Package: ntp Version: 1:4.2.4p6+dfsg-2 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu karmic ubuntu-patch
In Ubuntu, we've applied the attached patch to achieve the following: * SECURITY UPDATE: fix DoS with mode 7 (MODE_PRIVATE) packets - debian/patches/CVE-2009-3563.patch: update ntpd/ntp_request.c to not send a response packet for and rate limit logging of invalid mode 7 requests and responses - CVE-2009-3563 We thought you might be interested in doing the same. Here are a couple more references: https://support.ntp.org/bugs/show_bug.cgi?id=1331 http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode The attached patch should work fine going back to etch as well (with a little fuzz), as we used it as far back as ntp-4.2.0a+stable. Jamie -- System Information: Debian Release: squeeze/sid APT prefers karmic-updates APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic') Architecture: amd64 (x86_64) Kernel: Linux 2.6.31-15-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -u ntp-4.2.4p6+dfsg/debian/changelog ntp-4.2.4p6+dfsg/debian/changelog diff -u ntp-4.2.4p6+dfsg/debian/patches/series ntp-4.2.4p6+dfsg/debian/patches/series --- ntp-4.2.4p6+dfsg/debian/patches/series +++ ntp-4.2.4p6+dfsg/debian/patches/series @@ -15,0 +16 @@ +CVE-2009-3563.patch only in patch2: unchanged: --- ntp-4.2.4p6+dfsg.orig/debian/patches/CVE-2009-3563.patch +++ ntp-4.2.4p6+dfsg/debian/patches/CVE-2009-3563.patch @@ -0,0 +1,31 @@ +Description: DoS with mode 7 packets - CVE-2009-3563 +Origin: CERT VU#568372 + +diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_request.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_request.c +--- ntp-4.2.4p6+dfsg/ntpd/ntp_request.c 2008-08-10 06:02:41.000000000 -0500 ++++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_request.c 2009-12-03 14:15:58.943054585 -0600 +@@ -409,6 +409,7 @@ + int mod_okay + ) + { ++ static u_long quiet_until; + struct req_pkt *inpkt; + struct req_pkt_tail *tailinpkt; + struct sockaddr_storage *srcadr; +@@ -444,8 +445,14 @@ + || (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0) + || (++ec, rbufp->recv_length < REQ_LEN_HDR) + ) { +- msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr)); +- req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); ++ NLOG(NLOG_SYSEVENT) ++ if (current_time >= quiet_until) { ++ msyslog(LOG_ERR, ++ "process_private: drop test %d" ++ " failed, pkt from %s", ++ ec, stoa(srcadr)); ++ quiet_until = current_time + 60; ++ } + return; + } +