Bug#1035898: unblock: chrony/4.3-2+deb12u1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: chr...@packages.debian.org
Control: affects -1 + src:chrony

Hi,

Please unblock package chrony

[ Reason ]
This softens a rule in the AppArmor profile. Currently, the profile is way too strict about allowed gpsd socket names.

[ Impact ]
Users may need to override the AppArmor profile (or put the profile in complain mode) so that chronyd can consume time information from gpsd using sockets. Overriding an AppArmor profile is acceptable when dealing with some exotic configurations, but here even trying to feed chronyd with something as common as PPS samples would be denied by the profile.

[ Tests ]
I checked that chronyd was able to receive PPS samples from gpsd through a Unix socket driver using the '/run/chrony.pps0.sock' path. This is no longer denied with chrony 4.3-2+deb12u1.

[ Risks ]
None that I know of.

[ Checklist ]
[✓] all changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in testing

[ Other info ]
I must admit that the version number is atypical for an upload to unstable but chrony 4.3-3 is already in experimental.

unblock chrony/4.3-2+deb12u1

diff -Nru chrony-4.3/debian/changelog chrony-4.3/debian/changelog --- chrony-4.3/debian/changelog 2023-01-27 22:51:17.0 +0100 +++ chrony-4.3/debian/changelog 2023-05-08 22:05:00.0 +0200
@@ -1,3 +1,13 @@ +chrony (4.3-2+deb12u1) unstable; urgency=medium + + * debian/usr.sbin.chronyd: +- Modify the AppArmor profile to allow more gpsd socket names. This will +avoid the need for users to override the profile to let chronyd consume PPS +samples or serial time supplied by gpsd over a Unix-domain socket. +Thanks to Ryan Govostes for the report. (Closes: #1034519) + + -- Vincent Blut Mon, 08 May 2023 22:05:00 +0200 + chrony (4.3-2) unstable; urgency=medium * debian/control: diff -Nru chrony-4.3/debian/usr.sbin.chronyd chrony-4.3/debian/usr.sbin.chronyd --- chrony-4.3/debian/usr.sbin.chronyd 2023-01-27 22:51:17.0 +0100 +++ chrony-4.3/debian/usr.sbin.chronyd 2023-05-08 22:05:00.0 +0200 @@ -59,7 +59,7 @@ # Configs using a 'chrony.' prefix like the tempcomp config file example /etc/chrony.* r, # Example gpsd socket is outside @{run}/chrony/ - @{run}/chrony.tty{,*}.sock rw, + @{run}/chrony.*.sock rw, # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba/ntp_signd/socket rw,
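Review bot: the widened rule '@{run}/chrony.*.sock rw,' in the usr.sbin.chronyd hunk stays bounded: a single '*' in AppArmor never matches '/', so only sockets directly under @{run} whose name starts with 'chrony.' and ends with '.sock' gain read/write access, which is what the changelog entry describes. The comment above the rule still reads 'Example gpsd socket is outside @{run}/chrony/'; since this hunk is the reason PPS and serial (tty) sockets are now both admitted, saying so in that comment would spare the next reader from inferring it from the glob.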
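To see what the old and the widened rule actually admit, here is an added example (not chrony's or AppArmor's code) that models AppArmor path globbing with fnmatch(3) and compares both rules against constructed socket paths. It assumes @{run} expands to /run and /var/run as in AppArmor's default tunables, and handles '*', '[..]' and one level of '{a,b}' alternation, but not '**'.

```c
/* Added example: which socket paths does an AppArmor path rule admit?
 * Reviews the chronyd gpsd socket rule change
 *   @{run}/chrony.tty{,*}.sock   ->   @{run}/chrony.*.sock
 * Model: fnmatch(3) with FNM_PATHNAME, so '*' and '?' never cross a '/',
 * exactly like AppArmor's single '*'.  '**' is not modelled.
 * Assumption: @{run} expands to /run and /var/run (AppArmor tunables default). */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAXPAT 8
#define PATLEN 256

/* Replace the @{run} variable with one concrete directory. */
static void subst_run(const char *rule, const char *run, char *out)
{
    const char *var = strstr(rule, "@{run}");
    if (!var) { snprintf(out, PATLEN, "%s", rule); return; }
    snprintf(out, PATLEN, "%.*s%s%s", (int)(var - rule), rule, run, var + strlen("@{run}"));
}

/* Expand the first {a,b,...} group (empty alternatives allowed, as in {,*}).
 * Returns the number of patterns written to outs[], 0 on a malformed rule. */
static int expand_braces(const char *pat, char outs[][PATLEN], int max)
{
    const char *lb = strchr(pat, '{');
    if (!lb) { snprintf(outs[0], PATLEN, "%s", pat); return 1; }
    const char *rb = strchr(lb, '}');
    if (!rb) return 0;
    int n = 0;
    for (const char *p = lb + 1; p <= rb && n < max; ) {
        const char *comma = memchr(p, ',', (size_t)(rb - p));
        const char *end = comma ? comma : rb;
        snprintf(outs[n++], PATLEN, "%.*s%.*s%s",
                 (int)(lb - pat), pat, (int)(end - p), p, rb + 1);
        p = end + 1;
    }
    return n;
}

/* 1 if the AppArmor path rule admits path, 0 otherwise. */
int rule_matches(const char *rule, const char *path)
{
    static const char *run_values[] = { "/run", "/var/run" };
    char pat[PATLEN], alts[MAXPAT][PATLEN];

    for (size_t r = 0; r < sizeof run_values / sizeof *run_values; r++) {
        subst_run(rule, run_values[r], pat);
        int n = expand_braces(pat, alts, MAXPAT);
        for (int i = 0; i < n; i++)
            if (fnmatch(alts[i], path, FNM_PATHNAME) == 0)
                return 1;
    }
    return 0;
}

int main(void)
{
    const char *old_rule = "@{run}/chrony.tty{,*}.sock";
    const char *new_rule = "@{run}/chrony.*.sock";
    /* Constructed sample paths: the PPS socket from the bug report, a tty
     * socket, a sibling directory and a path outside @{run}. */
    const char *paths[] = {
        "/run/chrony.tty.sock", "/run/chrony.ttyUSB0.sock", "/run/chrony.pps0.sock",
        "/var/run/chrony.pps0.sock", "/run/chrony.sock", "/run/chrony.x/evil.sock",
        "/tmp/chrony.pps0.sock",
    };
    printf("%-28s %-4s %-4s\n", "path", "old", "new");
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("%-28s %-4d %-4d\n", paths[i],
               rule_matches(old_rule, paths[i]), rule_matches(new_rule, paths[i]));
    return 0;
}
```

The table shows the PPS socket denied by the old rule and admitted by the new one, while a socket in a subdirectory or outside @{run} is still denied by both.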
Bug#1007747: bullseye-pu: package chrony/4.0-8+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd configuration file generated by the timemaster program.

[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or, at worst, set the profile to complain mode) to flawlessly use chronyd with timemaster.

[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in #1004745 when using chronyd with timemaster.

[ Risks ]
Low. An equivalent fix has been in testing/unstable for over a month now without any regression so far.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Adding a rule in the AppArmor profile to allow chronyd to read the configuration file /run/timemaster/chrony.conf

Cheers,
Vincent

diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog --- chrony-4.0/debian/changelog 2021-10-19 22:02:40.0 +0200 +++ chrony-4.0/debian/changelog 2022-03-14 22:17:25.0 +0100
@@ -1,3 +1,11 @@ +chrony (4.0-8+deb11u2) bullseye; urgency=medium + + * debian/usr.sbin.chronyd: +- Allow reading the chronyd configuration file that timemaster(8) +generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745) + + -- Vincent Blut Mon, 14 Mar 2022 22:17:25 +0100 + chrony (4.0-8+deb11u1) bullseye; urgency=medium * debian/patches/: diff -Nru chrony-4.0/debian/usr.sbin.chronyd chrony-4.0/debian/usr.sbin.chronyd --- chrony-4.0/debian/usr.sbin.chronyd 2021-10-19 22:02:40.0 +0200 +++ chrony-4.0/debian/usr.sbin.chronyd 2022-03-14 22:17:25.0 +0100 @@ -67,6 +67,9 @@ /dev/pps[0-9]* rw, /dev/ptp[0-9]* rw, + # Allow reading the chronyd configuration file that timemaster(8) generates + @{run}/timemaster/chrony.conf r, + # For use with clocks that report via shared memory (e.g. gpsd), # you may need to give ntpd access to all of shared memory, though # this can be considered dangerous. See https://launchpad.net/bugs/722815
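Review bot: the new rule '@{run}/timemaster/chrony.conf r,' is read-only and pinned to a single path, which is the least the profile can grant for this use case. The unchanged context right below it still says 'you may need to give ntpd access to all of shared memory'; since this is the chronyd profile, rewording that leftover to chronyd while the file is being touched would avoid confusing readers.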
Bug#1007745: buster-pu: package chrony/3.4-4+deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd configuration file generated by the timemaster program.

[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or, at worst, set the profile to complain mode) to flawlessly use chronyd with timemaster.

[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in #1004745 when using chronyd with timemaster.

[ Risks ]
Low. An equivalent fix has been in testing/unstable for over a month now without any regression so far.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Adding a rule in the AppArmor profile to allow chronyd to read the configuration file /run/timemaster/chrony.conf

Cheers,
Vincent

diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog --- chrony-3.4/debian/changelog 2020-09-16 13:44:04.0 +0200 +++ chrony-3.4/debian/changelog 2022-03-15 13:45:14.0 +0100
@@ -1,3 +1,11 @@ +chrony (3.4-4+deb10u2) buster; urgency=medium + + * debian/usr.sbin.chronyd: +- Allow reading the chronyd configuration file that timemaster(8) +generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745) + + -- Vincent Blut Tue, 15 Mar 2022 13:45:14 +0100 + chrony (3.4-4+deb10u1) buster; urgency=medium * debian/patches/: diff -Nru chrony-3.4/debian/usr.sbin.chronyd chrony-3.4/debian/usr.sbin.chronyd --- chrony-3.4/debian/usr.sbin.chronyd 2020-09-16 13:44:04.0 +0200 +++ chrony-3.4/debian/usr.sbin.chronyd 2022-03-15 13:45:14.0 +0100 @@ -50,6 +50,9 @@ /dev/pps[0-9]* rw, /dev/ptp[0-9]* rw, + # Allow reading the chronyd configuration file that timemaster(8) generates + /{,var/}run/timemaster/chrony.conf r, + # For use with clocks that report via shared memory (e.g. gpsd), # you may need to give ntpd access to all of shared memory, though # this can be considered dangerous. See https://launchpad.net/bugs/722815
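Review bot: this rule spells the path as '/{,var/}run/timemaster/chrony.conf r,' where the bullseye version of the same change uses '@{run}'. If the buster profile already includes tunables/global (which defines @{run}), using the variable would keep the two branches identical and follow any future change to the run directory; if it does not, the explicit alternation is the right choice and a short comment saying so would save the next reviewer the same question.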
Bug#997597: bullseye-pu: package chrony/4.0-8+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
chrony 4.0 allows binding the NTP, NTS-KE, client and UDP command sockets to a specific network device using the 'binddevice', 'bindacqdevice' and 'bindcmddevice' directives. In Bullseye, using these directives with a network interface name longer than 3 characters (e.g. binddevice eth0) will cause chronyd to crash because of the way the system call filter handles the SO_BINDTODEVICE socket option.

[ Impact ]
To bind sockets to a network interface with a "long" name, users have to disable chronyd's system call filter, which is certainly not ideal.

[ Tests ]
I manually tested each of the aforementioned directives with a network interface name longer than 3 characters. I also made sure that autopkgtests still run fine.

[ Risks ]
The fix is trivial and well tested.

[ Checklist ]
[ ] *all* changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in (old)stable
[✓] the issue is verified as fixed in unstable

[ Changes ]
In addition to the patch fixing the issue with the system call filter, I also made a few anecdotal but practical changes that I considered unnecessary to mention for a revision targeting stable:
- pointing Vcs-Git to the 'debian/bullseye' branch
- running the Salsa CI pipeline on Bullseye

Cheers,
Vincent

diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog --- chrony-4.0/debian/changelog 2021-05-13 16:51:41.0 +0200 +++ chrony-4.0/debian/changelog 2021-10-19 22:02:40.0 +0200
@@ -1,3 +1,12 @@ +chrony (4.0-8+deb11u1) bullseye; urgency=medium + + * debian/patches/: +- Add fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch to be able +to bind a socket to a network device with a name longer than 3 characters +when the system call filter is enabled. (Closes: #995207) + + -- Vincent Blut Tue, 19 Oct 2021 22:02:40 +0200 + chrony (4.0-8) unstable; urgency=medium * debian/patches/: diff -Nru chrony-4.0/debian/control chrony-4.0/debian/control --- chrony-4.0/debian/control 2021-05-13 16:51:41.0 +0200 +++ chrony-4.0/debian/control 2021-10-19 22:02:40.0 +0200 @@ -18,7 +18,7 @@ pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any], procps Homepage: https://chrony.tuxfamily.org -Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/latest +Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/bullseye Vcs-Browser: https://salsa.debian.org/debian/chrony Rules-Requires-Root: no diff -Nru chrony-4.0/debian/.gitlab-ci.yml chrony-4.0/debian/.gitlab-ci.yml --- chrony-4.0/debian/.gitlab-ci.yml2021-05-13 16:51:41.0 +0200 +++ chrony-4.0/debian/.gitlab-ci.yml2021-10-19 22:02:40.0 +0200 @@ -9,3 +9,6 @@ only: variables: - $SEE_YOU_SOON_REPROTEST + +variables: +RELEASE: 'bullseye' diff -Nru chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch --- chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-4.0/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch 2021-10-19 22:02:40.0 +0200 
@@ -0,0 +1,33 @@ +From 29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Wed, 6 Oct 2021 10:02:34 +0200 +Subject: sys_linux: fix seccomp filter for BINDTODEVICE option + +The BINDTODEVICE socket option is the first option in the seccomp filter +setting a string instead of int. Remove the length check from the +setsockopt rules to allow a device name longer than 3 characters. + +This was reported in Debian bug #995207. + +Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter") + +Origin: upstream, https://git.tuxfamily.org/chrony/chrony.git/commit/?id=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995207 + +Index: chrony/sys_linux.c +=== +--- chrony.orig/sys_linux.c chrony/sys_linux.c +@@ -694,10 +694,9 @@ SYS_Linux_EnableSystemCallFilter(int lev + + /* Allow selected socket options */ + for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) { +- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3, ++ if (seccomp_rule_add(c
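Review bot: the removed line 'if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,' passes three argument comparisons, and it sits inside the loop over socket_options that is shared by every entry, so dropping the length comparison relaxes the optlen check for all listed options, not only SO_BINDTODEVICE. The filter still pins level and optname, which is the part that matters, but the patch description should state that the length check is gone for every option rather than implying it is specific to the string-valued one. The replacement line is cut off in this copy of the debdiff, so the new argument count cannot be confirmed here.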
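Review bot: the debian/control hunk (Vcs-Git now '-b debian/bullseye') and the debian/.gitlab-ci.yml hunk ('RELEASE: bullseye') have no entry in the changelog hunk, which lists only the seccomp patch. The submitter flags this with the unticked 'all changes are documented' box; a one-line changelog item for the two packaging tweaks would close that gap and keep the stable update self-describing.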
Bug#986705: unblock: chrony/4.0-7
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package chrony

[ Reason ]
The IP_TOS socket option is currently missing from chronyd's seccomp filter, which prevents users from using the 'dscp' directive in the chronyd configuration file while the seccomp filter is enabled. This directive allows one to set the Differentiated Services Code Point to a specific value.

[ Impact ]
Since chronyd's seccomp filter is enabled by default in Debian, chronyd would be killed right after being started when using the 'dscp' directive. Consequently, to use this feature, users have to disable the seccomp filter.

[ Tests ]
Since the issue is easy to trigger, I manually tested the proposed fix while ensuring that autopkgtest reports no regressions. Here are some steps to reproduce the issue encountered by chrony 4.0-6:

    # echo 'dscp 22' > /etc/chrony/conf.d/dscp.conf
    # systemctl restart chrony.service
    # systemctl is-active chrony.service
    failed

With chrony 4.0-7, the last command reports chrony.service as active.

[ Risks ]
Harmless. We just allow the IP_TOS setsockopt() option in the seccomp filter.

[ Checklist ]
[✓] all changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in testing

unblock chrony/4.0-7

Cheers,
Vincent

diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog --- chrony-4.0/debian/changelog 2021-02-21 21:59:22.0 +0100 +++ chrony-4.0/debian/changelog 2021-04-08 16:21:16.0 +0200
@@ -1,3 +1,11 @@ +chrony (4.0-7) unstable; urgency=medium + + * debian/patches/: +- Add allow-IP_TOS-socket-option-in-seccomp-filter.patch to enable the use + of the 'dscp' directive. + + -- Vincent Blut Thu, 08 Apr 2021 16:21:16 +0200 + chrony (4.0-6) unstable; urgency=medium * debian/tests/helper-functions: diff -Nru chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch --- chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-4.0/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch 2021-04-08 16:21:16.0 +0200 
@@ -0,0 +1,33 @@ +From 966e6fd939df724235a93e7a89dd7cf67178f99d Mon Sep 17 00:00:00 2001 +From: Foster Snowhill +Date: Sun, 4 Apr 2021 15:12:17 +0200 +Subject: sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp + +This system call is required by the DSCP marking feature introduced in commit +6a5665ca5877 ("conf: add dscp directive"). + +Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a +custom DSCP value in the configuration (for example "dscp 46") caused the +process to be killed by seccomp due to IP_TOS not being allowed by the filter. + +Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic. +IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it. + +Signed-off-by: Foster Snowhill + +Bug: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2021/04/msg0.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=966e6fd939df724235a93e7a89dd7cf67178f99d +Last-Update: 2021-04-08 +Index: chrony/sys_linux.c +=== +--- chrony.orig/sys_linux.c chrony/sys_linux.c +@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int lev + }; + + const static int socket_options[][2] = { +-{ SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, ++{ SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS }, + #ifdef FEAT_IPV6 + { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO }, + #endif diff -Nru chrony-4.0/debian/patches/series chrony-4.0/debian/patches/series --- chrony-4.0/debian/patches/series2021-02-21 21:59:22.0 +0100 +++ chrony-4.0/debian/patches/series2021-04-08 16:21:16.0 +0200 @@ -1 +1,2 @@ +allow-IP_TOS-socket-option-in-seccomp-filter.patch nm-dispatcher-dhcp_Move-server_dir-to-run.patch
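Review bot: IPv6 is left out of this change: the '#ifdef FEAT_IPV6' block right below the added '{ SOL_IP, IP_TOS }' entry lists IPV6_V6ONLY and IPV6_RECVPKTINFO but no traffic-class option, so it is worth checking whether the 'dscp' directive also marks IPv6 sockets (which would go through setsockopt(SOL_IPV6, IPV6_TCLASS)) and, if it does, adding the matching entry there, otherwise the same seccomp kill would still occur on an IPv6-only configuration. The series hunk puts the new patch before nm-dispatcher-dhcp_Move-server_dir-to-run.patch; the two touch different files, so the order is harmless.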
Bug#969349: buster-pu: package chrony/3.4-4+deb10u1
Hi,

On 2020-08-31T21:34+0200, Vincent Blut wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Hi,
>
> [ Reason ]
> chrony versions prior to 3.5.1 are vulnerable to a symlink race when creating the PID file. CVE-2020-14367 has been assigned to this vulnerability. In accordance with Salvatore Bonaccorso from the security team, no DSA has been released.
>
> [ Impact ]
> Data loss and a denial of service due to the path traversal are possible in some cases. While that sounds worrisome, this vulnerability can’t be exploited using the default configuration provided by chrony on Debian, which is why the security team marked it as “unimportant”.
>
> [ Tests ]
> I manually tested the proposed update to ensure that chronyd still runs fine using the default PID file location and an alternative one where the vulnerability could be exploited. I can confirm that the issue is fixed by the proposed patch and that no regression appeared while testing.
>
> [ Risks ]
> Most of the other major distributions provide this patch now with no apparent problems, so the risks seem quite low.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Switch from fopen() to the open() function with the O_CREAT|O_EXCL flags to avoid following a symlink and writing the PID to an unexpected file when chronyd still has the root privileges.
>
> [ Other info ]
> I also took the opportunity to fix the autopkgtest of chrony which had been failing on Buster for quite a while.

In the meantime, Matt Corallo encountered a limitation in our AppArmor profile, which prevents the use of the “tempcomp” directive (#970421). Updated debdiff attached.
Cheers, Vincent diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog --- chrony-3.4/debian/changelog 2019-03-18 19:35:34.0 +0100 +++ chrony-3.4/debian/changelog 2020-09-16 13:44:04.0 +0200 @@ -1,3 +1,19 @@ +chrony (3.4-4+deb10u1) buster; urgency=medium + + * debian/patches/: +- Add create-new-file-when-writing-pidfile.patch to prevent symlink race +when writing to PID file (CVE-2020-14367). + + * debian/tests/: +- Fix a regression when running upstream-simulation-test-suite autopkgtest +on Buster. + + [ Matt Corallo ] + * debian/usr.sbin.chronyd: +- Fix temperature reading. (Closes: #970421) + + -- Vincent Blut Wed, 16 Sep 2020 13:44:04 +0200 + chrony (3.4-4) unstable; urgency=medium * debian/patches/*: diff -Nru chrony-3.4/debian/.gitlab-ci.yml chrony-3.4/debian/.gitlab-ci.yml --- chrony-3.4/debian/.gitlab-ci.yml2019-03-18 19:35:34.0 +0100 +++ chrony-3.4/debian/.gitlab-ci.yml2020-09-16 13:40:06.0 +0200 @@ -1,20 +1,7 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml -build: -extends: .build-unstable -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest -allow_failure: true - -piuparts: -extends: .test-piuparts - -blhc: -extends: .test-blhc +variables: + RELEASE: 'buster' diff -Nru chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch --- chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch 2020-09-16 13:40:06.0 +0200 
@@ -0,0 +1,187 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed filesystem like NFS is not generally expected, but if +there is a reason to do that, these old kernel and NFS versions are not +considered to be supported for saving files by chronyd. + +This is a minimal backport specific to this issue of the following +commits: +- commit 2fc8edacb810 ("use PATH_MAX") +- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()") +- commit 7a4c396bba8f ("util: add functions for common file operations") +- commit e18903a6b563 ("switch to new util file functions") + +Reporte
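Review bot: the debian/.gitlab-ci.yml hunk drops the explicit job list, including 'autopkgtest:' with 'allow_failure: true', in favour of the shared pipeline-jobs.yml include; unless the shared definition also marks autopkgtest as allowed to fail, a flaky autopkgtest now fails the whole pipeline. That is CI-only with no effect on the built package, but it is a behaviour change the changelog hunk does not mention. The changelog also credits a usr.sbin.chronyd temperature-reading fix (Closes: #970421) whose profile hunk lies past the cut-off in this copy of the debdiff, so it could not be reviewed here.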
Bug#969349: buster-pu: package chrony/3.4-4+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
chrony versions prior to 3.5.1 are vulnerable to a symlink race when creating the PID file. CVE-2020-14367 has been assigned to this vulnerability. In accordance with Salvatore Bonaccorso from the security team, no DSA has been released.

[ Impact ]
Data loss and a denial of service due to the path traversal are possible in some cases. While that sounds worrisome, this vulnerability can’t be exploited using the default configuration provided by chrony on Debian, which is why the security team marked it as “unimportant”.

[ Tests ]
I manually tested the proposed update to ensure that chronyd still runs fine using the default PID file location and an alternative one where the vulnerability could be exploited. I can confirm that the issue is fixed by the proposed patch and that no regression appeared while testing.

[ Risks ]
Most of the other major distributions provide this patch now with no apparent problems, so the risks seem quite low.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Switch from fopen() to the open() function with the O_CREAT|O_EXCL flags to avoid following a symlink and writing the PID to an unexpected file when chronyd still has the root privileges.

[ Other info ]
I also took the opportunity to fix the autopkgtest of chrony which had been failing on Buster for quite a while.
Cheers,
Vincent

diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog --- chrony-3.4/debian/changelog 2019-03-18 19:35:34.0 +0100 +++ chrony-3.4/debian/changelog 2020-08-29 20:13:04.0 +0200 @@ -1,3 +1,15 @@ +chrony (3.4-4+deb10u1) buster; urgency=medium + + * debian/patches/: +- Add create-new-file-when-writing-pidfile.patch to prevent symlink race +when writing to PID file (CVE-2020-14367). + + * debian/tests/: +- Fix a regression when running upstream-simulation-test-suite autopkgtest +on Buster. + + -- Vincent Blut Sat, 29 Aug 2020 20:13:04 +0200 + chrony (3.4-4) unstable; urgency=medium * debian/patches/*: diff -Nru chrony-3.4/debian/.gitlab-ci.yml chrony-3.4/debian/.gitlab-ci.yml --- chrony-3.4/debian/.gitlab-ci.yml2019-03-18 19:35:34.0 +0100 +++ chrony-3.4/debian/.gitlab-ci.yml2020-08-26 18:41:29.0 +0200
@@ -1,20 +1,7 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml -build: -extends: .build-unstable -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest -allow_failure: true - -piuparts: -extends: .test-piuparts - -blhc: -extends: .test-blhc +variables: + RELEASE: 'buster' diff -Nru chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch --- chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-3.4/debian/patches/create-new-file-when-writing-pidfile.patch 2020-08-26 18:41:29.0 +0200 @@ -0,0 +1,187 @@ +From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Thu, 6 Aug 2020 09:31:11 +0200 +Subject: main: create new file when writing pidfile + +When writing the pidfile, open the file with the O_CREAT|O_EXCL flags +to avoid following a symlink and writing the PID to an unexpected file, +when chronyd still has the root privileges. + +The Linux open(2) man page warns about O_EXCL not working as expected on +NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on +a distributed files
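Review bot: the create-new-file-when-writing-pidfile.patch description covers the symlink case but not what happens to a regular, stale pidfile left behind by a crash, which O_CREAT|O_EXCL will refuse just the same with EEXIST; the backport lists commit 7a4c396bba8f ('util: add functions for common file operations') among its sources, so the reviewer should confirm that whatever upstream does about a pre-existing pidfile came along with the minimal backport, otherwise chronyd would fail to start after an unclean shutdown. The patch body is cut off in this copy, so that could not be checked here.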
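The race and the fix described in the [ Changes ] section above (and in the reply quoting it), as an added example that is not chrony's code or the upstream patch: the fopen("w") pattern follows a symlink planted at the pidfile path, while open() with O_CREAT|O_EXCL refuses any pre-existing path. It assumes a writable /tmp; the target file and the symlink are constructed inside a private mkdtemp() directory.

```c
/* Added example (not chrony's code): the pidfile symlink race behind
 * CVE-2020-14367 next to the O_CREAT|O_EXCL fix.  write_pidfile_fopen() is
 * the unsafe pattern: fopen(path, "w") follows a symlink at path and
 * truncates whatever it points to.  write_pidfile_excl() refuses any
 * pre-existing path, symlink or not, so the link is never followed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe variant: 0 on success, -1 on failure. */
int write_pidfile_fopen(const char *path, long pid)
{
    FILE *f = fopen(path, "w");   /* O_WRONLY|O_CREAT|O_TRUNC, follows symlinks */
    if (!f) return -1;
    fprintf(f, "%ld\n", pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened variant: the file is created only if nothing exists at path.
 * With O_CREAT|O_EXCL, open(2) fails with EEXIST when path is a symbolic
 * link, even a dangling one, regardless of where it points.
 * Returns 0 on success, -errno on failure. */
int write_pidfile_excl(const char *path, long pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -errno;
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", pid);
    int rc = (write(fd, buf, (size_t)len) == len) ? 0 : -EIO;
    close(fd);
    return rc;
}

static int put_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

static int file_is(const char *path, const char *expect)
{
    char buf[64] = "";
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return strcmp(buf, expect) == 0;
}

/* Constructed scenario: target.txt holds data that must survive, and a
 * symlink to it sits where the pidfile will be created.  Returns a bitmask
 * (15 when every step behaves as described):
 *   1: fopen() followed the symlink and replaced the target's content
 *   2: the O_EXCL variant returned -EEXIST on the symlink
 *   4: the target was untouched by the O_EXCL attempt
 *   8: once the symlink is gone, the O_EXCL variant writes the pidfile */
int run_symlink_scenario(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char target[300], pidfile[300];
    int result = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(pidfile, sizeof pidfile, "%s/chronyd.pid", dir);
    if (put_file(target, "important data\n") != 0 || symlink(target, pidfile) != 0)
        return -1;

    write_pidfile_fopen(pidfile, 4242);                 /* vulnerable path */
    if (file_is(target, "4242\n")) result |= 1;

    put_file(target, "important data\n");               /* restore, retry hardened */
    if (write_pidfile_excl(pidfile, 4242) == -EEXIST) result |= 2;
    if (file_is(target, "important data\n")) result |= 4;

    unlink(pidfile);                                    /* normal case: path is free */
    if (write_pidfile_excl(pidfile, 4242) == 0 && file_is(pidfile, "4242\n")) result |= 8;

    unlink(pidfile); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_scenario();
    printf("scenario bitmask: %d (15 = race reproduced with fopen, blocked by O_EXCL)\n", r);
    return r == 15 ? 0 : 1;
}
```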
Bug#924952: unblock: chrony/3.4-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hello,

Please unblock package chrony

Compared to chrony 3.4-3, this release just adds some necessary system calls to the seccomp filter whitelist. This allows fixing #924494, and probably many other bugs on some of our release architectures.

Debdiff attached!

unblock chrony/3.4-4

Thanks for your time,
Vincent

diffstat for chrony-3.4 chrony-3.4

 changelog                                              | 14 +
 patches/allow-further-syscalls-in-seccomp-filter.patch | 41 +
 patches/allow-recv-send-in-seccomp-filter.patch        | 24 +
 patches/series                                         |  2
 4 files changed, 81 insertions(+)

diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog --- chrony-3.4/debian/changelog 2019-03-04 23:32:12.0 +0100 +++ chrony-3.4/debian/changelog 2019-03-18 19:35:34.0 +0100
@@ -1,3 +1,17 @@ +chrony (3.4-4) unstable; urgency=medium + + * debian/patches/*: +- Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the +seccomp filter whitelist with those syscalls is a prerequisite, notably for +the arm64 architecture. + + [ Leigh Brown ] + * debian/patches/*: +- Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and +ppc64el. Other architectures might also be affected. (Closes: #924494) + + -- Vincent Blut Mon, 18 Mar 2019 19:35:34 +0100 + chrony (3.4-3) unstable; urgency=medium * debian/.gitlab-ci.yml: diff -Nru chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch --- chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-3.4/debian/patches/allow-further-syscalls-in-seccomp-filter.patch 2019-03-18 19:32:24.0 +0100 
@@ -0,0 +1,41 @@ +From: Vincent Blut +Date: Fri, 15 Mar 2019 00:03:24 +0100 +Subject: sys_linux: allow further syscalls in seccomp filter + +Adding these syscalls in the seccomp filter whitelist is a prerequisite for +the arm64 architecture. + +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg1.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ddd0ae23181f529bf0e8abaecfc9c726d672568 +--- + sys_linux.c | 12 +++- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/sys_linux.c b/sys_linux.c +@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), + /* Filesystem */ + SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), +-SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), +-SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), +-SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), ++SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat), ++SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), ++SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat), ++SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), ++SCMP_SYS(unlink), SCMP_SYS(unlinkat), + /* Socket */ + SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt), + SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), +@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(socketcall), + /* General I/O */ + SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe), +-SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select), +-SCMP_SYS(set_robust_list), SCMP_SYS(write), ++SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read), ++SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS
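Review bot: the *at variants added in the first hunk (faccessat, fchmodat, fchownat, newfstatat, renameat, unlinkat) and pipe2/ppoll/pselect6 in the second are allowed unconditionally, like the existing entries, and they cover the same file and I/O operations the list already permits through access/chmod/chown/stat/rename/unlink and pipe/poll/select, so no new capability is granted. The commit message says they are a prerequisite for arm64 (whose glibc only has the *at forms) but not that the allow list grows for every architecture the single sys_linux.c is built for; one sentence on that would make the scope clear. The second hunk is truncated in this copy, so its tail could not be checked.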
Bug#923897: stretch-pu: package chrony/3.0-4+deb9u2
On Sat, Mar 09, 2019 at 02:21:28PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2019-03-06 at 22:07 +0100, Vincent Blut wrote:
> > I would like to update chrony in Stretch to fix #923137 (severity important). This issue is caused by the absence of the _llseek() system call in the seccomp filter provided by chrony, which prevents some information from being logged on various 32-bit architectures when the system call filter is active.
> >
> > While working on the bug report mentioned above, I discovered that chronyd could also be incorrectly stopped when the system call filter is enabled. This is due to the waitpid() system call being absent from the seccomp filter. This is addressed by the allow-waitpid-in-seccomp-filter.patch patch.
>
> Please go ahead.

Uploaded.

> Regards,
>
> Adam

Thanks,
Vincent
Bug#923897: stretch-pu: package chrony/3.0-4+deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to update chrony in Stretch to fix #923137 (severity important). This issue is caused by the absence of the _llseek() system call in the seccomp filter provided by chrony, which prevents some information from being logged on various 32-bit architectures when the system call filter is active.

While working on the bug report mentioned above, I discovered that chronyd could also be incorrectly stopped when the system call filter is enabled. This is due to the waitpid() system call being absent from the seccomp filter. This is addressed by the allow-waitpid-in-seccomp-filter.patch patch.

I have been testing the proposed changes for a few days without any regression.

Debdiff attached!

Cheers,
Vincent

diffstat for chrony-3.0 chrony-3.0

 changelog                                     | 12 ++
 patches/allow-_llseek-in-seccomp-filter.patch | 30 ++
 patches/allow-waitpid-in-seccomp-filter.patch | 20 +
 patches/series                                |  2 +
 4 files changed, 64 insertions(+)

diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog ---
chrony-3.0/debian/changelog 2017-07-22 17:24:44.0 +0200 +++ chrony-3.0/debian/changelog 2019-03-06 11:13:29.0 +0100 @@ -1,3 +1,15 @@ +chrony (3.0-4+deb9u2) stretch; urgency=medium + + * debian/patches/*: +- Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit +plateforms to log the {raw}measurements and statistics information when +the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute) + for the report. (Closes: #923137) +- Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop +chronyd on some plateforms when the seccomp filter is enabled. + + -- Vincent Blut Wed, 06 Mar 2019 11:13:29 +0100 + chrony (3.0-4+deb9u1) stretch; urgency=medium * debian/chrony.if-up: diff -Nru chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch --- chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-3.0/debian/patches/allow-_llseek-in-seccomp-filter.patch 2019-03-05 23:36:44.0 +0100 
@@ -0,0 +1,30 @@ +From: Vincent Blut +Date: Thu, 28 Feb 2019 14:39:13 +0100 +Subject: sys_linux: allow _llseek in seccomp filter + +This is needed on various 32-bit platforms to reposition read/write file +offset on {raw}measurements and statistics log files. + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923137 +Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg3.html +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=e392d1fde94db26b88a0a017850415f1d34266d7 +--- + sys_linux.c | 8 + 1 file changed, 4 insertions(+), 4 deletions(-) +--- a/sys_linux.c b/sys_linux.c +@@ -473,10 +473,10 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), + /* Filesystem */ +-SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32), +-SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64), +-SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), SCMP_SYS(stat64), +-SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), ++SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), ++SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), ++SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), ++SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink), + /* Socket */ + SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), + SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg), diff -Nru chrony-3.0/debian
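Review bot: the changelog hunk spells "plateforms" twice ("on various 32-bit plateforms", "on some plateforms") where "platforms" is meant; worth correcting before the stable upload, since the changelog text is what users see in apt-listchanges.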
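Review bot: the sys_linux.c hunk of allow-_llseek-in-seccomp-filter.patch is consistent with how this list already handles 32-bit-only syscalls: _llseek is inserted in alphabetical order beside the existing lseek, exactly as chown32, fstat64 and statfs64 sit beside their 64-bit counterparts, so 64-bit builds are unaffected. Because the patch header says the seek only happens when writing the {raw}measurements and statistics logs, the regression was invisible on a default configuration; a check of the stable build on a 32-bit architecture with those log options enabled would confirm the fix, and the kernel audit record of a killed syscall is the place to look if anything else turns out to be missing from the list.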
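Review bot: the allow-waitpid-in-seccomp-filter.patch that the diffstat lists (20 lines) is truncated in this debdiff right after "diff -Nru chrony-3.0/debian", so its sys_linux.c hunk cannot be reviewed here; the changelog entry for it cites no bug or upstream commit, so its DEP-3 header is where a Forwarded or Applied-Upstream reference should go, as the _llseek patch already does.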
Bug#869419: stretch-pu: package chrony/3.0-4+deb9u1
Hi Jonathan,

On Sun, Aug 06, 2017 at 01:42:11PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Sun, Jul 23, 2017 at 02:17:23PM +0200, Vincent Blut wrote:
> > I’d like to fix #868491 in Stretch to prevent the “if-up” script from
> > failing in certain situations (usually at boot when chronyd isn’t fully
> > ready) which impede ifupdown from correctly registering the concerned
> > network interface in /run/network/ifstate.
>
> Please go ahead.

Thanks to Paul Gevers, it should be done.

Cheers,
Vincent
Bug#869419: stretch-pu: package chrony/3.0-4+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I’d like to fix #868491 in Stretch to prevent the “if-up” script from failing
in certain situations (usually at boot when chronyd isn’t fully ready) which
impede ifupdown from correctly registering the concerned network interface in
/run/network/ifstate.

Cheers,
Vincent

- -- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEE/VQBlxWoTJPh4vI5ipzudlpxp4AFAll0k80XHHZpbmNlbnQu
ZGViaWFuQGZyZWUuZnIACgkQipzudlpxp4AcuRAA2n+jALgsb71pdnKK/QoTikpG
HpOJ7x+wdtgP0t4hr/CEu3pNONfq/HZQ+dJCkoKT+Z/pMcSzhVe7A7CQv8HfeDbx
kdNZRxPqbEr8PTlm3T9ZGJbTTpGbY6JiOEsPdiOmpwxJCrb7fuF9gN20Yyerd67+
S3Fh9BFKINSbLl8oxz/WIap1TKAUmEN2yt9eeWTMmOHgPXwIsKczN8KC5EU0TTj7
zf5hX9tAPhD8oxAQir7SDIad6sWZ656UHpMVRT947M2TB7QynMZI6xuCl2uOCQEk
bssbt1kzQUFFwXEXl5KbPnsRyHnwgr1C1jj+QIBuonyegcamHqCP87gquFV9Dww+
iuZ7atbCX9qQqgSeJb5F7bffKc4GxnBmLuV+9VRxlWHpNSeOupEAq3qEZjDa9ZWe
IEzYEtgnSxTGcn437VDXRyh5a6NQMXecD6b16pCfG6LXDOu7jT5NSCAX7sjYO4ak
uTEa4aKfzSkmVlliDPR5oUjqgHPgeQNMZz3dgKStCfKrHSwilnzwMRAevGXFfASC
pNA8g+KCqxwU4UVCzpaXPmm0u6v5lB8Qh8RswcbRTDZC/E5nVtbwoBx1sHc/ilEV
hhGJGendYWZDnC4+QfZvuwyerUkS9RjpCq4364ZVnI4+SC0DXlCsD8VtyX/bXhYa
/K42g7nXGKvV8Mpf8Ns=
=5MtQ
-----END PGP SIGNATURE-----

diffstat for chrony-3.0 chrony-3.0

 changelog        | 15 +++
 chrony.if-up     |  2 +-
 chrony.ppp.ip-up |  2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog --- chrony-3.0/debian/changelog 2017-04-26 17:39:44.0 +0200 +++
chrony-3.0/debian/changelog 2017-07-22 17:24:44.0 +0200 @@ -1,3 +1,18 @@ +chrony (3.0-4+deb9u1) stretch; urgency=medium + + * debian/chrony.if-up: +- Do not pass the “burst” command to chronyc as the script could return an +error in certain situations. As a consequence, that would prevent ifupdown +from writing the current state of the interfaces in /run/network/ifstate. +Thanks to John Eikenberry for reporting that issue. +(Closes: #868491) + + * debian/chrony.ppp.ip-up: +- Take the same action as for the “chrony.if-up” script as a precautionary +measure. + + -- Vincent Blut Sat, 22 Jul 2017 17:24:44 +0200 + chrony (3.0-4) unstable; urgency=medium * debian/patches/*: diff -Nru chrony-3.0/debian/chrony.if-up chrony-3.0/debian/chrony.if-up --- chrony-3.0/debian/chrony.if-up 2017-01-16 17:33:37.0 +0100 +++ chrony-3.0/debian/chrony.if-up 2017-07-22 17:23:39.0 +0200 @@ -6,7 +6,7 @@ if [ -e /run/chronyd.pid ] && ip r list dev $IFACE 2> /dev/null | grep -q '^default'; then -chronyc -m online 'burst 4/10' > /dev/null 2>&1 +chronyc online > /dev/null 2>&1 else exit 0 fi diff -Nru chrony-3.0/debian/chrony.ppp.ip-up chrony-3.0/debian/chrony.ppp.ip-up --- chrony-3.0/debian/chrony.ppp.ip-up 2017-01-16 17:33:37.0 +0100 +++ chrony-3.0/debian/chrony.ppp.ip-up 2017-07-22 17:23:39.0 +0200 @@ -6,6 +6,6 @@ # Modified by Vincent Blut /bin/pidof chronyd > /dev/null || exit 0 -/usr/bin/chronyc -m online 'burst 4/4' > /dev/null 2>&1 +/usr/bin/chronyc online > /dev/null 2>&1 touch /var/run/chrony-ppp-up exit 0
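Review bot: in the chrony.if-up hunk the replacement `chronyc online > /dev/null 2>&1` is still the last command of the if branch, so the script's exit status is whatever chronyc returns; the changelog's goal is that the script never makes ifupdown fail to record the interface in /run/network/ifstate, which a trailing `|| true` or an explicit `exit 0` (as chrony.ppp.ip-up already ends with) would guarantee even when chronyd is not yet answering. The unquoted `$IFACE` in the context line `ip r list dev $IFACE` is pre-existing but worth quoting while the file is being touched.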
Bug#861435: unblock: chrony/3.0-4
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package chrony

Removal of “cached PID/TID in clone” from glibc 2.24-10 exposed a regression
in chrony when running it with the system call filter enabled. That’s due to
getpid(2) not being allowed in the seccomp filter. Chrony 3.0-4 fixes this
and thus closes #861258¹ (severity important.)

unblock chrony/3.0-4

Cheers,
Vincent

¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258

- -- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEE/VQBlxWoTJPh4vI5ipzudlpxp4AFAlkD5GcXHHZpbmNlbnQu
ZGViaWFuQGZyZWUuZnIACgkQipzudlpxp4ADJw/9ErKAa3uBO2vyw35vCY/gjgYZ
/x9jLhcTVaEgenj/x6Wo5mYTwrQV32Rmyrcmz2wie7S51nzE8Vc3p8WdtSFsS/te
khK0ptW6twA0OmLxckItzNfLzXCo9xEdqzJp5/VLoTF+z6cIbmMgA3BPqoFD74Tj
1fk99oSYIer3asGs56uoyvqV3xj3jc26QBKItK88sAy/l3Fl4fx/1UR0C9H6F8Hh
a1wcjzFbNPQAUcDZP5Qxkrbd1rLTU5udmYFavBs4PF+b/SN8wYfWwVlj8ySlgQHZ
qQa7lKCwHUBRBB99+UBpR906y3ifyaWrRR2t7xDp8ayQdeExh5j7YIJRR5/zEACN
2gmtITHXj2vn43C1MryTlHJvhkM8Doeqq3pn8xpQAENdCs9Z/03w5HZyux0dN9Nl
T5IBxdtE/nocHEq/ZO8Abn+lZrZ6KRLds2R8bRT+5qBVlOrthpsoV8GFg8WO5FkF
wrIe6xrCXuxKmhZIgISEHR7Y15OX9djgcn7Va0GQyEPM0cyCisdPyBfrxM0yk361
DKlxNLZrSdsZdAdp4/XNA+5XkcBr9Ic9hbcWbj83Cp1IHAUyEJ6ExPIiLFjYTqp3
FBblrFK/ePSQfS7chABPEfGO5xhUTn2caX4yGX8HJA48LG6Ir/1eaXWGZyXUgBaS
z+vA8oIBSETvTNCUXbw=
=v9co
-----END PGP SIGNATURE-----

diffstat for chrony-3.0 chrony-3.0

 changelog                                    |  8
 patches/allow_getpid_in_seccomp_filter.patch | 23 +++
 patches/series                               |  1 +
 3 files changed, 32 insertions(+)

diff -Nru chrony-3.0/debian/changelog chrony-3.0/debian/changelog ---
chrony-3.0/debian/changelog 2017-02-07 00:37:24.0 +0100 +++ chrony-3.0/debian/changelog 2017-04-26 17:39:44.0 +0200 @@ -1,3 +1,11 @@ +chrony (3.0-4) unstable; urgency=medium + + * debian/patches/*: +- Backport commit 768bce799bfe to make chrony operable with the syscall +filtering feature enabled in level 1. (Closes: #861258) + + -- Vincent Blut Wed, 26 Apr 2017 17:39:44 +0200 + chrony (3.0-3) unstable; urgency=medium * debian/patches/*: diff -Nru chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch --- chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-3.0/debian/patches/allow_getpid_in_seccomp_filter.patch 2017-04-26 17:39:44.0 +0200 
@@ -0,0 +1,23 @@ +Description: Allow getpid in seccomp filter +Author: Miroslav Lichvar +Origin: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=768bce799bfe009e7dbaad5742738f7d05280d6d +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861258 +Applied-Upstream: 3.1-10-g768bce7 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/sys_linux.c b/sys_linux.c +@@ -465,9 +465,10 @@ SYS_Linux_EnableSystemCallFilter(int lev + SCMP_SYS(adjtimex), SCMP_SYS(clock_gettime), SCMP_SYS(gettimeofday), + SCMP_SYS(settimeofday), SCMP_SYS(time), + /* Process */ +-SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getrlimit), +-SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), +-SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), SCMP_SYS(wait4), ++SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid), ++SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), ++SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn), ++SCMP_SYS(wait4), + /* Memory */ + SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2), + SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt), diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series --- chrony-3.0/debian/patches/series2017-02-06 20:03:25.0 +0100 +++ chrony-3.0/debian/patches/series2017-04-26 17:39:44.0 +0200 @@ -1 +1,2 @@ +allow_getpid_in_seccomp_filter.patch fix_time_smoothing_in_interleaved_mode.patch
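Review bot: in the allow_getpid_in_seccomp_filter.patch hunk, `SCMP_SYS(getrlimit),SCMP_SYS(rt_sigaction)` lacks the space after the comma that every other entry has; as this is a verbatim upstream backport (768bce799bfe) leaving it alone is acceptable, but the DEP-3 header could state the trigger that the unblock request gives (glibc 2.24-10 removing the cached PID/TID in clone), because "Allow getpid in seccomp filter" on its own does not tell a stable user why a filter that worked before now breaks chronyd.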
Bug#854520: unblock: chrony/3.0-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,

Please unblock package chrony

This update solves #854424¹ (severity important) which affects chrony 3.0 (an
NTP implementation.) This issue occurs when using the time smoothing process
in interleaved mode and has the nasty effect of decreasing the timestamp
accuracy… which is precisely what interleaved modes should improve.

I left technical information in the bug report to avoid making that unblock
request indigestible, but the proposed fix is quite easy to review (2 lines);
it just consists of including the smoothing offset in the updated server's
transmit timestamp.

The proposed update has been uploaded (thanks to Paul Gevers) and built
successfully on all applicable architectures. Source debdiff attached!

unblock chrony/3.0-3

Cheers,
Vincent

¹https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854424

-----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEE/VQBlxWoTJPh4vI5ipzudlpxp4AFAliaUb0XHHZpbmNlbnQu
ZGViaWFuQGZyZWUuZnIACgkQipzudlpxp4AkHhAAu4EAEexXiA/56KHGo1uhK+D4
tod6rXONWSfj4HU8tWr7G1C83D2fkOLyCOYrVniHK0QiW5EiCwGR2yjEhA8QPvar
Ynaantb00iTrTgkAsj2S57qtNqve8+jaD9fmHgtpZZeYdtLjTLkYUmfRuGqb3d35
x1b6XsbxmDm9If6tKFLfDwgnFALg8dGlqL8ezE64RpPwpm7SP6yH9ZcnJYeyNy/v
w8czPQTEcktG0hxWSsbg2uRpg5ZxTCk3Z7XKjOP+LCafJVljuOrnifHIknBfOkJ3
zJ4Zi921v6gJADzeT7oA51ggx1iyMqMfXAywLHb1g7/9huhigKqR96XY5GhuOvv9
k0ZT8yYWVjuyYRxkGIAKOVeEKRyafUMo/IZ9Z0+FkCmpArAydoDD0uh2BwpsCE9D
K53xhz3Wkrkigk9Q//jvAyCB2zZSslXM1/BXO9Q7YdDVlHRAp0mPW7yVLMKEC05F
A+R/fXYgYzMwe1Q2XNEuAkAG/Ym9xb1cDNk60PfzSpvC8BCdb+iR3udtGkUpi2W8
VYVS3MBkFf+wcQBlTmRaQqcm6KCh8q8AYor07OPVdZA8fpSdCOUmap377G13pW18
UHkkaahJDC0s4+/goqkOeUb0As52i5Lqw535ETenivWfhF0fRPP9Xdd64KpLoQFF
+9BnzO7fx+j15nNbSkU=
=JCY4
-----END PGP SIGNATURE-----

diffstat for chrony-3.0 chrony-3.0

 changelog                                            |  8 +
 patches/fix_time_smoothing_in_interleaved_mode.patch | 26 +++
 patches/series                                       |  1
 3 files changed, 35 insertions(+)

diff -Nru
chrony-3.0/debian/changelog chrony-3.0/debian/changelog --- chrony-3.0/debian/changelog 2017-01-18 15:26:31.0 +0100 +++ chrony-3.0/debian/changelog 2017-02-07 00:37:24.0 +0100 @@ -1,3 +1,11 @@ +chrony (3.0-3) unstable; urgency=medium + + * debian/patches/*: +- Backport an upstream patch to fix time smoothing in interleaved mode. +(Closes: #854424) + + -- Vincent Blut Tue, 07 Feb 2017 00:37:24 +0100 + chrony (3.0-2) unstable; urgency=medium * debian/chrony.conf: diff -Nru chrony-3.0/debian/patches/fix_time_smoothing_in_interleaved_mode.patch chrony-3.0/debian/patches/fix_time_smoothing_in_interleaved_mode.patch --- chrony-3.0/debian/patches/fix_time_smoothing_in_interleaved_mode.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-3.0/debian/patches/fix_time_smoothing_in_interleaved_mode.patch 2017-02-05 22:38:22.0 +0100 
@@ -0,0 +1,26 @@ +Description: Fix time smoothing in interleaved mode + When the server's transmit timestamp was updated with a kernel/HW timestamp, + it didn't include the time smoothing offset. If the offset was larger than + one second, the update failed and clients using the interleaved mode received + less accurate timestamps. If the update succeeded, the clients received + timestamps that were not adjusted for the time smoothing offset, which added + an error of up to 0.5s/1s to their measured offset/delay. + + Fix the update to include the smoothing offset in the new timestamp. +Author: Miroslav Lichvar +Origin: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=da2d33e9a84baa7325503440099dd8f1e567cdd4 +Applied-Upstream: 3.1 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/ntp_core.c b/ntp_core.c +@@ -2016,6 +2016,9 @@ NCR_ProcessTxUnknown(NTP_Remote_Address + if (log_index < 0) + return; + ++ if (SMT_IsEnabled() && NTP_LVM_TO_MODE(message->lvm) == MODE_SERVER) ++UTI_AddDoubleToTimespec(&tx_ts->ts, SMT_GetOffset(&tx_ts->ts), &tx_ts->ts); ++ + CLG_GetNtpTimestamps(log_index, &local_ntp_rx, &local_ntp_tx); + + if (UTI_IsZeroNtp64(local_ntp_tx)) diff -Nru chrony-3.0/debian/patches/series chrony-3.0/debian/patches/series --- chrony-3.0/debian/patches/series2017-01-16 17:33:37.0 +0100 +++ chrony-3.0/debian/patches/series2017-02-05 22:09:43.0 +0100 @@ -0,0 +1 @@ +fix_time_smoothing_in_interleaved_mode.patch
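Review bot: the ntp_core.c hunk adjusts tx_ts->ts in place by SMT_GetOffset(&tx_ts->ts) before the later comparison against the logged transmit timestamp; its correctness rests on the premise stated in the description, that the timestamp previously sent to the client (and recorded through CLG_GetNtpTimestamps) already carried the smoothing offset, which is why an offset larger than one second made the update fail. That premise is not visible in the hunk's context lines, so the backport is worth checking against 3.0's transmit path before relying on it, and the NTP_LVM_TO_MODE(message->lvm) == MODE_SERVER gate means only server-mode packets are adjusted, which matches the description's scope.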
Bug#825297: wheezy-pu: package chrony/1.24-3.1+deb7u4
On Fri, May 27, 2016 at 06:24:26PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Wed, 2016-05-25 at 19:58 +0200, Vincent Blut wrote:
> > Could you please accept chrony 1.24-3.1+deb7u4 in the last wheezy point
> > release? It fixes CVE-2016-1567 which I have backported to that specific
> > upstream version. It is well tested since the exact same patch has been
> > in squeeze-lts for a while.
>
> Since wheezy-lts started, we've only been accepting wheezy uploads that
> are regression fixes so would need a compelling reason that this
> shouldn't simply be fixed via wheezy-lts (I realise this wasn't
> explicitly mentioned in the announcement).

Oh ok. As you said, it wasn’t really clear from the announcement that
regression fixes only would be acceptable; I will get in touch with LTS
folks then.

> Regards,
> Adam

Thanks for your time Adam,
Vincent
Bug#825297: wheezy-pu: package chrony/1.24-3.1+deb7u4
Package: release.debian.org Severity: normal Tags: wheezy User: release.debian@packages.debian.org Usertags: pu Hi, Could you please accept chrony 1.24-3.1+deb7u4 in the last wheezy point release? It fixes CVE-2016-1567 which I have backported to that specific upstream version. It is well tested since the exact same patch has been in squeeze-lts for a while. The next fix is an adjustment ensuring we don’t delete the /var/lib/chrony content. That directory contains some really important data, notably the driftfile which stores the gain or loss of the system clock relative to the RTC. Deleting it each time chrony is upgraded or installed from Config-Files state was a mistake; let’s fix that! Thanks for your time, Vincent -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -u chrony-1.24/ntp_core.c chrony-1.24/ntp_core.c --- chrony-1.24/ntp_core.c +++ chrony-1.24/ntp_core.c @@ -966,7 +966,8 @@ if (!KEY_KeyKnown(auth_key_id)) { test5 = 0; } else { -test5 = check_packet_auth(message, auth_key_id); +test5 = check_packet_auth(message, auth_key_id) && +auth_key_id == inst->auth_key_id; } } else { /* If we expect authenticated info from this peer/server and the packet diff -u chrony-1.24/debian/changelog chrony-1.24/debian/changelog --- chrony-1.24/debian/changelog +++ chrony-1.24/debian/changelog 
@@ -1,3 +1,13 @@ +chrony (1.24-3.1+deb7u4) wheezy; urgency=medium + + * Fix CVE-2016-1567: Restrict authentication of server/peer to specified +key. (Closes: #812923) + + * debian/postrm: +- Remove /var/lib/chrony on purge only. (Closes: #568492) + + -- Vincent Blut Wed, 25 May 2016 17:15:18 +0200 + chrony (1.24-3.1+deb7u3) wheezy-security; urgency=medium * With the following security bugfixes (See: #782160): diff -u chrony-1.24/debian/postrm chrony-1.24/debian/postrm --- chrony-1.24/debian/postrm +++ chrony-1.24/debian/postrm @@ -3,7 +3,6 @@ # postrm for chrony John Hasler 1998-2006 # Any possessor of a copy of this program may treat it as if it # were in the public domain. I waive all rights. -rm -f /var/lib/chrony/* if [ -x update-menus ] ; then update-menus fi diff -u chrony-1.24/debian/applied/series chrony-1.24/debian/applied/series --- chrony-1.24/debian/applied/series +++ chrony-1.24/debian/applied/series @@ -7,0 +8 @@ +14_restrict-authentication-of-server-peer-to-specified-key.patch only in patch2: unchanged: --- chrony-1.24.orig/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch +++ chrony-1.24/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch 
@@ -0,0 +1,24 @@ +From: Vincent Blut +Date: Tue, 02 Feb 2016 23:29:25 +0100 +Subject: ntp: restrict authentication of server/peer to specified key + +This patch fixes CVE-2016-1567 in chrony 1.24. In versions prior to 1.31.2 as +well as all releases from the 2.x branch before 2.2.1, chrony does not verify +peer associations of symmetric keys when authenticating packets, which might +allow remote attackers to conduct impersonation attacks via an arbitrary +trusted key, aka a "skeleton key". +--- + +diff -urNpa a/chrony-1.24/ntp_core.c b/chrony-1.24/ntp_core.c +--- a/chrony-1.24/ntp_core.c 2016-02-02 23:28:39.070377463 +0100 b/chrony-1.24/ntp_core.c 2016-02-02 23:01:10.414119775 +0100 +@@ -966,7 +966,8 @@ receive_packet(NTP_Packet *message, stru + if (!KEY_KeyKnown(auth_key_id)) { + test5 = 0; + } else { +-test5 = check_packet_auth(message, auth_key_id); ++test5 = check_packet_auth(message, auth_key_id) && ++auth_key_id == inst->auth_key_id; + } + } else { + /* If we expect authenticated info from this peer/server and the packet
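Review bot: the ntp_core.c hunk's added condition `auth_key_id == inst->auth_key_id` closes the "skeleton key" case the patch header describes, but it also changes behaviour for symmetric peers configured with a different key on each side: those associations stop authenticating after the update. The 1.30 patch description in the jessie debdiff (Bug#825087) spells this consequence out; the wheezy changelog entry here does not, so a NEWS entry or a changelog sentence would save users that surprise at the point release.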
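Review bot: the postrm hunk only deletes the unconditional `rm -f /var/lib/chrony/*`, but the changelog says "Remove /var/lib/chrony on purge only", and no `purge` case is visible in the hunk or its context; either the changelog should say the data is now simply left in place, or the purge-time removal belongs in the diff as well.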
Bug#825087: jessie-pu: package chrony/1.30-2+deb8u2
[cc’ing Paul this time]

On Tue, May 24, 2016 at 11:04:41PM +0200, Vincent Blut wrote:
> On Tue, May 24, 2016 at 09:39:13PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Mon, 2016-05-23 at 15:28 +0200, Vincent Blut wrote:
> > > Could you please accept chrony 1.30-2+deb8u2 in the next jessie point
> > > release? It fixes three issues of different magnitudes.
> > >
> > > The most important one is the fix for CVE-2016-1567 though it didn’t
> > > warrant a DSA.
> > >
> > > The next one might sound probably not important enough to be fixed in
> > > a stable point release but it has some nasty consequences. We are
> > > mistakenly deleting the content of /var/lib/chrony on package removal.
> > > This directory contains the driftfile and the measurement history for
> > > each time source. The former file has a particularly important role:
> > > it stores the gain or loss rate of the system clock relative to the
> > > RTC which could take some time to calculate depending on how crappy
> > > the RTC is so it would be definitely better if we could avoid deleting
> > > it each time chrony is upgraded or installed from Config-Files state.
> > >
> > > To conclude, the last fix revises the postrotate script from the
> > > logrotate configuration file. It suffers from two issues, the first
> > > one is that it assumes the commandkey directive from chrony.conf takes
> > > ID 1, that’s not necessarily true!
> >
> > Please go ahead.
>
> Thanks Adam!
>
> Paul, I just pushed these changes to the “jessie” branch; could you
> please build, sign and upload?
>
> > Regards,
> > Adam
>
> Cheers,
> Vincent
Bug#825087: jessie-pu: package chrony/1.30-2+deb8u2
On Tue, May 24, 2016 at 09:39:13PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2016-05-23 at 15:28 +0200, Vincent Blut wrote:
> > Could you please accept chrony 1.30-2+deb8u2 in the next jessie point
> > release? It fixes three issues of different magnitudes.
> >
> > The most important one is the fix for CVE-2016-1567 though it didn’t
> > warrant a DSA.
> >
> > The next one might sound probably not important enough to be fixed in a
> > stable point release but it has some nasty consequences. We are
> > mistakenly deleting the content of /var/lib/chrony on package removal.
> > This directory contains the driftfile and the measurement history for
> > each time source. The former file has a particularly important role: it
> > stores the gain or loss rate of the system clock relative to the RTC
> > which could take some time to calculate depending on how crappy the RTC
> > is so it would be definitely better if we could avoid deleting it each
> > time chrony is upgraded or installed from Config-Files state.
> >
> > To conclude, the last fix revises the postrotate script from the
> > logrotate configuration file. It suffers from two issues, the first one
> > is that it assumes the commandkey directive from chrony.conf takes ID 1,
> > that’s not necessarily true!
>
> Please go ahead.

Thanks Adam!

Paul, I just pushed these changes to the “jessie” branch; could you please
build, sign and upload?

> Regards,
> Adam

Cheers,
Vincent
Bug#825087: jessie-pu: package chrony/1.30-2+deb8u2
Package: release.debian.org Tags: jessie Followup-For: Bug #825087 User: release.debian@packages.debian.org Usertags: pu [forgot to attach the debdiff] -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) diff -Nru chrony-1.30/debian/changelog chrony-1.30/debian/changelog --- chrony-1.30/debian/changelog 2015-09-09 20:00:38.0 +0200 +++ chrony-1.30/debian/changelog 2016-05-22 17:40:58.0 +0200 @@ -1,3 +1,16 @@ +chrony (1.30-2+deb8u2) jessie; urgency=medium + + * Fix CVE-2016-1567: Restrict authentication of server/peer to specified +key. (Closes: #812923) + + * debian/postrm: +- Remove /var/lib/chrony on purge only. (Closes: #568492) + + * debian/logrotate: +- Rework postrotate script. (Closes: #763542) + + -- Vincent Blut Sat, 21 May 2016 02:27:34 +0200 + chrony (1.30-2+deb8u1) jessie; urgency=medium * Build depend on libcap-dev. Without it, chronyd can’t drop root diff -Nru chrony-1.30/debian/logrotate chrony-1.30/debian/logrotate --- chrony-1.30/debian/logrotate 2015-09-09 19:31:39.0 +0200 +++ chrony-1.30/debian/logrotate 2016-05-22 17:40:58.0 +0200 
@@ -8,10 +8,6 @@ sharedscripts create 644 postrotate - PASSWORD=`awk '$1 ~ /^1$/ {print $2; exit}' /etc/chrony/chrony.keys` - cat << EOF | /usr/bin/chronyc | sed '/^200 OK$/d' - password $PASSWORD - cyclelogs - EOF + /usr/bin/chronyc -a cyclelogs > /dev/null 2>&1 || true endscript } diff -Nru chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch --- chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch 1970-01-01 01:00:00.0 +0100 +++ chrony-1.30/debian/patches/14_restrict-authentication-of-server-peer-to-specified-key.patch 2016-05-22 19:01:52.0 +0200 
@@ -0,0 +1,39 @@ +Description: ntp: restrict authentication of server/peer to specified key + When a server/peer was specified with a key number to enable + authentication with a symmetric key, packets received from the + server/peer were accepted if they were authenticated with any of + the keys contained in the key file and not just the specified key. + + This allowed an attacker who knew one key of a client/peer to modify + packets from its servers/peers that were authenticated with other + keys in a man-in-the-middle (MITM) attack. For example, in a network + where each NTP association had a separate key and all hosts had only + keys they needed, a client of a server could not attack other clients + of the server, but it could attack the server and also attack its own + clients (i.e. modify packets from other servers). + + To not allow the server/peer to be authenticated with other keys + extend the authentication test to check if the key ID in the received + packet is equal to the configured key number. As a consequence, it's + no longer possible to authenticate two peers to each other with two + different keys, both peers have to be configured to use the same key. + + This issue was discovered by Matt Street of Cisco ASIG. 
+ +Author: Miroslav Lichvar +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812923 +Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/ntp_core.c b/ntp_core.c +@@ -1049,7 +1049,8 @@ receive_packet(NTP_Packet *message, stru + if (inst->do_auth) { + if (auth_len > 0) { + auth_key_id = ntohl(message->auth_keyid); +- test5 = check_packet_auth(message, auth_key_id, auth_len); ++ test5 = check_packet_auth(message, auth_key_id, auth_len) && ++ auth_key_id == inst->auth_key_id; + } else { + /* If we expect authenticated info from this peer/server and the packet + doesn't have it, it's got to fail */ diff -Nru chrony-1.30/debian/patches/series chrony-1.30/debian/patches/series --- chrony-1.30/debian/patches/series 2015-09-09 19:31:39.0 +0200 +++ chrony-1.30/debian/patches/series 2016-05-22 17:40:58.0 +0200 @@ -5,3 +5,4 @@ 11_protect-authenticated-symmetric-ass.patch 12_fix-subnet-size-indivisible-by-four.patch 13_fix-initialization-of-allocated-reply-slots.patch +14_restrict-authentication-of-server-peer-to-specified-key.patch diff -Nru chrony-1.30/debian/postrm chrony-1.30/debian/postrm --- chrony-1.30/debian/postrm 2015-09-09 19:31:39.0 +0200 +++ chrony-1.30/debian/postrm 2016-05-2
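Review bot: the logrotate hunk drops a postrotate that extracted the command key with `awk '$1 ~ /^1$/ {print $2; exit}'` (hard-wiring key ID 1) and fed it to chronyc through a heredoc, which, as the request explains, also passed the tab-indented `EOF` line to chronyc as a command; `chronyc -a cyclelogs` fixes both and additionally stops the key from passing through a shell variable. One caveat: `|| true` rightly keeps logrotate from failing when chronyd is down, but `> /dev/null 2>&1` also hides an authentication failure, so log cycling would silently stop working; letting stderr through would surface that.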
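Review bot: the 1.30 patch hunk (`check_packet_auth(message, auth_key_id, auth_len) && auth_key_id == inst->auth_key_id`) matches the upstream 1.31-security commit named in Applied-Upstream, and the description documents the side effect that two peers must now share one key; that sentence should also reach the changelog or a NEWS entry, since only readers of debian/patches will otherwise see it before their peer associations stop authenticating.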
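Review bot: the postrm hunk is truncated after its `+++` header (`2016-05-2`) in this debdiff, so the actual change cannot be reviewed here; given the changelog says "Remove /var/lib/chrony on purge only", the expected content is a `purge` case around the removal rather than only dropping the `rm -f` line, which is all the wheezy debdiff for Bug#825297 above does.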
Bug#825087: jessie-pu: package chrony/1.30-2+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

Could you please accept chrony 1.30-2+deb8u2 in the next jessie point
release? It fixes three issues of different magnitudes.

The most important one is the fix for CVE-2016-1567 though it didn’t warrant
a DSA.

The next one might sound probably not important enough to be fixed in a
stable point release but it has some nasty consequences. We are mistakenly
deleting the content of /var/lib/chrony on package removal. This directory
contains the driftfile and the measurement history for each time source. The
former file has a particularly important role: it stores the gain or loss
rate of the system clock relative to the RTC which could take some time to
calculate depending on how crappy the RTC is so it would be definitely better
if we could avoid deleting it each time chrony is upgraded or installed from
Config-Files state.

To conclude, the last fix revises the postrotate script from the logrotate
configuration file. It suffers from two issues, the first one is that it
assumes the commandkey directive from chrony.conf takes ID 1, that’s not
necessarily true! Also, as leading tabs aren’t ignored in the heredoc, the
delimiting identifier is passed to chronyc, causing some noise (Unrecognized
command) in logs. To fix that issue, I could have appended a minus sign to
“<<” but that wouldn’t have solved the other one, consequently I decided to
just make use of the dedicated option provided by chronyc to fix both
problems.

Voilà, hope that’s receivable!

Have a good day,
Vincent

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
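The CVE-2016-1567 change in both the wheezy (1.24) and jessie (1.30) debdiffs above is a one-line addition to the authentication test, and the 1.30 patch description explains why it matters: a MAC that verifies under some key in the key file says nothing about which association the packet belongs to. The following added example, not chrony's code, models that check in C with a key file holding two keys: the pre-fix policy accepts a reply authenticated with a different known key, the post-fix policy rejects it, and a header altered after the MAC was computed fails under both. The key material, packet layout and keyed hash are constructed for the demo (the hash is a stand-in for the real MAC algorithm, not a MAC to use anywhere); keyed_hash, key_lookup, build_packet, accept_before_fix, accept_after_fix, reply_accepted and altered_reply_accepted are names chosen here, and check_packet_auth mirrors the function the patch modifies.

```c
/* Added example, not chrony's code: the association check behind
 * CVE-2016-1567.  A client configured with one key must reject a reply
 * authenticated with any other key from its key file, even when that MAC
 * verifies.  Keys, packets and the keyed hash are constructed for the demo;
 * the hash stands in for the real MAC algorithm, the check is the point. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HDR_LEN 48
#define MAC_LEN 8

struct ntp_key { uint32_t id; const char *secret; };

/* Constructed key file contents (what /etc/chrony/chrony.keys would hold). */
static const struct ntp_key keys[] = {
    { 1, "demo-key-shared-with-the-ntp-server" },
    { 2, "demo-key-shared-with-a-peer-host" },
};
#define KEY_COUNT (sizeof keys / sizeof keys[0])

/* Authenticated packet: 48-byte header, then key ID and MAC. */
struct ntp_packet {
    uint8_t header[NTP_HDR_LEN];
    uint32_t auth_keyid;
    uint8_t mac[MAC_LEN];
};

/* Stand-in keyed hash (FNV-1a over secret || header).  Not a real MAC; it
 * only makes the check depend on both the key and the header contents. */
static void keyed_hash(const char *secret, const uint8_t *data, size_t len,
                       uint8_t out[MAC_LEN])
{
    uint64_t h = 1469598103934665603ULL;
    size_t i;

    for (i = 0; secret[i] != '\0'; i++) { h ^= (uint8_t)secret[i]; h *= 1099511628211ULL; }
    for (i = 0; i < len; i++)           { h ^= data[i];            h *= 1099511628211ULL; }
    for (i = 0; i < MAC_LEN; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* KEY_KeyKnown() counterpart: is this ID in the key file at all? */
static const struct ntp_key *key_lookup(uint32_t id)
{
    size_t i;
    for (i = 0; i < KEY_COUNT; i++)
        if (keys[i].id == id)
            return &keys[i];
    return NULL;
}

/* check_packet_auth() counterpart: does the MAC verify under the key the
 * packet itself names?  This is all the pre-fix code tested. */
static int check_packet_auth(const struct ntp_packet *p)
{
    const struct ntp_key *k = key_lookup(p->auth_keyid);
    uint8_t expected[MAC_LEN];

    if (k == NULL)
        return 0;
    keyed_hash(k->secret, p->header, NTP_HDR_LEN, expected);
    return memcmp(expected, p->mac, MAC_LEN) == 0; /* constant-time compare in real code */
}

/* Build a server reply as a host holding key `key_id` would. */
static int build_packet(struct ntp_packet *p, uint32_t key_id, uint8_t stratum)
{
    const struct ntp_key *k = key_lookup(key_id);

    if (k == NULL)
        return -1;
    memset(p, 0, sizeof *p);
    p->header[0] = 0x24; /* LI 0, NTPv4, mode 4 (server) */
    p->header[1] = stratum;
    p->auth_keyid = key_id;
    keyed_hash(k->secret, p->header, NTP_HDR_LEN, p->mac);
    return 0;
}

/* Pre-fix acceptance: test5 = check_packet_auth(...), any known key will do. */
static int accept_before_fix(const struct ntp_packet *p, uint32_t configured_key_id)
{
    (void)configured_key_id;
    return check_packet_auth(p);
}

/* Post-fix acceptance: the key must also be the one configured for this
 * association (the added auth_key_id == inst->auth_key_id test). */
static int accept_after_fix(const struct ntp_packet *p, uint32_t configured_key_id)
{
    return check_packet_auth(p) && p->auth_keyid == configured_key_id;
}

/* Scenario: the client has "server ... key <configured_key>" and a reply
 * authenticated with `signing_key` arrives.  1 = accepted, 0 = rejected,
 * -1 = no such key in the file to build the reply with. */
static int reply_accepted(uint32_t signing_key, uint32_t configured_key, int fixed)
{
    struct ntp_packet p;

    if (build_packet(&p, signing_key, 2) != 0)
        return -1;
    return fixed ? accept_after_fix(&p, configured_key)
                 : accept_before_fix(&p, configured_key);
}

/* A header altered after the MAC was computed fails under either policy. */
static int altered_reply_accepted(uint32_t key, int fixed)
{
    struct ntp_packet p;

    if (build_packet(&p, key, 2) != 0)
        return -1;
    p.header[1] = 1;
    return fixed ? accept_after_fix(&p, key) : accept_before_fix(&p, key);
}

int main(void)
{
    printf("reply under key 1, client configured key 1: before %d, after %d\n",
           reply_accepted(1, 1, 0), reply_accepted(1, 1, 1)); /* 1, 1 */
    printf("reply under key 2, client configured key 1: before %d, after %d\n",
           reply_accepted(2, 1, 0), reply_accepted(2, 1, 1)); /* 1, 0 */
    return 0;
}
```

The second printf line is the bug: before the fix a reply authenticated with key 2 passes a client that configured key 1, because the only question asked was "is this a valid MAC under the key named in the packet". The fix adds the question "is that the key I configured for this server", which is also why the 1.30 patch description notes that two peers must then use the same key on both sides.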
Bug#798584: jessie-pu: package chrony/1.30-2+deb8u1
On Thu, Jan 14, 2016 at 08:29:28PM +0100, Paul Gevers wrote:
> Hi all,

Hey Paul,

> On 13-01-16 23:26, Vincent Blut wrote:
> > Great. Hopefully my sponsor will be able to upload before the 8.3 window
> > closes. Paul, let me know if you want me to upload the stuff to
> > mentors.d.n; otherwise you can checkout the *jessie* branch from the git
> > repo.
>
> Uploaded.

Awesome, thanks for your availability!

Cheers,
Vincent

> Paul
Bug#798584: jessie-pu: package chrony/1.30-2+deb8u1
On Wed, Jan 13, 2016 at 07:13:42PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2016-01-13 at 17:35 +0100, Vincent Blut wrote:
> > AFAIR, new uploads will stop being processed on Sunday;
>
> This weekend, yes.

Ok, thanks for confirming!

> > consequently, can I request some of your time to tell me if the above
> > change is acceptable for 8.3?
>
> Please go ahead; apologies for not getting back to you sooner.

Great. Hopefully my sponsor will be able to upload before the 8.3 window
closes. Paul, let me know if you want me to upload the stuff to mentors.d.n;
otherwise you can checkout the *jessie* branch from the git repo.

Cheers,
Vincent

> Regards,
> Adam
Bug#798584: jessie-pu: package chrony/1.30-2+deb8u1
On Thu, 10 Sep 2015 20:59:48 +0200 Vincent Blut wrote: Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hi, Please accept chrony 1.30-2+deb8u1 for the next Jessie point release; it fixes a missing build dependency on libcap-dev which prevent user from configuring chronyd to drop root privileges. That would close #768803. diff -Nru chrony-1.30/debian/changelog chrony-1.30/debian/changelog --- chrony-1.30/debian/changelog2015-04-10 11:43:39.0 +0200 +++ chrony-1.30/debian/changelog2015-09-09 20:00:38.0 +0200 @@ -1,3 +1,10 @@ +chrony (1.30-2+deb8u1) jessie; urgency=medium + + * Build depend on libcap-dev. Without it, chronyd canât drop root +privileges. (Closes: #768803) + + -- Vincent Blut Wed, 09 Sep 2015 19:50:09 +0200 + chrony (1.30-2) unstable; urgency=medium * With the following security bugfixes (Closes: #782160): diff -Nru chrony-1.30/debian/control chrony-1.30/debian/control --- chrony-1.30/debian/control 2015-04-09 00:05:48.0 +0200 +++ chrony-1.30/debian/control 2015-09-09 19:35:25.0 +0200 @@ -8,7 +8,8 @@ texinfo, bison, libedit-dev, libnss3-dev, - libtomcrypt-dev + libtomcrypt-dev, + libcap-dev Homepage: http://chrony.tuxfamily.org Vcs-Git: git://anonscm.debian.org/collab-maint/chrony.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/chrony.git Cheers, Vincent -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Hello, AFAIR, new uploads will stop being processed on Sunday; consequently, can I request some of your time to tell me if the above change is acceptable for 8.3? Thanks for your work, Vincent signature.asc Description: PGP signature
Bug#798584: jessie-pu: package chrony/1.30-2+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu

Hi,

Please accept chrony 1.30-2+deb8u1 for the next Jessie point release; it fixes a missing build dependency on libcap-dev which prevent user from configuring chronyd to drop root privileges. That would close #768803.

diff -Nru chrony-1.30/debian/changelog chrony-1.30/debian/changelog --- chrony-1.30/debian/changelog2015-04-10 11:43:39.0 +0200 +++ chrony-1.30/debian/changelog2015-09-09 20:00:38.0 +0200 @@ -1,3 +1,10 @@ +chrony (1.30-2+deb8u1) jessie; urgency=medium + + * Build depend on libcap-dev. Without it, chronyd can’t drop root +privileges. (Closes: #768803) + + -- Vincent Blut Wed, 09 Sep 2015 19:50:09 +0200 + chrony (1.30-2) unstable; urgency=medium * With the following security bugfixes (Closes: #782160): diff -Nru chrony-1.30/debian/control chrony-1.30/debian/control --- chrony-1.30/debian/control 2015-04-09 00:05:48.0 +0200 +++ chrony-1.30/debian/control 2015-09-09 19:35:25.0 +0200 @@ -8,7 +8,8 @@ texinfo, bison, libedit-dev, libnss3-dev, - libtomcrypt-dev + libtomcrypt-dev, + libcap-dev Homepage: http://chrony.tuxfamily.org Vcs-Git: git://anonscm.debian.org/collab-maint/chrony.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/chrony.git

Cheers,
Vincent

-- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
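Review bot: in the debian/control hunk, libcap-dev is added to Build-Depends unconditionally; libcap exposes a Linux-only interface, so if chrony is built for any non-Linux port the new build dependency would be unsatisfiable there. If that applies, qualify it as "libcap-dev [linux-any]" so configure falls back to the previous behaviour on those ports. Since the changelog's claim that chronyd can now drop root privileges depends on configure actually having detected libcap at build time, it would also be worth confirming in the debdiff of the binary packages that chronyd now links against libcap (a new libcap2 dependency picked up via shlibs) before the point release.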
Re: Uploading linux (3.2.50-1) to wheezy
On 31/08/2013 21:15, Vincent Blut wrote:
> On 31/08/2013 20:21, Ben Hutchings wrote:
>> On Fri, 2013-08-30 at 17:49 +0200, Vincent Blut wrote:
>>> [Cc'ing debian-{kernel, release} mailing lists]
>>>
>>> On 26/08/2013 00:31, Ben Hutchings wrote:
>>>> In preparation for the next stable update, I want to upload a
>>>> new kernel with bug fixes from the 3.2.y stable branch (and a
>>>> few others we've collected in Debian).
>>>>
>>>> There are probably some pending security fixes that should be
>>>> included in this and maybe a prior security update.
>>>>
>>>> Unfortunately I haven't found the time to work on new hardware
>>>> support for this update.
>>>>
>>>> Please let me know if there are any other fixes that should go
>>>> into this update, in particular for any regressions between
>>>> 3.2.46 and 3.2.50.
>>>
>>> Hi Ben,
>>>
>>> This is not a major issue but could you please cherry-pick:
>>>
>>> commit 016d5baad042 ACPI / battery: Fix parsing _BIX return
>>> value
>>>
>>> I guess it will be part of 3.2.51, but as Debian 7.2 is
>>> approaching, it might be the last kernel upload before its
>>> release.
>>
>> Is there a bug report for this? If not, could you open one?
>
> Apart from the upstream one, no! I'll open one in the BTS later this evening.

Done! http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721468

>
>>
>> Ben.
>>
>
> Cheers,
> Vincent
>

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/52227698.9050...@free.fr
Re: Uploading linux (3.2.50-1) to wheezy
On 31/08/2013 20:21, Ben Hutchings wrote:
> On Fri, 2013-08-30 at 17:49 +0200, Vincent Blut wrote:
>> [Cc'ing debian-{kernel, release} mailing lists]
>>
>> On 26/08/2013 00:31, Ben Hutchings wrote:
>>> In preparation for the next stable update, I want to upload a
>>> new kernel with bug fixes from the 3.2.y stable branch (and a
>>> few others we've collected in Debian).
>>>
>>> There are probably some pending security fixes that should be
>>> included in this and maybe a prior security update.
>>>
>>> Unfortunately I haven't found the time to work on new hardware
>>> support for this update.
>>>
>>> Please let me know if there are any other fixes that should go
>>> into this update, in particular for any regressions between
>>> 3.2.46 and 3.2.50.
>>
>> Hi Ben,
>>
>> This is not a major issue but could you please cherry-pick:
>>
>> commit 016d5baad042 ACPI / battery: Fix parsing _BIX return
>> value
>>
>> I guess it will be part of 3.2.51, but as Debian 7.2 is
>> approaching, it might be the last kernel upload before its
>> release.
>
> Is there a bug report for this? If not, could you open one?

Apart from the upstream one, no! I'll open one in the BTS later this evening.

>
> Ben.
>

Cheers,
Vincent
Re: Uploading linux (3.2.50-1) to wheezy
[Cc'ing debian-{kernel, release} mailing lists]

On 26/08/2013 00:31, Ben Hutchings wrote:
> In preparation for the next stable update, I want to upload a new
> kernel with bug fixes from the 3.2.y stable branch (and a few
> others we've collected in Debian).
>
> There are probably some pending security fixes that should be
> included in this and maybe a prior security update.
>
> Unfortunately I haven't found the time to work on new hardware
> support for this update.
>
> Please let me know if there are any other fixes that should go into
> this update, in particular for any regressions between 3.2.46 and
> 3.2.50.

Hi Ben,

This is not a major issue but could you please cherry-pick:

commit 016d5baad042 ACPI / battery: Fix parsing _BIX return value

I guess it will be part of 3.2.51, but as Debian 7.2 is approaching, it might be the last kernel upload before its release.

>
> Ben.
>

Cheers,
Vincent