Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 599194 (CVE-2016-7035) - <sys-cluster/pacemaker-1.1.16: improper IPC guarding
Summary: <sys-cluster/pacemaker-1.1.16: improper IPC guarding
Status: RESOLVED FIXED
Alias: CVE-2016-7035
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-1867
  Show dependency tree
 
Reported: 2016-11-08 10:00 UTC by Agostino Sarubbo
Modified: 2018-01-25 11:35 UTC (History)
1 user (show)

See Also:
Package list:
sys-cluster/pacemaker-1.1.16
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-11-08 10:00:28 UTC
From ${URL} :

A vulnerability has been found in pacemaker, a software package for
high-availability clustering.

It was discovered that at some not so uncommon circumstances, some
pacemaker daemons could be talked to, via libqb-facilitated IPC, by
unprivileged clients due to flawed authorization decision.  Depending
on the capabilities of affected daemons, this might equip unauthorized
user with local privilege escalation or up to cluster-wide remote
execution of possibly arbitrary commands when such user happens to
reside at standard or remote/guest cluster node, respectively.

The original vulnerability was introduced in an attempt to allow
unprivileged IPC clients to clean up the file system materialized
leftovers in case the server (otherwise responsible for the lifecycle
of these files) crashes.  While the intended part of such behavior is
now effectively voided (along with the unintended one), a best-effort
fix to address this corner case systemically at libqb is coming along
(https://github.com/ClusterLabs/libqb/pull/231).

Affected versions:  1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
Impact:             Important
CVSSv3 ranking:     8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Credits for independent findings, in chronological order:
  Jan "poki" Pokorný, of Red Hat
  Alain Moulle, of ATOS/BULL


Patch for the issue, which is applicable on all affected versions:
https://github.com/ClusterLabs/pacemaker/pull/1166/commits/5a20855d6054ebaae590c09262b328d957cc1fc2




@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-06-17 20:36:06 UTC
Fixed via https://github.com/ClusterLabs/pacemaker/commit/5d71e65049d143435b03d6b3709d82900f32276f which is in v1.1.16 which is already in Gentoo's repository.


@ Arches,

please test and mark stable: =sys-cluster/pacemaker-1.1.16
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-18 14:01:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-20 05:18:09 UTC
x86 stable
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 02:03:09 UTC
Arches, please finish stabilizing hppa.

Gentoo Security Padawan
ChrisADR
Comment 5 D'juan McDonald (domhnall) 2017-09-03 15:47:07 UTC
@security, hppa is testing only for this package version, marking whiteboard to reflect the progress of ticket and following procedure to close on report.

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-03 21:27:44 UTC
hppa project: we can no longer wait on stabilization. Please finish up stabilization.
New GLSA Request filed.

Maintainers please clean up vulnerable versions.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2017-10-02 04:41:59 UTC
Slyfox / hppa - This is holding up a security bug, and security cleanup. Please stabilize or drop stable keyword.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-10-08 14:15:30 UTC
This issue was resolved and addressed in
 GLSA 201710-08 at https://security.gentoo.org/glsa/201710-08
by GLSA coordinator Aaron Bauman (b-man).
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-08 14:17:51 UTC
re-opened for cleanup.
Comment 10 Sergei Trofimovich gentoo-dev 2017-10-14 20:26:33 UTC
hppa stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-15 04:19:26 UTC
@Maintainers proceed to clean the tree.

Thank you
Comment 12 Ultrabug gentoo-dev 2018-01-25 08:32:19 UTC
Tree cleaned up, thanks guys!
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-25 11:35:04 UTC
(In reply to Ultrabug from comment #12)
> Tree cleaned up, thanks guys!

Thank you!