chrony: CVE-2012-4502 and CVE-2012-4503


Debian Bug report logs - #719203


Package: chrony; Maintainer for chrony is Vincent Blut <vincent.debian@free.fr>; Source for chrony is src:chrony (PTS, buildd, popcon).

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 9 Aug 2013 08:51:02 UTC

Severity: grave

Tags: security

Found in version chrony/1.24-3

Fixed in versions chrony/1.24-3.1+deb7u2, chrony/1.29-1

Done: Joachim Wiedorn <ad_debian@joonet.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#719203; Package chrony. (Fri, 09 Aug 2013 08:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Fri, 09 Aug 2013 08:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chrony: CVE-2012-4502 and CVE-2012-4503
Date: Fri, 09 Aug 2013 10:46:07 +0200
Package: chrony
Severity: important

Hi,

the following vulnerabilities were published for chrony.

CVE-2012-4502[0]:
Buffer overflow when processing crafted command packets

CVE-2012-4503[1]:
Uninitialized data in command replies

Upstream commits fixing these issues are at [2] and [3]. See also [4].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2012-4502
[1] http://security-tracker.debian.org/tracker/CVE-2012-4503
[2] http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=7712455d9aa33d0db0945effaa07e900b85987b1
[3] http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
[4] http://permalink.gmane.org/gmane.comp.time.chrony.announce/15

Regards,
Salvatore



Marked as found in versions chrony/1.24-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 21 Sep 2013 08:06:04 GMT)


Marked as fixed in versions chrony/1.24-3.1+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 21 Sep 2013 08:18:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#719203; Package chrony. (Thu, 24 Oct 2013 20:12:05 GMT)


Acknowledgement sent to Adrian Bunk <bunk@stusta.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Thu, 24 Oct 2013 20:12:05 GMT)


Message #14 received at 719203@bugs.debian.org:

From: Adrian Bunk <bunk@stusta.de>
To: 719203@bugs.debian.org
Cc: control@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Raising severity
Date: Thu, 24 Oct 2013 23:09:16 +0300
severity 719203 grave
tags 719203 +security
thanks

Setting RC severity.

DSA for stable was already released more than a month ago:
  http://www.debian.org/security/2013/dsa-2760


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




Severity set to 'grave' from 'important'. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Thu, 24 Oct 2013 20:12:08 GMT)


Added tag(s) security. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Thu, 24 Oct 2013 20:12:09 GMT)


Reply sent to Joachim Wiedorn <ad_debian@joonet.de>:
You have taken responsibility. (Sat, 21 Dec 2013 12:24:26 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 21 Dec 2013 12:24:26 GMT)


Message #23 received at 719203-close@bugs.debian.org:

From: Joachim Wiedorn <ad_debian@joonet.de>
To: 719203-close@bugs.debian.org
Subject: Bug#719203: fixed in chrony 1.29-1
Date: Sat, 21 Dec 2013 12:18:32 +0000
Source: chrony
Source-Version: 1.29-1

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719203@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Wiedorn <ad_debian@joonet.de> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 Dec 2013 23:35:25 +0100
Source: chrony
Binary: chrony
Architecture: source amd64
Version: 1.29-1
Distribution: unstable
Urgency: medium
Maintainer: Joachim Wiedorn <ad_debian@joonet.de>
Changed-By: Joachim Wiedorn <ad_debian@joonet.de>
Description: 
 chrony     - Set the computer clock from time servers on the Net
Closes: 637514 646732 652207 705768 719132 719203
Changes: 
 chrony (1.29-1) unstable; urgency=medium
 .
   * New upstream release with some bugfixes:
     - Closes: #719132: new upstream version, fixes security bugs.
     - Closes: #719203: Fixing vulnerabilities:
         CVE-2012-4502 - Buffer overflow,
         CVE-2012-4503 - Uninitialized data.
 .
   * debian/control:
     - Set myself as new maintainer. Closes: #705768
     - Bump to Standards-Version 3.9.5.
     - Move to debhelper >= 9 and compat level 9.
     - Update package descriptions.
     - Add Vcs fields to new git repository.
     - Add dependency to lsb-base (for init script).
     - Add build dependency to libtomcrypt-dev.
   * Move to source format 3.0 (quilt).
   * Add the following patch files:  (Closes: #637514)
     - 01_fix-small-typo-in-manpages
     - 03_recreate-always-getdate-c
     - 04_do-not-look-for-ncurses    (Closes: #646732)
     - 05_disable-installation-of-license
   * debian/rules:
     - Move to dh-based rules file.
     - Enable parallel builds.
 .
   * Add debian/watch file.
   * Full update of debian/copyright file.
   * Add debian/doc-base file.
   * Full update of debian/README.Debian file.
   * Update debian/postinst, debian/postrm, debian/prerm.
   * Remove obsolete debian/preinst. Reduce mailing within postinst.
   * Do not use old md5sum file anymore for ucf in postinst script.
   * Add status action in init script (debian/init). Closes: #652207
   * Add debian/install file for installing example of chrony.conf.
   * Reduce debian/dirs file for use with debhelper 9.
Checksums-Sha1: 
 165a0e22dac426a70bff0eb9cf0474644ead46c6 1894 chrony_1.29-1.dsc
 442fb7d62a6f23bf1057864a3dbdfa55e1b6eb35 392880 chrony_1.29.orig.tar.gz
 edd3f283be83e4c0f521a347a837f7653d752f44 19008 chrony_1.29-1.debian.tar.gz
 54e0cbd50c62573a3438d6a536243e95e5fa2226 239766 chrony_1.29-1_amd64.deb
Checksums-Sha256: 
 0bd9873663eb18b52bc044d1d3ad06472b6494a9f0b98319348ea2f9882068de 1894 chrony_1.29-1.dsc
 c685f072ba0663ab026a7f56870ab2c246bd97ca4629dd2e1899617bd16ad39b 392880 chrony_1.29.orig.tar.gz
 64214a323a1e352149498f182e705d68023e0ffba49286328b52fa658737701e 19008 chrony_1.29-1.debian.tar.gz
 2ba47824e635d615d34c429f9f2359d9ae902772082f348dfc0ce77cd142095b 239766 chrony_1.29-1_amd64.deb
Files: 
 60e1729f519114f9b9c9dc4fcc3d5487 1894 admin extra chrony_1.29-1.dsc
 6e1a8ee2ce6632bedc2f8b5cdccfa69f 392880 admin extra chrony_1.29.orig.tar.gz
 344bda4f82dfd43636d46e843da5754d 19008 admin extra chrony_1.29-1.debian.tar.gz
 2153c9950cbd51289d940a867a296950 239766 admin extra chrony_1.29-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
[PGP signature data not preserved in this copy]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jan 2014 07:25:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:22:32 2019; Machine Name: buxtehude
