Re: ntp security update
On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> > Your bug-2899.patch patch looks a little different. You have:
> > @@ -2207,8 +2221,8 @@ crypto_bob(
> > vp->sig = emalloc(sign_siglen);
> > EVP_SignInit(&ctx, sign_digest);
> > EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > - EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > - if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > + EVP_SignUpdate(&ctx, vp->ptr, len);
> > + if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> > vp->siglen = htonl(sign_siglen);
> > return (XEVNT_OK);
> > }
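Review bot: the hunk still sets `vp->siglen = htonl(sign_siglen);` while discarding the `len` that `EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)` writes back, so the advertised signature length is the precomputed `sign_siglen` rather than the length actually produced; should the two ever differ, the bytes past `len` in the `emalloc(sign_siglen)` buffer are never written yet are covered by `siglen`. Either use `vp->siglen = htonl(len);` as the upstream hunk does, or state in a comment (or assertion after EVP_SignFinal) why `len == sign_siglen` is guaranteed here.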
> >
> > The patch from upstream and the one from redhat have:
> > @@ -2214,9 +2228,9 @@ crypto_bob(
> > vp->sig = emalloc(sign_siglen);
> > EVP_SignInit(&ctx, sign_digest);
> > EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > - EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > - if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > - vp->siglen = htonl(sign_siglen);
> > + EVP_SignUpdate(&ctx, vp->ptr, len);
> > + if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> > + vp->siglen = htonl(len);
> > return (XEVNT_OK);
> > }
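Review bot: `len` is reused for two different quantities in this hunk: it is the value length in `EVP_SignUpdate(&ctx, vp->ptr, len);` and is then overwritten by `EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)` with the signature length before `vp->siglen = htonl(len);`. That is fine only if the value length is not needed after this point; a short comment at the EVP_SignFinal call would make the reuse deliberate rather than a suspected typo for `vallen`. Note also that the buffer is still allocated with `emalloc(sign_siglen)`, so the hunk relies on EVP_SignFinal never writing more than `sign_siglen` bytes.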
> >
> >
> > As in, the htonl() call changes sign_siglen to len.
>
> No, it changes vallen to len. But in 4.2.6 vallen is ignored and the
> previously calculated sign_siglen is assumed to be correct. I didn't
> want to change that.
Will take a look at this.
> > While I have additional patches for:
> > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > seems)
>
> Which is split from CVE-2014-9297.
From what I understand CVE-2014-9297 was changed to CVE-2014-9750
and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
There is nothing split.
In any case, there is a patch missing.
> > ntp-4.2.6p5-cve-2015-5219.patch
> > ntp-4.2.6p5-cve-2015-5195.patch
> > ntp-4.2.6p5-cve-2015-5194.patch
> > ntp-4.2.6p5-cve-2015-5146.patch
>
> These were already marked as no-DSA-required in the security tracker.
I don't see why we shouldn't fix them.
> > CVE-2015-7705.patch
>
> Where does this come from?
That's a good question. It just seems to be about logging, so
that seems to be wrong.
> > CVE-2015-7851.patch
>
> VMS only, so I didn't bother.
>
> > CVE-2015-7853.patch
>
> This really isn't needed because 4.2.6 doesn't have the incorrect cast
> from size_t to int. Please revert your change in the security tracker.
You're right, I somehow missed the casts.
Kurt