Version in base suite: 3.1.9-2 Base version: corosync_3.1.9-2 Target version: corosync_3.1.9-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/corosync/corosync_3.1.9-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/corosync/corosync_3.1.9-2+deb13u1.dsc changelog | 9 + gbp.conf | 2 patches/series | 2 patches/totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch | 54 ++++++++++ patches/totemsrp-Return-error-if-sanity-check-fails.patch | 44 ++++++++ 5 files changed, 110 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmz48rxto/corosync_3.1.9-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmz48rxto/corosync_3.1.9-2+deb13u1.dsc: no acceptable signature found
diff -Nru corosync-3.1.9/debian/changelog corosync-3.1.9/debian/changelog
--- corosync-3.1.9/debian/changelog 2025-06-21 09:54:36.000000000 +0000
+++ corosync-3.1.9/debian/changelog 2026-05-07 20:36:24.000000000 +0000
@@ -1,3 +1,12 @@
+corosync (3.1.9-2+deb13u1) trixie-security; urgency=high
+
+ * [128a6c1] New patch: totemsrp: Return error if sanity check fails.
+ Fixes CVE-2026-35091. Thanks to Jan Friesse (Closes: #1133838)
+ * [f46d7eb] New patch: totemsrp: Fix integer overflow in memb_join_sanity.
+ Fixes CVE-2026-35092. Thanks to Jan Friesse (Closes: #1133837)
+
+ -- Ferenc Wágner Thu, 07 May 2026 22:36:24 +0200
+
 corosync (3.1.9-2) unstable; urgency=medium
 * [d29071e] New patch: totemsrp: Check size of orf_token msg.
diff -Nru corosync-3.1.9/debian/gbp.conf corosync-3.1.9/debian/gbp.conf
--- corosync-3.1.9/debian/gbp.conf 2024-07-20 17:17:26.000000000 +0000
+++ corosync-3.1.9/debian/gbp.conf 2026-05-07 20:36:24.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/trixie
 upstream-branch = upstream/latest
 [import-orig]
diff -Nru corosync-3.1.9/debian/patches/series corosync-3.1.9/debian/patches/series
--- corosync-3.1.9/debian/patches/series 2025-06-21 09:47:36.000000000 +0000
+++ corosync-3.1.9/debian/patches/series 2026-05-07 20:36:24.000000000 +0000
@@ -3,3 +3,5 @@
 Make-the-example-config-valid.patch
 Revert-logrotate-Use-copytruncate-method-by-default.patch
 totemsrp-Check-size-of-orf_token-msg.patch
+totemsrp-Return-error-if-sanity-check-fails.patch
+totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
diff -Nru corosync-3.1.9/debian/patches/totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch corosync-3.1.9/debian/patches/totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch
--- corosync-3.1.9/debian/patches/totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch 1970-01-01 00:00:00.000000000 +0000
+++ corosync-3.1.9/debian/patches/totemsrp-Fix-integer-overflow-in-memb_join_sanity.patch 2026-05-07 20:36:24.000000000 +0000
@@ -0,0 +1,54 @@
+From: Jan Friesse
+Date: Thu, 2 Apr 2026 09:44:06 +0200
+Subject: totemsrp: Fix integer overflow in memb_join_sanity
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This commit addresses an integer overflow (wraparound) vulnerability
+in the check_memb_join_sanity function.
+
+Previously, the 32-bit unsigned network values proc_list_entries and
+failed_list_entries were added together before being promoted to
+size_t. This allowed the addition to wrap around in 32-bit arithmetic
+(e.g., 0x80000000 + 0x80000000 = 0), resulting in a required_len
+calculation that was incorrectly small.
+
+The solution is to cast the list entries to size_t and verify that
+neither exceeds the maximum allowed value before the addition occurs.
+
+Fixes: CVE-2026-35092
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
+Signed-off-by: Jan Friesse
+Also-proposed-by: nicholasyang
+Reviewed-by: Christine Caulfield
+
+Closes: #1133837
+---
+ exec/totemsrp.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 54a1b6f..6a6a82e 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3784,7 +3784,17 @@ static int check_memb_join_sanity(
+ failed_list_entries = swab32(failed_list_entries);
+ }
+
+- required_len = sizeof(struct memb_join) + ((proc_list_entries + failed_list_entries) * sizeof(struct srp_addr));
++ if (proc_list_entries > PROCESSOR_COUNT_MAX ||
++ failed_list_entries > PROCESSOR_COUNT_MAX) {
++ log_printf (instance->totemsrp_log_level_security,
++ "Received memb_join message list_entries exceeds the maximum "
++ "allowed value... ignoring.");
++
++ return (-1);
++ }
++
++ required_len = sizeof(struct memb_join) +
++ (((size_t)proc_list_entries + (size_t)failed_list_entries) * sizeof(struct srp_addr));
+ if (msg_len < required_len) {
+ log_printf (instance->totemsrp_log_level_security,
+ "Received memb_join message is too short... 
ignoring.");
diff -Nru corosync-3.1.9/debian/patches/totemsrp-Return-error-if-sanity-check-fails.patch corosync-3.1.9/debian/patches/totemsrp-Return-error-if-sanity-check-fails.patch
--- corosync-3.1.9/debian/patches/totemsrp-Return-error-if-sanity-check-fails.patch 1970-01-01 00:00:00.000000000 +0000
+++ corosync-3.1.9/debian/patches/totemsrp-Return-error-if-sanity-check-fails.patch 2026-05-07 20:36:24.000000000 +0000
@@ -0,0 +1,44 @@
+From: Jan Friesse
+Date: Thu, 2 Apr 2026 09:00:39 +0200
+Subject: totemsrp: Return error if sanity check fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Previously, the check_memb_commit_token_sanity function correctly
+checked the minimum message length. However, if the message was too
+short, it incorrectly returned a success code (0) instead of the
+expected failure code (-1).
+
+This commit ensures the appropriate error code is returned when the
+message length sanity check fails.
+
+Fixes: CVE-2026-35091
+
+Reported-by: Sebastián Alba Vives (@Sebasteuo / 0xS4bb1)
+Signed-off-by: Jan Friesse
+Also-proposed-by: nicholasyang
+Reviewed-by: Christine Caulfield
+
+Closes: #1133838
+---
+ exec/totemsrp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec/totemsrp.c b/exec/totemsrp.c
+index 364528c..54a1b6f 100644
+--- a/exec/totemsrp.c
++++ b/exec/totemsrp.c
+@@ -3809,10 +3809,10 @@ static int check_memb_commit_token_sanity(
+ log_printf (instance->totemsrp_log_level_security,
+ "Received memb_commit_token message is too short... ignoring.");
+
+- return (0);
++ return (-1);
+ }
+
+- addr_entries= mct_msg->addr_entries;
++ addr_entries = mct_msg->addr_entries;
+ if (endian_conversion_needed) {
+ addr_entries = swab32(addr_entries);
+ }
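Review bot: The new bounds check in check_memb_join_sanity logs one fixed string for both counters, so someone triaging the security log cannot tell which list was oversized or by how much. Consider logging the received values, e.g. `"Received memb_join message list_entries (proc %u, failed %u) exceeds the maximum allowed value... ignoring."`, with specifiers matched to the declarations, which sit above this hunk. It would also help to state the invariant next to the `required_len` computation, `/* both counts are <= PROCESSOR_COUNT_MAX here, so the sum and product stay in range even where size_t is 32 bits */`, because the `(size_t)` casts alone give no such guarantee on those builds; this assumes PROCESSOR_COUNT_MAX is small, which the hunk does not show. The function body starts and ends outside the hunk.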
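Review bot: `addr_entries` is read from the message and byte-swapped at the end of this hunk with no visible upper bound, unlike the counters in check_memb_join_sanity, which the companion patch in this upload limits to PROCESSOR_COUNT_MAX. The length computation that consumes it lies below the hunk, so this is inferred: if it multiplies `addr_entries` by an entry size, it would merit the same guard, `if (addr_entries > PROCESSOR_COUNT_MAX) { ... return (-1); }`, before that arithmetic. Since the defect fixed here was a rejected message being reported as accepted, a short comment on the function stating its contract (`0` accept, `-1` reject) would help keep later checks consistent.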