From 8f62042dd8bf7244055f6f2e5223e1dcae8522d9 Mon Sep 17 00:00:00 2001
From: Jan Friesse
Date: Fri, 15 Nov 2024 14:34:23 +0100
Subject: [PATCH 1/2] New upstream release

Signed-off-by: Jan Friesse
---
 .gitignore | 1 +
 corosync.spec | 11 +++++++----
 sources | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 63f502d..836dba5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,3 +50,4 @@ corosync-1.2.7.tar.gz
 /corosync-3.1.6.tar.gz
 /corosync-3.1.7.tar.gz
 /corosync-3.1.8.tar.gz
+/corosync-3.1.9.tar.gz
diff --git a/corosync.spec b/corosync.spec
index 1494717..cff36b5 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -17,8 +17,8 @@
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
-Version: 3.1.8
-Release: 3%{?gitver}%{?dist}
+Version: 3.1.9
+Release: 1%{?gitver}%{?dist}
 License: BSD-3-Clause
 URL: http://corosync.github.io/corosync/
 Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
@@ -116,7 +116,7 @@ BuildRequires: make
 %if %{with dbus}
 mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d
-install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf
+install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf
 %endif
 ## tree fixup
@@ -185,7 +185,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/corosync
 %config(noreplace) %{_sysconfdir}/logrotate.d/corosync
 %if %{with dbus}
-%{_sysconfdir}/dbus-1/system.d/corosync-signals.conf
+%{_datadir}/dbus-1/system.d/corosync-signals.conf
 %endif
 %if %{with snmp}
 %{_datadir}/snmp/mibs/COROSYNC-MIB.txt
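Review bot: The unchanged context line `mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d` in the `@@ -116,7 +116,7 @@` hunk of corosync.spec still creates the old directory, while the changed `install` line on the next line now writes to `%{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf`, so the %install step builds a directory nothing is installed into any more. Unless upstream's `make install` already creates the new directory (not visible here), `install -m 644` will fail because it does not create parent directories; suggest pointing the mkdir at the new path, `mkdir -p -m 0700 %{buildroot}/%{_datadir}/dbus-1/system.d`, or dropping it if upstream provides the directory. The same stale mkdir line is carried unchanged into the `@@ -116,7 +116,7 @@` hunk of PATCH 2/2.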
@@ -289,6 +289,9 @@ network splits)
 %endif
 %changelog
+* Fri Nov 15 2024 Jan Friesse - 3.1.9-1
+- New upstream release
+
 * Wed Jan 24 2024 Fedora Release Engineering - 3.1.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
diff --git a/sources b/sources
index fd916ac..d3e0db1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (corosync-3.1.8.tar.gz) = 6325ae39bada33dbc0c85eb07d137af78235a1c0f8a4d1f90a20088e011bff65263903e5688956256ddfb58daec45f6d96c04624ff320be0c00ec36aa5d568f8
+SHA512 (corosync-3.1.9.tar.gz) = d5332c65535dd40e3bee48912ebf2e71c55380b3dba93c36ff8b74090edf3ec44b69685cd11fda3732e4b0dab0b2954f08be94d772fcff6aaf9a4a846ef2e4cc

From aa60e553caa43978291f5d16e22f30b3caf378dc Mon Sep 17 00:00:00 2001
From: Jan Friesse
Date: Wed, 26 Mar 2025 10:44:54 +0100
Subject: [PATCH 2/2] Fix CVE-2025-30472

- totemsrp: Check size of orf_token msg (fixes CVE-2025-30472)
- Resolves: rhbz#2354383

Signed-off-by: Jan Friesse
---
 corosync.spec | 18 +++---
 totemsrp-Check-size-of-orf_token-msg.patch | 68 ++++++++++++++++++++++
 2 files changed, 79 insertions(+), 7 deletions(-)
 create mode 100644 totemsrp-Check-size-of-orf_token-msg.patch

diff --git a/corosync.spec b/corosync.spec
index cff36b5..ab92613 100644
--- a/corosync.spec
+++ b/corosync.spec
@@ -12,16 +12,15 @@
 %bcond_without runautogen
 %bcond_without userflags
-%global gitver %{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}
-%global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}}
-
 Name: corosync
 Summary: The Corosync Cluster Engine and Application Programming Interfaces
 Version: 3.1.9
-Release: 1%{?gitver}%{?dist}
+Release: 2%{?dist}
 License: BSD-3-Clause
 URL: http://corosync.github.io/corosync/
-Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz
+Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}.tar.gz
+
+Patch0: totemsrp-Check-size-of-orf_token-msg.patch
 # Runtime bits
 # The automatic dependency overridden in favor of explicit version lock
@@ -68,9 +67,10 @@ Requires: libxslt
 BuildRequires: readline-devel
 %endif
 BuildRequires: make
+BuildRequires: git
 %prep
-%setup -q -n %{name}-%{version}%{?gittarver}
+%autosetup -S git_am
 %build
 %if %{with runautogen}
@@ -116,7 +116,7 @@ BuildRequires: make
 %if %{with dbus}
 mkdir -p -m 0700 %{buildroot}/%{_sysconfdir}/dbus-1/system.d
-install -m 644 %{_builddir}/%{name}-%{version}%{?gittarver}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf
+install -m 644 %{_builddir}/%{name}-%{version}/conf/corosync-signals.conf %{buildroot}/%{_datadir}/dbus-1/system.d/corosync-signals.conf
 %endif
 ## tree fixup
@@ -289,6 +289,10 @@ network splits)
 %endif
 %changelog
+* Wed Mar 26 2025 Jan Friesse - 3.1.9-2
+- totemsrp: Check size of orf_token msg
+ (fixes CVE-2025-30472)
+
 * Fri Nov 15 2024 Jan Friesse - 3.1.9-1
 - New upstream release
diff --git a/totemsrp-Check-size-of-orf_token-msg.patch b/totemsrp-Check-size-of-orf_token-msg.patch
new file mode 100644
index 0000000..17b4c3e
--- /dev/null
+++ b/totemsrp-Check-size-of-orf_token-msg.patch
@@ -0,0 +1,68 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 962d0e2a..364528ce 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ const struct totemsrp_instance *instance,
+ const void *msg,
+ size_t msg_len,
++ size_t max_msg_len,
+ int endian_conversion_needed)
+ {
+ int rtr_entries;
+ const struct orf_token *token = (const struct orf_token *)msg;
+ size_t required_len;
+
++ if (msg_len > max_msg_len) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message is too long... ignoring.");
++
++ return (-1);
++ }
++
+ if (msg_len < sizeof(struct orf_token)) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too short... ignoring.");
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ rtr_entries = token->rtr_list_entries;
+ }
+
++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message rtr_entries is corrupted... ignoring.");
++
++ return (-1);
++ }
++
+ required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
+ "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
+ #endif
+
+- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
++ endian_conversion_needed) == -1) {
+ return (0);
+ }
+
+--
+2.47.0
+
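Review bot: The new bound in the `@@ -3698` hunk, `if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {`, checks only the upper side, while `rtr_entries` is declared `int` in the first hunk and is copied straight from the received message via `rtr_entries = token->rtr_list_entries;`, whose field type is not visible here. If that field can hold a negative value, it passes this check and reaches `required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);`, where the int is converted to size_t and the product wraps, so the subsequent `msg_len < required_len` test is no longer a reliable bound on the entry count. Suggest `if (rtr_entries < 0 || rtr_entries > RETRANSMIT_ENTRIES_MAX) {` so the whole range is validated before it feeds a size computation. A one-line comment above the new `msg_len > max_msg_len` check, such as `/* the caller copies msg into a fixed-size buffer of max_msg_len bytes (see commit message) */`, would record why the maximum is enforced before the minimum. Both check_orf_token_sanity and message_handler_orf_token continue outside the hunks shown.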