[chrony-dev] chrony-1.29 released (security) |
[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]
chrony-1.29 is now available. It fixes two security vulnerabilities. The sources can be downloaded here: http://download.tuxfamily.org/chrony/chrony-1.29.tar.gz MD5 and SHA1 sums: 6e1a8ee2ce6632bedc2f8b5cdccfa69f chrony-1.29.tar.gz 442fb7d62a6f23bf1057864a3dbdfa55e1b6eb35 chrony-1.29.tar.gz Security fixes -------------- * Fix crash when processing crafted commands (CVE-2012-4502) (possible with IP addresses allowed by cmdallow and localhost) * Don't send uninitialized data in SUBNETS_ACCESSED and CLIENT_ACCESSES replies (CVE-2012-4503) (not used by chronyc) Other changes ------------- * Drop support for SUBNETS_ACCESSED and CLIENT_ACCESSES commands CVE-2012-4502: Buffer overflow when processing crafted command packets When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES, RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is calculated, the number of items stored in the packet is not validated. A crafted command request/reply can be used to crash the server/client. Only clients allowed by cmdallow (by default only localhost) can crash the server. With chrony versions 1.25 and 1.26 this bug has a smaller security impact as the server requires the clients to be authenticated in order to process the subnet and client accesses commands. In 1.27 and 1.28, however, the invalid calculated length is included also in the authentication check which may cause another crash. CVE-2012-4503: Uninitialized data in command replies The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can contain uninitalized data from stack when the client logging is disabled or a bad subnet is requested. These commands were never used by chronyc and they require the client to be authenticated since version 1.25. -- Miroslav Lichvar
Attachment:
pgpULEDM1oSzE.pgp
Description: PGP signature
Mail converted by MHonArc 2.6.19+ | http://listengine.tuxfamily.org/ |