Bug 846392 (CVE-2012-4502, CVE-2012-4503)

Summary: CVE-2012-4502 CVE-2012-4503 chrony: Two security flaws fixed in chrony-1.29 release
Product: [Other] Security Response Reporter: Florian Weimer <fweimer>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jlieskov, mlichvar, osoukup, ovasik, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: chrony 1.29 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-08 20:22:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 995373, 995375, 995376    
Bug Blocks: 846000, 846506    

Description Florian Weimer 2012-08-07 16:19:02 UTC
In pktlength.c:PKL_CommandLength(), the computation in the REQ_SUBNETS_ACCESSED/REQ_CLIENT_ACCESSES cases can overflow, and PKL_CommandLength can return a negative value.  As a result, the subsequent attempt to hash the packet triggers an out-of-bounds read, segmentation fault, and daemon crash.  Attacks are possible from IP addresses listed in the cmdallow ACL (restricted to localhost by default) by sending UDP packets to port 323; no additional authentication is required.

The length computations in pktlength.c:PKL_ReplyLength() should be guarded against overflow, too.

Comment 25 Jan Lieskovsky 2013-08-09 07:47:04 UTC
Chrony upstream has released 1.29 version correcting the following two security flaws:

* CVE-2012-4502: Buffer overflow when processing crafted command packets

  calculated, the number of items stored in the packet is not validated.

  A crafted command request/reply can be used to crash the server/client.
  Only clients allowed by cmdallow (by default only localhost) can crash
  the server.

  With chrony versions 1.25 and 1.26 this bug has a smaller security
  impact as the server requires the clients to be authenticated in order
  to process the subnet and client accesses commands. In 1.27 and 1.28,
  however, the invalid calculated length is included also in the
  authentication check which may cause another crash.

* CVE-2012-4503: Uninitialized data in command replies

  contain uninitalized data from stack when the client logging is disabled
  or a bad subnet is requested. These commands were never used by chronyc
  and they require the client to be authenticated since version 1.25.

Comment 28 Jan Lieskovsky 2013-08-09 08:05:54 UTC
These issues affect the (latest) versions of the chrony package, as shipped with Fedora release of 18, 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.

Comment 31 Jan Lieskovsky 2013-08-09 08:08:14 UTC
Created chrony tracking bugs for this issue:

Affects: fedora-all [bug 995375]
Affects: epel-all [bug 995376]

Comment 32 Fedora Update System 2013-08-11 18:32:50 UTC
chrony-1.29-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2013-08-15 02:51:37 UTC
chrony-1.29-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2013-09-02 18:07:51 UTC
chrony-1.25-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2013-09-02 18:09:13 UTC
chrony-1.25-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Tomas Hoger 2013-11-08 20:22:08 UTC
Announcement of fixed upstream chrony version 1.29: