Bug 711674 (CVE-2018-16877, CVE-2018-16878, CVE-2019-3885)

Comment 1 Sam James 2020-03-09 19:16:18 UTC

(In reply to sam_c (Security Padawan) from comment #0)
> Description:
> "A use-after-free flaw was found in pacemaker up to and including version
> 2.0.1 which could result in certain sensitive information to be leaked via
> the system logs."
> 
> ---
> Security notices: https://wiki.clusterlabs.org/wiki/Security
> 
> Affected versions, as per security page:
> - 1.1.18 to 1.1.20 resp. 2.0.1

The PR (https://github.com/ClusterLabs/pacemaker/pull/1749) mentions fixes for two other CVEs (CVE-2018-16877, CVE-2018-16878). So changing description and rating based on these (see https://bugzilla.redhat.com/show_bug.cgi?id=1652646#c7).

Upstream are unclear about if .16 is affected or not (https://github.com/ClusterLabs/pacemaker/pull/1750#issuecomment-494469643).

2) CVE-2018-16877

Description:
"A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation."

3) CVE-2018-16878

Description:
"A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS"

Comment 2 Sam James 2020-04-22 01:26:09 UTC

@maintainer(s): ping, please bump

Comment 3 Michał Górny 2020-09-26 13:13:10 UTC

Final ping.

Comment 4 Ultrabug 2020-10-12 12:47:09 UTC

will do via https://github.com/gentoo/gentoo/pull/16803

Comment 5 Larry the Git Cow 2020-10-21 12:59:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=694bc6925f5e973d4eda78d9366013dc5974a487

commit 694bc6925f5e973d4eda78d9366013dc5974a487
Author:     Timo Rothenpieler <btbn@btbn.de>
AuthorDate: 2020-07-24 19:35:49 +0000
Commit:     Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2020-10-21 12:58:11 +0000

    sys-cluster/pacemaker: bump for 2.0.4
    
    Bug: https://bugs.gentoo.org/711674
    Signed-off-by: Timo Rothenpieler <btbn@btbn.de>
    Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

 sys-cluster/pacemaker/Manifest                     |  1 +
 .../files/pacemaker-2.0.4-qa-warnings.patch        | 16 +++++
 sys-cluster/pacemaker/pacemaker-2.0.4.ebuild       | 78 ++++++++++++++++++++++
 3 files changed, 95 insertions(+)

Comment 6 John Helmert III 2020-10-21 14:06:41 UTC

Please stable when ready.

Comment 10 Marc Schiffbauer 2020-11-10 20:58:31 UTC

>=1.1.21 is also not affected

from https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.21-rc1

Changes since Pacemaker-1.1.20

    Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885

Comment 11 Larry the Git Cow 2020-11-10 23:22:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f

commit 3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:21:25 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:25 +0000

    sys-cluster/pacemaker: bump 2.0 version
    
    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d50a2d60855edd7408b35062cc596e4fca7a3f1

commit 0d50a2d60855edd7408b35062cc596e4fca7a3f1
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:19:16 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:21 +0000

    sys-cluster/pacemaker: bump 1.1 version
    
    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Closes: https://bugs.gentoo.org/728162
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                     |  1 +
 .../files/pacemaker-1.1.24-python-fixes.patch      | 26 +++++++
 .../files/pacemaker-1.1.24-qa-warnings.patch       | 12 ++++
 sys-cluster/pacemaker/pacemaker-1.1.24_rc1.ebuild  | 80 ++++++++++++++++++++++
 4 files changed, 119 insertions(+)

Comment 12 Larry the Git Cow 2020-11-12 11:20:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0275c17207295dced2f8f1d68f357e443a8f2aaa

commit 0275c17207295dced2f8f1d68f357e443a8f2aaa
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-11-12 11:06:28 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-11-12 11:19:48 +0000

    package.mask: Revert last rite of sys-cluster/cluster-glue & revdeps
    
    As discussed with Marc Schiffbauer <mschiff@gentoo.org>.
    This reverts commit f51b83a43a70a06d93851b0fa41f7e6e993e1e6e.
    Bug #704610 of sys-cluster/cluster-glue turned out to be fixed
    by commit b5442dd701a9eaaf22fb92808fb0ec93f7a9f1e6 of July 2020.
    Vulnerable sys-cluster/pacemaker has been bumped yesterday.
    So the path to stabilization is no longer blocked.
    
    Bug: https://bugs.gentoo.org/704610
    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 profiles/base/package.use.mask |  4 ----
 profiles/package.mask          | 14 --------------
 2 files changed, 18 deletions(-)

Comment 16 John Helmert III 2020-11-12 15:41:50 UTC

Do we need to stabilize the 1.1.x branch too?

