From e9a040ef0632180648c0e9416c71a28ade86a794 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Mon, 11 May 2026 11:40:42 -0400
Subject: [PATCH] import Oracle_OSS corosync-3.1.9-2.el10_1.1

---
 ...p-Return-error-if-sanity-check-fails.patch | 46 +++++++
 ...integer-overflow-in-memb_join_sanity.patch | 56 +++++++++
 ...-Add-support-for-env-STATE_DIRECTORY.patch | 113 ++++++++++++++++++
 ...e-LogsDirectory-in-systemd-unit-file.patch | 50 ++++++++
 corosync.spec | 21 +++-
 5 files changed, 285 insertions(+), 1 deletion(-)
 create mode 100644 RHEL-163801-totemsrp-Return-error-if-sanity-check-fails.patch
 create mode 100644 RHEL-163822-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
 create mode 100644 RHEL-96073-1-exec-Add-support-for-env-STATE_DIRECTORY.patch
 create mode 100644 RHEL-96073-2-init-Use-LogsDirectory-in-systemd-unit-file.patch

diff --git a/RHEL-163801-totemsrp-Return-error-if-sanity-check-fails.patch b/RHEL-163801-totemsrp-Return-error-if-sanity-check-fails.patch
new file mode 100644
index 0000000..8fc1d7b
--- /dev/null
+++ b/RHEL-163801-totemsrp-Return-error-if-sanity-check-fails.patch
@@ -0,0 +1,46 @@
+From a16614accfdb3481264d7281843fadf439d9ab1b Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Thu, 2 Apr 2026 09:00:39 +0200
+Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously, the check_memb_commit_token_sanity function correctly
+checked the minimum message length. However, if the message was too
+short, it incorrectly returned a success code (0) instead of the
+expected failure code (-1).
+
+This commit ensures the appropriate error code is returned when the
+message length sanity check fails.
+
+Fixes: CVE-2026-35091
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
+Signed-off-by: Jan Friesse
+Also-proposed-by: nicholasyang
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index a716ae9f..372a96d1 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
+ log_printf (instance->totemsrp_log_level_security,
+ "Received memb_commit_token message is too short... ignoring.");
+ 
+- return (0);
++ return (-1);
+ }
+ 
+- addr_entries= mct_msg->addr_entries;
++ addr_entries = mct_msg->addr_entries;
+ if (endian_conversion_needed) {
+ addr_entries = swab32(addr_entries);
+ }
+-- 
+2.47.3
+
diff --git a/RHEL-163822-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch b/RHEL-163822-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
new file mode 100644
index 0000000..0d78101
--- /dev/null
+++ b/RHEL-163822-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
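Review bot: The unrelated whitespace change `addr_entries = mct_msg->addr_entries;` is bundled into a CVE backport; keeping the patch to the one-line `return (-1);` makes it easier to audit and to match against the upstream commit. The security-level log line just above the corrected return records no length, so an operator cannot tell one truncated packet from a stream of crafted ones; if the received length is in scope here (the sibling check_memb_join_sanity in the next patch compares `msg_len`), consider logging it in the same message. check_memb_commit_token_sanity begins and ends outside this hunk.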
@@ -0,0 +1,56 @@
+From 4082294f5094a7591e4e00658c5a605f05d644f1 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Thu, 2 Apr 2026 09:44:06 +0200
+Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit addresses an integer overflow (wraparound) vulnerability
+in the check_memb_join_sanity function.
+
+Previously, the 32-bit unsigned network values proc_list_entries and
+failed_list_entries were added together before being promoted to
+size_t. This allowed the addition to wrap around in 32-bit arithmetic
+(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
+calculation that was incorrectly small.
+
+The solution is to cast the list entries to size_t and verify that
+neither exceeds the maximum allowed value before the addition occurs.
+
+Fixes: CVE-2026-35092
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
+Signed-off-by: Jan Friesse
+Also-proposed-by: nicholasyang
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 372a96d1..67596911 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity(
+ failed_list_entries = swab32(failed_list_entries);
+ }
+ 
+- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
++ if (proc_list_entries > PROCESSOR_COUNT_MAX ||
++ failed_list_entries > PROCESSOR_COUNT_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received memb_join message list_entries exceeds the maximum "
++ "allowed value... ignoring.");
++
++ return (-1);
++ }
++
++ required_len = sizeof(struct memb_join) +
++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received memb_join message is too short... ignoring.");
+-- 
+2.47.3
+
diff --git a/RHEL-96073-1-exec-Add-support-for-env-STATE_DIRECTORY.patch b/RHEL-96073-1-exec-Add-support-for-env-STATE_DIRECTORY.patch
new file mode 100644
index 0000000..429b41c
--- /dev/null
+++ b/RHEL-96073-1-exec-Add-support-for-env-STATE_DIRECTORY.patch
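Review bot: The new bound check rejects oversized counts but logs neither the values nor which list exceeded PROCESSOR_COUNT_MAX, so the security-level message gives a defender nothing to correlate with a sender; consider `"Received memb_join message list_entries (%u/%u) exceeds the maximum allowed value... ignoring.", proc_list_entries, failed_list_entries` (both are 32-bit unsigned per the commit message). The `(size_t)` casts only make the addition overflow-free where size_t is 64-bit, so on 32-bit builds the explicit PROCESSOR_COUNT_MAX guard is what keeps `required_len` honest; a one-line comment such as `/* bound first: the size_t cast alone does not prevent wraparound on 32-bit size_t */` would stop a later cleanup from dropping the guard as redundant. check_memb_join_sanity begins and ends outside this hunk.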
@@ -0,0 +1,113 @@
+From: Jan Friesse
+Date: Wed, 11 Jun 2025 17:26:41 +0200
+Subject: [PATCH 1/2] exec: Add support for env STATE_DIRECTORY
+
+Image mode recommendation is to not ship /var/lib subdirectories if
+possible and bootc lint produces warning if not. This was the case
+also for Corosync.
+
+Simplest possible solution seems to implement support for systemd
+unit StateDirectory functionality and not ship /var/lib/corosync
+in rpm.
+
+So patch:
+1. Adds support for reading the environment variable STATE_DIRECTORY
+ which is set by systemd and use it as a default value for
+ system.state_dir configuration option. This is generally useful
+ feature even for non-systemd builds.
+2. Set StateDirectory in service file
+3. Drop /var/lib/corosync directory from RPM for systemd builds
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Christine Caulfield
+---
+ corosync.spec.in | 2 ++
+ exec/util.c | 19 +++++++++++++++----
+ init/corosync.service.in | 1 +
+ man/corosync.conf.5 | 4 ++--
+ 4 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/corosync.spec.in b/corosync.spec.in
+index 80040a46..049c585a 100644
+--- a/corosync.spec.in
++++ b/corosync.spec.in
+@@ -207,7 +207,9 @@ fi
+ %{_initrddir}/corosync
+ %{_initrddir}/corosync-notifyd
+ %endif
++%if %{without systemd}
+ %dir %{_localstatedir}/lib/corosync
++%endif
+ %dir %{_localstatedir}/log/cluster
+ %{_mandir}/man7/corosync_overview.7*
+ %{_mandir}/man8/corosync.8*
+diff --git a/exec/util.c b/exec/util.c
+index 8988ab29..795ea5c5 100644
+--- a/exec/util.c
++++ b/exec/util.c
+@@ -174,13 +174,24 @@ int cs_name_tisEqual (cs_name_t *str1, char *str2) {
+ const char *get_state_dir(void)
+ {
+ static char path[PATH_MAX] = {'\0'};
+- char *cmap_state_dir;
++ char *state_dir;
+ int res;
+ 
+ if (path[0] == '\0') {
+- if (icmap_get_string("system.state_dir", &cmap_state_dir) == CS_OK) {
+- res = snprintf(path, PATH_MAX, "%s", cmap_state_dir);
+- free(cmap_state_dir);
++ if (icmap_get_string("system.state_dir", &state_dir) == CS_OK) {
++ res = snprintf(path, PATH_MAX, "%s", state_dir);
++ free(state_dir);
++ } else if ((state_dir = getenv("STATE_DIRECTORY")) != NULL) {
++ /*
++ * systemd allows multiple directory names that are
++ * passed to env variable separated by colon. Support for this feature
++ * is deliberately not implemented because corosync always
++ * uses just one state directory and it is unclear what behavior should
++ * be taken for multiple ones. If reasonable need for
++ * supporting multiple directories appear, it must be implemented also
++ * for cmap.
++ */
++ res = snprintf(path, PATH_MAX, "%s", state_dir);
+ } else {
+ res = snprintf(path, PATH_MAX, "%s/%s", LOCALSTATEDIR, "lib/corosync");
+ }
+diff --git a/init/corosync.service.in b/init/corosync.service.in
+index bd2a48a9..3e3efef8 100644
+--- a/init/corosync.service.in
++++ b/init/corosync.service.in
+@@ -9,6 +9,7 @@ After=network-online.target
+ EnvironmentFile=-@INITCONFIGDIR@/corosync
+ ExecStart=@SBINDIR@/corosync -f $COROSYNC_OPTIONS
+ ExecStop=@SBINDIR@/corosync-cfgtool -H --force
++StateDirectory=corosync
+ Type=notify
+ 
+ # In typical systemd deployments, both standard outputs are forwarded to
+diff --git a/man/corosync.conf.5 b/man/corosync.conf.5
+index 3510ab6b..3bcda7c7 100644
+--- a/man/corosync.conf.5
++++ b/man/corosync.conf.5
+@@ -32,7 +32,7 @@
+ .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ .\" * THE POSSIBILITY OF SUCH DAMAGE.
+ .\" */
+-.TH COROSYNC_CONF 5 2024-07-22 "corosync Man Page" "Corosync Cluster Engine Programmer's Manual"
++.TH COROSYNC_CONF 5 2025-06-12 "corosync Man Page" "Corosync Cluster Engine Programmer's Manual"
+ .SH NAME
+ corosync.conf - corosync executive configuration file
+ 
+@@ -900,7 +900,7 @@ state_dir
+ Existing directory where corosync should chdir into. Corosync stores
+ important state files and blackboxes there.
+ 
+-The default is /var/lib/corosync.
++The default is the value of the environment variable STATE_DIRECTORY or /var/lib/corosync.
+ 
+ .PP
+ Within the
+-- 
+2.43.5
+
diff --git a/RHEL-96073-2-init-Use-LogsDirectory-in-systemd-unit-file.patch b/RHEL-96073-2-init-Use-LogsDirectory-in-systemd-unit-file.patch
new file mode 100644
index 0000000..240bee1
--- /dev/null
+++ b/RHEL-96073-2-init-Use-LogsDirectory-in-systemd-unit-file.patch
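Review bot: The new STATE_DIRECTORY branch in get_state_dir documents that colon-separated lists are unsupported but does not detect them, so a unit that lists more than one StateDirectory= hands over `a:b`, which is copied verbatim into `path` and only surfaces later as a failed chdir on a directory that never existed. A guard before the copy, `if (strchr(state_dir, ':') != NULL) { /* warn: multiple directories unsupported, using the whole value */ }` with whatever logging util.c has in scope, turns that into an actionable message. The truncation check on `res` lives outside this hunk; it should be confirmed to cover the new branch, since an environment value is not bounded by PATH_MAX the way the compiled-in default is. get_state_dir ends outside the hunk.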
@@ -0,0 +1,50 @@
+From 050933cf334ef4ac6a6b4a3988508ca181da34b0 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Thu, 12 Jun 2025 09:40:45 +0200
+Subject: [PATCH 2/2] init: Use LogsDirectory in systemd unit file
+
+Similarly as StateDirectory, this is mainly for image mode.
+/var/log/cluster shouldn't be included in rpm package, so
+use LogsDirectory to make systemd create /var/log/cluster during
+corosync startup.
+
+No code change is needed, because logging to log file is fully
+configured by user in config file so there is no default to read from
+environment variable.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Christine Caulfield
+---
+ corosync.spec.in | 2 +-
+ init/corosync.service.in | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/corosync.spec.in b/corosync.spec.in
+index 049c585a..7cb70114 100644
+--- a/corosync.spec.in
++++ b/corosync.spec.in
+@@ -209,8 +209,8 @@ fi
+ %endif
+ %if %{without systemd}
+ %dir %{_localstatedir}/lib/corosync
+-%endif
+ %dir %{_localstatedir}/log/cluster
++%endif
+ %{_mandir}/man7/corosync_overview.7*
+ %{_mandir}/man8/corosync.8*
+ %{_mandir}/man8/corosync-blackbox.8*
+diff --git a/init/corosync.service.in b/init/corosync.service.in
+index 3e3efef8..89d67b5e 100644
+--- a/init/corosync.service.in
++++ b/init/corosync.service.in
+@@ -10,6 +10,7 @@ EnvironmentFile=-@INITCONFIGDIR@/corosync
+ ExecStart=@SBINDIR@/corosync -f $COROSYNC_OPTIONS
+ ExecStop=@SBINDIR@/corosync-cfgtool -H --force
+ StateDirectory=corosync
++LogsDirectory=cluster
+ Type=notify
+ 
+ # In typical systemd deployments, both standard outputs are forwarded to
+-- 
+2.43.5
+
diff --git a/corosync.spec b/corosync.spec
index 32333ba..0b13a76 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -15,12 +15,16 @@ Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.1.9
-Release: 1%{?dist}.1
+Release: 2%{?dist}.1
 License: BSD-3-Clause
 URL: http://corosync.github.io/corosync/
 Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz
 Patch0: RHEL-84612-totemsrp-Check-size-of-orf_token-msg.patch
+Patch1: RHEL-96073-1-exec-Add-support-for-env-STATE_DIRECTORY.patch
+Patch2: RHEL-96073-2-init-Use-LogsDirectory-in-systemd-unit-file.patch
+Patch3: RHEL-163801-totemsrp-Return-error-if-sanity-check-fails.patch
+Patch4: RHEL-163822-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@@ -197,8 +201,10 @@ fi
 %{_initrddir}/corosync
 %{_initrddir}/corosync-notifyd
 %endif
+%if %{without systemd}
 %dir %{_localstatedir}/lib/corosync
 %dir %{_localstatedir}/log/cluster
+%endif
 %{_mandir}/man7/corosync_overview.7*
 %{_mandir}/man8/corosync.8*
 %{_mandir}/man8/corosync-blackbox.8*
@@ -289,6 +295,19 @@ network splits)
 %endif
 
 %changelog
+* Fri Apr 10 2026 Jan Friesse - 3.1.9-2.1
+- Resolves: RHEL-163801
+- Resolves: RHEL-163822
+
+- totemsrp: Return error if sanity check fails (fixes CVE-2026-35091)
+- totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092)
+
+* Mon Jun 16 2025 Jan Friesse - 3.1.9-2
+- Resolves: RHEL-96073
+
+- exec: Add support for env STATE_DIRECTORY
+- init: Use LogsDirectory in systemd unit file
+
 * Fri Mar 28 2025 Jan Friesse - 3.1.9-1.1
 - Resolves: RHEL-84612
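Review bot: Patch1 through Patch4 are declared in the first hunk, but the %prep section that applies them is not in view; if it uses explicit per-patch `%patchN -p1` lines rather than `%autosetup`, the new entries are never applied and the two CVE fixes announced in the %changelog would be absent from the built binary with no build error. That %prep section should be confirmed alongside this change, and a build-log check that the four patches are listed as applied would be a cheap guard. The Patch numbering places the RHEL-96073 changes before the RHEL-163801/163822 fixes, which matches the changelog order; since only the latter two touch exec/totemsrp.c, the order has no effect on how they apply.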