| Summary: | <sys-cluster/pacemaker-{1.1.24_rc1,2.0.4}: Multiple vulnerabilities (CVE-2018-{16877,16878}, CVE-2019-3885) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | cluster, jsmolic, mgorny |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/ClusterLabs/pacemaker/pull/1749 | | |
| See Also: | https://github.com/gentoo/gentoo/pull/16803 | | |
| Whiteboard: | B1 [glsa+ cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 704610, 743841 | | |
| Bug Blocks: | 751430 | | |
| Deadline: | 2020-12-07 | | |

Description
Sam James
2020-03-06 12:07:53 UTC
(In reply to sam_c (Security Padawan) from comment #0)
> Description:
> "A use-after-free flaw was found in pacemaker up to and including version
> 2.0.1 which could result in certain sensitive information to be leaked via
> the system logs."
>
> ---
> Security notices: https://wiki.clusterlabs.org/wiki/Security
>
> Affected versions, as per security page:
> - 1.1.18 to 1.1.20 resp. 2.0.1

The PR (https://github.com/ClusterLabs/pacemaker/pull/1749) mentions fixes for two other CVEs (CVE-2018-16877, CVE-2018-16878). So changing description and rating based on these (see https://bugzilla.redhat.com/show_bug.cgi?id=1652646#c7).

Upstream are unclear about if .16 is affected or not (https://github.com/ClusterLabs/pacemaker/pull/1750#issuecomment-494469643).

2) CVE-2018-16877

Description:
"A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation."

3) CVE-2018-16878

Description:
"A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS"

@maintainer(s): ping, please bump

Final ping.

will do via https://github.com/gentoo/gentoo/pull/16803

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=694bc6925f5e973d4eda78d9366013dc5974a487

commit 694bc6925f5e973d4eda78d9366013dc5974a487
Author: Timo Rothenpieler <btbn@btbn.de>
AuthorDate: 2020-07-24 19:35:49 +0000
Commit: Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2020-10-21 12:58:11 +0000

sys-cluster/pacemaker: bump for 2.0.4

Bug: https://bugs.gentoo.org/711674
Signed-off-by: Timo Rothenpieler <btbn@btbn.de>
Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

sys-cluster/pacemaker/Manifest | 1 +
.../files/pacemaker-2.0.4-qa-warnings.patch | 16 +++++
sys-cluster/pacemaker/pacemaker-2.0.4.ebuild | 78 ++++++++++++++++++++++
3 files changed, 95 insertions(+)

Please stable when ready.

Sanity check failed:
> sys-cluster/pacemaker-2.0.4
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
Sanity check failed:
> sys-cluster/pacemaker-2.0.4
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
Unable to check for sanity:
> package masked: sys-cluster/pacemaker-2.0.4
\>=1.1.21 is also not affected

from https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.21-rc1

Changes since Pacemaker-1.1.20
Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f

commit 3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:21:25 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:25 +0000

sys-cluster/pacemaker: bump 2.0 version

Bug: https://bugs.gentoo.org/751430
Bug: https://bugs.gentoo.org/711674
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

sys-cluster/pacemaker/Manifest | 1 +
sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ++++++++++++++++++++++++
2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d50a2d60855edd7408b35062cc596e4fca7a3f1

commit 0d50a2d60855edd7408b35062cc596e4fca7a3f1
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:19:16 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:21 +0000

sys-cluster/pacemaker: bump 1.1 version

Bug: https://bugs.gentoo.org/751430
Bug: https://bugs.gentoo.org/711674
Closes: https://bugs.gentoo.org/728162
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

sys-cluster/pacemaker/Manifest | 1 +
.../files/pacemaker-1.1.24-python-fixes.patch | 26 +++++++
.../files/pacemaker-1.1.24-qa-warnings.patch | 12 ++++
sys-cluster/pacemaker/pacemaker-1.1.24_rc1.ebuild | 80 ++++++++++++++++++++++
4 files changed, 119 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0275c17207295dced2f8f1d68f357e443a8f2aaa

commit 0275c17207295dced2f8f1d68f357e443a8f2aaa
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-11-12 11:06:28 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-11-12 11:19:48 +0000

package.mask: Revert last rite of sys-cluster/cluster-glue & revdeps

As discussed with Marc Schiffbauer <mschiff@gentoo.org>.

This reverts commit f51b83a43a70a06d93851b0fa41f7e6e993e1e6e.

Bug #704610 of sys-cluster/cluster-glue turned out to be fixed by commit b5442dd701a9eaaf22fb92808fb0ec93f7a9f1e6 of July 2020. Vulnerable sys-cluster/pacemaker has been bumped yesterday. So the path to stabilization is no longer blocked.

