Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 738154 (CVE-2020-14367) - <net-misc/chrony-3.5.1: Insecure temp file handling (CVE-2020-14367)
Summary: <net-misc/chrony-3.5.1: Insecure temp file handling (CVE-2020-14367)
Status: RESOLVED FIXED
Alias: CVE-2020-14367
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://www.mail-archive.com/chrony-d...
Whiteboard: A4 [glsa+ cleanup cve]
Keywords: CC-ARCHES
Depends on: 739684 739714
Blocks:
  Show dependency tree
 
Reported: 2020-08-20 07:14 UTC by Sam James
Modified: 2020-09-02 16:33 UTC (History)
2 users (show)

See Also:
Package list:
net-misc/chrony-3.5.1-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 07:14:00 UTC
"CVE-2020-14367: Insecure writing of pidfile
-------------------------------------------

When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker that compromised the chrony user account
could create a symbolic link at the location of the pidfile to make
chronyd starting with root privileges follow the symlink and write its
process ID to a file for which the chrony user doesn't have write
permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE."

Fixed in 3.5.1.
Comment 1 Larry the Git Cow gentoo-dev 2020-08-20 07:31:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=151b33bc43ba47d284b0aa711abd7e3b62f31ea4

commit 151b33bc43ba47d284b0aa711abd7e3b62f31ea4
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-08-20 07:31:33 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-08-20 07:31:53 +0000

    net-misc/chrony: Version 3.5.1
    
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/738154
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/chrony/Manifest            |   1 +
 net-misc/chrony/chrony-3.5.1.ebuild | 172 ++++++++++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 09:02:40 UTC
Thanks. Tell us when ready to stable.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-25 23:32:09 UTC
Any objections to stabling, or we will go ahead?
Comment 4 NATTkA bot gentoo-dev 2020-08-27 10:08:50 UTC
Unable to check for sanity:

> no match for package: net-misc/chrony-3.5.1
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-30 17:15:24 UTC
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 20:54:36 UTC
amd64 done
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-08-30 21:14:52 UTC
This issue was resolved and addressed in
 GLSA 202008-23 at https://security.gentoo.org/glsa/202008-23
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 21:15:22 UTC
Reopening for stable.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 22:51:18 UTC
ppc64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 23:01:19 UTC
arm done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 23:02:59 UTC
sparc done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 23:31:24 UTC
ppc done
Comment 13 Larry the Git Cow gentoo-dev 2020-09-02 15:51:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e1caaf3bc2225e4703cd9c66adf90ba3882836e

commit 0e1caaf3bc2225e4703cd9c66adf90ba3882836e
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-02 15:30:10 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-02 15:51:37 +0000

    net-misc/chrony: Old
    
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/738154
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/chrony/Manifest                           |   1 -
 net-misc/chrony/chrony-3.5-r2.ebuild               | 127 ---------------
 net-misc/chrony/chrony-3.5-r4.ebuild               | 172 ---------------------
 .../chrony/files/chrony-3.5-systemd-gentoo.patch   |  12 --
 net-misc/chrony/metadata.xml                       |   1 -
 5 files changed, 313 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=356b6432ed5d3ea159b68b5b6060cd9f9b843b12

commit 356b6432ed5d3ea159b68b5b6060cd9f9b843b12
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-02 15:26:17 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-02 15:51:36 +0000

    net-misc/chrony: Stable for HPPA
    
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/738154
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/chrony/chrony-3.5.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 16:16:08 UTC
HPPA was last arch. Please cleanup.
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 16:33:32 UTC
(In reply to John Helmert III (ajak) from comment #14)
> HPPA was last arch. Please cleanup.

Whoops, cleanup already done, sorry about that. All done.