Bug 711674 (CVE-2018-16877, CVE-2018-16878, CVE-2019-3885) - <sys-cluster/pacemaker-{1.1.24_rc1,2.0.4}: Multiple vulnerabilities (CVE-2018-{16877,16878}, CVE-2019-3885)
Summary: <sys-cluster/pacemaker-{1.1.24_rc1,2.0.4}: Multiple vulnerabilities (CVE-2018...
Status: IN_PROGRESS
Alias: CVE-2018-16877, CVE-2018-16878, CVE-2019-3885
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Deadline: 2020-12-07
Assignee: Gentoo Security
URL: https://github.com/ClusterLabs/pacema...
Whiteboard: B1 [glsa? cve]
Keywords: PullRequest
Duplicates: 762988
Depends on: 704610 743841
Blocks: CVE-2020-25654
Reported: 2020-03-06 12:07 UTC by Sam James
Modified: 2021-03-04 22:58 UTC (History)
Description Sam James archtester gentoo-dev Security 2020-03-06 12:07:53 UTC
Description:
"A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs."

---
Security notices: https://wiki.clusterlabs.org/wiki/Security

Affected versions, as per security page:
- 1.1.18 to 1.1.20 resp. 2.0.1
Comment 1 Sam James archtester gentoo-dev Security 2020-03-09 19:16:18 UTC
(In reply to sam_c (Security Padawan) from comment #0)
> Description:
> "A use-after-free flaw was found in pacemaker up to and including version
> 2.0.1 which could result in certain sensitive information to be leaked via
> the system logs."
> 
> ---
> Security notices: https://wiki.clusterlabs.org/wiki/Security
> 
> Affected versions, as per security page:
> - 1.1.18 to 1.1.20 resp. 2.0.1

The PR (https://github.com/ClusterLabs/pacemaker/pull/1749) mentions fixes for two other CVEs (CVE-2018-16877, CVE-2018-16878). So changing description and rating based on these (see https://bugzilla.redhat.com/show_bug.cgi?id=1652646#c7).

Upstream are unclear about if .16 is affected or not (https://github.com/ClusterLabs/pacemaker/pull/1750#issuecomment-494469643).

2) CVE-2018-16877

Description:
"A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation."

3) CVE-2018-16878

Description:
"A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS"
Comment 2 Sam James archtester gentoo-dev Security 2020-04-22 01:26:09 UTC
@maintainer(s): ping, please bump
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-26 13:13:10 UTC
Final ping.
Comment 4 Ultrabug gentoo-dev 2020-10-12 12:47:09 UTC
will do via https://github.com/gentoo/gentoo/pull/16803
Comment 5 Larry the Git Cow gentoo-dev 2020-10-21 12:59:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=694bc6925f5e973d4eda78d9366013dc5974a487

commit 694bc6925f5e973d4eda78d9366013dc5974a487
Author:     Timo Rothenpieler <btbn@btbn.de>
AuthorDate: 2020-07-24 19:35:49 +0000
Commit:     Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2020-10-21 12:58:11 +0000

    sys-cluster/pacemaker: bump for 2.0.4
    
    Bug: https://bugs.gentoo.org/711674
    Signed-off-by: Timo Rothenpieler <btbn@btbn.de>
    Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

 sys-cluster/pacemaker/Manifest                     |  1 +
 .../files/pacemaker-2.0.4-qa-warnings.patch        | 16 +++++
 sys-cluster/pacemaker/pacemaker-2.0.4.ebuild       | 78 ++++++++++++++++++++++
 3 files changed, 95 insertions(+)
Comment 6 John Helmert III gentoo-dev Security 2020-10-21 14:06:41 UTC
Please stable when ready.
Comment 7 NATTkA bot gentoo-dev 2020-10-21 14:09:06 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2020-11-07 04:05:43 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2020-11-07 09:25:14 UTC Comment hidden (obsolete)
Comment 10 Marc Schiffbauer gentoo-dev 2020-11-10 20:58:31 UTC
>=1.1.21 is also not affected

from https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.21-rc1

Changes since Pacemaker-1.1.20

    Important security fixes for CVE-2018-16878, CVE-2018-16877, CVE-2019-3885
Comment 11 Larry the Git Cow gentoo-dev 2020-11-10 23:22:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f

commit 3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:21:25 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:25 +0000

    sys-cluster/pacemaker: bump 2.0 version
    
    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d50a2d60855edd7408b35062cc596e4fca7a3f1

commit 0d50a2d60855edd7408b35062cc596e4fca7a3f1
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:19:16 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:21 +0000

    sys-cluster/pacemaker: bump 1.1 version
    
    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Closes: https://bugs.gentoo.org/728162
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                     |  1 +
 .../files/pacemaker-1.1.24-python-fixes.patch      | 26 +++++++
 .../files/pacemaker-1.1.24-qa-warnings.patch       | 12 ++++
 sys-cluster/pacemaker/pacemaker-1.1.24_rc1.ebuild  | 80 ++++++++++++++++++++++
 4 files changed, 119 insertions(+)
Comment 12 Larry the Git Cow gentoo-dev 2020-11-12 11:20:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0275c17207295dced2f8f1d68f357e443a8f2aaa

commit 0275c17207295dced2f8f1d68f357e443a8f2aaa
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-11-12 11:06:28 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-11-12 11:19:48 +0000

    package.mask: Revert last rite of sys-cluster/cluster-glue & revdeps
    
    As discussed with Marc Schiffbauer <mschiff@gentoo.org>.
    This reverts commit f51b83a43a70a06d93851b0fa41f7e6e993e1e6e.
    Bug #704610 of sys-cluster/cluster-glue turned out to be fixed
    by commit b5442dd701a9eaaf22fb92808fb0ec93f7a9f1e6 of July 2020.
    Vulnerable sys-cluster/pacemaker has been bumped yesterday.
    So the path to stabilization is no longer blocked.
    
    Bug: https://bugs.gentoo.org/704610
    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 profiles/base/package.use.mask |  4 ----
 profiles/package.mask          | 14 --------------
 2 files changed, 18 deletions(-)
Comment 13 NATTkA bot gentoo-dev 2020-11-12 11:21:26 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2020-11-12 11:29:10 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2020-11-12 11:37:56 UTC Comment hidden (obsolete)
Comment 16 John Helmert III gentoo-dev Security 2020-11-12 15:41:50 UTC
Do we need to stabilize the 1.1.x branch too?
Comment 17 NATTkA bot gentoo-dev 2020-11-14 23:41:07 UTC Comment hidden (obsolete)
Comment 18 Larry the Git Cow gentoo-dev 2020-11-17 18:59:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a68d6fc8efca86e21615ab9aa273386e3da72e7b

commit a68d6fc8efca86e21615ab9aa273386e3da72e7b
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-17 18:59:29 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-17 18:59:42 +0000

    sys-cluster/pacemaker: remove 2.0.5_rc1
    
    This version was vulnerable to CVE-2020-25654, so stabilize rc3 instead
    
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 -
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ------------------------
 2 files changed, 79 deletions(-)
Comment 19 Thomas Deutschmann gentoo-dev Security 2020-11-17 20:22:18 UTC
> Traceback (most recent call last):
>   File "/usr/lib/python-exec/python3.7/tatt", line 169, in <module>
>     myJob.packageList = packageFinder.findPackages(response["cf_stabilisation_atoms"], config['arch'], get_repo_dir(config['repodir']), options.bugnum)
>   File "/usr/lib/python3.7/site-packages/tatt/packageFinder.py", line 14, in findPackages
>     output = subprocess.check_output(['nattka', '--repo', repo, 'apply', '-a', arch, '-n', bugnum, '--ignore-sanity-check', '--ignore-dependencies'])
>   File "/usr/lib/python3.7/subprocess.py", line 411, in check_output
>     **kwargs).stdout
>   File "/usr/lib/python3.7/subprocess.py", line 512, in run
>     output=stdout, stderr=stderr)
> subprocess.CalledProcessError: Command '['nattka', '--repo', '/usr/portage/', 'apply', '-a', 'x86', '-n', '711674', '--ignore-sanity-check', '--ignore-dependencies']' returned non-zero exit status 1.
>
Comment 20 Agostino Sarubbo gentoo-dev 2020-11-18 06:55:18 UTC
ppc stable
Comment 21 Sergei Trofimovich (RETIRED) gentoo-dev 2020-11-23 08:21:59 UTC
hppa/ppc64 stable
Comment 22 Thomas Deutschmann gentoo-dev Security 2020-11-25 11:45:20 UTC
sys-cluster/corosync which is required for this package doesn't build, bug 743841.
Comment 23 Marc Schiffbauer gentoo-dev 2020-11-27 21:27:32 UTC
(In reply to Thomas Deutschmann from comment #22)
> sys-cluster/corosync which is required for this package doesn't build, bug
> 743841.

Hi Thomas, thanks for the info, I was not aware of this. I recommend stabilizing sys-cluster/corosync-2.4.5 first then and use that.
Comment 24 Marc Schiffbauer gentoo-dev 2020-12-01 22:16:11 UTC
I added sys-cluster/corosync-2.4.5 to the package list as this is the minimum version in tree which is compatible with sys-cluster/libqb-2.0.1-r1
Comment 25 Larry the Git Cow gentoo-dev 2020-12-04 00:55:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a9a9601046177b2c80702bf4b50541bd6d198f

commit 25a9a9601046177b2c80702bf4b50541bd6d198f
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:54:15 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:07 +0000

    sys-cluster/pacemaker: bump to 1.1.24 final
    
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                                          | 2 +-
 .../pacemaker/{pacemaker-1.1.24_rc1.ebuild => pacemaker-1.1.24.ebuild}  | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f24402dfd6437c52f328fd4f2b4f4412e244ace

commit 8f24402dfd6437c52f328fd4f2b4f4412e244ace
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-12-04 00:51:43 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-12-04 00:55:04 +0000

    sys-cluster/pacemaker: bump to 2.0.5 final
    
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                                          | 2 +-
 .../pacemaker/{pacemaker-2.0.5_rc3.ebuild => pacemaker-2.0.5.ebuild}    | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 26 NATTkA bot gentoo-dev 2020-12-04 00:57:38 UTC Comment hidden (obsolete)
Comment 27 Marc Schiffbauer gentoo-dev 2020-12-04 00:58:39 UTC
Pacemaker 2.0.5 has been released, package list updated
Comment 28 NATTkA bot gentoo-dev 2020-12-04 01:01:13 UTC Comment hidden (obsolete)
Comment 29 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-18 08:50:01 UTC
FWIU, this package has been revived.  Please CC treecleaners again if the new 'maintainer' doesn't cope.
Comment 30 John Helmert III gentoo-dev Security 2021-01-01 22:33:22 UTC
*** Bug 762988 has been marked as a duplicate of this bug. ***
Comment 31 Sam James archtester gentoo-dev Security 2021-01-01 23:29:38 UTC
amd64 done
Comment 32 Ultrabug gentoo-dev 2021-01-08 08:23:40 UTC
pacemaker-1.1.16 dropped from tree, we should be good here
Comment 33 Sam James archtester gentoo-dev Security 2021-01-08 10:31:36 UTC
(In reply to Ultrabug from comment #32)
> pacemaker-1.1.16 dropped from tree, we should be good here

Thanks!
Comment 34 Thomas Deutschmann gentoo-dev Security 2021-02-03 20:19:56 UTC
x86 stable
Comment 35 NATTkA bot gentoo-dev 2021-02-03 20:21:17 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 36 Ultrabug gentoo-dev 2021-02-08 09:20:03 UTC
I dropped <pacemaker-2.0.5; I guess we're good here

I also dropped <corosync-3.1.0 FYI
Comment 37 Andreas K. Hüttel archtester gentoo-dev 2021-03-04 22:58:29 UTC
Not blocking gcc anymore