[chrony/el5] don't send uninitialized data in command replies (CVE-2012-4503)
Miroslav Lichvar
mlichvar at fedoraproject.org
Fri Aug 9 11:55:53 UTC 2013
commit 1b7e24c665f8763e355c077cfbccefdd2137d22b
Author: Miroslav Lichvar <mlichvar at redhat.com>
Date: Fri Aug 9 13:09:22 2013 +0200
don't send uninitialized data in command replies (CVE-2012-4503)
chrony-cve-2012-4503.patch | 35 +++++++++++++++++++++++++++++++++++
chrony.spec | 2 ++
2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/chrony-cve-2012-4503.patch b/chrony-cve-2012-4503.patch
new file mode 100644
index 0000000..7c3ff01
--- /dev/null
+++ b/chrony-cve-2012-4503.patch
@@ -0,0 +1,35 @@
+commit c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
+Author: Miroslav Lichvar <mlichvar at redhat.com>
+Date: Wed Jul 31 15:02:09 2013 +0200
+
+ Don't send uninitialized data in command replies
+
+ The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can
+ contain uninitalized data from stack when the client logging is disabled
+ or a bad subnet is requested. These commands were never used by chronyc
+ and they require the client to be authenticated since version 1.25.
+
+diff --git a/cmdmon.c b/cmdmon.c
+index e4f7349..6d6e32b 100644
+--- a/cmdmon.c
++++ b/cmdmon.c
+@@ -1513,9 +1513,11 @@ handle_subnets_accessed(CMD_Request *rx_message, CMD_Reply *tx_message)
+ break;
+ case CLG_BADSUBNET:
+ tx_message->status = htons(STT_BADSUBNET);
++ tx_message->data.subnets_accessed.n_subnets = htonl(0);
+ return;
+ case CLG_INACTIVE:
+ tx_message->status = htons(STT_INACTIVE);
++ tx_message->data.subnets_accessed.n_subnets = htonl(0);
+ return;
+ default:
+ assert(0);
+@@ -1569,6 +1571,7 @@ handle_client_accesses(CMD_Request *rx_message, CMD_Reply *tx_message)
+ break;
+ case CLG_INACTIVE:
+ tx_message->status = htons(STT_INACTIVE);
++ tx_message->data.client_accesses.n_clients = htonl(0);
+ return;
+ default:
+ assert(0);
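Review bot: The patched error branches (CLG_BADSUBNET and CLG_INACTIVE in handle_subnets_accessed, CLG_INACTIVE in handle_client_accesses) zero only the count field, so the fix holds only if the transmitted reply length is derived from `n_subnets` / `n_clients`. That length computation is outside these hunks and should be confirmed. A short comment at each assignment would record the intent, e.g. `/* zero the count so the reply length covers no uninitialized entries */`. The `default: assert(0);` branches still leave the count unset, which matters if the daemon is ever built with NDEBUG. Clearing the payload once at the top of each handler, presumably `memset(&tx_message->data, 0, sizeof tx_message->data);`, would cover every early-return path, including ones added later; both function bodies start and end outside the hunks.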
diff --git a/chrony.spec b/chrony.spec
index 885c901..f436073 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -15,6 +15,7 @@ Source5: chrony.logrotate
# wget -O timepps.h 'http://gitweb.enneenne.com/?p=linuxpps;a=blob_plain;f=Documentation/pps/timepps.h;hb=b895b1a28558b83907c691aad231c41a0d14df88'
%{?gitpatch:Patch0: chrony-%{version}-%{gitpatch}.patch.gz}
Patch1: chrony-cve-2012-4502.patch
+Patch2: chrony-cve-2012-4503.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libcap-devel readline-devel ncurses-devel bison texinfo
@@ -35,6 +36,7 @@ clocks, system real-time clock or manual input as time references.
%setup -q -n %{name}-%{version}%{?prerelease}
%{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .cve-2012-4502
+%patch2 -p1 -b .cve-2012-4503
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt}