Bug 906834 (CVE-2013-0250)

Summary: corosync 2.x: Remote DoS due improper HMAC initialization
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: agk, cluster-maint, fdinitto, jfriesse, sdake
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Corosync 2.3.0
Doc Type: Bug Fix
Last Closed: 2013-02-02 12:52:49 UTC

Description Jan Lieskovsky 2013-02-01 16:17:43 UTC
A remote denial of service flaw was found in the way Corosync, the cluster engine and application programming interfaces, performed processing of network packets. Previously, the HMAC key was not initialized properly, which allowed random targeted packets to be processed by the internal process of corosync, possibly leading to a daemon crash.

References:
[1] http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097833.html
[2] http://lwn.net/Vulnerabilities/535234/
[3] https://bugs.mageia.org/show_bug.cgi?id=8905

Relevant upstream patch (might not be complete set):
[4] https://github.com/corosync/corosync/commit/b3f456a8ceefac6e9f2e9acc2ea0c159d412b595

Comment 4 Fabio Massimo Di Nitto 2013-02-01 16:26:55 UTC
> Relevant upstream patch (might not be complete set):
> [4] https://github.com/corosync/corosync/commit/b3f456a8ceefac6e9f2e9acc2ea0c159d412b595

https://github.com/corosync/corosync/commit/55dc09ea237482f827333759fd45608bc9518d64

https://github.com/corosync/corosync/commit/ebb007a16c6a8d9e6f783ed82b324cb232c64be5

complete set is 3 patches.

Comment 5 Jan Lieskovsky 2013-02-01 16:28:51 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/02/01/1

Comment 7 Jan Lieskovsky 2013-02-01 16:33:03 UTC
This issue did NOT affect the version of the corosync package, as shipped with Red Hat Enterprise Linux 6.

Comment 8 Jan Lieskovsky 2013-02-01 16:37:12 UTC
Statement:

Not vulnerable. This issue did not affect the version of corosync as shipped with Red Hat Enterprise Linux 6.

Comment 11 Jan Lieskovsky 2013-02-02 12:52:49 UTC
The CVE identifier of CVE-2013-0250 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/02/01/3