diff -Nru pacemaker-1.1.14/debian/changelog pacemaker-1.1.14/debian/changelog --- pacemaker-1.1.14/debian/changelog 2019-04-18 13:22:47.000000000 +0000 +++ pacemaker-1.1.14/debian/changelog 2020-10-29 13:06:38.000000000 +0000 @@ -1,3 +1,31 @@ +pacemaker (1.1.14-2ubuntu1.9) xenial-security; urgency=medium + + * SECURITY UPDATE: ACL restrictions bypass + - debian/patches/CVE-2020-25654-*.patch: restrict IPC connections. + - CVE-2020-25654 + + -- Marc Deslauriers Thu, 29 Oct 2020 09:06:38 -0400 + +pacemaker (1.1.14-2ubuntu1.8) xenial; urgency=medium + + * d/p/lp1877280/0001-Fix-attrd-crash-on-exit-if-initialization-fails.patch, + d/p/lp1877280/0002-Fix-attrd-ipc-Prevent-possible-segfault-on-exit.patch: + - avoid segfault on exit (LP: #1877280) + + -- Dan Streetman Thu, 07 May 2020 06:34:35 -0400 + +pacemaker (1.1.14-2ubuntu1.7) xenial; urgency=medium + + [ Victor Tapia ] + * d/p/lp1871166/0001-Fix-libservices-prevent-use-after-free-when-freeing-.patch, + d/p/lp1871166/0002-Fix-libservices-ensure-completed-ops-aren-t-on-block.patch, + d/p/lp1871166/0003-Refactor-libservices-handle-in-flight-case-first-whe.patch, + d/p/lp1871166/0004-Fix-libservices-properly-cancel-in-flight-systemd-up.patch, + d/p/lp1871166/0005-Fix-libservices-properly-detect-in-flight-systemd-up.patch: + - prevent use-after-free segfault (LP: #1871166) + + -- Dan Streetman Mon, 06 Apr 2020 13:37:40 -0400 + pacemaker (1.1.14-2ubuntu1.6) xenial-security; urgency=medium * SECURITY UPDATE: DoS and local privilege escalation in client-server diff -Nru pacemaker-1.1.14/debian/libcrmservice3.symbols pacemaker-1.1.14/debian/libcrmservice3.symbols --- pacemaker-1.1.14/debian/libcrmservice3.symbols 2016-03-21 14:10:08.000000000 +0000 +++ pacemaker-1.1.14/debian/libcrmservice3.symbols 2020-05-07 10:34:35.000000000 +0000 @@ -42,4 +42,5 @@ services_os_action_execute@Base 1.1.13 services_os_get_directory_list@Base 1.1.13 services_set_op_pending@Base 1.1.14~rc4 + services_untrack_op@Base 1.1.14-2ubuntu1.7 systemd_unit_exec_with_unit@Base 1.1.13 diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-1.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-1.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-1.patch 2020-10-29 12:58:29.000000000 +0000 @@ -0,0 +1,192 @@ +Backport of: + +From 23beea9083e61f7cae48f1b76adcc249ab4dea77 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Tue, 27 Mar 2018 15:05:47 -0500 +Subject: [PATCH 1/8] Refactor: lrmd: functionize creating reply + +reduces duplication, and enforces consistency in reply XML and logging +--- + lrmd/lrmd.c | 94 ++++++++++++++++++++++++++----------------------------------- + 1 file changed, 40 insertions(+), 54 deletions(-) + +--- a/lrmd/lrmd.c ++++ b/lrmd/lrmd.c +@@ -371,23 +371,15 @@ schedule_lrmd_cmd(lrmd_rsc_t * rsc, lrmd + } + } + +-static void +-send_reply(crm_client_t * client, int rc, uint32_t id, int call_id) ++static xmlNode * ++create_lrmd_reply(const char *origin, int rc, int call_id) + { +- int send_rc = 0; +- xmlNode *reply = NULL; ++ xmlNode *reply = create_xml_node(NULL, T_LRMD_REPLY); + +- reply = create_xml_node(NULL, T_LRMD_REPLY); +- crm_xml_add(reply, F_LRMD_ORIGIN, __FUNCTION__); ++ crm_xml_add(reply, F_LRMD_ORIGIN, origin); + crm_xml_add_int(reply, F_LRMD_RC, rc); + crm_xml_add_int(reply, F_LRMD_CALLID, call_id); +- +- send_rc = lrmd_server_send_reply(client, id, reply); +- +- free_xml(reply); +- if (send_rc < 0) { +- crm_warn("LRMD reply to %s failed: %d", client->name, send_rc); +- } ++ return reply; + } + + static void +@@ -1371,21 +1363,21 @@ free_rsc(gpointer data) + free(rsc); + } + +-static int +-process_lrmd_signon(crm_client_t * client, uint32_t id, xmlNode * request) ++static xmlNode * ++process_lrmd_signon(crm_client_t * client, xmlNode *request, int call_id) + { +- xmlNode *reply = create_xml_node(NULL, "reply"); ++ xmlNode *reply = NULL; ++ int rc = pcmk_ok; + const char *is_ipc_provider = crm_element_value(request, F_LRMD_IS_IPC_PROVIDER); + const char *protocol_version = crm_element_value(request, F_LRMD_PROTOCOL_VERSION); + + if (safe_str_neq(protocol_version, LRMD_PROTOCOL_VERSION)) { +- crm_xml_add_int(reply, F_LRMD_RC, -EPROTO); +- crm_xml_add(reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION); ++ rc = -EPROTO; + } + ++ reply = create_lrmd_reply(__FUNCTION__, rc, call_id); + crm_xml_add(reply, F_LRMD_OPERATION, CRM_OP_REGISTER); + crm_xml_add(reply, F_LRMD_CLIENTID, client->id); +- lrmd_server_send_reply(client, id, reply); + + if (crm_is_true(is_ipc_provider)) { + /* this is a remote connection from a cluster nodes crmd */ +@@ -1393,9 +1385,7 @@ process_lrmd_signon(crm_client_t * clien + ipc_proxy_add_provider(client); + #endif + } +- +- free_xml(reply); +- return pcmk_ok; ++ return reply; + } + + static int +@@ -1423,52 +1413,34 @@ process_lrmd_rsc_register(crm_client_t * + return rc; + } + +-static void +-process_lrmd_get_rsc_info(crm_client_t * client, uint32_t id, xmlNode * request) ++static xmlNode * ++process_lrmd_get_rsc_info(xmlNode *request, int call_id) + { + int rc = pcmk_ok; +- int send_rc = 0; +- int call_id = 0; + xmlNode *rsc_xml = get_xpath_object("//" F_LRMD_RSC, request, LOG_ERR); + const char *rsc_id = crm_element_value(rsc_xml, F_LRMD_RSC_ID); + xmlNode *reply = NULL; + lrmd_rsc_t *rsc = NULL; + +- crm_element_value_int(request, F_LRMD_CALLID, &call_id); +- +- if (!rsc_id) { +- rc = -ENODEV; +- goto get_rsc_done; +- } +- +- if (!