[Debian-ha-maintainers] Bug#1102006: corosync: CVE-2025-30472

Salvatore Bonaccorso carnil at debian.org
Wed Jun 18 22:09:25 BST 2025


Hi Ferenc,

On Fri, Apr 04, 2025 at 10:12:45AM +0200, Salvatore Bonaccorso wrote:
> Hi Ferenc,
> 
> On Fri, Apr 04, 2025 at 09:58:41AM +0200, Ferenc Wágner wrote:
> > Salvatore Bonaccorso <carnil at debian.org> writes:
> > 
> > > CVE-2025-30472[0]:
> > > | Corosync through 3.1.9, if encryption is disabled or the attacker
> > > | knows the encryption key, has a stack-based buffer overflow in
> > > | orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2025-30472
> > >     https://www.cve.org/CVERecord?id=CVE-2025-30472
> > > [1] https://github.com/corosync/corosync/issues/778
> > 
> > Dear Salvatore,
> > 
> > Considering the linked discussion with Corosync upstream, do you think
> > Debian should release a patched package to bookworm?  According to the
> > security tracker, this is a postponed minor issue in bullseye, and I do
> > not see why it would be weighted differently anywhere else.  If it is, I
> > am willing to backport the patch and prepare updates packages for
> > bookworm and unstable.  Upstream has not released a new version yet.
> 
> Right I do not think this will for instance warrant a DSA. 
> 
> I would propose to include the fix just in a point release either
> together with other fixes or once a more important issue arises for
> corosync. I will mark it as no-dsa later in the tracker.

While I think this still holds and does not warrant a DSA, Moritz has
prepared and proposed an update for the next bookworm point release.
But if it's not fixed in the upper suite it cannot be accepted in the
point release.

Would you be up to prepare an upload for unstable,
targeting trixie?

Regards,
Salvatore
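The CVE text quoted above describes a stack-based buffer overflow in orf_token_endian_convert reached by a large UDP packet when the message is not authenticated (encryption disabled or key known). The C sketch below is an added illustration of that bug class, written for this page; it is not corosync's code and does not reproduce its token format. The structure `token_host`, the capacity `TOKEN_MAX_ENTRIES`, the wire layout (a big-endian entry count followed by that many big-endian 32-bit entries) and the sample datagrams are all constructed assumptions. It shows the unchecked pattern beside a hardened converter that validates the datagram length and the declared count before copying anything into the fixed-size structure.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical fixed capacity of the converted copy, which in the
 * vulnerable pattern typically lives on the caller's stack. */
#define TOKEN_MAX_ENTRIES 8

/* Hypothetical host-order structure (not corosync's orf_token). */
struct token_host {
    uint32_t count;
    uint32_t entries[TOKEN_MAX_ENTRIES];
};

/* Read a big-endian 32-bit value from the wire. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the entry count comes straight from the packet and
 * drives the copy into a fixed-size structure. A datagram declaring more
 * than TOKEN_MAX_ENTRIES entries writes past out->entries. Nothing about
 * the datagram length is checked either. Returns the count it was told. */
int token_endian_convert_unchecked(const uint8_t *pkt, struct token_host *out)
{
    uint32_t i;
    out->count = load_be32(pkt);
    for (i = 0; i < out->count; i++)
        out->entries[i] = load_be32(pkt + 4 + 4 * i);   /* i is unbounded */
    return (int)out->count;
}

/* Hardened form: bound the count by the structure's capacity and check
 * that the datagram actually carries the entries it declares, before any
 * byte is copied. Returns entries converted, or -1 for a malformed packet. */
int token_endian_convert_checked(const uint8_t *pkt, size_t len,
                                 struct token_host *out)
{
    uint32_t count, i;

    if (len < 4)
        return -1;                               /* no room for the header */
    count = load_be32(pkt);
    if (count > TOKEN_MAX_ENTRIES)
        return -1;                               /* would overflow entries[] */
    if (len < 4 + (size_t)count * 4)
        return -1;                               /* shorter than it claims */

    out->count = count;
    for (i = 0; i < count; i++)
        out->entries[i] = load_be32(pkt + 4 + 4 * i);
    return (int)count;
}

/* Constructed sample datagrams for the demonstration. */
static const uint8_t good_pkt[] = { 0, 0, 0, 2,  0, 0, 0, 0x11,  0, 0, 0, 0x22 };
/* Header of a "large packet": declares 1000 entries (0x3E8). Never fed to
 * the unchecked converter here, since that would be the overflow itself. */
static const uint8_t big_pkt[]  = { 0, 0, 0x03, 0xE8,  0, 0, 0, 0 };
/* Declares 2 entries but carries only one: a truncated datagram. */
static const uint8_t short_pkt[] = { 0, 0, 0, 2,  0, 0, 0, 1 };

/* Runs the checked converter over the three samples; 1 if every case
 * behaves as intended (valid accepted, oversized and truncated rejected). */
int demo_checked_converter(void)
{
    struct token_host t;

    if (token_endian_convert_checked(good_pkt, sizeof good_pkt, &t) != 2)
        return 0;
    if (t.count != 2 || t.entries[0] != 0x11 || t.entries[1] != 0x22)
        return 0;
    if (token_endian_convert_checked(big_pkt, sizeof big_pkt, &t) != -1)
        return 0;
    if (token_endian_convert_checked(short_pkt, sizeof short_pkt, &t) != -1)
        return 0;
    return 1;
}

/* The unchecked converter on the well-formed sample, for comparison. */
int demo_unchecked_on_good(void)
{
    struct token_host t;
    int n = token_endian_convert_unchecked(good_pkt, &t);
    return (n == 2 && t.entries[1] == 0x22) ? 1 : 0;
}
```

The two converters differ only in the three early returns; the point of the hardened form is that the length check happens against the received datagram size before the declared count is trusted, which is the check a backported patch for this class of bug has to add wherever a variable-length message is unpacked into a fixed-size object.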


