An ACL bypass flaw was found in pacemaker. When ACLs are not in use, any user in the haclient group has full access to the configuration, which effectively gives them the ability to run any code as root. When ACLs are in use, users still must be in the haclient group, but their read and write access to various parts of the configuration is limited by configured ACLs. The vulnerability is that users may use IPC communication with the various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Patches:
--------
(master branch as of 2020-10-18): https://bugzilla.redhat.com/attachment.cgi?id=1722698&action=diff
(upstream 2.0.4 release): https://bugzilla.redhat.com/attachment.cgi?id=1722699&action=diff
(upstream 2.0.3 release): https://bugzilla.redhat.com/attachment.cgi?id=1722700&action=diff
(upstream 1.1.23 release): https://bugzilla.redhat.com/attachment.cgi?id=1722701&action=diff

Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).
Also, the following available versions are not affected, so bumping should be ok:

https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.24-rc1
Changes since Pacemaker-1.1.23
Prevent the bypassing of ACLs by direct IPC (CVE-2020-25654)
[...]

https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-2.0.5-rc2
Changes since Pacemaker-2.0.5-rc1
Prevent the bypassing of ACLs by direct IPC (CVE-2020-25654)
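An added example, not part of the bug report or of Pacemaker itself: a version check that tells whether an installed pacemaker already carries the CVE-2020-25654 fix, using the two first-fixed tags named above (1.1.24-rc1 and 2.0.5-rc2), so that 2.0.5-rc1 is still reported as unfixed. The function names are hypothetical; treating every series newer than 2.0 as fixed is an assumption, and series older than 1.1 are reported as unknown because the report does not cover them.

```python
import re

# First upstream tags the report lists as containing the fix, per release series.
# Tuple layout: (major, minor, patch, release-candidate number).
FIXED = {
    (1, 1): (1, 1, 24, 1),  # Pacemaker-1.1.24-rc1
    (2, 0): (2, 0, 5, 2),   # Pacemaker-2.0.5-rc2
}
FINAL = 10**6  # rc slot for a final release, so it sorts after every rc

# Accepts upstream tags ("Pacemaker-2.0.5-rc2") and ebuild names ("pacemaker-2.0.5_rc3").
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-_.]?rc(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, rc) for the first version found in text."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError("no pacemaker version found in %r" % text)
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    rc = int(match.group(4)) if match.group(4) else FINAL
    return (major, minor, patch, rc)


def has_acl_ipc_fix(text):
    """True if fixed, False if not, None if the series is not covered by the report."""
    version = parse_version(text)
    series = version[:2]
    if series in FIXED:
        return version >= FIXED[series]
    if series > (2, 0):
        return True   # assumption: later series inherit the 2.0.5 fix
    return None       # older than 1.1: the report makes no statement


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    for name in ("pacemaker-1.1.23", "pacemaker-1.1.24_rc1",
                 "pacemaker-2.0.4", "pacemaker-2.0.5_rc1", "pacemaker-2.0.5_rc3"):
        print(name, has_acl_ipc_fix(name))
```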
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f

commit 3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:21:25 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:25 +0000

    sys-cluster/pacemaker: bump 2.0 version

    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d50a2d60855edd7408b35062cc596e4fca7a3f1

commit 0d50a2d60855edd7408b35062cc596e4fca7a3f1
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:19:16 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:21 +0000

    sys-cluster/pacemaker: bump 1.1 version

    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Closes: https://bugs.gentoo.org/728162
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                     |  1 +
 .../files/pacemaker-1.1.24-python-fixes.patch      | 26 +++++++
 .../files/pacemaker-1.1.24-qa-warnings.patch       | 12 ++++
 sys-cluster/pacemaker/pacemaker-1.1.24_rc1.ebuild  | 80 ++++++++++++++++++++++
 4 files changed, 119 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0275c17207295dced2f8f1d68f357e443a8f2aaa

commit 0275c17207295dced2f8f1d68f357e443a8f2aaa
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-11-12 11:06:28 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-11-12 11:19:48 +0000

    package.mask: Revert last rite of sys-cluster/cluster-glue & revdeps

    As discussed with Marc Schiffbauer <mschiff@gentoo.org>.

    This reverts commit f51b83a43a70a06d93851b0fa41f7e6e993e1e6e.

    Bug #704610 of sys-cluster/cluster-glue turned out to be fixed
    by commit b5442dd701a9eaaf22fb92808fb0ec93f7a9f1e6 of July 2020.

    Vulnerable sys-cluster/pacemaker has been bumped yesterday.

    So the path to stabilization is no longer blocked.

    Bug: https://bugs.gentoo.org/704610
    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 profiles/base/package.use.mask |  4 ----
 profiles/package.mask          | 14 --------------
 2 files changed, 18 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f074c5ed7ad2d388e27114105dda9a147b5f31d1

commit f074c5ed7ad2d388e27114105dda9a147b5f31d1
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-17 18:54:01 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-17 18:54:25 +0000

    sys-cluster/pacemaker: bump for CVE-2020-25654

    Bug: https://bugs.gentoo.org/751430
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc3.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
FWIU, this package has been revived. Please CC treecleaners again if the new 'maintainer' doesn't cope.
I dropped <pacemaker-2.0.5; I guess we're good here
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1879b11c680b5a942bb283d62aff5b3aa0b78304

commit 1879b11c680b5a942bb283d62aff5b3aa0b78304
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-29 08:35:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-09-29 08:37:36 +0000

    [ GLSA 202309-09 ] Pacemaker: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202309-09.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)