In pktlength.c:PKL_CommandLength(), the computation in the REQ_SUBNETS_ACCESSED/REQ_CLIENT_ACCESSES cases can overflow, and PKL_CommandLength can return a negative value. As a result, the subsequent attempt to hash the packet triggers an out-of-bounds read, segmentation fault, and daemon crash. Attacks are possible from IP addresses listed in the cmdallow ACL (restricted to localhost by default) by sending UDP packets to port 323; no additional authentication is required.
The length computations in pktlength.c:PKL_ReplyLength() should be guarded against overflow, too.
Chrony upstream has released 1.29 version correcting the following two security flaws:
* CVE-2012-4502: Buffer overflow when processing crafted command packets
When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES
command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES,
RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is
calculated, the number of items stored in the packet is not validated.
A crafted command request/reply can be used to crash the server/client.
Only clients allowed by cmdallow (by default only localhost) can crash
With chrony versions 1.25 and 1.26 this bug has a smaller security
impact as the server requires the clients to be authenticated in order
to process the subnet and client accesses commands. In 1.27 and 1.28,
however, the invalid calculated length is included also in the
authentication check which may cause another crash.
* CVE-2012-4503: Uninitialized data in command replies
The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can
contain uninitalized data from stack when the client logging is disabled
or a bad subnet is requested. These commands were never used by chronyc
and they require the client to be authenticated since version 1.25.
http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=7712455d9aa33d0db0945effaa07e900b85987b1 (for CVE-2013-4502)
http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3 (for CVE-2013-4503)
This issue was discovered by Florian Weimer of Red Hat.
This issue was discovered by Miroslav Lichvar of Red Hat.
These issues affect the (latest) versions of the chrony package, as shipped with Fedora release of 18, 19, Fedora EPEL-5, and Fedora EPEL-6. Please schedule an update.
Created chrony tracking bugs for this issue:
Affects: fedora-all [bug 995375]
Affects: epel-all [bug 995376]
chrony-1.29-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
chrony-1.29-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
chrony-1.25-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
chrony-1.25-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Announcement of fixed upstream chrony version 1.29: