Bug 15647

Summary: chrony new security issues CVE-2015-1821, CVE-2015-1822, and CVE-2015-1853
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: mageia, sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/640166/
Whiteboard: MGA4-32-OK advisory
Source RPM: chrony-1.31-2.mga5.src.rpm

Description David Walser 2015-04-07 19:20:45 CEST
Upstream has announced three security issues today (April 7):
http://chrony.tuxfamily.org/News.html

The issues are fixed in 1.31.1.

It got mentioned on oss-security as well:
http://openwall.com/lists/oss-security/2015/04/07/5

Mageia 4 and Mageia 5 are affected.

For Mageia 5, we can just update to 1.31.1.  For Mageia 4, we'll probably want to see if we can get backported patches for 1.29.1.

David Walser 2015-04-07 19:20:51 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-08 13:51:40 CEST
A more direct mention of this on oss-security:
http://openwall.com/lists/oss-security/2015/04/07/10

Comment 2 David Walser 2015-04-08 14:52:38 CEST
RHEL7 has chrony 1.29.1, so some backported patches may show up there.  Unfortunately, Fedora 19 is no longer supported, so Fedora won't be backporting patches to 1.29.1.  Ubuntu 14.10 also has 1.29.1.

Severity: normal => major

Comment 3 David Walser 2015-04-08 21:11:56 CEST
chrony-1.31.1-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Sander Lepik 2015-04-11 22:21:15 CEST

CC: (none) => mageia
Assignee: bugsquad => luigiwalser

Comment 5 David Walser 2015-04-13 23:10:14 CEST
Debian has issued an advisory for this on April 12:
https://lists.debian.org/debian-security-announce/2015/msg00110.html

URL: (none) => http://lwn.net/Vulnerabilities/640166/

Comment 6 David Walser 2015-04-20 15:59:36 CEST
Patched package uploaded for Mageia 4.

Advisory:
========================

Updated chrony package fixes security vulnerabilities:

Using particular address/subnet pairs when configuring access control would
cause an invalid memory write. This could allow attackers to cause a denial
of service (crash) or execute arbitrary code (CVE-2015-1821).

When allocating memory to save unacknowledged replies to authenticated
command requests, a pointer would be left uninitialized, which could trigger
an invalid memory write. This could allow attackers to cause a denial of
service (crash) or execute arbitrary code (CVE-2015-1822).

When peering with other NTP hosts using authenticated symmetric association,
the internal state variables would be updated before the MAC of the NTP
messages was validated. This could allow a remote attacker to cause a denial
of service by impeding synchronization between NTP peers (CVE-2015-1853).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1853
http://chrony.tuxfamily.org/News.html
https://www.debian.org/security/2015/dsa-3222
========================

Updated packages in core/updates_testing:
========================
chrony-1.29.1-1.1.mga4

from chrony-1.29.1-1.1.mga4.src.rpm

Assignee: luigiwalser => qa-bugs
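
The ordering problem the advisory above describes for CVE-2015-1853, as an added example that is not part of this bug report and is not chrony's code: a simplified Python model of a receiver that either writes state before checking the MAC or checks the MAC first. The packet layout, the `Peer` class, the `remote_tx` field and the use of HMAC-SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"   # constructed sample key, not a real one
MAC_LEN = hashlib.sha256().digest_size

def make_packet(key, tx_timestamp):
    """Build a model packet: 8-byte timestamp followed by its MAC."""
    payload = struct.pack("!Q", tx_timestamp)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

class Peer:
    """Hypothetical, simplified receiver for one authenticated association."""

    def __init__(self, key, verify_first):
        self.key = key
        self.verify_first = verify_first
        self.remote_tx = None   # state carried over to the next exchange

    def _mac_ok(self, payload, tag):
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)   # constant-time compare

    def receive(self, packet):
        if len(packet) != 8 + MAC_LEN:
            return False                 # malformed: never touches state
        payload, tag = packet[:8], packet[8:]
        (tx,) = struct.unpack("!Q", payload)
        if not self.verify_first:
            # Ordering described in the advisory: state is written first,
            # so a packet that fails the MAC check has already changed it.
            self.remote_tx = tx
            return self._mac_ok(payload, tag)
        # Corrected ordering: authenticate, then update state.
        if not self._mac_ok(payload, tag):
            return False
        self.remote_tx = tx
        return True

def run(verify_first):
    """Feed one genuine and one unauthenticated packet; return the outcome."""
    peer = Peer(KEY, verify_first)
    accepted = peer.receive(make_packet(KEY, 1000))
    bad = struct.pack("!Q", 9999) + bytes(MAC_LEN)   # constructed, wrong MAC
    rejected = not peer.receive(bad)
    return accepted, rejected, peer.remote_tx

if __name__ == "__main__":
    print("state before MAC check:", run(verify_first=False))
    print("MAC check before state:", run(verify_first=True))
```

In both runs the unauthenticated packet is rejected; only with the MAC check first does the saved state still hold the value from the genuine packet.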

Comment 7 David Walser 2015-04-20 21:47:16 CEST
Works fine on Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 8 claire robinson 2015-04-22 17:57:43 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-04-23 23:15:08 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0163.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED