diff options
| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-04-28 17:01:04 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-29 10:14:29 +0530 |
| commit | 985cc4d3848de58aacb0c345da63207fde2ad5d8 (patch) | |
| tree | 3718b8a4814cf9cb4e41f60eb7d1a72190415ce4 /meta-networking | |
| parent | 9a19b0f3cb781caba872cbd359480de5a0824d43 (diff) | |
| download | meta-openembedded-985cc4d3848de58aacb0c345da63207fde2ad5d8.tar.gz | |
corosync: patch CVE-2026-35091
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-35091
Pick the patch that mentions the CVE ID explicitly (it was identified
by Debian also as the fix[1])
[1]: https://security-tracker.debian.org/tracker/CVE-2026-35091
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 701b22fda35648efc333d6e6e7abd8e70aa49870)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch | 47 | ||||
| -rw-r--r-- | meta-networking/recipes-extended/corosync/corosync_3.1.10.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch new file mode 100644 index 0000000000..8afa5d6841 --- /dev/null +++ b/meta-networking/recipes-extended/corosync/corosync/CVE-2026-35091.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From b9cb461121c8721c94a94309eb345a3c2f9ee9b4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jan Friesse <jfriesse@redhat.com> | ||
| 3 | Date: Thu, 2 Apr 2026 09:00:39 +0200 | ||
| 4 | Subject: [PATCH] totemsrp: Return error if sanity check fails | ||
| 5 | MIME-Version: 1.0 | ||
| 6 | Content-Type: text/plain; charset=UTF-8 | ||
| 7 | Content-Transfer-Encoding: 8bit | ||
| 8 | |||
| 9 | Previously, the check_memb_commit_token_sanity function correctly | ||
| 10 | checked the minimum message length. However, if the message was too | ||
| 11 | short, it incorrectly returned a success code (0) instead of the | ||
| 12 | expected failure code (-1). | ||
| 13 | |||
| 14 | This commit ensures the appropriate error code is returned when the | ||
| 15 | message length sanity check fails. | ||
| 16 | |||
| 17 | Fixes: CVE-2026-35091 | ||
| 18 | |||
| 19 | Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) <sebasjosue84@gmail.com> | ||
| 20 | Signed-off-by: Jan Friesse <jfriesse@redhat.com> | ||
| 21 | Also-proposed-by: nicholasyang <nicholas.yang@suse.com> | ||
| 22 | Reviewed-by: Christine Caulfield <ccaulfie@redhat.com> | ||
| 23 | |||
| 24 | CVE: CVE-2026-35091 | ||
| 25 | Upstream-Status: Backport [https://github.com/corosync/corosync/commit/a16614accfdb3481264d7281843fadf439d9ab1b] | ||
| 26 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 27 | --- | ||
| 28 | exec/totemsrp.c | 4 ++-- | ||
| 29 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 30 | |||
| 31 | diff --git a/exec/totemsrp.c b/exec/totemsrp.c | ||
| 32 | index 35bf971..94d6c21 100644 | ||
| 33 | --- a/exec/totemsrp.c | ||
| 34 | +++ b/exec/totemsrp.c | ||
| 35 | @@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( | ||
| 36 | log_printf (instance->totemsrp_log_level_security, | ||
| 37 | "Received memb_commit_token message is too short... ignoring."); | ||
| 38 | |||
| 39 | - return (0); | ||
| 40 | + return (-1); | ||
| 41 | } | ||
| 42 | |||
| 43 | - addr_entries= mct_msg->addr_entries; | ||
| 44 | + addr_entries = mct_msg->addr_entries; | ||
| 45 | if (endian_conversion_needed) { | ||
| 46 | addr_entries = swab32(addr_entries); | ||
| 47 | } | ||
diff --git a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb index 0cb475a4d4..0e7f48272f 100644 --- a/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb +++ b/meta-networking/recipes-extended/corosync/corosync_3.1.10.bb | |||
| @@ -9,6 +9,7 @@ inherit autotools pkgconfig systemd github-releases | |||
| 9 | 9 | ||
| 10 | SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ | 10 | SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \ |
| 11 | file://corosync.conf \ | 11 | file://corosync.conf \ |
| 12 | file://CVE-2026-35091.patch \ | ||
| 12 | " | 13 | " |
| 13 | SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" | 14 | SRC_URI[sha256sum] = "be361c827f99b215b3bd3fa2fb071c03dac6831c2a351963d938caef62604bc8" |
| 14 | UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" | 15 | UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" |
