Rebased to latest upstream sources, Fixes for: CVE-2018-1079, CVE-2018-1086

2018-04-09 14:52:49 +02:00 · 2018-04-09 14:52:49 +02:00 · c088c221c9
commit c088c221c9
parent 33b5b2b10a
5 changed files with 119 additions and 93 deletions
--- a/.gitignore
+++ b/.gitignore
@ -48,3 +48,4 @@
 /pcs-0.9.163.tar.gz
 /pyagentx-0.4.pcs.2.tar.gz
 /sinatra-contrib-2.0.0.gem
+/pcs-0.9.164.tar.gz
--- a/fedfix.patch
+++ b/fedfix.patch
@ -1,4 +1,4 @@
-From f9f4b3cb4566c854263044ab3fc3f9968dd5758d Mon Sep 17 00:00:00 2001
+From f7b706961ce0f51beebe24bdce1d56eb38ec8fca Mon Sep 17 00:00:00 2001
 From: Ivan Devat <idevat@redhat.com>
 Date: Mon, 19 Feb 2018 17:54:35 +0100
 Subject: [PATCH] fedfix
@ -8,16 +8,16 @@ Codebase was adapted for sinatra 2 and rack 2.
 ---
 pcs/pcs                   |  2 +-
 pcs/test/suite.py         |  2 +-
- pcsd/Makefile             | 39 ++++++++-------------------------------
+ pcsd/Makefile             | 36 ++++++++----------------------------
 pcsd/pcsd.rb              | 18 +++++-------------
 pcsd/pcsd.service-runner  |  3 ++-
 pcsd/session.rb           | 25 ++++++++++++-------------
 pcsd/ssl.rb               |  1 -
 pcsd/test/test_session.rb | 37 +++++++++++++++++++------------------
- 8 files changed, 48 insertions(+), 79 deletions(-)
+ 8 files changed, 48 insertions(+), 76 deletions(-)

 diff --git a/pcs/pcs b/pcs/pcs
-index 736f9cd..3dff69a 100755
+index 736f9cd2..3dff69a5 100755
 --- a/pcs/pcs
 +++ b/pcs/pcs
@@ -1,4 +1,4 @@
@ -27,7 +27,7 @@ index 736f9cd..3dff69a 100755
 from __future__ import absolute_import
 import os.path
 diff --git a/pcs/test/suite.py b/pcs/test/suite.py
-index 809596b..98c5a26 100755
+index 809596bc..98c5a268 100755
 --- a/pcs/test/suite.py
 +++ b/pcs/test/suite.py
@@ -1,4 +1,4 @@
@ -37,10 +37,10 @@ index 809596b..98c5a26 100755
     absolute_import,
     division,
 diff --git a/pcsd/Makefile b/pcsd/Makefile
-index d452ac0..c83bd95 100644
+index d7d98f60..c83bd958 100644
 --- a/pcsd/Makefile
 +++ b/pcsd/Makefile
-@@ -1,36 +1,13 @@
+@@ -1,33 +1,13 @@
 -FFI_VERSION="1.9.18"
 -FFI_C_DIR=vendor/bundle/ruby/gems/ffi-${FFI_VERSION}/ext/ffi_c
 -
@ -55,38 +55,35 @@ index d452ac0..c83bd95 100644
 -		fi; \
 -	done;
 -
-# RHEL6 needs special rpam-ruby19 gem to work with 1.8.7
-# also bundler is not available on RHEL6 in rpm
-build_gems_rhel6:
+-build_gems_without_bundler:
 +# Comment from specfile from distgit 9b7a65231 Mamoru TASAKA:
 +# So it seems that with rubygems 2.7.3 --install-dir option always
 +# needs --no-user-install???
 +# tld;dr; added flag --no-user-install, details in the commit
 +build_gems:
 	mkdir -p vendor/bundle/ruby
-	gem install --verbose --no-rdoc --no-ri -l -i vendor/bundle/ruby \
-	vendor/cache/backports-3.6.8.gem \
-	vendor/cache/ethon-0.9.1.gem \
+-	gem install --verbose --no-rdoc --no-ri -l --ignore-dependencies -i vendor/bundle/ruby \
+-	vendor/cache/backports-3.9.1.gem \
+-	vendor/cache/ethon-0.10.1.gem \
 -	vendor/cache/ffi-${FFI_VERSION}.gem \
-	vendor/cache/json-2.0.3.gem \
-	vendor/cache/multi_json-1.12.1.gem \
+-	vendor/cache/json-2.1.0.gem \
+-	vendor/cache/multi_json-1.12.2.gem \
 -	vendor/cache/open4-1.3.4.gem \
-+	gem install --force --verbose --no-rdoc --no-ri -l --no-user-install -i vendor/bundle/ruby \
- 	vendor/cache/orderedhash-0.0.6.gem \
 -	vendor/cache/rack-1.6.4.gem \
-	vendor/cache/rack-protection-1.5.3.gem \
-	vendor/cache/rack-test-0.6.3.gem \
-	vendor/cache/rpam-ruby19-feist-1.2.1.1.gem \
+-	vendor/cache/rack-protection-1.5.5.gem \
+-	vendor/cache/rack-test-0.7.0.gem \
+	gem install --force --verbose --no-rdoc --no-ri -l --no-user-install -i vendor/bundle/ruby \
+	vendor/cache/orderedhash-0.0.6.gem \
+ 	vendor/cache/rpam-ruby19-1.2.1.gem \
 -	vendor/cache/sinatra-1.4.8.gem \
 -	vendor/cache/sinatra-contrib-1.4.7.gem \
-	vendor/cache/tilt-2.0.6.gem \
-+	vendor/cache/rpam-ruby19-1.2.1.gem \
+-	vendor/cache/tilt-2.0.8.gem \
 +	vendor/cache/sinatra-contrib-2.0.0.gem \
 	-- '--with-ldflags="-Wl,-z,now -Wl,-z,relro"'
 
