Bug 846392 - (CVE-2012-4502, CVE-2012-4503) CVE-2012-4502 CVE-2012-4503 chrony: Two security flaws fixed in chrony-1.29 release
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130809,repor...
Keywords: Security
Depends On: 995373 995375 995376
Blocks: 846000 846506
Reported: 2012-08-07 12:19 EDT by Florian Weimer
Modified: 2015-10-15 13:51 EDT (History)

Fixed In Version: chrony 1.29
Doc Type: Bug Fix
Last Closed: 2013-11-08 15:22:08 EST
Type: Bug
Description Florian Weimer 2012-08-07 12:19:02 EDT
In pktlength.c:PKL_CommandLength(), the computation in the REQ_SUBNETS_ACCESSED/REQ_CLIENT_ACCESSES cases can overflow, and PKL_CommandLength can return a negative value.  As a result, the subsequent attempt to hash the packet triggers an out-of-bounds read, segmentation fault, and daemon crash.  Attacks are possible from IP addresses listed in the cmdallow ACL (restricted to localhost by default) by sending UDP packets to port 323; no additional authentication is required.

The length computations in pktlength.c:PKL_ReplyLength() should be guarded against overflow, too.
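The following is an added example, not chrony's code and not from the reporter: it models the length calculation described above (and summarized as CVE-2012-4502 in the comment that follows) in a simplified form, and places a bounds-checked version beside it. The struct layout, the REQ_SUBNETS_ACCESSED item type, the MAX_SUBNETS_ACCESSED bound and all function names are assumptions made for illustration, not chrony's real definitions.

```c
/*
 * Added example, not chrony's code: a simplified model of the length
 * calculation the bug report describes in pktlength.c:PKL_CommandLength(),
 * beside a bounds-checked version. Struct layout, constants and names are
 * assumptions made for illustration, not chrony's real definitions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUBNETS_ACCESSED 8u   /* assumed protocol maximum for items per request */

struct subnet_item {             /* one REQ_SUBNETS_ACCESSED entry (assumed layout) */
    uint32_t ip;
    uint32_t bits_specd;
};

struct cmd_request {             /* fixed-size request as held in the daemon's buffer */
    uint16_t version;
    uint16_t command;
    uint32_t n_subnets;          /* item count copied from the wire: attacker-controlled */
    struct subnet_item subnets[MAX_SUBNETS_ACCESSED];
};

/*
 * Vulnerable shape: the wire count is multiplied by the item size and the sum
 * is returned as int with no validation. The multiplication is 32-bit, so
 * n_subnets = 0x20000000 makes the product wrap to 0 and the function reports
 * an 8-byte packet; n_subnets = 0x10000000 gives 0x80000008, which converts
 * to a negative int (implementation-defined, but modular on gcc and clang).
 * A caller that then hashes "len" bytes reads far outside the buffer.
 */
int vuln_command_length(const struct cmd_request *r)
{
    uint32_t ns = r->n_subnets;                 /* assume host byte order already */
    uint32_t len = (uint32_t)offsetof(struct cmd_request, subnets)
                 + ns * (uint32_t)sizeof(struct subnet_item);
    return (int)len;
}

/*
 * Hardened shape: bound the count before any arithmetic, and refuse to report
 * a length the fixed-size struct cannot hold. 0 is used here as the
 * "malformed packet" result so callers drop the packet instead of hashing it.
 */
int safe_command_length(const struct cmd_request *r)
{
    uint32_t ns = r->n_subnets;
    if (ns > MAX_SUBNETS_ACCESSED)
        return 0;
    size_t len = offsetof(struct cmd_request, subnets)
               + (size_t)ns * sizeof(struct subnet_item);
    if (len > sizeof(struct cmd_request))       /* unreachable after the bound check; kept as a second guard */
        return 0;
    return (int)len;
}

/* Constructed request with a chosen item count; the items themselves are zero. */
static struct cmd_request make_request(uint32_t n_subnets)
{
    struct cmd_request r;
    memset(&r, 0, sizeof r);
    r.version = 6;              /* arbitrary protocol version for the example */
    r.command = 22;             /* stands in for REQ_SUBNETS_ACCESSED */
    r.n_subnets = n_subnets;
    return r;
}

int demo_vuln_length(uint32_t n_subnets)
{
    struct cmd_request r = make_request(n_subnets);
    return vuln_command_length(&r);
}

int demo_safe_length(uint32_t n_subnets)
{
    struct cmd_request r = make_request(n_subnets);
    return safe_command_length(&r);
}

int main(void)
{
    uint32_t counts[] = { 3, 0x10000000u, 0x20000000u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("n_subnets=0x%08x  vulnerable=%d  hardened=%d\n",
               counts[i], demo_vuln_length(counts[i]), demo_safe_length(counts[i]));
    return 0;
}
```

A legitimate request with three items yields 32 from both functions; the two crafted counts make the unchecked version return a negative length and a length of 8, respectively, while the checked version returns 0 for both. The same bound-then-compute pattern applies to the reply-length calculation the reporter mentions.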
Comment 25 Jan Lieskovsky 2013-08-09 03:47:04 EDT
Chrony upstream has released 1.29 version correcting the following two security flaws:

* CVE-2012-4502: Buffer overflow when processing crafted command packets

  When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES
  command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES,
  RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is
  calculated, the number of items stored in the packet is not validated.

  A crafted command request/reply can be used to crash the server/client.
  Only clients allowed by cmdallow (by default only localhost) can crash
  the server.

  With chrony versions 1.25 and 1.26 this bug has a smaller security
  impact as the server requires the clients to be authenticated in order
  to process the subnet and client accesses commands. In 1.27 and 1.28,
  however, the invalid calculated length is included also in the
  authentication check which may cause another crash.

* CVE-2012-4503: Uninitialized data in command replies

  The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can
  contain uninitialized data from stack when the client logging is disabled
  or a bad subnet is requested. These commands were never used by chronyc
  and they require the client to be authenticated since version 1.25.
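The following is an added example, not chrony's code and not from the commenter: it models the CVE-2012-4503 pattern, a fixed-size reply whose payload is never written on an early-return path (here, client logging disabled) and is then transmitted whole, beside the usual fix of zeroing the entire reply before filling it. The struct layout, status codes and function names are assumptions made for illustration. Because reading a genuinely uninitialized stack buffer is not reproducible, the example pre-fills the reply with a marker byte that stands in for stale stack contents and counts how many marker bytes would reach the wire.

```c
/*
 * Added example, not chrony's code: a model of the uninitialized-reply flaw
 * described as CVE-2012-4503, beside the usual fix (zero the whole reply
 * before filling it). Struct layout, status codes and names are assumptions
 * made for illustration, not chrony's real definitions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENT_ACCESSES 8u   /* assumed maximum entries per reply */
#define STT_SUCCESS  0           /* hypothetical status codes */
#define STT_INACTIVE 1           /* "client logging is disabled" */

struct client_access {          /* one RPY_CLIENT_ACCESSES entry (assumed layout) */
    uint32_t ip;
    uint32_t ntp_hits;
    uint32_t cmd_hits;
};

struct reply_client_accesses {  /* fixed-size reply; the whole struct goes on the wire */
    uint16_t status;
    uint16_t n_clients;
    struct client_access clients[MAX_CLIENT_ACCESSES];
};

/* Shared fill logic for the success path; the values are constructed samples. */
static void fill_clients(struct reply_client_accesses *tx, unsigned n)
{
    tx->status = STT_SUCCESS;
    tx->n_clients = (uint16_t)n;
    for (unsigned i = 0; i < n; i++) {
        tx->clients[i].ip = 0x0A000001u + i;   /* 10.0.0.1, 10.0.0.2, ... */
        tx->clients[i].ntp_hits = 100u * (i + 1);
        tx->clients[i].cmd_hits = i;
    }
}

/*
 * Vulnerable shape: with client logging disabled the handler sets only the
 * status and returns, but the caller still transmits sizeof(*tx) bytes, so
 * n_clients and clients[] carry whatever the buffer held before. On the
 * daemon that buffer is a stack variable, hence stale stack contents leak.
 * An early return for a bad subnet index has exactly the same effect.
 */
void vuln_handle_client_accesses(struct reply_client_accesses *tx,
                                 int logging_enabled, unsigned n_requested)
{
    if (!logging_enabled) {
        tx->status = STT_INACTIVE;
        return;
    }
    if (n_requested > MAX_CLIENT_ACCESSES) n_requested = MAX_CLIENT_ACCESSES;
    fill_clients(tx, n_requested);
}

/* Hardened shape: every byte that will be transmitted is defined up front. */
void hardened_handle_client_accesses(struct reply_client_accesses *tx,
                                     int logging_enabled, unsigned n_requested)
{
    memset(tx, 0, sizeof *tx);
    if (!logging_enabled) {
        tx->status = STT_INACTIVE;
        return;
    }
    if (n_requested > MAX_CLIENT_ACCESSES) n_requested = MAX_CLIENT_ACCESSES;
    fill_clients(tx, n_requested);
}

/*
 * Pre-fill the reply with a marker byte standing in for stale stack data,
 * run the "logging disabled" path, and count marker bytes that would reach
 * the wire. Deterministic, unlike reading a genuinely uninitialized stack.
 */
size_t demo_leaked_bytes(int use_hardened)
{
    struct reply_client_accesses tx;
    memset(&tx, 0xA5, sizeof tx);              /* constructed residue pattern */
    if (use_hardened)
        hardened_handle_client_accesses(&tx, 0, 3);
    else
        vuln_handle_client_accesses(&tx, 0, 3);

    const unsigned char *p = (const unsigned char *)&tx;
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof tx; i++)
        if (p[i] == 0xA5)
            leaked++;
    return leaked;
}

/* The success path still works after hardening: returns the reported entry count. */
unsigned demo_hardened_success_count(unsigned n_requested)
{
    struct reply_client_accesses tx;
    hardened_handle_client_accesses(&tx, 1, n_requested);
    return tx.n_clients;
}

int main(void)
{
    printf("logging disabled, vulnerable handler: %zu of %zu reply bytes still hold stale data\n",
           demo_leaked_bytes(0), sizeof(struct reply_client_accesses));
    printf("logging disabled, hardened handler:   %zu stale bytes\n", demo_leaked_bytes(1));
    printf("logging enabled,  hardened handler:   %u entries\n", demo_hardened_success_count(3));
    return 0;
}
```

With the unchecked handler, every byte of the 100-byte reply except the two status bytes still holds the marker when logging is disabled; the zeroing handler leaks none and still reports the right entry count on the success path.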
Comment 27 Jan Lieskovsky 2013-08-09 04:01:55 EDT
Acknowledgements CVE-2012-4502:

This issue was discovered by Florian Weimer of Red Hat.


Acknowledgements CVE-2012-4503:

This issue was discovered by Miroslav Lichvar of Red Hat.
Comment 28 Jan Lieskovsky 2013-08-09 04:05:54 EDT
These issues affect the (latest) versions of the chrony package, as shipped with Fedora releases 18 and 19, and with Fedora EPEL-5 and EPEL-6. Please schedule an update.
Comment 31 Jan Lieskovsky 2013-08-09 04:08:14 EDT
Created chrony tracking bugs for this issue:

Affects: fedora-all [bug 995375]
Affects: epel-all [bug 995376]
Comment 32 Fedora Update System 2013-08-11 14:32:50 EDT
chrony-1.29-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2013-08-14 22:51:37 EDT
chrony-1.29-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2013-09-02 14:07:51 EDT
chrony-1.25-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 35 Fedora Update System 2013-09-02 14:09:13 EDT
chrony-1.25-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Tomas Hoger 2013-11-08 15:22:08 EST
Announcement of fixed upstream chrony version 1.29:
http://permalink.gmane.org/gmane.comp.time.chrony.announce/15