(rsc = g_hash_table_lookup(rsc_list, rsc_id))) { +- crm_info("Resource '%s' not found (%d active resources)", +- rsc_id, g_hash_table_size(rsc_list)); ++ if (rsc_id == NULL) { + rc = -ENODEV; +- goto get_rsc_done; ++ } else { ++ rsc = g_hash_table_lookup(rsc_list, rsc_id); ++ if (rsc == NULL) { ++ crm_info("Resource '%s' not found (%d active resources)", ++ rsc_id, g_hash_table_size(rsc_list)); ++ rc = -ENODEV; ++ } + } + +- get_rsc_done: +- +- reply = create_xml_node(NULL, T_LRMD_REPLY); +- crm_xml_add(reply, F_LRMD_ORIGIN, __FUNCTION__); +- crm_xml_add_int(reply, F_LRMD_RC, rc); +- crm_xml_add_int(reply, F_LRMD_CALLID, call_id); +- ++ reply = create_lrmd_reply(__FUNCTION__, rc, call_id); + if (rsc) { + crm_xml_add(reply, F_LRMD_RSC_ID, rsc->rsc_id); + crm_xml_add(reply, F_LRMD_CLASS, rsc->class); + crm_xml_add(reply, F_LRMD_PROVIDER, rsc->provider); + crm_xml_add(reply, F_LRMD_TYPE, rsc->type); + } +- +- send_rc = lrmd_server_send_reply(client, id, reply); +- +- if (send_rc < 0) { +- crm_warn("LRMD reply to %s failed: %d", client->name, send_rc); +- } +- +- free_xml(reply); ++ return reply; + } + + static int +@@ -1648,6 +1620,7 @@ process_lrmd_message(crm_client_t * clie + const char *op = crm_element_value(request, F_LRMD_OPERATION); + int do_reply = 0; + int do_notify = 0; ++ xmlNode *reply = NULL; + + crm_trace("Processing %s operation from %s", op, client->id); + crm_element_value_int(request, F_LRMD_CALLID, &call_id); +@@ -1658,13 +1631,15 @@ process_lrmd_message(crm_client_t * clie + #endif + do_reply = 1; + } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) { +- rc = process_lrmd_signon(client, id, request); ++ reply = process_lrmd_signon(client, request, call_id); ++ do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) { + rc = process_lrmd_rsc_register(client, id, request); + do_notify = 1; + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_INFO, TRUE)) { +- process_lrmd_get_rsc_info(client, id, request); ++ reply = process_lrmd_get_rsc_info(request, call_id); ++ do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_UNREG, TRUE)) { + rc = process_lrmd_rsc_unregister(client, id, request); + /* don't notify anyone about failed un-registers */ +@@ -1692,7 +1667,17 @@ process_lrmd_message(crm_client_t * clie + op, client->id, rc, do_reply, do_notify, exit); + + if (do_reply) { +- send_reply(client, rc, id, call_id); ++ int send_rc = pcmk_ok; ++ ++ if (reply == NULL) { ++ reply = create_lrmd_reply(__FUNCTION__, rc, call_id); ++ } ++ send_rc = lrmd_server_send_reply(client, id, reply); ++ free_xml(reply); ++ if (send_rc < 0) { ++ crm_warn("Reply to client %s failed: %s " CRM_XS " %d", ++ client->name, pcmk_strerror(send_rc), send_rc); ++ } + } + + if (do_notify) { diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-2.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-2.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-2.patch 2020-10-29 13:00:49.000000000 +0000 @@ -0,0 +1,64 @@ +Backport of: + +From 3e0d13bb6745ec54c6da2eff591460b19f320522 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Fri, 9 Oct 2020 09:56:03 -0500 +Subject: [PATCH 2/8] Log: executor: show CRM_OP_REGISTER rc in debug message + +Previously, process_lrmd_signon() would add the rc to the client reply +but not pass it back to process_lrmd_message(), which would always log "OK" in +its debug message, even if the sign-on was rejected. +--- + lrmd/lrmd.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/lrmd/lrmd.c ++++ b/lrmd/lrmd.c +@@ -1363,10 +1363,10 @@ free_rsc(gpointer data) + free(rsc); + } + +-static xmlNode * +-process_lrmd_signon(crm_client_t * client, xmlNode *request, int call_id) ++static int ++process_lrmd_signon(crm_client_t * client, xmlNode *request, int call_id, ++ xmlNode **reply) + { +- xmlNode *reply = NULL; + int rc = pcmk_ok; + const char *is_ipc_provider = crm_element_value(request, F_LRMD_IS_IPC_PROVIDER); + const char *protocol_version = crm_element_value(request, F_LRMD_PROTOCOL_VERSION); +@@ -1375,17 +1375,19 @@ process_lrmd_signon(crm_client_t * clien + rc = -EPROTO; + } + +- reply = create_lrmd_reply(__FUNCTION__, rc, call_id); +- crm_xml_add(reply, F_LRMD_OPERATION, CRM_OP_REGISTER); +- crm_xml_add(reply, F_LRMD_CLIENTID, client->id); +- + if (crm_is_true(is_ipc_provider)) { + /* this is a remote connection from a cluster nodes crmd */ + #ifdef SUPPORT_REMOTE + ipc_proxy_add_provider(client); + #endif + } +- return reply; ++ ++ *reply = create_lrmd_reply(__func__, rc, call_id); ++ crm_xml_add(*reply, F_LRMD_OPERATION, CRM_OP_REGISTER); ++ crm_xml_add(*reply, F_LRMD_CLIENTID, client->id); ++ crm_xml_add(*reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION); ++ ++ return rc; + } + + static int +@@ -1631,7 +1633,7 @@ process_lrmd_message(crm_client_t * clie + #endif + do_reply = 1; + } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) { +- reply = process_lrmd_signon(client, request, call_id); ++ rc = process_lrmd_signon(client, request, call_id, &reply); + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) { + rc = process_lrmd_rsc_register(client, id, request); diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-3.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-3.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-3.patch 2020-10-29 13:01:06.000000000 +0000 @@ -0,0 +1,32 @@ +Backport of: + +From 878d80a007c6110287e07d8b6a18259c74e41c48 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Fri, 9 Oct 2020 15:16:39 -0500 +Subject: [PATCH 3/8] Low: executor: mark controller connections to + pacemaker-remoted as privileged + +Previously, crm_client_flag_ipc_privileged was only set when local clients connected +(as root or hacluster). Now, set it when pacemaker-remoted successfully +completes the TLS handshake with a remote client (i.e., the controller on a +cluster node). + +This has no effect as of this commit but will with later commits. +--- + lrmd/tls_backend.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/lrmd/tls_backend.c ++++ b/lrmd/tls_backend.c +@@ -80,6 +80,11 @@ lrmd_remote_client_msg(gpointer data) + } + client->remote->auth_timeout = 0; + ++ /* Only a client with access to the TLS key can connect, so we can treat ++ * it as privileged. ++ */ ++ set_bit(client->flags, crm_client_flag_ipc_privileged); ++ + /* Alert other clients of the new connection */ + notify_of_new_client(client); + } diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-4.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-4.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-4.patch 2020-10-29 13:01:13.000000000 +0000 @@ -0,0 +1,34 @@ +From 7eff6997995ba09afa85c7eef78ae30834daa38a Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Thu, 15 Oct 2020 15:33:13 -0500 +Subject: [PATCH 4/8] Low: executor: return appropriate error code when no + remote support + +--- + lrmd/lrmd.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/lrmd/lrmd.c ++++ b/lrmd/lrmd.c +@@ -1376,9 +1376,11 @@ process_lrmd_signon(crm_client_t * clien + } + + if (crm_is_true(is_ipc_provider)) { +- /* this is a remote connection from a cluster nodes crmd */ + #ifdef SUPPORT_REMOTE ++ // This is a remote connection from a cluster node's controller + ipc_proxy_add_provider(client); ++#else ++ rc = -EPROTONOSUPPORT; + #endif + } + +@@ -1630,6 +1632,8 @@ process_lrmd_message(crm_client_t * clie + if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) { + #ifdef SUPPORT_REMOTE + ipc_proxy_forward_client(client, request); ++#else ++ rc = -EPROTONOSUPPORT; + #endif + do_reply = 1; + } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) { diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-5.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-5.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-5.patch 2020-10-29 13:04:06.000000000 +0000 @@ -0,0 +1,134 @@ +Backport of: + +From b16aa136e7e835d5947a9b4c0078cc84e8013b83 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Thu, 15 Oct 2020 15:33:57 -0500 +Subject: [PATCH 5/8] High: executor: restrict certain IPC requests to + Pacemaker daemons + +The executor IPC API allows clients to register resources, request agent +execution, and so forth. + +If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs and +execute any code as root. (If ACLs are not enabled, users in the haclient group +have full access to the CIB, which already gives them that ability, so there is +no additional exposure in that case.) + +When ACLs are supported, this commit effectively disables the executor IPC API +for clients that aren't connecting as root or hacluster. Such clients can only +register and poke now. +--- + lrmd/lrmd.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 68 insertions(+), 17 deletions(-) + +--- a/lrmd/lrmd.c ++++ b/lrmd/lrmd.c +@@ -1377,8 +1377,12 @@ process_lrmd_signon(crm_client_t * clien + + if (crm_is_true(is_ipc_provider)) { + #ifdef SUPPORT_REMOTE +- // This is a remote connection from a cluster node's controller +- ipc_proxy_add_provider(client); ++ if ((client->remote != NULL) && client->remote->tls_handshake_complete) { ++ // This is a remote connection from a cluster node's controller ++ ipc_proxy_add_provider(client); ++ } else { ++ rc = -EACCES; ++ } + #else + rc = -EPROTONOSUPPORT; + #endif +@@ -1626,12 +1630,26 @@ process_lrmd_message(crm_client_t * clie + int do_notify = 0; + xmlNode *reply = NULL; + ++ bool allowed = true; ++ ++#if ENABLE_ACL ++ /* Certain IPC commands may be done only by privileged users (i.e. root or ++ * hacluster) when ACLs are enabled, because they would otherwise provide a ++ * means of bypassing ACLs. ++ */ ++ allowed = is_set(client->flags, crm_client_flag_ipc_privileged); ++#endif ++ + crm_trace("Processing %s operation from %s", op, client->id); + crm_element_value_int(request, F_LRMD_CALLID, &call_id); + + if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) { + #ifdef SUPPORT_REMOTE +- ipc_proxy_forward_client(client, request); ++ if (allowed) { ++ ipc_proxy_forward_client(client, request); ++ } else { ++ rc = -EACCES; ++ } + #else + rc = -EPROTONOSUPPORT; + #endif +@@ -1640,24 +1658,44 @@ process_lrmd_message(crm_client_t * clie + rc = process_lrmd_signon(client, request, call_id, &reply); + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) { +- rc = process_lrmd_rsc_register(client, id, request); +- do_notify = 1; ++ if (allowed) { ++ rc = process_lrmd_rsc_register(client, id, request); ++ do_notify = 1; ++ } else { ++ rc = -EACCES; ++ } + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_INFO, TRUE)) { +- reply = process_lrmd_get_rsc_info(request, call_id); ++ if (allowed) { ++ reply = process_lrmd_get_rsc_info(request, call_id); ++ } else { ++ rc = -EACCES; ++ } + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_UNREG, TRUE)) { +- rc = process_lrmd_rsc_unregister(client, id, request); +- /* don't notify anyone about