CVE-2020-35459 (http://www.openwall.com/lists/oss-security/2021/01/12/3): An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. Maintainers, I can't find a patch applied to crmsh in Git, so please confirm if a newer release fixes this issue. There's also a patch at URL which might work if not.
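Added illustration, not crmsh's code and not the linked patch: the shell-injection pattern the advisory describes, a user-controlled argument interpolated into a shell command string, beside the hardened argv-list form with an allowlist check. The `node` parameter and the `echo` stand-in for the real tool invocation are assumptions.

```python
import re
import subprocess

# Constructed example of the bug class behind CVE-2020-35459: a CLI
# subcommand forwards a caller-controlled argument to /bin/sh.
# Not crmsh's code; the "node" parameter and helper names are assumptions.

SAFE_NODE_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_node_name(node: str) -> bool:
    """Allowlist check: only characters that can never be shell syntax."""
    return bool(SAFE_NODE_RE.match(node))


def history_vulnerable(node: str) -> str:
    """Vulnerable pattern: argument interpolated into a shell command string.

    Anything after ';' (or inside $(...), backticks, pipes, ...) is parsed
    and executed by the shell as an extra command.
    """
    cmd = f"echo {node}"  # "echo" stands in for the real tool invocation
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def history_argv_only(node: str) -> str:
    """Hardened pattern, step one: argv list, no shell.

    The argument reaches the program as one literal string; metacharacters
    have no meaning because no shell ever parses the line.
    """
    return subprocess.run(["echo", node], capture_output=True, text=True).stdout


def history_hardened(node: str) -> str:
    """Hardened pattern, step two: validate first, then argv list.

    The allowlist is defence in depth for the case where the value later
    reaches a remote shell (e.g. via ssh) that the argv list cannot protect.
    """
    if not is_safe_node_name(node):
        raise ValueError(f"refusing suspicious node name: {node!r}")
    return history_argv_only(node)
```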
I dropped the older versions, only 4.2.1 is left in tree! Thanks
Hmm, on a second read, it seems that "through" 4.2.1 means that it's also affected, right? There's no higher release yet.
# crm node status
Fatal error: No module named 'parallax'

in version 4.2.1. ?
Package list is empty or all packages have requested keywords.
Patches in 4.3.1:
https://github.com/ClusterLabs/crmsh/commit/7f6f8d5b05ba160c3902f7b2ddcbd66de64da207
https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82

These also reference CVE-2021-3020, which is only marked as reserved. The corresponding SUSE bug is also private.
CVE-2021-3020: https://github.com/ClusterLabs/crmsh/commit/c538024b8ebd138dc373b005189471d9b77e9c82

An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allows the hacluster user to invoke certain commands as root (with an attempt to limit this to safe combinations). This user is able to execute an interactive "shell" that isn't limited to the commands specified in hawk_invoke, allowing escalation to root.

I'm not sure how crmsh relates to this.
Sergey, since you reversed the mask, could you offer any commentary on this security bug? If these issues aren't solved, we may as well last rite this for its security problems.
(In reply to John Helmert III from comment #12)
> Sergey, since you reversed the mask, could you offer any commentary on this
> security bug? If these issues aren't solved, we may as well last rite this
> for its security problems.

Older versions of crmsh ship hardcoded values for autoconfiguring root ssh keys and execute commands at root level. Newer versions can do this for a supplied user, instead of root. This is definitely fixed in 4.3.1.

I am working on a version bump (to 4.4.0), but it requires some time, because my test lab is not perfect in terms of speed :-/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c104794da495831ac6c1552091ec95e9a9bbbbca

commit c104794da495831ac6c1552091ec95e9a9bbbbca
Author:     Sergey Popov <pinkbyte@gentoo.org>
AuthorDate: 2023-11-08 10:54:09 +0000
Commit:     Sergey Popov <pinkbyte@gentoo.org>
CommitDate: 2023-11-08 10:58:29 +0000

    sys-cluster/crmsh-4.5.0: version bump

    Signed-off-by: Christian Richter <motzned@gmail.com>
    Signed-off-by: Sergey Popov <pinkbyte@gentoo.org>
    Bug: https://bugs.gentoo.org/765352
    Closes: https://bugs.gentoo.org/864925
    Closes: https://bugs.gentoo.org/897286
    Closes: https://github.com/gentoo/gentoo/pull/27926

 sys-cluster/crmsh/Manifest           |  1 +
 sys-cluster/crmsh/crmsh-4.5.0.ebuild | 46 ++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)