diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-04-28 17:01:05 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-29 10:14:29 +0530 |
| commit | 5ce7602ce108f1aefccaa3afcc2b4081dc654a4c (patch) | |
| tree | e5c8d3443b076d167da1ef8478714a89a98d6e72 | |
| parent | 985cc4d3848de58aacb0c345da63207fde2ad5d8 (diff) | |
| download | meta-openembedded-5ce7602ce108f1aefccaa3afcc2b4081dc654a4c.tar.gz | |
corosync: patch CVE-2026-35092
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35092
Pick the patch that mentions the CVE ID explicitly (the same commit
was identified by Debian also[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35092
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit af73e716bc7150ae8d912d8af00f6995e25f2031)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch | 57 | ||||
| -rw-r--r-- | meta-networking/recipes-extended/corosync/corosync_3.1.10.bb | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch new file mode 100644 index 0000000000..8182647840 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35092.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From 8f8a4747a0223b8897deda9a40a8a099c61fa80f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jan Friesse <jfriesse@redhat.com> | ||
| 3 | Date: Thu, 2 Apr 2026 09:44:06 +0200 | ||
| 4 | Subject: [PATCH] totemsrp: Fix integer overflow in memb_join_sanity | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | This commit addresses an integer overflow (wraparound) vulnerability | ||
| 10 | in the check_memb_join_sanity function. | ||
| 11 | |||
| 12 | Previously, the 32-bit unsigned network values proc_list_entries and | ||
| 13 | failed_list_entries were added together before being promoted to | ||
| 14 | size_t. This allowed the addition to wrap around in 32-bit arithmetic | ||
| 15 | (e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len | ||
| 16 | calculation that was incorrectly small. | ||
| 17 | |||
| 18 | The solution is to cast the list entries to size_t and verify that | ||
| 19 | neither exceeds the maximum allowed value before the addition occurs. | ||
| 20 | |||
| 21 | Fixes: CVE-2026-35092 | ||
| 22 | |||
| 23 | Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com> | ||
| 24 | Signed-off-by: Jan Friesse <jfriesse@redhat.com> | ||
| 25 | Also-proposed-by: nicholasyang <nicholas.yang@suse.com> | ||
| 26 | Reviewed-by: Christine Caulfield <ccaulfie@redhat.com> | ||
| 27 | |||
| 28 | CVE: CVE-2026-35092 | ||
| 29 | Upstream-Status: Backport [https://github.com/corosync/corosync/commit/4082294f5094a7591e4e00658c5a605f05d644f1] | ||
| 30 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 31 | --- | ||
| 32 | exec/totemsrp.c | 12 +++++++++++- | ||
| 33 | 1 file changed, 11 insertions(+), 1 deletion(-) | ||
| 34 | |||
| 35 | diff --git a/exec/totemsrp.c b/exec/totemsrp.c | ||
| 36 | index 94d6c21..6845cec 100644 | ||
| 37 | --- a/exec/totemsrp.c | ||
| 38 | +++ b/exec/totemsrp.c | ||
| 39 | @@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( | ||
| 40 | failed_list_entries = swab32(failed_list_entries); | ||
| 41 | } | ||
| 42 | |||
| 43 | - required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); | ||
| 44 | + if (proc_list_entries > PROCESSOR_COUNT_MAX || | ||
| 45 | + failed_list_entries > PROCESSOR_COUNT_MAX) { | ||
| 46 | + log_printf (instance->totemsrp_log_level_security, | ||
| 47 | + "Received memb_join message list_entries exceeds the maximum " | ||
| 48 | + "allowed value... ignoring."); | ||
| 49 | + | ||
| 50 | + return (-1); | ||
| 51 | + } | ||
| 52 | + | ||
| 53 | + required_len = sizeof(struct memb_join) + | ||
| 54 | + (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); | ||
| 55 | if (msg_len < required_len) { | ||
| 56 | log_printf (instance->totemsrp_log_level_security, | ||
| 57 | "Received memb_join message is too short... ignoring."); | ||
diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 0e7f48272f..722dbcbbbc 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb | |||
| @@ -10,6 +10,7 @@ inherit autotools pkgconfig systemd github-releases | |||
| 10 | SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ | 10 | SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ |
| 11 | file://corosync.conf \ | 11 | file://corosync.conf \ |
| 12 | file://CVE-2026-35091.patch \ | 12 | file://CVE-2026-35091.patch \ |
| 13 | file://CVE-2026-35092.patch \ | ||
| 13 | " | 14 | " |
| 14 | SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" | 15 | SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" |
| 15 | UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" | 16 | UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" |
