Bug 1694554 (CVE-2019-3885)

Summary: CVE-2019-3885 pacemaker: Information disclosure through use-after-free
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abeekhof, andrew, anprice, cluster-maint, dbecker, jjoyce, jpokorny, jschluet, kbasil, kgaillot, lhh, lpeer, mburns, sclewis, security-response-team, sisharma, slinaber, ssaha, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pacemaker 2.0.2-rc1 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:52:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1694907, 1694908, 1697264, 1700704, 1700737, 1706307    
Bug Blocks: 1652647    
Attachments:
Description Flags
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885 none

Description Huzaifa S. Sidhpurwala 2019-04-01 05:41:58 UTC 
A use-after-free defect was discovered in pacemaker that can possibly lead to unsolicited information disclosure in the log outputs.
Comment 1 Huzaifa S. Sidhpurwala 2019-04-01 05:42:00 UTC 
Acknowledgments:

Name: Jan Pokorný (Red Hat)
Comment 6 Huzaifa S. Sidhpurwala 2019-04-17 05:59:01 UTC 
Created attachment 1555736 [details]
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885
Comment 7 Huzaifa S. Sidhpurwala 2019-04-17 09:46:48 UTC 
Public via:
https://www.openwall.com/lists/oss-security/2019/04/17/1
Comment 8 Huzaifa S. Sidhpurwala 2019-04-17 09:51:15 UTC 
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1700737]
Comment 9 Huzaifa S. Sidhpurwala 2019-04-18 04:47:32 UTC 
Upstream patch: https://github.com/ClusterLabs/pacemaker/pull/1749/commits/970736b1c7ad5c78cc5295a4231e546104d55893
Comment 10 Huzaifa S. Sidhpurwala 2019-05-04 07:59:26 UTC 
Created pacemaker tracking bugs for this issue:

Affects: openstack-rdo [bug 1706307]
Comment 11 errata-xmlrpc 2019-05-27 15:59:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1279 https://access.redhat.com/errata/RHSA-2019:1279
Comment 12 errata-xmlrpc 2019-05-27 16:00:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1278