Version in base suite: 3.1.7-1
Base version: corosync_3.1.7-1
Target version: corosync_3.1.7-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/corosync/corosync_3.1.7-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/corosync/corosync_3.1.7-1+deb12u1.dsc
changelog | 6 ++++
patches/CVE-2025-30472.patch | 63 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 70 insertions(+)
diff -Nru corosync-3.1.7/debian/changelog corosync-3.1.7/debian/changelog
--- corosync-3.1.7/debian/changelog 2023-01-15 14:00:42.000000000 +0000
+++ corosync-3.1.7/debian/changelog 2025-05-18 19:16:40.000000000 +0000
@@ -1,3 +1,9 @@
+corosync (3.1.7-1+deb12u1) bookworm; urgency=medium
+
+ * CVE-2025-30472 (Closes: #1102006)
+
+ -- Moritz Mühlenhoff Sun, 18 May 2025 21:16:40 +0200
+
 corosync (3.1.7-1) unstable; urgency=medium

 * [f3d69c9] New upstream release (3.1.7)
diff -Nru corosync-3.1.7/debian/patches/CVE-2025-30472.patch corosync-3.1.7/debian/patches/CVE-2025-30472.patch
--- corosync-3.1.7/debian/patches/CVE-2025-30472.patch 1970-01-01 00:00:00.000000000 +0000
+++ corosync-3.1.7/debian/patches/CVE-2025-30472.patch 2025-05-18 19:16:40.000000000 +0000
@@ -0,0 +1,63 @@
+From 7839990f9cdf34e55435ed90109e82709032466a Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Mon, 24 Mar 2025 12:05:08 +0100
+Subject: [PATCH] totemsrp: Check size of orf_token msg
+
+orf_token message is stored into preallocated array on endian convert
+so carefully crafted malicious message can lead to crash of corosync.
+
+Solution is to check message size beforehand.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Christine Caulfield
+---
+ exec/totemsrp.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- corosync-3.1.7.orig/exec/totemsrp.c
++++ corosync-3.1.7/exec/totemsrp.c
+@@ -3679,12 +3679,20 @@ static int check_orf_token_sanity(
+ const struct totemsrp_instance *instance,
+ const void *msg,
+ size_t msg_len,
++ size_t max_msg_len,
+ int endian_conversion_needed)
+ {
+ int rtr_entries;
+ const struct orf_token *token = (const struct orf_token *)msg;
+ size_t required_len;
+
++ if (msg_len > max_msg_len) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message is too long... ignoring.");
++
++ return (-1);
++ }
++
+ if (msg_len < sizeof(struct orf_token)) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received orf_token message is too short... ignoring.");
+@@ -3698,6 +3706,13 @@ static int check_orf_token_sanity(
+ rtr_entries = token->rtr_list_entries;
+ }
+
++ if (rtr_entries > RETRANSMIT_ENTRIES_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received orf_token message rtr_entries is corrupted... ignoring.");
++
++ return (-1);
++ }
++
+ required_len = sizeof(struct orf_token) + rtr_entries * sizeof(struct rtr_item);
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+@@ -3866,7 +3881,8 @@ static int message_handler_orf_token (
+ "Time since last token %0.4f ms", ((float)tv_diff) / 1000000.0);
+ #endif
+
+- if (check_orf_token_sanity(instance, msg, msg_len, endian_conversion_needed) == -1) {
++ if (check_orf_token_sanity(instance, msg, msg_len, sizeof(token_storage),
++ endian_conversion_needed) == -1) {
+ return (0);
+ }
+
diff -Nru corosync-3.1.7/debian/patches/series corosync-3.1.7/debian/patches/series
--- corosync-3.1.7/debian/patches/series 2023-01-15 12:41:46.000000000 +0000
+++ corosync-3.1.7/debian/patches/series 2025-05-18 19:16:40.000000000 +0000
@@ -2,3 +2,4 @@
 Enable-PrivateTmp-in-the-systemd-service-files.patch
 Make-the-example-config-valid.patch
 Revert-logrotate-Use-copytruncate-method-by-default.patch
+CVE-2025-30472.patch
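Review bot: The new bound on `rtr_entries` in check_orf_token_sanity() checks only the upper side, but the variable is declared `int rtr_entries;` and is filled from a field of the received message, so a negative count passes `rtr_entries > RETRANSMIT_ENTRIES_MAX`. It then reaches `rtr_entries * sizeof(struct rtr_item)`, where it is converted to `size_t`, and the `required_len` comparison that follows is computed from a wrapped value. I would reject both sides in the same branch: `if (rtr_entries < 0 || rtr_entries > RETRANSMIT_ENTRIES_MAX) {`. Whether a negative count is harmful later depends on how `rtr_list_entries` is declared and used by the endian-convert and token handlers, which are outside these hunks, as is the declaration of `token_storage` whose size the caller now passes as `max_msg_len`.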