Debian 10225 Published by

The following updates has been released for Debian GUN/Linux:

[DLA 192-1] ntp security update
[DSA 3218-1] wesnoth-1.10 security update
[DSA 3219-1] libdbd-firebird-perl security update
[DSA 3220-1] libtasn1-3 security update



[DLA 192-1] ntp security update

Package : ntp
Version : 1:4.2.6.p2+dfsg-1+deb6u3
CVE ID : CVE-2015-1798 CVE-2015-1799
Debian Bug : #782095

Brief introduction

CVE-2015-1798

When ntpd is configured to use a symmetric key to authenticate a remote NTP
server/peer, it checks if the NTP message authentication code (MAC) in received
packets is valid, but not if there actually is any MAC included. Packets without
a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to
send false packets that are accepted by the client/peer without having to know
the symmetric key. The attacker needs to know the transmit timestamp of the
client to match it in the forged reply and the false reply needs to reach the
client before the genuine reply from the server. The attacker doesn't
necessarily need to be relaying the packets between the client and the server.

Authentication using autokey doesn't have this problem as there is a check that
requires the key ID to be larger than NTP_MAXKEY, which fails for packets
without a MAC.

CVE-2015-1799

An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can send a packet to host A with source address of B
which will set the NTP state variables on A to the values sent by the attacker.
Host A will then send on its next poll to B a packet with originate timestamp
that doesn't match the transmit timestamp of B and the packet will be dropped.
If the attacker does this periodically for both hosts, they won't be able to
synchronize to each other. This is a known denial-of-service attack, described
at https://www.eecis.udel.edu/~mills/onwire.html .

According to the document the NTP authentication is supposed to protect
symmetric associations against this attack, but that doesn't seem to be the
case. The state variables are updated even when authentication fails and the
peers are sending packets with originate timestamps that don't match the
transmit timestamps on the receiving side.

ntp-keygen on big endian hosts

Using ntp-keygen to generate an MD5 key on big endian hosts resulted in
either an infite loop or an key of only 93 possible keys.


[DSA 3218-1] wesnoth-1.10 security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3218-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 10, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wesnoth-1.10
CVE ID : CVE-2015-0844

Ignacio R. Morelle discovered that missing path restrictions in the
"Battle of Wesnoth" game could result in the disclosure of arbitrary
files in the user's home directory if malicious campaigns/maps are
loaded.

For the stable distribution (wheezy), this problem has been fixed in
version 1.10.3-3+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 1:1.10.7-2 and in version 1:1.12.1-1 of the wesnoth-1.12
source package.

We recommend that you upgrade your wesnoth-1.10 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3219-1] libdbd-firebird-perl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3219-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
April 11, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libdbd-firebird-perl
CVE ID : CVE-2015-2788
Debian Bug : 780925

Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird,
a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due
to the use of the sprintf() function to write to a fixed-size memory buffer.

For the stable distribution (wheezy), this problem has been fixed in
version 0.91-2+deb7u1.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 1.18-2.

For the unstable distribution (sid), this problem has been fixed in
version 1.18-2.

We recommend that you upgrade your libdbd-firebird-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3220-1] libtasn1-3 security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3220-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
April 11, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libtasn1-3
CVE ID : CVE-2015-2806

Hanno Boeck discovered a stack-based buffer overflow in the
asn1_der_decoding function in Libtasn1, a library to manage ASN.1
structures. A remote attacker could take advantage of this flaw to cause
an application using the Libtasn1 library to crash, or potentially to
execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 2.13-2+deb7u2.

We recommend that you upgrade your libtasn1-3 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/