diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/.gitignore b/.gitignore
index be468d1..836dba5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,4 +51,3 @@ corosync-1.2.7.tar.gz
 /corosync-3.1.7.tar.gz
 /corosync-3.1.8.tar.gz
 /corosync-3.1.9.tar.gz
-/corosync-3.1.10.tar.gz
diff --git a/corosync.spec b/corosync.spec
index 6e04bf1..772196b 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -14,11 +14,13 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
-Version: 3.1.10
-Release: 1%{?dist}
+Version: 3.1.9
+Release: 2%{?dist}
 License: BSD-3-Clause
 URL: http://corosync.github.io/corosync/
-Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz
+
+Patch0: totemsrp-Check-size-of-orf_token-msg.patch
 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@@ -195,10 +197,8 @@ fi
 %{_initrddir}/corosync
 %{_initrddir}/corosync-notifyd
 %endif
-%if %{without systemd}
 %dir %{_localstatedir}/lib/corosync
 %dir %{_localstatedir}/log/cluster
-%endif
 %{_mandir}/man7/corosync_overview.7*
 %{_mandir}/man8/corosync.8*
 %{_mandir}/man8/corosync-blackbox.8*
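Review bot: The new `Source0` in the first corosync.spec hunk points at a plain `http://` URL where the removed line used `https://`, so a tarball fetched from it directly has no transport integrity. The SHA512 entry in `sources` still pins the content for builds that go through the lookaside cache, but an `https://` URL would be preferable if the host offers one. `Patch0` is only declared here and the `%prep` section is outside the diff, so confirm it is applied there (`%autosetup -p1` or an explicit `%patch`); otherwise the fix for CVE-2025-30472 named in the changelog would not reach the built package.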
@@ -289,23 +289,10 @@ network splits)
 %endif
 %changelog
-* Sat Nov 15 2025 Jan Friesse - 3.1.10-1
-- New upstream release
-
-* Wed Jul 23 2025 Fedora Release Engineering - 3.1.9-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Mon Jun 16 2025 Jan Friesse - 3.1.9-4
-- exec: Add support for env STATE_DIRECTORY
-- init: Use LogsDirectory in systemd unit file
-
-* Wed Mar 26 2025 Jan Friesse - 3.1.9-3
+* Wed Mar 26 2025 Jan Friesse - 3.1.9-2
 - totemsrp: Check size of orf_token msg (fixes CVE-2025-30472)
-* Thu Jan 16 2025 Fedora Release Engineering - 3.1.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
 * Fri Nov 15 2024 Jan Friesse - 3.1.9-1
 - New upstream release
diff --git a/sources b/sources
index 9c626fd..d3e0db1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (corosync-3.1.10.tar.gz) = cf2014d15fdbd3495cfe64629255f7855a79651a595938dac7bc7ec67338d843079ae40cf1c15de23b50d85cb39b2c2e3e3448a9cc33759ad8988b8c85ce59d3
+SHA512 (corosync-3.1.9.tar.gz) = d5332c65535dd40e3bee48912ebf2e71c55380b3dba93c36ff8b74090edf3ec44b69685cd11fda3732e4b0dab0b2954f08be94d772fcff6aaf9a4a846ef2e4cc
diff --git a/tests/.gitignore b/tests/.gitignore
new file mode 100644
index 0000000..e6c79fd
--- /dev/null
+++ b/tests/.gitignore
@@ -0,0 +1,3 @@
+# Ignore tests runs/artefacts.
+artifacts/**
+**/*.retry
diff --git a/tests/plan.fmf b/tests/plan.fmf
deleted file mode 100644
index 1c97683..0000000
--- a/tests/plan.fmf
+++ /dev/null
@@ -1,12 +0,0 @@
-summary: Run all smoke tests
-discover:
- how: fmf
-execute:
- how: tmt
-prepare:
- how: install
- package:
- - gcc
- - iproute
- - corosync
- - corosync-devel
diff --git a/tests/smoke/main.fmf b/tests/smoke/main.fmf
deleted file mode 100644
index c431594..0000000
--- a/tests/smoke/main.fmf
+++ /dev/null
@@ -1,2 +0,0 @@
-summary: Basic smoke test
-test: ./runtest.sh
diff --git a/tests/smoke/runtest.sh b/tests/smoke/runtest.sh
old mode 100755
new mode 100644
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..39b6209
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,12 @@
+- hosts: localhost
+ roles:
+ - role: standard-test-basic
+ tags:
+ - classic
+ tests:
+ - smoke
+ required_packages:
+ - gcc
+ - iproute
+ - corosync
+ - corosync-devel
diff --git a/totemsrp-Check-size-of-orf_token-msg.patch b/totemsrp-Check-size-of-orf_token-msg.patch
new file mode 100644
index 0000000..17b4c3e
--- /dev/null
+++ b/totemsrp-Check-size-of-orf_token-msg.patch
@@ -0,0 +1,68 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 962d0e2a..364528ce 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ const struct totemsrp_instance *instance,
+ const void *msg,
+ size_t msg_len,
++ size_t max_msg_len,
+ int endian_conversion_needed)
+ {
+ int rtr_entries;
+ const struct orf_token *token = (const struct orf_token *)msg;
+ size_t required_len;
+
++ if (msg_len > max_msg_len) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message is too long... ignoring.");
++
++ return (-1);
++ }
++
+ if (msg_len < sizeof(struct orf_token)) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too short... ignoring.");
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ rtr_entries = token->rtr_list_entries;
+ }
+
++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message rtr_entries is corrupted... ignoring.");
++
++ return (-1);
++ }
++
+ required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
+ "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
+ #endif
+
+- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
++ endian_conversion_needed) == -1) {
+ return (0);
+ }
+
+--
+2.47.0
+
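Review bot: The added `rtr_entries > RETRANSMIT_ENTRIES_MAX` test in check_orf_token_sanity() bounds the count only from above, while `rtr_entries` is declared `int` in the first exec/totemsrp.c hunk, so a negative value taken from the message would pass it. That value then reaches `rtr_entries * sizeof(struct rtr_item)`, where the conversion to `size_t` can wrap `required_len` to a small number and let the following `msg_len < required_len` check pass as well. Rejecting both sides, `if (rtr_entries < 0 || rtr_entries > RETRANSMIT_ENTRIES_MAX) {`, closes that gap; the declared type of `token->rtr_list_entries` and the code that later consumes the count lie outside these hunks, so whether a negative count is harmful downstream should be confirmed there.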