
Bug#1107252: marked as done (bookworm-pu: package corosync/3.1.7-1+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1107252,
regarding bookworm-pu: package corosync/3.1.7-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107252: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107252
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: corosync@packages.debian.org, wferi@debian.org
Control: affects -1 + src:corosync
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes a minor security issue, debdiff below.

Cheers,
        Moritz

diff -Nru corosync-3.1.7/debian/changelog corosync-3.1.7/debian/changelog
--- corosync-3.1.7/debian/changelog	2023-01-15 15:00:42.000000000 +0100
+++ corosync-3.1.7/debian/changelog	2025-05-18 21:16:40.000000000 +0200
@@ -1,3 +1,9 @@
+corosync (3.1.7-1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2025-30472 (Closes: #1102006)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sun, 18 May 2025 21:16:40 +0200
+
 corosync (3.1.7-1) unstable; urgency=medium
 
   * [f3d69c9] New upstream release (3.1.7)
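Review bot: the new changelog entry at the top of this hunk gives only the CVE ID and the bug closure, so someone reading the changelog alone cannot tell what was changed. Suggest adding a short description taken from the patch subject, for example "totemsrp: Check size of orf_token msg", next to the CVE ID.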
diff -Nru corosync-3.1.7/debian/patches/CVE-2025-30472.patch corosync-3.1.7/debian/patches/CVE-2025-30472.patch
--- corosync-3.1.7/debian/patches/CVE-2025-30472.patch	1970-01-01 01:00:00.000000000 +0100
+++ corosync-3.1.7/debian/patches/CVE-2025-30472.patch	2025-05-18 21:16:40.000000000 +0200
@@ -0,0 +1,63 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfriesse@redhat.com>
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse <jfriesse@redhat.com>
+Reviewed-by: Christine Caulfield <ccaulfie@redhat.com>
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- corosync-3.1.7.orig/exec/totemsrp.c
++++ corosync-3.1.7/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ 	const struct totemsrp_instance *instance,
+ 	const void *msg,
+ 	size_t msg_len,
++	size_t max_msg_len,
+ 	int endian_conversion_needed)
+ {
+ 	int rtr_entries;
+ 	const struct orf_token *token = (const struct orf_token *)msg;
+ 	size_t required_len;
+ 
++	if (msg_len > max_msg_len) {
++		log_printf (instance->totemsrp_log_level_security,
++		    "Received orf_token message is too long...  ignoring.");
++
++		return (-1);
++	}
++
+ 	if (msg_len < sizeof(struct orf_token)) {
+ 		log_printf (instance->totemsrp_log_level_security,
+ 		    "Received orf_token message is too short...  ignoring.");
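Review bot: the new max_msg_len parameter of check_orf_token_sanity() is undocumented, and the "too long" branch logs neither msg_len nor max_msg_len. The check is only as good as the value the caller passes, so a short comment stating that max_msg_len must be the size of the buffer the token is later stored in would protect future callers. Adding both lengths to the log_printf call would also make the security-level log entry more useful for triage.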
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ 		rtr_entries = token->rtr_list_entries;
+ 	}
+ 
++	if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
++		log_printf (instance->totemsrp_log_level_security,
++		    "Received orf_token message rtr_entries is corrupted...  ignoring.");
++
++		return (-1);
++	}
++
+ 	required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ 	if (msg_len < required_len) {
+ 		log_printf (instance->totemsrp_log_level_security,
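Review bot: the new bound on rtr_entries checks only the upper side (rtr_entries > RETRANSMIT_ENTRIES_MAX), while rtr_entries is declared as int earlier in the function. A negative value would pass this check and then be converted to size_t in "rtr_entries * sizeof(struct rtr_item)", where the arithmetic can wrap and yield a small required_len that the following msg_len comparison accepts. Suggest rejecting "rtr_entries < 0" in the same condition, unless the field's type (not visible in this hunk) already rules that out.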
+@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
+ 	"Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
+ #endif
+ 
+-	if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
++	if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
++	    endian_conversion_needed) == -1) {
+ 		return (0);
+ 	}
+ 
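Review bot: the call site passes sizeof(token_storage) as the limit, but the declaration of token_storage is outside this hunk, so it cannot be confirmed here that it is an array rather than a pointer. If it is a pointer, sizeof yields the pointer size and the new check would reject nearly every token. Worth confirming the declaration in message_handler_orf_token(), or passing a named size constant shared with the buffer definition so the two cannot drift apart.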
diff -Nru corosync-3.1.7/debian/patches/series corosync-3.1.7/debian/patches/series
--- corosync-3.1.7/debian/patches/series	2023-01-15 13:41:46.000000000 +0100
+++ corosync-3.1.7/debian/patches/series	2025-05-18 21:16:40.000000000 +0200
@@ -2,3 +2,4 @@
 Enable-PrivateTmp-in-the-systemd-service-files.patch
 Make-the-example-config-valid.patch
 Revert-logrotate-Use-copytruncate-method-by-default.patch
+CVE-2025-30472.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---