failed un-registers */ +- if (rc == pcmk_ok || rc == -EINPROGRESS) { +- do_notify = 1; ++ if (allowed) { ++ rc = process_lrmd_rsc_unregister(client, id, request); ++ /* don't notify anyone about failed un-registers */ ++ if (rc == pcmk_ok || rc == -EINPROGRESS) { ++ do_notify = 1; ++ } ++ } else { ++ rc = -EACCES; + } + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_EXEC, TRUE)) { +- rc = process_lrmd_rsc_exec(client, id, request); ++ if (allowed) { ++ rc = process_lrmd_rsc_exec(client, id, request); ++ } else { ++ rc = -EACCES; ++ } + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_RSC_CANCEL, TRUE)) { +- rc = process_lrmd_rsc_cancel(client, id, request); ++ if (allowed) { ++ rc = process_lrmd_rsc_cancel(client, id, request); ++ } else { ++ rc = -EACCES; ++ } + do_reply = 1; + } else if (crm_str_eq(op, LRMD_OP_POKE, TRUE)) { + do_notify = 1; +@@ -1669,6 +1707,11 @@ process_lrmd_message(crm_client_t * clie + crm_log_xml_warn(request, "UnknownOp"); + } + ++ if (rc == -EACCES) { ++ crm_warn("Rejecting IPC request '%s' from unprivileged client %s", ++ op, crm_client_name(client)); ++ } ++ + crm_debug("Processed %s operation from %s: rc=%d, reply=%d, notify=%d, exit=%d", + op, client->id, rc, do_reply, do_notify, exit); + diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-6.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-6.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-6.patch 2020-10-29 13:04:23.000000000 +0000 @@ -0,0 +1,26 @@ +From 3b71b8027fc6b5bde2dbb6d8ff7c23703cf5ad49 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Fri, 9 Oct 2020 11:16:43 -0500 +Subject: [PATCH 6/8] Low: pacemakerd: check client for NULL before using it + +... to guard against bugs in client tracking +--- + mcp/pacemaker.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mcp/pacemaker.c ++++ b/mcp/pacemaker.c +@@ -552,9 +552,12 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * + uint32_t id = 0; + uint32_t flags = 0; + const char *task = NULL; ++ xmlNode *msg = NULL; + crm_client_t *c = crm_client_get(qbc); +- xmlNode *msg = crm_ipcs_recv(c, data, size, &id, &flags); + ++ CRM_CHECK(c != NULL, return 0); ++ ++ msg = crm_ipcs_recv(c, data, size, &id, &flags); + crm_ipcs_send_ack(c, id, flags, "ack", __FUNCTION__, __LINE__); + if (msg == NULL) { + return 0; diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-7.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-7.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-7.patch 2020-10-29 13:04:28.000000000 +0000 @@ -0,0 +1,51 @@ +From 8e81dca1f505001de043a64f826df4eb71798951 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Fri, 9 Oct 2020 11:17:18 -0500 +Subject: [PATCH 7/8] High: pacemakerd: ignore shutdown requests from + unprivileged users + +The pacemakerd IPC API supports a shutdown request, along with a +command-line interface for using it (pacemakerd --shutdown). + +Only the haclient group has access to the IPC. Without ACLs, that group can +already shut down Pacemaker via the CIB, so there's no security implication. + +However, it might not be desired to allow ACL-restricted users to shut down +Pacemaker, so block users other than root or hacluster if ACLs are supported. +--- + mcp/pacemaker.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/mcp/pacemaker.c ++++ b/mcp/pacemaker.c +@@ -565,10 +565,26 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * + + task = crm_element_value(msg, F_CRM_TASK); + if (crm_str_eq(task, CRM_OP_QUIT, TRUE)) { +- /* Time to quit */ +- crm_notice("Shutting down in response to ticket %s (%s)", +- crm_element_value(msg, F_CRM_REFERENCE), crm_element_value(msg, F_CRM_ORIGIN)); +- pcmk_shutdown(15); ++ bool allowed = true; ++ ++#if ENABLE_ACL ++ /* Only allow privileged users (i.e. root or hacluster) ++ * to shut down Pacemaker from the command line (or direct IPC). ++ * ++ * We only check when ACLs are enabled, because without them, any client ++ * with IPC access could shut down Pacemaker via the CIB anyway. ++ */ ++ allowed = is_set(c->flags, crm_client_flag_ipc_privileged); ++#endif ++ if (allowed) { ++ crm_notice("Shutting down in response to IPC request %s from %s", ++ crm_element_value(msg, F_CRM_REFERENCE), ++ crm_element_value(msg, F_CRM_ORIGIN)); ++ pcmk_shutdown(15); ++ } else { ++ crm_warn("Ignoring shutdown request from unprivileged client %s", ++ crm_client_name(c)); ++ } + + } else if (crm_str_eq(task, CRM_OP_RM_NODE_CACHE, TRUE)) { + /* Send to everyone */ diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-8.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-8.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-8.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-8.patch 2020-10-29 13:06:26.000000000 +0000 @@ -0,0 +1,107 @@ +Backport of: + +From 1e0db7e36788b94202d050b6c52ad74abb55b382 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Fri, 9 Oct 2020 11:55:26 -0500 +Subject: [PATCH 8/8] Fix: fencer: restrict certain IPC requests to privileged + users + +The fencer IPC API allows clients to register fence devices. + +If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs to +configure fencing. If the user is able to install executables to the standard +fencing agent locations, have arbitrary code executed as root (the standard +locations generally require root for write access, so that is unlikely to be an +issue). + +If ACLs are not enabled, users in the haclient group have full access to the +CIB, which already gives them these capabilities, so there is no additional +exposure in that case. + +This commit does not restrict unprivileged users from using other fencing API, +such as requesting actual fencing. +--- + fencing/commands.c | 41 +++++++++++++++++++++++++++++++++++++---- + 1 file changed, 37 insertions(+), 4 deletions(-) + +--- a/fencing/commands.c ++++ b/fencing/commands.c +@@ -2271,6 +2271,18 @@ handle_request(crm_client_t * client, ui + const char *op = crm_element_value(request, F_STONITH_OPERATION); + const char *client_id = crm_element_value(request, F_STONITH_CLIENTID); + ++ bool allowed = true; ++ ++#if ENABLE_ACL ++ /* IPC commands related to fencing configuration may be done only by ++ * privileged users (i.e. root or hacluster) when ACLs are supported, ++ * because all other users should go through the CIB to have ACLs applied. ++ */ ++ if (client != NULL) { ++ allowed = is_set(client->flags, crm_client_flag_ipc_privileged); ++ } ++#endif ++ + crm_element_value_int(request, F_STONITH_CALLOPTS, &call_options); + + if (is_set(call_options, st_opt_sync_call)) { +@@ -2413,27 +2425,43 @@ handle_request(crm_client_t * client, ui + } else if (crm_str_eq(op, STONITH_OP_DEVICE_ADD, TRUE)) { + const char *id = NULL; + +- rc = stonith_device_register(request, &id, FALSE); ++ if (allowed) { ++ rc = stonith_device_register(request, &id, FALSE); ++ } else { ++ rc = -EACCES; ++ } + do_stonith_notify_device(call_options, op, rc, id); + + } else if (crm_str_eq(op, STONITH_OP_DEVICE_DEL, TRUE)) { + xmlNode *dev = get_xpath_object("//" F_STONITH_DEVICE, request, LOG_ERR); + const char *id = crm_element_value(dev, XML_ATTR_ID); + +- rc = stonith_device_remove(id, FALSE); ++ if (allowed) { ++ rc = stonith_device_remove(id, FALSE); ++ } else { ++ rc = -EACCES; ++ } + do_stonith_notify_device(call_options, op, rc, id); + + } else if (crm_str_eq(op, STONITH_OP_LEVEL_ADD, TRUE)) { + char *id = NULL; + +- rc = stonith_level_register(request, &id); ++ if (allowed) { ++ rc = stonith_level_register(request, &id); ++ } else { ++ rc = -EACCES; ++ } + do_stonith_notify_level(call_options, op, rc, id); + free(id); + + } else if (crm_str_eq(op, STONITH_OP_LEVEL_DEL, TRUE)) { + char *id = NULL; + +- rc = stonith_level_remove(request, &id); ++ if (allowed) { ++ rc = stonith_level_remove(request, &id); ++ } else { ++ rc = -EACCES; ++ } + do_stonith_notify_level(call_options, op, rc, id); + + } else if (crm_str_eq(op, STONITH_OP_CONFIRM, TRUE)) { +@@ -2464,6 +2492,11 @@ handle_request(crm_client_t * client, ui + + done: + ++ if (rc == -EACCES) { ++ crm_warn("Rejecting IPC request '%s' from unprivileged client %s", ++ crm_str(op), crm_client_name(client)); ++ } ++ + /* Always reply unless the request is in process still. + * If in progress, a reply will happen async after the request + * processing is finished */ diff -Nru pacemaker-1.1.14/debian/patches/CVE-2020-25654-pre1.patch pacemaker-1.1.14/debian/patches/CVE-2020-25654-pre1.patch --- pacemaker-1.1.14/debian/patches/CVE-2020-25654-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/CVE-2020-25654-pre1.patch 2020-10-29 13:31:32.000000000 +0000 @@ -0,0 +1,62 @@ +From ae780515cd4db1e6f23db9f75a628ce9c39bdd49 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Fri, 9 Jun 2017 12:35:36 -0500 +Subject: [PATCH] Refactor: libcrmcommon: remember when IPC client is root or + cluster user + +will allow using a different eviction threshold +--- + include/crm/common/ipcs.h | 3 ++- + lib/common/ipc.c | 13 ++++++++++--- + 2 files changed, 12 insertions(+), 4 deletions(-) + +--- a/include/crm/common/ipcs.h ++++ b/include/crm/common/ipcs.h +@@ -60,7 +60,8 @@ struct crm_remote_s { + + enum crm_client_flags + { +- crm_client_flag_ipc_proxied = 0x00001, /* ipc_proxy code only */ ++ crm_client_flag_ipc_proxied = 0x00001, /* ipc_proxy code only */ ++ crm_client_flag_ipc_privileged = 0x00002, /* root or cluster user */ + }; + + struct crm_client_s { +--- a/lib/common/ipc.c ++++ b/lib/common/ipc.c +@@ -297,6 +297,7 @@ crm_client_disconnect_all(qb_ipcs_servic + crm_client_t * + crm_client_new(qb_ipcs_connection_t * c, uid_t uid_client, gid_t gid_client) + { ++ static gid_t uid_cluster = 0; + static gid_t gid_cluster = 0; + + crm_client_t *client = NULL; +@@ -306,11 +307,12 @@ crm_client_new(qb_ipcs_connection_t * c, + return NULL; + } + +- if (gid_cluster == 0) { +- if(crm_user_lookup(CRM_DAEMON_USER, NULL, &gid_cluster) < 0) { ++ if (uid_cluster == 0) { ++ if (crm_user_lookup(CRM_DAEMON_USER, &uid_cluster, &gid_cluster) < 0) { + static bool have_error = FALSE; + if(have_error == FALSE) { +- crm_warn("Could not find group for user %s", CRM_DAEMON_USER); ++ crm_warn("Could not find user and group IDs for user %s", ++ CRM_DAEMON_USER); + have_error = TRUE; + } + } +@@ -333,6 +335,11 @@ crm_client_new(qb_ipcs_connection_t * c, + + client->id = crm_generate_uuid(); + ++ if ((uid_client == 0) || (uid_client == uid_cluster)) { ++ /* Remember when a connection came from root or hacluster */ ++ set_bit(client->flags, crm_client_flag_ipc_privileged); ++ } ++ + crm_debug("Connecting %p for uid=%d gid=%d pid=%u id=%s", c, uid_client, gid_client, client->pid, client->id); + + #if ENABLE_ACL diff -Nru pacemaker-1.1.14/debian/patches/lp1871166/0001-Fix-libservices-prevent-use-after-free-when-freeing-.patch pacemaker-1.1.14/debian/patches/lp1871166/0001-Fix-libservices-prevent-use-after-free-when-freeing-.patch --- pacemaker-1.1.14/debian/patches/lp1871166/0001-Fix-libservices-prevent-use-after-free-when-freeing-.