chrony: Multiple issues: CVE-2015-1821 CVE-2015-1822 CVE-2015-1853

Related Vulnerabilities: CVE-2015-1821   CVE-2015-1822   CVE-2015-1853  

Debian Bug report logs - #782160

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 8 Apr 2015 18:09:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version chrony/1.30-1

Fixed in version chrony/1.30-2

Done: Joachim Wiedorn <joodebian@joonet.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#782160; Package src:chrony. (Wed, 08 Apr 2015 18:09:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Joachim Wiedorn <ad_debian@joonet.de>. (Wed, 08 Apr 2015 18:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chrony: Multiple issues: CVE-2015-1821 CVE-2015-1822 CVE-2015-1853
Date: Wed, 08 Apr 2015 20:07:12 +0200
Source: chrony
Version: 1.30-1
Severity: grave
Tags: security upstream patch fixed-upstream



*** /tmp/chrony.reportbug
Package: chrony
Severity: FILLINSEVERITY
Tags: security

Hi,

the following vulnerabilities were published for chrony. Note that I
chose severity grave, since two CVEs seem to potentially be
exploited to execute arbitrary code and chronyd is running as root.
Please lower the severity if you don't agree (I don't know chrony very
well):

CVE-2015-1821[0]:
Heap out of bound write in address filter

CVE-2015-1822[1]:
uninitialized pointer in cmdmon reply slots

CVE-2015-1853[2]:
authentication doesn't protect symmetric associations against DoS attacks

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-1821
[1] https://security-tracker.debian.org/tracker/CVE-2015-1822
[2] https://security-tracker.debian.org/tracker/CVE-2015-1853

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Joachim Wiedorn <joodebian@joonet.de>:
You have taken responsibility. (Fri, 10 Apr 2015 15:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 10 Apr 2015 15:51:06 GMT)


Message #10 received at 782160-close@bugs.debian.org:

From: Joachim Wiedorn <joodebian@joonet.de>
To: 782160-close@bugs.debian.org
Subject: Bug#782160: fixed in chrony 1.30-2
Date: Fri, 10 Apr 2015 15:49:09 +0000
Source: chrony
Source-Version: 1.30-2

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Wiedorn <joodebian@joonet.de> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 10 Apr 2015 11:41:31 +0200
Source: chrony
Binary: chrony
Architecture: source
Version: 1.30-2
Distribution: unstable
Urgency: medium
Maintainer: Joachim Wiedorn <joodebian@joonet.de>
Changed-By: Joachim Wiedorn <joodebian@joonet.de>
Description:
 chrony     - Set the computer clock from time servers on the Net
Closes: 782160
Changes:
 chrony (1.30-2) unstable; urgency=medium
 .
   * With the following security bugfixes (Closes: #782160):
     - Fix CVE-2015-1853: Protect authenticated symmetric NTP
                          associations against DoS attacks.
     - Fix CVE-2015-1821: Fix access configuration with subnet
                          size indivisible by 4.
     - Fix CVE-2015-1822: Fix initialization of reply slots for
                          authenticated commands.
   * debian/control:
    - Update e-mail address of myself.
    - Add Vincent Blut as co-maintainer.




Information forwarded to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#782160; Package src:chrony. (Fri, 10 Apr 2015 19:36:08 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <ad_debian@joonet.de>. (Fri, 10 Apr 2015 19:36:08 GMT)


Message #15 received at 782160@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Joachim Wiedorn <joodebian@joonet.de>
Cc: debian-lts@lists.debian.org, 782160@bugs.debian.org
Subject: squeeze update of chrony?
Date: Fri, 10 Apr 2015 21:33:37 +0200

Hello Joachim,

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of chrony:
https://security-tracker.debian.org/tracker/CVE-2015-1821
https://security-tracker.debian.org/tracker/CVE-2015-1822
https://security-tracker.debian.org/tracker/CVE-2015-1853

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated. If you planned to prepare a fixed
wheezy version, it should not be too hard to handle squeeze at the same
time since squeeze has the same upstream version as wheezy.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#782160; Package src:chrony. (Fri, 10 Apr 2015 21:03:21 GMT)


Acknowledgement sent to Joachim Wiedorn <joodebian@joonet.de>:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <ad_debian@joonet.de>. (Fri, 10 Apr 2015 21:03:21 GMT)


Message #20 received at 782160@bugs.debian.org:

From: Joachim Wiedorn <joodebian@joonet.de>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 782160@bugs.debian.org
Subject: Re: Bug#782160: squeeze update of chrony?
Date: Fri, 10 Apr 2015 22:46:27 +0200

Hello Raphael,

Raphael Hertzog wrote on 2015-04-10 21:33:

> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated. If you planned to prepare a fixed
> wheezy version, it should not be too hard to handle squeeze at the same
> time since squeeze has the same upstream version as wheezy.

At first I looked into patching the Wheezy package. It was doable.
Now I will test it on my (main) PC, which still has Wheezy installed.

Then I think it should be easy for Squeeze, too.

You will hear from me.

---
Have a nice day.

