diff --git a/SOURCES/CVE-2016-7035.patch b/SOURCES/CVE-2016-7035.patch
new file mode 100644
index 0000000..d835e48
--- /dev/null
+++ b/SOURCES/CVE-2016-7035.patch
@@ -0,0 +1,77 @@
+From 07e1f547575096ad8a0a56394d8710488b4ac9ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Pokorn=C3=BD?=
+Date: Tue, 23 Aug 2016 18:09:49 +0200
+Subject: [PATCH] High: libcrmcommon: fix CVE-2016-7035 (improper IPC guarding)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It was discovered that at some not so uncommon circumstances, some
+pacemaker daemons could be talked to, via libqb-facilitated IPC, by
+unprivileged clients due to flawed authorization decision. Depending
+on the capabilities of affected daemons, this might equip unauthorized
+user with local privilege escalation or up to cluster-wide remote
+execution of possibly arbitrary commands when such user happens to
+reside at standard or remote/guest cluster node, respectively.
+
+The original vulnerability was introduced in an attempt to allow
+unprivileged IPC clients to clean up the file system materialized
+leftovers in case the server (otherwise responsible for the lifecycle
+of these files) crashes. While the intended part of such behavior is
+now effectively voided (along with the unintended one), a best-effort
+fix to address this corner case systemically at libqb is coming along.
+
+Affected versions: 1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
+Impact: Important
+CVSSv3 ranking: 7.8 : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+
+Credits for independent findings, in chronological order:
+ Jan "poki" Pokorný, of Red Hat
+ Alain Moulle, of ATOS/BULL
+---
+ lib/common/ipc.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/lib/common/ipc.c b/lib/common/ipc.c
+index 6d6d3cd..9f63dfe 100644
+--- a/lib/common/ipc.c
++++ b/lib/common/ipc.c
+@@ -293,7 +293,6 @@ crm_client_disconnect_all(qb_ipcs_service_t *service)
+ crm_client_t *
+ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
+ {
+- static uid_t uid_server = 0;
+ static gid_t gid_cluster = 0;
+
+ crm_client_t *client = NULL;
+@@ -304,7 +303,6 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
+ }
+
+ if (gid_cluster == 0) {
+- uid_server = getuid();
+ if(crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster) < 0) {
+ static bool have_error = FALSE;
+ if(have_error == FALSE) {
+@@ -314,16 +312,10 @@ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
+ }
+ }
+
+- if(gid_cluster != 0 && gid_client != 0) {
+- uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
+-
+- if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
+- best_uid = QB_MAX(uid_client, uid_server);
+- crm_trace("Allowing user %u to clean up after disconnect", best_uid);
+- }
+-
++ if (uid_client != 0) {
+ crm_trace("Giving access to group %u", gid_cluster);
+- qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
++ /* Passing -1 to chown(2) means don't change */
++ qb_ipcs_connection_auth_set(c, -1, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+ }
+
+ crm_client_init();
+--
+2.4.11
+
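Review bot: The new `if (uid_client != 0)` guard in the last hunk of the embedded ipc.c patch drops the `gid_cluster != 0` condition that the removed block had, so when `crm_user_lookup()` fails (the `gid_cluster == 0` branch above appears to only record an error) `qb_ipcs_connection_auth_set()` is still called with gid 0 and group read/write mode, handing the connection to the root group instead of leaving it untouched. Keeping that part of the old check, `if (gid_cluster != 0 && uid_client != 0) {`, preserves the fix (no uid change for unprivileged clients) while skipping the group grant when the cluster group is unknown. Whether libqb treats gid 0 like -1 as "don't change" is not visible here; if it does not, the guard is worth restoring. The body of crm_client_new continues outside the hunk.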
diff --git a/SOURCES/lrmd-protocol-version.patch b/SOURCES/lrmd-protocol-version.patch
new file mode 100644
index 0000000..65071b6
--- /dev/null
+++ b/SOURCES/lrmd-protocol-version.patch
@@ -0,0 +1,28 @@
+From 8c497bc794e1e6a3ed188a548da771d768cef8f1 Mon Sep 17 00:00:00 2001
+From: Ken Gaillot
+Date: Wed, 26 Oct 2016 11:18:17 -0500
+Subject: [PATCH] Fix: lrmd: undo unnecessary LRMD protocol version change
+
+The change breaks rolling upgrades in a cluster with Pacemaker Remote nodes,
+and was never necessary. This introduces a divergence from upstream that
+will need to be reconciled in the future.
+---
+ include/crm/lrmd.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/crm/lrmd.h b/include/crm/lrmd.h
+index 446b39c..a099315 100644
+--- a/include/crm/lrmd.h
++++ b/include/crm/lrmd.h
+@@ -35,7 +35,7 @@ typedef struct lrmd_key_value_s {
+ struct lrmd_key_value_s *next;
+ } lrmd_key_value_t;
+
+-#define LRMD_PROTOCOL_VERSION "1.1"
++#define LRMD_PROTOCOL_VERSION "1.0"
+
+ /* *INDENT-OFF* */
+ #define DEFAULT_REMOTE_KEY_LOCATION "/etc/pacemaker/authkey"
+--
+1.8.3.1
+
diff --git a/SPECS/pacemaker.spec b/SPECS/pacemaker.spec
index b802f50..f7c18ea 100644
--- a/SPECS/pacemaker.spec
+++ b/SPECS/pacemaker.spec
@@ -83,7 +83,7 @@
 Name: pacemaker
 Summary: Scalable High-Availability cluster resource manager
 Version: %{pcmkversion}
-Release: %{pcmk_release}%{?dist}
+Release: %{pcmk_release}%{?dist}.2
 %if %{defined _unitdir}
 License: GPLv2+ and LGPLv2+
 %else
@@ -96,6 +96,8 @@ Group: System Environment/Daemons
 # eg. https://github.com/ClusterLabs/pacemaker/archive/8ae45302394b039fb098e150f156df29fc0cb576/pacemaker-8ae4530.tar.gz
 Source0: https://github.com/%{github_owner}/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: nagios-agents-metadata-%{nagios_hash}.tar.gz
+
+# upstream commits
 Patch1: 001-makefile-cleanup.patch
 Patch2: 002-build-cleanup.patch
 Patch3: 003-harden-toolchain.patch
@@ -111,6 +113,10 @@ Patch12: 012-invalid-config-loop.patch Patch13: 013-clear-remote-history.patch Patch14: 014-crm_report.patch +# patches that aren't from upstream +Patch100: CVE-2016-7035.patch +Patch101: lrmd-protocol-version.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) AutoReqProv: on Requires: python >= 2.6 @@ -729,6 +735,14 @@ exit 0 %attr(0644,root,root) %{_datadir}/pacemaker/nagios/plugins-metadata/* %changelog +* Wed Oct 26 2016 Ken Gaillot - 1.1.15-11.2 +- Preserve rolling upgrades involving Pacemaker Remote nodes +- Resolves: rhbz#1389023 + +* Fri Oct 21 2016 Ken Gaillot - 1.1.15-11.1 +- Fix CVE-2016-7035 +- Resolves: rhbz#1374776 + * Thu Sep 22 2016 Ken Gaillot - 1.1.15-11 - Sanitize readable CIB output collected by crm_report - Document crm_report --sos-mode option
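Review bot: `Patch100` and `Patch101` are declared in the Patch-list hunk, but no hunk in this diff touches `%prep`; if the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, the two new patches are registered but never applied, and 1.1.15-11.2 would build without the CVE-2016-7035 fix while its changelog says it is fixed. Confirm that `%prep` (outside this diff) applies them, e.g. `%patch100 -p1` and `%patch101 -p1`, or that an auto-apply macro is in use. The `# patches that aren't from upstream` comment is helpful; consider also noting there which commit each patch tracks (the embedded headers carry 07e1f547 and 8c497bc7) so the divergence called out in lrmd-protocol-version.patch is easy to reconcile later.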