Bug 846392 (CVE-2012-4502, CVE-2012-4503)
| Summary: | CVE-2012-4502 CVE-2012-4503 chrony: Two security flaws fixed in chrony-1.29 release | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Florian Weimer <fweimer> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | jlieskov, mlichvar, osoukup, ovasik, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | chrony 1.29 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-08 20:22:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 995373, 995375, 995376 | | |
| Bug Blocks: | 846000, 846506 | | |

Description
Florian Weimer
2012-08-07 16:19:02 UTC
Chrony upstream has released version 1.29, correcting the following two security flaws:

* CVE-2012-4502: Buffer overflow when processing crafted command packets

  When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES, RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is calculated, the number of items stored in the packet is not validated.

  A crafted command request/reply can be used to crash the server/client. Only clients allowed by cmdallow (by default only localhost) can crash the server.

  With chrony versions 1.25 and 1.26 this bug has a smaller security impact, as the server requires the clients to be authenticated in order to process the subnet and client accesses commands. In 1.27 and 1.28, however, the invalid calculated length is also included in the authentication check, which may cause another crash.

* CVE-2012-4503: Uninitialized data in command replies

  The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can contain uninitialized data from the stack when the client logging is disabled or a bad subnet is requested. These commands were never used by chronyc and they require the client to be authenticated since version 1.25.

Upstream patches:

http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=7712455d9aa33d0db0945effaa07e900b85987b1 (for CVE-2013-4502)

http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3 (for CVE-2013-4503)

These issues affect the (latest) versions of the chrony package, as shipped with Fedora releases 18 and 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.

Created chrony tracking bugs for this issue:

Affects: fedora-all [bug 995375]
Affects: epel-all [bug 995376]

chrony-1.29-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.29-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.25-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

chrony-1.25-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Announcement of fixed upstream chrony version 1.29: http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
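
The class of flaw described for CVE-2012-4502 (a packet length computed from an item count that is never validated) is illustrated below as an added example; it is not chrony's code and not part of the original report. The packet layout, `MAX_ITEMS`, and all function names are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_ITEMS 8u /* assumed capacity of the fixed-size item array */

/* Hypothetical wire layout, not chrony's: header, item count, item array. */
typedef struct { uint32_t ip, hits; } Item;
typedef struct {
    uint16_t command, pad;
    uint32_t n_items; /* network byte order, set by the sender */
    Item items[MAX_ITEMS];
} Packet;

/* Flawed pattern: trusts n_items, so the result can exceed sizeof(Packet). */
size_t length_unchecked(const Packet *p)
{
    return offsetof(Packet, items) + (size_t)ntohl(p->n_items) * sizeof(Item);
}

/* Hardened pattern: 0 means "invalid", returned when the count exceeds capacity. */
size_t length_checked(const Packet *p)
{
    uint32_t n = ntohl(p->n_items);
    if (n > MAX_ITEMS)
        return 0;
    return offsetof(Packet, items) + (size_t)n * sizeof(Item);
}

/* Accept a packet only if its validated length fits the bytes received. */
int packet_ok(const Packet *p, size_t received)
{
    size_t expected = length_checked(p);
    return expected != 0 && received >= expected && received <= sizeof(Packet);
}

/* Constructed sample input: an otherwise empty packet claiming n items. */
Packet make_packet(uint32_t n)
{
    Packet p = { .n_items = htonl(n) };
    return p;
}

int main(void)
{
    Packet bad = make_packet(1000); /* claims 1000 items in an 8-item buffer */
    printf("unchecked=%zu checked=%zu\n", length_unchecked(&bad), length_checked(&bad));
    return packet_ok(&bad, sizeof bad); /* 0: rejected */
}
```

Any later step that consumes the computed length, such as an authentication hash over the packet, should use only the validated value, since the report notes that in 1.27 and 1.28 the invalid length also reached the authentication check.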