Debian 10228 Published by

The following Debian updates have been released:

[DLA 193-1] chrony security update
[DLA 194-1] das-watchdog security update
[DLA 195-1] libtasn1-3 security update
[DSA 3221-1] das-watchdog security update
[DSA 3222-1] chrony security update
[DSA 3223-1] ntp security update
[DSA 3224-1] libx11 security update



[DLA 193-1] chrony security update

Package : chrony
Version : 1.24-3+squeeze2
CVE ID : CVE-2015-1821 CVE-2015-1822 CVE-2015-1853
Debian Bug : 782160

CVE-2015-1853:

Protect authenticated symmetric NTP associations against DoS attacks.

An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can send a packet with random timestamps to host
A with the source address of B, which will set the NTP state variables on
A to the values sent by the attacker. Host A will then send, on its next
poll to B, a packet whose originate timestamp doesn't match the transmit
timestamp of B, and that packet will be dropped. If the attacker does this
periodically for both hosts, they won't be able to synchronize to each
other. It is a denial-of-service attack.

According to [1], NTP authentication is supposed to protect symmetric
associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4
(RFC 5905) specifications the state variables are updated before the
authentication check is performed, which means the association is
vulnerable to the attack even when authentication is enabled.

To fix this problem, save the originate and local timestamps only after
the authentication check (test5) has passed.

[1] https://www.eecis.udel.edu/~mills/onwire.html

CVE-2015-1821:

Fix access configuration with subnet size indivisible by 4.

When NTP or cmdmon access was configured (from chrony.conf or via
authenticated cmdmon) with a subnet size that is indivisible by 4 and
an address that has nonzero bits in the 4-bit subnet remainder (e.g.
192.168.15.0/22 or f000::/3), the new setting was written to an
incorrect location, possibly outside the allocated array.

An attacker that has the command key and is allowed to access cmdmon
(only localhost is allowed by default) could exploit this to crash
chronyd or possibly execute arbitrary code with the privileges of the
chronyd process.

CVE-2015-1822:

Fix initialization of reply slots for authenticated commands.

When allocating memory to save unacknowledged replies to authenticated
command requests, the last "next" pointer was not initialized to NULL.
When all allocated reply slots were in use, the next reply could be
written to invalid memory instead of a new slot being allocated for it.

An attacker that has the command key and is allowed to access cmdmon
(only localhost is allowed by default) could exploit this to crash
chronyd or possibly execute arbitrary code with the privileges of the
chronyd process.

[DLA 194-1] das-watchdog security update


Package : das-watchdog
Version : 0.9.0-2+deb6u1
CVE ID : CVE-2015-2831
Debian Bug : 781806

Adam Sampson discovered a buffer overflow in the handling of the
XAUTHORITY environment variable in das-watchdog, a watchdog daemon to
ensure a realtime process won't hang the machine. A local user can
exploit this flaw to escalate his privileges and execute arbitrary
code as root.

[DLA 195-1] libtasn1-3 security update

Package : libtasn1-3
Version : 2.7-1+squeeze+3
CVE ID : CVE-2015-2806

Hanno Boeck discovered a stack-based buffer overflow in the
asn1_der_decoding function in Libtasn1, a library to manage ASN.1
structures. A remote attacker could take advantage of this flaw to cause
an application using the Libtasn1 library to crash, or potentially to
execute arbitrary code.

[DSA 3221-1] das-watchdog security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3221-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
April 12, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : das-watchdog
CVE ID : CVE-2015-2831
Debian Bug : 781806

Adam Sampson discovered a buffer overflow in the handling of the
XAUTHORITY environment variable in das-watchdog, a watchdog daemon to
ensure a realtime process won't hang the machine. A local user can
exploit this flaw to escalate his privileges and execute arbitrary
code as root.

For the stable distribution (wheezy), this problem has been fixed in
version 0.9.0-2+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.0-3.1.

We recommend that you upgrade your das-watchdog packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3222-1] chrony security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3222-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
April 12, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chrony
CVE ID : CVE-2015-1821 CVE-2015-1822 CVE-2015-1853
Debian Bug : 782160

Miroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony,
an alternative NTP client and server:

CVE-2015-1821

Using particular address/subnet pairs when configuring access control
would cause an invalid memory write. This could allow attackers to
cause a denial of service (crash) or execute arbitrary code.
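The DLA-193-1 text above gives the concrete trigger for CVE-2015-1821 (a subnet size that is not a multiple of 4 combined with nonzero bits in the leftover part of the last 4-bit chunk, e.g. 192.168.15.0/22 or f000::/3), and this entry summarises the consequence. The following is an added example, not chrony's code: a constructed Python model of an access-control table walked 4 bits at a time, in which the unmasked index computation runs past a 16-entry node exactly for the prefixes the advisory names, while the masked version stays in bounds. The node layout, function names and the `write_rule` helper are assumptions made for illustration.

```python
import ipaddress
from typing import List, Optional

# Added example (not chrony's code): a constructed model of an access-control
# table indexed 4 bits at a time. Each node holds 16 entries, one per value of
# a 4-bit address chunk; a /N rule lands in the node reached after N // 4 full
# chunks. When N is not a multiple of 4 the rule must cover 2 ** (4 - N % 4)
# consecutive entries of that node, starting at an aligned index.

TABLE_SIZE = 16


def chunk(addr: int, total_bits: int, level: int) -> int:
    """4-bit chunk number `level` of `addr`, most significant chunk first."""
    shift = total_bits - 4 * (level + 1)
    return (addr >> shift) & 0xF


def last_level_entries(prefix: str, mask_remainder: bool) -> List[int]:
    """Indices written in the final node for a prefix like '192.168.15.0/22'.

    mask_remainder=False reproduces the bug class described for CVE-2015-1821:
    the host bits inside the last partial chunk are used as the start index,
    so the written span can run past the 16-entry node. mask_remainder=True
    clears those bits first, which is the hardened behaviour.
    """
    net, _, bits_text = prefix.partition("/")
    ip = ipaddress.ip_address(net)
    addr, total, bits = int(ip), ip.max_prefixlen, int(bits_text)
    full, rem = divmod(bits, 4)
    if rem == 0:                      # whole chunks only: a single entry
        return [chunk(addr, total, full - 1)] if full else list(range(TABLE_SIZE))
    span = 1 << (4 - rem)             # entries covered by the partial chunk
    start = chunk(addr, total, full)
    if mask_remainder:
        start &= ~(span - 1)          # fixed: align the start to the span
    return list(range(start, start + span))


def overflows(prefix: str) -> bool:
    """True if the unmasked (buggy) computation would write outside the node."""
    return any(i >= TABLE_SIZE for i in last_level_entries(prefix, False))


def write_rule(prefix: str, mask_remainder: bool) -> Optional[List[Optional[str]]]:
    """Apply the rule to a concrete 16-entry node. Returns None when the index
    computation runs past the node; a C implementation without this bounds
    check would write outside the allocated array instead."""
    node: List[Optional[str]] = [None] * TABLE_SIZE
    try:
        for i in last_level_entries(prefix, mask_remainder):
            node[i] = prefix
    except IndexError:
        return None
    return node


if __name__ == "__main__":
    for p in ("192.168.15.0/22", "f000::/3", "192.168.1.0/22", "10.0.0.0/8"):
        print(p, "buggy:", last_level_entries(p, False),
              "fixed:", last_level_entries(p, True), "overflow:", overflows(p))
```

Note that 192.168.1.0/22 stays inside the node in the buggy computation but still lands on the wrong entries (1..4 instead of 0..3), so the advisory's "incorrect location" covers silent misconfiguration as well as the out-of-bounds write; only prefixes whose partial chunk has high bits set reach past the node.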

CVE-2015-1822

When allocating memory to save unacknowledged replies to authenticated
command requests, a pointer would be left uninitialized, which could
trigger an invalid memory write. This could allow attackers to cause a
denial of service (crash) or execute arbitrary code.

CVE-2015-1853

When peering with other NTP hosts using authenticated symmetric
association, the internal state variables would be updated before the
MAC of the NTP messages was validated. This could allow a remote
attacker to cause a denial of service by impeding synchronization
between NTP peers.

For the stable distribution (wheezy), these problems have been fixed in
version 1.24-3.1+deb7u3.

For the unstable distribution (sid), these problems have been fixed in
version 1.30-2.

We recommend that you upgrade your chrony packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3223-1] ntp security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3223-1 security@debian.org
http://www.debian.org/security/ Alessandro Ghedini
April 12, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ntp
CVE ID : CVE-2015-1798 CVE-2015-1799
Debian Bug : 782095

Multiple vulnerabilities were discovered in ntp, an implementation of the
Network Time Protocol:

CVE-2015-1798

When configured to use a symmetric key with an NTP peer, ntpd would
accept packets without MAC as if they had a valid MAC. This could
allow a remote attacker to bypass the packet authentication and send
malicious packets without having to know the symmetric key.

CVE-2015-1799

When peering with other NTP hosts using authenticated symmetric
association, ntpd would update its internal state variables before
the MAC of the NTP messages was validated. This could allow a remote
attacker to cause a denial of service by impeding synchronization
between NTP peers.

Additionally, it was discovered that generating MD5 keys using ntp-keygen
on big endian machines would either enter an endless loop or generate
non-random keys.

For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u4.

For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7.

We recommend that you upgrade your ntp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3224-1] libx11 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3224-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 12, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libx11
CVE ID : CVE-2013-7439

Abhishek Arya discovered a buffer overflow in the MakeBigReq macro
provided by libx11, which could result in denial of service or the
execution of arbitrary code.

Several other xorg packages (e.g. libxrender) will be recompiled against
the fixed package after the release of this update. For detailed
information on the status of recompiled packages please refer to the
Debian Security Tracker at
https://security-tracker.debian.org/tracker/CVE-2013-7439

For the stable distribution (wheezy), this problem has been fixed in
version 2:1.5.0-1+deb7u2.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 2:1.6.0-1.

For the unstable distribution (sid), this problem has been fixed in
version 2:1.6.0-1.
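Each advisory on this page states the version in which the problem is fixed for a given suite (wheezy, jessie or sid), and whether a host is covered depends on how dpkg orders versions, which is not plain string or numeric comparison: epochs take precedence, "~" sorts before everything including the end of the string, and digit runs compare numerically. The following is an added example, not Debian's or dpkg's code: a Python re-implementation of the dpkg version ordering from Debian Policy section 5.6.12, applied to the wheezy "fixed in version" values quoted in the four DSAs above. The installed versions in the `__main__` block are constructed for illustration; on a real host they would come from `dpkg-query -W -f='${Version}' <package>`.

```python
from typing import Dict, List, Tuple

# Added example, not dpkg's code: dpkg version ordering (Debian Policy 5.6.12)
# so an advisory's "fixed in version" line can be checked against a host.


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run, as dpkg defines it:
    '~' sorts before everything, letters before non-letters, and the end of
    the string (weight 0, supplied by the caller) before any other character."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream part or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: character by character with dpkg's weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1              # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """(epoch, upstream_version, debian_revision); a missing revision is '0'."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare(a: str, b: str) -> int:
    """dpkg --compare-versions semantics: < 0 if a < b, 0 if equal, > 0 if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    return compare(installed, fixed) >= 0


# wheezy "fixed in version" values from DSA-3221-1 to DSA-3224-1 above
WHEEZY_FIXED: Dict[str, str] = {
    "das-watchdog": "0.9.0-2+deb7u1",
    "chrony": "1.24-3.1+deb7u3",
    "ntp": "1:4.2.6.p5+dfsg-2+deb7u4",
    "libx11": "2:1.5.0-1+deb7u2",
}


def unfixed(installed: Dict[str, str], fixed: Dict[str, str] = WHEEZY_FIXED) -> List[str]:
    """Packages present on the host whose version is below the fixed version."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and not is_fixed(v, fixed[p]))


if __name__ == "__main__":
    # constructed snapshot of what a wheezy host might report
    host = {"chrony": "1.24-3.1+deb7u2", "ntp": "1:4.2.6.p5+dfsg-2+deb7u4",
            "libx11": "2:1.5.0-1+deb7u1"}
    print(unfixed(host))    # chrony and libx11 still need the update
```

Two caveats when using this against real hosts. Compare only against the fixed version for the suite the host runs: the squeeze LTS fix 0.9.0-2+deb6u1 orders below the wheezy fix 0.9.0-2+deb7u1, yet it is the correct fixed version for squeeze. And the advisories name source packages, whereas dpkg reports binary packages (libx11's library is installed as libx11-6, for instance), so map names before looking up versions.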

We recommend that you upgrade your libx11 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/