Miroslav Lichvar | 8 Aug 17:46 2013

chrony-1.29 released (security)

chrony-1.29 is now available. It fixes two security vulnerabilities.

The sources can be downloaded here:
http://download.tuxfamily.org/chrony/chrony-1.29.tar.gz

MD5 and SHA1 sums:
6e1a8ee2ce6632bedc2f8b5cdccfa69f  chrony-1.29.tar.gz
442fb7d62a6f23bf1057864a3dbdfa55e1b6eb35  chrony-1.29.tar.gz

Security fixes
--------------
* Fix crash when processing crafted commands (CVE-2012-4502)
  (possible with IP addresses allowed by cmdallow and localhost)
* Don't send uninitialized data in SUBNETS_ACCESSED and CLIENT_ACCESSES
  replies (CVE-2012-4503) (not used by chronyc)

Other changes
-------------
* Drop support for SUBNETS_ACCESSED and CLIENT_ACCESSES commands

CVE-2012-4502: Buffer overflow when processing crafted command packets

  When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES
  command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES,
  RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is
  calculated, the number of items stored in the packet is not validated.

  A crafted command request/reply can be used to crash the server/client.
  Only clients allowed by cmdallow (by default only localhost) can crash
  the server.

  With chrony versions 1.25 and 1.26 this bug has a smaller security
  impact as the server requires the clients to be authenticated in order
  to process the subnet and client accesses commands. In 1.27 and 1.28,
  however, the invalid calculated length is also included in the
  authentication check which may cause another crash.

CVE-2012-4503: Uninitialized data in command replies

  The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can
  contain uninitialized data from the stack when the client logging is disabled
  or a bad subnet is requested. These commands were never used by chronyc
  and they require the client to be authenticated since version 1.25.

-- 
Miroslav Lichvar
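
The length-calculation flaw described under CVE-2012-4502 above, shown as an added example that is not part of the original announcement and is not chrony's code. The packet layout, `MAX_ITEMS` and the function names are hypothetical; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_ITEMS 8u                  /* hypothetical capacity of the fixed-size packet */

struct item  { uint32_t addr, hits; };
struct reply {                        /* hypothetical layout, not chrony's */
    uint32_t n_items;                 /* sender-controlled, big-endian on the wire */
    struct item items[MAX_ITEMS];
};
#define HDR_LEN offsetof(struct reply, items)

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed: trusts the item count, so the result can exceed sizeof(struct reply).
 * Code that later authenticates or copies that many bytes runs past the buffer. */
size_t reply_length_unchecked(const unsigned char *pkt)
{
    return HDR_LEN + (size_t)be32(pkt) * sizeof(struct item);
}

/* Hardened: returns 0 for an invalid packet, which the caller must drop. */
size_t reply_length_checked(const unsigned char *pkt, size_t received)
{
    size_t len;
    if (received < HDR_LEN)
        return 0;                     /* too short to hold the count field */
    if (be32(pkt) > MAX_ITEMS)
        return 0;                     /* more items than the packet can store */
    len = HDR_LEN + (size_t)be32(pkt) * sizeof(struct item);
    return len <= received ? len : 0; /* must fit in what actually arrived */
}

/* Constructed sample packets: item count 2 (valid) and 65536 (crafted). */
static const unsigned char good_pkt[sizeof(struct reply)] = { 0, 0, 0, 2 };
static const unsigned char bad_pkt[sizeof(struct reply)]  = { 0, 1, 0, 0 };

int main(void)
{
    printf("valid:   unchecked=%zu checked=%zu\n", reply_length_unchecked(good_pkt),
           reply_length_checked(good_pkt, sizeof good_pkt));
    printf("crafted: unchecked=%zu checked=%zu\n", reply_length_unchecked(bad_pkt),
           reply_length_checked(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

The length check has to run before anything that consumes the computed length, including an authentication hash over the packet.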