Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 738154 (CVE-2020-14367) - <net-misc/chrony-3.5.1: Insecure temp file handling (CVE-2020-14367)
Summary: <net-misc/chrony-3.5.1: Insecure temp file handling (CVE-2020-14367)
Status: RESOLVED FIXED
Alias: CVE-2020-14367
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.mail-archive.com/chrony-d...
Whiteboard: A4 [glsa+ cleanup cve]
Keywords: CC-ARCHES
Depends on: 739684 739714
Blocks:
  Show dependency tree
 
Reported: 2020-08-20 07:14 UTC by Sam James
Modified: 2020-09-02 16:33 UTC (History)
2 users (show)

See Also:
Package list:
net-misc/chrony-3.5.1-r1
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 07:14:00 UTC 
"CVE-2020-14367: Insecure writing of pidfile
-------------------------------------------

When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker that compromised the chrony user account
could create a symbolic link at the location of the pidfile to make
chronyd starting with root privileges follow the symlink and write its
process ID to a file for which the chrony user doesn't have write
permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE."

Fixed in 3.5.1.
Comment 1 Larry the Git Cow gentoo-dev 2020-08-20 07:31:56 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=151b33bc43ba47d284b0aa711abd7e3b62f31ea4

commit 151b33bc43ba47d284b0aa711abd7e3b62f31ea4
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-08-20 07:31:33 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-08-20 07:31:53 +0000

    net-misc/chrony: Version 3.5.1
    
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/738154
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/chrony/Manifest            |   1 +
 net-misc/chrony/chrony-3.5.1.ebuild | 172 ++++++++++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 09:02:40 UTC 
Thanks. Tell us when ready to stable.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-25 23:32:09 UTC 
Any objections to stabling, or we will go ahead?
Comment 4 NATTkA bot gentoo-dev 2020-08-27 10:08:50 UTC 
Unable to check for sanity:

> no match for package: net-misc/chrony-3.5.1
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-30 17:15:24 UTC 
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 20:54:36 UTC 
amd64 done
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-08-30 21:14:52 UTC 
This issue was resolved and addressed in
 GLSA 202008-23 at https://security.gentoo.org/glsa/202008-23
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 21:15:22 UTC 
Reopening for stable.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 22:51:18 UTC 
ppc64 done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 23:01:19 UTC 
arm done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 23:02:59 UTC 
sparc done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 23:31:24 UTC 
ppc done
Comment 13 Larry the Git Cow gentoo-dev 2020-09-02 15:51:40 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0e1caaf3bc2225e4703cd9c66adf90ba3882836e

commit 0e1caaf3bc2225e4703cd9c66adf90ba3882836e
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-02 15:30:10 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-02 15:51:37 +0000

    net-misc/chrony: Old
    
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/738154
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/chrony/Manifest                           |   1 -
 net-misc/chrony/chrony-3.5-r2.ebuild               | 127 ---------------
 net-misc/chrony/chrony-3.5-r4.ebuild               | 172 ---------------------
 .../chrony/files/chrony-3.5-systemd-gentoo.patch   |  12 --
 net-misc/chrony/metadata.xml                       |   1 -
 5 files changed, 313 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=356b6432ed5d3ea159b68b5b6060cd9f9b843b12

commit 356b6432ed5d3ea159b68b5b6060cd9f9b843b12
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-02 15:26:17 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-02 15:51:36 +0000

    net-misc/chrony: Stable for HPPA
    
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/738154
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-misc/chrony/chrony-3.5.1-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 16:16:08 UTC 
HPPA was last arch. Please cleanup.
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 16:33:32 UTC 
(In reply to John Helmert III (ajak) from comment #14)
> HPPA was last arch. Please cleanup.

Whoops, cleanup already done, sorry about that. All done.