mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

corosync: patch CVE-2026-35091

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091

Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])

[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-04-13 20:02:20 +02:00
committed by Khem Raj
parent f58d124eb5
commit 701b22fda3
2 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch
+47
View File
@@ -0,0 +1,47 @@
From b9cb461121c8721c94a94309eb345a3c2f9ee9b4 Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Thu, 2 Apr 2026 09:00:39 +0200
Subject: [PATCH] totemsrp: Return error if sanity check fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, the check_memb_commit_token_sanity function correctly
checked the minimum message length. However, if the message was too
short, it incorrectly returned a success code (0) instead of the
expected failure code (-1).
This commit ensures the appropriate error code is returned when the
message length sanity check fails.
Fixes: CVE-2026-35091
Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
CVE: CVE-2026-35091
Upstream-Status: Backport [https://github.com/corosync/corosync/commit/a16614accfdb3481264d7281843fadf439d9ab1b]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
exec/totemsrp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 35bf971..94d6c21 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
log_printf (instance->totemsrp_log_level_security,
"Received memb_commit_token message is too short... ignoring.");
- return (0);
+ return (-1);
}
- addr_entries= mct_msg->addr_entries;
+ addr_entries = mct_msg->addr_entries;
if (endian_conversion_needed) {
addr_entries = swab32(addr_entries);
}
meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
+1
View File
@@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \
file://corosync.conf \
file://CVE-2026-35091.patch \
"
SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"