Bug 27444

Summary:	crmsh possible new security issues (including CVE-2020-35459)
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, mageia, ouaurelien, sysadmin-bugs
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	crmsh-3.0.3-2.mga7.src.rpm	CVE:	CVE-2020-35459
Status comment:

Description David Walser 2020-10-18 00:48:41 CEST

SUSE and openSUSE have issued advisories on October 15 and 17:
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007579.html
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html

Comment 1 Aurelien Oudelet 2020-10-19 20:49:57 CEST

Hi, thanks for reporting this bug.
Assigned to the package maintainer, belong to ennael.
All packagers cc'd.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => ennael1
CC: (none) => pkg-bugs

Comment 2 David Walser 2020-10-19 22:29:13 CEST

Anne hasn't been active in packaging for years.

Assignee: ennael1 => pkg-bugs

David Walser 2020-12-27 21:04:43 CET

CC: pkg-bugs => geiger.david68210
Status comment: (none) => Fixed in upstream git in September/October 2020
Whiteboard: (none) => MGA7TOO

Comment 3 Nicolas Lécureuil 2021-01-01 23:00:30 CET

new rpm in cauldron based on latest 4.2.0 git snapshot

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 4 Nicolas Lécureuil 2021-01-01 23:09:50 CET

New rpm in mga7:
src:
    crmsh-4.2.0-0.39d42c2.1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2021-01-01 23:55:58 CET

Build failed, saving advisory for later.

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive
information by default (bsc#1163581).

The crmsh package has been updated to the latest git snapshot, fixing these
issues and several others.

References:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
========================

Updated packages in core/updates_testing:
========================
crmsh-scripts-4.2.0-0.39d42c2.1.mga7
crmsh-test-4.2.0-0.39d42c2.1.mga7
crmsh-4.2.0-0.39d42c2.1.mga7

from crmsh-4.2.0-0.39d42c2.1.mga7.src.rpm

Assignee: qa-bugs => mageia
Status comment: Fixed in upstream git in September/October 2020 => Build failed in Mageia 7

Nicolas Lécureuil 2021-01-02 01:10:18 CET

Status comment: Build failed in Mageia 7 => (none)

Comment 6 David Walser 2021-01-02 01:16:33 CET

Advisory and package list in Comment 5.

Assignee: mageia => qa-bugs

Comment 7 David Walser 2021-01-12 17:25:10 CET

An additional patch needs to be applied to crmsh, see this message:
https://www.openwall.com/lists/oss-security/2021/01/12/3

Summary: crmsh possible new security issues => crmsh possible new security issues (including CVE-2020-35459)
Assignee: qa-bugs => mageia
Status comment: (none) => Patch available to fix CVE-2020-35459
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO

Comment 8 Nicolas Lécureuil 2021-01-12 18:46:49 CET

fix pushed in cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 9 Nicolas Lécureuil 2021-01-12 19:14:56 CET

fix pushed in mageia 7:
src:
    crmsh-4.2.0-0.39d42c2.1.1.mga7

Assignee: mageia => qa-bugs

Comment 10 David Walser 2021-01-12 19:19:45 CET

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive
information by default (bsc#1163581).

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers
able to call "crm history" (when "crm" is run) were able to execute commands
via shell code injection to the crm history commandline, potentially allowing
escalation of privileges (CVE-2020-25459).

The crmsh package has been updated to the latest git snapshot, fixing these
issues and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35459
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
========================

Updated packages in core/updates_testing:
========================
crmsh-scripts-4.2.0-0.39d42c2.1.1.mga7
crmsh-test-4.2.0-0.39d42c2.1.1.mga7
crmsh-4.2.0-0.39d42c2.1.1.mga7

from crmsh-4.2.0-0.39d42c2.1.1.mga7.src.rpm

Comment 11 David Walser 2021-01-13 19:39:35 CET

(In reply to David Walser from comment #7)
> An additional patch needs to be applied to crmsh, see this message:
> https://www.openwall.com/lists/oss-security/2021/01/12/3

SUSE has issued an advisory for this on January 12:
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008178.html

Comment 12 David Walser 2021-01-15 21:40:44 CET

openSUSE has issued an advisory for this on January 13:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKSUG2OZN3Y2FQVQ55HP5MZIQZXZ5OD6/

Adding reference to the advisory.

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive
information by default (bsc#1163581).

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers
able to call "crm history" (when "crm" is run) were able to execute commands
via shell code injection to the crm history commandline, potentially allowing
escalation of privileges (CVE-2020-25459).

The crmsh package has been updated to the latest git snapshot and patched for
CVE-2020-25459, fixing these issues and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35459
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKSUG2OZN3Y2FQVQ55HP5MZIQZXZ5OD6/

Comment 13 Thomas Andrews 2021-01-20 23:34:16 CET

No installation issues. The original crmsh installation brought in corosync and some other dependencies. Updating the packages brought in those listed above plus a couple of python3 packages.

Crmsh is supposed to be a tool to help with configuration of Pacemaker, so...

Pacemaker already installed for another bug. Attempted to use the procedure in Bug 24691 to configure and start the corosync service, but failed miserably. I'm assuming that's because I misinterpreted the instructions for editing the /etc/corosync/corosync.conf file.

Undeterred, I tried to follow som commands from a link in bug 11724:
http://clusterlabs.org/wiki/Example_configurations

I didn't get very far here, either:

root@localhost ~]# crm
crm(live/localhost.localdomain)# cib new test-conf
Signon to CIB failed: Transport endpoint is not connected
crm(live/localhost.localdomain)# 

But then, as I look at Bug 11724, I see that Claire didn't get much farther with her test. At least the "crm" command seems to work OK.

That's as far as I can go with this. I'm willing to OK it on a clean install, and the single command that did work. If it needs more, I'll need some help to get there.

CC: (none) => andrewsfarm

Comment 14 Thomas Andrews 2021-01-21 22:23:48 CET

I'm sending this on. Validating. Advisory in Comment 12.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 15 Aurelien Oudelet 2021-01-22 16:37:06 CET

Advisory pushed to SVN.

CC: (none) => ouaurelien
Source RPM: crmsh-4.1.0-2.mga8.src.rpm => crmsh-3.0.3-2.mga7.src.rpm
Status comment: Patch available to fix CVE-2020-35459 => (none)
Keywords: Triaged => advisory
CVE: (none) => CVE-2020-35459

Comment 16 Mageia Robot 2021-01-23 00:51:28 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0049.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED