Bug 751430 (CVE-2020-25654) - <sys-cluster/pacemaker-{1.1.24_rc1,2.0.5_rc2}: ACL restrictions bypass
Status: UNCONFIRMED
Alias: CVE-2020-25654
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Deadline: 2020-12-07
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2020/q4/83
Whiteboard: B1 [glsa?]
Keywords:
Depends on: CVE-2018-16877, CVE-2018-16878, CVE-2019-3885
Blocks:
Reported: 2020-10-27 09:12 UTC by filip ambroz
Modified: 2021-07-29 18:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description filip ambroz 2020-10-27 09:12:48 UTC
An ACL bypass flaw was found in pacemaker. When ACLs are not in use, any user in the haclient group has full access to the configuration, which effectively gives them the ability to run any code as root.

When ACLs are in use, users still must be in the haclient group, but their read and write access to various parts of the configuration is limited by configured ACLs.

The vulnerability is that users may use IPC communication with the various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Comment 1 filip ambroz 2020-10-27 09:21:29 UTC
Patches:
--------

(master branch as of 2020-10-18): https://bugzilla.redhat.com/attachment.cgi?id=1722698&action=diff

(upstream 2.0.4 release): https://bugzilla.redhat.com/attachment.cgi?id=1722699&action=diff

(upstream 2.0.3 release): https://bugzilla.redhat.com/attachment.cgi?id=1722700&action=diff

(upstream 1.1.23 release): https://bugzilla.redhat.com/attachment.cgi?id=1722701&action=diff

Each patch is the same fix, but applicable to different points in the upstream code base (master branch as of this morning, the two most recent upstream releases 2.0.4 and 2.0.3, and the most recent release of the previous upstream major series 1.1.23).
Comment 2 Marc Schiffbauer gentoo-dev 2020-11-10 21:06:37 UTC
Also, the following available versions are not affected, so bumping should be ok:

https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-1.1.24-rc1

Changes since Pacemaker-1.1.23

    Prevent the bypassing of ACLs by direct IPC (CVE-2020-25654)
    [...]


https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-2.0.5-rc2

Changes since Pacemaker-2.0.5-rc1

    Prevent the bypassing of ACLs by direct IPC (CVE-2020-25654)
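
An exposure check for this bug, as an added example that is not code from Gentoo, Pacemaker or any commenter here: it decides whether an installed sys-cluster/pacemaker version falls below the first fixed versions named in the bug summary, and lists the haclient members who can reach the daemons' IPC. The function names are hypothetical, the version parser is a simplified subset of Gentoo version ordering (dotted numbers, one `_suffix`, optional `-rN`), and the sample group line is constructed.

```python
import re

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")

# First fixed version per branch, taken from the bug summary.
FIRST_FIXED = {(1, 1): "1.1.24_rc1", (2, 0): "2.0.5_rc2"}


def version_key(version):
    """Sortable key for a (simplified) Gentoo version string."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = (_SUFFIX_RANK[m.group(2)], int(m.group(3) or 0))
    return (numbers, suffix, int(m.group(4) or 0))


def is_affected(version):
    """True if older than the first fixed version of its branch.

    Returns None for branches the bug summary does not mention."""
    numbers = version_key(version)[0]
    fixed = FIRST_FIXED.get(numbers[:2])
    if fixed is None:
        return None
    return version_key(version) < version_key(fixed)


def haclient_members(group_line):
    """Members listed on a `getent group haclient` line.

    Accounts whose primary group is haclient are not listed there."""
    fields = group_line.strip().split(":")
    if len(fields) != 4 or fields[0] != "haclient":
        raise ValueError("not a haclient group entry")
    return [user for user in fields[3].split(",") if user]


if __name__ == "__main__":
    # Constructed sample input; substitute real `getent` output and versions.
    group_line = "haclient:x:189:alice,bob"
    for v in ("1.1.23", "2.0.4-r1", "2.0.5_rc1", "2.0.5_rc3"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("accounts able to reach IPC:", haclient_members(group_line))
```
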
Comment 3 Larry the Git Cow gentoo-dev 2020-11-10 23:22:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f

commit 3b5d8d7b3e3513fab0c2c7feb10b3a3df929692f
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:21:25 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:25 +0000

    sys-cluster/pacemaker: bump 2.0 version
    
    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc1.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0d50a2d60855edd7408b35062cc596e4fca7a3f1

commit 0d50a2d60855edd7408b35062cc596e4fca7a3f1
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-10 23:19:16 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-10 23:22:21 +0000

    sys-cluster/pacemaker: bump 1.1 version
    
    Bug: https://bugs.gentoo.org/751430
    Bug: https://bugs.gentoo.org/711674
    Closes: https://bugs.gentoo.org/728162
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                     |  1 +
 .../files/pacemaker-1.1.24-python-fixes.patch      | 26 +++++++
 .../files/pacemaker-1.1.24-qa-warnings.patch       | 12 ++++
 sys-cluster/pacemaker/pacemaker-1.1.24_rc1.ebuild  | 80 ++++++++++++++++++++++
 4 files changed, 119 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2020-11-12 11:20:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0275c17207295dced2f8f1d68f357e443a8f2aaa

commit 0275c17207295dced2f8f1d68f357e443a8f2aaa
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-11-12 11:06:28 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-11-12 11:19:48 +0000

    package.mask: Revert last rite of sys-cluster/cluster-glue & revdeps
    
    As discussed with Marc Schiffbauer <mschiff@gentoo.org>.
    This reverts commit f51b83a43a70a06d93851b0fa41f7e6e993e1e6e.
    Bug #704610 of sys-cluster/cluster-glue turned out to be fixed
    by commit b5442dd701a9eaaf22fb92808fb0ec93f7a9f1e6 of July 2020.
    Vulnerable sys-cluster/pacemaker has been bumped yesterday.
    So the path to stabilization is no longer blocked.
    
    Bug: https://bugs.gentoo.org/704610
    Bug: https://bugs.gentoo.org/711674
    Bug: https://bugs.gentoo.org/751430
    
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>

 profiles/base/package.use.mask |  4 ----
 profiles/package.mask          | 14 --------------
 2 files changed, 18 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2020-11-17 18:54:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f074c5ed7ad2d388e27114105dda9a147b5f31d1

commit f074c5ed7ad2d388e27114105dda9a147b5f31d1
Author:     Marc Schiffbauer <mschiff@gentoo.org>
AuthorDate: 2020-11-17 18:54:01 +0000
Commit:     Marc Schiffbauer <mschiff@gentoo.org>
CommitDate: 2020-11-17 18:54:25 +0000

    sys-cluster/pacemaker: bump for CVE-2020-25654
    
    Bug: https://bugs.gentoo.org/751430
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Marc Schiffbauer <mschiff@gentoo.org>

 sys-cluster/pacemaker/Manifest                   |  1 +
 sys-cluster/pacemaker/pacemaker-2.0.5_rc3.ebuild | 78 ++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-18 08:50:00 UTC
FWIU, this package has been revived.  Please CC treecleaners again if the new 'maintainer' doesn't cope.
Comment 7 Ultrabug gentoo-dev 2021-02-08 09:19:18 UTC
I dropped <pacemaker-2.0.5; I guess we're good here
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:25:32 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:41:57 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 18:06:01 UTC
Package list is empty or all packages have requested keywords.