Bug#825087: jessie-pu: package chrony/1.30-2+deb8u2
Package: release.debian.org
Tags: jessie
Followup-For: Bug #825087
User: release.debian.org@packages.debian.org
Usertags: pu
[forgot to attach the debdiff]
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru chrony-1.30/debian/changelog chrony-1.30/debian/changelog
--- chrony-1.30/debian/changelog 2015-09-09 20:00:38.000000000 +0200
+++ chrony-1.30/debian/changelog 2016-05-22 17:40:58.000000000 +0200
@@ -1,3 +1,16 @@
+chrony (1.30-2+deb8u2) jessie; urgency=medium
+
+ * Fix CVE-2016-1567: Restrict authentication of server/peer to specified
+ key. (Closes: #812923)
+
+ * debian/postrm:
+ - Remove /var/lib/chrony on purge only. (Closes: #568492)
+
+ * debian/logrotate:
+ - Rework postrotate script. (Closes: #763542)
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 21 May 2016 02:27:34 +0200
+
chrony (1.30-2+deb8u1) jessie; urgency=medium
* Build depend on libcap-dev. Without it, chronyd can’t drop root
diff -Nru chrony-1.30/debian/logrotate chrony-1.30/debian/logrotate
--- chrony-1.30/debian/logrotate 2015-09-09 19:31:39.000000000 +0200
+++ chrony-1.30/debian/logrotate 2016-05-22 17:40:58.000000000 +0200
@@ -8,10 +8,6 @@
sharedscripts
create 644
postrotate
- PASSWORD=`awk '$1 ~ /^1$/ {print $2; exit}' /etc/chrony/chrony.keys`
- cat << EOF | /usr/bin/chronyc | sed '/^200 OK$/d'
- password $PASSWORD
- cyclelogs
- EOF
+ /usr/bin/chronyc -a cyclelogs > /dev/null 2>&1 || true
endscript
}
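Review bot: The new postrotate line silences every failure of `chronyc -a cyclelogs` by sending both streams to /dev/null and appending `|| true`, so if the command-key authentication fails (chrony.keys unreadable, or presumably no usable `commandkey`/`keyfile` in chrony.conf, which the diff does not show) chronyd keeps writing to the renamed file while the freshly created log stays empty, and nothing in logrotate's output reveals it. Keeping `|| true` so one failure does not abort the whole logrotate run is reasonable, but stderr should stay visible: `/usr/bin/chronyc -a cyclelogs >/dev/null || true`. Replacing the awk/here-doc password extraction with `-a` is itself an improvement, since the key no longer passes through a shell variable.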
diff -Nru chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch
--- chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch 1970-01-01 01:00:00.000000000 +0100
+++ chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch 2016-05-22 19:01:52.000000000 +0200
@@ -0,0 +1,39 @@
+Description: ntp: restrict authentication of server/peer to specified key
+ When a server/peer was specified with a key number to enable
+ authentication with a symmetric key, packets received from the
+ server/peer were accepted if they were authenticated with any of
+ the keys contained in the key file and not just the specified key.
+
+ This allowed an attacker who knew one key of a client/peer to modify
+ packets from its servers/peers that were authenticated with other
+ keys in a man-in-the-middle (MITM) attack. For example, in a network
+ where each NTP association had a separate key and all hosts had only
+ keys they needed, a client of a server could not attack other clients
+ of the server, but it could attack the server and also attack its own
+ clients (i.e. modify packets from other servers).
+
+ To not allow the server/peer to be authenticated with other keys
+ extend the authentication test to check if the key ID in the received
+ packet is equal to the configured key number. As a consequence, it's
+ no longer possible to authenticate two peers to each other with two
+ different keys, both peers have to be configured to use the same key.
+
+ This issue was discovered by Matt Street of Cisco ASIG.
+
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812923
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/ntp_core.c
++++ b/ntp_core.c
+@@ -1049,7 +1049,8 @@ receive_packet(NTP_Packet *message, stru
+ if (inst->do_auth) {
+ if (auth_len > 0) {
+ auth_key_id = ntohl(message->auth_keyid);
+- test5 = check_packet_auth(message, auth_key_id, auth_len);
++ test5 = check_packet_auth(message, auth_key_id, auth_len) &&
++ auth_key_id == inst->auth_key_id;
+ } else {
+ /* If we expect authenticated info from this peer/server and the packet
+ doesn't have it, it's got to fail */
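Review bot: The added key-ID comparison in receive_packet() is evaluated after check_packet_auth(), so a packet carrying an unexpected key ID still goes through whatever key lookup and MAC verification that call does (inferred from its name) before being rejected; putting the cheap comparison first short-circuits that: `test5 = auth_key_id == inst->auth_key_id && check_packet_auth(message, auth_key_id, auth_len);`. Both conditions must hold either way, so this is a defensive ordering rather than a correctness change. The behavioural consequence the DEP-3 description already states — two peers can no longer authenticate each other with different keys — is not mentioned in the changelog entry, and jessie users with asymmetric peer keys may silently lose synchronisation after the upgrade; a debian/NEWS entry or a line in the changelog would make that visible. receive_packet() begins and ends outside the hunk.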
diff -Nru chrony-1.30/debian/patches/series chrony-1.30/debian/patches/series
--- chrony-1.30/debian/patches/series 2015-09-09 19:31:39.000000000 +0200
+++ chrony-1.30/debian/patches/series 2016-05-22 17:40:58.000000000 +0200
@@ -5,3 +5,4 @@
11_protect-authenticated-symmetric-ass.patch
12_fix-subnet-size-indivisible-by-four.patch
13_fix-initialization-of-allocated-reply-slots.patch
+14_restrict-authentication-of-server-peer-to-specified-key.patch
diff -Nru chrony-1.30/debian/postrm chrony-1.30/debian/postrm
--- chrony-1.30/debian/postrm 2015-09-09 19:31:39.000000000 +0200
+++ chrony-1.30/debian/postrm 2016-05-22 17:40:58.000000000 +0200
@@ -23,7 +23,7 @@
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- rm -f /var/lib/chrony/*
+
;;
*)