Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package corosync for openSUSE:Factory checked in at 2025-03-27 22:31:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/corosync (Old)
 and      /work/SRC/openSUSE:Factory/.corosync.new.2696 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "corosync" Thu Mar 27 22:31:38 2025 rev:81 rq:1256370 version:3.1.9 Changes: -------- --- /work/SRC/openSUSE:Factory/corosync/corosync.changes 2024-11-29 00:08:46.645168470 +0100 +++ /work/SRC/openSUSE:Factory/.corosync.new.2696/corosync.changes 2025-03-27 22:31:43.263165113 +0100 @@ -1,0 +2,6 @@ +Wed Mar 26 09:20:06 UTC 2025 - Nicholas Yang <[email protected]> + +- Add a patch to fix CVE-2025-30472 (bsc#1239987) + * 779.patch + +------------------------------------------------------------------- New: ---- 779.patch BETA DEBUG BEGIN: New:- Add a patch to fix CVE-2025-30472 (bsc#1239987) * 779.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ corosync.spec ++++++ --- /var/tmp/diff_new_pack.qornjp/_old 2025-03-27 22:31:43.835188791 +0100 +++ /var/tmp/diff_new_pack.qornjp/_new 2025-03-27 22:31:43.835188791 +0100 @@ -1,7 +1,7 @@ # # spec file for package corosync # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -56,6 +56,7 @@ URL: http://corosync.github.io/corosync/ Source0: %{name}-%{version}.tar.gz Patch0: 0001-harden-services-with-systemd-sandboxing.patch +Patch1: 779.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # provide openais on purpose, the package has been deleted. ++++++ 779.patch ++++++ >From ea7d0a01337dd3849bee9a2719d4ccf54adf5c29 Mon Sep 17 00:00:00 2001 From: Jan Friesse <[email protected]> Date: Mon, 24 Mar 2025 12:05:08 +0100 Subject: [PATCH] totemsrp: Check size of orf_token msg orf_token message is stored into preallocated array on endian convert so carefully crafted malicious message can lead to crash of corosync. Solution is to check message size beforehand. 
Signed-off-by: Jan Friesse <[email protected]> --- exec/totemsrp.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/exec/totemsrp.c b/exec/totemsrp.c index 962d0e2a7..364528ce1 100644 --- a/exec/totemsrp.c +++ b/exec/totemsrp.c @@ -3679,12 +3679,20 @@ static int check_orf_token_sanity( const struct totemsrp_instance *instance, const void *msg, size_t msg_len, + size_t max_msg_len, int endian_conversion_needed) { int rtr_entries; const struct orf_token *token = (const struct orf_token *)msg; size_t required_len; + if (msg_len > max_msg_len) { + log_printf (instance->totemsrp_log_level_security, + "Received orf_token message is too long... ignoring."); + + return (-1); + } + if (msg_len < sizeof(struct orf_token)) { log_printf (instance->totemsrp_log_level_security, "Received orf_token message is too short... ignoring."); @@ -3698,6 +3706,13 @@ static int check_orf_token_sanity( rtr_entries = token->rtr_list_entries; } + if (rtr_entries > RETRANSMIT_ENTRIES_MAX) { + log_printf (instance->totemsrp_log_level_security, + "Received orf_token message rtr_entries is corrupted... ignoring."); + + return (-1); + } + required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item); if (msg_len < required_len) { log_printf (instance->totemsrp_log_level_security, @@ -3868,7 +3883,8 @@ static int message_handler_orf_token ( "Time since last token %0.4f ms", tv_diff / (float)QB_TIME_NS_IN_MSEC); #endif - if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) { + if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage), + endian_conversion_needed) == -1) { return (0); }
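Review bot: the corosync.spec hunk that adds `Patch1: 779.patch` only declares the patch; no matching application line (`%patch1 -p1`, or an `%autosetup -p1` that covers all declared patches) appears in this diff, so confirm that %prep actually applies it, otherwise the package builds with the declaration but without the CVE-2025-30472 fix. It is also worth recording the upstream origin of 779.patch (commit ea7d0a01337dd3849bee9a2719d4ccf54adf5c29 per the patch header) in a spec comment next to the Patch1 line so it can be dropped cleanly at the next version bump.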
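Review bot: in the first exec/totemsrp.c hunk the new `msg_len > max_msg_len` rejection logs only a fixed string; since it fires at totemsrp_log_level_security for a message that would otherwise have overrun the preallocated conversion buffer, include both `msg_len` and `max_msg_len` in that log_printf so an operator can distinguish a misbehaving peer from a deliberately oversized token when triaging. The new `max_msg_len` parameter also deserves a short comment stating that it is the size of the destination buffer used for endian conversion, which is what the check protects.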
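Review bot: in the second exec/totemsrp.c hunk, `rtr_entries` is declared `int` (visible in the context of the previous hunk) and assigned from `token->rtr_list_entries`; if that field is an unsigned 32-bit value, a wire value with the top bit set becomes negative, is not caught by `rtr_entries > RETRANSMIT_ENTRIES_MAX`, and is then multiplied by `sizeof(struct rtr_item)` in size_t arithmetic with wraparound instead of getting a clean rejection. Add `rtr_entries < 0 ||` to the new condition (or compare the unsigned field directly against RETRANSMIT_ENTRIES_MAX) so the bound check is the one that rejects it.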
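Review bot: in the third exec/totemsrp.c hunk the caller passes `sizeof(token_storage)` as the new bound, but `token_storage` is not visible in this diff; confirm it is the preallocated array the commit message refers to (the buffer the message is copied into on endian conversion) and not a pointer to it, since `sizeof` on a pointer would silently turn the limit into the pointer width and the new check would reject every legitimate token.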
