Hello community, here is the log from the commit of package ntp for openSUSE:Factory checked in at 2014-12-22 12:54:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ntp (Old) and /work/SRC/openSUSE:Factory/.ntp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp" Changes: --------
--- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2014-10-14 08:59:18.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2014-12-22 12:52:43.000000000 +0100
@@ -1,0 +2,15 @@
+Fri Dec 19 17:48:56 UTC 2014 - [email protected]
+
+- bnc#910764: VU#852879 ntp security fixes
+ * A potential remote code execution problem was found inside
+ ntpd. The functions crypto_recv() (when using autokey
+ authentication), ctl_putdata(), and configure() where updated
+ to avoid buffer overflows that could be
+ exploited. (CVE-2014-9295)
+ * Furthermore a problem inside the ntpd error handling was found
+ that is missing a return statement. This could also lead to a
+ potentially attack vector. (CVE-2014-9296)
+- ntp-CVE-2014-9295.patch and ntp-CVE-2014-9296.patch will be
+ obsoleted by the upcoming update to version 4.2.8.
+
+-------------------------------------------------------------------
New: ---- ntp-CVE-2014-9295.patch ntp-CVE-2014-9296.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ ntp.spec ++++++
--- /var/tmp/diff_new_pack.WNBFfa/_old 2014-12-22 12:52:45.000000000 +0100
+++ /var/tmp/diff_new_pack.WNBFfa/_new 2014-12-22 12:52:45.000000000 +0100
@@ -57,6 +57,8 @@
 Patch19: ntp-4.2.6p2-ntpq-speedup-782060.patch
 Patch20: ntp-sntp-recverr.patch
 Patch21: bnc#817893.patch
+Patch22: ntp-CVE-2014-9295.patch
+Patch23: ntp-CVE-2014-9296.patch
 BuildRequires: autoconf
 BuildRequires: fdupes
 BuildRequires: libcap-devel
@@ -126,6 +128,8 @@
 %patch19
 %patch20
 %patch21
+%patch22 -p1
+%patch23 -p1
 # fix DOS line breaks
 sed -i 's/\r//g' html/scripts/{footer.txt,style.css}
++++++ conf.start-ntpd ++++++
--- /var/tmp/diff_new_pack.WNBFfa/_old 2014-12-22 12:52:45.000000000 +0100
+++ /var/tmp/diff_new_pack.WNBFfa/_new 2014-12-22 12:52:45.000000000 +0100
@@ -1,4 +1,4 @@
-#! /bin/sh
+#! /bin/bash
 # Copyright (c) 1995-2014 SuSE Linux AG, Nuernberg, Germany.
 # All rights reserved.
 #
@@ -138,7 +138,7 @@
 }
 function add_runtime_server() {
- /usr/sbin/sntp -s $@
+ [ "$NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP" = "yes" ] && /usr/sbin/sntp -s $@
 NTPC_CMD="keyid $NTP_KEYID\npasswd $NTP_PASSWD\naddserver $@\n"
 NTPDC_LOG=$(echo -e "${NTPC_CMD}quit" | $NTPDC_BIN)
 logger -t $0 "runtime configuration: $NTPDC_LOG"
++++++ ntp-CVE-2014-9295.patch ++++++
diff -ru ntp-4.2.6p5.orig/ntpd/ntp_control.c ntp-4.2.6p5/ntpd/ntp_control.c
--- ntp-4.2.6p5.orig/ntpd/ntp_control.c 2011-12-09 03:00:53.000000000 +0100
+++ ntp-4.2.6p5/ntpd/ntp_control.c 2014-12-19 17:55:21.065282610 +0100
@@ -486,6 +486,10 @@
 static char *reqpt;
 static char *reqend;
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
 /*
 * init_control - initialize request data
 */
@@ -995,6 +999,7 @@
 )
 {
 int overhead;
+ unsigned int currentlen;
 overhead = 0;
 if (!bin) {
@@ -1018,12 +1023,22 @@
 /*
 * Save room for trailing junk
 */
- if (dlen + overhead + datapt > dataend) {
+ while (dlen + overhead + datapt > dataend) {
 /*
 * Not enough room in this one, flush it out.
 */
+ currentlen = MIN(dlen, dataend - datapt);
+
+ memcpy(datapt, dp, currentlen);
+
+ datapt += currentlen;
+ dp += currentlen;
+ dlen -= currentlen;
+ datalinelen += currentlen;
+
 ctl_flushpkt(CTL_MORE);
 }
+
 memmove((char *)datapt, dp, (unsigned)dlen);
 datapt += dlen;
 datalinelen += dlen;
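Review bot: The new guard in add_runtime_server() of conf.start-ntpd leaves `$@` unquoted, so a server argument containing whitespace or glob characters is word-split before it reaches sntp; `[ "$NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP" = "yes" ] && /usr/sbin/sntp -s "$@"` keeps each argument intact. The ntp.changes entry lists only the two CVE patches, so the fact that sntp now runs only when the variable is "yes", and the switch of the interpreter from sh to bash, should get their own changelog line. A short comment above the guard, for example `# step the clock with sntp only when the admin asked for a forced sync`, would record the intent. The function's closing brace is outside the hunk.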
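Review bot: In the `@@ -1018` hunk of ntp_control.c the loop guard `dlen + overhead + datapt > dataend` still does the bounds test with pointer arithmetic, which forms a pointer beyond the end of the packet buffer (undefined behaviour, and able to wrap) in exactly the case the loop is meant to handle; comparing lengths avoids that: `while (dlen + overhead > (size_t)(dataend - datapt)) {`. `MIN(dlen, dataend - datapt)` compares a length with a pointer difference of a different type, and the macro added in the `@@ -486` hunk evaluates its arguments twice, so an explicit cast such as `currentlen = MIN(dlen, (unsigned int)(dataend - datapt));` makes the intended comparison visible. The declaration of `dlen` is outside the hunks shown, so its signedness should be confirmed before choosing the cast. A comment on the loop saying that each pass fills the space left in the current packet and flushes it with CTL_MORE would help the next reader.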
@@ -2492,6 +2507,20 @@
 /* Initialize the remote config buffer */
 data_count = reqend - reqpt;
+
+ if (data_count > sizeof(remote_config.buffer) - 2) {
+ snprintf(remote_config.err_msg,
+ sizeof(remote_config.err_msg),
+ "runtime configuration failed: request too long");
+ ctl_putdata(remote_config.err_msg,
+ strlen(remote_config.err_msg), 0);
+ ctl_flushpkt(0);
+ msyslog(LOG_NOTICE,
+ "runtime config from %s rejected: request too long",
+ stoa(&rbufp->recv_srcadr));
+ return;
+ }
+
 memcpy(remote_config.buffer, reqpt, data_count);
 if (data_count > 0
 && '\n' != remote_config.buffer[data_count - 1])
Only in ntp-4.2.6p5/ntpd: ntp_control.c.orig
diff -ru ntp-4.2.6p5.orig/ntpd/ntp_crypto.c ntp-4.2.6p5/ntpd/ntp_crypto.c
--- ntp-4.2.6p5.orig/ntpd/ntp_crypto.c 2011-12-01 03:55:17.000000000 +0100
+++ ntp-4.2.6p5/ntpd/ntp_crypto.c 2014-12-19 17:55:21.063282575 +0100
@@ -789,15 +789,24 @@
 * errors.
 */
 if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+ u_int32 *cookiebuf = malloc(
+ RSA_size(host_pkey->pkey.rsa));
+ if (!cookiebuf) {
+ rval = XEVNT_CKY;
+ break;
+ }
+
 if (RSA_private_decrypt(vallen,
 (u_char *)ep->pkt,
- (u_char *)&temp32,
+ (u_char *)cookiebuf,
 host_pkey->pkey.rsa,
- RSA_PKCS1_OAEP_PADDING) <= 0) {
+ RSA_PKCS1_OAEP_PADDING) != 4) {
 rval = XEVNT_CKY;
+ free(cookiebuf);
 break;
 } else {
- cookie = ntohl(temp32);
+ cookie = ntohl(*cookiebuf);
+ free(cookiebuf);
 }
 } else {
 rval = XEVNT_CKY;
Only in ntp-4.2.6p5/ntpd: ntp_crypto.c.orig
++++++ ntp-CVE-2014-9296.patch ++++++
--- 1.350/ntpd/ntp_proto.c 2014-11-21 11:06:57 +00:00
+++ 1.351/ntpd/ntp_proto.c 2014-12-12 11:24:22 +00:00
@@ -1089,6 +1089,7 @@ receive(
 fast_xmit(rbufp, MODE_ACTIVE, 0,
 restrict_mask);
 sys_restricted++;
+ return;
 }
 }
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
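Review bot: The bound `sizeof(remote_config.buffer) - 2` in the new length check of the `@@ -2492` hunk is unexplained; a comment such as `/* reserve room for an appended '\n' and the terminating NUL */` would document it, assuming that is what the code after the memcpy (outside this hunk) does with the two bytes. `data_count` is assigned from `reqend - reqpt` and then compared with a `size_t`, and its declaration is not in the hunk. If it is a signed int, a negative difference converts to a large unsigned value and is rejected by the same test, which is worth stating in that comment so nobody later "fixes" the comparison with a cast. The enclosing function begins and ends outside the hunk.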
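Review bot: The success test `!= 4` in the ntp_crypto.c hunk hard-codes the cookie length; `!= (int)sizeof(*cookiebuf)` ties it to the object that is dereferenced a few lines later. The temporary buffer holds the decrypted autokey cookie and is passed to free() unchanged on both paths; since this code already calls OpenSSL, `OPENSSL_cleanse(cookiebuf, RSA_size(host_pkey->pkey.rsa));` before each free() would keep the plaintext out of reused heap memory. A one-line comment that the buffer is sized with `RSA_size()` because the decrypt call may write more than four bytes would record why the old `temp32` target was replaced. The enclosing case block begins and ends outside the hunk.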
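Review bot: The added `return;` in receive() carries no comment, and nothing in the ntp_proto.c hunk says why processing has to stop after the `fast_xmit()` reply and the `sys_restricted++` count. A comment such as `/* error reply sent: stop here, do not fall through to normal packet processing */` would protect the statement from being dropped in a later cleanup. The wording should be checked against the enclosing condition, which is outside the hunk.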
