totemsrp-Return-error-if-sanity-check-fails.patch -Patch2: RHEL-163836-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch +Patch0: RHEL-163816-totemsrp-Return-error-if-sanity-check-fails.patch +Patch1: RHEL-163837-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch # Runtime bits # The automatic dependency overridden in favor of explicit version lock @@ -199,8 +198,10 @@ fi %{_initrddir}/corosync %{_initrddir}/corosync-notifyd %endif +%if %{without systemd} %dir %{_localstatedir}/lib/corosync %dir %{_localstatedir}/log/cluster +%endif %{_mandir}/man7/corosync_overview.7* %{_mandir}/man8/corosync.8* %{_mandir}/man8/corosync-blackbox.8* @@ -291,13 +292,18 @@ network splits) %endif %changelog -* Fri Apr 10 2026 Jan Friesse - 3.1.9-2.1 -- Resolves: RHEL-163815 -- Resolves: RHEL-163836 +* Thu Apr 09 2026 Jan Friesse - 3.1.10-1.1 +- Resolves: RHEL-163816 +- Resolves: RHEL-163837 - totemsrp: Return error if sanity check fails (fixes CVE-2026-35091) - totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092) +* Tue Nov 18 2025 Jan Friesse - 3.1.10-1 +- Resolves: RHEL-122942 + +- New upstream release (RHEL-122942) + * Wed Mar 26 2025 Jan Friesse - 3.1.9-2 - Resolves: RHEL-84616