diffstat for corosync-3.1.10 corosync-3.1.10 changelog | 8 + patches/0001-totemsrp-Return-error-if-sanity-check-fails.patch | 46 ++++++++ patches/0002-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch | 56 ++++++++++ patches/series | 2 4 files changed, 112 insertions(+) diff -Nru corosync-3.1.10/debian/changelog corosync-3.1.10/debian/changelog --- corosync-3.1.10/debian/changelog 2026-02-21 18:53:23.000000000 +0200 +++ corosync-3.1.10/debian/changelog 2026-05-02 10:41:59.000000000 +0300 @@ -1,3 +1,11 @@ +corosync (3.1.10-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2026-35091: out-of-bounds read (Closes: #1133838) + * CVE-2026-35092: integer overflow (Closes: #1133837) + + -- Adrian Bunk Sat, 02 May 2026 10:41:59 +0300 + corosync (3.1.10-1) unstable; urgency=medium * [dbde8b2] New upstream release (3.1.10) diff -Nru corosync-3.1.10/debian/patches/0001-totemsrp-Return-error-if-sanity-check-fails.patch corosync-3.1.10/debian/patches/0001-totemsrp-Return-error-if-sanity-check-fails.patch --- corosync-3.1.10/debian/patches/0001-totemsrp-Return-error-if-sanity-check-fails.patch 1970-01-01 02:00:00.000000000 +0200 +++ corosync-3.1.10/debian/patches/0001-totemsrp-Return-error-if-sanity-check-fails.patch 2026-05-02 10:28:29.000000000 +0300 @@ -0,0 +1,46 @@ +From 4dee4c4585be39b258018490162fbab35d0adee9 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:00:39 +0200 +Subject: totemsrp: Return error if sanity check fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, the check_memb_commit_token_sanity function correctly +checked the minimum message length. However, if the message was too +short, it incorrectly returned a success code (0) instead of the +expected failure code (-1). + +This commit ensures the appropriate error code is returned when the +message length sanity check fails. + +Fixes: CVE-2026-35091 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 35bf971d..94d6c216 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3811,10 +3811,10 @@ static int check_memb_commit_token_sanity( + log_printf (instance->totemsrp_log_level_security, + "Received memb_commit_token message is too short... ignoring."); + +- return (0); ++ return (-1); + } + +- addr_entries= mct_msg->addr_entries; ++ addr_entries = mct_msg->addr_entries; + if (endian_conversion_needed) { + addr_entries = swab32(addr_entries); + } +-- +2.47.3 + diff -Nru corosync-3.1.10/debian/patches/0002-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch corosync-3.1.10/debian/patches/0002-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch --- corosync-3.1.10/debian/patches/0002-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch 1970-01-01 02:00:00.000000000 +0200 +++ corosync-3.1.10/debian/patches/0002-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch 2026-05-02 10:28:29.000000000 +0300 @@ -0,0 +1,56 @@ +From e002e5f0d68437fe86c435147ff032cdefbaa6b8 Mon Sep 17 00:00:00 2001 +From: Jan Friesse +Date: Thu, 2 Apr 2026 09:44:06 +0200 +Subject: totemsrp: Fix integer overflow in memb_join_sanity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit addresses an integer overflow (wraparound) vulnerability +in the check_memb_join_sanity function. + +Previously, the 32-bit unsigned network values proc_list_entries and +failed_list_entries were added together before being promoted to +size_t. This allowed the addition to wrap around in 32-bit arithmetic +(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len +calculation that was incorrectly small. + +The solution is to cast the list entries to size_t and verify that +neither exceeds the maximum allowed value before the addition occurs. + +Fixes: CVE-2026-35092 + +Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1) +Signed-off-by: Jan Friesse +Also-proposed-by: nicholasyang +Reviewed-by: Christine Caulfield +--- + exec/totemsrp.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/exec/totemsrp.c b/exec/totemsrp.c +index 94d6c216..6845cec5 100644 +--- a/exec/totemsrp.c ++++ b/exec/totemsrp.c +@@ -3786,7 +3786,17 @@ static int check_memb_join_sanity( + failed_list_entries = swab32(failed_list_entries); + } + +- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr)); ++ if (proc_list_entries > PROCESSOR_COUNT_MAX || ++ failed_list_entries > PROCESSOR_COUNT_MAX) { ++ log_printf (instance->totemsrp_log_level_security, ++ "Received memb_join message list_entries exceeds the maximum " ++ "allowed value... ignoring."); ++ ++ return (-1); ++ } ++ ++ required_len = sizeof(struct memb_join) + ++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr)); + if (msg_len < required_len) { + log_printf (instance->totemsrp_log_level_security, + "Received memb_join message is too short... ignoring."); +-- +2.47.3 + diff -Nru corosync-3.1.10/debian/patches/series corosync-3.1.10/debian/patches/series --- corosync-3.1.10/debian/patches/series 2026-02-21 18:53:02.000000000 +0200 +++ corosync-3.1.10/debian/patches/series 2026-05-02 10:41:55.000000000 +0300 @@ -3,3 +3,5 @@ Make-the-example-config-valid.patch Revert-logrotate-Use-copytruncate-method-by-default.patch build-Use-the-configured-with-logdir-more-extensively.patch +0001-totemsrp-Return-error-if-sanity-check-fails.patch +0002-totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch