Bug 22905 - corosync new security issue CVE-2018-1084
Summary: corosync new security issue CVE-2018-1084
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-14 03:36 CEST by David Walser
Modified: 2018-04-21 22:59 CEST (History)
2 users (show)

See Also:
Source RPM: corosync-2.4.3-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-04-14 03:36:01 CEST
Upstream has issued an advisory on April 12:
http://openwall.com/lists/oss-security/2018/04/12/2

The issue is fixed upstream in 2.4.4 and the message above contains a link to the commit that fixed it.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-14 03:36:08 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Shlomi Fish 2018-04-14 10:10:33 CEST
2.4.4 submitted to mga7.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 David Walser 2018-04-14 16:08:53 CEST
Patched version also submitted by Shlomi to fix this for Mageia 6.

Advisory:
========================

Updated corosync packages fix security vulnerability:

An integer overflow leading to an out-of-bound read was found in
authenticate_nss_2_3() in Corosync. An attacker could craft a malicious
packet that would lead to a denial of service (CVE-2018-1084).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1084
http://openwall.com/lists/oss-security/2018/04/12/2
========================

Updated packages in core/updates_testing:
========================
corosync-2.3.5-2.1.mga6
libcorosync4-2.3.5-2.1.mga6
libcorosync-devel-2.3.5-2.1.mga6

from corosync-2.3.5-2.1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 Herman Viaene 2018-04-16 15:24:57 CEST
MGA6-32 on Dell Latitude D600 MATE
No installation issues. left devel out.
This is about "high availability clusters", difficult to apply to this little lappy. Anyway, tried the simpliest commands I found:
$ corosync-blackbox 
/usr/bin/corosync-blackbox: regel 32: corosync-cmapctl: opdracht niet gevonden
/usr/bin/corosync-blackbox: regel 33: corosync-cmapctl: opdracht niet gevonden
/usr/bin/corosync-blackbox: regel 34: qb-blackbox: opdracht niet gevonden
meaning : command not found
Something missing ???
and
# corosync
error   [MAIN  ] Can't read file /etc/corosync/corosync.conf reason = (No such file or directory)
error   [MAIN  ] Corosync Cluster Engine exiting with status 8 at main.c:1208.
File is not there, but a /etc/corosync/corosync.conf.example is, and that needs manual editing to get a valid conf file, according a tutorial I found googling.
Giving up here.

CC: (none) => herman.viaene

Comment 4 David Walser 2018-04-21 22:59:35 CEST
Debian has issued an advisory for this on April 17:
https://www.debian.org/security/2018/dsa-4174

Note You need to log in before you can comment on or make changes to this bug.