summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2026-04-28 17:01:05 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-29 10:14:29 +0530
commit5ce7602ce108f1aefccaa3afcc2b4081dc654a4c (patch)
treee5c8d3443b076d167da1ef8478714a89a98d6e72
parent985cc4d3848de58aacb0c345da63207fde2ad5d8 (diff)
downloadmeta-openembedded-5ce7602ce108f1aefccaa3afcc2b4081dc654a4c.tar.gz
corosync: patch CVE-2026-35092
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092 Pick the patch that mentions the CVE ID explicitly (the same commit was identified by Debian also[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35092 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit af73e716bc7150ae8d912d8af00f6995e25f2031) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch57
-rw-r--r--meta-networking/recipes-extended/corosync/corosync_3.1.10.bb1
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch
new file mode 100644
index 0000000000..8182647840
--- /dev/null
+++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch
@@ -0,0 +1,57 @@
1From 8f8a4747a0223b8897deda9a40a8a099c61fa80f Mon Sep 17 00:00:00 2001
2From: Jan Friesse <jfriesse@redhat.com>
3Date: Thu, 2 Apr 2026 09:44:06 +0200
4Subject: [PATCH] totemsrp: Fix integer overflow in memb_join_sanity
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This commit addresses an integer overflow (wraparound) vulnerability
10in the check_memb_join_sanity function.
11
12Previously, the 32-bit unsigned network values proc_list_entries and
13failed_list_entries were added together before being promoted to
14size_t. This allowed the addition to wrap around in 32-bit arithmetic
15(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
16calculation that was incorrectly small.
17
18The solution is to cast the list entries to size_t and verify that
19neither exceeds the maximum allowed value before the addition occurs.
20
21Fixes: CVE-2026-35092
22
23Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
24Signed-off-by: Jan Friesse <jfriesse@redhat.com>
25Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
26Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
27
28CVE: CVE-2026-35092
29Upstream-Status: Backport [https://github.com/corosync/corosync/commit/4082294f5094a7591e4e00658c5a605f05d644f1]
30Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
31---
32 exec/totemsrp.c | 12 +++++++++++-
33 1 file changed, 11 insertions(+), 1 deletion(-)
34
35diff --git a/exec/totemsrp.c b/exec/totemsrp.c
36index 94d6c21..6845cec 100644
37--- a/exec/totemsrp.c
38+++ b/exec/totemsrp.c
39@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity(
40 failed_list_entries = swab32(failed_list_entries);
41 }
42
43- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
44+ if (proc_list_entries > PROCESSOR_COUNT_MAX ||
45+ failed_list_entries > PROCESSOR_COUNT_MAX) {
46+ log_printf (instance->totemsrp_log_level_security,
47+ "Received memb_join message list_entries exceeds the maximum "
48+ "allowed value... ignoring.");
49+
50+ return (-1);
51+ }
52+
53+ required_len = sizeof(struct memb_join) +
54+ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
55 if (msg_len < required_len) {
56 log_printf (instance->totemsrp_log_level_security,
57 "Received memb_join message is too short... ignoring.");
diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
index 0e7f48272f..722dbcbbbc 100644
--- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
+++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
@@ -10,6 +10,7 @@ inherit autotools pkgconfig systemd github-releases
10SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ 10SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \
11 file://corosync.conf \ 11 file://corosync.conf \
12 file://CVE-2026-35091.patch \ 12 file://CVE-2026-35091.patch \
13 file://CVE-2026-35092.patch \
13 " 14 "
14SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" 15SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8"
15UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" 16UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"