diff -Nru pacemaker-1.1.14/debian/changelog pacemaker-1.1.14/debian/changelog
--- pacemaker-1.1.14/debian/changelog 2016-08-04 15:00:01.000000000 +0000
+++ pacemaker-1.1.14/debian/changelog 2017-06-02 18:10:24.000000000 +0000
@@ -1,3 +1,15 @@
+pacemaker (1.1.14-2ubuntu1.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Improper IPC guarding
+ - debian/patches/CVE-2016-7035.patch: fix logic in lib/common/ipc.c.
+ - CVE-2016-7035
+ * SECURITY UPDATE: denial of service in pacemaker remote
+ - debian/patches/CVE-2016-7797.patch: notify only on completed
+ handshake in lrmd/tls_backend.c.
+ - CVE-2016-7797
+
+ -- Marc Deslauriers Fri, 02 Jun 2017 14:08:57 -0400
+ pacemaker (1.1.14-2ubuntu1.1) xenial; urgency=medium + * add missing dependency to dbus (LP: #1595901)
diff -Nru pacemaker-1.1.14/debian/patches/CVE-2016-7035.patch pacemaker-1.1.14/debian/patches/CVE-2016-7035.patch
--- pacemaker-1.1.14/debian/patches/CVE-2016-7035.patch 1970-01-01 00:00:00.000000000 +0000
+++ pacemaker-1.1.14/debian/patches/CVE-2016-7035.patch 2017-06-02 18:08:47.000000000 +0000
@@ -0,0 +1,75 @@
+From 5d71e65049d143435b03d6b3709d82900f32276f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Pokorn=C3=BD?=
+Date: Thu, 3 Nov 2016 14:43:10 +0100
+Subject: [PATCH] High: libcrmcommon: fix CVE-2016-7035 (improper IPC guarding)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It was discovered that at some not so uncommon circumstances, some
+pacemaker daemons could be talked to, via libqb-facilitated IPC, by
+unprivileged clients due to flawed authorization decision. Depending
+on the capabilities of affected daemons, this might equip unauthorized
+user with local privilege escalation or up to cluster-wide remote
+execution of possibly arbitrary commands when such user happens to
+reside at standard or remote/guest cluster node, respectively.
+
+The original vulnerability was introduced in an attempt to allow
+unprivileged IPC clients to clean up the file system materialized
+leftovers in case the server (otherwise responsible for the lifecycle
+of these files) crashes. While the intended part of such behavior is
+now effectively voided (along with the unintended one), a best-effort
+fix to address this corner case systemically at libqb is coming along
+(https://github.com/ClusterLabs/libqb/pull/231).
+
+Affected versions: 1.1.10-rc1 (2013-04-17) - 1.1.15 (2016-06-21)
+Impact: Important
+CVSSv3 ranking: 8.8 : AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+
+Credits for independent findings, in chronological order:
+ Jan "poki" Pokorný, of Red Hat
+ Alain Moulle, of ATOS/BULL
+---
+ lib/common/ipc.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+Index: pacemaker-1.1.14/lib/common/ipc.c
+===================================================================
+--- pacemaker-1.1.14.orig/lib/common/ipc.c 2017-06-02 14:08:45.127784122 -0400
++++ pacemaker-1.1.14/lib/common/ipc.c 2017-06-02 14:08:45.127784122 -0400
+@@ -287,7 +287,6 @@ crm_client_disconnect_all(qb_ipcs_servic
+ crm_client_t *
+ crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client)
+ {
+- static uid_t uid_server = 0;
+ static gid_t gid_cluster = 0;
+
+ crm_client_t *client = NULL;
+@@ -298,7 +297,6 @@ crm_client_new(qb_ipcs_connection_t * c,
+ }
+
+ if (gid_cluster == 0) {
+- uid_server = getuid();
+ if(crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster) < 0) {
+ static bool have_error = FALSE;
+ if(have_error == FALSE) {
+@@ -308,16 +306,10 @@ crm_client_new(qb_ipcs_connection_t * c,
+ }
+ }
+
+- if(gid_cluster != 0 && gid_client != 0) {
+- uid_t best_uid = -1; /* Passing -1 to chown(2) means don't change */
+-
+- if(uid_client == 0 || uid_server == 0) { /* Someone is priveliged, but the other may not be */
+- best_uid = QB_MAX(uid_client, uid_server);
+- crm_trace("Allowing user %u to clean up after disconnect", best_uid);
+- }
+-
++ if (uid_client != 0) {
+ crm_trace("Giving access to group %u", gid_cluster);
+- qb_ipcs_connection_auth_set(c, best_uid, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
++ /* Passing -1 to chown(2) means don't change */
++ qb_ipcs_connection_auth_set(c, -1, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+ }
+
+ crm_client_init();
diff -Nru pacemaker-1.1.14/debian/patches/CVE-2016-7797.patch
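Review bot: The new guard `if (uid_client != 0)` drops the `gid_cluster != 0` test that the removed condition carried, so when `crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster)` fails (visible in the hunk above, after which gid_cluster keeps its static initial value 0) a non-root client still reaches `qb_ipcs_connection_auth_set(c, -1, gid_cluster, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)` with gid 0 and the trace reads "Giving access to group 0". Presumably libqb applies that as a chown(2)/chmod of the IPC endpoint, as the carried-over comment implies, which would hand group read/write to the root group instead of leaving the server's default ownership alone in precisely the misconfigured case (missing daemon user) where a conservative default matters. I would restore the check as `if (uid_client != 0 && gid_cluster != 0) {` and add a short comment such as `/* lookup of CRM_DAEMON_USER failed above: keep libqb's default owner-only access rather than chgrp to 0 */`. crm_client_new continues past the end of the hunk, so how a failed lookup affects the remainder of the function cannot be seen here.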
pacemaker-1.1.14/debian/patches/CVE-2016-7797.patch
--- pacemaker-1.1.14/debian/patches/CVE-2016-7797.patch 1970-01-01 00:00:00.000000000 +0000
+++ pacemaker-1.1.14/debian/patches/CVE-2016-7797.patch 2017-06-02 18:08:55.000000000 +0000
@@ -0,0 +1,33 @@
+From 5ec24a2642bd0854b884d1a9b51d12371373b410 Mon Sep 17 00:00:00 2001
+From: "Gao,Yan"
+Date: Mon, 22 Feb 2016 18:12:05 +0100
+Subject: [PATCH] Fix: remote: cl#5269 - Notify other clients of a new
+ connection only if the handshake has completed (bsc#967388)
+
+---
+ lrmd/tls_backend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: pacemaker-1.1.14/lrmd/tls_backend.c
+===================================================================
+--- pacemaker-1.1.14.orig/lrmd/tls_backend.c 2017-06-02 14:08:53.055880474 -0400
++++ pacemaker-1.1.14/lrmd/tls_backend.c 2017-06-02 14:08:53.051880425 -0400
+@@ -79,6 +79,9 @@ lrmd_remote_client_msg(gpointer data)
+ g_source_remove(client->remote->auth_timeout);
+ }
+ client->remote->auth_timeout = 0;
++
++ /* Alert other clients of the new connection */
++ notify_of_new_client(client);
+ }
+ return 0;
+ }
+@@ -245,8 +248,6 @@ lrmd_remote_listen(gpointer data)
+ &lrmd_remote_fd_cb);
+ g_hash_table_insert(client_connections, new_client->id, new_client);
+
+- /* Alert other clients of the new connection */
+- notify_of_new_client(new_client);
+ return TRUE;
+ }
+
diff -Nru pacemaker-1.1.14/debian/patches/series pacemaker-1.1.14/debian/patches/series
--- pacemaker-1.1.14/debian/patches/series 2016-03-21 14:10:08.000000000 +0000
+++ pacemaker-1.1.14/debian/patches/series 2017-06-02 18:08:51.000000000 +0000
@@ -10,3 +10,5 @@
 Fix-typo-afer-after.patch
 The-DTD-RNG-and-XSL-files-are-not-executable.patch
 Create-CRM_CORE_DIR-during-installation.patch
+CVE-2016-7035.patch
+CVE-2016-7797.patch
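Review bot: The relocated `notify_of_new_client(client)` in lrmd_remote_client_msg keeps the old comment `/* Alert other clients of the new connection */`, which says nothing about the one property its new position depends on — that it must run only after the handshake has completed — so a later cleanup could move it back to accept time and reopen the issue the changelog files under CVE-2016-7797. I would replace the comment with something like `/* Announce the client only once the handshake has succeeded and the auth timer is cleared; announcing on bare TCP accept let unauthenticated peers trigger this (CVE-2016-7797) */`. The condition guarding this branch and the start of lrmd_remote_client_msg lie outside the hunk, so whether the branch is entered exactly once per connection cannot be confirmed here; if it can run again on later messages, a per-client "already announced" flag would be needed to avoid repeated notifications. Note also that, as the unchanged context in lrmd_remote_listen shows, the not-yet-authenticated client is still inserted into client_connections before any handshake, so anything that iterates that table must continue to tolerate unauthenticated entries.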