
Re: ntp security update



On Sun, Oct 25, 2015 at 11:23:50PM +0100, Kurt Roeckx wrote:
> On Mon, Oct 26, 2015 at 06:55:06AM +0900, Ben Hutchings wrote:
> > On Sun, 2015-10-25 at 22:45 +0100, Kurt Roeckx wrote:
> > > On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> > [...]
> > > > > While I have additional patches for:
> > > > > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > > > > seems)
> > > > 
> > > > Which is split from CVE-2014-9297.
> > > 
> > > From what I understand CVE-2014-9297 was changed to CVE-2014-9750
> > > and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
> > > There is nothing split.
> > > 
> > > In any case, there is a patch missing.
> > 
> > OK, which one is that?  I looked through the upstream commits for bug
> > 2671 and they all seemed to have been included in CVE-2014-9297.patch.
> 
> *look confused*
> 
> At some point 348fc9fa390c7894f589104fbca4d635868b7a45 was
> missing.
> 
> But redhat has a diff that looks like:
> --- ntp_crypto.c 
> +++ ntp_crypto.c  
> @@ -1575,6 +1575,7 @@
>         EVP_MD_CTX ctx;         /* signature context */
>         tstamp_t tstamp;        /* NTP timestamp */
>         u_int32 temp32;
> +       u_char *puch;
> 
>         /*
>          * Extract the public key from the request.
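Review bot: The added declaration `u_char *puch;` has no comment and its name does not say what it points to, while the neighbouring `ctx` and `tstamp` declarations are annotated. A trailing comment saying it is the destination buffer for the encrypted cookie (it is set from vp->ptr and passed to RSA_public_encrypt in the following hunk), or a more descriptive name, would make the purpose of the new local clear.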
> @@ -1596,9 +1597,9 @@
>         vallen = EVP_PKEY_size(pkey);
>         vp->vallen = htonl(vallen);
>         vp->ptr = emalloc(vallen);
> -       ptr = vp->ptr;
> +       puch = vp->ptr;
>         temp32 = htonl(*cookie);
> -       if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
> +       if (RSA_public_encrypt(4, (u_char *)&temp32, puch,
>             pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
>                 msyslog(LOG_ERR, "crypto_encrypt: %s",
>                     ERR_error_string(ERR_get_error(), NULL));
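Review bot: The switch from `ptr` to `puch` at `puch = vp->ptr;` is not explained in the hunk, and `puch` is assigned once and used once, as the destination argument of RSA_public_encrypt. Either pass vp->ptr directly (with a cast if its type needs one) or add a one-line comment on why `ptr` is no longer assigned here. As a style point on the same call, the literal input length 4 would be better written as `sizeof(temp32)` so it stays tied to the buffer passed as `(u_char *)&temp32`.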
> 
> 
> (Didn't look at what that does yet, looks like part of a change of
> a much older commit.)

So the effect of this seems to be that "ptr" which is a parameter
to a function isn't used anymore as some pointer.  But ptr isn't
used anymore at this point, so seems that it doesn't have any
effect.


Kurt

