summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorGyorgy Sarvari <skandigraun@gmail.com>2026-04-28 17:01:04 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-29 10:14:29 +0530
commit985cc4d3848de58aacb0c345da63207fde2ad5d8 (patch)
tree3718b8a4814cf9cb4e41f60eb7d1a72190415ce4 /meta-networking
parent9a19b0f3cb781caba872cbd359480de5a0824d43 (diff)
downloadmeta-openembedded-985cc4d3848de58aacb0c345da63207fde2ad5d8.tar.gz
corosync: patch CVE-2026-35091
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091 Pick the patch that mentions the CVE ID explicitly (it was identified by Debian also as the fix[1]) [1]: https://security-tracker.debian.org/tracker/CVE-2026-35091 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> (cherry picked from commit 701b22fda35648efc333d6e6e7abd8e70aa49870) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch47
-rw-r--r--meta-networking/recipes-extended/corosync/corosync_3.1.10.bb1
2 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch
new file mode 100644
index 0000000000..8afa5d6841
--- /dev/null
+++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch
@@ -0,0 +1,47 @@
1From b9cb461121c8721c94a94309eb345a3c2f9ee9b4 Mon Sep 17 00:00:00 2001
2From: Jan Friesse <jfriesse@redhat.com>
3Date: Thu, 2 Apr 2026 09:00:39 +0200
4Subject: [PATCH] totemsrp: Return error if sanity check fails
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Previously, the check_memb_commit_token_sanity function correctly
10checked the minimum message length. However, if the message was too
11short, it incorrectly returned a success code (0) instead of the
12expected failure code (-1).
13
14This commit ensures the appropriate error code is returned when the
15message length sanity check fails.
16
17Fixes: CVE-2026-35091
18
19Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com>
20Signed-off-by: Jan Friesse <jfriesse@redhat.com>
21Also-proposed-by: nicholasyang <nicholas.yang@suse.com>
22Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
23
24CVE: CVE-2026-35091
25Upstream-Status: Backport [https://github.com/corosync/corosync/commit/a16614accfdb3481264d7281843fadf439d9ab1b]
26Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
27---
28 exec/totemsrp.c | 4 ++--
29 1 file changed, 2 insertions(+), 2 deletions(-)
30
31diff --git a/exec/totemsrp.c b/exec/totemsrp.c
32index 35bf971..94d6c21 100644
33--- a/exec/totemsrp.c
34+++ b/exec/totemsrp.c
35@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity(
36 log_printf (instance->totemsrp_log_level_security,
37 "Received memb_commit_token message is too short... ignoring.");
38
39- return (0);
40+ return (-1);
41 }
42
43- addr_entries= mct_msg->addr_entries;
44+ addr_entries = mct_msg->addr_entries;
45 if (endian_conversion_needed) {
46 addr_entries = swab32(addr_entries);
47 }
diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
index 0cb475a4d4..0e7f48272f 100644
--- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
+++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb
@@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases
9 9
10SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ 10SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \
11 file://corosync.conf \ 11 file://corosync.conf \
12 file://CVE-2026-35091.patch \
12 " 13 "
13SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" 14SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8"
14UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" 15UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"