Bug 846392 (CVE-2012-4502, CVE-2012-4503) - CVE-2012-4502 CVE-2012-4503 chrony: Two security flaws fixed in chrony-1.29 release
Summary: CVE-2012-4502 CVE-2012-4503 chrony: Two security flaws fixed in chrony-1.29 r...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-4502, CVE-2012-4503
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130809,repor...
Depends On: 995373 995375 995376
Blocks: 846000 846506
TreeView+ depends on / blocked
 
Reported: 2012-08-07 16:19 UTC by Florian Weimer
Modified: 2019-06-08 19:12 UTC (History)
4 users (show)

Fixed In Version: chrony 1.29
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-08 20:22:08 UTC


Attachments (Terms of Use)

Description Florian Weimer 2012-08-07 16:19:02 UTC
In pktlength.c:PKL_CommandLength(), the computation in the REQ_SUBNETS_ACCESSED/REQ_CLIENT_ACCESSES cases can overflow, and PKL_CommandLength can return a negative value.  As a result, the subsequent attempt to hash the packet triggers an out-of-bounds read, segmentation fault, and daemon crash.  Attacks are possible from IP addresses listed in the cmdallow ACL (restricted to localhost by default) by sending UDP packets to port 323; no additional authentication is required.

The length computations in pktlength.c:PKL_ReplyLength() should be guarded against overflow, too.

Comment 25 Jan Lieskovsky 2013-08-09 07:47:04 UTC
Chrony upstream has released 1.29 version correcting the following two security flaws:

* CVE-2012-4502: Buffer overflow when processing crafted command packets

  When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES
  command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES,
  RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is
  calculated, the number of items stored in the packet is not validated.

  A crafted command request/reply can be used to crash the server/client.
  Only clients allowed by cmdallow (by default only localhost) can crash
  the server.

  With chrony versions 1.25 and 1.26 this bug has a smaller security
  impact as the server requires the clients to be authenticated in order
  to process the subnet and client accesses commands. In 1.27 and 1.28,
  however, the invalid calculated length is included also in the
  authentication check which may cause another crash.

* CVE-2012-4503: Uninitialized data in command replies

  The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can
  contain uninitalized data from stack when the client logging is disabled
  or a bad subnet is requested. These commands were never used by chronyc
  and they require the client to be authenticated since version 1.25.

Comment 27 Jan Lieskovsky 2013-08-09 08:01:55 UTC
Acknowledgements CVE-2012-4502:

This issue was discovered by Florian Weimer of Red Hat.


Acknowledgements CVE-2012-4503:

This issue was discovered by Miroslav Lichvar of Red Hat.

Comment 28 Jan Lieskovsky 2013-08-09 08:05:54 UTC
These issues affect the (latest) versions of the chrony package, as shipped with Fedora release of 18, 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.

Comment 31 Jan Lieskovsky 2013-08-09 08:08:14 UTC
Created chrony tracking bugs for this issue:

Affects: fedora-all [bug 995375]
Affects: epel-all [bug 995376]

Comment 32 Fedora Update System 2013-08-11 18:32:50 UTC
chrony-1.29-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2013-08-15 02:51:37 UTC
chrony-1.29-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2013-09-02 18:07:51 UTC
chrony-1.25-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2013-09-02 18:09:13 UTC
chrony-1.25-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Tomas Hoger 2013-11-08 20:22:08 UTC
Announcement of fixed upstream chrony version 1.29:
http://permalink.gmane.org/gmane.comp.time.chrony.announce/15


Note You need to log in before you can comment on or make changes to this bug.