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1871166/0001-Fix-libservices-prevent-use-after-free-when-freeing-.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,31 @@ +From 933d46ef20591757301784773a37e06b78906584 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Mon, 27 Feb 2017 14:28:36 -0600 +Subject: [PATCH] Fix: libservices: prevent use-after-free when freeing an + operation +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/933d46ef20591757301784773a37e06b78906584 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1871166 + +--- + lib/services/services.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/lib/services/services.c ++++ b/lib/services/services.c +@@ -422,6 +422,16 @@ services_action_free(svc_action_t * op) + return; + } + ++ /* The operation should be removed from all tracking lists by this point. ++ * If it's not, we have a bug somewhere, so bail. That may lead to a ++ * memory leak, but it's better than a use-after-free segmentation fault. ++ */ ++ CRM_CHECK(g_list_find(inflight_ops, op) == NULL, return); ++ CRM_CHECK(g_list_find(blocked_ops, op) == NULL, return); ++ CRM_CHECK((recurring_actions == NULL) ++ || (g_hash_table_lookup(recurring_actions, op->id) == NULL), ++ return); ++ + services_action_cleanup(op); + + if (op->opaque->repeat_timer) { diff -Nru pacemaker-1.1.14/debian/patches/lp1871166/0002-Fix-libservices-ensure-completed-ops-aren-t-on-block.patch pacemaker-1.1.14/debian/patches/lp1871166/0002-Fix-libservices-ensure-completed-ops-aren-t-on-block.patch --- pacemaker-1.1.14/debian/patches/lp1871166/0002-Fix-libservices-ensure-completed-ops-aren-t-on-block.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1871166/0002-Fix-libservices-ensure-completed-ops-aren-t-on-block.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,92 @@ +From 94a4c58f675d163085a055f59fd6c3a2c9f57c43 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Mon, 27 Feb 2017 14:17:01 -0600 +Subject: [PATCH] Fix: libservices: ensure completed ops aren't on blocked ops + list +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/94a4c58f675d163085a055f59fd6c3a2c9f57c43 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1871166 + +This refactors removal of a completed operation from the in-flight ops list +into a new internal function services_untrack_op(), which allows the +in-flight ops list and handle_blocked_ops() to be static to services.c. + +The new function also ensures the op isn't on the blocked ops list, +which could otherwise result in a use-after-free bug. + +vvv +Ubuntu Xenial backport note: +Unlike the upstream patch, this does not convert inflight_ops nor +handle_blocked_ops() to static, as that would remove symbols from +the libcrmservice3 library; this leaves them published. However, +nothing else in Ubuntu appears to r-dep libcrmservice3, and any +external users of libcrmservice3 are very unlikely to use either +symbol, which are for internal housekeeping; but in any case, they +remain published and available, so should not break any possible +users of the symbols in Xenial. +^^^ + +--- + lib/services/services.c | 23 +++++++++++++++++++++-- + lib/services/services_linux.c | 7 +------ + lib/services/services_private.h | 2 +- + 3 files changed, 23 insertions(+), 9 deletions(-) + +--- a/lib/services/services.c ++++ b/lib/services/services.c +@@ -624,6 +624,23 @@ services_add_inflight_op(svc_action_t * + } + } + ++/*! ++ * \internal ++ * \brief Stop tracking an operation that completed ++ * ++ * \param[in] op Operation to stop tracking ++ */ ++void ++services_untrack_op(svc_action_t *op) ++{ ++ /* Op is no longer in-flight or blocked */ ++ inflight_ops = g_list_remove(inflight_ops, op); ++ blocked_ops = g_list_remove(blocked_ops, op); ++ ++ /* Op is no longer blocking other ops, so check if any need to run */ ++ handle_blocked_ops(); ++} ++ + gboolean + services_action_async(svc_action_t * op, void (*action_callback) (svc_action_t *)) + { +--- a/lib/services/services_linux.c ++++ b/lib/services/services_linux.c +@@ -47,9 +47,6 @@ + # include "crm/common/cib_secrets.h" + #endif + +-/* ops currently active (in-flight) */ +-extern GList *inflight_ops; +- + static inline void + set_fd_opts(int fd, int opts) + { +@@ -259,9 +256,7 @@ operation_finalize(svc_action_t * op) + + op->pid = 0; + +- inflight_ops = g_list_remove(inflight_ops, op); +- +- handle_blocked_ops(); ++ services_untrack_op(op); + + if (!recurring && op->synchronous == FALSE) { + /* +--- a/lib/services/services_private.h ++++ b/lib/services/services_private.h +@@ -62,6 +62,7 @@ gboolean operation_finalize(svc_action_t + void services_add_inflight_op(svc_action_t *op); + + void handle_blocked_ops(void); ++void services_untrack_op(svc_action_t *op); + + gboolean is_op_blocked(const char *rsc); + diff -Nru pacemaker-1.1.14/debian/patches/lp1871166/0003-Refactor-libservices-handle-in-flight-case-first-whe.patch pacemaker-1.1.14/debian/patches/lp1871166/0003-Refactor-libservices-handle-in-flight-case-first-whe.patch --- pacemaker-1.1.14/debian/patches/lp1871166/0003-Refactor-libservices-handle-in-flight-case-first-whe.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1871166/0003-Refactor-libservices-handle-in-flight-case-first-whe.