[Debian-ha-maintainers] Bug#1102006: corosync: CVE-2025-30472
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 4 09:12:45 BST 2025
Hi Ferenc,
On Fri, Apr 04, 2025 at 09:58:41AM +0200, Ferenc Wágner wrote:
> Salvatore Bonaccorso <carnil at debian.org> writes:
>
> > CVE-2025-30472[0]:
> > | Corosync through 3.1.9, if encryption is disabled or the attacker
> > | knows the encryption key, has a stack-based buffer overflow in
> > | orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-30472
> > https://www.cve.org/CVERecord?id=CVE-2025-30472
> > [1] https://github.com/corosync/corosync/issues/778
>
> Dear Salvatore,
>
> Considering the linked discussion with Corosync upstream, do you think
> Debian should release a patched package to bookworm? According to the
> security tracker, this is a postponed minor issue in bullseye, and I do
> not see why it would be weighted differently anywhere else. If it is, I
> am willing to backport the patch and prepare updated packages for
> bookworm and unstable. Upstream has not released a new version yet.
Right, I do not think this will, for instance, warrant a DSA.
I would propose to include the fix just in a point release either
together with other fixes or once a more important issue arises for
corosync. I will mark it as no-dsa later in the tracker.
Regards,
Salvatore