SOURCES/RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch

@@ -1,46 +0,0 @@
-From a16614accfdb3481264d7281843fadf439d9ab1b Mon Sep 17 00:00:00 2001
-From: Jan Friesse <jfriesse@redhat.com>
-Date: Thu, 2 Apr 2026 09:00:39 +0200
-Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Previously, the check_memb_commit_token_sanity function correctly
-checked the minimum message length. However, if the message was too
-short, it incorrectly returned a success code (0) instead of the
-expected failure code (-1).
-
-This commit ensures the appropriate error code is returned when the
-message length sanity check fails.
-
-Fixes: CVE-2026-35091
-
-Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
-Signed-off-by: Jan Friesse <jfriesse@redhat.com>
-Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
-Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
----
- exec/totemsrp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/exec/totemsrp.c b/exec/totemsrp.c
-index a716ae9f..372a96d1 100644
---- a/exec/totemsrp.c
-+++ b/exec/totemsrp.c
-@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
- 		log_printf (instance->totemsrp_log_level_security,
- 		    "Received memb_commit_token message is too short...  ignoring.");
- 
--		return (0);
-+		return (-1);
- 	}
- 
--	addr_entries= mct_msg->addr_entries;
-+	addr_entries = mct_msg->addr_entries;
- 	if (endian_conversion_needed) {
- 		addr_entries = swab32(addr_entries);
- 	}
--- 
-2.47.3
-

SOURCES/RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch

@@ -1,56 +0,0 @@
-From 4082294f5094a7591e4e00658c5a605f05d644f1 Mon Sep 17 00:00:00 2001
-From: Jan Friesse <jfriesse@redhat.com>
-Date: Thu, 2 Apr 2026 09:44:06 +0200
-Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This commit addresses an integer overflow (wraparound) vulnerability
-in the check_memb_join_sanity function.
-
-Previously, the 32-bit unsigned network values proc_list_entries and
-failed_list_entries were added together before being promoted to
-size_t. This allowed the addition to wrap around in 32-bit arithmetic
-(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
-calculation that was incorrectly small.
-
-The solution is to cast the list entries to size_t and verify that
-neither exceeds the maximum allowed value before the addition occurs.
-
-Fixes: CVE-2026-35092
-
-Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
-Signed-off-by: Jan Friesse <jfriesse@redhat.com>
-Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
-Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
----
- exec/totemsrp.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/exec/totemsrp.c b/exec/totemsrp.c
-index 372a96d1..67596911 100644
---- a/exec/totemsrp.c
-+++ b/exec/totemsrp.c
-@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity(
- 		failed_list_entries = swab32(failed_list_entries);
- 	}
- 
--	required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
-+	if (proc_list_entries > PROCESSOR_COUNT_MAX ||
-+	    failed_list_entries > PROCESSOR_COUNT_MAX) {
-+		log_printf (instance->totemsrp_log_level_security,
-+		    "Received memb_join message list_entries exceeds the maximum "
-+		    "allowed value...  ignoring.");
-+
-+		return (-1);
-+	}
-+
-+	required_len = sizeof(struct memb_join) +
-+	  (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
- 	if (msg_len < required_len) {
- 		log_printf (instance->totemsrp_log_level_security,
- 		    "Received memb_join message is too short...  ignoring.");
--- 
-2.47.3
-

SPECS/corosync.spec

@@ -23,14 +23,11 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.1.8
-Release: 1%{?gitver}%{?dist}.1
+Release: 1%{?gitver}%{?dist}
 License: BSD
 URL: http://corosync.github.io/corosync/
 Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
 
-Patch0: RHEL-163805-totemsrp-Return-error-if-sanity-check-fails.patch
-Patch1: RHEL-163826-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
-
 %if %{with spausedd}
 Source1: https://github.com/jfriesse/spausedd/releases/download/%{spausedd_version}/spausedd-%{spausedd_version}.tar.gz
 # VMGuestLib exists only for x86_64 architecture
@@ -94,9 +91,6 @@ BuildRequires: pkgconfig(vmguestlib)
 %setup -q -n %{name}-%{version}%{?gittarver}
 %endif
 
-%patch0 -p1 -b .RHEL-163805
-%patch1 -p1 -b .RHEL-163826
-
 %build
 %if %{with runautogen}
 ./autogen.sh
@@ -395,13 +389,6 @@ fi
 %endif
 
 %changelog
-* Fri Apr 10 2026 Jan Friesse <jfriesse@redhat.com> - 3.1.8-1.1
-- Resolves: RHEL-163805
-- Resolves: RHEL-163826
-
-- totemsrp: Return error if sanity check fails (fixes CVE-2026-35091)
-- totemsrp: Fix integer overflow in memb_join_sanity (fixes CVE-2026-35092)
-
 * Wed Nov 15 2023 Jan Friesse <jfriesse@redhat.com> - 3.1.8-1
 - Resolves: RHEL-15263