Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 457572 (CVE-2013-0281) - <sys-cluster/pacemaker-1.1.12-r2: Denial of service (CVE-2013-0281)
Summary: <sys-cluster/pacemaker-1.1.12-r2: Denial of service (CVE-2013-0281)
Status: RESOLVED FIXED
Alias: CVE-2013-0281
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 455418 490908 539608
Blocks:
  Show dependency tree
 
Reported: 2013-02-14 18:43 UTC by Agostino Sarubbo
Modified: 2015-05-11 16:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-14 18:43:39 UTC
From ${URL} :

A denial of service flaw was found in the way Pacemaker, an advanced, scalable high-availability cluster resource manager for Linux-HA (Heartbeat) and/or Corosync, 
performed authentication and processing of remote connections in certain circumstances. In general Pacemaker used a blocking socket (without a timeout) to wait for 
authentication credentials to arrive. When Pacemaker was configured to allow remote Cluster Information Base (CIB) cluster's configuration / cluster's resources management, 
a remote attacker could use this flaw to cause Pacemaker to block indefinitely (preventing it from serving another requests).
Comment 2 Ultrabug gentoo-dev 2013-02-25 10:58:47 UTC
FYI I'm in discussion with upstream to get a new tag release of pacemaker which would avoid the need to patch this ourselves.

<Ultrabug> meaning, this week ? :p
<beekhof> highly likely

I should be able to fix this soon ;)
Comment 3 Ultrabug gentoo-dev 2013-03-08 17:35:27 UTC
Now 1.1.9 is tagged, builds fine but doesn't work... I'm in contact with upstream about this :(
Comment 4 Ultrabug gentoo-dev 2013-03-13 13:50:03 UTC
+*pacemaker-1.1.9 (13 Mar 2013)
+
+  13 Mar 2013; Ultrabug <ultrabug@gentoo.org> +pacemaker-1.1.9.ebuild:
+  Version bump fix #457572
+

NOTE that due to perm issues with newer pacemaker/libqb ACL support, you now need to add root to the haclient group if pacemaker is compiled with USE acl !
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-17 00:59:47 UTC
Are we okay to stable pacemaker-1.1.10?
Comment 6 Ultrabug gentoo-dev 2013-10-17 19:19:56 UTC
(In reply to Chris Reffett from comment #5)
> Are we okay to stable pacemaker-1.1.10?

By all means, yes !
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2013-10-18 03:47:02 UTC
Arches, please test and mark stable:

=sys-cluster/pacemaker-1.1.10;

Target keywords : "amd64 hppa x86"
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-27 16:26:14 UTC
@Jeroen: why bug 455418 is a blocker for this?
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-19 16:37:44 UTC
(In reply to Agostino Sarubbo from comment #8)
> @Jeroen: why bug 455418 is a blocker for this?

Because we're being asked to stabilise sys-cluster/libdlm which has the problem pointed out in that bug report.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 10:19:04 UTC
CVE-2013-0281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0281):
  Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration
  or resource management is enabled, does not limit the duration of
  connections to the blocking sockets, which allows remote attackers to cause
  a denial of service (connection blocking).
Comment 11 Agostino Sarubbo gentoo-dev 2013-12-23 13:25:33 UTC
CC back the arch teams when it is ready
Comment 12 Ultrabug gentoo-dev 2015-03-23 11:16:15 UTC
All fixed, please proceed with related stabilization.

I'll drop all 1.0.x versions afterwards.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 04:48:24 UTC
Version: 1.1.12-r2 has been stabilized as part of bug #539608.

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No
Comment 14 Ultrabug gentoo-dev 2015-04-07 08:11:03 UTC
dropped. thx.

+  07 Apr 2015; Ultrabug <ultrabug@gentoo.org> -pacemaker-1.0.10.ebuild,
+  -pacemaker-1.0.12.ebuild, metadata.xml:
+  drop vulnerable wrt #457572
+
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-04-11 03:41:22 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:29:29 UTC
GLSA Vote: No