diff --git a/.corosync.metadata b/.corosync.metadata index cb1167b..a24e47d 100644 --- a/.corosync.metadata +++ b/.corosync.metadata @@ -1 +1 @@ -29bea300734f649b5ed42dd9f87ed75209da72d1 SOURCES/corosync-3.1.8.tar.gz +2ceb27fe91b45d64eabbfec59ae1937e71697296 SOURCES/corosync-3.1.9.tar.gz diff --git a/.gitignore b/.gitignore index 9b13db4..01f2ef1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/corosync-3.1.8.tar.gz +SOURCES/corosync-3.1.9.tar.gz diff --git a/SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch b/SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch new file mode 100644 index 0000000..17b4c3e --- /dev/null +++ b/SOURCES/RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch @@ -0,0 +1,68 @@ +From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Mon, 24 Mar 2025 12:05:08 +0100 +Subject: [PATCH] totemsrp: Check size of orf_token msg + +orf_token message is stored into preallocated array on endian convert +so carefully crafted malicious message can lead to crash of corosync. + +Solution is to check message size beforehand. + +Signed-off-by: Jan Friesse +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 962d0e2a..364528ce 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity( + const struct totemsrp_instance *instance, + const void *msg, + size_t msg_len, ++ size_t max_msg_len, + int endian_conversion_needed) + { + int rtr_entries; + const struct orf_token *token = (const struct orf_token *)msg; + size_t required_len; + ++ if (msg_len > max_msg_len) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received orf_token message is too long... ignoring."); ++ ++ return (-1); ++ } ++ + if (msg_len < sizeof(struct orf_token)) { + log_printf (instance->totemsrp_log_level_security, + "Received orf_token message is too short... ignoring."); +@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity( + rtr_entries = token->rtr_list_entries; + } + ++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received orf_token message rtr_entries is corrupted... ignoring."); ++ ++ return (-1); ++ } ++ + required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, +@@ -3868,7 +3883,8 @@ static int message_handler_orf_token ( + "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC); + #endif + +- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) { ++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage), ++ endian_conversion_needed) == -1) { + return (0); + } + +-- +2.47.0 + diff --git a/SPECS/corosync.spec b/SPECS/corosync.spec index 3ff5e40..e936027 100644 --- a/SPECS/corosync.spec +++ b/SPECS/corosync.spec @@ -12,16 +12,15 @@ %bcond_without runautogen %bcond_without userflags -%global gitver %{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}} -%global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}} - Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces -Version: 3.1.8 -Release: 1%{?gitver}%{?dist} +Version: 3.1.9 +Release: 2%{?dist} License: BSD URL: http://corosync.github.io/corosync/ -Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz +Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz + +Patch0: RHEL-84616-totemsrp-Check-size-of-orf_token-msg.patch # Runtime bits # The automatic dependency overridden in favor of explicit version lock @@ -68,9 +67,10 @@ Requires: libxslt BuildRequires: readline-devel %endif BuildRequires: make +BuildRequires: git %prep -%setup -q -n %{name}-%{version}%{?gittarver} +%autosetup -S git_am %build %if %{with runautogen} @@ -116,7 +116,7 @@ BuildRequires: make %if %{with dbus} mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d -install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf +install -m 644 %{_builddir}/%{name}-%{version}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf %endif ## tree fixup @@ -185,7 +185,7 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/corosync %config(noreplace) %{_sysconfdir}/logrotate.d/corosync %if %{with dbus} -%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf +%{_datadir}/dbus-1/system.d/corosync-signals.conf %endif %if %{with snmp} %{_datadir}/snmp/mibs/COROSYNC-MIB.txt @@ -289,6 +289,21 @@ network splits) %endif %changelog +* Wed Mar 26 2025 Jan Friesse - 3.1.9-2 +- Resolves: RHEL-84616 + +- totemsrp: Check size of orf_token msg (fixes CVE-2025-30472) + +* Fri Nov 15 2024 Jan Friesse - 3.1.9-1 +- Resolves: RHEL-65699 + +- New upstream release (RHEL-65699) + +* Tue May 21 2024 Jan Friesse - 3.1.8-2 +- Resolves: RHEL-24163 + +- Report crypto errors back to cfg reload (RHEL-24163) + * Wed Nov 15 2023 Jan Friesse - 3.1.8-1 - Resolves: RHEL-15264