
Bug#782175: marked as done (Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net)



Your message dated Sat, 11 Apr 2015 17:48:47 +0200
with message-id <20150411154846.GD5982@ugent.be>
and subject line Re: Bug#782175: Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net
has caused the Debian Bug report #782175,
regarding Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782175
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello release team,

Because of three CVE security messages, I have made an updated package
of chrony which is now on mentors.debian.net.

Please unblock package chrony/1.30-2.

The RFS can be seen here:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782173


The updated package fixes three RC bugs:

  * It includes the following security fixes (Closes: #782160):
    - Fix CVE-2015-1853: Protect authenticated symmetric NTP
                         associations against DoS attacks.
    - Fix CVE-2015-1821: Fix access configuration with subnet
                         size indivisible by 4.
    - Fix CVE-2015-1822: Fix initialization of reply slots for
                         authenticated commands.


Details are in the attached debdiff.

Please unblock package chrony/1.30-2.

Many thanks for your work,

---
Have a nice day.

Joachim (Germany)
diff -urN d10/debian/changelog d14/debian/changelog
--- d10/debian/changelog	2014-08-10 19:10:56.000000000 +0200
+++ d14/debian/changelog	2015-04-09 00:31:10.000000000 +0200
@@ -1,3 +1,19 @@
+chrony (1.30-2) unstable; urgency=medium
+
+  * New upstream release.
+  * It includes the following security fixes (Closes: #782160):
+    - Fix CVE-2015-1853: Protect authenticated symmetric NTP
+                         associations against DoS attacks.
+    - Fix CVE-2015-1821: Fix access configuration with subnet
+                         size indivisible by 4.
+    - Fix CVE-2015-1822: Fix initialization of reply slots for
+                         authenticated commands.
+  * debian/control:
+   - Update e-mail address of myself.
+   - Add Vincent Blut as co-maintainer.
+
+ -- Joachim Wiedorn <joodebian@joonet.de>  Thu, 09 Apr 2015 00:06:34 +0200
+
 chrony (1.30-1) unstable; urgency=medium
 
   * New upstream release with following bugfixes:
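Review bot: the first bullet of the 1.30-2 entry, `+  * New upstream release.`, does not match the upload: the upstream version stays 1.30 and this debdiff only adds three patches under debian/patches plus two control changes. Drop that line or replace it with something like `* Add three upstream security patches (see below).` so the changelog describes what actually changed; the release team reads the changelog when judging a freeze exception, and a misleading first line invites questions.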
diff -urN d10/debian/control d14/debian/control
--- d10/debian/control	2014-08-08 20:40:03.000000000 +0200
+++ d14/debian/control	2015-04-09 00:05:48.000000000 +0200
@@ -1,7 +1,8 @@
 Source: chrony
 Section: admin
 Priority: extra
-Maintainer: Joachim Wiedorn <ad_debian@joonet.de>
+Maintainer: Joachim Wiedorn <joodebian@joonet.de>
+Uploaders: Vincent Blut <vincent.debian@free.fr>
 Standards-Version: 3.9.5
 Build-Depends: debhelper (>= 9),
  texinfo, bison,
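Review bot: the Maintainer address change and the new `Uploaders: Vincent Blut <vincent.debian@free.fr>` line are unrelated to the three RC fixes. They are harmless, but the unblock request above lists only the security fixes, so either mention these control changes there or hold them for a post-freeze upload to keep the debdiff minimal for the release team. Leaving `Standards-Version: 3.9.5` untouched is the right call for a targeted freeze fix.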
diff -urN d10/debian/patches/11_protect-authenticated-symmetric-ass.patch d14/debian/patches/11_protect-authenticated-symmetric-ass.patch
--- d10/debian/patches/11_protect-authenticated-symmetric-ass.patch	1970-01-01 01:00:00.000000000 +0100
+++ d14/debian/patches/11_protect-authenticated-symmetric-ass.patch	2015-04-08 23:50:45.000000000 +0200
@@ -0,0 +1,72 @@
+From d856bd34c4862398411d29200520e3a3b1d4569e Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 5 Mar 2015 12:44:30 +0100
+Subject: ntp: protect authenticated symmetric associations against DoS attacks
+
+An attacker knowing that NTP hosts A and B are peering with each other
+(symmetric association) can send a packet with random timestamps to host
+A with source address of B which will set the NTP state variables on A
+to the values sent by the attacker. Host A will then send on its next
+poll to B a packet with originate timestamp that doesn't match the
+transmit timestamp of B and the packet will be dropped. If the attacker
+does this periodically for both hosts, they won't be able to synchronize
+to each other. It is a denial-of-service attack.
+
+According to [1], NTP authentication is supposed to protect symmetric
+associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4
+(RFC 5905) specifications the state variables are updated before the
+authentication check is performed, which means the association is
+vulnerable to the attack even when authentication is enabled.
+
+To fix this problem, save the originate and local timestamps only when
+the authentication check (test5) passed.
+
+[1] https://www.eecis.udel.edu/~mills/onwire.html
+
+diff --git a/ntp_core.c b/ntp_core.c
+index ebb6a7c..e654c88 100644
+--- a/ntp_core.c
++++ b/ntp_core.c
+@@ -914,9 +914,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+ 
+   /* ==================== */
+ 
+-  /* Save local receive timestamp */
+-  inst->local_rx = *now;
+-
+   pkt_leap = (message->lvm >> 6) & 0x3;
+   if (pkt_leap == 0x3) {
+     source_is_synchronized = 0;
+@@ -948,14 +945,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+     test2 = 1; /* Success */
+   }
+ 
+-  /* Regardless of any validity checks we apply, we are required to
+-     save this field from the packet into the ntp source
+-     instance record.  See RFC1305 section 3.4.4, peer.org <- pkt.xmt
+-     & peer.peerpoll <- pkt.poll.  Note we can't do this assignment
+-     before test1 has been carried out!! */
+-
+-  inst->remote_orig = message->transmit_ts;
+-
+   /* Test 3 requires that pkt.org != 0 and pkt.rec != 0.  If
+      either of these are true it means the association is not properly
+      'up'. */
+@@ -1128,6 +1117,14 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+         kod_rate = 1;
+   }
+ 
++  /* The transmit timestamp and local receive timestamp must not be saved when
++     the authentication test failed to prevent denial-of-service attacks on
++     symmetric associations using authentication */
++  if (test5) {
++    inst->remote_orig = message->transmit_ts;
++    inst->local_rx = *now;
++  }
++
+   valid_kod = test1 && test2 && test5;
+ 
+   valid_data = test1 && test2 && test3 && test4 && test4a && test4b;
+-- 
+cgit v0.10.2
+
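Review bot: the move of `inst->remote_orig = message->transmit_ts;` and `inst->local_rx = *now;` into the new `if (test5)` block after all the tests is the correct shape for the fix: an unauthenticated packet can no longer overwrite the association's originate and local receive timestamps, which is exactly what the denial-of-service described in the commit message relies on. Two points to confirm before upload: (1) the removed comment insisted the assignment must not happen before test1, which the new position satisfies, but any code between the old save sites (around line 914 and 948) and the new one (around line 1117) that reads `inst->local_rx` or `inst->remote_orig` for the current packet would now see the previous packet's values, so that stretch of receive_packet() is worth reading once against the full source; (2) the patch file carries only the git `From:`/`Subject:` header, so adding DEP-3 fields (`Origin: upstream` with the commit reference already in the From line, and `Bug-Debian: https://bugs.debian.org/782160`) would record the CVE-2015-1853 provenance for whoever maintains this later.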
diff -urN d10/debian/patches/12_fix-subnet-size-indivisible-by-four.patch d14/debian/patches/12_fix-subnet-size-indivisible-by-four.patch
--- d10/debian/patches/12_fix-subnet-size-indivisible-by-four.patch	1970-01-01 01:00:00.000000000 +0100
+++ d14/debian/patches/12_fix-subnet-size-indivisible-by-four.patch	2015-04-08 23:50:45.000000000 +0200
@@ -0,0 +1,35 @@
+From cf19042ecb656b8afec0cc4906e7dd3ea9266ac8 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Mon, 30 Mar 2015 14:41:37 +0200
+Subject: addrfilt: fix access configuration with subnet size indivisible by 4
+
+When NTP or cmdmon access was configured (from chrony.conf or via
+authenticated cmdmon) with a subnet size that is indivisible by 4 and
+an address that has nonzero bits in the 4-bit subnet remainder (e.g.
+192.168.15.0/22 or f000::/3), the new setting was written to an
+incorrect location, possibly outside the allocated array.
+
+An attacker that has the command key and is allowed to access cmdmon
+(only localhost is allowed by default) could exploit this to crash
+chronyd or possibly execute arbitrary code with the privileges of the
+chronyd process.
+
+diff --git a/addrfilt.c b/addrfilt.c
+index 0930289..4b8879a 100644
+--- a/addrfilt.c
++++ b/addrfilt.c
+@@ -199,7 +199,10 @@ set_subnet(TableNode *start_node,
+ 
+       /* How many subnet entries to set : 1->8, 2->4, 3->2 */
+       N = 1 << (NBITS-bits_to_go);
+-      subnet = get_subnet(ip, bits_consumed);
++
++      subnet = get_subnet(ip, bits_consumed) & ~(N - 1);
++      assert(subnet + N <= TABLE_SIZE);
++
+       if (!(node->extended)) {
+         open_node(node);
+       }
+-- 
+cgit v0.10.2
+
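Review bot: the masking in `+      subnet = get_subnet(ip, bits_consumed) & ~(N - 1);` is the actual fix: it clears the low bits of the index returned by get_subnet() so the N consecutive entries written afterwards (8, 4 or 2 per the comment above) start at an N-aligned slot and stay inside the node, which is what went wrong for addresses with nonzero bits in the 4-bit remainder. The added `assert(subnet + N <= TABLE_SIZE);` is only a debugging aid, since it is compiled out under NDEBUG; it must not be mistaken for a runtime bounds check, and if one is wanted in release builds it needs an explicit `if` that rejects the request instead. The patch file also lacks DEP-3 `Origin:`/`Bug-Debian:` fields tying it to CVE-2015-1821 and #782160.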
diff -urN d10/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch d14/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch
--- d10/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch	1970-01-01 01:00:00.000000000 +0100
+++ d14/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch	2015-04-08 23:50:45.000000000 +0200
@@ -0,0 +1,30 @@
+From 79eacdb7e694c7e6681b68006425df3faca51aec Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Mon, 30 Mar 2015 15:13:27 +0200
+Subject: cmdmon: fix initialization of allocated reply slots
+
+When allocating memory to save unacknowledged replies to authenticated
+command requests, the last "next" pointer was not initialized to NULL.
+When all allocated reply slots were used, the next reply could be
+written to an invalid memory instead of allocating a new slot for it.
+
+An attacker that has the command key and is allowed to access cmdmon
+(only localhost is allowed by default) could exploit this to crash
+chronyd or possibly execute arbitrary code with the privileges of the
+chronyd process.
+
+diff --git a/cmdmon.c b/cmdmon.c
+index 58a6c90..343baf4 100644
+--- a/cmdmon.c
++++ b/cmdmon.c
+@@ -558,6 +558,7 @@ get_more_replies(void)
+     for (i=1; i<REPLY_EXTEND_QUANTUM; i++) {
+       new_replies[i-1].next = new_replies + i;
+     }
++    new_replies[REPLY_EXTEND_QUANTUM - 1].next = NULL;
+     free_replies = new_replies;
+   }
+ }
+-- 
+cgit v0.10.2
+
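Review bot: the existing loop `for (i=1; i<REPLY_EXTEND_QUANTUM; i++)` links slots 0 through REPLY_EXTEND_QUANTUM-2 to their successor but never touches the `next` field of the last slot, so the added `new_replies[REPLY_EXTEND_QUANTUM - 1].next = NULL;` is the minimal correct fix and properly terminates the free list. A more defensive variant would zero the whole block at allocation (calloc() or memset()) so every field of every slot starts in a known state, not just `next`; the one-line fix is the right choice for a freeze upload, but the zeroing is worth raising upstream. As with the other two patch files, DEP-3 `Origin:`/`Bug-Debian:` fields for CVE-2015-1822 and #782160 are missing.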
diff -urN d10/debian/patches/series d14/debian/patches/series
--- d10/debian/patches/series	2013-12-21 01:02:54.000000000 +0100
+++ d14/debian/patches/series	2015-04-08 23:51:04.000000000 +0200
@@ -2,3 +2,6 @@
 03_recreate-always-getdate-c.patch
 04_do-not-look-for-ncurses.patch
 05_disable-installation-of-license.patch
+11_protect-authenticated-symmetric-ass.patch
+12_fix-subnet-size-indivisible-by-four.patch
+13_fix-initialization-of-allocated-reply-slots.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
On Thu, Apr 09, 2015 at 08:41:58AM +0200, Niels Thykier wrote:
> Approved, provided it is uploaded in time to reach Jessie before the
> quiet period.  Please let us know once it has reached unstable.

It was uploaded. Unblocked.

Cheers,

Ivo

--- End Message ---
