Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 765352 (CVE-2020-35459) - sys-cluster/crmsh: privilege escalation (CVE-2020-35459)
Summary: sys-cluster/crmsh: privilege escalation (CVE-2020-35459)
Alias: CVE-2020-35459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [ebuild?]
Depends on:
Reported: 2021-01-13 22:19 UTC by John Helmert III
Modified: 2021-07-29 18:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-01-13 22:19:32 UTC
CVE-2020-35459 (

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.

Maintainers, I can't find a patch applied to crmsh in Git, so please confirm
if a newer release fixes this issue. There's also a patch at URL which might
work if not.
Comment 1 Ultrabug gentoo-dev 2021-02-08 09:26:46 UTC
I dropped the older versions, only 4.2.1 is left in tree !

Comment 2 Ultrabug gentoo-dev 2021-02-08 09:29:18 UTC
hmm on a second read, it seems that "through" 4.2.1 means that it's also affected right?

There's no higher release yet.
Comment 3 Zdravko Spoljar 2021-02-10 02:31:37 UTC
 # crm node status        
Fatal error:
    No module named 'parallax'

in version 4.2.1. ?
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:24:32 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:33:03 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:40:53 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:49:04 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:04:59 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:13:17 UTC
Package list is empty or all packages have requested keywords.