[chrony/el5] don't send uninitialized data in command replies (CVE-2012-4503)

Miroslav Lichvar mlichvar at fedoraproject.org
Fri Aug 9 11:55:53 UTC 2013


commit 1b7e24c665f8763e355c077cfbccefdd2137d22b
Author: Miroslav Lichvar <mlichvar at redhat.com>
Date:   Fri Aug 9 13:09:22 2013 +0200

    don't send uninitialized data in command replies (CVE-2012-4503)

 chrony-cve-2012-4503.patch |   35 +++++++++++++++++++++++++++++++++++
 chrony.spec                |    2 ++
 2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/chrony-cve-2012-4503.patch b/chrony-cve-2012-4503.patch
new file mode 100644
index 0000000..7c3ff01
--- /dev/null
+++ b/chrony-cve-2012-4503.patch
@@ -0,0 +1,35 @@
+commit c6fdeeb6bb0b17dc28c19ae492c4a1c498e54ea3
+Author: Miroslav Lichvar <mlichvar at redhat.com>
+Date:   Wed Jul 31 15:02:09 2013 +0200
+
+    Don't send uninitialized data in command replies
+    
+    The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can
+    contain uninitalized data from stack when the client logging is disabled
+    or a bad subnet is requested. These commands were never used by chronyc
+    and they require the client to be authenticated since version 1.25.
+
+diff --git a/cmdmon.c b/cmdmon.c
+index e4f7349..6d6e32b 100644
+--- a/cmdmon.c
++++ b/cmdmon.c
+@@ -1513,9 +1513,11 @@ handle_subnets_accessed(CMD_Request *rx_message, CMD_Reply *tx_message)
+         break;
+       case CLG_BADSUBNET:
+         tx_message->status = htons(STT_BADSUBNET);
++        tx_message->data.subnets_accessed.n_subnets = htonl(0);
+         return;
+       case CLG_INACTIVE:
+         tx_message->status = htons(STT_INACTIVE);
++        tx_message->data.subnets_accessed.n_subnets = htonl(0);
+         return;
+       default:
+         assert(0);
+@@ -1569,6 +1571,7 @@ handle_client_accesses(CMD_Request *rx_message, CMD_Reply *tx_message)
+         break;
+       case CLG_INACTIVE:
+         tx_message->status = htons(STT_INACTIVE);
++        tx_message->data.client_accesses.n_clients = htonl(0);
+         return;
+       default:
+         assert(0);
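Review bot: Setting n_subnets / n_clients to htonl(0) on the CLG_BADSUBNET and CLG_INACTIVE early returns only keeps stack contents off the wire if the transmitted reply length is derived from that count field; if the reply is ever sent as a fixed-size CMD_Reply, the subnets/clients arrays behind the count are still uninitialized and would still leak, and since handle_subnets_accessed and handle_client_accesses both start and end outside these hunks that assumption cannot be confirmed here. A comment at each of the three sites would record it, e.g. `/* Empty reply: the sent length is computed from n_subnets, so nothing past it is transmitted */`. A more robust fix is to zero the whole reply once before the handler runs, `memset(tx_message, 0, sizeof *tx_message);`, so every status path (including any early return in these handlers that is not visible in the hunks) is covered without per-case initialization. The same point applies to the second embedded hunk in handle_client_accesses.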
diff --git a/chrony.spec b/chrony.spec
index 885c901..f436073 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -15,6 +15,7 @@ Source5:        chrony.logrotate
 # wget -O timepps.h 'http://gitweb.enneenne.com/?p=linuxpps;a=blob_plain;f=Documentation/pps/timepps.h;hb=b895b1a28558b83907c691aad231c41a0d14df88'
 %{?gitpatch:Patch0: chrony-%{version}-%{gitpatch}.patch.gz}
 Patch1:         chrony-cve-2012-4502.patch
+Patch2:         chrony-cve-2012-4503.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  libcap-devel readline-devel ncurses-devel bison texinfo
@@ -35,6 +36,7 @@ clocks, system real-time clock or manual input as time references.
 %setup -q -n %{name}-%{version}%{?prerelease}
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .cve-2012-4502
+%patch2 -p1 -b .cve-2012-4503
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 

