fix(corosync): CVE-2025-30472

[deepin-ci-robot]

CVE 修复

CVE ID: CVE-2025-30472

漏洞描述: Corosync through 3.1.9 has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet. If encryption is disabled or the attacker knows the encryption key, this can lead to crash of corosync or potentially arbitrary code execution.

修复方案: Patch (backport upstream fix)

• Added size check for orf_token message before endian conversion
• Added validation for rtr_entries to prevent corruption
• Prevents buffer overflow from carefully crafted malicious UDP packets

受影响版本: corosync <= 3.1.9

当前版本: 3.1.5-2

验证状态: ✅ Patch tested and applies cleanly

上游修复: corosync/corosync@7839990

---

Fix-Approach: patch (backport upstream commit)
Generated-By: CVE-Fixer Agent
Co-Authored-By: hudeng hudeng@deepin.org

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zccrs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• https:/raw.githubusercontent.com/deepin-community/template-repository/master/debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

TAG Bot

TAG: 3.1.5-3
EXISTED: no
DISTRIBUTION: unstable

[hudeng-go]

/integrate

[github-actions]

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#3971
PrNumber: 3971
PrBranch: auto-integration-25590057767