On Wed, 24 Apr 2019 17:50:02 +0200 wf...@niif.hu wrote:
> On Mon, 22 Apr 2019 09:07:04 +0200 Salvatore Bonaccorso
> wrote:
>
>>> Please see https://www.openwall.com/lists/oss-security/2019/04/17/1
>>
>> Please note that when fixing the issues, in the original patchsets
>> there were some behaviour regressions; I think they should be addressed
>> in the followups as noted in
>> https://www.openwall.com/lists/oss-security/2019/04/18/2
>
> After several readings of the followup you linked to I think those
> "prior behavioral changes" are the fixes themselves, that is, the more
> thorough authorization checks. Don't you agree?
According to
https://github.com/ClusterLabs/pacemaker/pull/1750#issuecomment-494765240,
those behavioral changes are already addressed in the pull request.
> I proceeded to apply the patches in the pull request to the pacemaker
> quilt queue. Unfortunately they introduce new symbols in libcrmcommon:
> crm_ipc_is_authentic_process and pcmk__ipc_is_authentic_process_active.
> Am I expected to update the libtool version info in light of this?
I left those internal symbols unaccounted for now; just tell me if it needs
adjustment.
As per the previous comment CVE-2019-3885 does not affect 1.1.16 (the
version in stretch), so that patch was left out (you may want to
indicate this in the security tracker). On the other hand three
followup patches fixing two bugs in the security fixes are included
based on
https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html.
Here is the full glorious debdiff:
diff -Nru pacemaker-1.1.16/debian/changelog pacemaker-1.1.16/debian/changelog
--- pacemaker-1.1.16/debian/changelog 2016-12-01 14:15:23.0 +0100
+++ pacemaker-1.1.16/debian/changelog 2019-06-02 08:08:12.0 +0200
@@ -1,3 +1,35 @@
+pacemaker (1.1.16-1+deb9u1) stretch-security; urgency=high
+
+ [ Christoph Berg ]
+ * [d3d1561] Remove myself from Uploaders.
+
+ [ Ferenc Wágner ]
+ * [53a63fc] Backport upstream security fixes from pull request #1749.
+1. CVE-2018-16877: Insufficient local IPC client-server authentication
+ on the client's side can lead to local privesc. A local attacker
+ could use this flaw, and combine it with other IPC weaknesses, to
+ achieve local privilege escalation.
+2. CVE-2018-16878: Insufficient verification inflicted preference of
+ uncontrolled processes can lead to DoS.
+The backported patch bundles were taken from
+
https://src.fedoraproject.org/rpms/pacemaker/c/f48a85ec68e299dfc53655b121e661b7c488ed71?branch=f28:
+- High-pacemakerd-vs.-IPC-procfs-confused-deputy-authentic.patch
+ (fixes CVE-2018-16877 and CVE-2018-16878)
+- Med-controld-fix-possible-NULL-pointer-dereference.patch
+ (fixes an additional problem which is more likely triggerable now that
+ the problems related to CVE-2018-16878 are avoided)
+CVE-2019-3885 does not affect Pacemaker 1.1.16, so
+High-libservices-fix-use-after-free-wrt.-alert-handl.patch is not
+included in this backport.
+Thanks to Jan Pokorný (Closes: #927714)
+ * [fcbaaae] Acknowledge the new symbols
+ * [babde58] Backport three more patches from upstream fixing memory safety
+bugs.
+Clearing up fallout from the preceding security fixes.
+Thanks to Ken Gaillot
+
+ -- Ferenc Wágner Sun, 02 Jun 2019 08:08:12 +0200
+
pacemaker (1.1.16-1) unstable; urgency=medium
* [d90daf5] Refresh our patches
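Review bot: the changelog entry credits "pull request #1749" while the message body points at https://github.com/ClusterLabs/pacemaker/pull/1750; please make sure the number recorded in the changelog is the pull request the patches were actually taken from. Also, as quoted here, the continuation lines from `+1. CVE-2018-16877: Insufficient local IPC client-server authentication` through `+Thanks to Ken Gaillot` start in column one rather than being indented under their `*` items like the rest of the entry; if that is not just an artifact of mail quoting, indent them, since dpkg-parsechangelog treats body lines without leading whitespace as unrecognised lines.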
diff -Nru pacemaker-1.1.16/debian/control pacemaker-1.1.16/debian/control
--- pacemaker-1.1.16/debian/control 2016-12-01 14:14:42.0 +0100
+++ pacemaker-1.1.16/debian/control 2019-05-18 16:41:29.0 +0200
@@ -5,7 +5,6 @@
Uploaders:
Richard B Winters ,
Ferenc Wágner ,
- Christoph Berg ,
Adrian Vondendriesch ,
Build-Depends:
cluster-glue-dev,
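Review bot: removing an Uploaders entry is unrelated to the security fix, and stable security uploads are expected to carry only the minimal change needed; it is harmless to the built packages and is called out in the changelog, but be prepared for the security team to ask that it be dropped from the stretch upload.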
diff -Nru pacemaker-1.1.16/debian/gbp.conf pacemaker-1.1.16/debian/gbp.conf
--- pacemaker-1.1.16/debian/gbp.conf2016-12-01 14:07:08.0 +0100
+++ pacemaker-1.1.16/debian/gbp.conf2019-05-22 11:01:26.0 +0200
@@ -1,15 +1,12 @@
[DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/stretch
upstream-branch = upstream/latest
-debian-tag-msg = Debian release %(version)s
-
-[import-orig]
pristine-tar = True
-[gbp-pq]
+[pq]
patch-numbers = False
-[gbp-dch]
+[dch]
full = True
multimaint-merge = True
id-length = 7
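Review bot: these are packaging-workflow changes with no effect on the built packages, so they are safe in a security upload, but two of them change behaviour beyond the branch rename: dropping the `[import-orig]` header moves `pristine-tar = True` into `[DEFAULT]`, where it applies to every gbp command rather than only to import-orig, and `debian-tag-msg` is removed entirely rather than carried over. Both look intentional; a short mention in the changelog alongside the `debian-branch = debian/stretch` switch would make that clear.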
diff -Nru pacemaker-1.1.16/debian/libcrmcommon3.symbols
pacemaker-1.1.16/debian/libcrmcommon3.symbols
--- pacemaker-1.1.16/debian/libcrmcommon3.symbols 2016-12-01
14:14:42.0 +0100
+++ pacemaker-1.1.16/debian/libcrmcommon3.symbols 2019-05-22
11:56:47.0 +0200
@@ -94,6 +94,7 @@
crm_ipc_default_buffer_size@Base 1.1.11
crm_ipc_destroy@Base 1.1.9
crm_ipc_get_fd@Base 1.1.9
+ crm_ipc_is_authentic_process@Base 1.1.16-1+deb9u1~
crm_ipc_name@Base 1.1.9
crm_ipc_new@Base 1.1.9
crm_ipc_prepare@Base 1.1.9
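Review bot: this hunk records only `crm_ipc_is_authentic_process`, while the message above names a second new symbol, `pcmk__ipc_is_authentic_process_active`; check that it is covered by the later hunk of this file. On the libtool question raised above: adding exported symbols without changing existing ones is backward compatible, so the SONAME does not need to change and a symbols-file update is sufficient; the `1.1.16-1+deb9u1~` version with the trailing `~` is the right convention, as it makes the generated dependency satisfiable by this very upload. The `pcmk__` prefix marks the second symbol as internal to the project, so it is worth confirming that it needs to be in the public symbols file at all rather than being hidden.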
@@ -292,6 +293,7 @@
parse_date@Base 1.1.9
parse_op_key@Base 1.1.9
patch