1.1.15-3 - Apply fix for CVE-2016-7035 (improper IPC guarding)
This commit is contained in:
Jan Pokorný
parent
75b067a8df
commit
1dd7338b33
78
CVE-2016-7035-improper-IPC-guarding.patch
Normal file
78
CVE-2016-7035-improper-IPC-guarding.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From 5a20855d6054ebaae590c09262b328d957cc1fc2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
|
||||
Date: Thu, 3 Nov 2016 11:16:37 +0100
|
||||
Subject: [PATCH] High: libcrmcommon: fix CVE-2016-7035 (improper IPC guarding)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It was discovered that at some not so uncommon circumstances, some
|
||||
pacemaker daemons could be talked to, via libqb-facilitated IPC, by
|
||||
unprivileged clients due to flawed authorization decision. Depending
|
||||
on the capabilities of affected daemons, this might equip unauthorized
|
||||
user with local privilege escalation or up to cluster-wide remote
|
||||
execution of possibly arbitrary commands when such user happens to
|
||||
reside at standard or remote/guest cluster node, respectively.
|
||||
|
||||
The original vulnerability was introduced in an attempt to allow
|
||||
unprivileged IPC clients to clean up the file system materialized
|
||||
leftovers in case the server (otherwise responsible for the lifecycle
|
||||
of these files) crashes. While the intended part of such behavior is
|
||||
now effectively voided (along with the unintended one), a best-effort
|
||||
fix to address this corner case systemically at libqb is coming along
|
||||
(https://github.com/ClusterLabs/libqb/pull/231).
|
||||
|
||||
Affected versions: 1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
|
||||
Impact: Important
|
||||
CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
||||
|
||||
Credits for independent findings, in chronological order:
|
||||
Jan "poki" Pokorný, of Red Hat
|
||||
Alain Moulle, of ATOS/BULL
|
||||
---
|
||||
lib/common/ipc.c | 14 +++-----------
|
||||
1 file changed, 3 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lib/common/ipc.c b/lib/common/ipc.c
|
||||
index f060fcd..2949837 100644
|
||||
--- a/lib/common/ipc.c
|
||||
+++ b/lib/common/ipc.c
|
||||
@@ -293,7 +293,6 @@ crm_client_disconnect_all(qb_ipcs_service_t *service)
|
||||
crm_client_t *
|
||||
crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
|
||||
{
|
||||
- static uid_t uid_server = 0;
|
||||
static gid_t gid_cluster = 0;
|
||||
|
||||
crm_client_t *client = NULL;
|
||||
@@ -304,7 +303,6 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
|
||||
}
|
||||
|
||||
if (gid_cluster == 0) {
|
||||
- uid_server = getuid();
|
||||
if(crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster) < 0) {
|
||||
static bool have_error = FALSE;
|
||||
if(have_error == FALSE) {
|
||||
@@ -314,16 +312,10 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
|
||||
}
|
||||
}
|
||||
|
||||
- if(gid_cluster != 0 && gid_client != 0) {
|
||||
- uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
|
||||
-
|
||||
- if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
|
||||
- best_uid = QB_MAX(uid_client, uid_server);
|
||||
- crm_trace("Allowing user %u to clean up after disconnect", best_uid);
|
||||
- }
|
||||
-
|
||||
+ if (uid_client != 0) {
|
||||
crm_trace("Giving access to group %u", gid_cluster);
|
||||
- qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
|
||||
+ /* Passing -1 to chown(2) means don't change */
|
||||
+ qb_ipcs_connection_auth_set(c, -1, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
|
||||
}
|
||||
|
||||
crm_client_init();
|
||||
--
|
||||
2.4.11
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
%global uname hacluster
|
||||
%global pcmk_docdir %{_docdir}/%{name}
|
||||
|
||||
%global specversion 2
|
||||
%global specversion 3
|
||||
%global pcmkversion 1.1.15
|
||||
# set following to the actual commit or, for final release, concatenate
|
||||
# "pcmkversion" macro to "Pacemaker-" (will yield a tag per the convention)
|
||||
@ -78,7 +78,7 @@
|
||||
Name: pacemaker
|
||||
Summary: Scalable High-Availability cluster resource manager
|
||||
Version: %{pcmkversion}
|
||||
Release: %{pcmk_release}%{?dist}.1
|
||||
Release: %{pcmk_release}%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Url: http://www.clusterlabs.org
|
||||
Group: System Environment/Daemons
|
||||
@ -88,6 +88,7 @@ Source1: https://github.com/%{github_owner}/%{nagios_name}/archive/%{nagio
|
||||
Patch1: 001-makefile-cleanup.patch
|
||||
Patch2: 002-build-cleanup.patch
|
||||
Patch3: 003-harden-toolchain.patch
|
||||
Patch4: CVE-2016-7035-improper-IPC-guarding.patch
|
||||
# ---
|
||||
# keep following commented out for now
|
||||
#Patch100: bz1179335-system-wide-crypto-policies.patch
|
||||
@ -632,6 +633,9 @@ exit 0
|
||||
%attr(0644,root,root) %{_datadir}/pacemaker/nagios/plugins-metadata/*
|
||||
|
||||
%changelog
|
||||
* Thu Nov 03 2016 Jan Pokorný <jpokorny+rpm-pacemaker@redhat.com> - 1.1.15-3
|
||||
- Apply fix for CVE-2016-7035 (improper IPC guarding)
|
||||
|
||||
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.15-2.1
|
||||
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user