--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package pacemaker
Dear Release Team,
It turned out that the original upstream security fixes for #927714
(already contained in pacemaker 2.0.1-4 in testing) introduced some
bugs, which were fixed in three follow-up upstream patches. These are
all lumped together in the proposed 1.1.16-1+deb9u1 security upload (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927714#29). The
following debdiff brings the above fixes of the fixes into buster as well:
diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog 2019-05-12 14:23:41.000000000 +0200
+++ pacemaker-2.0.1/debian/changelog 2019-06-02 14:01:06.000000000 +0200
@@ -1,3 +1,12 @@
+pacemaker (2.0.1-5) unstable; urgency=medium
+
+ * [17ae230] Backport three more patches from upstream fixing memory safety
+ bugs.
+ Clearing up fallout from the preceding security fixes.
+ Thanks to Ken Gaillot <kgaillot@redhat.com>
+
+ -- Ferenc Wágner <wferi@debian.org> Sun, 02 Jun 2019 14:01:06 +0200
+
pacemaker (2.0.1-4) unstable; urgency=high
* [54ace53] Fix check for already present statoverride.
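
Review bot: the 2.0.1-5 entry describes all three backports as "fixing memory safety bugs", but one of the three patches added by this debdiff is titled "Log: libcrmcluster: improve CPG membership messages" and its description speaks only of log messages. Listing the three patches by subject in the entry and referencing #927714 would let the release team match the changelog against the diff. The entry also drops to urgency=medium where 2.0.1-4 had urgency=high; worth confirming that is intended for fixes to the fallout of those security fixes.
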
diff -Nru pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
--- pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch 1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch 2019-06-02 13:49:43.000000000 +0200
@@ -0,0 +1,22 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Wed, 24 Apr 2019 16:25:46 -0500
+Subject: Fix: libcrmcommon: avoid use-of-NULL when checking whether process
+ is active
+
+---
+ lib/common/pid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/common/pid.c b/lib/common/pid.c
+index 2439680..4fbf2dd 100644
+--- a/lib/common/pid.c
++++ b/lib/common/pid.c
+@@ -57,7 +57,7 @@ crm_pid_active(long pid, const char *daemon)
+ } else if (rc == 0 && (daemon == NULL || have_proc_pid == -1)) {
+ return 1; /* kill as the only indicator, cannot double check */
+
+- } else {
++ } else if (daemon != NULL) {
+ /* make sure PID hasn't been reused by another process
+ XXX: might still be just a zombie, which could confuse decisions */
+ bool checked_through_kill = (rc == 0);
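
Review bot: with "} else if (daemon != NULL) {" replacing the final "else", a call with daemon == NULL that gets this far (kill() failed with something other than ESRCH while have_proc_pid is not -1) matches no branch at all, and the value returned is then decided by code outside this hunk. The patch has no description and no comment saying what that value should be; an explicit final "else" returning the intended code, or a comment at the end of the chain, would make this reviewable. The later pid.c patch in this debdiff states that this change "returned the wrong code in that case", so the two need to be applied and read together.
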
diff -Nru pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
--- pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch 1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch 2019-06-02 13:49:43.000000000 +0200
@@ -0,0 +1,182 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Fri, 12 Apr 2019 09:46:51 -0500
+Subject: Log: libcrmcluster: improve CPG membership messages
+
+Show CPG event reason when provided by corosync, make messages more readable,
+upgrade duplicate pid messages to warnings (and log only one message in those
+cases).
+---
+ lib/cluster/cpg.c | 91 ++++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 56 insertions(+), 35 deletions(-)
+
+diff --git a/lib/cluster/cpg.c b/lib/cluster/cpg.c
+index 2898c51..ef6fa36 100644
+--- a/lib/cluster/cpg.c
++++ b/lib/cluster/cpg.c
+@@ -360,8 +360,6 @@ pcmk_message_common_cs(cpg_handle_t handle, uint32_t nodeid, uint32_t pid, void
+ return NULL;
+ }
+
+-#define PEER_NAME(peer) ((peer)? ((peer)->uname? (peer)->uname : "<unknown>") : "<none>")
+-
+ static int cmp_member_list_nodeid(const void *first,
+ const void *second)
+ {
+@@ -376,6 +374,32 @@ static int cmp_member_list_nodeid(const void *first,
+ return 0;
+ }
+
++static const char *
++cpgreason2str(cpg_reason_t reason)
++{
++ switch (reason) {
++ case CPG_REASON_JOIN: return " via cpg_join";
++ case CPG_REASON_LEAVE: return " via cpg_leave";
++ case CPG_REASON_NODEDOWN: return " via cluster exit";
++ case CPG_REASON_NODEUP: return " via cluster join";
++ case CPG_REASON_PROCDOWN: return " for unknown reason";
++ default: break;
++ }
++ return "";
++}
++
++static inline const char *
++peer_name(crm_node_t *peer)
++{
++ if (peer == NULL) {
++ return "unknown node";
++ } else if (peer->uname == NULL) {
++ return "peer node";
++ } else {
++ return peer->uname;
++ }
++}
++
+ void
+ pcmk_cpg_membership(cpg_handle_t handle,
+ const struct cpg_name *groupName,
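
Review bot: every string returned by cpgreason2str() starts with a space and relies on being glued directly after a verb in the caller's format ("left%s", "joined%s"), a contract that is not documented and is easy to break at a future call site; a one-line comment above the function would cover it. CPG_REASON_PROCDOWN is also reported as " for unknown reason" although it is a reason the caller was given, while values that really are unrecognised fall to "default" and print nothing; the two wordings look swapped from a log reader's point of view. peer_name() only reads its argument, so it could take a const crm_node_t *.
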
+@@ -387,7 +411,7 @@ pcmk_cpg_membership(cpg_handle_t handle,
+ gboolean found = FALSE;
+ static int counter = 0;
+ uint32_t local_nodeid = get_local_nodeid(handle);
+- const struct cpg_address *key, **rival, **sorted;
++ const struct cpg_address *key, **sorted;
+
+ sorted = malloc(member_list_entries * sizeof(const struct cpg_address *));
+ CRM_ASSERT(sorted != NULL);
+@@ -401,10 +425,7 @@ pcmk_cpg_membership(cpg_handle_t handle,
+
+ for (i = 0; i < left_list_entries; i++) {
+ crm_node_t *peer = crm_find_peer(left_list[i].nodeid, NULL);
+-
+- crm_info("Group event %s.%d: node %u (%s) left: %llu",
+- groupName->value, counter, left_list[i].nodeid,
+- PEER_NAME(peer), (unsigned long long) left_list[i].pid);
++ const struct cpg_address **rival = NULL;
+
+ /* in CPG world, NODE:PROCESS-IN-MEMBERSHIP-OF-G is an 1:N relation
+ and not playing by this rule may go wild in case of multiple
+@@ -418,7 +439,7 @@ pcmk_cpg_membership(cpg_handle_t handle,
+ also API end-point carriers, and that's what matters locally
+ (who's the winner);
+ remotely, we will just compare leave_list and member_list and if
+- the left process has it's node retained in member_list (under some
++ the left process has its node retained in member_list (under some
+ other PID, anyway) we will just ignore it as well
+ XXX: long-term fix is to establish in-out PID-aware tracking? */
+ if (peer) {
+@@ -426,50 +447,51 @@ pcmk_cpg_membership(cpg_handle_t handle,
+ rival = bsearch(&key, sorted, member_list_entries,
+ sizeof(const struct cpg_address *),
+ cmp_member_list_nodeid);
+- if (rival == NULL) {
++ }
++
++ if (rival == NULL) {
++ crm_info("Group %s event %d: %s (node %u pid %u) left%s",
++ groupName->value, counter, peer_name(peer),
++ left_list[i].nodeid, left_list[i].pid,
++ cpgreason2str(left_list[i].reason));
++ if (peer) {
+ crm_update_peer_proc(__FUNCTION__, peer, crm_proc_cpg,
+ OFFLINESTATUS);
+- } else if (left_list[i].nodeid == local_nodeid) {
+- crm_info("Ignoring the above event %s.%d, comes from a local"
+- " rival process (presumably not us): %llu",
+- groupName->value, counter,
+- (unsigned long long) left_list[i].pid);
+- } else {
+- crm_info("Ignoring the above event %s.%d, comes from"
+- " a rival-rich node: %llu (e.g. %llu process"
+- " carries on)",
+- groupName->value, counter,
+- (unsigned long long) left_list[i].pid,
+- (unsigned long long) (*rival)->pid);
+ }
++ } else if (left_list[i].nodeid == local_nodeid) {
++ crm_warn("Group %s event %d: duplicate local pid %u left%s",
++ groupName->value, counter,
++ left_list[i].pid, cpgreason2str(left_list[i].reason));
++ } else {
++ crm_warn("Group %s event %d: "
++ "%s (node %u) duplicate pid %u left%s (%u remains)",
++ groupName->value, counter, peer_name(peer),
++ left_list[i].nodeid, left_list[i].pid,
++ cpgreason2str(left_list[i].reason), (*rival)->pid);
+ }
+ }
+ free(sorted);
+ sorted = NULL;
+
+ for (i = 0; i < joined_list_entries; i++) {
+- crm_info("Group event %s.%d: node %u joined: %llu"
+- " (unchecked for rivals)",
++ crm_info("Group %s event %d: node %u pid %u joined%s",
+ groupName->value, counter, joined_list[i].nodeid,
+- (unsigned long long) joined_list[i].pid);
++ joined_list[i].pid, cpgreason2str(joined_list[i].reason));
+ }
+
+ for (i = 0; i < member_list_entries; i++) {
+ crm_node_t *peer = crm_get_peer(member_list[i].nodeid, NULL);
+
+- crm_info("Group event %s.%d: node %u (%s) is member: %llu"
+- " (at least once)",
+- groupName->value, counter, member_list[i].nodeid,
+- PEER_NAME(peer), member_list[i].pid);
+-
+ if (member_list[i].nodeid == local_nodeid
+ && member_list[i].pid != getpid()) {
+ /* see the note above */
+- crm_info("Ignoring the above event %s.%d, comes from a local rival"
+- " process: %llu", groupName->value, counter,
+- (unsigned long long) member_list[i].pid);
++ crm_warn("Group %s event %d: detected duplicate local pid %u",
++ groupName->value, counter, member_list[i].pid);
+ continue;
+ }
++ crm_info("Group %s event %d: %s (node %u pid %u) is member",
++ groupName->value, counter, peer_name(peer),
++ member_list[i].nodeid, member_list[i].pid);
+
+ /* If the caller left auto-reaping enabled, this will also update the
+ * state to member.
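
Review bot: the new format strings in this hunk print left_list[i].pid, joined_list[i].pid, member_list[i].pid and (*rival)->pid with %u and no cast, where the removed calls used %llu, mostly with a cast to unsigned long long but without one in the removed "is member" message. %u is correct only if the pid field is an unsigned 32-bit value, and its declaration is not part of this patch, so please confirm the type. The patch description mentions only readability and log levels; it should also say that a format/argument mismatch is being corrected, since that is the part relevant to an upload described as fixing memory safety bugs.
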
+@@ -492,8 +514,7 @@ pcmk_cpg_membership(cpg_handle_t handle,
+
+ } else if (now > (peer->when_lost + 60)) {
+ // If it persists for more than a minute, update the state
+- crm_warn("Node %u member of group %s but believed offline"
+- " (unchecked for rivals)",
++ crm_warn("Node %u is member of group %s but was believed offline",
+ member_list[i].nodeid, groupName->value);
+ crm_update_peer_state(__FUNCTION__, peer, CRM_NODE_MEMBER, 0);
+ }
+@@ -505,7 +526,7 @@ pcmk_cpg_membership(cpg_handle_t handle,
+ }
+
+ if (!found) {
+- crm_err("We're not part of CPG group '%s' anymore!", groupName->value);
++ crm_err("Local node was evicted from group %s", groupName->value);
+ cpg_evicted = TRUE;
+ }
+
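
Review bot: the reworded crm_err() at the "if (!found)" check, like the crm_warn() changed in the hunk before it, replaces text that log monitoring may match on ("We're not part of CPG group"), and this is proposed through an unblock request. Mentioning the changed messages in debian/changelog or NEWS would warn operators who alert on the old strings. The new wording "was evicted" also asserts a cause, while the check shown only establishes that the local node was not found in the member list; "is no longer a member of group %s" would claim no more than the code knows.
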
diff -Nru pacemaker-2.0.1/debian/patches/from-upstream/Low-libcrmcommon-return-proper-code-if-testing-pid-is-den.patch pacemaker-2.0.1/debian/patches/from-upstream/Low-libcrmcommon-return-proper-code-if-testing-pid-is-den.patch
--- pacemaker-2.0.1/debian/patches/from-upstream/Low-libcrmcommon-return-proper-code-if-testing-pid-is-den.patch 1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/from-upstream/Low-libcrmcommon-return-proper-code-if-testing-pid-is-den.patch 2019-06-02 13:49:43.000000000 +0200
@@ -0,0 +1,23 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Mon, 29 Apr 2019 14:34:32 -0500
+Subject: Low: libcrmcommon: return proper code if testing pid is denied
+
+7dda20d avoided a use-of-NULL in an unlikely corner case, but returned the
+wrong code in that case.
+---
+ lib/common/pid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/common/pid.c b/lib/common/pid.c
+index 4fbf2dd..ccee03f 100644
+--- a/lib/common/pid.c
++++ b/lib/common/pid.c
+@@ -47,7 +47,7 @@ crm_pid_active(long pid, const char *daemon)
+ } else if ((rc = kill(pid, 0)) < 0 && errno == ESRCH) {
+ return 0; /* no such PID detected */
+
+- } else if (rc < 0 && have_proc_pid == -1) {
++ } else if (rc < 0 && (daemon == NULL || have_proc_pid == -1)) {
+ if (last_asked_pid != pid) {
+ crm_info("Cannot examine PID %ld: %s", pid, strerror(errno));
+ last_asked_pid = pid;
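
Review bot: the subject promises the "proper code" for the daemon == NULL case, but the return statement of the branch now guarded by "rc < 0 && (daemon == NULL || have_proc_pid == -1)" lies below the three context lines, so the value cannot be checked from this hunk; naming it in the description would fix that. The description also cites 7dda20d, while the patch it presumably refers to (the "avoid use-of-NULL" one above) carries no commit id in this debdiff, only the blob ids 2439680..4fbf2dd. An Origin or commit line in each patch header would make the reference resolvable.
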
diff -Nru pacemaker-2.0.1/debian/patches/series pacemaker-2.0.1/debian/patches/series
--- pacemaker-2.0.1/debian/patches/series 2019-05-07 17:17:57.000000000 +0200
+++ pacemaker-2.0.1/debian/patches/series 2019-06-02 13:49:43.000000000 +0200
@@ -11,3 +11,6 @@
PR1749/High-pacemakerd-vs.-IPC-procfs-confused-deputy-authentici-3.patch
PR1749/High-pacemakerd-vs.-IPC-procfs-confused-deputy-authentici-4.patch
PR1749/Med-controld-fix-possible-NULL-pointer-dereference.patch
+from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
+from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
+from-upstream/Low-libcrmcommon-return-proper-code-if-testing-pid-is-den.patch
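
Review bot: the two lib/common/pid.c entries depend on their order in this list: the "Low:" patch's index line starts from blob 4fbf2dd, which is the result of the "Fix:" patch (2439680..4fbf2dd), so it will not apply cleanly if the entries are swapped or the first is dropped. A comment line in series recording that dependency would help whoever next refreshes the patch queue.
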
This would get us through the full list in
https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html, so
please
unblock pacemaker/2.0.1-5
--
Thanks,
Feri.
--- End Message ---