oss-sec mailing list archives

3 pacemaker security flaws


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Wed, 17 Apr 2019 15:10:23 +0530

Hello all,

Jan Pokorný from Red Hat has discovered 3 security issues with the
pacemaker package. Details and proposed patches are available in this email.

Proposed unembargo date/time is: 10th April, 10:00 UTC

1. CVE-2018-16877 pacemaker: Insufficient local IPC client-server
authentication on the client's side can lead to local privesc:
A flaw was found in the way pacemaker's client-server authentication was
implemented. A local attacker could use this flaw, and combine it with
other IPC weaknesses, to achieve local privilege escalation.

2. CVE-2018-16878 pacemaker: Insufficient verification inflicted
preference of uncontrolled processes can lead to DoS:
A flaw was found in pacemaker. An insufficient verification inflicted
preference of uncontrolled processes can lead to DoS.

3. CVE-2019-3885 pacemaker: Information disclosure through use-after-free:
A use-after-free defect was discovered in pacemaker that can possibly
lead to unsolicited information disclosure in the log outputs.


Enclosed are the final patches:
(We would like to thank the SUSE folks who found issues in the initial set
of patches we sent to distros)



-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Attachment: master.patch

