pacemaker: CVE-2020-25654

Related Vulnerabilities: CVE-2020-25654  

Debian Bug report logs - #973254
pacemaker: CVE-2020-25654


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Oct 2020 22:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions pacemaker/2.0.1-5, pacemaker/2.0.4-2

Fixed in version pacemaker/2.0.5~rc2-1

Done: Ferenc Wágner <wferi@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>:
Bug#973254; Package src:pacemaker. (Tue, 27 Oct 2020 22:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>. (Tue, 27 Oct 2020 22:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pacemaker: CVE-2020-25654
Date: Tue, 27 Oct 2020 21:18:16 +0100
Source: pacemaker
Version: 2.0.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.0.1-5

Hi,

The following vulnerability was published for pacemaker.

CVE-2020-25654[0]:
| ACL restrictions bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-25654
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25654
[1] https://www.openwall.com/lists/oss-security/2020/10/27/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1888191

Regards,
Salvatore



Marked as found in versions pacemaker/2.0.1-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 27 Oct 2020 22:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>:
Bug#973254; Package src:pacemaker. (Sat, 07 Nov 2020 20:00:03 GMT)


Acknowledgement sent to wferi@niif.hu:
Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>. (Sat, 07 Nov 2020 20:00:03 GMT)


Message #12 received at 973254@bugs.debian.org:

From: wferi@niif.hu
To: 973254@bugs.debian.org, Debian Security Team <team@security.debian.org>
Cc: wferi@niif.hu
Subject: Re: pacemaker: CVE-2020-25654 upload prepared
Date: Sat, 07 Nov 2020 20:56:38 +0100
Control: tag 973254 + patch

Dear Security Team,

I propose a security upload with the debdiff below.  The patch series
posted by upstream against 2.0.3 applies cleanly to the buster source,
and is hereby included.  I'll try to do some testing while you review.

Regards,
Feri

diff -Nru pacemaker-2.0.1/debian/changelog pacemaker-2.0.1/debian/changelog
--- pacemaker-2.0.1/debian/changelog	2019-06-02 14:01:06.000000000 +0200
+++ pacemaker-2.0.1/debian/changelog	2020-11-07 20:21:48.000000000 +0100
@@ -1,3 +1,19 @@
+pacemaker (2.0.1-5+deb10u1) buster-security; urgency=high
+
+  * [bf23450] Apply patch series fixing CVE-2020-25654: ACL bypass.
+    A vulnerability was found in Pacemaker allowing a user who is in the
+    haclient group but restricted by ACLs to bypass those ACLs, providing
+    cluster-wide arbitrary code execution with root privileges.  When the
+    enable-acl cluster option isn't set to true, members of the haclient
+    group (and root) can modify Pacemaker's CIB without restriction, which
+    already gives them these capabilities, so there is no additional
+    exposure in that case.
+    More info: https://www.openwall.com/lists/oss-security/2020/10/27/1
+    Patches: https://lists.clusterlabs.org/pipermail/developers/2020-October/002324.html
+    Thanks to Ken Gaillot (Closes: #973254)
+
+ -- Ferenc Wágner <wferi@debian.org>  Sat, 07 Nov 2020 20:21:48 +0100
+
 pacemaker (2.0.1-5) unstable; urgency=medium
 
   * [17ae230] Backport three more patches from upstream fixing memory safety
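Review bot: the changelog text ties the exposure to the enable-acl cluster option ("When the enable-acl cluster option isn't set to true ..."), but the patches below gate the new checks on the compile-time ENABLE_ACL macro, not on the runtime cluster option; the entry should say that the restrictions apply whenever ACL support is built in, so that readers do not expect behaviour to change when enable-acl is toggled.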
diff -Nru pacemaker-2.0.1/debian/gbp.conf pacemaker-2.0.1/debian/gbp.conf
--- pacemaker-2.0.1/debian/gbp.conf	2019-06-02 13:44:18.000000000 +0200
+++ pacemaker-2.0.1/debian/gbp.conf	2020-11-07 19:23:46.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/buster
 upstream-branch = upstream/latest
 
 [import-orig]
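Review bot: the switch of debian-branch from debian/master to debian/buster is a packaging-tooling change that the changelog entry does not mention; a one-line bullet ("gbp.conf: track the debian/buster branch") would make the debdiff self-explanatory to the security team.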
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch	2020-11-07 19:43:41.000000000 +0100
@@ -0,0 +1,105 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Fri, 9 Oct 2020 11:55:26 -0500
+Subject: Fix: fencer: restrict certain IPC requests to privileged users
+
+The fencer IPC API allows clients to register fence devices.
+
+If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs to
+configure fencing. If the user is able to install executables to the standard
+fencing agent locations, have arbitrary code executed as root (the standard
+locations generally require root for write access, so that is unlikely to be an
+issue).
+
+If ACLs are not enabled, users in the haclient group have full access to the
+CIB, which already gives them these capabilities, so there is no additional
+exposure in that case.
+
+This commit does not restrict unprivileged users from using other fencing API,
+such as requesting actual fencing.
+---
+ daemons/fenced/fenced_commands.c | 41 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/fenced/fenced_commands.c b/daemons/fenced/fenced_commands.c
+index b394fd6..1cc7d06 100644
+--- a/daemons/fenced/fenced_commands.c
++++ b/daemons/fenced/fenced_commands.c
+@@ -2474,6 +2474,18 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req
+     const char *op = crm_element_value(request, F_STONITH_OPERATION);
+     const char *client_id = crm_element_value(request, F_STONITH_CLIENTID);
+ 
++    bool allowed = true;
++
++#if ENABLE_ACL
++    /* IPC commands related to fencing configuration may be done only by
++     * privileged users (i.e. root or hacluster) when ACLs are supported,
++     * because all other users should go through the CIB to have ACLs applied.
++     */
++    if (client != NULL) {
++        allowed = is_set(client->flags, crm_client_flag_ipc_privileged);
++    }
++#endif
++
+     crm_element_value_int(request, F_STONITH_CALLOPTS, &call_options);
+ 
+     if (is_set(call_options, st_opt_sync_call)) {
+@@ -2623,27 +2635,43 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req
+     } else if (crm_str_eq(op, STONITH_OP_DEVICE_ADD, TRUE)) {
+         const char *device_id = NULL;
+ 
+-        rc = stonith_device_register(request, &device_id, FALSE);
++        if (allowed) {
++            rc = stonith_device_register(request, &device_id, FALSE);
++        } else {
++            rc = -EACCES;
++        }
+         do_stonith_notify_device(call_options, op, rc, device_id);
+ 
+     } else if (crm_str_eq(op, STONITH_OP_DEVICE_DEL, TRUE)) {
+         xmlNode *dev = get_xpath_object("//" F_STONITH_DEVICE, request, LOG_ERR);
+         const char *device_id = crm_element_value(dev, XML_ATTR_ID);
+ 
+-        rc = stonith_device_remove(device_id, FALSE);
++        if (allowed) {
++            rc = stonith_device_remove(device_id, FALSE);
++        } else {
++            rc = -EACCES;
++        }
+         do_stonith_notify_device(call_options, op, rc, device_id);
+ 
+     } else if (crm_str_eq(op, STONITH_OP_LEVEL_ADD, TRUE)) {
+         char *device_id = NULL;
+ 
+-        rc = stonith_level_register(request, &device_id);
++        if (allowed) {
++            rc = stonith_level_register(request, &device_id);
++        } else {
++            rc = -EACCES;
++        }
+         do_stonith_notify_level(call_options, op, rc, device_id);
+         free(device_id);
+ 
+     } else if (crm_str_eq(op, STONITH_OP_LEVEL_DEL, TRUE)) {
+         char *device_id = NULL;
+ 
+-        rc = stonith_level_remove(request, &device_id);
++        if (allowed) {
++            rc = stonith_level_remove(request, &device_id);
++        } else {
++            rc = -EACCES;
++        }
+         do_stonith_notify_level(call_options, op, rc, device_id);
+ 
+     } else if(safe_str_eq(op, CRM_OP_RM_NODE_CACHE)) {
+@@ -2663,6 +2691,11 @@ handle_request(crm_client_t * client, uint32_t id, uint32_t flags, xmlNode * req
+ 
+   done:
+ 
++    if (rc == -EACCES) {
++        crm_warn("Rejecting IPC request '%s' from unprivileged client %s",
++                 crm_str(op), crm_client_name(client));
++    }
++
+     /* Always reply unless the request is in process still.
+      * If in progress, a reply will happen async after the request
+      * processing is finished */
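Review bot: in handle_request, `allowed` starts as true and is narrowed only inside `if (client != NULL)`, so a request that arrives with no client object is treated as privileged; the comment should state why that is safe (which callers pass a NULL client and how those requests are already authorised), otherwise a later caller could reach the device/level registration paths without any check. Also, the rejected branches still call do_stonith_notify_device()/do_stonith_notify_level() with rc = -EACCES, so other clients are notified of the refused attempt; that is useful for auditing but should be confirmed as intended.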
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-executor-restrict-certain-IPC-requests-to-Pacemaker-.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-executor-restrict-certain-IPC-requests-to-Pacemaker-.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-executor-restrict-certain-IPC-requests-to-Pacemaker-.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-executor-restrict-certain-IPC-requests-to-Pacemaker-.patch	2020-11-07 19:43:40.000000000 +0100
@@ -0,0 +1,164 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Thu, 15 Oct 2020 15:33:57 -0500
+Subject: High: executor: restrict certain IPC requests to Pacemaker daemons
+
+The executor IPC API allows clients to register resources, request agent
+execution, and so forth.
+
+If ACLs are enabled, this could allow an ACL-restricted user to bypass ACLs and
+execute any code as root. (If ACLs are not enabled, users in the haclient group
+have full access to the CIB, which already gives them that ability, so there is
+no additional exposure in that case.)
+
+When ACLs are supported, this commit effectively disables the executor IPC API
+for clients that aren't connecting as root or hacluster. Such clients can only
+register and poke now.
+---
+ daemons/execd/execd_commands.c | 91 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 73 insertions(+), 18 deletions(-)
+
+diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c
+index 61f40e8..77fc974 100644
+--- a/daemons/execd/execd_commands.c
++++ b/daemons/execd/execd_commands.c
+@@ -1294,8 +1294,12 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id,
+ 
+     if (crm_is_true(is_ipc_provider)) {
+ #ifdef SUPPORT_REMOTE
+-        // This is a remote connection from a cluster node's controller
+-        ipc_proxy_add_provider(client);
++        if ((client->remote != NULL) && client->remote->tls_handshake_complete) {
++            // This is a remote connection from a cluster node's controller
++            ipc_proxy_add_provider(client);
++        } else {
++            rc = -EACCES;
++        }
+ #else
+         rc = -EPROTONOSUPPORT;
+ #endif
+@@ -1612,12 +1616,26 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
+     int do_notify = 0;
+     xmlNode *reply = NULL;
+ 
++    bool allowed = true;
++
++#if ENABLE_ACL
++    /* Certain IPC commands may be done only by privileged users (i.e. root or
++     * hacluster) when ACLs are enabled, because they would otherwise provide a
++     * means of bypassing ACLs.
++     */
++    allowed = is_set(client->flags, crm_client_flag_ipc_privileged);
++#endif
++
+     crm_trace("Processing %s operation from %s", op, client->id);
+     crm_element_value_int(request, F_LRMD_CALLID, &call_id);
+ 
+     if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) {
+ #ifdef SUPPORT_REMOTE
+-        ipc_proxy_forward_client(client, request);
++        if (allowed) {
++            ipc_proxy_forward_client(client, request);
++        } else {
++            rc = -EACCES;
++        }
+ #else
+         rc = -EPROTONOSUPPORT;
+ #endif
+@@ -1626,38 +1644,70 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
+         rc = process_lrmd_signon(client, request, call_id, &reply);
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) {
+-        rc = process_lrmd_rsc_register(client, id, request);
+-        do_notify = 1;
++        if (allowed) {
++            rc = process_lrmd_rsc_register(client, id, request);
++            do_notify = 1;
++        } else {
++            rc = -EACCES;
++        }
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_RSC_INFO, TRUE)) {
+-        reply = process_lrmd_get_rsc_info(request, call_id);
++        if (allowed) {
++            reply = process_lrmd_get_rsc_info(request, call_id);
++        } else {
++            rc = -EACCES;
++        }
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_RSC_UNREG, TRUE)) {
+-        rc = process_lrmd_rsc_unregister(client, id, request);
+-        /* don't notify anyone about failed un-registers */
+-        if (rc == pcmk_ok || rc == -EINPROGRESS) {
+-            do_notify = 1;
++        if (allowed) {
++            rc = process_lrmd_rsc_unregister(client, id, request);
++            /* don't notify anyone about failed un-registers */
++            if (rc == pcmk_ok || rc == -EINPROGRESS) {
++                do_notify = 1;
++            }
++        } else {
++            rc = -EACCES;
+         }
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_RSC_EXEC, TRUE)) {
+-        rc = process_lrmd_rsc_exec(client, id, request);
++        if (allowed) {
++            rc = process_lrmd_rsc_exec(client, id, request);
++        } else {
++            rc = -EACCES;
++        }
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_RSC_CANCEL, TRUE)) {
+-        rc = process_lrmd_rsc_cancel(client, id, request);
++        if (allowed) {
++            rc = process_lrmd_rsc_cancel(client, id, request);
++        } else {
++            rc = -EACCES;
++        }
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_POKE, TRUE)) {
+         do_notify = 1;
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_CHECK, TRUE)) {
+-        xmlNode *data = get_message_xml(request, F_LRMD_CALLDATA); 
+-        const char *timeout = crm_element_value(data, F_LRMD_WATCHDOG);
+-        CRM_LOG_ASSERT(data != NULL);
+-        check_sbd_timeout(timeout);
++        if (allowed) {
++            xmlNode *data = get_message_xml(request, F_LRMD_CALLDATA);
++
++            CRM_LOG_ASSERT(data != NULL);
++            check_sbd_timeout(crm_element_value(data, F_LRMD_WATCHDOG));
++        } else {
++            rc = -EACCES;
++        }
+     } else if (crm_str_eq(op, LRMD_OP_ALERT_EXEC, TRUE)) {
+-        rc = process_lrmd_alert_exec(client, id, request);
++        if (allowed) {
++            rc = process_lrmd_alert_exec(client, id, request);
++        } else {
++            rc = -EACCES;
++        }
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_GET_RECURRING, TRUE)) {
+-        reply = process_lrmd_get_recurring(request, call_id);
++        if (allowed) {
++            reply = process_lrmd_get_recurring(request, call_id);
++        } else {
++            rc = -EACCES;
++        }
+         do_reply = 1;
+     } else {
+         rc = -EOPNOTSUPP;
+@@ -1666,6 +1716,11 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
+         crm_log_xml_warn(request, "UnknownOp");
+     }
+ 
++    if (rc == -EACCES) {
++        crm_warn("Rejecting IPC request '%s' from unprivileged client %s",
++                 op, crm_client_name(client));
++    }
++
+     crm_debug("Processed %s operation from %s: rc=%d, reply=%d, notify=%d",
+               op, client->id, rc, do_reply, do_notify);
+ 
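Review bot: unlike the fencer patch, `allowed = is_set(client->flags, crm_client_flag_ipc_privileged)` in process_lrmd_message dereferences `client` with no NULL guard, so if this function can be entered with a NULL client the ENABLE_ACL build crashes rather than failing closed; add a CRM_CHECK or document that `client` is never NULL here. Separately, for LRMD_OP_RSC_INFO and LRMD_OP_GET_RECURRING the rejected branch sets rc = -EACCES while `reply` stays NULL and `do_reply = 1`; confirm that the reply path (not visible in the hunk) builds an error reply from rc when `reply` is NULL, so the unprivileged caller receives the denial rather than a hang.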
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-pacemakerd-ignore-shutdown-requests-from-unprivilege.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-pacemakerd-ignore-shutdown-requests-from-unprivilege.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-pacemakerd-ignore-shutdown-requests-from-unprivilege.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/High-pacemakerd-ignore-shutdown-requests-from-unprivilege.patch	2020-11-07 19:43:41.000000000 +0100
@@ -0,0 +1,51 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Fri, 9 Oct 2020 11:17:18 -0500
+Subject: High: pacemakerd: ignore shutdown requests from unprivileged users
+
+The pacemakerd IPC API supports a shutdown request, along with a
+command-line interface for using it (pacemakerd --shutdown).
+
+Only the haclient group has access to the IPC. Without ACLs, that group can
+already shut down Pacemaker via the CIB, so there's no security implication.
+
+However, it might not be desired to allow ACL-restricted users to shut down
+Pacemaker, so block users other than root or hacluster if ACLs are supported.
+---
+ daemons/pacemakerd/pacemakerd.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/pacemakerd/pacemakerd.c b/daemons/pacemakerd/pacemakerd.c
+index 9e1bb7e..ee3719f 100644
+--- a/daemons/pacemakerd/pacemakerd.c
++++ b/daemons/pacemakerd/pacemakerd.c
+@@ -575,10 +575,26 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * qbc, void *data, size_t size)
+ 
+     task = crm_element_value(msg, F_CRM_TASK);
+     if (crm_str_eq(task, CRM_OP_QUIT, TRUE)) {
+-        /* Time to quit */
+-        crm_notice("Shutting down in response to ticket %s (%s)",
+-                   crm_element_value(msg, F_CRM_REFERENCE), crm_element_value(msg, F_CRM_ORIGIN));
+-        pcmk_shutdown(15);
++        bool allowed = true;
++
++#if ENABLE_ACL
++        /* Only allow privileged users (i.e. root or hacluster)
++         * to shut down Pacemaker from the command line (or direct IPC).
++         *
++         * We only check when ACLs are enabled, because without them, any client
++         * with IPC access could shut down Pacemaker via the CIB anyway.
++         */
++        allowed = is_set(c->flags, crm_client_flag_ipc_privileged);
++#endif
++        if (allowed) {
++            crm_notice("Shutting down in response to IPC request %s from %s",
++                       crm_element_value(msg, F_CRM_REFERENCE),
++                       crm_element_value(msg, F_CRM_ORIGIN));
++            pcmk_shutdown(15);
++        } else {
++            crm_warn("Ignoring shutdown request from unprivileged client %s",
++                     crm_client_name(c));
++        }
+ 
+     } else if (crm_str_eq(task, CRM_OP_RM_NODE_CACHE, TRUE)) {
+         /* Send to everyone */
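Review bot: `is_set(c->flags, crm_client_flag_ipc_privileged)` depends on `c` being non-NULL, which is only guaranteed by the separate Low-pacemakerd-check-client-for-NULL patch adding `CRM_CHECK(c != NULL, return 0)`; the series order must keep that patch ahead of this one (it does in debian/patches/series). The rejected path only logs via crm_warn and continues, so the unprivileged caller gets no explicit refusal beyond the generic ack sent earlier in pcmk_ipc_dispatch; that is acceptable for a shutdown request but worth stating in the commit message.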
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/Log-executor-show-CRM_OP_REGISTER-rc-in-debug-message.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/Log-executor-show-CRM_OP_REGISTER-rc-in-debug-message.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/Log-executor-show-CRM_OP_REGISTER-rc-in-debug-message.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/Log-executor-show-CRM_OP_REGISTER-rc-in-debug-message.patch	2020-11-07 19:43:40.000000000 +0100
@@ -0,0 +1,64 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Fri, 9 Oct 2020 09:56:03 -0500
+Subject: Log: executor: show CRM_OP_REGISTER rc in debug message
+
+Previously, process_lrmd_signon() would add the rc to the client reply
+but not pass it back to process_lrmd_message(), which would always log "OK" in
+its debug message, even if the sign-on was rejected.
+---
+ daemons/execd/execd_commands.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c
+index 1718dce..55230d1 100644
+--- a/daemons/execd/execd_commands.c
++++ b/daemons/execd/execd_commands.c
+@@ -1278,10 +1278,10 @@ free_rsc(gpointer data)
+     free(rsc);
+ }
+ 
+-static xmlNode *
+-process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id)
++static int
++process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id,
++                    xmlNode **reply)
+ {
+-    xmlNode *reply = NULL;
+     int rc = pcmk_ok;
+     const char *is_ipc_provider = crm_element_value(request, F_LRMD_IS_IPC_PROVIDER);
+     const char *protocol_version = crm_element_value(request, F_LRMD_PROTOCOL_VERSION);
+@@ -1292,18 +1292,19 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id)
+         rc = -EPROTO;
+     }
+ 
+-    reply = create_lrmd_reply(__FUNCTION__, rc, call_id);
+-    crm_xml_add(reply, F_LRMD_OPERATION, CRM_OP_REGISTER);
+-    crm_xml_add(reply, F_LRMD_CLIENTID, client->id);
+-    crm_xml_add(reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION);
+-
+     if (crm_is_true(is_ipc_provider)) {
+         // This is a remote connection from a cluster node's controller
+ #ifdef SUPPORT_REMOTE
+         ipc_proxy_add_provider(client);
+ #endif
+     }
+-    return reply;
++
++    *reply = create_lrmd_reply(__func__, rc, call_id);
++    crm_xml_add(*reply, F_LRMD_OPERATION, CRM_OP_REGISTER);
++    crm_xml_add(*reply, F_LRMD_CLIENTID, client->id);
++    crm_xml_add(*reply, F_LRMD_PROTOCOL_VERSION, LRMD_PROTOCOL_VERSION);
++
++    return rc;
+ }
+ 
+ static int
+@@ -1618,7 +1619,7 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
+ #endif
+         do_reply = 1;
+     } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) {
+-        reply = process_lrmd_signon(client, request, call_id);
++        rc = process_lrmd_signon(client, request, call_id, &reply);
+         do_reply = 1;
+     } else if (crm_str_eq(op, LRMD_OP_RSC_REG, TRUE)) {
+         rc = process_lrmd_rsc_register(client, id, request);
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-mark-controller-connections-to-pacemaker-rem.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-mark-controller-connections-to-pacemaker-rem.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-mark-controller-connections-to-pacemaker-rem.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-mark-controller-connections-to-pacemaker-rem.patch	2020-11-07 19:43:40.000000000 +0100
@@ -0,0 +1,31 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Fri, 9 Oct 2020 15:16:39 -0500
+Subject: Low: executor: mark controller connections to pacemaker-remoted as
+ privileged
+
+Previously, crm_client_flag_ipc_privileged was only set when local clients connected
+(as root or hacluster). Now, set it when pacemaker-remoted successfully
+completes the TLS handshake with a remote client (i.e., the controller on a
+cluster node).
+
+This has no effect as of this commit but will with later commits.
+---
+ daemons/execd/remoted_tls.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/daemons/execd/remoted_tls.c b/daemons/execd/remoted_tls.c
+index f3ab3c7..c049a8d 100644
+--- a/daemons/execd/remoted_tls.c
++++ b/daemons/execd/remoted_tls.c
+@@ -72,6 +72,11 @@ remoted__read_handshake_data(crm_client_t *client)
+     client->remote->tls_handshake_complete = TRUE;
+     crm_notice("Remote client connection accepted");
+ 
++    /* Only a client with access to the TLS key can connect, so we can treat
++     * it as privileged.
++     */
++    set_bit(client->flags, crm_client_flag_ipc_privileged);
++
+     // Alert other clients of the new connection
+     notify_of_new_client(client);
+     return 0;
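Review bot: the comment "Only a client with access to the TLS key can connect, so we can treat it as privileged" makes the shared TLS key the trust anchor for crm_client_flag_ipc_privileged on pacemaker-remoted; the commit message should spell out the permission assumption on that key file (readable only by root and hacluster), since with this change any process able to read the key obtains privileged executor access on the remote node once the later executor patch gates requests on this flag.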
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-return-appropriate-error-code-when-no-remote.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-return-appropriate-error-code-when-no-remote.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-return-appropriate-error-code-when-no-remote.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-executor-return-appropriate-error-code-when-no-remote.patch	2020-11-07 19:43:40.000000000 +0100
@@ -0,0 +1,34 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Thu, 15 Oct 2020 15:33:13 -0500
+Subject: Low: executor: return appropriate error code when no remote support
+
+---
+ daemons/execd/execd_commands.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/execd/execd_commands.c b/daemons/execd/execd_commands.c
+index 55230d1..61f40e8 100644
+--- a/daemons/execd/execd_commands.c
++++ b/daemons/execd/execd_commands.c
+@@ -1293,9 +1293,11 @@ process_lrmd_signon(crm_client_t *client, xmlNode *request, int call_id,
+     }
+ 
+     if (crm_is_true(is_ipc_provider)) {
+-        // This is a remote connection from a cluster node's controller
+ #ifdef SUPPORT_REMOTE
++        // This is a remote connection from a cluster node's controller
+         ipc_proxy_add_provider(client);
++#else
++        rc = -EPROTONOSUPPORT;
+ #endif
+     }
+ 
+@@ -1616,6 +1618,8 @@ process_lrmd_message(crm_client_t * client, uint32_t id, xmlNode * request)
+     if (crm_str_eq(op, CRM_OP_IPC_FWD, TRUE)) {
+ #ifdef SUPPORT_REMOTE
+         ipc_proxy_forward_client(client, request);
++#else
++        rc = -EPROTONOSUPPORT;
+ #endif
+         do_reply = 1;
+     } else if (crm_str_eq(op, CRM_OP_REGISTER, TRUE)) {
diff -Nru pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-pacemakerd-check-client-for-NULL-before-using-it.patch pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-pacemakerd-check-client-for-NULL-before-using-it.patch
--- pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-pacemakerd-check-client-for-NULL-before-using-it.patch	1970-01-01 01:00:00.000000000 +0100
+++ pacemaker-2.0.1/debian/patches/CVE-2020-25654/Low-pacemakerd-check-client-for-NULL-before-using-it.patch	2020-11-07 19:43:40.000000000 +0100
@@ -0,0 +1,27 @@
+From: Ken Gaillot <kgaillot@redhat.com>
+Date: Fri, 9 Oct 2020 11:16:43 -0500
+Subject: Low: pacemakerd: check client for NULL before using it
+
+... to guard against bugs in client tracking
+---
+ daemons/pacemakerd/pacemakerd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/pacemakerd/pacemakerd.c b/daemons/pacemakerd/pacemakerd.c
+index 536bcd5..9e1bb7e 100644
+--- a/daemons/pacemakerd/pacemakerd.c
++++ b/daemons/pacemakerd/pacemakerd.c
+@@ -562,9 +562,12 @@ pcmk_ipc_dispatch(qb_ipcs_connection_t * qbc, void *data, size_t size)
+     uint32_t id = 0;
+     uint32_t flags = 0;
+     const char *task = NULL;
++    xmlNode *msg = NULL;
+     crm_client_t *c = crm_client_get(qbc);
+-    xmlNode *msg = crm_ipcs_recv(c, data, size, &id, &flags);
+ 
++    CRM_CHECK(c != NULL, return 0);
++
++    msg = crm_ipcs_recv(c, data, size, &id, &flags);
+     crm_ipcs_send_ack(c, id, flags, "ack", __FUNCTION__, __LINE__);
+     if (msg == NULL) {
+         return 0;
diff -Nru pacemaker-2.0.1/debian/patches/series pacemaker-2.0.1/debian/patches/series
--- pacemaker-2.0.1/debian/patches/series	2019-06-02 13:49:43.000000000 +0200
+++ pacemaker-2.0.1/debian/patches/series	2020-11-07 19:43:41.000000000 +0100
@@ -14,3 +14,10 @@
 from-upstream/Log-libcrmcluster-improve-CPG-membership-messages.patch
 from-upstream/Fix-libcrmcommon-avoid-use-of-NULL-when-checking-whether-.patch
 from-upstream/Low-libcrmcommon-return-proper-code-if-testing-pid-is-den.patch
+CVE-2020-25654/Log-executor-show-CRM_OP_REGISTER-rc-in-debug-message.patch
+CVE-2020-25654/Low-executor-mark-controller-connections-to-pacemaker-rem.patch
+CVE-2020-25654/Low-executor-return-appropriate-error-code-when-no-remote.patch
+CVE-2020-25654/High-executor-restrict-certain-IPC-requests-to-Pacemaker-.patch
+CVE-2020-25654/Low-pacemakerd-check-client-for-NULL-before-using-it.patch
+CVE-2020-25654/High-pacemakerd-ignore-shutdown-requests-from-unprivilege.patch
+CVE-2020-25654/Fix-fencer-restrict-certain-IPC-requests-to-privileged-us.patch
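Review bot: the order of these seven entries is load-bearing and differs from the upstream commit dates, so it should be preserved when the patches are refreshed: Log-executor-show-CRM_OP_REGISTER-rc changes the process_lrmd_signon() signature and Low-executor-return-appropriate-error-code adds the `#else rc = -EPROTONOSUPPORT;` block, both of which appear as context lines in High-executor-restrict-certain-IPC-requests; likewise Low-pacemakerd-check-client-for-NULL must precede High-pacemakerd-ignore-shutdown-requests, which dereferences `c`. The listed order satisfies both dependencies.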




Added tag(s) patch. Request was from wferi@niif.hu to 973254-submit@bugs.debian.org. (Sat, 07 Nov 2020 20:00:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>:
Bug#973254; Package src:pacemaker. (Tue, 10 Nov 2020 11:09:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>. (Tue, 10 Nov 2020 11:09:02 GMT)


Message #19 received at 973254@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: wferi@niif.hu
Cc: 973254@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: pacemaker: CVE-2020-25654 upload prepared
Date: Tue, 10 Nov 2020 12:07:04 +0100
Hi Ferenc,

On Sat, Nov 07, 2020 at 08:56:38PM +0100, wferi@niif.hu wrote:
> Control: tag 973254 + patch
> 
> Dear Security Team,
> 
> I propose a security upload with the debdiff below.  The patch series
> posted by upstream against 2.0.3 applies cleanly to the buster source,
> and is hereby included.  I'll try to do some testing while you review.

Thanks, this looks. I also compared the upstream 2.0.3 patch set against
the update Ubuntu released for their 20.4 release (which also ships
2.0.3) and which is identical (and without reported regressions so far).

Please upload to security-master if your tests were fine as well (and
remember to build with -sa since pacemaker is new in buster-security;
ftp.debian.org and security.debian.org don't share tarballs).

Cheers,
        Moritz



Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 10 Nov 2020 20:45:05 GMT)


Reply sent to Ferenc Wágner <wferi@debian.org>:
You have taken responsibility. (Tue, 10 Nov 2020 22:36:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 10 Nov 2020 22:36:08 GMT)


Message #26 received at 973254-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 973254-close@bugs.debian.org
Subject: Bug#973254: fixed in pacemaker 2.0.5~rc2-1
Date: Tue, 10 Nov 2020 22:34:18 +0000
Source: pacemaker
Source-Version: 2.0.5~rc2-1
Done: Ferenc Wágner <wferi@debian.org>

We believe that the bug you reported is fixed in the latest version of
pacemaker, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 973254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ferenc Wágner <wferi@debian.org> (supplier of updated pacemaker package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 10 Nov 2020 23:02:55 +0100
Source: pacemaker
Architecture: source
Version: 2.0.5~rc2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>
Changed-By: Ferenc Wágner <wferi@debian.org>
Closes: 963791 973254
Changes:
 pacemaker (2.0.5~rc2-1) unstable; urgency=medium
 .
   [ Rafael David Tinoco ]
   * [0f1033e] Skip autopkgtest for unprivileged containers: (LP: #1828228)
     + d/t/control: mark pacemaker test as skippable
     + d/t/pacemaker: skip if memlock can't be set to unlimited by root
 .
   [ Ferenc Wágner ]
   * [34f6376] pacemaker-dev should pull in libpacemaker1, too
   * [039f205] The pacemaker-dev transition completed in buster
   * [800ae5e] Clean up remnants of long finished reorganizations
   * [0f0340c] pacemaker-dev in buster replaced its old dependencies from wheezy
   * [6956006] New upstream pre-release (2.0.5~rc2) (Closes: #973254)
   * [6b30c82] Delete upstreamed patch, refresh the rest
   * [8e78417] Tie skipping the autopkgtest to the concrete Corosync error.
     While unlimited memory lock is a good test for privileges, it isn't
     critical for Corosync.  Trigger on a specific error message instead,
     hint at a possible workaround and document the actual requirements.
   * [f184e2c] Update symbols files.
     See 4bcf7eb for the reasoning behind the two renamed symbols which
     weren't obviously internal: crm_config_error and crm_config_warning.
   * [0031784] Pacemaker and pacemaker-remote provide Conflicting functions.
     Breaks without a version was always suspicious to Lintian, and I've got
     no strong opinion on this specific case, so be it.
   * [2a33943] Replace the now-transitional build dep with libncurses-dev
   * [8662ee0] Add missing pkg-config dependencies (Closes: #963791)
   * [912a22b] New autopkgtest for pkg-config completeness
   * [5033800] Upgrade watch file to version 4 (no changes needed)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>:
Bug#973254; Package src:pacemaker. (Thu, 12 Nov 2020 18:12:03 GMT)


Acknowledgement sent to wferi@niif.hu:
Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>. (Thu, 12 Nov 2020 18:12:03 GMT)


Message #31 received at 973254@bugs.debian.org:

From: wferi@niif.hu
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: wferi@niif.hu, 973254@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: pacemaker: CVE-2020-25654 upload prepared
Date: Thu, 12 Nov 2020 19:08:26 +0100
Moritz Mühlenhoff <jmm@inutil.org> writes:

> On Sat, Nov 07, 2020 at 08:56:38PM +0100, wferi@niif.hu wrote:
> 
>> I propose a security upload with the debdiff below.  The patch series
>> posted by upstream against 2.0.3 applies cleanly to the buster source,
>> and is hereby included.  I'll try to do some testing while you review.
>
> Thanks, this looks. I also compared the upstream 2.0.3 patch set against
> the update Ubuntu released for their 20.4 release (which also ships
> 2.0.3) and which is identical (and without reported regressions so far)

Cool.  One can't possibly test all relevant use cases here.

> Please upload to security-master if your tests were fine as well

Done.  I managed to provoke some of the new denials with the updated
package, and basic cluster operation remained unperturbed.

I think the changelog entry will work well enough as the DSA text.
The LTS update used a shorter version, which is fine as well.

> (and remember to build with -sa since pacemaker is new in
> buster-security (ftp.debian.org and security.debian.org don't share
> tarballs)

The --source-only-changes switch of sbuild seems to counteract -sa, but
I tried to revert that with changestool.  Hope it's fine.  If only I
also remembered to remove the buildinfo file...  Or is that problem
fixed already?

Salvatore Bonaccorso <carnil@debian.org> writes:

> Thanks for your upload to unstable!
>
> On Tue, Nov 10, 2020 at 10:34:18PM +0000, Debian FTP Masters wrote:
>>    * [6956006] New upstream pre-release (2.0.5~rc2) (Closes: #973254)
>
> Bonus point: please do include the assigned CVE id references which
> makes it easier to cross-check and track fixes for security issues.

I'll add the CVE ID to the changelog in the next upload, sorry.

> Thanks for your work here and for the stable upload!

Rather: thanks for your (plural) tireless work archive wide!
-- 
Cheers,
Feri
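As an added example (not code from this bug thread or from the pacemaker package), a small checker for the two points raised above: that the orig tarball appears in the .changes Files: stanza, which is what building with -sa is meant to ensure for a package new to buster-security, and that the assigned CVE id is referenced in the Changes stanza. The sample .changes text is constructed; its version string, sizes and md5 column are placeholders.

```python
# Constructed sample .changes for a source-only security upload; the version,
# sizes and md5 column are placeholders, not real pacemaker artefacts.
SAMPLE_CHANGES = """\
Format: 1.8
Source: pacemaker
Architecture: source
Version: 2.0.3-0+deb10u1
Distribution: buster-security
Urgency: high
Changes:
 pacemaker (2.0.3-0+deb10u1) buster-security; urgency=high
 .
   * Apply the upstream ACL patch series against 2.0.3 (CVE-2020-25654)
Files:
 00000000000000000000000000000000 3473 admin optional pacemaker_2.0.3-0+deb10u1.dsc
 00000000000000000000000000000000 46464 admin optional pacemaker_2.0.3-0+deb10u1.debian.tar.xz
"""
# The same upload built with -sa: the orig tarball is listed as well.
SAMPLE_WITH_ORIG = SAMPLE_CHANGES + (
    " 00000000000000000000000000000000 5432966 admin optional pacemaker_2.0.3.orig.tar.gz\n")

def parse_changes(text):
    """Split the RFC822-style file into fields; indented continuation lines join their field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key is not None:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = map(str.strip, line.partition(":"))
            fields[key] = value
    return fields

def check_changes(text, expected_cves=()):
    """Return the problems found; an empty list means the upload looks right."""
    fields = parse_changes(text)
    # Each Files: entry is "md5 size section priority name"; keep the name.
    files = [e.split()[-1] for e in fields.get("Files", "").splitlines() if e.strip()]
    problems = []
    if not any(".orig.tar." in f for f in files):
        problems.append("orig tarball missing: rebuild with -sa (needed when the package is new to the security suite)")
    for cve in expected_cves:
        if cve not in fields.get("Changes", ""):
            problems.append(f"{cve} not referenced in the Changes stanza")
    problems += [f"note: {f} shipped with a source-only upload" for f in files if f.endswith(".buildinfo")]
    return problems

if __name__ == "__main__":
    for name, text in (("without -sa", SAMPLE_CHANGES), ("with -sa", SAMPLE_WITH_ORIG)):
        print(name, check_changes(text, ["CVE-2020-25654"]) or "OK")
```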



Information forwarded to debian-bugs-dist@lists.debian.org, Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>:
Bug#973254; Package src:pacemaker. (Thu, 12 Nov 2020 18:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian HA Maintainers <debian-ha-maintainers@alioth-lists.debian.net>. (Thu, 12 Nov 2020 18:18:03 GMT)


Message #36 received at 973254@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: wferi@niif.hu
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 973254@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: pacemaker: CVE-2020-25654 upload prepared
Date: Thu, 12 Nov 2020 19:14:37 +0100
Hi,

On Thu, Nov 12, 2020 at 07:08:26PM +0100, wferi@niif.hu wrote:
> Moritz Mühlenhoff <jmm@inutil.org> writes:
> 
> > On Sat, Nov 07, 2020 at 08:56:38PM +0100, wferi@niif.hu wrote:
> > 
> >> I propose a security upload with the debdiff below.  The patch series
> >> posted by upstream against 2.0.3 applies cleanly to the buster source,
> >> and is hereby included.  I'll try to do some testing while you review.
> >
> > Thanks, this looks. I also compared the upstream 2.0.3 patch set against
> > the update Ubuntu released for their 20.4 release (which also ships
> > 2.0.3) and which is identical (and without reported regressions so far)
> 
> Cool.  One can't possibly test all relevant use cases here.
> 
> > Please upload to security-master if your tests were fine as well
> 
> Done.  I managed to provoke some of the new denials with the updated
> package, and basic cluster operation remained unperturbed.
> 
> I think the changelog entry will work well enough as the DSA text.
> The LTS update used a shorter version, which is fine as well.
> 
> > (and remember to build with -sa since pacemaker is new in
> > buster-security (ftp.debian.org and security.debian.org don't share
> > tarballs)
> 
> The --source-only-changes switch of sbuild seems to counteract -sa, but
> I tried to revert that with changestool.  Hope it's fine.  If only I
> also remembered to remove the buildinfo file...  Or is that problem
> fixed already?

Just quickly commenting on that: yes, the buildds now append a suffix so
that there will be no clash with a potentially uploaded
_amd64.buildinfo (I have recently seen one buildd which did not yet
do so, but I hope this is fixed as well by now).

So yes, it does not matter anymore if you have an _amd64.buildinfo in a
source-only upload. If we still trigger the issue, we will do our package
reinject dance one more time :)

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 16 09:43:22 2020; Machine Name: buxtehude