 get_gems:
 diff --git a/pcsd/pcsd.rb b/pcsd/pcsd.rb
-index 01f2f5c..1d51b5e 100644
+index 61b28044..39c69608 100644
 --- a/pcsd/pcsd.rb
 +++ b/pcsd/pcsd.rb
@@ -83,6 +83,11 @@ before do
@ -122,7 +119,7 @@ index 01f2f5c..1d51b5e 100644
   def is_ajax?
     return request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
 diff --git a/pcsd/pcsd.service-runner b/pcsd/pcsd.service-runner
-index 883d290..712913e 100644
+index 883d2908..712913ea 100644
 --- a/pcsd/pcsd.service-runner
 +++ b/pcsd/pcsd.service-runner
@@ -3,8 +3,9 @@
@ -137,7 +134,7 @@ index 883d290..712913e 100644
 
   # change current directory (ruby -C)
 diff --git a/pcsd/session.rb b/pcsd/session.rb
-index 8b09ed8..f42bf73 100644
+index 8b09ed82..f42bf73e 100644
 --- a/pcsd/session.rb
 +++ b/pcsd/session.rb
@@ -1,4 +1,3 @@
@ -213,7 +210,7 @@ index 8b09ed8..f42bf73 100644
     @pool_timestamp.delete(sid)
   end
 diff --git a/pcsd/ssl.rb b/pcsd/ssl.rb
-index eaf2cbf..2668c95 100644
+index eaf2cbf1..2668c958 100644
 --- a/pcsd/ssl.rb
 +++ b/pcsd/ssl.rb
@@ -2,7 +2,6 @@ require 'rubygems'
@ -225,7 +222,7 @@ index eaf2cbf..2668c95 100644
 require 'socket'
 
 diff --git a/pcsd/test/test_session.rb b/pcsd/test/test_session.rb
-index e72bf01..c212b1a 100644
+index e72bf012..c212b1a0 100644
 --- a/pcsd/test/test_session.rb
 +++ b/pcsd/test/test_session.rb
@@ -2,18 +2,19 @@ require 'test/unit'
@ -310,5 +307,5 @@ index e72bf01..c212b1a 100644
 
 end
 -- 
-1.8.3.1
+2.13.6

--- a/open-corosync-pacemaker-authkey-in-binary-mode.patch
+++ b/open-corosync-pacemaker-authkey-in-binary-mode.patch
@ -1,51 +0,0 @@
-From 6913cef1fa9d7134689c9bdcfe177fb226d9b0d4 Mon Sep 17 00:00:00 2001
-From: Ivan Devat <idevat@redhat.com>
-Date: Mon, 26 Feb 2018 16:24:20 +0100
-Subject: [PATCH] open corosync + pacemaker authkey in binary mode
-
---
- pcs/cluster.py                                    | 2 +-
- pcs/lib/commands/test/remote_node/fixtures_add.py | 1 +
- pcs/lib/pacemaker/env.py                          | 1 +
- 3 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/pcs/cluster.py b/pcs/cluster.py
-index 50f05f7..d7158b1 100644
--- a/pcs/cluster.py
-+++ b/pcs/cluster.py
-@@ -1834,7 +1834,7 @@ def node_add(lib_env, node0, node1, modifiers):
-             com_cmd = DistributeFiles(
-                 lib_env.report_processor,
-                 node_communication_format.corosync_authkey_file(
-                    open(settings.corosync_authkey_file).read()
-+                    open(settings.corosync_authkey_file, "rb").read()
-                 ),
-                 # added force, it was missing before
-                 # but it doesn't make sence here
-diff --git a/pcs/lib/commands/test/remote_node/fixtures_add.py b/pcs/lib/commands/test/remote_node/fixtures_add.py
-index 2b674b8..a4c2092 100644
--- a/pcs/lib/commands/test/remote_node/fixtures_add.py
-+++ b/pcs/lib/commands/test/remote_node/fixtures_add.py
-@@ -82,6 +82,7 @@ class EnvConfigMixin(object):
- 
-         self.config.fs.open(
-             self.PCMK_AUTHKEY_PATH,
-+            mode="rb",
-             **kwargs
-         )
- 
-diff --git a/pcs/lib/pacemaker/env.py b/pcs/lib/pacemaker/env.py
-index 43f3b07..933bac1 100644
--- a/pcs/lib/pacemaker/env.py
-+++ b/pcs/lib/pacemaker/env.py
-@@ -17,6 +17,7 @@ class PacemakerEnv(object):
-         self.__authkey = RealFile(
-             file_role=env_file_role_codes.PACEMAKER_AUTHKEY,
-             file_path=settings.pacemaker_authkey_file,
-+            is_binary=True,
-         )
- 
-     @property
-- 
-1.8.3.1
-
--- a/pcs.spec
+++ b/pcs.spec
@ -1,6 +1,6 @@
 Name: pcs
-Version: 0.9.163
-Release: 2%{?dist}
+Version: 0.9.164
+Release: 1%{?dist}
 License: GPLv2
 URL: https://github.com/ClusterLabs/pcs
 Group: System Environment/Base
@ -24,7 +24,6 @@ Source13: https://rubygems.org/downloads/sinatra-contrib-2.0.0.gem
 Source41: https://github.com/ondrejmular/pyagentx/archive/v%{pyagentx_version}.tar.gz#/pyagentx-%{pyagentx_version}.tar.gz

 Patch0: fedfix.patch
-Patch1: open-corosync-pacemaker-authkey-in-binary-mode.patch

 # git for patches
 BuildRequires: git
@ -159,8 +158,6 @@ UpdateTimestamps() {

 %patch0 -p1
 UpdateTimestamps -p1 %{PATCH0}
-%patch1 -p1
-UpdateTimestamps -p1 %{PATCH1}

 mkdir -p pcsd/.bundle
 cp -f %SOURCE1 pcsd/.bundle/config
@ -238,15 +235,93 @@ run_all_tests(){
  #     not provide valid metadata: error: crm_abort: systemd_unit_exec:
  #     Triggered fatal assert at systemd.c:728 : systemd_init(), use --force to
  #     override
+  # pcs.lib.commands.test.test_resource_agent.DescribeAgentUtf8.test_describe
+  #   For a unknwon reason this test is passing outside the mock environment.
+  #   TODO: Investigate the issue
+  # all others:
+  #   resource agents metadata have been changed lately, units (seconds) have
+  #   been added to the intervals etc. (e.g.: interval="10" => interval="10s")

