Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 765352 (CVE-2020-35459) - sys-cluster/crmsh: privilege escalation (CVE-2020-35459)
Summary: sys-cluster/crmsh: privilege escalation (CVE-2020-35459)
Status: CONFIRMED
Alias: CVE-2020-35459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~1 [ebuild?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-13 22:19 UTC by John Helmert III (ajak)
Modified: 2021-02-13 15:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) gentoo-dev Security 2021-01-13 22:19:32 UTC
CVE-2020-35459 (http://www.openwall.com/lists/oss-security/2021/01/12/3):

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges.


Maintainers, I can't find a patch applied to crmsh in Git, so please confirm
if a newer release fixes this issue. There's also a patch at URL which might
work if not.
Comment 1 Ultrabug gentoo-dev 2021-02-08 09:26:46 UTC
I dropped the older versions, only 4.2.1 is left in tree !

Thanks
Comment 2 Ultrabug gentoo-dev 2021-02-08 09:29:18 UTC
hmm on a second read, it seems that "through" 4.2.1 means that it's also affected right?

There's no higher release yet.
Comment 3 Zdravko Spoljar 2021-02-10 02:31:37 UTC
 # crm node status        
Fatal error:
    No module named 'parallax'


in version 4.2.1. ?