GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Sun Aug 30, 2020 11:26 pm Post subject: [ GLSA 202008-23 ] chrony
Gentoo Linux Security Advisory
Title: chrony: Symlink vulnerability (GLSA 202008-23)
Severity: normal
Exploitable: local
Date: 2020-08-30
Bug(s): #738154
ID: 202008-23
Synopsis
A vulnerability in chrony may allow a privileged attacker to cause
data loss via a symlink.
Background
chrony is a versatile implementation of the Network Time Protocol (NTP).
Affected Packages
Package: net-misc/chrony
Vulnerable: < 3.5.1
Unaffected: >= 3.5.1
Architectures: All supported architectures
Description
It was found that chrony did not check whether its PID file was a
symlink.
Impact
A local attacker could perform symlink attack(s) to overwrite arbitrary
files with root privileges.
Workaround
There is no known workaround at this time.
Resolution
All chrony users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/chrony-3.5.1"
References
CVE-2020-14367
chrony-3.5.1 release announcement
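
The class of flaw named under Description, as an added example that is not part of the advisory and is not chrony's code: a PID-file writer that follows a symlink, beside a hardened one that always creates a fresh file. The function names and the command-line usage in main() are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: fopen() follows a symlink at `path` and truncates
 * whatever it points to, using the privileges of the caller. */
int write_pidfile_unsafe(const char *path, long pid)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fprintf(f, "%ld\n", pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: unlink() removes a stale entry (the link itself, never
 * its target); O_CREAT|O_EXCL then fails if anything, a symlink included,
 * reappears at `path` in between. O_NOFOLLOW is kept as a second guard. */
int write_pidfile_safe(const char *path, long pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", pid);
    if (unlink(path) < 0 && errno != ENOENT)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, buf, (size_t)len) != len) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Demo: write our own PID to the path given as the only argument. */
    if (argc != 2 || write_pidfile_safe(argv[1], (long)getpid()) < 0) {
        fprintf(stderr, "usage: %s PIDFILE (or write failed)\n", argv[0]);
        return 1;
    }
    return 0;
}
```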