Comment 18 Larry the Git Cow 2020-11-17 18:59:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a68d6fc8efca86e21615ab9aa273386e3da72e7b

commit a68d6fc8efca86e21615ab9aa273386e3da72e7b
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-17 18:59:29 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-17 18:59:42 +0000

    sys-cluster/pacemaker: remove 2.0.5_rc1
    
    This version was vulnerable to CVE-2020-25654, so stabilize rc3 instead
    
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 -
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ------------------------
 2 files changed, 79 deletions(-)

Comment 19 Thomas Deutschmann (RETIRED) 2020-11-17 20:22:18 UTC

> Traceback (most recent call last):
>   File "/usr/lib/python-exec/python3.7/tatt", line 169, in <module>
>     myJob.packageList = packageFinder.findPackages(response["cf_stabilisation_atoms"], config['arch'], get_repo_dir(config['repodir']), options.bugnum)
>   File "/usr/lib/python3.7/site-packages/tatt/packageFinder.py", line 14, in findPackages
>     output = subprocess.check_output(['nattka', '--repo', repo, 'apply', '-a', arch, '-n', bugnum, '--ignore-sanity-check', '--ignore-dependencies'])
>   File "/usr/lib/python3.7/subprocess.py", line 411, in check_output
>     **kwargs).stdout
>   File "/usr/lib/python3.7/subprocess.py", line 512, in run
>     output=stdout, stderr=stderr)
> subprocess.CalledProcessError: Command '['nattka', '--repo', '/usr/portage/', 'apply', '-a', 'x86', '-n', '711674', '--ignore-sanity-check', '--ignore-dependencies']' returned non-zero exit status 1.
>

Comment 20 Agostino Sarubbo 2020-11-18 06:55:18 UTC

ppc stable

Comment 21 Sergei Trofimovich (RETIRED) 2020-11-23 08:21:59 UTC

hppa/ppc64 stable

Comment 22 Thomas Deutschmann (RETIRED) 2020-11-25 11:45:20 UTC

sys-cluster/corosync which is required for this package doesn't build, bug 743841.

Comment 23 Marc Schiffbauer 2020-11-27 21:27:32 UTC

(In reply to Thomas Deutschmann from comment #22)
> sys-cluster/corosync which is required for this package doesn't build, bug
> 743841.

Hi Thomas, thanks for the info, I was not aware of this. I recomment stabilizing sys-cluster/corosync-2.4.5 first then and use that.

Comment 24 Marc Schiffbauer 2020-12-01 22:16:11 UTC

I added sys-cluster/corosync-2.4.5 to the package list as this is the minimum version in tree which is compatible with sys-cluster/libqb-2.0.1-r1

Comment 25 Larry the Git Cow 2020-12-04 00:55:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a9a9601046177b2c80702bf4b50541bd6d198f

commit 25a9a9601046177b2c80702bf4b50541bd6d198f
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:54:15 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:07 +0000

    sys-cluster/pacemaker: bump to 1.1.24 final
    
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                                          | 2 +-
 .../pacemaker/{pacemaker-1.1.24_rc1.ebuild => pacemaker-1.1.24.ebuild}  | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f24402dfd6437c52f328fd4f2b4f4412e244ace

commit 8f24402dfd6437c52f328fd4f2b4f4412e244ace
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:51:43 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:04 +0000

    sys-cluster/pacemaker: bump to 2.0.5 final
    
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                                          | 2 +-
 .../pacemaker/{pacemaker-2.0.5_rc3.ebuild => pacemaker-2.0.5.ebuild}    | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

Comment 27 Marc Schiffbauer 2020-12-04 00:58:39 UTC

Pacemaker 2.0.5 has been released, package list updated

Comment 29 Michał Górny 2020-12-18 08:50:01 UTC

FWIU, this package has been revived.  Please CC treecleaners again if the new 'maintainer' doesn't cope.

Comment 30 John Helmert III 2021-01-01 22:33:22 UTC

*** Bug 762988 has been marked as a duplicate of this bug. ***

Comment 31 Sam James 2021-01-01 23:29:38 UTC

amd64 done

Comment 32 Ultrabug 2021-01-08 08:23:40 UTC

pacemaker-1.1.16 dropped from tree, we should be good here

Comment 33 Sam James 2021-01-08 10:31:36 UTC

(In reply to Ultrabug from comment #32)
> pacemaker-1.1.16 dropped from tree, we should be good here

Thanks!

Comment 34 Thomas Deutschmann (RETIRED) 2021-02-03 20:19:56 UTC

x86 stable

Comment 35 NATTkA bot 2021-02-03 20:21:17 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 36 Ultrabug 2021-02-08 09:20:03 UTC

I dropped <pacemaker-2.0.5; I guess we're good here

I also dropped <corosync-3.1.0 FYI

Comment 37 Andreas K. Hüttel 2021-03-04 22:58:29 UTC

Not blocking gcc anymore

Comment 38 Larry the Git Cow 2023-09-29 08:37:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1879b11c680b5a942bb283d62aff5b3aa0b78304

commit 1879b11c680b5a942bb283d62aff5b3aa0b78304
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-29 08:35:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-29 08:37:36 +0000

    [ GLSA 202309-09 ] Pacemaker: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)