Hello community, here is the log from the commit of package ntp for openSUSE:Factory checked in at 2016-06-13 21:54:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ntp (Old) and /work/SRC/openSUSE:Factory/.ntp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp" Changes: -------- --- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2016-03-18 21:28:53.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2016-06-13 21:54:46.000000000 +0200 @@ -1,0 +2,60 @@ +Tue Jun 7 07:42:00 UTC 2016 - [email protected] + +- Keep the parent process alive until the daemon has finished + initialisation, to make sure that the PID file exists when the + parent returns (ntp-daemonize.patch). +- Update to 4.2.8p8 (bsc#982056): + * CVE-2016-4953, bsc#982065: Bad authentication demobilizes + ephemeral associations. + * CVE-2016-4954, bsc#982066: Processing spoofed server packets. + * CVE-2016-4955, bsc#982067: Autokey association reset. + * CVE-2016-4956, bsc#982068: Broadcast interleave. + * CVE-2016-4957, bsc#982064: CRYPTO_NAK crash. +- Change the process name of the forking DNS worker process to + avoid the impression that ntpd is started twice. + (bsc#979302, ntp-processname.patch). +- Don't ignore SIGCHILD because it breaks wait() + (boo#981422, ntp-sigchld.patch). +- ntp-wait does not accept fractional seconds, so use 1 instead of + 0.2 in ntp-wait.service (boo#979981). +- Separate the creation of ntp.keys and key #1 in it to avoid + problems when upgrading installations that have the file, but + no key #1, which is needed e.g. by "rcntp addserver". +- Fix the TZ offset output of sntp during DST. + (bsc#951559, ntp-sntp-dst.patch) +- Add /var/db/ntp-kod (bsc#916617). +- Add ntp-ENOBUFS.patch to limit a warning that might happen + quite a lot on loaded systems (bsc#956773). +- Don't wait for 11 minutes to restart ntpd when it has died + (boo#894031). + +------------------------------------------------------------------- +Wed May 4 15:08:05 UTC 2016 - [email protected] + +- Update to 4.2.8p7 (bsc#977446): + * CVE-2016-1547, bsc#977459: + Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. + * CVE-2016-1548, bsc#977461: Interleave-pivot + * CVE-2016-1549, bsc#977451: + Sybil vulnerability: ephemeral association attack. + * CVE-2016-1550, bsc#977464: Improve NTP security against buffer + comparison timing attacks. + * CVE-2016-1551, bsc#977450: + Refclock impersonation vulnerability + * CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig + directives will cause an assertion botch in ntpd. + * CVE-2016-2517, bsc#977455: remote configuration trustedkey/ + requestkey/controlkey values are not properly validated. + * CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 + causes array wraparound with MATCH_ASSOC. + * CVE-2016-2519, bsc#977458: ctl_getitem() return value not + always checked. + * integrate ntp-fork.patch + * Improve the fixes for: + CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 +- Restrict the parser in the startup script to the first + occurrance of "keys" and "controlkey" in ntp.conf (boo#957226). +- Depend on pps-tools-devel to provide timepps.h header to enable + Linux PPSAPI support to make GPS devices usefull. (boo#977563) + +------------------------------------------------------------------- Old: ---- ntp-4.2.8p6.tar.gz New: ---- ntp-4.2.8p8.tar.gz ntp-ENOBUFS.patch ntp-daemonize.patch ntp-processname.patch ntp-sigchld.patch ntp-sntp-dst.