Re: ntp security update

To: Ben Hutchings <ben@decadent.org.uk>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: ntp security update
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 25 Oct 2015 22:45:07 +0100
Message-id: <[🔎] 20151025214507.GA17238@roeckx.be>
In-reply-to: <[🔎] 1445807587.2395.69.camel@decadent.org.uk>
References: <[🔎] 1445747418.2395.25.camel@decadent.org.uk> <[🔎] 20151025101903.GA18081@roeckx.be> <[🔎] 1445807587.2395.69.camel@decadent.org.uk>

On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> > Your bug-2899.patch patch looks a little different.  You have:
> > @@ -2207,8 +2221,8 @@ crypto_bob(
> >        vp->sig = emalloc(sign_siglen);
> >        EVP_SignInit(&ctx, sign_digest);
> >        EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > -      EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > -      if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > +      EVP_SignUpdate(&ctx, vp->ptr, len);
> > +      if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> >                vp->siglen = htonl(sign_siglen);
> >        return (XEVNT_OK);
> >  }
> > 
> > The patch from upstream and the one from redhat has:
> > @@ -2214,9 +2228,9 @@ crypto_bob(
> >         vp->sig = emalloc(sign_siglen);
> >         EVP_SignInit(&ctx, sign_digest);
> >         EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
> > -       EVP_SignUpdate(&ctx, vp->ptr, vallen);
> > -       if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
> > -               vp->siglen = htonl(sign_siglen);
> > +       EVP_SignUpdate(&ctx, vp->ptr, len);
> > +       if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
> > +               vp->siglen = htonl(len);
> >         return (XEVNT_OK);
> >  }
> > 
> > 
> > As in, the htonl() call changes sign_siglen to len.
> 
> No, it changes vallen to len.  But in 4.2.6 vallen is ignored and the
> previously calculated sign_siglen is assumed to be correct.  I didn't
> want to change that.

Will take a look at this.

> > While I have addiotional patches for:
> > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > seems)
> 
> Which is split from CVE-2014-9297.

>From what I understand CVE-2014-9297 was changed to CVE-2014-9750
and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
There is nothing split.

In any case, there is a patch missing.

> > ntp-4.2.6p5-cve-2015-5219.patch
> > ntp-4.2.6p5-cve-2015-5195.patch
> > ntp-4.2.6p5-cve-2015-5194.patch
> > ntp-4.2.6p5-cve-2015-5146.patch
> 
> These were already marked as no-DSA-required in the security tracker.

I don't see why we shouldn't fix them.

> > CVE-2015-7705.patch
> 
> Where does this come from?

That's a good question.  It just seems to be about logging, so
that seems to be wrong.

> > CVE-2015-7851.patch
> 
> VMS only, so I didn't bother.
> 
> > CVE-2015-7853.patch
> 
> This really isn't needed because 4.2.6 doesn't have the incorrect cast
> from size_t to int.  Please revert your change in the security tracker.

You're right, I somehow missed the casts.


Kurt

Reply to:

Follow-Ups:
- Re: ntp security update
  - From: Ben Hutchings <ben@decadent.org.uk>

References:
- ntp security update
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: ntp security update
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: ntp security update
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Re: ntp security update
Next by Date: Re: ntp security update
Previous by thread: Re: ntp security update
Next by thread: Re: ntp security update
Index(es):
- Date
- Thread