Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, [ Reason ] chrony versions prior to 3.5.1 are vulnerable to a symlink race when creating the PID file. CVE-2020-14367 has been assigned to this vulnerability. In accordance with Salvatore Bonaccorso from the security team, no DSA has been released. [ Impact ] Data loss and a denial of service due to the path traversal are possible in some cases. While that sounds worrisome, this vulnerabilily can’t be exploited using the default configuration provided by chrony on Debian, that’s why the security team marked it as “unimportant”. [ Tests ] I manually tested the proposed update to ensure that chronyd still runs fine using the default PID file location and an alternative one where the vulnerability could be exploited. I can confirm that the issue is fixed by the proposed patch and that no regression appeared while testing. [ Risks ] Most of the other major distributions provide this patch now with no apparent problems, so the risks seem quite low. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Switch from fopen() to the open() function with the O_CREAT|O_EXCL flags to avoid following a symlink and writing the PID to an unexpected file when chronyd still has the root privileges. [ Other info ] I also took the oportunity to fix the autopkgtest of chrony which was failing on Buster since quite a while. Cheers, Vincent -----BEGIN PGP SIGNATURE----- iQJLBAEBCgA1FiEE/VQBlxWoTJPh4vI5ipzudlpxp4AFAl9NUNgXHHZpbmNlbnQu ZGViaWFuQGZyZWUuZnIACgkQipzudlpxp4CUhA//drGMsuRybyVv99bmgdtEzxZu uTsxCF2YL6W7aGxTJnKMfVYJ/PAtAbzjXWUZyYNkmL/vSsf+432slB2IYsDNzs5M sAXUZkMl/G5BhQ8F25LwNQs7Xnplq0p5MZEcNF97P1G9RFIBjW4+7Rj5OHQDbxHr odWcsgl9kSAQ/l7A8jJQODWd+n7/saeyUL3UHEiLiZUw/PWuOdxv/ekBtU6a4kzM YWjCcuvzvRuoBZNIihWYCQcJfRdMdSGe/eehf3mfwAfTJB/PdapATiUGN7rFrnnM jhjRfS9QlKBrOxKzsGdSaGz4JcmSc3VqOs2AmguQ3a11dWQ6kjc4PyQ+Un5aZ71M 9Qv/zG/P+YX8L56jYxQk+qBYsD/qP2/a2apVgMeEl146ECx1WdAm+vyBSJxgZYdM sNmCDJfpR+2xg8CDcWQZFGmusbaDfgvD/wgU+STOWrvKkjo0M8pH7+aETmAEk7Wc btyvooG44zL0OmQm0CAIISgMZpXXvFLyeLJcfv9HZSoc0GqcL2lrhrgsWHw7F8T0 VAOMC3IiAriuSJuIIfCZI7ZDVklCr/xZK4S1RwSIJXSY4RmWVqFh5mDTZFVQ2ZIl 2vJcQQJhnHy8q1N14nHEcBsNffEB/O5caerl7DBs8MpCgLyo+vMJ7ifUa/4xqpae e8KuReDpa8ZtwLuDTCQ= =lYFE -----END PGP SIGNATURE-----
diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog --- chrony-3.4/debian/changelog 2019-03-18 19:35:34.000000000 +0100 +++ chrony-3.4/debian/changelog 2020-08-29 20:13:04.000000000 +0200 @@ -1,3 +1,15 @@ +chrony (3.4-4+deb10u1) buster; urgency=medium + + * debian/patches/: + - Add create-new-file-when-writing-pidfile.patch to prevent symlink race + when writing to PID file (CVE-2020-14367). + + * debian/tests/: + - Fix a regression when running upstream-simulation-test-suite autopkgtest + on Buster. + + -- Vincent Blut <vincent.deb...@free.fr> Sat, 29 Aug 2020 20:13:04 +0200 + chrony (3.4-4) unstable; urgency=medium * debian/patches/*: diff -Nru chrony-3.4/debian/.gitlab-ci.yml chrony-3.4/debian/.gitlab-ci.yml --- chrony-3.4/debian/.gitlab-ci.yml 2019-03-18 19:35:34.000000000 +0100 +++ chrony-3.4/debian/.gitlab-ci.yml 2020-08-26 18:41:29.000000000 +0200 @@ -1,20 +1,7 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml -build: - extends: .build-unstable -reprotest: - extends: .test-reprotest - -lintian: - extends: .test-lintian - -autopkgtest: - extends: .test-autopkgtest - allow_failure: true - -piuparts: - extends: .test-piuparts - -blhc: - extends: .test-blhc +variables: + RELEASE: 'buster' diff -Nru chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch --- chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch 1970-01-01 01:00:00.000000000 +0100 +++ chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch 2020-08-26 18:41:29.000000000 +0200 @@ -0,0 +1,187 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar <mlich...@redhat.com> +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed filesystem like NFS is not generally expected, but if +there is a reason to do that, these old kernel and NFS versions are not +considered to be supported for saving files by chronyd. + +This is a minimal backport specific to this issue of the following +commits: +- commit 2fc8edacb810 ("use PATH_MAX") +- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()") +- commit 7a4c396bba8f ("util: add functions for common file operations") +- commit e18903a6b563 ("switch to new util file functions") + +Reported-by: Matthias Gerstner <mgerst...