Fix CVE-2022-2735

(cherry picked from commit 100347fb270e417d2874c935ef8519965229215b)
jxy_git 2022-09-07 15:01:25 +08:00 committed by openeuler-sync-bot
parent 8ae7d03ec1
commit ed76fe6fcd
2 changed files with 54 additions and 1 deletions

0002-CVE-2022-2735.patch Normal file

@ -0,0 +1,46 @@
From 8a948565932a0ef93aedda6b2b3f4b9bab5e161f Mon Sep 17 00:00:00 2001
From: jxy_git <jiangxinyu@kylinos.cn>
Date: Wed, 7 Sep 2022 14:34:47 +0800
Subject: [PATCH] CVE-2022-2735
---
pcsd/rserver.rb | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/pcsd/rserver.rb b/pcsd/rserver.rb
index c37f9df..a54509f 100644
--- a/pcsd/rserver.rb
+++ b/pcsd/rserver.rb
@@ -7,6 +7,29 @@ require 'thin'
require 'settings.rb'
+# Replace Thin::Backends::UnixServer:connect
+# The only change is 'File.umask(0o777)' instead of 'File.umask(0)' to properly
+# set python-ruby socket permissions
+module Thin
+ module Backends
+ class UnixServer < Base
+ def connect
+ at_exit { remove_socket_file } # In case it crashes
+ old_umask = File.umask(0o077)
+ begin
+ EventMachine.start_unix_domain_server(@socket, UnixConnection, &method(:initialize_connection))
+ # HACK EventMachine.start_unix_domain_server doesn't return the connection signature
+ # so we have to go in the internal stuff to find it.
+ @signature = EventMachine.instance_eval{@acceptors.keys.first}
+ ensure
+ File.umask(old_umask)
+ end
+ end
+ end
+ end
+end
+
+
def pack_response(response)
return [200, {}, [response.to_json.to_str]]
end
--
2.33.0
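Review bot: The header comment on the new `Thin::Backends::UnixServer#connect` override says the only change is `File.umask(0o777)`, but the body applies `File.umask(0o077)`, which is the value that actually restricts the socket to its owner; the comment should match the code, e.g. `# The only change is 'File.umask(0o077)' instead of 'File.umask(0)' to properly`. A reader checking the CVE fix against the comment would otherwise conclude the wrong mask is set. The override also replaces Thin's `connect` wholesale rather than wrapping it, so a later Thin release that changes this method (for instance the `@signature` lookup done via `instance_eval`) would be silently shadowed by this copy; a one-line comment naming the Thin version the body was copied from, such as `# Body copied from Thin <version placeholder>; re-check on Thin upgrades`, would make that maintenance hazard visible.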


@ -1,6 +1,6 @@
Name: pcs
Version: 0.10.5
Release: 2
Release: 3
License: GPLv2 and BSD-2-Clause and ASL 2.0 and MIT
URL: https://github.com/ClusterLabs/pcs
Summary: Pacemaker Configuration System
@ -53,6 +53,7 @@ Source6: https://github.com/idevat/pcs-web-ui/archive/%{ui_commit}/%{ui_src_name
Source7: https://github.com/idevat/pcs-web-ui/releases/download/%{ui_commit}/pcs-web-ui-node-modules-%{ui_commit}.tar.xz
Patch0: 0001-FIX-CVE-2022-1049.patch
Patch1: 0002-CVE-2022-2735.patch
# git for patches
BuildRequires: git
@ -437,6 +438,12 @@ remove_all_tests
%license pyagentx_LICENSE.txt
%changelog
* Wed Sep 07 2022 jiangxinyu <jiangxinyu@kylinos.cn> - 0.10.5-3
- Type:cves
- ID:CVE-2022-2735
- SUG:NA
- DESC:fix CVE-2022-2735
* Fri Jun 17 2022 duyiwei <duyiwei@kylinos.cn> - 0.10.5-2
- FIX-CVE-2022-1049