On Thu, Feb 04, 2016 at 04:57:15PM -0500, Antoine Beaupré wrote:
On 2016-02-04 11:56:50, Vincent Blut wrote:

Hey Antoine,

On 2016-01-30 15:16:49, Antoine Beaupré wrote:
>> On 2016-01-28 17:27:41, Vincent Blut wrote:
>>> On Thu, Jan 28, 2016 at 09:23:01PM +0100, Guido Günther wrote:
>>>>Hello dear maintainers,
>>>
>>> Hello Guido,
>>>
>>>>the Debian LTS team would like to fix the security issues which are
>>>>currently open in the Squeeze version of chrony:
>>>>https://security-tracker.debian.org/tracker/CVE-2016-1567
>>>>
>>>>Would you like to take care of this yourself?
>>>
>>> I’m well aware of that security issue. Sadly, I’m totally busy these
>>> days, thus I won’t be able to deal with this prior to Sunday/Monday.
>>> Hope that deadline is acceptable for you‽
>>
>> I think that is fine, thanks for looking into it!
>
>Ping! Did you have time to follow up on this?

Yes, I’ve had an ack from upstream about my backported patch, I’ve been testing the patched package since yesterday. I do intend to upload to mentors.d.n tonight.

Great, keep us informed!
Ok, so my attempt to upload to mentors.d.n has been rejected due to squeeze-lts not being understood by the service. Hopefully this will be fixed to ease cooperation with non-DDs or DMs without upload rights.
Whilst seeking a solution, here is a debdiff: chrony_1.24-3+squeeze2 chrony_1.24-3+squeeze3chrony-1.24/debian/applied/series | 1 chrony-1.24/debian/changelog | 10 ++++
chrony-1.24/ntp_core.c | 3 - debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch | 24 ++++++++++ 4 files changed, 37 insertions(+), 1 deletion(-) diff -u chrony-1.24/debian/applied/series chrony-1.24/debian/applied/series --- chrony-1.24/debian/applied/series +++ chrony-1.24/debian/applied/series @@ -7,0 +8 @@ +14_restrict-authentication-of-server-peer-to-specified-key.patch diff -u chrony-1.24/debian/changelog chrony-1.24/debian/changelog --- chrony-1.24/debian/changelog +++ chrony-1.24/debian/changelog @@ -1,3 +1,13 @@ +chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium + + * Fix CVE-2016-1567: retrict authentication of server/peer + to specified key + * debian/applied/: + - Add 14_restrict-authentication-of-server-peer-to-specified-key.patch, + and update the series file accordingly. + + -- Vincent Blut <vincent.deb...@free.fr> Wed, 03 Feb 2016 17:34:59 +0100 + chrony (1.24-3+squeeze2) squeeze-lts; urgency=high * With the following security bugfixes (See: #782160): diff -u chrony-1.24/ntp_core.c chrony-1.24/ntp_core.c --- chrony-1.24/ntp_core.c +++ chrony-1.24/ntp_core.c @@ -966,7 +966,8 @@ if (!KEY_KeyKnown(auth_key_id)) { test5 = 0; } else { - test5 = check_packet_auth(message, auth_key_id); + test5 = check_packet_auth(message, auth_key_id) && + auth_key_id == inst->auth_key_id; } } else { /* If we expect authenticated info from this peer/server and the packet only in patch2: unchanged: --- chrony-1.24.orig/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch +++ chrony-1.24/debian/applied/14_restrict-authentication-of-server-peer-to-specified-key.patch 
@@ -0,0 +1,24 @@ +From: Vincent Blut <vincent.deb...@free.fr> +Date: Tue, 02 Feb 2016 23:29:25 +0100 +Subject: ntp: restrict authentication of server/peer to specified key + +This patch fixes CVE-2016-1567 in chrony 1.24. Prior to version 1.31.2, +chrony does not verify peer associations of symmetric keys when authenticating +packets, which might allow remote attackers to conduct impersonation attacks +via an arbitrary trusted key, aka a "skeleton key." This issue also affects +chrony 2.2 and has been fixed in version 2.2.1. +--- + +diff -urNpa a/chrony-1.24/ntp_core.c b/chrony-1.24/ntp_core.c +--- a/chrony-1.24/ntp_core.c 2016-02-02 23:28:39.070377463 +0100 ++++ b/chrony-1.24/ntp_core.c 2016-02-02 23:01:10.414119775 +0100 +@@ -966,7 +966,8 @@ receive_packet(NTP_Packet *message, stru + if (!KEY_KeyKnown(auth_key_id)) { + test5 = 0; + } else { +- test5 = check_packet_auth(message, auth_key_id); ++ test5 = check_packet_auth(message, auth_key_id) && ++ auth_key_id == inst->auth_key_id; + } + } else { + /* If we expect authenticated info from this peer/server and the packet Cheers, Vincent
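Review bot: In the ntp_core.c hunk, the new test5 assignment calls check_packet_auth(message, auth_key_id) before it compares auth_key_id with inst->auth_key_id, so a packet carrying any other known key id still goes through the full authentication check before being rejected. Putting the comparison first, as in "auth_key_id == inst->auth_key_id && check_packet_auth(message, auth_key_id)", gives the same result and short-circuits for the wrong key. A one-line comment saying that only the key configured for this server/peer may authenticate its packets would also help. The hunk appears twice in the debdiff (applied to ntp_core.c and inside 14_restrict-authentication-of-server-peer-to-specified-key.patch), so both copies need to stay in sync.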
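Review bot: The new debian/changelog entry misspells "restrict" as "retrict" in the "Fix CVE-2016-1567" line; please correct it before upload. The entry also uses urgency=medium where the previous security upload (1.24-3+squeeze2) used urgency=high, so confirm that the lower urgency is intended. The header of the added 14_ patch carries From, Date and Subject but no pointer to the upstream change it was backported from; adding one would make the backport easier to audit.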