Bug 15647 - chrony new security issues CVE-2015-1821, CVE-2015-1822, and CVE-2015-1853
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/640166/
Whiteboard: MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-07 19:20 CEST by David Walser
Modified: 2015-04-23 23:15 CEST

See Also:
Source RPM: chrony-1.31-2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-04-07 19:20:45 CEST
Upstream has announced three security issues today (April 7):
http://chrony.tuxfamily.org/News.html

The issues are fixed in 1.31.1.

It got mentioned on oss-security as well:
http://openwall.com/lists/oss-security/2015/04/07/5

Mageia 4 and Mageia 5 are affected.

For Mageia 5, we can just update to 1.31.1.  For Mageia 4, we'll probably want to see if we can get backported patches for 1.29.1.

David Walser 2015-04-07 19:20:51 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-08 13:51:40 CEST
A more direct mention of this on oss-security:
http://openwall.com/lists/oss-security/2015/04/07/10
Comment 2 David Walser 2015-04-08 14:52:38 CEST
RHEL7 has chrony 1.29.1, so some backported patches may show up there.  Unfortunately, Fedora 19 is no longer supported, so Fedora won't be backporting patches to 1.29.1.  Ubuntu 14.10 also has 1.29.1.

Severity: normal => major

Comment 3 David Walser 2015-04-08 21:11:56 CEST
chrony-1.31.1-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Sander Lepik 2015-04-11 22:21:15 CEST

CC: (none) => mageia
Assignee: bugsquad => luigiwalser

Comment 5 David Walser 2015-04-13 23:10:14 CEST
Debian has issued an advisory for this on April 12:
https://lists.debian.org/debian-security-announce/2015/msg00110.html

URL: (none) => http://lwn.net/Vulnerabilities/640166/

Comment 6 David Walser 2015-04-20 15:59:36 CEST
Patched package uploaded for Mageia 4.

Advisory:
========================

Updated chrony package fixes security vulnerabilities:

Using particular address/subnet pairs when configuring access control would
cause an invalid memory write. This could allow attackers to cause a denial
of service (crash) or execute arbitrary code (CVE-2015-1821).

When allocating memory to save unacknowledged replies to authenticated
command requests, a pointer would be left uninitialized, which could trigger
an invalid memory write. This could allow attackers to cause a denial of
service (crash) or execute arbitrary code (CVE-2015-1822).

When peering with other NTP hosts using authenticated symmetric association,
the internal state variables would be updated before the MAC of the NTP
messages was validated. This could allow a remote attacker to cause a denial
of service by impeding synchronization between NTP peers (CVE-2015-1853).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1821
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1853
http://chrony.tuxfamily.org/News.html
https://www.debian.org/security/2015/dsa-3222
========================

Updated packages in core/updates_testing:
========================
chrony-1.29.1-1.1.mga4

from chrony-1.29.1-1.1.mga4.src.rpm

Assignee: luigiwalser => qa-bugs

Comment 7 David Walser 2015-04-20 21:47:16 CEST
Works fine on Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 8 claire robinson 2015-04-22 17:57:43 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-04-23 23:15:08 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0163.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

