[pkg-ntp-maintainers] wheezy update of ntp? (was: squeeze update of ntp?)
Santiago Ruano Rincón
santiagorr at riseup.net
Wed Jun 1 05:23:22 UTC 2016
Hi Kurt,
On 18/05/16 at 23:20, Kurt Roeckx wrote:
> On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
> > On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> > > There are 22 open, some of which are marked as non-important. Of
> > > the new ones some should probably also be marked as such.
> >
> > I did so with CVE-2015-8158 as it affects only ntpq under very specific
> > conditions and the impact is minor (it hangs).
>
> There are also some things that you need to be authenticated for,
> which is at least a non-default config. I consider all of those to
> be non-important.
>
> > > I've spent several hours during the weekend going over commits in
> > > bitkeeper. But as usual, it's all a big mess. I have 10 issues
> > > fixed in svn. I also have 7 files with the patches in as they
> > > apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> > > version yet, so I have no idea what the state of those patches
> > > is. Then there also seem to be at least 2 other bug fixes that
> > > appear to be security issues but that didn't get a CVE.
> >
...
> I suggest that you at least let me finish the patches I started
> on.
>
I have picked your patches (I hope all of them) from the svn to build a
test package, and have also taken a look at the remaining issues. I have
only been able to "backport" the fix for CVE-2016-1551, the refclock
impersonation.
For https://security-tracker.debian.org/tracker/CVE-2016-1547, I am not
sure that it affects 4.2.6.
I haven't found the fix for the Sybil attack
https://security-tracker.debian.org/tracker/CVE-2016-1549
The fix for https://security-tracker.debian.org/tracker/CVE-2016-2517
requires a 4.2.8 ntp_keyacc.h, and I think it could be marked as
non-important too.
And the fix for https://security-tracker.debian.org/tracker/CVE-2016-2519
requires more study.
A debdiff is attached. These are the changes from the changelog entry:
[Kurt Roeckx]
* Fix CVE-2015-7974: ntp_proto: Verify peer key ID.
* Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer
dereference, stack overflow and overfull reply buffers by flaws in
restrict list processing.
* Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on
authenticated broadcast mode.
* Fix CVE-2015-8138: ntp: missing check for zero originate timestamp.
* Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric
interleaved mode with spoofed packets.
* Fix CVE-2016-1550: Timing attack for authenticated packets.
* Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on
unconfig directives.
* Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted
addpeer.
.
[Santiago Ruano Rincón]
* Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation.
debian/rules: configure with --enable-bug3020-fix.
And the package is available at:
https://people.debian.org/~santiago/debian/santiago-wheezy/ntp_4.2.6.p5+dfsg-2+deb7u7~3.dsc
and at the repo:
deb https://people.debian.org/~santiago/debian santiago-wheezy/
deb-src https://people.debian.org/~santiago/debian santiago-wheezy/
Please tell me if I can do anything else to help you with handling this
package. AFAIK, you want to upload it :)
I hope this is useful,
Santiago
-------------- next part --------------
diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog
--- ntp-4.2.6.p5+dfsg/debian/changelog 2015-10-28 21:05:59.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/changelog 2016-06-01 00:43:58.000000000 +0200
@@ -1,3 +1,29 @@
+ntp (1:4.2.6.p5+dfsg-2+deb7u7~3) santiago-wheezy; urgency=medium
+
+ * Team upload
+
+ [Kurt Roeckx]
+ * Fix CVE-2015-7974: ntp_proto: Verify peer key ID.
+ * Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer
+ dereference, stack overflow and overfull reply buffers by flawns in
+ restrict list processing.
+ * Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on
+ authenticated broadcast mode.
+ * Fix CVE-2015-8138: ntp: missing check for zero originate timestamp.
+ * Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric
+ interleaved mode with spoofed packets.
+ * Fix CVE-2016-1550: Timing attack for authenticated packets.
+ * Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on
+ unconfig directives.
+ * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted
+ addpeer.
+
+ [Santiago Ruano Rincón]
+ * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation.
+ debian/rules: configure with --enable-bug3020-fix.
+
+ -- Santiago Ruano Rincón <santiagorr at riseup.net> Tue, 31 May 2016 19:38:12 +0200
+
ntp (1:4.2.6.p5+dfsg-2+deb7u6) wheezy-security; urgency=medium
* Fix errors in previous changelog entry
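Review bot: the new entry at the top of this hunk targets distribution `santiago-wheezy` with version `1:4.2.6.p5+dfsg-2+deb7u7~3`; before the real upload both need to take the form of the entry below it (`wheezy-security`, `deb7u7`), otherwise the package is rejected or lands in the wrong suite. Two smaller points: `flawns` in the CVE-2015-7977/7978 line should read `flaws`, and a one-line note that CVE-2016-1547, CVE-2016-1549, CVE-2016-2517 and CVE-2016-2519 were deliberately left out of this upload (as the cover mail explains) would stop the next uploader from re-investigating them.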
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch 2015-10-23 20:11:01.000000000 +0200
+++ ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch 2016-05-29 13:22:30.000000000 +0200
@@ -1,6 +1,8 @@
---- 1.181/ntpd/ntp_crypto.c 2015-07-19 01:36:46 -04:00
-+++ 1.181.1.1/ntpd/ntp_crypto.c 2015-09-28 12:22:06 -04:00
-@@ -508,6 +508,7 @@ crypto_recv(
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
+@@ -483,6 +483,7 @@ crypto_recv(
rval = XEVNT_ERR;
break;
}
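Review bot: this hunk only normalises the patch header from the upstream bk revision (`1.181/ntpd/ntp_crypto.c`) into the quilt `Index:` form and moves the hunk offset from `@@ -508` to `@@ -483`, i.e. it refreshes the patch against the 4.2.6p5 line numbers; there is no functional change. Since several existing patches are being refreshed and the series order changes further down, a `quilt push -a` on the unpacked source should be part of the build check to confirm every patch still applies without fuzz.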
@@ -8,4 +10,3 @@
}
fp = emalloc(len);
memcpy(fp, ep, len);
-
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch 2015-10-23 20:11:01.000000000 +0200
+++ ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7704.patch 2016-05-29 13:22:25.000000000 +0200
@@ -1,7 +1,8 @@
-diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c
---- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest 2015-09-24 18:20:19.121981664 +0200
-+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-09-24 18:20:54.596594166 +0200
-@@ -1165,7 +1165,7 @@ receive(
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+@@ -1171,7 +1171,7 @@ receive(
peer->ppoll = max(peer->minpoll, pkt->ppoll);
if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7974.patch 2016-05-29 11:09:32.000000000 +0200
@@ -0,0 +1,20 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 2016-01-21 14:06:18.958346184 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-01-21 14:16:34.894828262 +0100
+@@ -674,10 +674,13 @@ receive(
+ * succeed in bloating the key cache. If an autokey,
+ * purge it immediately, since we won't be needing it
+ * again. If the packet is authentic, it can mobilize an
+- * association. Note that there is no key zero.
++ * association. If it's a persistent association using a
++ * symmetric key, the key ID has to match the configured
++ * value. Note that there is no key zero.
+ */
+- if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
+- has_mac))
++ if ((peer && !(peer->flags & FLAG_PREEMPT) &&
++ peer->keyid <= NTP_MAXKEY && skeyid != peer->keyid) ||
++ !authdecrypt(skeyid, (u_int32 *)pkt, authlen, has_mac))
+ is_authentic = AUTH_ERROR;
+ else
+ is_authentic = AUTH_OK;
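Review bot: this new patch file carries no DEP-3 header (Origin/Description/Bug), unlike ntp-4.2.6p5-cve-2016-1551.patch later in this debdiff; add at least `Description: CVE-2015-7974 ...` and the Origin it was taken from so the provenance survives the next refresh. The logic itself looks right: `peer &&` guards the dereference, `!(peer->flags & FLAG_PREEMPT)` limits the key-ID check to persistent associations, and `peer->keyid <= NTP_MAXKEY` restricts it to symmetric keys so autokey peers are not affected.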
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7977_7978.patch 2016-05-29 11:12:58.000000000 +0200
@@ -0,0 +1,183 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 ntp-4.2.6p5/ntpd/ntp_request.c
+--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 2011-12-01 03:55:17.000000000 +0100
++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-01-20 11:14:20.855586406 +0100
+@@ -1730,56 +1730,143 @@ setclr_flags(
+ loop_config(LOOP_DRIFTCOMP, drift_comp);
+ }
+
++/* There have been some issues with the restrict list processing,
++ * ranging from problems with deep recursion (resulting in stack
++ * overflows) and overfull reply buffers.
++ *
++ * To avoid this trouble the list reversal is done iteratively using a
++ * scratch pad.
++ */
++typedef struct RestrictStack RestrictStackT;
++struct RestrictStack {
++ RestrictStackT *link;
++ size_t fcnt;
++ const restrict_u *pres[63];
++};
++
++static size_t
++getStackSheetSize(
++ RestrictStackT *sp
++ )
++{
++ if (sp)
++ return sizeof(sp->pres)/sizeof(sp->pres[0]);
++ return 0u;
++}
++
++static int/*BOOL*/
++pushRestriction(
++ RestrictStackT **spp,
++ const restrict_u *ptr
++ )
++{
++ RestrictStackT *sp;
++
++ if (NULL == (sp = *spp) || 0 == sp->fcnt) {
++ /* need another sheet in the scratch pad */
++ sp = emalloc(sizeof(*sp));
++ sp->link = *spp;
++ sp->fcnt = getStackSheetSize(sp);
++ *spp = sp;
++ }
++ sp->pres[--sp->fcnt] = ptr;
++ return TRUE;
++}
++
++static int/*BOOL*/
++popRestriction(
++ RestrictStackT **spp,
++ const restrict_u **opp
++ )
++{
++ RestrictStackT *sp;
++
++ if (NULL == (sp = *spp) || sp->fcnt >= getStackSheetSize(sp))
++ return FALSE;
++
++ *opp = sp->pres[sp->fcnt++];
++ if (sp->fcnt >= getStackSheetSize(sp)) {
++ /* discard sheet from scratch pad */
++ *spp = sp->link;
++ free(sp);
++ }
++ return TRUE;
++}
++
++static void
++flushRestrictionStack(
++ RestrictStackT **spp
++ )
++{
++ RestrictStackT *sp;
++
++ while (NULL != (sp = *spp)) {
++ *spp = sp->link;
++ free(sp);
++ }
++}
++
+ /*
+- * list_restrict4 - recursive helper for list_restrict dumps IPv4
++ * list_restrict4 - iterative helper for list_restrict dumps IPv4
+ * restriction list in reverse order.
+ */
+ static void
+ list_restrict4(
+- restrict_u * res,
++ const restrict_u * res,
+ struct info_restrict ** ppir
+ )
+ {
++ RestrictStackT * rpad;
+ struct info_restrict * pir;
+
+- if (res->link != NULL)
+- list_restrict4(res->link, ppir);
+-
+ pir = *ppir;
+- pir->addr = htonl(res->u.v4.addr);
+- if (client_v6_capable)
+- pir->v6_flag = 0;
+- pir->mask = htonl(res->u.v4.mask);
+- pir->count = htonl(res->count);
+- pir->flags = htons(res->flags);
+- pir->mflags = htons(res->mflags);
+- *ppir = (struct info_restrict *)more_pkt();
++ for (rpad = NULL; res; res = res->link)
++ if (!pushRestriction(&rpad, res))
++ break;
++
++ while (pir && popRestriction(&rpad, &res)) {
++ pir->addr = htonl(res->u.v4.addr);
++ if (client_v6_capable)
++ pir->v6_flag = 0;
++ pir->mask = htonl(res->u.v4.mask);
++ pir->count = htonl(res->count);
++ pir->flags = htons(res->flags);
++ pir->mflags = htons(res->mflags);
++ pir = (struct info_restrict *)more_pkt();
++ }
++ flushRestrictionStack(&rpad);
++ *ppir = pir;
+ }
+
+-
+ /*
+- * list_restrict6 - recursive helper for list_restrict dumps IPv6
++ * list_restrict6 - iterative helper for list_restrict dumps IPv6
+ * restriction list in reverse order.
+ */
+ static void
+ list_restrict6(
+- restrict_u * res,
++ const restrict_u * res,
+ struct info_restrict ** ppir
+ )
+ {
++ RestrictStackT * rpad;
+ struct info_restrict * pir;
+
+- if (res->link != NULL)
+- list_restrict6(res->link, ppir);
+-
+ pir = *ppir;
+- pir->addr6 = res->u.v6.addr;
+- pir->mask6 = res->u.v6.mask;
+- pir->v6_flag = 1;
+- pir->count = htonl(res->count);
+- pir->flags = htons(res->flags);
+- pir->mflags = htons(res->mflags);
+- *ppir = (struct info_restrict *)more_pkt();
++ for (rpad = NULL; res; res = res->link)
++ if (!pushRestriction(&rpad, res))
++ break;
++
++ while (pir && popRestriction(&rpad, &res)) {
++ pir->addr6 = res->u.v6.addr;
++ pir->mask6 = res->u.v6.mask;
++ pir->v6_flag = 1;
++ pir->count = htonl(res->count);
++ pir->flags = htons(res->flags);
++ pir->mflags = htons(res->mflags);
++ pir = (struct info_restrict *)more_pkt();
++ }
++ flushRestrictionStack(&rpad);
++ *ppir = pir;
+ }
+
+
+@@ -1803,8 +1890,7 @@ list_restrict(
+ /*
+ * The restriction lists are kept sorted in the reverse order
+ * than they were originally. To preserve the output semantics,
+- * dump each list in reverse order. A recursive helper function
+- * achieves that.
++ * dump each list in reverse order. The workers take care of that.
+ */
+ list_restrict4(restrictlist4, &ir);
+ if (client_v6_capable)
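Review bot: the protection against overfull reply buffers hinges on the `while (pir && popRestriction(&rpad, &res))` guard in both list_restrict4() and list_restrict6(), i.e. on more_pkt() returning NULL once the reply is full; that dependency deserves a sentence in a DEP-3 Description so a future refresh does not drop the `pir &&` term. Also, pushRestriction() can only return TRUE (emalloc() in ntp exits on allocation failure rather than returning NULL), so the `if (!pushRestriction(&rpad, res)) break;` branches are unreachable; harmless, but a plain `for` loop without the break would be simpler. Memory handling is consistent: popRestriction() reads the pointer out of the sheet before freeing it, and flushRestrictionStack() drains whatever is left when the reply buffer runs out early.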
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-7979.patch 2016-05-29 11:18:32.000000000 +0200
@@ -0,0 +1,24 @@
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+@@ -1113,7 +1113,8 @@ receive(
+ report_event(PEVNT_AUTH, peer, "crypto_NAK");
+ peer->flash |= TEST5; /* bad auth */
+ peer->badauth++;
+- if (peer->flags & FLAG_PREEMPT) {
++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST &&
++ !(peer->flash & (TEST2 | TEST3))) {
+ unpeer(peer);
+ return;
+ }
+@@ -1139,7 +1140,8 @@ receive(
+ if (has_mac &&
+ (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
+ fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
+- if (peer->flags & FLAG_PREEMPT) {
++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST &&
++ !(peer->flash & (TEST2 | TEST3))) {
+ unpeer(peer);
+ return;
+ }
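Review bot: the same three-line condition is added at both crypto_NAK handling sites; keep them in sync, ideally via one static helper or macro so a later fix cannot update one and miss the other. Precedence is correct as written (`&` binds tighter than `&&`), but parentheses around `peer->flags & FLAG_PREEMPT` would make the intent obvious to the next reader. This file also lacks a DEP-3 header.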
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2015-8138.patch 2016-05-27 14:44:09.000000000 +0200
@@ -0,0 +1,13 @@
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+@@ -1061,7 +1061,7 @@ receive(
+ * the packet is not bogus in symmetric interleaved mode.
+ */
+ } else if (peer->flip == 0) {
+- if (!L_ISEQU(&p_org, &peer->aorg)) {
++ if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) {
+ peer->bogusorg++;
+ peer->flash |= TEST2; /* bogus */
+ if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
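Review bot: ntp-4.2.6p5-cve-2016-1548.patch below carries this `L_ISZERO(&p_org) ||` line in its context, so this patch must stay ahead of it in debian/patches/series (it does in this debdiff); a one-line Description stating that ordering constraint would prevent a silent failure to apply if the series is ever reshuffled.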
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1548.patch 2016-05-27 14:47:19.000000000 +0200
@@ -0,0 +1,65 @@
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
+@@ -306,6 +306,7 @@ receive(
+ int authlen; /* offset of MAC field */
+ int is_authentic = 0; /* cryptosum ok */
+ int retcode = AM_NOMATCH; /* match code */
++ int xleave_mismatch = 0; /* mismatch in xleave mode */
+ keyid_t skeyid = 0; /* key IDs */
+ u_int32 opcode = 0; /* extension field opcode */
+ sockaddr_u *dstadr_sin; /* active runway */
+@@ -1056,9 +1057,8 @@ receive(
+ }
+
+ /*
+- * Check for bogus packet in basic mode. If found, switch to
+- * interleaved mode and resynchronize, but only after confirming
+- * the packet is not bogus in symmetric interleaved mode.
++ * Check for bogus packet in basic mode. If found, check if it's not
++ * a valid packet in symmetric interleaved mode.
+ */
+ } else if (peer->flip == 0) {
+ if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) {
+@@ -1066,8 +1066,7 @@ receive(
+ peer->flash |= TEST2; /* bogus */
+ if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
+ &peer->dst)) {
+- peer->flip = 1;
+- report_event(PEVNT_XLEAVE, peer, NULL);
++ xleave_mismatch = 1;
+ }
+ } else {
+ L_CLR(&peer->aorg);
+@@ -1093,6 +1092,16 @@ receive(
+ }
+
+ /*
++ * If the packet is bogus in basic mode but not in symmetric
++ * interleaved mode and it passed the authentication check,
++ * enable the mode and resynchronize.
++ */
++ if (xleave_mismatch && hismode == MODE_ACTIVE) {
++ peer->flip = 1;
++ report_event(PEVNT_XLEAVE, peer, NULL);
++ }
++
++ /*
+ * Update the state variables.
+ */
+ if (peer->flip == 0) {
+@@ -1673,6 +1682,13 @@ clock_update(
+ sys_rootdisp = dtemp + peer->rootdisp;
+ sys_rootdelay = peer->delay + peer->rootdelay;
+ sys_reftime = peer->dst;
++
++ /* Randomize the fraction part of the reference time to not reveal
++ peer->dst to NTP clients as it could be used in a DoS attack
++ enabling the symmetric interleaved mode with spoofed packets */
++ ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof (sys_reftime.l_uf));
++ if (L_ISHIS(&sys_reftime, &peer->dst))
++ sys_reftime.l_ui--;
+
+ #ifdef DEBUG
+ if (debug)
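Review bot: the clock_update() hunk calls `ntp_crypto_random_buf()`, which upstream 4.2.6p5 does not ship (it arrived with the 4.2.8 random-number rework); the fact that the test package links suggests an earlier wheezy patch provides it, but please confirm which one and name that dependency in a DEP-3 Description so the patch is not cherry-picked elsewhere without it. The `L_ISHIS(&sys_reftime, &peer->dst)` check followed by `sys_reftime.l_ui--` keeps the published reference time at or below the real one after the fraction is randomised, which matches the intent stated in the comment.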
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1550.patch 2016-05-27 14:48:59.000000000 +0200
@@ -0,0 +1,26 @@
+Index: ntp-4.2.6.p5+dfsg/libntp/a_md5encrypt.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/libntp/a_md5encrypt.c
++++ ntp-4.2.6.p5+dfsg/libntp/a_md5encrypt.c
+@@ -80,7 +80,7 @@ MD5authdecrypt(
+ "MAC decrypt: MAC length error");
+ return (0);
+ }
+- return (!memcmp(digest, (char *)pkt + length + 4, len));
++ return (!CRYPTO_memcmp(digest, (char *)pkt + length + 4, len));
+ }
+
+ /*
+Index: ntp-4.2.6.p5+dfsg/sntp/crypto.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/sntp/crypto.c
++++ ntp-4.2.6.p5+dfsg/sntp/crypto.c
+@@ -58,7 +58,7 @@ auth_md5(
+ if (!hash_len)
+ authentic = FALSE;
+ else
+- authentic = !memcmp(digest, pkt_data + pkt_size + 4,
++ authentic = !CRYPTO_memcmp(digest, pkt_data + pkt_size + 4,
+ hash_len);
+ return authentic;
+ }
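Review bot: `CRYPTO_memcmp()` comes from OpenSSL (`<openssl/crypto.h>`, available from 1.0.1d on, so wheezy's 1.0.1e qualifies), but neither hunk adds the include, and libntp/a_md5encrypt.c is also compiled in the non-OpenSSL configuration where the symbol does not exist. Either add the header explicitly and guard the call with the existing OPENSSL conditional (falling back to memcmp as before), or document that this package is only ever built with OpenSSL (debian/rules does pass `--with-openssl-libdir`). Relying on the header being pulled in transitively will break on the next refresh.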
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-1551.patch 2016-06-01 00:14:42.000000000 +0200
@@ -0,0 +1,55 @@
+Origin: http://bk1.ntp.org/ntp-stable/?PAGE=cset&REV=56d4cdadyjbEtsWIuGaFIpsC0XrP2A
+Description: CVE-2016-1551 [Sec 3020] Refclock impersonation.
+
+Index: ntp-4.2.6.p5+dfsg/configure.ac
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/configure.ac
++++ ntp-4.2.6.p5+dfsg/configure.ac
+@@ -5092,6 +5092,24 @@ case "$ans" in
+ esac
+
+
++AC_MSG_CHECKING([if we want the explicit 127.0.0.0/8 martian filter])
++AC_ARG_ENABLE(
++ [bug3020-fix],
++ [AS_HELP_STRING(
++ [--enable-bug3020-fix],
++ [+ Provide the explicit 127.0.0.0/8 martian filter]
++ )],
++ [ans=$enableval],
++ [ans=yes]
++)
++AC_MSG_RESULT([$ans])
++case "$ans" in
++ yes)
++ AC_DEFINE([ENABLE_BUG3020_FIX], [1],
++ [Provide the explicit 127.0.0.0/8 martian filter?])
++esac
++
++
+ AC_MSG_CHECKING([if we should use the IRIG sawtooth filter])
+
+ case "$host" in
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
+@@ -3469,6 +3469,18 @@ read_network_packet(
+ DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
+ fd, buflen, stoa(&rb->recv_srcadr)));
+
++#ifdef ENABLE_BUG3020_FIX
++ if (ISREFCLOCKADR(&rb->recv_srcadr)) {
++ msyslog(LOG_ERR, "recvfrom(%s) fd=%d: refclock srcadr on a network interface!",
++ stoa(&rb->recv_srcadr), fd);
++ DPRINTF(1, ("read_network_packet: fd=%d dropped (refclock srcadr))\n",
++ fd));
++ packets_dropped++;
++ freerecvbuf(rb);
++ return (buflen);
++ }
++#endif
++
+ /*
+ ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
+ */
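Review bot: the configure.ac change only takes effect if `configure` is regenerated at build time; if debian/rules does not run autoreconf, configure accepts but silently ignores the unknown `--enable-bug3020-fix` option, `ENABLE_BUG3020_FIX` is never defined, and the `#ifdef ENABLE_BUG3020_FIX` block in ntp_io.c is compiled out, leaving the package claiming a fix it does not contain. Either confirm the autoreconf step or also patch the generated `configure` and `config.h.in`, and verify the built binary actually contains the new `refclock srcadr on a network interface` message (for example `strings /usr/sbin/ntpd | grep 'refclock srcadr'`). Note that `AC_ARG_ENABLE` defaults `ans=yes`, so once configure is regenerated the filter is on even without the rules flag. Good to see this file has the Origin and Description lines the other new patches lack.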
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2516.patch 2016-05-27 14:54:47.000000000 +0200
@@ -0,0 +1,22 @@
+Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_request.c
+===================================================================
+--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_request.c
++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_request.c
+@@ -1626,11 +1626,13 @@ do_unconf(
+ if (peer->flags & FLAG_CONFIG)
+ found = 1;
+ }
+- NTP_INSIST(found);
+- NTP_INSIST(peer);
+
+- peer_clear(peer, "GONE");
+- unpeer(peer);
++ if (found) {
++ NTP_INSIST(peer);
++
++ peer_clear(peer, "GONE");
++ unpeer(peer);
++ }
+
+ cp = (struct conf_unpeer *)
+ ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize));
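Review bot: moving the work under `if (found)` is the right shape for an assertion-failure fix, and `NTP_INSIST(peer)` inside that branch is safe because `found` is only set after `peer` has been assigned. Behaviour does change, though: an unconfig item naming a peer that was not configured is now silently skipped instead of aborting ntpd; that is acceptable for a mode-7 request, but say so in a DEP-3 Description along with the Origin.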
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch 1970-01-01 01:00:00.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2016-2518.patch 2016-05-27 19:07:29.000000000 +0200
@@ -0,0 +1,19 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 ntp-4.2.6p5/ntpd/ntp_request.c
+--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 2016-04-29 13:41:22.690006470 +0200
++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-04-29 13:56:12.039936978 +0200
+@@ -1342,7 +1342,6 @@ do_conf(
+ memset(&temp_cp, 0, sizeof(struct conf_peer));
+ memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize));
+
+-#if 0 /* paranoid checking - these are done in newpeer() */
+ fl = 0;
+ while (items-- > 0 && !fl) {
+ if (((temp_cp.version) > NTP_VERSION)
+@@ -1363,7 +1362,6 @@ do_conf(
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
+-#endif /* end paranoid checking */
+
+ /*
+ * Looks okay, try it out
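Review bot: dropping the `#if 0` / `#endif` pair re-enables the `temp_cp.version > NTP_VERSION` style validation in do_conf() and the `req_ack(..., INFO_ERR_FMT)` rejection path, which is the whole fix; a reader seeing only the two removed lines cannot tell this is CVE-2016-2518, so add a DEP-3 Description naming the CVE and the Origin of the backport.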
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/series ntp-4.2.6.p5+dfsg/debian/patches/series
--- ntp-4.2.6.p5+dfsg/debian/patches/series 2015-10-28 20:54:51.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/patches/series 2016-06-01 00:31:59.000000000 +0200
@@ -18,6 +18,9 @@
CVE-2015-1798.patch
CVE-2015-1799.patch
CVE-2015-3405.patch
+ntp-4.2.6p5-cve-2015-7974.patch
+ntp-4.2.6p5-cve-2015-7977_7978.patch
+ntp-4.2.6p5-cve-2015-7979.patch
CVE-2015-7850.patch
CVE-2015-7704.patch
CVE-2015-7701.patch
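Review bot: inserting the three new ntp-4.2.6p5-cve-2015-797x patches ahead of CVE-2015-7850/7704/7701 is most likely what forced the offset refresh of CVE-2015-7704.patch earlier in this debdiff (both touch ntpd/ntp_proto.c); appending new patches at the end of the series, as the second hunk does for the 2016 fixes, keeps existing patch files untouched and the debdiff easier to review. Either way, a `quilt push -a` should show no fuzz before upload.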
@@ -32,3 +35,9 @@
ntp-4.2.6p5-cve-2015-5219.patch
ntp-4.2.6p5-cve-2015-5300.patch
ntp-4.2.6p5-cve-2015-7691_7962_7702.patch
+ntp-4.2.6p5-cve-2015-8138.patch
+ntp-4.2.6p5-cve-2016-1548.patch
+ntp-4.2.6p5-cve-2016-1550.patch
+ntp-4.2.6p5-cve-2016-1551.patch
+ntp-4.2.6p5-cve-2016-2516.patch
+ntp-4.2.6p5-cve-2016-2518.patch
diff -Nru ntp-4.2.6.p5+dfsg/debian/rules ntp-4.2.6.p5+dfsg/debian/rules
--- ntp-4.2.6.p5+dfsg/debian/rules 2015-02-04 21:03:41.000000000 +0100
+++ ntp-4.2.6.p5+dfsg/debian/rules 2016-05-31 23:57:31.000000000 +0200
@@ -29,7 +29,8 @@
--disable-local-libopts \
--enable-ntp-signd \
--disable-dependency-tracking \
- --with-openssl-libdir=/usr/lib/$(DEB_HOST_MULTIARCH)
+ --with-openssl-libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
+ --enable-bug3020-fix
build: build-arch build-indep
build-arch: build-stamp
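Review bot: the continuation backslash on the `--with-openssl-libdir` line is correctly added so `--enable-bug3020-fix` stays inside the same configure invocation. Since the option only exists in a `configure` regenerated from the patched configure.ac (where it also defaults to yes), this line documents intent rather than switching anything on; with a stale configure it is accepted and ignored, so make sure the build check for the new ntp_io.c message is in place rather than trusting this flag.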