-  # Tests are not passing because of pacemaker breakage, therefore we are
-  # temporarily disabling all pcs tests until pacemaker is fixed.
-  # %{__python3} ${sitelib}/pcs/test/suite.py -v --vanilla --all-but \
-  #   pcs.test.test_cluster.ClusterTest.testUIDGID \
-  #   pcs.test.cib_resource.test_create.Success.test_base_create_with_agent_name_including_systemd_instance \
-  #
-  # test_result_python=$?
-  test_result_python=0
+  %{__python3} ${sitelib}/pcs/test/suite.py -v --vanilla --all-but \
+    pcs.test.test_cluster.ClusterTest.testUIDGID \
+    pcs.test.cib_resource.test_create.Success.test_base_create_with_agent_name_including_systemd_instance \
+    pcs.lib.commands.test.test_resource_agent.DescribeAgentUtf8.test_describe \
+    pcs.test.cib_resource.test_create.Bundle.test_success \
+    pcs.test.cib_resource.test_create.FailOrWarnGroup.test_fail_when_try_use_id_of_another_element \
+    pcs.test.cib_resource.test_create.Success.test_base_create \
+    pcs.test.cib_resource.test_create.Success.test_base_create_with_default_ops \
+    pcs.test.cib_resource.test_create.Success.test_create_disabled \
+    pcs.test.cib_resource.test_create.Success.test_create_with_trace_options \
+    pcs.test.cib_resource.test_create.Success.test_with_clone \
+    pcs.test.cib_resource.test_create.Success.test_with_clone_options \
+    pcs.test.cib_resource.test_create.Success.test_with_master \
+    pcs.test.cib_resource.test_create.SuccessClone.test_clone_does_not_overshadow_meta_options \
+    pcs.test.cib_resource.test_create.SuccessClone.test_clone_does_not_overshadow_operations \
+    pcs.test.cib_resource.test_create.SuccessClone.test_clone_places_disabled_correctly \
+    pcs.test.cib_resource.test_create.SuccessGroup.test_with_existing_group \
+    pcs.test.cib_resource.test_create.SuccessGroup.test_with_group \
+    pcs.test.cib_resource.test_create.SuccessGroup.test_with_group_with_after \
+    pcs.test.cib_resource.test_create.SuccessGroup.test_with_group_with_before \
+    pcs.test.cib_resource.test_create.SuccessMaster.test_disable_is_on_master_element \
+    pcs.test.cib_resource.test_create.SuccessMaster.test_do_not_steal_primitive_meta_options \
+    pcs.test.cib_resource.test_create.SuccessMaster.test_put_options_after_master_as_its_meta_fix_1 \
+    pcs.test.cib_resource.test_create.SuccessOperations.test_completing_monitor_operation \
+    pcs.test.cib_resource.test_create.SuccessOperations.test_default_ops_only \
+    pcs.test.cib_resource.test_create.SuccessOperations.test_merging_default_ops_explictly_specified \
+    pcs.test.cib_resource.test_create.SuccessOperations.test_warn_on_forced_unknown_operation \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_manage_monitor \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_manage_monitor_disabled \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_manage_more \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_manage_nonexistent \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_manage_one \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_unmanage_monitor \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_unmanage_monitor_enabled \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_unmanage_more \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_unmanage_nonexistent \
+    pcs.test.cib_resource.test_manage_unmanage.ManageUnmanage.test_unmanage_one \
+    pcs.test.cib_resource.test_operation_add.OperationAdd.test_add_with_OCF_CHECK_LEVEL \
+    pcs.test.cib_resource.test_operation_add.OperationAdd.test_base_add \
+    pcs.test.cib_resource.test_operation_add.OperationAdd.test_can_multiple_operation_add \
+    pcs.test.cib_resource.test_operation_add.OperationAdd.test_id_specified \
+    pcs.test.test_cluster.ClusterTest.testRemoteNode \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_disallowed_option_appear \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_guest_node_conflicts_with_existing_guest \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_guest_node_conflicts_with_existing_id \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_guest_node_conflicts_with_existing_remote \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_guest_node_name_conflicts_with_existing_remote \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_invalid_interval_appear \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_invalid_port_appear \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_fail_when_option_remote_node_specified \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_success \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_success_when_guest_node_matches_with_existing_guest \
+    pcs.test.test_cluster_pcmk_remote.NodeAddGuest.test_success_with_options \
+    pcs.test.test_cluster_pcmk_remote.NodeRemoveGuest.test_success_remove_by_node_name \
+    pcs.test.test_cluster_pcmk_remote.NodeRemoveGuest.test_success_remove_by_resource_host \
+    pcs.test.test_cluster_pcmk_remote.NodeRemoveGuest.test_success_remove_by_resource_id \
+    pcs.test.test_resource.CloneMasterUpdate.test_no_op_allowed_in_clone_update \
+    pcs.test.test_resource.CloneMasterUpdate.test_no_op_allowed_in_master_update \
+    pcs.test.test_resource.ResourceTest.testAddOperation \
+    pcs.test.test_resource.ResourceTest.testAddResourcesLargeCib \
+    pcs.test.test_resource.ResourceTest.testCloneMaster \
+    pcs.test.test_resource.ResourceTest.testCloneRemove \
+    pcs.test.test_resource.ResourceTest.testClonedGroup \
+    pcs.test.test_resource.ResourceTest.testClonedMasteredGroup \
+    pcs.test.test_resource.ResourceTest.testGroupRemoveTest \
+    pcs.test.test_resource.ResourceTest.testGroupRemoveWithConstraints2 \
+    pcs.test.test_resource.ResourceTest.testMSGroup \
+    pcs.test.test_resource.ResourceTest.testMasteredGroup \
+    pcs.test.test_resource.ResourceTest.testNoMoveMSClone \
+    pcs.test.test_resource.ResourceTest.testOPOption \
+    pcs.test.test_resource.ResourceTest.testResourceCloneId \
+    pcs.test.test_resource.ResourceTest.testResourceCloneUpdate \
+    pcs.test.test_resource.ResourceTest.testResourceEnable \
+    pcs.test.test_resource.ResourceTest.testResourceEnableClone \
+    pcs.test.test_resource.ResourceTest.testResourceMasterId \
+    pcs.test.test_resource.ResourceTest.testResourceMissingValues \
+    pcs.test.test_resource.ResourceTest.testUnclone \
+    pcs.test.test_resource.ResourceTest.testUpdateOperation \
+
+  test_result_python=$?