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,103 @@ +From dc36d4375c049024a6f9e4d2277a3e6444fad05b Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Tue, 28 Feb 2017 15:41:10 -0600 +Subject: [PATCH] Refactor: libservices: handle in-flight case first when + cancelling an operation +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/dc36d4375c049024a6f9e4d2277a3e6444fad05b +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1871166 + +will make next bugfix easier +--- + lib/services/services.c | 65 ++++++++++++++++++++++++++--------------- + 1 file changed, 42 insertions(+), 23 deletions(-) + +--- a/lib/services/services.c ++++ b/lib/services/services.c +@@ -482,42 +482,62 @@ cancel_recurring_action(svc_action_t * o + return TRUE; + } + ++/*! ++ * \brief Cancel a recurring action ++ * ++ * \param[in] name Name of resource that operation is for ++ * \param[in] action Name of operation to cancel ++ * \param[in] interval Interval of operation to cancel ++ * ++ * \return TRUE if action was successfully cancelled, FALSE otherwise ++ */ + gboolean + services_action_cancel(const char *name, const char *action, int interval) + { +- svc_action_t *op = NULL; +- char id[512]; +- +- snprintf(id, sizeof(id), "%s_%s_%d", name, action, interval); +- +- if (!(op = g_hash_table_lookup(recurring_actions, id))) { +- return FALSE; ++ gboolean cancelled = FALSE; ++ char *id = generate_op_key(name, action, interval); ++ svc_action_t *op = g_hash_table_lookup(recurring_actions, id); ++ ++ /* We can only cancel a recurring action */ ++ if (op == NULL) { ++ goto done; + } + +- /* Always kill the recurring timer */ ++ /* Tell operation_finalize() not to reschedule the operation */ ++ op->cancel = TRUE; ++ ++ /* Stop tracking it as a recurring operation, and stop its timer */ + cancel_recurring_action(op); + +- if (op->pid == 0) { +- op->status = PCMK_LRM_OP_CANCELLED; +- if (op->opaque->callback) { +- op->opaque->callback(op); ++ /* If the op has a PID, it's an in-flight child process, so kill it. ++ * ++ * Whether the kill succeeds or fails, the main loop will send the op to ++ * operation_finished() (and thus operation_finalize()) when the process ++ * goes away. ++ */ ++ if (op->pid != 0) { ++ crm_info("Terminating in-flight op %s (pid %d) early because it was cancelled", ++ id, op->pid); ++ cancelled = mainloop_child_kill(op->pid); ++ if (cancelled == FALSE) { ++ crm_err("Termination of %s (pid %d) failed", id, op->pid); + } ++ goto done; ++ } + +- blocked_ops = g_list_remove(blocked_ops, op); +- services_action_free(op); +- +- } else { +- crm_info("Cancelling in-flight op: performing early termination of %s (pid=%d)", id, op->pid); +- op->cancel = 1; +- if (mainloop_child_kill(op->pid) == FALSE) { +- /* even though the early termination failed, +- * the op will be marked as cancelled once it completes. */ +- crm_err("Termination of %s (pid=%d) failed", id, op->pid); +- return FALSE; +- } ++ /* Otherwise, operation is not in-flight, just report as cancelled */ ++ op->status = PCMK_LRM_OP_CANCELLED; ++ if (op->opaque->callback) { ++ op->opaque->callback(op); + } + +- return TRUE; ++ blocked_ops = g_list_remove(blocked_ops, op); ++ services_action_free(op); ++ cancelled = TRUE; ++ ++done: ++ free(id); ++ return cancelled; + } + + gboolean diff -Nru pacemaker-1.1.14/debian/patches/lp1871166/0004-Fix-libservices-properly-cancel-in-flight-systemd-up.patch pacemaker-1.1.14/debian/patches/lp1871166/0004-Fix-libservices-properly-cancel-in-flight-systemd-up.patch --- pacemaker-1.1.14/debian/patches/lp1871166/0004-Fix-libservices-properly-cancel-in-flight-systemd-up.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1871166/0004-Fix-libservices-properly-cancel-in-flight-systemd-up.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,55 @@ +From deabcc5a6aa93dadf0b20364715b559a5b9848ac Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Tue, 28 Feb 2017 15:48:11 -0600 +Subject: [PATCH] Fix: libservices: properly cancel in-flight systemd/upstart + op +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/deabcc5a6aa93dadf0b20364715b559a5b9848ac +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1871166 + +--- + lib/services/services.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/lib/services/services.c ++++ b/lib/services/services.c +@@ -98,6 +98,21 @@ resources_find_service_class(const char + return NULL; + } + ++/*! ++ * \internal ++ * \brief Check whether op is in-flight systemd or upstart op ++ * ++ * \param[in] op Operation to check ++ * ++ * \return TRUE if op is in-flight systemd or upstart op ++ */ ++static inline gboolean ++inflight_systemd_or_upstart(svc_action_t *op) ++{ ++ return (safe_str_eq(op->standard, "systemd") ++ || safe_str_eq(op->standard, "upstart")) ++ && (g_list_find(inflight_ops, op) != NULL); ++} + + svc_action_t * + resources_action_create(const char *name, const char *standard, const char *provider, +@@ -525,6 +540,18 @@ services_action_cancel(const char *name, + goto done; + } + ++ /* In-flight systemd and upstart ops don't have a pid. The relevant handlers ++ * will call operation_finalize() when the operation completes. ++ * @TODO: Can we request early termination, maybe using ++ * dbus_pending_call_cancel()? ++ */ ++ if (inflight_systemd_or_upstart(op)) { ++ crm_info("Will cancel %s op %s when in-flight instance completes", ++ op->standard, op->id); ++ cancelled = FALSE; ++ goto done; ++ } ++ + /* Otherwise, operation is not in-flight, just report as cancelled */ + op->status = PCMK_LRM_OP_CANCELLED; + if (op->opaque->callback) { diff -Nru pacemaker-1.1.14/debian/patches/lp1871166/0005-Fix-libservices-properly-detect-in-flight-systemd-up.patch pacemaker-1.1.14/debian/patches/lp1871166/0005-Fix-libservices-properly-detect-in-flight-systemd-up.patch --- pacemaker-1.1.14/debian/patches/lp1871166/0005-Fix-libservices-properly-detect-in-flight-systemd-up.