Your message dated Fri, 27 May 2016 21:30:40 +0200
with message-id <20160527193040.ge3...@betterave.cristau.org>
and subject line Re: Bug#825297: wheezy-pu: package chrony/1.24-3.1+deb7u4
has caused the Debian Bug report #825297,
regarding wheezy-pu: package chrony/1.24-3.1+deb7u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
825297: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

Could you please accept chrony 1.24-3.1+deb7u4 in the last wheezy point 
release?

It fixes CVE-2016-1567 which I have backported to that specific upstream 
version.  It is well tested since the exact same patch has been in 
squeeze-lts for a while.

The next fix is an adjustment ensuring we don’t delete the 
/var/lib/chrony content.  That directory contains some really important 
data, notably the driftfile which stores the gain or loss of the system 
clock relative to the RTC. Deleting it each time chrony is upgraded or 
installed from Config-Files state was a mistake; let’s fix that!

Thanks for your time,
Vincent

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -u chrony-1.24/ntp_core.c chrony-1.24/ntp_core.c
--- chrony-1.24/ntp_core.c
+++ chrony-1.24/ntp_core.c
@@ -966,7 +966,8 @@
       if (!KEY_KeyKnown(auth_key_id)) {
         test5 = 0;
       } else {
-        test5 = check_packet_auth(message, auth_key_id);
+        test5 = check_packet_auth(message, auth_key_id) &&
+                auth_key_id == inst->auth_key_id;
       }
     } else {
       /* If we expect authenticated info from this peer/server and the packet
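Review bot: the added `auth_key_id == inst->auth_key_id` test is evaluated only after `check_packet_auth(message, auth_key_id)` has already run, so a packet that names a known key other than the one configured for this source still costs a full MAC computation before it is rejected; putting the cheap comparison first (`test5 = auth_key_id == inst->auth_key_id && check_packet_auth(message, auth_key_id);`) short-circuits the mismatch, and the `KEY_KeyKnown` lookup could be ordered the same way. It is also worth stating in a comment what `inst->auth_key_id` holds for a source configured without a key: with this hunk an authenticated packet from such a source now fails test5 unless that field happens to equal the packet's key id, which is a change from the `-` line that a reader of this code cannot see is intended.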
diff -u chrony-1.24/debian/changelog chrony-1.24/debian/changelog
--- chrony-1.24/debian/changelog
+++ chrony-1.24/debian/changelog
@@ -1,3 +1,13 @@
+chrony (1.24-3.1+deb7u4) wheezy; urgency=medium
+
+  * Fix CVE-2016-1567: Restrict authentication of server/peer to specified
+    key. (Closes: #812923)
+
+  * debian/postrm:
+    - Remove /var/lib/chrony on purge only. (Closes: #568492)
+
+ -- Vincent Blut <vincent.deb...@free.fr>  Wed, 25 May 2016 17:15:18 +0200
+
 chrony (1.24-3.1+deb7u3) wheezy-security; urgency=medium
 
   * With the following security bugfixes (See: #782160):
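Review bot: the second bullet, "Remove /var/lib/chrony on purge only", does not match the postrm change in this same upload, which deletes the `rm -f /var/lib/chrony/*` line and adds no purge-conditional removal in its place, so after this upload postrm never removes the directory contents at all. Either reword the entry to say that the removal on upgrade was dropped, or make postrm actually remove the directory when `$1` is `purge` so that the changelog stays truthful.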
diff -u chrony-1.24/debian/postrm chrony-1.24/debian/postrm
--- chrony-1.24/debian/postrm
+++ chrony-1.24/debian/postrm
@@ -3,7 +3,6 @@
 # postrm for chrony John Hasler 1998-2006
 # Any possessor of a copy of this program may treat it as if it
 # were in the public domain.  I waive all rights.
-rm -f /var/lib/chrony/*
 if [ -x update-menus ] ; then 
 	update-menus
 fi
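Review bot: dropping the unconditional `rm -f /var/lib/chrony/*` stops the driftfile being destroyed on every upgrade, but nothing replaces it, so a purge now leaves the directory's state behind, contrary to the changelog's "on purge only". Suggest guarding on the maintainer-script argument instead, e.g. `if [ "$1" = "purge" ]; then rm -rf /var/lib/chrony; fi`. While the file is open: the retained context `if [ -x update-menus ]` tests a relative path and is only true when a file named update-menus exists in the current working directory; `if command -v update-menus >/dev/null` (or an absolute path) is what was meant. That defect is pre-existing, not introduced here.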
diff -u chrony-1.24/debian/applied/series chrony-1.24/debian/applied/series
--- chrony-1.24/debian/applied/series
+++ chrony-1.24/debian/applied/series
@@ -7,0 +8 @@
+14_restrict-authentication-of-server-peer-to-specified-key.patch
only in patch2:
unchanged:
--- chrony-1.24.orig/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch
+++ chrony-1.24/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch
@@ -0,0 +1,24 @@
+From: Vincent Blut <vincent.deb...@free.fr>
+Date: Tue, 02 Feb 2016 23:29:25 +0100
+Subject: ntp: restrict authentication of server/peer to specified key
+
+This patch fixes CVE-2016-1567 in chrony 1.24. In versions prior to 1.31.2 as
+well as all releases from the 2.x branch before 2.2.1, chrony does not verify
+peer associations of symmetric keys when authenticating packets, which might
+allow remote attackers to conduct impersonation attacks via an arbitrary
+trusted key, aka a "skeleton key".
+---
+
+diff -urNpa a/chrony-1.24/ntp_core.c b/chrony-1.24/ntp_core.c
+--- a/chrony-1.24/ntp_core.c	2016-02-02 23:28:39.070377463 +0100
++++ b/chrony-1.24/ntp_core.c	2016-02-02 23:01:10.414119775 +0100
+@@ -966,7 +966,8 @@ receive_packet(NTP_Packet *message, stru
+       if (!KEY_KeyKnown(auth_key_id)) {
+         test5 = 0;
+       } else {
+-        test5 = check_packet_auth(message, auth_key_id);
++        test5 = check_packet_auth(message, auth_key_id) &&
++                auth_key_id == inst->auth_key_id;
+       }
+     } else {
+       /* If we expect authenticated info from this peer/server and the packet

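Review bot: the patch header carries only From/Date/Subject; since the fix was rewritten for 1.24 rather than taken verbatim from upstream, a DEP-3 header recording that would help whoever next has to judge this backport, e.g. `Origin: backport`, `Bug-Debian: https://bugs.debian.org/812923` and `Forwarded: not-needed`, and the body should name the upstream change it was derived from. Minor: the `+++ b/...` timestamp (23:01:10) predates the `--- a/...` timestamp (23:28:39), which is harmless but suggests the two files were diffed the wrong way round or edited out of order. The in-tree ntp_core.c hunk above and this stored copy are byte-identical, which they must remain, since debian/applied holds patches that are already applied in the unpacked tree.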
--- End Message ---
--- Begin Message ---
On Fri, May 27, 2016 at 19:44:22 +0200, Vincent Blut wrote:

> On Fri, May 27, 2016 at 06:24:26PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> > 
> > On Wed, 2016-05-25 at 19:58 +0200, Vincent Blut wrote:
> > > Could you please accept chrony 1.24-3.1+deb7u4 in the last wheezy point
> > > release?
> > > 
> > > It fixes CVE-2016-1567 which I have backported to that specific upstream
> > > version.  It is well tested since the exact same patch has been in
> > > squeeze-lts for a while.
> > 
> > Since wheezy-lts started, we've only been accepting wheezy uploads that
> > are regression fixes so would need a compelling reason that this
> > shouldn't simply be fixed via wheezy-lts (I realise this wasn't
> > explicitly mentioned in the announcement).
> 
> Oh ok. As you said, that wasn’t really clear from the announcement that
> regression fixes only would be acceptable; I will get in touch with LTS
> folks then.
> 
Thanks; closing.

Cheers,
Julien

--- End Message ---