[chrony-users] about CVE-2020-14367

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]



I'm using chrony version 4.1 on an embedded Linux system and I found something about CVE-2020-14367if some user with privileged to change the chronyd.pid file, like echo another pid > chronyd.pid, and then we cann’t use the command “chronyd” to start chronyd service; This is because the checkpid function checks whether a valid pid exists in the pid file. However, if the pid value in the chrony.pid file is not that of the chronyd service, the denial of service will occur. Check whether the PID in the chronyd.pid file is the PID of the chronyd service instead of rejecting the file?


Thank you for any reply

Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/