Hi Kurt,

On 18/05/16 at 23:20, Kurt Roeckx wrote:
> On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
> > On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> > > There are 22 open, some of which are marked as non-important. Of
> > > the new ones some should probably also be marked as such.
> >
> > I did so with CVE-2015-8158 as it affects only ntpq under very specific
> > conditions and the impact is minor (it hangs).
>
> There are also some things that you need to be authenticated for,
> which is at least a non-default config. I consider all of those to
> be non-important.
>
> > > I've spent several hours during the weekend going over commits in
> > > bitkeeper. But as usual, it's all a big mess. I have 10 issues
> > > fixed in svn. I also have 7 files with the patches in as they
> > > apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> > > version yet, so I have no idea what the state of those patches
> > > is. Then there also seem to be at least 2 other bug fixes that
> > > appear to be security issues but that didn't get a CVE.
> ...
> I suggest that you at least let me finish the patches I started
> on.

I have picked your patches (I hope all of them) from the svn to build a
test package, and have also taken a look at the remaining issues.

I have only been able to "backport" the fix for CVE-2016-1551, the
refclock impersonation.

For https://security-tracker.debian.org/tracker/CVE-2016-1547, I am not
sure that it affects 4.2.6.

I haven't found the fix for the Sybil attack
https://security-tracker.debian.org/tracker/CVE-2016-1549

The fix for https://security-tracker.debian.org/tracker/CVE-2016-2517
requires a 4.2.8 ntp_keyacc.h, and I think it could be marked as
non-important too.

And the fix for https://security-tracker.debian.org/tracker/CVE-2016-2519
requires more study.

A debdiff is attached. These are the changes from the changelog entry:

  [Kurt Roeckx]
  * Fix CVE-2015-7974: ntp_proto: Verify peer key ID.
  * Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer
    dereference, stack overflow and overfull reply buffers by flaws in
    restrict list processing.
  * Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on
    authenticated broadcast mode.
  * Fix CVE-2015-8138: ntp: missing check for zero originate timestamp.
  * Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric
    interleaved mode with spoofed packets.
  * Fix CVE-2016-1550: Timing attack for authenticated packets.
  * Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on
    unconfig directives.
  * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by
    crafted addpeer.

  [Santiago Ruano Rincón]
  * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation.
    debian/rules: configure with --enable-bug3020-fix.

And the package is available at:
https://people.debian.org/~santiago/debian/santiago-wheezy/ntp_4.2.6.p5+dfsg-2+deb7u7~3.dsc

and at the repo:

deb https://people.debian.org/~santiago/debian santiago-wheezy/
deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Please tell me if I could do anything else to help you handle this
package. AFAIK, you want to upload it :)

I hope this is useful,

Santiago
diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog --- ntp-4.2.6.p5+dfsg/debian/changelog 2015-10-28 21:05:59.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/changelog 2016-06-01 00:43:58.000000000 +0200 @@ -1,3 +1,29 @@ +ntp (1:4.2.6.p5+dfsg-2+deb7u7~3) santiago-wheezy; urgency=medium + + * Team upload + + [Kurt Roeckx] + * Fix CVE-2015-7974: ntp_proto: Verify peer key ID. + * Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer + dereference, stack overflow and overfull reply buffers by flawns in + restrict list processing. + * Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on + authenticated broadcast mode. + * Fix CVE-2015-8138: ntp: missing check for zero originate timestamp. + * Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric + interleaved mode with spoofed packets. + * Fix CVE-2016-1550: Timing attack for authenticated packets. + * Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on + unconfig directives. + * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted + addpeer. + + [Santiago Ruano Rincón] + * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation. + debian/rules: configure with --enable-bug3020-fix. + + -- Santiago Ruano Rincón <santiagorr@riseup.net> Tue, 31 May 2016 19:38:12 +0200 + ntp (1:4.2.6.p5+dfsg-2+deb7u6) wheezy-security; urgency=medium * Fix errors in previous changelog entry diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch --- ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch 2015-10-23 20:11:01.000000000 +0200 +++ ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch 2016-05-29 13:22:30.000000000 +0200 
@@ -1,6 +1,8 @@ ---- 1.181/ntpd/ntp_crypto.c 2015-07-19 01:36:46 -04:00 -+++ 1.181.1.1/ntpd/ntp_crypto.c 2015-09-28 12:22:06 -04:00 -@@ -508,6 +508,7 @@ crypto_recv( +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c +@@ -483,6 +483,7 @@ crypto_recv( rval = XEVNT_ERR; break; } @@ -8,4 +10,3 @@ } fp = emalloc(len); memcpy(fp, ep, len); - diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch --- ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch 2015-10-23 20:11:01.000000000 +0200 +++ ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch 2016-05-29 13:22:25.000000000 +0200 @@ -1,7 +1,8 @@ -diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c ---- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest 2015-09-24 18:20:19.121981664 +0200 -+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-09-24 18:20:54.596594166 +0200 -@@ -1165,7 +1165,7 @@ receive( +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +@@ -1171,7 +1171,7 @@ receive( peer->ppoll = max(peer->minpoll, pkt->ppoll); if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC && hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid, diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch 2016-05-29 11:09:32.000000000 +0200 
@@ -0,0 +1,20 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 ntp-4.2.6p5/ntpd/ntp_proto.c +--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 2016-01-21 14:06:18.958346184 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-01-21 14:16:34.894828262 +0100 +@@ -674,10 +674,13 @@ receive( + * succeed in bloating the key cache. If an autokey, + * purge it immediately, since we won't be needing it + * again. If the packet is authentic, it can mobilize an +- * association. Note that there is no key zero. ++ * association. If it's a persistent association using a ++ * symmetric key, the key ID has to match the configured ++ * value. Note that there is no key zero. + */ +- if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen, +- has_mac)) ++ if ((peer && !(peer->flags & FLAG_PREEMPT) && ++ peer->keyid <= NTP_MAXKEY && skeyid != peer->keyid) || ++ !authdecrypt(skeyid, (u_int32 *)pkt, authlen, has_mac)) + is_authentic = AUTH_ERROR; + else + is_authentic = AUTH_OK; diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch 2016-05-29 11:12:58.000000000 +0200 
@@ -0,0 +1,183 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 ntp-4.2.6p5/ntpd/ntp_request.c +--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 2011-12-01 03:55:17.000000000 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-01-20 11:14:20.855586406 +0100 +@@ -1730,56 +1730,143 @@ setclr_flags( + loop_config(LOOP_DRIFTCOMP, drift_comp); + } + ++/* There have been some issues with the restrict list processing, ++ * ranging from problems with deep recursion (resulting in stack ++ * overflows) and overfull reply buffers. ++ * ++ * To avoid this trouble the list reversal is done iteratively using a ++ * scratch pad. ++ */ ++typedef struct RestrictStack RestrictStackT; ++struct RestrictStack { ++ RestrictStackT *link; ++ size_t fcnt; ++ const restrict_u *pres[63]; ++}; ++ ++static size_t ++getStackSheetSize( ++ RestrictStackT *sp ++ ) ++{ ++ if (sp) ++ return sizeof(sp->pres)/sizeof(sp->pres[0]); ++ return 0u; ++} ++ ++static int/*BOOL*/ ++pushRestriction( ++ RestrictStackT **spp, ++ const restrict_u *ptr ++ ) ++{ ++ RestrictStackT *sp; ++ ++ if (NULL == (sp = *spp) || 0 == sp->fcnt) { ++ /* need another sheet in the scratch pad */ ++ sp = emalloc(sizeof(*sp)); ++ sp->link = *spp; ++ sp->fcnt = getStackSheetSize(sp); ++ *spp = sp; ++ } ++ sp->pres[--sp->fcnt] = ptr; ++ return TRUE; ++} ++ ++static int/*BOOL*/ ++popRestriction( ++ RestrictStackT **spp, ++ const restrict_u **opp ++ ) ++{ ++ RestrictStackT *sp; ++ ++ if (NULL == (sp = *spp) || sp->fcnt >= getStackSheetSize(sp)) ++ return FALSE; ++ ++ *opp = sp->pres[sp->fcnt++]; ++ if (sp->fcnt >= getStackSheetSize(sp)) { ++ /* discard sheet from scratch pad */ ++ *spp = sp->link; ++ free(sp); ++ } ++ return TRUE; ++} ++ ++static void ++flushRestrictionStack( ++ RestrictStackT **spp ++ ) ++{ ++ RestrictStackT *sp; ++ ++ while (NULL != (sp = *spp)) { ++ *spp = sp->link; ++ free(sp); ++ } ++} ++ + /* +- * list_restrict4 - recursive helper for list_restrict dumps IPv4 ++ * list_restrict4 - iterative helper for 
list_restrict dumps IPv4 + * restriction list in reverse order. + */ + static void + list_restrict4( +- restrict_u * res, ++ const restrict_u * res, + struct info_restrict ** ppir + ) + { ++ RestrictStackT * rpad; + struct info_restrict * pir; + +- if (res->link != NULL) +- list_restrict4(res->link, ppir); +- + pir = *ppir; +- pir->addr = htonl(res->u.v4.addr); +- if (client_v6_capable) +- pir->v6_flag = 0; +- pir->mask = htonl(res->u.v4.mask); +- pir->count = htonl(res->count); +- pir->flags = htons(res->flags); +- pir->mflags = htons(res->mflags); +- *ppir = (struct info_restrict *)more_pkt(); ++ for (rpad = NULL; res; res = res->link) ++ if (!pushRestriction(&rpad, res)) ++ break; ++ ++ while (pir && popRestriction(&rpad, &res)) { ++ pir->addr = htonl(res->u.v4.addr); ++ if (client_v6_capable) ++ pir->v6_flag = 0; ++ pir->mask = htonl(res->u.v4.mask); ++ pir->count = htonl(res->count); ++ pir->flags = htons(res->flags); ++ pir->mflags = htons(res->mflags); ++ pir = (struct info_restrict *)more_pkt(); ++ } ++ flushRestrictionStack(&rpad); ++ *ppir = pir; + } + +- + /* +- * list_restrict6 - recursive helper for list_restrict dumps IPv6 ++ * list_restrict6 - iterative helper for list_restrict dumps IPv6 + * restriction list in reverse order. 
+ */ + static void + list_restrict6( +- restrict_u * res, ++ const restrict_u * res, + struct info_restrict ** ppir + ) + { ++ RestrictStackT * rpad; + struct info_restrict * pir; + +- if (res->link != NULL) +- list_restrict6(res->link, ppir); +- + pir = *ppir; +- pir->addr6 = res->u.v6.addr; +- pir->mask6 = res->u.v6.mask; +- pir->v6_flag = 1; +- pir->count = htonl(res->count); +- pir->flags = htons(res->flags); +- pir->mflags = htons(res->mflags); +- *ppir = (struct info_restrict *)more_pkt(); ++ for (rpad = NULL; res; res = res->link) ++ if (!pushRestriction(&rpad, res)) ++ break; ++ ++ while (pir && popRestriction(&rpad, &res)) { ++ pir->addr6 = res->u.v6.addr; ++ pir->mask6 = res->u.v6.mask; ++ pir->v6_flag = 1; ++ pir->count = htonl(res->count); ++ pir->flags = htons(res->flags); ++ pir->mflags = htons(res->mflags); ++ pir = (struct info_restrict *)more_pkt(); ++ } ++ flushRestrictionStack(&rpad); ++ *ppir = pir; + } + + +@@ -1803,8 +1890,7 @@ list_restrict( + /* + * The restriction lists are kept sorted in the reverse order + * than they were originally. To preserve the output semantics, +- * dump each list in reverse order. A recursive helper function +- * achieves that. ++ * dump each list in reverse order. The workers take care of that. + */ + list_restrict4(restrictlist4, &ir); + if (client_v6_capable) diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch 2016-05-29 11:18:32.000000000 +0200 
@@ -0,0 +1,24 @@ +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +@@ -1113,7 +1113,8 @@ receive( + report_event(PEVNT_AUTH, peer, "crypto_NAK"); + peer->flash |= TEST5; /* bad auth */ + peer->badauth++; +- if (peer->flags & FLAG_PREEMPT) { ++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST && ++ !(peer->flash & (TEST2 | TEST3))) { + unpeer(peer); + return; + } +@@ -1139,7 +1140,8 @@ receive( + if (has_mac && + (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)) + fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask); +- if (peer->flags & FLAG_PREEMPT) { ++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST && ++ !(peer->flash & (TEST2 | TEST3))) { + unpeer(peer); + return; + } diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch 2016-05-27 14:44:09.000000000 +0200 
@@ -0,0 +1,13 @@ +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +@@ -1061,7 +1061,7 @@ receive( + * the packet is not bogus in symmetric interleaved mode. + */ + } else if (peer->flip == 0) { +- if (!L_ISEQU(&p_org, &peer->aorg)) { ++ if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) { + peer->bogusorg++; + peer->flash |= TEST2; /* bogus */ + if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org, diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch 2016-05-27 14:47:19.000000000 +0200 
@@ -0,0 +1,65 @@ +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c +@@ -306,6 +306,7 @@ receive( + int authlen; /* offset of MAC field */ + int is_authentic = 0; /* cryptosum ok */ + int retcode = AM_NOMATCH; /* match code */ ++ int xleave_mismatch = 0; /* mismatch in xleave mode */ + keyid_t skeyid = 0; /* key IDs */ + u_int32 opcode = 0; /* extension field opcode */ + sockaddr_u *dstadr_sin; /* active runway */ +@@ -1056,9 +1057,8 @@ receive( + } + + /* +- * Check for bogus packet in basic mode. If found, switch to +- * interleaved mode and resynchronize, but only after confirming +- * the packet is not bogus in symmetric interleaved mode. ++ * Check for bogus packet in basic mode. If found, check if it's not ++ * a valid packet in symmetric interleaved mode. + */ + } else if (peer->flip == 0) { + if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) { +@@ -1066,8 +1066,7 @@ receive( + peer->flash |= TEST2; /* bogus */ + if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org, + &peer->dst)) { +- peer->flip = 1; +- report_event(PEVNT_XLEAVE, peer, NULL); ++ xleave_mismatch = 1; + } + } else { + L_CLR(&peer->aorg); +@@ -1093,6 +1092,16 @@ receive( + } + + /* ++ * If the packet is bogus in basic mode but not in symmetric ++ * interleaved mode and it passed the authentication check, ++ * enable the mode and resynchronize. ++ */ ++ if (xleave_mismatch && hismode == MODE_ACTIVE) { ++ peer->flip = 1; ++ report_event(PEVNT_XLEAVE, peer, NULL); ++ } ++ ++ /* + * Update the state variables. 
+ */ + if (peer->flip == 0) { +@@ -1673,6 +1682,13 @@ clock_update( + sys_rootdisp = dtemp + peer->rootdisp; + sys_rootdelay = peer->delay + peer->rootdelay; + sys_reftime = peer->dst; ++ ++ /* Randomize the fraction part of the reference time to not reveal ++ peer->dst to NTP clients as it could be used in a DoS attack ++ enabling the symmetric interleaved mode with spoofed packets */ ++ ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof (sys_reftime.l_uf)); ++ if (L_ISHIS(&sys_reftime, &peer->dst)) ++ sys_reftime.l_ui--; + + #ifdef DEBUG + if (debug) diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch 2016-05-27 14:48:59.000000000 +0200 
@@ -0,0 +1,26 @@ +Index: ntp-4.2.6.p5+dfsg/libntp/a_md5encrypt.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/libntp/a_md5encrypt.c ++++ ntp-4.2.6.p5+dfsg/libntp/a_md5encrypt.c +@@ -80,7 +80,7 @@ MD5authdecrypt( + "MAC decrypt: MAC length error"); + return (0); + } +- return (!memcmp(digest, (char *)pkt + length + 4, len)); ++ return (!CRYPTO_memcmp(digest, (char *)pkt + length + 4, len)); + } + + /* +Index: ntp-4.2.6.p5+dfsg/sntp/crypto.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/sntp/crypto.c ++++ ntp-4.2.6.p5+dfsg/sntp/crypto.c +@@ -58,7 +58,7 @@ auth_md5( + if (!hash_len) + authentic = FALSE; + else +- authentic = !memcmp(digest, pkt_data + pkt_size + 4, ++ authentic = !CRYPTO_memcmp(digest, pkt_data + pkt_size + 4, + hash_len); + return authentic; + } diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch 2016-06-01 00:14:42.000000000 +0200 
@@ -0,0 +1,55 @@ +Origin: http://bk1.ntp.org/ntp-stable/?PAGE=cset&REV=56d4cdadyjbEtsWIuGaFIpsC0XrP2A +Description: CVE-2016-1551 [Sec 3020] Refclock impersonation. + +Index: ntp-4.2.6.p5+dfsg/configure.ac +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/configure.ac ++++ ntp-4.2.6.p5+dfsg/configure.ac +@@ -5092,6 +5092,24 @@ case "$ans" in + esac + + ++AC_MSG_CHECKING([if we want the explicit 127.0.0.0/8 martian filter]) ++AC_ARG_ENABLE( ++ [bug3020-fix], ++ [AS_HELP_STRING( ++ [--enable-bug3020-fix], ++ [+ Provide the explicit 127.0.0.0/8 martian filter] ++ )], ++ [ans=$enableval], ++ [ans=yes] ++) ++AC_MSG_RESULT([$ans]) ++case "$ans" in ++ yes) ++ AC_DEFINE([ENABLE_BUG3020_FIX], [1], ++ [Provide the explicit 127.0.0.0/8 martian filter?]) ++esac ++ ++ + AC_MSG_CHECKING([if we should use the IRIG sawtooth filter]) + + case "$host" in +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c +@@ -3469,6 +3469,18 @@ read_network_packet( + DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n", + fd, buflen, stoa(&rb->recv_srcadr))); + ++#ifdef ENABLE_BUG3020_FIX ++ if (ISREFCLOCKADR(&rb->recv_srcadr)) { ++ msyslog(LOG_ERR, "recvfrom(%s) fd=%d: refclock srcadr on a network interface!", ++ stoa(&rb->recv_srcadr), fd); ++ DPRINTF(1, ("read_network_packet: fd=%d dropped (refclock srcadr))\n", ++ fd)); ++ packets_dropped++; ++ freerecvbuf(rb); ++ return (buflen); ++ } ++#endif ++ + /* + ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1 + */ diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch 2016-05-27 
14:54:47.000000000 +0200 @@ -0,0 +1,22 @@ +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_request.c +=================================================================== +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_request.c ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_request.c +@@ -1626,11 +1626,13 @@ do_unconf( + if (peer->flags & FLAG_CONFIG) + found = 1; + } +- NTP_INSIST(found); +- NTP_INSIST(peer); + +- peer_clear(peer, "GONE"); +- unpeer(peer); ++ if (found) { ++ NTP_INSIST(peer); ++ ++ peer_clear(peer, "GONE"); ++ unpeer(peer); ++ } + + cp = (struct conf_unpeer *) + ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize)); diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch --- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch 1970-01-01 01:00:00.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch 2016-05-27 19:07:29.000000000 +0200 @@ -0,0 +1,19 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 ntp-4.2.6p5/ntpd/ntp_request.c +--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 2016-04-29 13:41:22.690006470 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-04-29 13:56:12.039936978 +0200 +@@ -1342,7 +1342,6 @@ do_conf( + memset(&temp_cp, 0, sizeof(struct conf_peer)); + memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize)); + +-#if 0 /* paranoid checking - these are done in newpeer() */ + fl = 0; + while (items-- > 0 && !fl) { + if (((temp_cp.version) > NTP_VERSION) +@@ -1363,7 +1362,6 @@ do_conf( + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } +-#endif /* end paranoid checking */ + + /* + * Looks okay, try it out diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/series ntp-4.2.6.p5+dfsg/debian/patches/series --- ntp-4.2.6.p5+dfsg/debian/patches/series 2015-10-28 20:54:51.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/patches/series 2016-06-01 00:31:59.000000000 +0200 
@@ -18,6 +18,9 @@ CVE-2015-1798.patch CVE-2015-1799.patch CVE-2015-3405.patch +ntp-4.2.6p5-cve-2015-7974.patch +ntp-4.2.6p5-cve-2015-7977_7978.patch +ntp-4.2.6p5-cve-2015-7979.patch CVE-2015-7850.patch CVE-2015-7704.patch CVE-2015-7701.patch @@ -32,3 +35,9 @@ ntp-4.2.6p5-cve-2015-5219.patch ntp-4.2.6p5-cve-2015-5300.patch ntp-4.2.6p5-cve-2015-7691_7962_7702.patch +ntp-4.2.6p5-cve-2015-8138.patch +ntp-4.2.6p5-cve-2016-1548.patch +ntp-4.2.6p5-cve-2016-1550.patch +ntp-4.2.6p5-cve-2016-1551.patch +ntp-4.2.6p5-cve-2016-2516.patch +ntp-4.2.6p5-cve-2016-2518.patch diff -Nru ntp-4.2.6.p5+dfsg/debian/rules ntp-4.2.6.p5+dfsg/debian/rules --- ntp-4.2.6.p5+dfsg/debian/rules 2015-02-04 21:03:41.000000000 +0100 +++ ntp-4.2.6.p5+dfsg/debian/rules 2016-05-31 23:57:31.000000000 +0200 @@ -29,7 +29,8 @@ --disable-local-libopts \ --enable-ntp-signd \ --disable-dependency-tracking \ - --with-openssl-libdir=/usr/lib/$(DEB_HOST_MULTIARCH) + --with-openssl-libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ + --enable-bug3020-fix build: build-arch build-indep build-arch: build-stamp
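Review bot: the new debian/changelog entry for 1:4.2.6.p5+dfsg-2+deb7u7~3 targets `santiago-wheezy` with a `~3` test suffix, while the entry below it uses `wheezy-security`; both need changing for the real upload (version `1:4.2.6.p5+dfsg-2+deb7u7`, distribution `wheezy-security`), so a reminder in the cover mail or a TODO in the entry would help avoid an accidental upload of the test version. The CVE-2015-7977/7978 bullet also carries a typo, `by flawns in restrict list processing`, which should read `flaws`.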
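Review bot: the hunks touching CVE-2015-7701.patch and CVE-2015-7704.patch change only the patch headers (from the BitKeeper/`diff -up` form to `Index:` form) and the hunk offsets (`@@ -508` to `@@ -483` and `@@ -1165` to `@@ -1171`), not the patched lines themselves; that is a quilt refresh, and recording it in the changelog (for example, `Refresh CVE-2015-7701.patch and CVE-2015-7704.patch`) lets a reviewer treat them as no-ops instead of re-auditing two existing security fixes.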
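Review bot: ntp-4.2.6p5-cve-2015-7974.patch carries no DEP-3 header, unlike ntp-4.2.6p5-cve-2016-1551.patch, which opens with `Origin:` and `Description:` lines; the same applies to the other new ntp-4.2.6p5-cve-*.patch files. At least a `Description:` line restating the changelog bullet and an `Origin:` pointing at the upstream changeset or the svn revision the patch was taken from would let the next maintainer tell where each backport came from. On the logic, the new key-ID test is evaluated before `authdecrypt()`, so a persistent symmetric-key association whose `skeyid` does not match `peer->keyid` is rejected without touching the key cache, which matches the comment the hunk adds.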
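Review bot: in the `list_restrict4`/`list_restrict6` rewrite of ntp-4.2.6p5-cve-2015-7977_7978.patch, the `if (!pushRestriction(&rpad, res)) break;` path can never be taken, because `pushRestriction()` always returns `TRUE` and ntpd's `emalloc()` does not return on allocation failure; a one-line comment saying so, or dropping the return value, would spare the next reader a search for the partial-stack case. The `while (pir && popRestriction(&rpad, &res))` guard is the actual fix: the old recursive version did `*ppir = (struct info_restrict *)more_pkt();` and then dereferenced `pir` on the next level without a NULL check, whereas now a NULL from `more_pkt()` ends the loop and `flushRestrictionStack(&rpad)` releases the entries not yet emitted, so nothing leaks. That truncation is silent, though; a `DPRINTF` when the stack is still non-empty after the loop would make a cut-off restrict listing diagnosable.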
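Review bot: both hunks of ntp-4.2.6p5-cve-2015-7979.patch repeat the same three-part test, `peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST && !(peer->flash & (TEST2 | TEST3))`; it is correct as written since `&` binds tighter than `&&`, but writing the first term as `(peer->flags & FLAG_PREEMPT)` would match the parenthesised `!(peer->flash & ...)` on the same line and read less ambiguously, and a small static helper or macro for the whole condition would keep the two call sites from drifting apart in a later refresh.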
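Review bot: the `clock_update()` hunk of ntp-4.2.6p5-cve-2016-1548.patch calls `ntp_crypto_random_buf()`, but nothing in this debdiff defines or declares it; please confirm it is provided by an earlier patch in the series (and that the header declaring it is included by ntp_proto.c), and record that dependency in the patch description, since applying this patch on its own against 4.2.6p5 would otherwise fail to build. The follow-up `if (L_ISHIS(&sys_reftime, &peer->dst)) sys_reftime.l_ui--;` appears intended to keep the randomised reference time from running ahead of `peer->dst`; stating that in the comment would preserve the intent through the next refresh.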
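Review bot: ntp-4.2.6p5-cve-2016-1550.patch swaps `memcmp()` for OpenSSL's constant-time `CRYPTO_memcmp()` in both MAC checks, which is the right fix for a timing side channel, but neither hunk adds an include, and `CRYPTO_memcmp()` is declared in `<openssl/crypto.h>`; check that `libntp/a_md5encrypt.c` and `sntp/crypto.c` already pull in the OpenSSL headers on this build, and note in the patch description that a build without OpenSSL would no longer compile these files. The symbol was added in the OpenSSL 1.0.1 series, so the successful test build against wheezy's OpenSSL implicitly confirms it is available.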
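Review bot: the `DPRINTF` added to `read_network_packet()` in ntp-4.2.6p5-cve-2016-1551.patch has an unbalanced parenthesis in its format string, `"read_network_packet: fd=%d dropped (refclock srcadr))\n"`; it only affects debug output, but it is trivial to fix while the patch is being carried. The filter itself drops and counts (`packets_dropped++`) every datagram whose source address satisfies `ISREFCLOCKADR()`, i.e. the 127.127.t.u refclock range, and logs each one at `LOG_ERR`, so a host that receives many such packets will be noisy in syslog; rate limiting is not something to add in a security backport, but it is worth knowing when reading the logs after deployment.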
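Review bot: ntp-4.2.6p5-cve-2016-2518.patch re-enables the block that sat under `#if 0 /* paranoid checking - these are done in newpeer() */`, and that block consumes the item counter in `while (items-- > 0 && !fl)`; please confirm that `items` and `cp` are reinitialised before the `Looks okay, try it out` loop that follows, otherwise the real configuration loop would see zero items. Since CVE-2016-2518 shows that leaving these checks to `newpeer()` was not sufficient, a sentence in the patch description saying why the block is now live would stop someone from re-disabling it later on the strength of the old comment.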
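Review bot: the series ordering matters for the ntp_proto.c patches: the context of ntp-4.2.6p5-cve-2016-1548.patch already contains the `L_ISZERO(&p_org) ||` test introduced by ntp-4.2.6p5-cve-2015-8138.patch, so 8138 must stay before 1548 as it does here, and the refreshed offsets in CVE-2015-7701.patch and CVE-2015-7704.patch assume the three patches inserted above them. A comment line in series, or a DEP-3 note in 1548 naming the dependency, would keep a future reorder from breaking `quilt push`.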
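Review bot: the `--enable-bug3020-fix` added to debian/rules only takes effect if `configure` is regenerated from the patched configure.ac during the build; if the shipped `configure` is used, the option is merely reported as unrecognised and `ENABLE_BUG3020_FIX` is never defined, so the `#ifdef ENABLE_BUG3020_FIX` block in ntp_io.c silently compiles to nothing. Before uploading, check the build log for `checking if we want the explicit 127.0.0.0/8 martian filter... yes` or grep the generated config.h for the define; the flag is otherwise redundant with the `[ans=yes]` default in configure.ac but fine as explicit documentation of intent.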