From mboxrd@z Thu Jan 1 00:00:00 1970 From: Yann E. MORIN Date: Sun, 23 Aug 2020 15:31:42 +0200 Subject: [Buildroot] [PATCH] package/chrony: security bump to version 3.5.1 In-Reply-To: <20200821205105.733-1-peter@korsgaard.com> References: <20200821205105.733-1-peter@korsgaard.com> Message-ID: <20200823133142.GG8728@scaer> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net Peter, All, On 2020-08-21 22:51 +0200, Peter Korsgaard spake thusly: > Fixes the following security issues: > > CVE-2020-14367: Insecure writing of pidfile > ------------------------------------------- > > When chronyd is configured to save the pidfile in a directory where the > chrony user has write permissions (e.g. /var/run/chrony - the default > since chrony-3.4), an attacker that compromised the chrony user account > could create a symbolic link at the location of the pidfile to make > chronyd starting with root privileges follow the symlink and write its > process ID to a file for which the chrony user doesn't have write > permissions, causing a denial of service, or data loss. > > This issue was reported by Matthias Gerstner of SUSE. > > For further details, see the oss-security posting: > https://www.openwall.com/lists/oss-security/2020/08/21/1 > > Signed-off-by: Peter Korsgaard Security fix => applied to master, thanks. Regards, Yann E. MORIN. > --- > package/chrony/chrony.hash | 7 +++---- > package/chrony/chrony.mk | 2 +- > 2 files changed, 4 insertions(+), 5 deletions(-) > > diff --git a/package/chrony/chrony.hash b/package/chrony/chrony.hash > index c31c6893aa..57ce91ac80 100644 > --- a/package/chrony/chrony.hash > +++ b/package/chrony/chrony.hash > @@ -1,5 +1,4 @@ > -# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2019/05/msg00001.html > -md5 5f66338bc940a9b51eede8f391e7bed3 chrony-3.5.tar.gz > -sha1 79e9aeace143550300387a99f17bff04b45673f7 chrony-3.5.tar.gz > +# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html > +sha256 1ba82f70db85d414cd7420c39858e3ceca4b9eb8b028cbe869512c3a14a2dca7 chrony-3.5.1.tar.gz > # Locally calculated > -sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING > +sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING > diff --git a/package/chrony/chrony.mk b/package/chrony/chrony.mk > index d7f5c05183..f8938a80f5 100644 > --- a/package/chrony/chrony.mk > +++ b/package/chrony/chrony.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -CHRONY_VERSION = 3.5 > +CHRONY_VERSION = 3.5.1 > CHRONY_SITE = http://download.tuxfamily.org/chrony > CHRONY_LICENSE = GPL-2.0 > CHRONY_LICENSE_FILES = COPYING > -- > 2.20.1 > > _______________________________________________ > buildroot mailing list > buildroot at busybox.net > http://lists.busybox.net/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------'