Package: release.debian.org
Severity: important
User: release.debian....@packages.debian.org
Usertags: unblock

Hello release team,

Because of three CVE security messages, I have made an updated package
of chrony, which is now on mentors.debian.net.

Please unblock package chrony/1.30-2.

The RFS can be seen here:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782173


The updated package fixes three RC bugs:

  * It includes the following security fixes (Closes: #782160):
    - Fix CVE-2015-1853: Protect authenticated symmetric NTP
                         associations against DoS attacks.
    - Fix CVE-2015-1821: Fix access configuration with subnet
                         size indivisible by 4.
    - Fix CVE-2015-1822: Fix initialization of reply slots for
                         authenticated commands.


Details are in the attached debdiff.

Please unblock package chrony/1.30-2.

Many thanks for your work,

---
Have a nice day.

Joachim (Germany)
diff -urN d10/debian/changelog d14/debian/changelog
--- d10/debian/changelog	2014-08-10 19:10:56.000000000 +0200
+++ d14/debian/changelog	2015-04-09 00:31:10.000000000 +0200
@@ -1,3 +1,19 @@
+chrony (1.30-2) unstable; urgency=medium
+
+  * New upstream release.
+  * It includes the following security fixes (Closes: #782160):
+    - Fix CVE-2015-1853: Protect authenticated symmetric NTP
+                         associations against DoS attacks.
+    - Fix CVE-2015-1821: Fix access configuration with subnet
+                         size indivisible by 4.
+    - Fix CVE-2015-1822: Fix initialization of reply slots for
+                         authenticated commands.
+  * debian/control:
+   - Update e-mail address of myself.
+   - Add Vincent Blut as co-maintainer.
+
+ -- Joachim Wiedorn <joodeb...@joonet.de>  Thu, 09 Apr 2015 00:06:34 +0200
+
 chrony (1.30-1) unstable; urgency=medium
 
   * New upstream release with following bugfixes:
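Review bot: the first bullet of the 1.30-2 entry says "New upstream release.", but the version only bumps the Debian revision (1.30-1 to 1.30-2) and the three fixes arrive as debian/patches 11_ to 13_ against the same upstream 1.30, so that bullet should go and the security bullet read something like "Add upstream patches for the following security fixes (Closes: #782160):". As this upload exists only to fix CVEs, urgency=high rather than urgency=medium would be the usual choice.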
diff -urN d10/debian/control d14/debian/control
--- d10/debian/control	2014-08-08 20:40:03.000000000 +0200
+++ d14/debian/control	2015-04-09 00:05:48.000000000 +0200
@@ -1,7 +1,8 @@
 Source: chrony
 Section: admin
 Priority: extra
-Maintainer: Joachim Wiedorn <ad_deb...@joonet.de>
+Maintainer: Joachim Wiedorn <joodeb...@joonet.de>
+Uploaders: Vincent Blut <vincent.deb...@free.fr>
 Standards-Version: 3.9.5
 Build-Depends: debhelper (>= 9),
  texinfo, bison,
diff -urN d10/debian/patches/11_protect-authenticated-symmetric-ass.patch d14/debian/patches/11_protect-authenticated-symmetric-ass.patch
--- d10/debian/patches/11_protect-authenticated-symmetric-ass.patch	1970-01-01 01:00:00.000000000 +0100
+++ d14/debian/patches/11_protect-authenticated-symmetric-ass.patch	2015-04-08 23:50:45.000000000 +0200
@@ -0,0 +1,72 @@
+From d856bd34c4862398411d29200520e3a3b1d4569e Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlich...@redhat.com>
+Date: Thu, 5 Mar 2015 12:44:30 +0100
+Subject: ntp: protect authenticated symmetric associations against DoS attacks
+
+An attacker knowing that NTP hosts A and B are peering with each other
+(symmetric association) can send a packet with random timestamps to host
+A with source address of B which will set the NTP state variables on A
+to the values sent by the attacker. Host A will then send on its next
+poll to B a packet with originate timestamp that doesn't match the
+transmit timestamp of B and the packet will be dropped. If the attacker
+does this periodically for both hosts, they won't be able to synchronize
+to each other. It is a denial-of-service attack.
+
+According to [1], NTP authentication is supposed to protect symmetric
+associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4
+(RFC 5905) specifications the state variables are updated before the
+authentication check is performed, which means the association is
+vulnerable to the attack even when authentication is enabled.
+
+To fix this problem, save the originate and local timestamps only when
+the authentication check (test5) passed.
+
+[1] https://www.eecis.udel.edu/~mills/onwire.html
+
+diff --git a/ntp_core.c b/ntp_core.c
+index ebb6a7c..e654c88 100644
+--- a/ntp_core.c
++++ b/ntp_core.c
+@@ -914,9 +914,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+ 
+   /* ==================== */
+ 
+-  /* Save local receive timestamp */
+-  inst->local_rx = *now;
+-
+   pkt_leap = (message->lvm >> 6) & 0x3;
+   if (pkt_leap == 0x3) {
+     source_is_synchronized = 0;
+@@ -948,14 +945,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+     test2 = 1; /* Success */
+   }
+ 
+-  /* Regardless of any validity checks we apply, we are required to
+-     save this field from the packet into the ntp source
+-     instance record.  See RFC1305 section 3.4.4, peer.org <- pkt.xmt
+-     & peer.peerpoll <- pkt.poll.  Note we can't do this assignment
+-     before test1 has been carried out!! */
+-
+-  inst->remote_orig = message->transmit_ts;
+-
+   /* Test 3 requires that pkt.org != 0 and pkt.rec != 0.  If
+      either of these are true it means the association is not properly
+      'up'. */
+@@ -1128,6 +1117,14 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+         kod_rate = 1;
+   }
+ 
++  /* The transmit timestamp and local receive timestamp must not be saved when
++     the authentication test failed to prevent denial-of-service attacks on
++     symmetric associations using authentication */
++  if (test5) {
++    inst->remote_orig = message->transmit_ts;
++    inst->local_rx = *now;
++  }
++
+   valid_kod = test1 && test2 && test5;
+ 
+   valid_data = test1 && test2 && test3 && test4 && test4a && test4b;
+-- 
+cgit v0.10.2
+
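Review bot: the patch file carries only the git From/Date/Subject headers, so add DEP-3 fields so the Debian tracker and security team can match it: "Origin: upstream, commit:d856bd34c4862398411d29200520e3a3b1d4569e", "Bug-Debian: https://bugs.debian.org/782160", and mention CVE-2015-1853 in the description since the Subject line does not name it. The code change itself is consistent with the description: the two assignments to inst->remote_orig and inst->local_rx that were done unconditionally (after test1 and test2) are now done once, under "if (test5)", and the removed comment's constraint that the save must happen after test1 is still met because the new block sits after all the tests.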
diff -urN d10/debian/patches/12_fix-subnet-size-indivisible-by-four.patch d14/debian/patches/12_fix-subnet-size-indivisible-by-four.patch
--- d10/debian/patches/12_fix-subnet-size-indivisible-by-four.patch	1970-01-01 01:00:00.000000000 +0100
+++ d14/debian/patches/12_fix-subnet-size-indivisible-by-four.patch	2015-04-08 23:50:45.000000000 +0200
@@ -0,0 +1,35 @@
+From cf19042ecb656b8afec0cc4906e7dd3ea9266ac8 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlich...@redhat.com>
+Date: Mon, 30 Mar 2015 14:41:37 +0200
+Subject: addrfilt: fix access configuration with subnet size indivisible by 4
+
+When NTP or cmdmon access was configured (from chrony.conf or via
+authenticated cmdmon) with a subnet size that is indivisible by 4 and
+an address that has nonzero bits in the 4-bit subnet remainder (e.g.
+192.168.15.0/22 or f000::/3), the new setting was written to an
+incorrect location, possibly outside the allocated array.
+
+An attacker that has the command key and is allowed to access cmdmon
+(only localhost is allowed by default) could exploit this to crash
+chronyd or possibly execute arbitrary code with the privileges of the
+chronyd process.
+
+diff --git a/addrfilt.c b/addrfilt.c
+index 0930289..4b8879a 100644
+--- a/addrfilt.c
++++ b/addrfilt.c
+@@ -199,7 +199,10 @@ set_subnet(TableNode *start_node,
+ 
+       /* How many subnet entries to set : 1->8, 2->4, 3->2 */
+       N = 1 << (NBITS-bits_to_go);
+-      subnet = get_subnet(ip, bits_consumed);
++
++      subnet = get_subnet(ip, bits_consumed) & ~(N - 1);
++      assert(subnet + N <= TABLE_SIZE);
++
+       if (!(node->extended)) {
+         open_node(node);
+       }
+-- 
+cgit v0.10.2
+
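Review bot: the real fix here is the "& ~(N - 1)" mask on the subnet index; the added "assert(subnet + N <= TABLE_SIZE)" only documents the invariant and is compiled out when NDEBUG is defined, so please confirm the Debian build does not define NDEBUG if the assert is meant to be a runtime guard. As with the other patches, add DEP-3 headers ("Origin: upstream, commit:cf19042ecb656b8afec0cc4906e7dd3ea9266ac8", "Bug-Debian: https://bugs.debian.org/782160") and name CVE-2015-1821 in the description.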
diff -urN d10/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch d14/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch
--- d10/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch	1970-01-01 01:00:00.000000000 +0100
+++ d14/debian/patches/13_fix-initialization-of-allocated-reply-slots.patch	2015-04-08 23:50:45.000000000 +0200
@@ -0,0 +1,30 @@
+From 79eacdb7e694c7e6681b68006425df3faca51aec Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlich...@redhat.com>
+Date: Mon, 30 Mar 2015 15:13:27 +0200
+Subject: cmdmon: fix initialization of allocated reply slots
+
+When allocating memory to save unacknowledged replies to authenticated
+command requests, the last "next" pointer was not initialized to NULL.
+When all allocated reply slots were used, the next reply could be
+written to an invalid memory instead of allocating a new slot for it.
+
+An attacker that has the command key and is allowed to access cmdmon
+(only localhost is allowed by default) could exploit this to crash
+chronyd or possibly execute arbitrary code with the privileges of the
+chronyd process.
+
+diff --git a/cmdmon.c b/cmdmon.c
+index 58a6c90..343baf4 100644
+--- a/cmdmon.c
++++ b/cmdmon.c
+@@ -558,6 +558,7 @@ get_more_replies(void)
+     for (i=1; i<REPLY_EXTEND_QUANTUM; i++) {
+       new_replies[i-1].next = new_replies + i;
+     }
++    new_replies[REPLY_EXTEND_QUANTUM - 1].next = NULL;
+     free_replies = new_replies;
+   }
+ }
+-- 
+cgit v0.10.2
+
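Review bot: this patch also lacks DEP-3 headers; add "Origin: upstream, commit:79eacdb7e694c7e6681b68006425df3faca51aec", "Bug-Debian: https://bugs.debian.org/782160" and a mention of CVE-2015-1822. The one-line fix is correct as far as the hunk shows: the loop "for (i=1; i<REPLY_EXTEND_QUANTUM; i++)" links element i-1 to element i and never touches the "next" of the last element, which the added line now sets to NULL so the free_replies list is properly terminated.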
diff -urN d10/debian/patches/series d14/debian/patches/series
--- d10/debian/patches/series	2013-12-21 01:02:54.000000000 +0100
+++ d14/debian/patches/series	2015-04-08 23:51:04.000000000 +0200
@@ -2,3 +2,6 @@
 03_recreate-always-getdate-c.patch
 04_do-not-look-for-ncurses.patch
 05_disable-installation-of-license.patch
+11_protect-authenticated-symmetric-ass.patch
+12_fix-subnet-size-indivisible-by-four.patch
+13_fix-initialization-of-allocated-reply-slots.patch