Joachim (Germany)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#782160; Package src:chrony. (Fri, 10 Apr 2015 22:18:04 GMT)


Acknowledgement sent to Joachim Wiedorn <joodebian@joonet.de>:
Extra info received and forwarded to list. (Fri, 10 Apr 2015 22:18:04 GMT)


Message #25 received at 782160@bugs.debian.org:

From: Joachim Wiedorn <joodebian@joonet.de>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 782160@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#782160: squeeze update of chrony + wheezy update of chrony
Date: Sat, 11 Apr 2015 00:14:44 +0200

Hello Raphael,

Raphael Hertzog wrote on 2015-04-10 21:33:

> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

I would be very pleased if someone from the LTS team could sponsor
both of my packages:

for squeeze-security: chrony 1.24-3+squeeze2
see here:  http://www.joonet.de/sources/chrony/squeeze-security/
Both architectures were produced with pbuilder in a clean environment.
The deb files were not tested!

for wheezy-security:  chrony 1.24-3.1+deb7u3
see here: http://www.joonet.de/sources/chrony/wheezy-security/
Both architectures were produced with pbuilder in a clean environment.
The deb file for amd64 was tested, but not for i386.

For your information:
In the "debian" directory I have added a directory "applied" with
all applied patches to the sources, because both packages still
have source format 1.0. Only the three patches 11, 12, 13 are
new.

Changes since the last uploads:

  * With the following security bugfixes (See: #782160):
    - Fix CVE-2015-1853: Protect authenticated symmetric NTP
                         associations against DoS attacks.
    - Fix CVE-2015-1821: Fix access configuration with subnet
                         size indivisible by 4.
    - Fix CVE-2015-1822: Fix initialization of reply slots for
                         authenticated commands.


---
Have a nice day.

Joachim (Germany)

Information forwarded to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <joodebian@joonet.de>:
Bug#782160; Package src:chrony. (Sun, 12 Apr 2015 12:03:05 GMT)


Acknowledgement sent to Alessandro Ghedini <ghedo@debian.org>:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <joodebian@joonet.de>. (Sun, 12 Apr 2015 12:03:05 GMT)


Message #30 received at 782160@bugs.debian.org:

From: Alessandro Ghedini <ghedo@debian.org>
To: Joachim Wiedorn <joodebian@joonet.de>, 782160@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>, debian-lts@lists.debian.org
Subject: Re: Bug#782160: squeeze update of chrony + wheezy update of chrony
Date: Sun, 12 Apr 2015 14:00:28 +0200

Hi Joachim,

> Raphael Hertzog wrote on 2015-04-10 21:33:
> 
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to debian-lts@lists.debian.org
> > (via a debdiff, or with a URL pointing to the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
> 
> I would be very pleased if someone from the LTS team could sponsor
> both of my packages:
> 
> for squeeze-security: chrony 1.24-3+squeeze2
> see here:  http://www.joonet.de/sources/chrony/squeeze-security/
> Both architectures were produced with pbuilder in a clean environment.
> The deb files were not tested!
> 
> for wheezy-security:  chrony 1.24-3.1+deb7u3
> see here: http://www.joonet.de/sources/chrony/wheezy-security/
> Both architectures were produced with pbuilder in a clean environment.
> The deb file for amd64 was tested, but not for i386.
> 
> For your information:
> In the "debian" directory I have added a directory "applied" with
> all applied patches to the sources, because both packages still
> have source format 1.0. Only the three patches 11, 12, 13 are
> new.
> 
> Changes since the last uploads:
> 
>   * With the following security bugfixes (See: #782160):
>     - Fix CVE-2015-1853: Protect authenticated symmetric NTP
>                          associations against DoS attacks.
>     - Fix CVE-2015-1821: Fix access configuration with subnet
>                          size indivisible by 4.
>     - Fix CVE-2015-1822: Fix initialization of reply slots for
>                          authenticated commands.

The wheezy update looks good, though in the future I'd avoid adding unnecessary
changes to the package (the debian/applied/ directory in this case) since it
makes reviewing the update harder.

Anyway, thanks for preparing the updated packages, I'll take care of the wheezy
DSA in a bit.

Cheers

Information forwarded to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <joodebian@joonet.de>:
Bug#782160; Package src:chrony. (Sun, 12 Apr 2015 15:15:04 GMT)


Acknowledgement sent to Thorsten Alteholz <debian@alteholz.de>:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <joodebian@joonet.de>. (Sun, 12 Apr 2015 15:15:04 GMT)


Message #35 received at 782160@bugs.debian.org:

From: Thorsten Alteholz <debian@alteholz.de>
To: Joachim Wiedorn <joodebian@joonet.de>
Cc: 782160@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Bug#782160: squeeze update of chrony + wheezy update of chrony
Date: Sun, 12 Apr 2015 16:22:51 +0200 (CEST)

Hi Joachim,

thanks a lot for preparing the package, I just uploaded it.

On Sat, 11 Apr 2015, Joachim Wiedorn wrote:
> I would be very pleased if someone from the LTS team could sponsor
> both of my packages:

I have only one remark. The packages for Squeeze need to go to 
"squeeze-lts" instead of "oldstable-security" now.

  Thorsten




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:55:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:24:59 2019; Machine Name: buxtehude