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1871166/0005-Fix-libservices-properly-detect-in-flight-systemd-up.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,24 @@ +From b85037b75255061a41d0ec3fd9b64f271351b43e Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Tue, 28 Feb 2017 16:43:52 -0600 +Subject: [PATCH] Fix: libservices: properly detect in-flight systemd/upstart + ops when kicking +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/b85037b75255061a41d0ec3fd9b64f271351b43e +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1871166 + +--- + lib/services/services.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/services/services.c ++++ b/lib/services/services.c +@@ -584,7 +584,8 @@ services_action_kick(const char *name, c + return FALSE; + } + +- if (op->pid) { ++ ++ if (op->pid || inflight_systemd_or_upstart(op)) { + return TRUE; + } else { + if (op->opaque->repeat_timer) { diff -Nru pacemaker-1.1.14/debian/patches/lp1877280/0001-Fix-attrd-crash-on-exit-if-initialization-fails.patch pacemaker-1.1.14/debian/patches/lp1877280/0001-Fix-attrd-crash-on-exit-if-initialization-fails.patch --- pacemaker-1.1.14/debian/patches/lp1877280/0001-Fix-attrd-crash-on-exit-if-initialization-fails.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1877280/0001-Fix-attrd-crash-on-exit-if-initialization-fails.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,28 @@ +From f9a61522456ac94ddd160e88371979f7996eaff6 Mon Sep 17 00:00:00 2001 +From: Ken Gaillot +Date: Wed, 16 Mar 2016 17:56:51 -0500 +Subject: [PATCH] Fix: attrd: crash on exit if initialization fails +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1877280 +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/f9a61522456ac94ddd160e88371979f7996eaff6 + +Patch supplied by Vladislav Bogdanov +on the users@clusterlabs.org mailing list on 2015-10-12 +--- + attrd/main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/attrd/main.c ++++ b/attrd/main.c +@@ -384,8 +384,10 @@ main(int argc, char **argv) + + election_fini(writer); + crm_client_disconnect_all(ipcs); +- qb_ipcs_destroy(ipcs); +- g_hash_table_destroy(attributes); ++ if (ipcs) { ++ qb_ipcs_destroy(ipcs); ++ g_hash_table_destroy(attributes); ++ } + + if (the_cib) { + the_cib->cmds->signoff(the_cib); diff -Nru pacemaker-1.1.14/debian/patches/lp1877280/0002-Fix-attrd-ipc-Prevent-possible-segfault-on-exit.patch pacemaker-1.1.14/debian/patches/lp1877280/0002-Fix-attrd-ipc-Prevent-possible-segfault-on-exit.patch --- pacemaker-1.1.14/debian/patches/lp1877280/0002-Fix-attrd-ipc-Prevent-possible-segfault-on-exit.patch 1970-01-01 00:00:00.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/lp1877280/0002-Fix-attrd-ipc-Prevent-possible-segfault-on-exit.patch 2020-05-07 10:34:35.000000000 +0000 @@ -0,0 +1,41 @@ +From 3c62fb1d0deab7a15603c90abeff163aa093802f Mon Sep 17 00:00:00 2001 +From: "Gao,Yan" +Date: Fri, 17 Jun 2016 11:20:13 +0200 +Subject: [PATCH] Fix: attrd,ipc: Prevent possible segfault on exit +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1877280 +Origin: upstream, https://github.com/ClusterLabs/pacemaker/commit/3c62fb1d0deab7a15603c90abeff163aa093802f + +--- + attrd/main.c | 2 +- + lib/common/ipc.c | 8 +++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/attrd/main.c ++++ b/attrd/main.c +@@ -383,8 +383,8 @@ main(int argc, char **argv) + crm_notice("Cleaning up before exit"); + + election_fini(writer); +- crm_client_disconnect_all(ipcs); + if (ipcs) { ++ crm_client_disconnect_all(ipcs); + qb_ipcs_destroy(ipcs); + g_hash_table_destroy(attributes); + } +--- a/lib/common/ipc.c ++++ b/lib/common/ipc.c +@@ -274,7 +274,13 @@ crm_client_cleanup(void) + void + crm_client_disconnect_all(qb_ipcs_service_t *service) + { +- qb_ipcs_connection_t *c = qb_ipcs_connection_first_get(service); ++ qb_ipcs_connection_t *c = NULL; ++ ++ if (service == NULL) { ++ return; ++ } ++ ++ c = qb_ipcs_connection_first_get(service); + + while (c != NULL) { + qb_ipcs_connection_t *last = c; diff -Nru pacemaker-1.1.14/debian/patches/series pacemaker-1.1.14/debian/patches/series --- pacemaker-1.1.14/debian/patches/series 2019-04-18 12:30:33.000000000 +0000 +++ pacemaker-1.1.14/debian/patches/series 2020-10-29 13:31:28.000000000 +0000 @@ -20,3 +20,19 @@ CVE-2018-1687x-4.patch CVE-2018-1687x-5.patch CVE-2018-1687x-6.patch +lp1871166/0001-Fix-libservices-prevent-use-after-free-when-freeing-.patch +lp1871166/0002-Fix-libservices-ensure-completed-ops-aren-t-on-block.patch +lp1871166/0003-Refactor-libservices-handle-in-flight-case-first-whe.patch +lp1871166/0004-Fix-libservices-properly-cancel-in-flight-systemd-up.patch +lp1871166/0005-Fix-libservices-properly-detect-in-flight-systemd-up.patch +lp1877280/0001-Fix-attrd-crash-on-exit-if-initialization-fails.patch +lp1877280/0002-Fix-attrd-ipc-Prevent-possible-segfault-on-exit.patch +CVE-2020-25654-pre1.patch +CVE-2020-25654-1.patch +CVE-2020-25654-2.patch +CVE-2020-25654-3.patch +CVE-2020-25654-4.patch +CVE-2020-25654-5.patch +CVE-2020-25654-6.patch +CVE-2020-25654-7.patch +CVE-2020-25654-8.patch