| Summary: | <sys-cluster/pacemaker-1.1.16: improper IPC guarding | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | cluster |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2016/11/03/5 | ||
| Whiteboard: | B2 [glsa cve] | ||
| Package list: |
sys-cluster/pacemaker-1.1.16
|
Runtime testing required: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 546550 | ||
Fixed via https://github.com/ClusterLabs/pacemaker/commit/5d71e65049d143435b03d6b3709d82900f32276f which is in v1.1.16 which is already in Gentoo's repository. @ Arches, please test and mark stable: =sys-cluster/pacemaker-1.1.16 amd64 stable x86 stable Arches, please finish stabilizing hppa. Gentoo Security Padawan ChrisADR @security, hppa is testing only for this package version, marking whiteboard to reflect the progress of ticket and following procedure to close on report. Daj'Uan (jmbailey/mbailey_j) Gentoo Security Padawan hppa project: we can no longer wait on stabilization. Please finish up stabilization. New GLSA Request filed. Maintainers please clean up vulnerable versions. Slyfox / hppa - This is holding up a security bug, and security cleanup. Please stabilize or drop stable keyword. This issue was resolved and addressed in GLSA 201710-08 at https://security.gentoo.org/glsa/201710-08 by GLSA coordinator Aaron Bauman (b-man). re-opened for cleanup. hppa stable @Maintainers proceed to clean the tree. Thank you Tree cleaned up, thanks guys! (In reply to Ultrabug from comment #12) > Tree cleaned up, thanks guys! Thank you! |
From ${URL} : A vulnerability has been found in pacemaker, a software package for high-availability clustering. It was discovered that at some not so uncommon circumstances, some pacemaker daemons could be talked to, via libqb-facilitated IPC, by unprivileged clients due to flawed authorization decision. Depending on the capabilities of affected daemons, this might equip unauthorized user with local privilege escalation or up to cluster-wide remote execution of possibly arbitrary commands when such user happens to reside at standard or remote/guest cluster node, respectively. The original vulnerability was introduced in an attempt to allow unprivileged IPC clients to clean up the file system materialized leftovers in case the server (otherwise responsible for the lifecycle of these files) crashes. While the intended part of such behavior is now effectively voided (along with the unintended one), a best-effort fix to address this corner case systemically at libqb is coming along (https://github.com/ClusterLabs/libqb/pull/231). Affected versions: 1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21) Impact: Important CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Credits for independent findings, in chronological order: Jan "poki" Pokorný, of Red Hat Alain Moulle, of ATOS/BULL Patch for the issue, which is applicable on all affected versions: https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.