From ${URL} : Chrony upstream has released v1.29 version, correcting two security flaws: * Issue #1: CVE-2012-4502: Buffer overflow when processing crafted command packets This issue was found by Florian Weimer of Red Hat. Relevant patch: http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=7712455d9aa33d0db0945effaa07e900b85987b1 Announcement: http://permalink.gmane.org/gmane.comp.time.chrony.announce/15 Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=846392 * Issue #2: CVE-2012-4503: Uninitialized data in command replies This issue was found by Miroslav Lichvar of Red Hat. Relevant patch: http://git.tuxfamily.org/chrony/chrony.git/?p=chrony/chrony.git;a=commitdiff;h=c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3 Announcement: http://permalink.gmane.org/gmane.comp.time.chrony.announce/15 Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=846392 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Arch teams, please test and mark stable: =net-misc/chrony-1.29 Targeted stable KEYWORDS : amd64 hppa ppc sparc x86
ppc stable
amd64 stable
x86 stable
Stable for HPPA.
sparc stable
Thanks for your work New GLSA request filed
CVE-2012-4503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4503): cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply. CVE-2012-4502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4502): Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit.
This issue was resolved and addressed in GLSA 201402-28 at http://security.gentoo.org/glsa/glsa-201402-28.xml by GLSA coordinator Sergey Popov (pinkbyte).
