Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
Could you please accept chrony 1.24-3.1+deb7u4 in the last wheezy point
release?
It fixes CVE-2016-1567 which I have backported to that specific upstream
version. It is well tested since the exact same patch has been in
squeeze-lts for a while.
The next fix is an adjustment ensuring we don’t delete the
/var/lib/chrony content. That directory contains some really important
data, notably the driftfile which stores the gain or loss of the system
clock relative to the RTC. Deleting it each time chrony is upgraded or
installed from Config-Files state was a mistake; let’s fix that!
Thanks for your time,
Vincent
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u chrony-1.24/ntp_core.c chrony-1.24/ntp_core.c
--- chrony-1.24/ntp_core.c
+++ chrony-1.24/ntp_core.c
@@ -966,7 +966,8 @@
if (!KEY_KeyKnown(auth_key_id)) {
test5 = 0;
} else {
- test5 = check_packet_auth(message, auth_key_id);
+ test5 = check_packet_auth(message, auth_key_id) &&
+ auth_key_id == inst->auth_key_id;
}
} else {
/* If we expect authenticated info from this peer/server and the packet
diff -u chrony-1.24/debian/changelog chrony-1.24/debian/changelog
--- chrony-1.24/debian/changelog
+++ chrony-1.24/debian/changelog
@@ -1,3 +1,13 @@
+chrony (1.24-3.1+deb7u4) wheezy; urgency=medium
+
+ * Fix CVE-2016-1567: Restrict authentication of server/peer to specified
+ key. (Closes: #812923)
+
+ * debian/postrm:
+ - Remove /var/lib/chrony on purge only. (Closes: #568492)
+
+ -- Vincent Blut <vincent.deb...@free.fr> Wed, 25 May 2016 17:15:18 +0200
+
chrony (1.24-3.1+deb7u3) wheezy-security; urgency=medium
* With the following security bugfixes (See: #782160):
diff -u chrony-1.24/debian/postrm chrony-1.24/debian/postrm
--- chrony-1.24/debian/postrm
+++ chrony-1.24/debian/postrm
@@ -3,7 +3,6 @@
# postrm for chrony John Hasler 1998-2006
# Any possessor of a copy of this program may treat it as if it
# were in the public domain. I waive all rights.
-rm -f /var/lib/chrony/*
if [ -x update-menus ] ; then
update-menus
fi
diff -u chrony-1.24/debian/applied/series chrony-1.24/debian/applied/series
--- chrony-1.24/debian/applied/series
+++ chrony-1.24/debian/applied/series
@@ -7,0 +8 @@
+14_restrict-authentication-of-server-peer-to-specified-key.patch
only in patch2:
unchanged:
--- chrony-1.24.orig/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch
+++ chrony-1.24/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch
@@ -0,0 +1,24 @@
+From: Vincent Blut <vincent.deb...@free.fr>
+Date: Tue, 02 Feb 2016 23:29:25 +0100
+Subject: ntp: restrict authentication of server/peer to specified key
+
+This patch fixes CVE-2016-1567 in chrony 1.24. In versions prior to 1.31.2 as
+well as all releases from the 2.x branch before 2.2.1, chrony does not verify
+peer associations of symmetric keys when authenticating packets, which might
+allow remote attackers to conduct impersonation attacks via an arbitrary
+trusted key, aka a "skeleton key".
+---
+
+diff -urNpa a/chrony-1.24/ntp_core.c b/chrony-1.24/ntp_core.c
+--- a/chrony-1.24/ntp_core.c 2016-02-02 23:28:39.070377463 +0100
++++ b/chrony-1.24/ntp_core.c 2016-02-02 23:01:10.414119775 +0100
+@@ -966,7 +966,8 @@ receive_packet(NTP_Packet *message, stru
+ if (!KEY_KeyKnown(auth_key_id)) {
+ test5 = 0;
+ } else {
+- test5 = check_packet_auth(message, auth_key_id);
++ test5 = check_packet_auth(message, auth_key_id) &&
++ auth_key_id == inst->auth_key_id;
+ }
+ } else {
+ /* If we expect authenticated info from this peer/server and the packet
