[chrony-users] about CVE-2020-14367

[chrony-users] about CVE-2020-14367

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: "chrony-users@xxxxxxxxxxxxxxxxxxxx" <chrony-users@xxxxxxxxxxxxxxxxxxxx>
Subject: [chrony-users] about CVE-2020-14367
From: chengyechun <chengyechun1@xxxxxxxxxx>
Date: Mon, 6 Jun 2022 09:04:46 +0000
Accept-language: zh-CN, en-US
Thread-index: Adh5geEfS6Ujq4JTSHmOT8Pa0Zv+4w==
Thread-topic: about CVE-2020-14367

All，

I'm using chrony version 4.1 on an embedded Linux system and I found something about CVE-2020-14367：if some user with privileged to change the chronyd.pid file, like echo another pid > chronyd.pid, and then we cann’t use the command “chronyd” to start chronyd service; This is because the checkpid function checks whether a valid pid exists in the pid file. However, if the pid value in the chrony.pid file is not that of the chronyd service, the denial of service will occur. Check whether the PID in the chronyd.pid file is the PID of the chronyd service instead of rejecting the file?

Thank you for any reply

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-users] Seeking assistance deciphering NTP packet capture
Next by Date: 答复: [chrony-users] about CVE-2020-14367
Previous by thread: RE: [chrony-users] Seeking assistance deciphering NTP packet capture
Next by thread: 答复: [chrony-users] about CVE-2020-14367

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/