Bug 27444 - crmsh possible new security issues (including CVE-2020-35459)
Summary: crmsh possible new security issues (including CVE-2020-35459)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-18 00:48 CEST by David Walser
Modified: 2021-01-23 00:51 CET

See Also:
Source RPM: crmsh-3.0.3-2.mga7.src.rpm
CVE: CVE-2020-35459
Status comment:


Comment 1 Aurelien Oudelet 2020-10-19 20:49:57 CEST
Hi, thanks for reporting this bug.
Assigned to the package maintainer; the package belongs to ennael.
All packagers cc'd.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => ennael1
CC: (none) => pkg-bugs

Comment 2 David Walser 2020-10-19 22:29:13 CEST
Anne hasn't been active in packaging for years.

Assignee: ennael1 => pkg-bugs

David Walser 2020-12-27 21:04:43 CET

CC: pkg-bugs => geiger.david68210
Status comment: (none) => Fixed in upstream git in September/October 2020
Whiteboard: (none) => MGA7TOO

Comment 3 Nicolas Lécureuil 2021-01-01 23:00:30 CET
new rpm in cauldron based on latest 4.2.0 git snapshot

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 4 Nicolas Lécureuil 2021-01-01 23:09:50 CET
New rpm in mga7:
src:
    crmsh-4.2.0-0.39d42c2.1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2021-01-01 23:55:58 CET
Build failed, saving advisory for later.

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive
information by default (bsc#1163581).

The crmsh package has been updated to the latest git snapshot, fixing these
issues and several others.

References:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
========================

Updated packages in core/updates_testing:
========================
crmsh-scripts-4.2.0-0.39d42c2.1.mga7
crmsh-test-4.2.0-0.39d42c2.1.mga7
crmsh-4.2.0-0.39d42c2.1.mga7

from crmsh-4.2.0-0.39d42c2.1.mga7.src.rpm

Assignee: qa-bugs => mageia
Status comment: Fixed in upstream git in September/October 2020 => Build failed in Mageia 7

Nicolas Lécureuil 2021-01-02 01:10:18 CET

Status comment: Build failed in Mageia 7 => (none)

Comment 6 David Walser 2021-01-02 01:16:33 CET
Advisory and package list in Comment 5.

Assignee: mageia => qa-bugs

Comment 7 David Walser 2021-01-12 17:25:10 CET
An additional patch needs to be applied to crmsh, see this message:
https://www.openwall.com/lists/oss-security/2021/01/12/3

Summary: crmsh possible new security issues => crmsh possible new security issues (including CVE-2020-35459)
Assignee: qa-bugs => mageia
Status comment: (none) => Patch available to fix CVE-2020-35459
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO

Comment 8 Nicolas Lécureuil 2021-01-12 18:46:49 CET
fix pushed in cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 9 Nicolas Lécureuil 2021-01-12 19:14:56 CET
fix pushed in mageia 7:
src:
    crmsh-4.2.0-0.39d42c2.1.1.mga7

Assignee: mageia => qa-bugs

Comment 10 David Walser 2021-01-12 19:19:45 CET
Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive
information by default (bsc#1163581).

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers
able to call "crm history" (when "crm" is run) were able to execute commands
via shell code injection to the crm history commandline, potentially allowing
escalation of privileges (CVE-2020-25459).

The crmsh package has been updated to the latest git snapshot, fixing these
issues and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35459
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
========================

Updated packages in core/updates_testing:
========================
crmsh-scripts-4.2.0-0.39d42c2.1.1.mga7
crmsh-test-4.2.0-0.39d42c2.1.1.mga7
crmsh-4.2.0-0.39d42c2.1.1.mga7

from crmsh-4.2.0-0.39d42c2.1.1.mga7.src.rpm

Comment 11 David Walser 2021-01-13 19:39:35 CET
(In reply to David Walser from comment #7)
> An additional patch needs to be applied to crmsh, see this message:
> https://www.openwall.com/lists/oss-security/2021/01/12/3

SUSE has issued an advisory for this on January 12:
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008178.html

Comment 12 David Walser 2021-01-15 21:40:44 CET
openSUSE has issued an advisory for this on January 13:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKSUG2OZN3Y2FQVQ55HP5MZIQZXZ5OD6/

Adding reference to the advisory.

Advisory:
========================

Updated crmsh packages fix security vulnerabilities:

The crm configure and hb_report commands failed to sanitize sensitive
information by default (bsc#1163581).

An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers
able to call "crm history" (when "crm" is run) were able to execute commands
via shell code injection to the crm history commandline, potentially allowing
escalation of privileges (CVE-2020-25459).

The crmsh package has been updated to the latest git snapshot and patched for
CVE-2020-25459, fixing these issues and several others.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35459
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00032.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RKSUG2OZN3Y2FQVQ55HP5MZIQZXZ5OD6/

Comment 13 Thomas Andrews 2021-01-20 23:34:16 CET
No installation issues. The original crmsh installation brought in corosync and some other dependencies. Updating the packages brought in those listed above plus a couple of python3 packages.

Crmsh is supposed to be a tool to help with configuration of Pacemaker, so...

Pacemaker already installed for another bug. Attempted to use the procedure in Bug 24691 to configure and start the corosync service, but failed miserably. I'm assuming that's because I misinterpreted the instructions for editing the /etc/corosync/corosync.conf file.

Undeterred, I tried to follow some commands from a link in bug 11724:
http://clusterlabs.org/wiki/Example_configurations

I didn't get very far here, either:

[root@localhost ~]# crm
crm(live/localhost.localdomain)# cib new test-conf
Signon to CIB failed: Transport endpoint is not connected
crm(live/localhost.localdomain)# 

But then, as I look at Bug 11724, I see that Claire didn't get much farther with her test. At least the "crm" command seems to work OK.

That's as far as I can go with this. I'm willing to OK it on a clean install, and the single command that did work. If it needs more, I'll need some help to get there.

CC: (none) => andrewsfarm

Comment 14 Thomas Andrews 2021-01-21 22:23:48 CET
I'm sending this on. Validating. Advisory in Comment 12.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 15 Aurelien Oudelet 2021-01-22 16:37:06 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Source RPM: crmsh-4.1.0-2.mga8.src.rpm => crmsh-3.0.3-2.mga7.src.rpm
Status comment: Patch available to fix CVE-2020-35459 => (none)
Keywords: Triaged => advisory
CVE: (none) => CVE-2020-35459

Comment 16 Mageia Robot 2021-01-23 00:51:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0049.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

