Bug 1694554 (CVE-2019-3885)

Summary: CVE-2019-3885 pacemaker: Information disclosure through use-after-free
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abeekhof, andrew, anprice, cluster-maint, dbecker, jjoyce, jpokorny, jschluet, kbasil, kgaillot, lhh, lpeer, mburns, sclewis, security-response-team, sisharma, slinaber, ssaha, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20190417:0945,reported=20190401,source=redhat,cvss3=3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N,cwe=CWE-416,rhel-6/pacemaker=wontfix,rhel-7/pacemaker=affected,rhel-8/pacemaker=affected,fedora-all/pacemaker=affected,rhes-3/pacemaker=wontfix,openstack-rdo/pacemaker=affected
Fixed In Version: pacemaker 2.0.2-rc1 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:52:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1694907, 1694908, 1706307, 1697264, 1700704, 1700737    
Bug Blocks: 1652647    
Attachments:
Description Flags
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885 none

Description Huzaifa S. Sidhpurwala 2019-04-01 05:41:58 UTC
A use-after-free defect was discovered in pacemaker that can possibly lead to unsolicited information disclosure in the log outputs.

Comment 1 Huzaifa S. Sidhpurwala 2019-04-01 05:42:00 UTC
Acknowledgments:

Name: Jan Pokorný (Red Hat)

Comment 6 Huzaifa S. Sidhpurwala 2019-04-17 05:59 UTC
Created attachment 1555736 [details]
Cumulative patches to address CVE-2018-16877, CVE-2018-16878 and CVE-2019-3885

Comment 7 Huzaifa S. Sidhpurwala 2019-04-17 09:46:48 UTC
Public via:
https://www.openwall.com/lists/oss-security/2019/04/17/1

Comment 8 Huzaifa S. Sidhpurwala 2019-04-17 09:51:15 UTC
Created pacemaker tracking bugs for this issue:

Affects: fedora-all [bug 1700737]

Comment 10 Huzaifa S. Sidhpurwala 2019-05-04 07:59:26 UTC
Created pacemaker tracking bugs for this issue:

Affects: openstack-rdo [bug 1706307]

Comment 11 errata-xmlrpc 2019-05-27 15:59:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1279 https://access.redhat.com/errata/RHSA-2019:1279

Comment 12 errata-xmlrpc 2019-05-27 16:00:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1278