Bug: https://bugs.gentoo.org/704610
Bug: https://bugs.gentoo.org/711674
Bug: https://bugs.gentoo.org/751430
Signed-off-by: Sebastian Pipping <sping@gentoo.org>

profiles/base/package.use.mask | 4 ----
profiles/package.mask | 14 --------------
2 files changed, 18 deletions(-)

Sanity check failed:
> sys-cluster/pacemaker-2.0.4
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
Sanity check failed:
> sys-cluster/pacemaker-2.0.5_rc1
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (25 total)
> >=sys-cluster/cluster-glue-1.0.12-r1
> >=sys-cluster/libqb-2.0.0:=
All sanity-check issues have been resolved

Do we need to stabilize the 1.1.x branch too?

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a68d6fc8efca86e21615ab9aa273386e3da72e7b

commit a68d6fc8efca86e21615ab9aa273386e3da72e7b
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-17 18:59:29 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-17 18:59:42 +0000

sys-cluster/pacemaker: remove 2.0.5_rc1

This version was vulnerable to CVE-2020-25654, so stabilize rc3 instead

Bug: https://bugs.gentoo.org/711674
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

sys-cluster/pacemaker/Manifest | 1 -
sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ------------------------
2 files changed, 79 deletions(-)

> Traceback (most recent call last):
> File "/usr/lib/python-exec/python3.7/tatt", line 169, in <module>
> myJob.packageList = packageFinder.findPackages(response["cf_stabilisation_atoms"], config['arch'], get_repo_dir(config['repodir']), options.bugnum)
> File "/usr/lib/python3.7/site-packages/tatt/packageFinder.py", line 14, in findPackages
> output = subprocess.check_output(['nattka', '--repo', repo, 'apply', '-a', arch, '-n', bugnum, '--ignore-sanity-check', '--ignore-dependencies'])
> File "/usr/lib/python3.7/subprocess.py", line 411, in check_output
> **kwargs).stdout
> File "/usr/lib/python3.7/subprocess.py", line 512, in run
> output=stdout, stderr=stderr)
> subprocess.CalledProcessError: Command '['nattka', '--repo', '/usr/portage/', 'apply', '-a', 'x86', '-n', '711674', '--ignore-sanity-check', '--ignore-dependencies']' returned non-zero exit status 1.
>
ppc stable

hppa/ppc64 stable

sys-cluster/corosync which is required for this package doesn't build, bug 743841.

(In reply to Thomas Deutschmann from comment #22)
> sys-cluster/corosync which is required for this package doesn't build, bug
> 743841.

Hi Thomas, thanks for the info, I was not aware of this. I recommend stabilizing sys-cluster/corosync-2.4.5 first then and use that.

I added sys-cluster/corosync-2.4.5 to the package list as this is the minimum version in tree which is compatible with sys-cluster/libqb-2.0.1-r1

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a9a9601046177b2c80702bf4b50541bd6d198f

commit 25a9a9601046177b2c80702bf4b50541bd6d198f
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:54:15 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:07 +0000

sys-cluster/pacemaker: bump to 1.1.24 final

Bug: https://bugs.gentoo.org/711674
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

sys-cluster/pacemaker/Manifest | 2 +-
.../pacemaker/{pacemaker-1.1.24_rc1.ebuild => pacemaker-1.1.24.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f24402dfd6437c52f328fd4f2b4f4412e244ace

commit 8f24402dfd6437c52f328fd4f2b4f4412e244ace
Author: Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:51:43 +0000
Commit: Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:04 +0000

sys-cluster/pacemaker: bump to 2.0.5 final

Bug: https://bugs.gentoo.org/711674
Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

sys-cluster/pacemaker/Manifest | 2 +-
.../pacemaker/{pacemaker-2.0.5_rc3.ebuild => pacemaker-2.0.5.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)

Unable to check for sanity:
> no match for package: sys-cluster/pacemaker-2.0.5_rc3
Pacemaker 2.0.5 has been released, package list updated

All sanity-check issues have been resolved

FWIU, this package has been revived. Please CC treecleaners again if the new 'maintainer' doesn't cope.

*** Bug 762988 has been marked as a duplicate of this bug. ***

amd64 done

pacemaker-1.1.16 dropped from tree, we should be good here

(In reply to Ultrabug from comment #32)
> pacemaker-1.1.16 dropped from tree, we should be good here

Thanks!

x86 stable

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

I dropped <pacemaker-2.0.5; I guess we're good here

I also dropped <corosync-3.1.0 FYI

Not blocking gcc anymore

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1879b11c680b5a942bb283d62aff5b3aa0b78304

commit 1879b11c680b5a942bb283d62aff5b3aa0b78304
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-29 08:35:00 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-29 08:37:36 +0000

[ GLSA 202309-09 ] Pacemaker: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/711674
Bug: https://bugs.gentoo.org/751430
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202309-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)