
Updating chrony in wheezy-lts



Hello,

I would like to see chrony being updated in wheezy-lts to fix
CVE-2016-1567. Also, I included a fix to make sure we don’t delete the /var/lib/chrony content. That directory contains the driftfile which stores the gain or loss of the system clock relative to the RTC. Deleting it each time chrony is upgraded or installed from Config-Files state is a mistake as it could take some time for chrony to recalculate that rate depending on how crappy the RTC is.

I attached a debdiff, please tell me if you see something wrong.

Cheers,
Vincent

diff -u chrony-1.24/ntp_core.c chrony-1.24/ntp_core.c
--- chrony-1.24/ntp_core.c
+++ chrony-1.24/ntp_core.c
@@ -966,7 +966,8 @@
       if (!KEY_KeyKnown(auth_key_id)) {
         test5 = 0;
       } else {
-        test5 = check_packet_auth(message, auth_key_id);
+        test5 = check_packet_auth(message, auth_key_id) &&
+                auth_key_id == inst->auth_key_id;
       }
     } else {
       /* If we expect authenticated info from this peer/server and the packet
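Review bot: the added comparison `auth_key_id == inst->auth_key_id` is the whole fix, but it is evaluated after `check_packet_auth()`, so the MAC is still computed for every packet that carries some other key from the key file; writing `test5 = auth_key_id == inst->auth_key_id && check_packet_auth(message, auth_key_id);` rejects a mismatched key id before any MAC work and reads as "the key this source was configured with, and a valid MAC under it". Either order gives the same accept/reject result since both conditions must hold. A one-line comment above the assignment noting that the key id must match the source's configured key (CVE-2016-1567) would also help, because the nearby comment only explains the `else` branch.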
diff -u chrony-1.24/debian/changelog chrony-1.24/debian/changelog
--- chrony-1.24/debian/changelog
+++ chrony-1.24/debian/changelog
@@ -1,3 +1,13 @@
+chrony (1.24-3.1+deb7u4) wheezy-security; urgency=medium
+
+  * Fix CVE-2016-1567: Restrict authentication of server/peer to specified
+    key. (Closes: #812923)
+
+  * debian/postrm:
+    - Remove /var/lib/chrony on purge only. (Closes: #568492)
+
+ -- Vincent Blut <vincent.debian@free.fr>  Mon, 12 Dec 2016 18:55:18 +0100
+
 chrony (1.24-3.1+deb7u3) wheezy-security; urgency=medium
 
   * With the following security bugfixes (See: #782160):
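Review bot: the second entry says "Remove /var/lib/chrony on purge only", but the debian/postrm hunk below only deletes the unconditional `rm -f /var/lib/chrony/*` and adds no purge branch; unless the rest of postrm already handles the `purge` argument, either add that branch or reword the entry to say the directory is no longer removed on upgrade or remove, so the changelog describes what the script actually does.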
diff -u chrony-1.24/debian/postrm chrony-1.24/debian/postrm
--- chrony-1.24/debian/postrm
+++ chrony-1.24/debian/postrm
@@ -3,7 +3,6 @@
 # postrm for chrony John Hasler 1998-2006
 # Any possessor of a copy of this program may treat it as if it
 # were in the public domain.  I waive all rights.
-rm -f /var/lib/chrony/*
 if [ -x update-menus ] ; then 
 	update-menus
 fi
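Review bot: dropping `rm -f /var/lib/chrony/*` keeps the driftfile across upgrades and Config-Files reinstalls, which is the stated goal, but nothing in this hunk removes the directory when the package is purged, so stale state now survives a purge too; guard the removal on the maintainer-script argument, e.g. `case "$1" in purge) rm -rf /var/lib/chrony ;; esac`, so the driftfile is kept on upgrade but still cleaned on purge. Unrelated to this change but visible in the context: `[ -x update-menus ]` tests a file named update-menus in the current directory, not the command on PATH; `command -v update-menus >/dev/null` is what was meant.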
diff -u chrony-1.24/debian/applied/series chrony-1.24/debian/applied/series
--- chrony-1.24/debian/applied/series
+++ chrony-1.24/debian/applied/series
@@ -7,0 +8 @@
+14_restrict-authentication-of-server-peer-to-specified-key.patch
only in patch2:
unchanged:
--- chrony-1.24.orig/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch
+++ chrony-1.24/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch
@@ -0,0 +1,24 @@
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Tue, 02 Feb 2016 23:29:25 +0100
+Subject: ntp: restrict authentication of server/peer to specified key
+
+This patch fixes CVE-2016-1567 in chrony 1.24. In versions prior to 1.31.2 as
+well as all releases from the 2.x branch before 2.2.1, chrony does not verify
+peer associations of symmetric keys when authenticating packets, which might
+allow remote attackers to conduct impersonation attacks via an arbitrary
+trusted key, aka a "skeleton key".
+---
+
+diff -urNpa a/chrony-1.24/ntp_core.c b/chrony-1.24/ntp_core.c
+--- a/chrony-1.24/ntp_core.c	2016-02-02 23:28:39.070377463 +0100
++++ b/chrony-1.24/ntp_core.c	2016-02-02 23:01:10.414119775 +0100
+@@ -966,7 +966,8 @@ receive_packet(NTP_Packet *message, stru
+       if (!KEY_KeyKnown(auth_key_id)) {
+         test5 = 0;
+       } else {
+-        test5 = check_packet_auth(message, auth_key_id);
++        test5 = check_packet_auth(message, auth_key_id) &&
++                auth_key_id == inst->auth_key_id;
+       }
+     } else {
+       /* If we expect authenticated info from this peer/server and the packet
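Review bot: the patch header has From/Date/Subject but no DEP-3 `Bug-Debian:` or `Origin:` field; add `Bug-Debian: https://bugs.debian.org/812923` and an `Origin:` (or `Forwarded:`) line so the provenance of the backport is recorded with the patch. Also, the paths `a/chrony-1.24/ntp_core.c` and `b/chrony-1.24/ntp_core.c` keep the source directory as an extra component, so applying with `-p1` from the source root would look for `chrony-1.24/ntp_core.c` and fail; if debian/applied is only a record of changes already applied to the tree this is harmless, otherwise regenerate the diff from inside the source directory. Cosmetic: the `---` timestamp (23:28:39) is later than the `+++` one (23:01:10), which suggests the original file was touched after the edited copy was made.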
