Package: release.debian.org
Tags: jessie
Followup-For: Bug #825087
User: release.debian....@packages.debian.org
Usertags: pu

[Follow-up: the debdiff was missing from my previous message; it is included below.]

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru chrony-1.30/debian/changelog chrony-1.30/debian/changelog
--- chrony-1.30/debian/changelog	2015-09-09 20:00:38.000000000 +0200
+++ chrony-1.30/debian/changelog	2016-05-22 17:40:58.000000000 +0200
@@ -1,3 +1,16 @@
+chrony (1.30-2+deb8u2) jessie; urgency=medium
+
+  * Fix CVE-2016-1567: Restrict authentication of server/peer to specified
+    key. (Closes: #812923)
+
+  * debian/postrm:
+    - Remove /var/lib/chrony on purge only. (Closes: #568492)
+
+  * debian/logrotate:
+    - Rework postrotate script. (Closes: #763542)
+
+ -- Vincent Blut <vincent.deb...@free.fr>  Sat, 21 May 2016 02:27:34 +0200
+
 chrony (1.30-2+deb8u1) jessie; urgency=medium
 
   * Build depend on libcap-dev. Without it, chronyd can’t drop root
diff -Nru chrony-1.30/debian/logrotate chrony-1.30/debian/logrotate
--- chrony-1.30/debian/logrotate	2015-09-09 19:31:39.000000000 +0200
+++ chrony-1.30/debian/logrotate	2016-05-22 17:40:58.000000000 +0200
@@ -8,10 +8,6 @@
 	sharedscripts
 	create 644
 	postrotate
-		PASSWORD=`awk '$1 ~ /^1$/ {print $2; exit}' /etc/chrony/chrony.keys`
-		cat << EOF | /usr/bin/chronyc | sed '/^200 OK$/d'
-		password $PASSWORD
-		cyclelogs
-		EOF
+		/usr/bin/chronyc -a cyclelogs > /dev/null 2>&1 || true
 	endscript
 }
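Review bot: The new postrotate line sends both streams of `chronyc -a cyclelogs` to /dev/null and masks its exit status with `|| true`, so a failed cyclelogs (chronyd stopped, or `-a` unable to authenticate) leaves chronyd writing to the renamed file with nothing in the cron/logrotate output to show it. Judging by the removed `sed '/^200 OK$/d'` filter, chronyc's reply lines appear to go to stdout, so discarding stdout also discards the error replies; keeping the old filter instead, `/usr/bin/chronyc -a cyclelogs 2>&1 | sed '/^200 OK$/d'`, still suppresses the success line while letting `501 Not authorised`-style replies through, and because the pipeline's status is sed's a stopped chronyd does not fail the rotation. The switch to `-a` is itself an improvement over the removed awk extraction, which assumed the command key was key ID 1 and handed it to chronyc via a heredoc. The logrotate stanza's opening line is outside this hunk.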
diff -Nru chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch
--- chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch	1970-01-01 01:00:00.000000000 +0100
+++ chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch	2016-05-22 19:01:52.000000000 +0200
@@ -0,0 +1,39 @@
+Description: ntp: restrict authentication of server/peer to specified key
+ When a server/peer was specified with a key number to enable
+ authentication with a symmetric key, packets received from the
+ server/peer were accepted if they were authenticated with any of
+ the keys contained in the key file and not just the specified key.
+
+ This allowed an attacker who knew one key of a client/peer to modify
+ packets from its servers/peers that were authenticated with other
+ keys in a man-in-the-middle (MITM) attack. For example, in a network
+ where each NTP association had a separate key and all hosts had only
+ keys they needed, a client of a server could not attack other clients
+ of the server, but it could attack the server and also attack its own
+ clients (i.e. modify packets from other servers).
+
+ To not allow the server/peer to be authenticated with other keys
+ extend the authentication test to check if the key ID in the received
+ packet is equal to the configured key number. As a consequence, it's
+ no longer possible to authenticate two peers to each other with two
+ different keys, both peers have to be configured to use the same key.
+
+ This issue was discovered by Matt Street of Cisco ASIG.
+
+Author: Miroslav Lichvar <mlich...@redhat.com>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812923
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/ntp_core.c
++++ b/ntp_core.c
+@@ -1049,7 +1049,8 @@ receive_packet(NTP_Packet *message, stru
+   if (inst->do_auth) {
+     if (auth_len > 0) {
+       auth_key_id = ntohl(message->auth_keyid);
+-      test5 = check_packet_auth(message, auth_key_id, auth_len);
++      test5 = check_packet_auth(message, auth_key_id, auth_len) &&
++              auth_key_id == inst->auth_key_id;
+     } else {
+       /* If we expect authenticated info from this peer/server and the packet
+          doesn't have it, it's got to fail */
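Review bot: In the new test5 expression the MAC check runs before the cheap key-ID comparison, so a packet carrying any key ID still costs a key lookup and a hash computation before being rejected; swapping the operands, `test5 = auth_key_id == inst->auth_key_id && check_packet_auth(message, auth_key_id, auth_len);`, yields the same result while rejecting mismatched IDs without touching the key file, assuming check_packet_auth has no side effect the caller relies on. This is also a user-visible behaviour change for stable: as the DEP-3 header itself states, two peers that authenticated each other with different keys stop syncing after this update, and the changelog entry at L26–L27 does not mention it, so a debian/NEWS entry would warn jessie administrators before the upgrade. receive_packet() starts and ends outside the inner hunk.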
diff -Nru chrony-1.30/debian/patches/series chrony-1.30/debian/patches/series
--- chrony-1.30/debian/patches/series	2015-09-09 19:31:39.000000000 +0200
+++ chrony-1.30/debian/patches/series	2016-05-22 17:40:58.000000000 +0200
@@ -5,3 +5,4 @@
 11_protect-authenticated-symmetric-ass.patch
 12_fix-subnet-size-indivisible-by-four.patch
 13_fix-initialization-of-allocated-reply-slots.patch
+14_restrict-authentication-of-server-peer-to-specified-key.patch
diff -Nru chrony-1.30/debian/postrm chrony-1.30/debian/postrm
--- chrony-1.30/debian/postrm	2015-09-09 19:31:39.000000000 +0200
+++ chrony-1.30/debian/postrm	2016-05-22 17:40:58.000000000 +0200
@@ -23,7 +23,7 @@
     ;;
 
     remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-        rm -f /var/lib/chrony/*
+
     ;;
 
     *)
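Review bot: Replacing `rm -f /var/lib/chrony/*` with a bare blank line leaves an empty case body with no explanation of why state is now kept, which invites the next maintainer to re-add the deletion; a comment such as `# Keep /var/lib/chrony (drift file, logs) across remove and upgrade; it is deleted on purge only.` in place of the blank line would document the intent, and the stray empty line itself should go or be replaced by `:`. The purge branch that the changelog refers to is above this hunk and not visible here, so whether /var/lib/chrony is actually removed on purge cannot be confirmed from the diff. The case statement begins outside the hunk.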
