Bug#719132: chrony: New version, fixes security bugs

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#719132: chrony: New version, fixes security bugs
From: John Hasler <jhasler@debian.org>
Date: Thu, 08 Aug 2013 11:27:59 -0500
Message-id: <[🔎] 20130808162759.5274.57871.reportbug@thumper.dhh.gt.org>
Reply-to: John Hasler <jhasler@debian.org>, 719132@bugs.debian.org

Package: chrony
Version: 1.26-4
Severity: important

8 Aug 2013 : chrony-1.29 released

It fixes the following security vulnerabilities:

    Fix crash when processing crafted commands (CVE-2012-4502)
    (possible with IP addresses allowed by cmdallow and localhost)
    Don't send uninitialized data in SUBNETS_ACCESSED and CLIENT_ACCESSES
    replies (CVE-2012-4503) (not used by chronyc)

and includes other changes:

    Drop support for SUBNETS_ACCESSED and CLIENT_ACCESSES commands

CVE-2012-4502: Buffer overflow when processing crafted command packets

When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES command
requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES, 
RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is calculated, 
the number of items stored in the packet is not validated. A crafted command 
request/reply can be used to crash the server/client. Only clients allowed 
by cmdallow (by default only localhost) can crash the server. With chrony 
versions 1.25 and 1.26 this bug has a smaller security impact as the server 
requires the clients to be authenticated in order to process the subnet and 
client accesses commands. In 1.27 and 1.28, however, the invalid calculated 
length is included also in the authentication check which may cause another 
crash. CVE-2012-4503: Uninitialized data in command replies The 
RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can contain 
uninitalized data from stack when the client logging is disabled or a bad 
subnet is requested. These commands were never used by chronyc and they 
require the client to be authenticated since version 1.25.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages chrony depends on:
ii  dpkg          1.16.10
ii  install-info  5.1.dfsg.1-3
ii  libc6         2.17-1
ii  libedit2      2.11-20080614-5
ii  net-tools     1.60-24.2
ii  timelimit     1.8-1
ii  ucf           3.0025+nmu3

Versions of packages chrony recommends:
ii  udev  175-7.2

chrony suggests no packages.

-- no debconf information

Reply to:

Prev by Date: Bug#642357: Downgrade on Wheezy
Next by Date: Bug#719049: (no subject)
Previous by thread: Bug#642357: Downgrade on Wheezy
Next by thread: Bug#719049: (no subject)
Index(es):
- Date
- Thread