Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package corosync for openSUSE:Factory checked in at 2026-04-04 19:05:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/corosync (Old)
 and /work/SRC/openSUSE:Factory/.corosync.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "corosync" Sat Apr 4 19:05:29 2026 rev:85 rq:1344407 version:3.1.10 Changes: -------- --- /work/SRC/openSUSE:Factory/corosync/corosync.changes 2026-01-26 10:56:42.411929411 +0100 +++ /work/SRC/openSUSE:Factory/.corosync.new.21863/corosync.changes 2026-04-04 19:06:55.599917813 +0200 @@ -1,0 +2,6 @@ +Thu Apr 2 06:32:26 UTC 2026 - Nicholas Yang <[email protected]> + +- Add a patch to fix CVE-2026-35091 and CVE-2026-35092 (bsc#1261299)(bsc#1261300) + * 820.patch + +------------------------------------------------------------------- New: ---- 820.patch ----------(New B)---------- New:- Add a patch to fix CVE-2026-35091 and CVE-2026-35092 (bsc#1261299)(bsc#1261300) * 820.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ corosync.spec ++++++ --- /var/tmp/diff_new_pack.ImF8lw/_old 2026-04-04 19:06:56.211942906 +0200 +++ /var/tmp/diff_new_pack.ImF8lw/_new 2026-04-04 19:06:56.215943070 +0200 @@ -40,6 +40,7 @@ Source0: %{name}-%{version}.tar.gz Source1: %{name}.tmpfiles.d.conf Patch0: 0001-harden-services-with-systemd-sandboxing.patch +Patch1: 820.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ 820.patch ++++++ >From d5315f96fa502310d7cf722ca4eb9c9f1a7c844d Mon Sep 17 00:00:00 2001 From: Jan Friesse <[email protected]> Date: Thu, 2 Apr 2026 09:00:39 +0200 Subject: [PATCH 1/2] totemsrp: Return error if sanity check fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously, the check_memb_commit_token_sanity function correctly checked the minimum message length. However, if the message was too short, it incorrectly returned a success code (0) instead of the expected failure code (-1). This commit ensures the appropriate error code is returned when the message length sanity check fails. Fixes: CVE-2026-35091 Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <[email protected]> 
Signed-off-by: Jan Friesse <[email protected]> --- exec/totemsrp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/exec/totemsrp.c b/exec/totemsrp.c index a716ae9fe..372a96d1f 100644 --- a/exec/totemsrp.c +++ b/exec/totemsrp.c @@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( log_printf (instance->totemsrp_log_level_security, "Received memb_commit_token message is too short... ignoring."); - return (0); + return (-1); } - addr_entries= mct_msg->addr_entries; + addr_entries = mct_msg->addr_entries; if (endian_conversion_needed) { addr_entries = swab32(addr_entries); } >From 261a200b6d0b69ddb580a7267f152c163c1f0325 Mon Sep 17 00:00:00 2001 From: Jan Friesse <[email protected]> Date: Thu, 2 Apr 2026 09:44:06 +0200 Subject: [PATCH 2/2] totemsrp: Fix integer overflow in memb_join_sanity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit addresses an integer overflow (wraparound) vulnerability in the check_memb_join_sanity function. Previously, the 32-bit unsigned network values proc_list_entries and failed_list_entries were added together before being promoted to size_t. This allowed the addition to wrap around in 32-bit arithmetic (e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len calculation that was incorrectly small. The solution is to cast the list entries to size_t and verify that neither exceeds the maximum allowed value before the addition occurs. Fixes: CVE-2026-35092 Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <[email protected]> Signed-off-by: Jan Friesse <[email protected]> --- exec/totemsrp.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/exec/totemsrp.c b/exec/totemsrp.c index 372a96d1f..67596911a 100644 --- a/exec/totemsrp.c +++ b/exec/totemsrp.c 
@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( failed_list_entries = swab32(failed_list_entries); } - required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); + if (proc_list_entries > PROCESSOR_COUNT_MAX || + failed_list_entries > PROCESSOR_COUNT_MAX) { + log_printf (instance->totemsrp_log_level_security, + "Received memb_join message list_entries exceeds the maximum " + "allowed value... ignoring."); + + return (-1); + } + + required_len = sizeof(struct memb_join) + + (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); if (msg_len < required_len) { log_printf (instance->totemsrp_log_level_security, "Received memb_join message is too short... ignoring.");
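Review bot: In the corosync.spec hunk, `Patch1: 820.patch` is named only by a number and carries no comment, unlike the descriptive `0001-harden-services-with-systemd-sandboxing.patch` on the line above it. A comment line above Patch1 naming CVE-2026-35091, CVE-2026-35092 and the two bsc references (or a descriptive file name) would tell anyone reading the spec what the patch fixes and when it can be dropped.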
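Review bot: In the check_memb_commit_token_sanity hunk of exec/totemsrp.c (patch 1/2), the `addr_entries= mct_msg->addr_entries;` whitespace cleanup is unrelated to the return-code fix and is better split out, so the CVE-2026-35091 change stays a one-line backport. The visible context also reads and byte-swaps addr_entries immediately after the length check, so it is worth confirming that the code following this hunk bounds that count before using it, in the way patch 2/2 bounds the memb_join counts.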
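Review bot: In the check_memb_join_sanity hunk (patch 2/2), the new rejection message does not say which of proc_list_entries or failed_list_entries was out of range or what value arrived. Logging both counts next to PROCESSOR_COUNT_MAX would make this security-level log entry usable for triage. A short code comment would also help, stating that the bound check is what keeps required_len from wrapping on builds where size_t is 32 bits wide, since the `(size_t)` casts alone do not widen anything there.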
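The wraparound described in the second commit message, as an added stand-alone example (not code from corosync or from the patch author). The `EX_*` sizes and limit and both function names are assumptions made up for the illustration; only the shape of the length calculation follows the hunk.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins, constructed for this example; not corosync's values. */
#define EX_HEADER_LEN 64u   /* plays the role of sizeof(struct memb_join) */
#define EX_ENTRY_LEN  8u    /* plays the role of sizeof(struct srp_addr) */
#define EX_COUNT_MAX  384u  /* plays the role of PROCESSOR_COUNT_MAX */

/* Pre-fix shape: the two counts are summed in 32-bit arithmetic, so the sum
 * can wrap before it is widened. Returns 0 = accept, -1 = reject. */
static int sanity_unchecked(uint32_t proc, uint32_t failed, size_t msg_len)
{
    size_t required_len =
        EX_HEADER_LEN + ((proc + failed) * (size_t)EX_ENTRY_LEN);

    return (msg_len < required_len) ? -1 : 0;
}

/* Post-fix shape: bound each count first, then add in size_t. */
static int sanity_checked(uint32_t proc, uint32_t failed, size_t msg_len)
{
    size_t required_len;

    if (proc > EX_COUNT_MAX || failed > EX_COUNT_MAX) {
        return -1;
    }
    required_len =
        EX_HEADER_LEN + (((size_t)proc + (size_t)failed) * EX_ENTRY_LEN);

    return (msg_len < required_len) ? -1 : 0;
}

int main(void)
{
    /* Constructed input: a header-only message claiming 2^31 entries per list. */
    uint32_t proc = 0x80000000u, failed = 0x80000000u;

    printf("unchecked, wrapped counts: %d\n",
        sanity_unchecked(proc, failed, EX_HEADER_LEN));
    printf("checked, wrapped counts:   %d\n",
        sanity_checked(proc, failed, EX_HEADER_LEN));
    /* A well-formed message with 2 + 1 entries still passes. */
    printf("checked, valid message:    %d\n",
        sanity_checked(2, 1, EX_HEADER_LEN + 3 * EX_ENTRY_LEN));
    return 0;
}
```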
