mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-11 15:11:26 +00:00
Code Issues Projects Releases Wiki Activity

corosync: upgrade 3.1.9 -> 3.1.10

Browse Source 
CVE-2025-30472.patch
removed since it's included in 3.1.10

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Wang Mingyu
2025-11-18 17:08:18 +08:00
committed by Khem Raj
parent 299eedd640
commit 7915bcecf5
2 changed files with 2 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
meta-networking/recipes-extended/corosync/corosync/CVE-2025-30472.patch
View File

@@ -1,69 +0,0 @@
From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
From: Jan Friesse <jfriesse@redhat.com>
Date: Mon, 24 Mar 2025 12:05:08 +0100
Subject: [PATCH] totemsrp: Check size of orf_token msg
orf_token message is stored into preallocated array on endian convert
so carefully crafted malicious message can lead to crash of corosync.
Solution is to check message size beforehand.
Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
CVE: CVE-2025-30472
Upstream-Status: Backport [https://github.com/corosync/corosync/commits/7839990f9cdf34e55435ed90109e82709032466a]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
exec/totemsrp.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/exec/totemsrp.c b/exec/totemsrp.c
index 962d0e2a..364528ce 100644
--- a/exec/totemsrp.c
+++ b/exec/totemsrp.c
@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
const struct totemsrp_instance *instance,
const void *msg,
size_t msg_len,
+ size_t max_msg_len,
int endian_conversion_needed)
{
int rtr_entries;
const struct orf_token *token = (const struct orf_token *)msg;
size_t required_len;
+ if (msg_len > max_msg_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too long... ignoring.");
+
+ return (-1);
+ }
+
if (msg_len < sizeof(struct orf_token)) {
log_printf (instance->totemsrp_log_level_security,
"Received orf_token message is too short... ignoring.");
@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
rtr_entries = token->rtr_list_entries;
}
+ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message rtr_entries is corrupted... ignoring.");
+
+ return (-1);
+ }
+
required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
if (msg_len < required_len) {
log_printf (instance->totemsrp_log_level_security,
@@ -3868,7 +3883,8 @@ static int message_handler_orf_token (
"Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC);
#endif
- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
+ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
+ endian_conversion_needed) == -1) {
return (0);
}

5
meta-networking/recipes-extended/corosync/corosync_3.1.9.bb → meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
View File

@@ -9,9 +9,8 @@ inherit autotools pkgconfig systemd github-releases
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \
file://corosync.conf \ file://corosync.conf \
file://CVE-2025-30472.patch \ "
" SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8"
SRC_URI[sha256sum] = "203354bbddee1a97b3c50a076eae89c635f406dd674ccaefc94bb9092acd9535"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
LICENSE = "BSD-3-Clause" LICENSE = "BSD-3-Clause"