@suse.de> + +--- a/logging.c ++++ b/logging.c +@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity, + system_log = 0; + log_message(1, severity, buf); + } ++ exit(1); + break; + default: + assert(0); +--- a/main.c ++++ b/main.c +@@ -281,13 +281,9 @@ write_pidfile(void) + if (!pidfile[0]) + return; + +- out = fopen(pidfile, "w"); +- if (!out) { +- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno)); +- } else { +- fprintf(out, "%d\n", (int)getpid()); +- fclose(out); +- } ++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644); ++ fprintf(out, "%d\n", (int)getpid()); ++ fclose(out); + } + + /* ================================================== */ +--- a/sysincl.h ++++ b/sysincl.h +@@ -37,6 +37,7 @@ + #include <glob.h> + #include <grp.h> + #include <inttypes.h> ++#include <limits.h> + #include <math.h> + #include <netdb.h> + #include <netinet/in.h> +--- a/util.c ++++ b/util.c +@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path + + /* ================================================== */ + ++static int ++join_path(const char *basedir, const char *name, const char *suffix, ++ char *buffer, size_t length, LOG_Severity severity) ++{ ++ const char *sep; ++ ++ if (!basedir) { ++ basedir = ""; ++ sep = ""; ++ } else { ++ sep = "/"; ++ } ++ ++ if (!suffix) ++ suffix = ""; ++ ++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) { ++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ================================================== */ ++ ++FILE * ++UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm) ++{ ++ const char *file_mode; ++ char path[PATH_MAX]; ++ LOG_Severity severity; ++ int fd, flags; ++ FILE *file; ++ ++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR; ++ ++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity)) ++ return NULL; ++ ++ switch (mode) { ++ case 'r': ++ case 'R': ++ flags = O_RDONLY; ++ file_mode = "r"; ++ if (severity != LOGS_FATAL) ++ severity = LOGS_DEBUG; ++ break; ++ case 'w': ++ case 'W': ++ flags = O_WRONLY | O_CREAT | O_EXCL; ++ file_mode = "w"; ++ break; ++ case 'a': ++ case 'A': ++ flags = O_WRONLY | O_CREAT | O_APPEND; ++ file_mode = "a"; ++ break; ++ default: ++ assert(0); ++ return NULL; ++ } ++ ++try_again: ++ fd = open(path, flags, perm); ++ if (fd < 0) { ++ if (errno == EEXIST) { ++ if (unlink(path) < 0) { ++ LOG(severity, "Could not remove %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ DEBUG_LOG("Removed %s", path); ++ goto try_again; ++ } ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ return NULL; ++ } ++ ++ UTI_FdSetCloexec(fd); ++ ++ file = fdopen(fd, file_mode); ++ if (!file) { ++ LOG(severity, "Could not open %s : %s", path, strerror(errno)); ++ close(fd); ++ return NULL; ++ } ++ ++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode); ++ ++ return file; ++} ++ ++/* ================================================== */ ++ + void + UTI_DropRoot(uid_t uid, gid_t gid) + { +--- a/util.h ++++ b/util.h +@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const + permissions and its uid/gid must match the specified values. */ + extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid); + ++/* Open a file. The full path of the file is constructed from the basedir ++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL). ++ Created files have specified permissions (umasked). Returns NULL on error. ++ The following modes are supported (if the mode is an uppercase character, ++ errors are fatal): ++ r/R - open an existing file for reading ++ w/W - open a new file for writing (remove existing file) ++ a/A - open an existing file for appending (create if does not exist) */ ++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix, ++ char mode, mode_t perm); ++ + /* Set process user/group IDs and drop supplementary groups */ + extern void UTI_DropRoot(uid_t uid, gid_t gid); + diff -Nru chrony-3.4/debian/patches/series chrony-3.4/debian/patches/series --- chrony-3.4/debian/patches/series 2019-03-18 19:35:34.000000000 +0100 +++ chrony-3.4/debian/patches/series 2020-08-26 18:41:29.000000000 +0200 @@ -2,3 +2,4 @@ allow-waitpid-in-seccomp-filter.patch allow-recv-send-in-seccomp-filter.patch allow-further-syscalls-in-seccomp-filter.patch +create-new-file-when-writing-pidfile.patch diff -Nru chrony-3.4/debian/tests/upstream-simulation-test-suite chrony-3.4/debian/tests/upstream-simulation-test-suite --- chrony-3.4/debian/tests/upstream-simulation-test-suite 2019-03-18 19:35:34.000000000 +0100 +++ chrony-3.4/debian/tests/upstream-simulation-test-suite 2020-08-26 18:59:17.000000000 +0200 @@ -14,11 +14,13 @@ cd test/simulation if [ ! -d clknetsim ]; then - git clone https://github.com/mlichvar/clknetsim + if git clone https://github.com/mlichvar/clknetsim; then + cd clknetsim && git checkout 58c5e8b + fi fi -if [ ! -x "clknetsim/clknetsim" ] && [ ! -e "clknetsim/clknetsim.so" ]; then - make -C clknetsim +if [ ! -x "clknetsim" ] && [ ! -e "clknetsim.so" ]; then + make fi -./run -i 20 -m 2 +cd - && ./run -i 20 -m 2