  #remove pcs tests, we do not distribute them in the rpm
  find ${sitelib}/pcs -name test -type d -print0|xargs -0 rm -r -v --
@ -343,6 +418,10 @@ end
 %doc pyagentx_README.md

 %changelog
+* Mon Apr 09 2018 Ondrej Mular <omular@redhat.com> - 0.9.164-1
+- Rebased to latest upstream sources (see CHANGELOG.md)
+- Fixed: CVE-2018-1086, CVE-2018-1079
+
 * Mon Feb 26 2018 Ivan Devát <idevat@redhat.com> - 0.9.163-2
 - Fixed crash when adding a node to a cluster

--- a/2
+++ b/2
@ -1,6 +1,6 @@
-SHA512 (pcs-0.9.163.tar.gz) = 6f3f5b4f7135f598c4448a6d36b366557c109550bbb672081da39c450a1c70a5e749729682c51aa485076a35db3ee5517b09606780463743e16eaf11ca777b7e
 SHA512 (pcsd-bundle-config-1) = f2a2df2dab39c2012cc6a91517716dde8f5a48788d1069c4addf619bc4dc45a98fd48f0f7964b5400e43e84fe96f942a550d2762553fea97e63dc7ad9b8be823
 SHA512 (orderedhash-0.0.6.gem) = b2dae648187437ea7d9d9be47b9ff8d0e1a96bc2ff9e50117033d5bd4cf09cfff3c0740c99c322910138cac90f33b425705ee7a30be84aa193e6afd9f576f64a
 SHA512 (rpam-ruby19-1.2.1.gem) = b403964295e96a6247289518ff46e59bbae6c78bcfb647e12b7dbb247698642b4a1ee04492521b782fb3c594c2ede8143c765819fecde087e2ec850e3aea3503
 SHA512 (sinatra-contrib-2.0.0.gem) = 2e9c1fccfee050af8ef93ce0fe92504930ee41db3ff5aec3c2260ab49f334474386787057011adcb6cfa7de62f9e24ea228944d25bdf8af316b0b7614008ce03
 SHA512 (pyagentx-0.4.pcs.2.tar.gz) = d4194fec9a3e5fefe3793d49b7fec1feafef294c7e613a06046c2993daeefc5cb39d7c5b2b402ff83e49b2d976953f862264288c758c0be09d997b5323cc558a
+SHA512 (pcs-0.9.164.tar.gz) = f5c26e470ace01e961f50ec6883d78e3556a572c274b7093005d496baed4fc33d38409169b06b67722b2fed32d5fd42cf8eb2b6832fe8e55027bf12a37dd5dc4