Bug 22905 - corosync new security issue CVE-2018-1084
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal, Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Reported: 2018-04-14 03:36 CEST by David Walser
Modified: 2018-06-06 20:16 CEST
Source RPM: corosync-2.4.3-1.mga7.src.rpm

Description David Walser 2018-04-14 03:36:01 CEST
Upstream has issued an advisory on April 12:
http://openwall.com/lists/oss-security/2018/04/12/2

The issue is fixed upstream in 2.4.4 and the message above contains a link to the commit that fixed it.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-14 03:36:08 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Shlomi Fish 2018-04-14 10:10:33 CEST
2.4.4 submitted to mga7.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 David Walser 2018-04-14 16:08:53 CEST
Patched version also submitted by Shlomi to fix this for Mageia 6.

Advisory:
========================

Updated corosync packages fix security vulnerability:

An integer overflow leading to an out-of-bound read was found in
authenticate_nss_2_3() in Corosync. An attacker could craft a malicious
packet that would lead to a denial of service (CVE-2018-1084).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1084
http://openwall.com/lists/oss-security/2018/04/12/2
========================

Updated packages in core/updates_testing:
========================
corosync-2.3.5-2.1.mga6
libcorosync4-2.3.5-2.1.mga6
libcorosync-devel-2.3.5-2.1.mga6

from corosync-2.3.5-2.1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 Herman Viaene 2018-04-16 15:24:57 CEST
MGA6-32 on Dell Latitude D600 MATE
No installation issues. Left devel out.
This is about "high availability clusters", difficult to apply to this little lappy. Anyway, tried the simplest commands I found:
$ corosync-blackbox 
/usr/bin/corosync-blackbox: regel 32: corosync-cmapctl: opdracht niet gevonden
/usr/bin/corosync-blackbox: regel 33: corosync-cmapctl: opdracht niet gevonden
/usr/bin/corosync-blackbox: regel 34: qb-blackbox: opdracht niet gevonden
meaning: command not found
Something missing ???
and
# corosync
error   [MAIN  ] Can't read file /etc/corosync/corosync.conf reason = (No such file or directory)
error   [MAIN  ] Corosync Cluster Engine exiting with status 8 at main.c:1208.
File is not there, but a /etc/corosync/corosync.conf.example is, and that needs manual editing to get a valid conf file, according to a tutorial I found googling.
Giving up here.

CC: (none) => herman.viaene

Comment 4 David Walser 2018-04-21 22:59:35 CEST
Debian has issued an advisory for this on April 17:
https://www.debian.org/security/2018/dsa-4174

Comment 5 Lewis Smith 2018-04-23 21:47:50 CEST
Some more background:
 http://corosync.github.io/corosync/
"The Corosync Cluster Engine is a Group Communication System with additional features for implementing high availability within applications."
The FAQ page was last edited 2012, but there are a couple of presentations from 2017, so the software *is* current.
 https://github.com/corosync/corosync/wiki/Archive-quickstart-quide
is less useful than one might hope.
 https://github.com/corosync/corosync/wiki/archive-installing-the-software
says "The best method is to use Corosync as distributed by one of the Linux vendors that distribute Corosync". Up to us.

 $ urpmq -i corosync
This package contains the Corosync Cluster Engine Executive, several default
APIs and libraries, default configuration files, and an init script.
 $ urpmq -l corosync | grep bin/ | sort -u
/usr/bin/corosync-blackbox      [has man page]
/usr/sbin/corosync              [has man page]
/usr/sbin/corosync-cfgtool
/usr/sbin/corosync-cmapctl
/usr/sbin/corosync-cpgtool
/usr/sbin/corosync-keygen
/usr/sbin/corosync-notifyd
/usr/sbin/corosync-quorumtool

Comment 6 Lewis Smith 2018-04-23 22:13:57 CEST
M5/64

BEFORE update:
 corosync-2.3.5-2.mga6
 lib64corosync4-2.3.5-2.mga6

 # corosync -v
Corosync Cluster Engine, version '2.3.5'
Copyright (c) 2006-2009 Red Hat, Inc.
 # corosync -t
error   [MAIN  ] Can't read file /etc/corosync/corosync.conf reason = (No such file or directory)
error   [MAIN  ] Corosync Cluster Engine exiting with status 8 at main.c:1208.
 Nothing relevant in /usr/share/doc/corosync ;
 a couple of scripts in /usr/share/corosync .

 $ ls -l /etc/corosync/
-rw-r--r-- 1 root root 2881 Ion  17  2016 corosync.conf.example
-rw-r--r-- 1 root root  767 Ion  17  2016 corosync.conf.example.udpu
drwxr-xr-x 2 root root 4096 Ion  17  2016 service.d/
drwxr-xr-x 2 root root 4096 Ion  17  2016 uidgid.d/
 Both the first two say "# Please read the corosync.conf.5 manual page"
which is indeed instructive. Tried copying the 2 conf files knocking out '.example' to give:
-rw-r--r-- 1 root root 2881 Ebr  23 22:07 corosync.conf
-rw-r--r-- 1 root root  767 Ebr  23 22:07 corosync.conf.udpu
 and tried again:
# corosync -t
parse error in config: Can't open logfile '/var/log/cluster/corosync.log' for reason: No such file or directory (2).
 which is an advance. Will try more tomorrow, but not optimistic.

Comment 7 Lewis Smith 2018-04-23 22:15:01 CEST
Previous comment should start M6/64, *not* M5.

Comment 8 Lewis Smith 2018-04-24 20:39:41 CEST
M6/64 continued (still before update)

 # ls /var/log       shows:
corosync/
 # ls -l /var/log/corosync/
total 0

Edited /etc/corosync/corosync.conf to:
        logfile: /var/log/corosync/corosync.log
where /corosync/ replaces /cluster/ .

 # corosync -t
No output.
 # corosync
 # ps ax | grep corosync
 8973 ?        Ssl    0:00 corosync
so it is running. Now can try corosync-blackbox.
From its man page:
"corosync-blackbox Trigger corosync to write it's "flight data"  out  to
file and then run qb-blackbox which prints it out."
 # corosync-blackbox
 /usr/bin/corosync-blackbox: line 34: qb-blackbox: command not found
which is consistent. So where is it?
Hence the feedback marker.
 However, in addition to the corosync process:
# ps ax | grep corosync
14213 pts/1    S+     0:00 man corosync-blackbox

Keywords: (none) => feedback

Comment 9 Dave Hodgins 2018-06-06 08:23:35 CEST
Installed corosync, lib64qb0 and lib64corosync4 from core release.
# cp /etc/corosync/corosync.conf.example /etc/corosync/corosync.conf
edit corosync.conf. Change bindnetaddr: based on my ip/netmask. 192.168.0.0
This vb guest is set to ip 192.168.10.114 with a /16 netmask (255.255.0.0).
Note most systems will use a default of a /24 netmask, so with that ip
address the bindnetaddr would be 192.168.10.0

To work with the rest as default config values, created the log dir ...
# mkdir /var/log/cluster

Started the services ...
# systemctl start corosync.service

Created the config file for corosync-notifyd and start it ...
# echo 'OPTIONS=" -l"'>/etc/sysconfig/corosync-notifyd
# systemctl start corosync-notifyd.service

Confirmed with systemctl status that both services are running.
# corosync-blackbox
 /usr/bin/corosync-blackbox: line 34: qb-blackbox: command not found

urpmf shows qb-blackbox is in the devel package. As it's clearly required, it
looks like it should be in the main package, not a devel package. Installing
lib64qb-devel to get around this error.

 corosync-blackbox      
Dumping the contents of /var/lib/corosync/fdata
[debug] shm size:8392717; real_size:8396800; rb->word_size:2099200
[debug] read total of: 8392724
Ringbuffer: 
 ->NORMAL
<snip>
ERROR: qb_rb_chunk_read failed: Connection timed out
[trace] ENTERING qb_rb_close()
[debug] Free'ing ringbuffer: /dev/shm/qb-create_from_file-header

As the services are running, that's as far as I'm going to dig to get this
working for this update.

Installed lib64corosync4 and corosync from updates testing.
# systemctl restart corosync.service 
# systemctl restart corosync-notifyd.service

Confirmed both services restarted ok, and corosync-blackbox output is same
as before the update.

Advisory committed to svn. Validating the update.

Keywords: feedback => advisory, has_procedure, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
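
The bindnetaddr arithmetic from comment 9, as an added example that is not part of any comment in this report: the functions below compute the network address from an interface IP and netmask and compare it with the bindnetaddr value found in a corosync.conf. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report: check that bindnetaddr in a
# corosync.conf is the network address of the interface (IP AND netmask).

# network_addr IP NETMASK -> prints the dotted-quad network address
network_addr() {
    case "$1$2" in *[!0-9.]*) echo "bad address: $1 $2" >&2; return 1;; esac
    old_ifs=$IFS; IFS=.
    set -- $1 $2                      # split both quads into eight octets
    IFS=$old_ifs
    [ $# -eq 8 ] || { echo "need two dotted quads" >&2; return 1; }
    for o in "$@"; do
        case $o in ''|0?*|????*) echo "bad octet: $o" >&2; return 1;; esac
        [ "$o" -le 255 ] || { echo "bad octet: $o" >&2; return 1; }
    done
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# conf_bindnetaddr [FILE] -> first bindnetaddr value (reads stdin if no FILE)
conf_bindnetaddr() {
    sed -n 's/^[[:space:]]*bindnetaddr:[[:space:]]*\([0-9.]*\).*/\1/p' "$@" |
        head -n 1
}

# check_bindnetaddr IP NETMASK [FILE] -> 0 match, 1 mismatch, 2 bad input
check_bindnetaddr() {
    want=$(network_addr "$1" "$2") || return 2
    shift 2
    have=$(conf_bindnetaddr "$@")
    if [ "$have" = "$want" ]; then
        echo "OK: bindnetaddr $have"
    else
        echo "MISMATCH: config has '$have', expected $want"
        return 1
    fi
}

# Constructed sample config using the value chosen in comment 9.
sample_conf() {
    printf '%s\n' 'totem {' '    interface {' \
        '        bindnetaddr: 192.168.0.0' '    }' '}'
}

# Comment 9's guest: 192.168.10.114 with a /16 mask, then the /24 case.
sample_conf | check_bindnetaddr 192.168.10.114 255.255.0.0 || true
sample_conf | check_bindnetaddr 192.168.10.114 255.255.255.0 || true
```

On a test machine, pass the real file as the third argument, for example `check_bindnetaddr 192.168.10.114 255.255.0.0 /etc/corosync/corosync.conf`.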

Comment 10 Mageia Robot 2018-06-06 20:16:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0275.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

