
Bug#773854: marked as done (unblock: ntp/1:4.2.6.p5+dfsg-3.2)



Your message dated Wed, 24 Dec 2014 10:54:24 +0000
with message-id <4f872f35f0791d11771acba670cdde11@mail.adsl.funky-badger.org>
and subject line Re: Bug#773854: unblock: ntp/1:4.2.6.p5+dfsg-3.2
has caused the Debian Bug report #773854,
regarding unblock: ntp/1:4.2.6.p5+dfsg-3.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773854: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773854
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ntp version 1:4.2.6.p5+dfsg-3.2. This version
contains the security fixes described in bug 773576 and released for
stable in DSA 3108-1.

diffstat:

 changelog                               |   11 +++++++++
 patches/ntp-4.2.6p5-cve-2014-9293.patch |   37 ++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9294.patch |  111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9295.patch |  107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9296.patch |   15 ++++++++++++
 patches/series                          |    4 +++

See attached diff for the change details.

unblock ntp/1:4.2.6.p5+dfsg-3.2

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog
--- ntp-4.2.6.p5+dfsg/debian/changelog	2014-07-16 09:49:08.000000000 -0700
+++ ntp-4.2.6.p5+dfsg/debian/changelog	2014-12-21 12:01:59.000000000 -0800
@@ -1,3 +1,14 @@
+ntp (1:4.2.6.p5+dfsg-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply fixes for security updates (Closes: 773576)
+    - cve-2014-9293
+    - cve-2014-9294
+    - cve-2014-9295
+    - cve-2014-9296
+
+ -- Noah Meyerhans <noahm@debian.org>  Sun, 21 Dec 2014 12:01:50 -0800
+
 ntp (1:4.2.6.p5+dfsg-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,37 @@
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntp_config.c	2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+ 		req_hashlen = digest_len;
+ #endif
+ 	} else {
+-		int	rankey;
++		unsigned char rankey[16];
++
++		if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
++			msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++			exit(1);
++		}
+ 
+-		rankey = ntp_random();
+ 		req_keytype = NID_md5;
+ 		req_hashlen = 16;
+-		MD5auth_setkey(req_keyid, req_keytype,
+-		    (u_char *)&rankey, sizeof(rankey));
++		MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+ 		authtrust(req_keyid, 1);
+ 	}
+ 
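Review bot: The `ntp_crypto_random_buf()` call added here, and the `ntp_crypto_srandom()` call in the ntpd.c hunk of this same patch, use functions that are only declared and defined by ntp-4.2.6p5-cve-2014-9294.patch, yet debian/patches/series applies the 9293 patch first. The complete series builds, but a tree with only this patch applied does not, which gets in the way of bisecting or cherry-picking the fix. Listing the 9294 patch first, or stating the dependency in this patch's header, would make that explicit. The enclosing function starts and ends outside the hunk.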
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntpd.c	2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+ 	get_systime(&now);
+ 
+ 	ntp_srandom((int)(now.l_i * now.l_uf));
++	ntp_crypto_srandom();
+ 
+ #if !defined(VMS)
+ # ifndef NODETACH
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,111 @@
+Index: git/include/ntp_random.h
+===================================================================
+--- git.orig/include/ntp_random.h	2014-12-20 18:45:44.712861496 +0100
++++ git/include/ntp_random.h	2014-12-20 18:45:52.817027062 +0100
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
++void ntp_crypto_srandom(void);
++int ntp_crypto_random_buf(void *buf, size_t nbytes);
++
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: git/libntp/ntp_random.c
+===================================================================
+--- git.orig/libntp/ntp_random.c	2014-12-20 18:45:44.712861496 +0100
++++ git/libntp/ntp_random.c	2014-12-20 18:45:52.817027062 +0100
+@@ -481,3 +481,63 @@
+ 	}
+ 	return(i);
+ }
++
++/*
++ * Crypto-quality random number functions
++ *
++ * Author: Harlan Stenn, 2014
++ *
++ * This file is Copyright (c) 2014 by Network Time Foundation.
++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
++ */
++
++#include <openssl/err.h>
++#include <openssl/rand.h>
++
++int crypto_rand_init = 0;
++
++/*
++ * ntp_crypto_srandom:
++ *
++ * Initialize the random number generator, if needed by the underlying
++ * crypto random number generation mechanism.
++ */
++
++void
++ntp_crypto_srandom(
++	void
++	)
++{
++	if (!crypto_rand_init) {
++		RAND_poll();
++		crypto_rand_init = 1;
++	}
++}
++
++/*
++ * ntp_crypto_random_buf:
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++ntp_crypto_random_buf(
++	void *buf,
++	size_t nbytes
++	)
++{
++	int rc;
++
++	rc = RAND_bytes(buf, nbytes);
++	if (1 != rc) {
++		unsigned long err;
++		char *err_str;
++
++		err = ERR_get_error();
++		err_str = ERR_error_string(err, NULL);
++		/* XXX: Log the error */
++
++		return -1;
++	}
++	return 0;
++}
++
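Review bot: `ntp_crypto_srandom()` sets `crypto_rand_init = 1` without looking at the result of `RAND_poll()`, so a failed seeding attempt is recorded as done and never retried; `if (RAND_poll() == 1) crypto_rand_init = 1;` keeps the flag truthful. In `ntp_crypto_random_buf()` the failure branch computes `err_str` and then drops it (the `XXX: Log the error` marker), so callers can only log a bare "failed" with no cause; the string should either be logged or the two unused locals removed. The OpenSSL headers and `RAND_*` calls are added unconditionally, while the ntp-keygen.c context later in this patch shows an `#endif /* OPENSSL */`, which suggests OpenSSL is optional in this tree, so an `#ifdef OPENSSL` guard is probably needed for builds without it. `crypto_rand_init` has no users outside this file in the patch and could be `static`.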
+Index: git/util/ntp-keygen.c
+===================================================================
+--- git.orig/util/ntp-keygen.c	2014-12-20 18:45:44.712861496 +0100
++++ git/util/ntp-keygen.c	2014-12-20 18:45:52.817027062 +0100
+@@ -261,6 +261,8 @@
+ 	ssl_check_version();
+ #endif /* OPENSSL */
+ 
++	ntp_crypto_srandom();
++
+ 	/*
+ 	 * Process options, initialize host name and timestamp.
+ 	 */
+@@ -727,7 +729,14 @@
+ 			int temp;
+ 
+ 			while (1) {
+-				temp = ntp_random() & 0xff;
++				int rc;
++
++				rc = ntp_crypto_random_buf(&temp, 1);
++				if (-1 == rc) {
++					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
++					exit (-1);
++				}
++				temp &= 0xff;
+ 				if (temp == '#')
+ 					continue;
+ 
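Review bot: `ntp_crypto_random_buf(&temp, 1)` fills only the first byte in memory of the uninitialised `int temp`, and `temp &= 0xff` then keeps the least-significant byte, which is the same byte only on little-endian hosts. On a big-endian machine the masked value would come from uninitialised stack contents rather than from the RNG, so the key characters generated by this loop would not be random there. Reading into a byte-sized object removes the dependency on byte order: declare `unsigned char b;`, call `rc = ntp_crypto_random_buf(&b, 1);`, and use `temp = b;` in place of the mask. The loop body continues past the end of the hunk.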
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,107 @@
+2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c	2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+ 			 * errors.
+ 			 */
+ 			if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++				u_int32 *cookiebuf = malloc(
++				    RSA_size(host_pkey->pkey.rsa));
++				if (!cookiebuf) {
++					rval = XEVNT_CKY;
++					break;
++				}
++
+ 				if (RSA_private_decrypt(vallen,
+ 				    (u_char *)ep->pkt,
+-				    (u_char *)&temp32,
++				    (u_char *)cookiebuf,
+ 				    host_pkey->pkey.rsa,
+-				    RSA_PKCS1_OAEP_PADDING) <= 0) {
++				    RSA_PKCS1_OAEP_PADDING) != 4) {
+ 					rval = XEVNT_CKY;
++					free(cookiebuf);
+ 					break;
+ 				} else {
+-					cookie = ntohl(temp32);
++					cookie = ntohl(*cookiebuf);
++					free(cookiebuf);
+ 				}
+ 			} else {
+ 				rval = XEVNT_CKY;
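Review bot: The expected plaintext length is the bare literal `4` in `RSA_PKCS1_OAEP_PADDING) != 4)`; writing it as `!= (int)sizeof(*cookiebuf)` would tie the check to the 32-bit value that `ntohl(*cookiebuf)` reads afterwards. A short comment above the `malloc` would also help, saying that the buffer is sized with `RSA_size()` because the decrypt call may write more than four bytes of output, which is why the old `temp32` target was unsafe. The scratch buffer holds the decrypted cookie and is released with plain `free()` on both paths, so clearing it before the free would be a reasonable hardening step. The surrounding case starts and ends outside the hunk.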
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c	2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static	char *reqpt;
+ static	char *reqend;
+ 
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+  * init_control - initialize request data
+  */
+@@ -995,6 +999,7 @@
+ 	)
+ {
+ 	int overhead;
++	unsigned int currentlen;
+ 
+ 	overhead = 0;
+ 	if (!bin) {
+@@ -1018,12 +1023,22 @@
+ 	/*
+ 	 * Save room for trailing junk
+ 	 */
+-	if (dlen + overhead + datapt > dataend) {
++	while (dlen + overhead + datapt > dataend) {
+ 		/*
+ 		 * Not enough room in this one, flush it out.
+ 		 */
++		currentlen = MIN(dlen, dataend - datapt);
++
++		memcpy(datapt, dp, currentlen);
++
++		datapt += currentlen;
++		dp += currentlen;
++		dlen -= currentlen;
++		datalinelen += currentlen;
++
+ 		ctl_flushpkt(CTL_MORE);
+ 	}
++
+ 	memmove((char *)datapt, dp, (unsigned)dlen);
+ 	datapt += dlen;
+ 	datalinelen += dlen;
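Review bot: The loop condition `dlen + overhead + datapt > dataend` still forms a pointer past the end of the output buffer before comparing, which is undefined behaviour in C and may wrap for a large `dlen`; comparing lengths instead, along the lines of `while (dlen + overhead > (size_t)(dataend - datapt))`, avoids that. Inside the loop, `MIN(dlen, dataend - datapt)` compares `dlen` (declared outside the hunk) with a `ptrdiff_t` and stores the result in `unsigned int currentlen`, so an explicit cast would make the intended unsigned comparison visible. The loop also fills the packet right up to `dataend` although the comment above it talks about saving room for trailing data; if that is intended, it deserves a comment. ctl_putdata begins outside this hunk.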
+@@ -2492,6 +2507,20 @@
+ 
+ 	/* Initialize the remote config buffer */
+ 	data_count = reqend - reqpt;
++
++	if (data_count > sizeof(remote_config.buffer) - 2) {
++		snprintf(remote_config.err_msg,
++			 sizeof(remote_config.err_msg),
++			 "runtime configuration failed: request too long");
++		ctl_putdata(remote_config.err_msg,
++			    strlen(remote_config.err_msg), 0);
++		ctl_flushpkt(0);
++		msyslog(LOG_NOTICE,
++			"runtime config from %s rejected: request too long",
++			stoa(&rbufp->recv_srcadr));
++		return;
++	}
++
+ 	memcpy(remote_config.buffer, reqpt, data_count);
+ 	if (data_count > 0
+ 	    && '\n' != remote_config.buffer[data_count - 1])
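Review bot: The bound `sizeof(remote_config.buffer) - 2` has no comment explaining the `2`. From the lines that follow, it appears to reserve space for the `'\n'` appended when the request lacks one and, presumably, for a terminating NUL, so I would add `/* leave room for an appended '\n' and the terminating NUL */` above the check. `data_count` is declared outside the hunk; if it is a signed type, the comparison relies on implicit conversion to unsigned to reject a negative value, and an explicit negative check would state that intent. Adding the rejected length to the `msyslog` line would make these rejections easier to triage.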
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,15 @@
+2014-12-12 11:24:22+00:00, stenn@psp-fb1.ntp.org +1 -0
+  [Sec 2670] Missing return; from error clause
+
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c	2014-12-20 18:45:42.760821618 +0100
++++ git/ntpd/ntp_proto.c	2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+ 				fast_xmit(rbufp, MODE_ACTIVE, 0,
+ 				    restrict_mask);
+ 				sys_restricted++;
++				return;
+ 			}
+ 		}
+ 
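Review bot: The added `return;` has no comment saying why it matters, and it is the whole fix. Without it, a packet that has just been answered through `fast_xmit()` and counted in `sys_restricted` would apparently carry on into the processing below. A one-line comment such as `/* rejected: stop here, do not process this packet further */` would keep a later cleanup from removing it. The conditions guarding this block are outside the hunk, so whether sibling error branches also return cannot be checked from here.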
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/series ntp-4.2.6.p5+dfsg/debian/patches/series
--- ntp-4.2.6.p5+dfsg/debian/patches/series	2013-05-20 07:19:33.000000000 -0700
+++ ntp-4.2.6.p5+dfsg/debian/patches/series	2014-12-21 12:00:35.000000000 -0800
@@ -10,3 +10,7 @@
 sntp-manpage.patch
 openssl-headers.patch
 autotools.patch
+ntp-4.2.6p5-cve-2014-9293.patch
+ntp-4.2.6p5-cve-2014-9294.patch
+ntp-4.2.6p5-cve-2014-9295.patch
+ntp-4.2.6p5-cve-2014-9296.patch

--- End Message ---
--- Begin Message ---
On 2014-12-24 5:16, Noah Meyerhans wrote:
> Please unblock package ntp version 1:4.2.6.p5+dfsg-3.2. This version
> contains the security fixes described in bug 773576 and released for
> stable in DSA 3108-1.

This was already unblocked, and migrated to testing in last night's britney run.

Regards,

Adam

--- End Message ---