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntp.spec ++++++ --- /var/tmp/diff_new_pack.svQzwD/_old 2016-06-13 21:54:48.000000000 +0200 +++ /var/tmp/diff_new_pack.svQzwD/_new 2016-06-13 21:54:48.000000000 +0200 @@ -21,7 +21,7 @@ %global _ntpunitsdir %{_libexecdir}/systemd/ntp-units.d %endif Name: ntp -Version: 4.2.8p6 +Version: 4.2.8p8 Release: 0 Summary: Network Time Protocol daemon (version 4) License: (MIT and BSD-3-Clause and BSD-4-Clause) and GPL-2.0 @@ -51,13 +51,20 @@ Patch15: bnc#506908.diff Patch16: MOD_NANO.diff Patch18: bnc#574885.diff -Patch19: ntp-4.2.6p2-ntpq-speedup-782060.patch +Patch19: ntp-ENOBUFS.patch +Patch20: ntp-sntp-dst.patch +Patch21: ntp-4.2.6p2-ntpq-speedup-782060.patch +Patch22: ntp-sigchld.patch +Patch23: ntp-processname.patch +Patch24: ntp-daemonize.patch + BuildRequires: autoconf BuildRequires: avahi-compat-mDNSResponder-devel BuildRequires: fdupes BuildRequires: libcap-devel BuildRequires: libtool BuildRequires: openssl-devel +BuildRequires: pps-tools-devel BuildRequires: readline-devel BuildRequires: pkgconfig(systemd) Requires: /bin/logger @@ -117,7 +124,12 @@ %patch15 %patch16 %patch18 -%patch19 +%patch19 -p1 +%patch20 -p1 +%patch21 +%patch22 -p1 +%patch23 +%patch24 # fix DOS line breaks sed -i 's/\r//g' html/scripts/{footer.txt,style.css} @@ -133,12 +145,11 @@ %ifarch ia64 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -ffast-math" %endif -CFLAGS="$RPM_OPT_FLAGS -fPIE" LDFLAGS="-pie" ./configure \ +export CFLAGS="$RPM_OPT_FLAGS -fPIE" +export LDFLAGS="-pie" +%configure \ --with-binsubdir=bin \ --bindir=%{_sbindir} \ - --mandir=%{_mandir} \ - --infodir=%{_infodir} \ - --datadir=%{_datadir} \ --htmldir=%{_docdir}/ntp-doc \ --enable-parse-clocks \ --enable-all-clocks \ @@ -150,7 +161,10 @@ --with-lineeditlibs=readline \ --with-crypto=openssl \ --with-openssl-libdir=%{_libdir} \ - --with-openssl-incdir=%{_includedir} + --with-openssl-incdir=%{_includedir} \ + --disable-thread-support \ + --without-threads \ + --enable-ntp-signd make %{?_smp_mflags} @@ -219,6 +233,8 @@ install -d %{buildroot}%{_datadir}/omc/svcinfo.d/ install -m 644 %{SOURCE14} %{buildroot}%{_datadir}/omc/svcinfo.d/ install -m 755 scripts/ntp-wait/ntp-wait %{buildroot}%{_sbindir}/ +install -d %{buildroot}/var/db +install -m 644 /dev/null %{buildroot}/var/db/ntp-kod %if %{defined _ntpunitsdir} install -d %{buildroot}%{_ntpunitsdir} @@ -253,20 +269,24 @@ FILE=$(mktemp -p /etc) chmod 0640 $FILE chown root:ntp $FILE - KEY=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20) - echo "1 SHA1 $KEY" > $FILE mv $FILE /etc/ntp.keys fi +# Make sure we have a key with ID 1, because it is needed +# by the startup scripts. +if awk '$1 == "1" {exit 1}' /etc/ntp.keys; then + KEY=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20) + echo "1 SHA1 $KEY" >> /etc/ntp.keys +fi # Are we in update mode? -if [ -f %{_sysconfdir}/sysconfig/ntp ]; then - grep -q '^keys %{_sysconfdir}/ntp.keys' %{_sysconfdir}/ntp.conf || { +if [ -f /etc/sysconfig/ntp ]; then + grep -q '^keys /etc/ntp.keys' /etc/ntp.conf || { echo "# # Authentication stuff # -keys %{_sysconfdir}/ntp.keys # path for keys file +keys /etc/ntp.keys # path for keys file trustedkey 1 # define trusted keys requestkey 1 # key (7) for accessing server variables -" >> %{_sysconfdir}/ntp.conf +" >> /etc/ntp.conf } fi if [ -f /etc/sysconfig/ntp ]; then @@ -336,6 +356,7 @@ %attr(0755,ntp,root) %{_localstatedir}/lib/ntp%{_localstatedir}/run/ntp %ghost %config(noreplace) %{_localstatedir}/log/ntp %{_datadir}/omc/svcinfo.d/ntp.xml +/var/db %files doc %defattr(-,root,root) ++++++ conf.ntp-wait.service ++++++ --- /var/tmp/diff_new_pack.svQzwD/_old 2016-06-13 21:54:48.000000000 +0200 +++ /var/tmp/diff_new_pack.svQzwD/_new 2016-06-13 21:54:48.000000000 +0200 @@ -10,7 +10,7 @@ [Service] Type=oneshot -ExecStart=/usr/sbin/ntp-wait -s 0.2 -n 30000 +ExecStart=/usr/sbin/ntp-wait -s 1 -n 30000 RemainAfterExit=yes StandardOutput=null ++++++ conf.ntpd.service ++++++ --- /var/tmp/diff_new_pack.svQzwD/_old 2016-06-13 21:54:48.000000000 +0200 +++ /var/tmp/diff_new_pack.svQzwD/_new 2016-06-13 21:54:48.000000000 +0200 @@ -12,7 +12,6 @@ Type=forking PIDFile=/var/run/ntp/ntpd.pid ExecStart=/usr/sbin/start-ntpd start -RestartSec=11min Restart=always PrivateTmp=true ++++++ conf.start-ntpd ++++++ --- /var/tmp/diff_new_pack.svQzwD/_old 2016-06-13 21:54:48.000000000 +0200 +++ /var/tmp/diff_new_pack.svQzwD/_new 2016-06-13 21:54:48.000000000 +0200 @@ -1,4 +1,4 @@ -#! /bin/bash +#!/bin/bash # Copyright (c) 1995-2014 SuSE Linux AG, Nuernberg, Germany. # All rights reserved. # @@ -22,8 +22,8 @@ NTPQ_BIN="/usr/sbin/ntpq" -NTP_KEYS=$(awk '/^keys[[:blank:]]/ { print $2 }' $NTP_CONF) -NTP_KEYID=$(awk '/^controlkey[[:blank:]]/ { print $2 }' $NTP_CONF) +NTP_KEYS=$(awk '/^keys[[:blank:]]/ { print $2; exit }' $NTP_CONF) +NTP_KEYID=$(awk '/^controlkey[[:blank:]]/ { print $2; exit }' $NTP_CONF) if test -n "$NTP_KEYS" -a -n "$NTP_KEYID" -a -r "$NTP_KEYS"; then NTP_KEYTYPE=$(awk '$1 == "'$NTP_KEYID'"{ print $2 }' $NTP_KEYS) NTP_PASSWD=$(awk '$1 == "'$NTP_KEYID'"{ print $3 }' $NTP_KEYS) ++++++ ntp-4.2.8p6.tar.gz -> ntp-4.2.8p8.tar.gz ++++++ /work/SRC/openSUSE:Factory/ntp/ntp-4.2.8p6.tar.gz /work/SRC/openSUSE:Factory/.ntp.new/ntp-4.2.8p8.tar.gz differ: char 5, line 1 ++++++ ntp-ENOBUFS.patch ++++++ --- ntp-4.2.8p6.orig/ntpd/ntp_io.c +++ ntp-4.2.8p6/ntpd/ntp_io.c @@ -4568,6 +4568,7 @@ struct rt_msghdr rtm; char *p; #endif + static int netlink_warn = 1; if (disable_dynamic_updates) { /* @@ -4582,14 +4583,15 @@ cnt = read(reader->fd, buffer, sizeof(buffer)); if (cnt < 0) { - if (errno == ENOBUFS) { - msyslog(LOG_ERR, - "routing socket reports: %m"); - } else { + if (errno != ENOBUFS) { msyslog(LOG_ERR, "routing socket reports: %m - disabling"); remove_asyncio_reader(reader); delete_asyncio_reader(reader); + } else if (netlink_warn == 1) { + msyslog(LOG_ERR, + "routing socket reports: %m"); + netlink_warn = 0; } return; } ++++++ ntp-daemonize.patch ++++++ --- ntpd/ntpd.c.orig +++ ntpd/ntpd.c @@ -690,16 +690,17 @@ ntpdmain( /* make sure the FDs are initialised */ pipe_fds[0] = -1; pipe_fds[1] = -1; - do { /* 'loop' once */ - if (!HAVE_OPT( WAIT_SYNC )) - break; + if (HAVE_OPT( WAIT_SYNC )) { wait_sync = OPT_VALUE_WAIT_SYNC; - if (wait_sync <= 0) { - wait_sync = 0; - break; - } + } + if (wait_sync <= 0) { + wait_sync = 0; + } + if (wait_sync > 0) { /* -w requires a fork() even with debug > 0 */ nofork = FALSE; + } + if (!nofork) { if (pipe(pipe_fds)) { exit_code = (errno) ? errno : -1; msyslog(LOG_ERR, @@ -707,7 +708,7 @@ ntpdmain( exit(exit_code); } waitsync_fd_to_close = pipe_fds[1]; - } while (0); /* 'loop' once */ + } # endif /* HAVE_WORKING_FORK */ init_lib(); @@ -1240,6 +1241,20 @@ int scmp_sc[] = { } #endif /* LIBSECCOMP and KERN_SECCOMP */ +#ifdef HAVE_WORKING_FORK + if (!nofork && wait_sync == 0 && waitsync_fd_to_close != -1) { + /* + * Initialisation of the daemon is complete and the + * user does not want to wait for synchronisation, so + * tell the forground process to exit successfully. + */ + char ret = 0; + write(waitsync_fd_to_close, &ret, 1); + close(waitsync_fd_to_close); + waitsync_fd_to_close = -1; + } +#endif + # ifdef HAVE_IO_COMPLETION_PORT for (;;) { @@ -1436,11 +1451,17 @@ wait_child_sync_if( fd_set readset; struct timeval wtimeout; - if (0 == wait_sync) - return 0; - /* waitsync_fd_to_close used solely by child */ close(waitsync_fd_to_close); + + if (0 == wait_sync) { + /* Wait for the daemon to finish initialisation and + exit with success or failure accordingly */ + char ret = 1; + (void) read(pipe_read_fd, &ret, 1); + return ret; + } + wait_end_time = time(NULL) + wait_sync; do { cur_time = time(NULL); ++++++ ntp-processname.patch ++++++ --- libntp/work_fork.c.orig +++ libntp/work_fork.c @@ -24,6 +24,8 @@ int worker_process; addremove_io_fd_func addremove_io_fd; static volatile int worker_sighup_received; +int saved_argc = 0; +char **saved_argv; /* === function prototypes === */ static void fork_blocking_child(blocking_child *); @@ -495,6 +497,22 @@ fork_blocking_child( worker_process = TRUE; /* + * Change the process name of the child to avoid confusion + * about ntpd trunning twice. + */ + if (saved_argc != 0) { + int argcc; + int argvlen = 0; + /* Clear argv */ + for (argcc = 0; argcc < saved_argc; argcc++) { + int l = strlen(saved_argv[argcc]); + argvlen += l + 1; + memset(saved_argv[argcc], 0, l); + } + strlcpy(saved_argv[0], "ntpd: asynchronous dns resolver", argvlen); + } + + /* * In the child, close all files except stdin, stdout, stderr, * and the two child ends of the pipes. */ --- include/ntpd.h.orig +++ include/ntpd.h @@ -321,6 +321,8 @@ extern void parse_cmdline_opts(int *, ch /* ntp_config.c */ extern char const * progname; +extern int saved_argc; +extern char **saved_argv; extern char *sys_phone[]; /* ACTS phone numbers */ #if defined(HAVE_SCHED_SETSCHEDULER) extern int config_priority_override; --- ntpd/ntpd.c.orig +++ ntpd/ntpd.c @@ -230,8 +230,10 @@ static RETSIGTYPE no_debug (int); # endif /* !DEBUG */ #endif /* !SIM && !SYS_WINNT */ +#ifndef WORK_FORK int saved_argc; char ** saved_argv; +#endif #ifndef SIM int ntpdmain (int, char **); ++++++ ntp-sigchld.patch ++++++ --- ntp-4.2.8p7.orig/libntp/work_fork.c +++ ntp-4.2.8p7/libntp/work_fork.c @@ -461,8 +461,6 @@ fflush(stdout); fflush(stderr); - signal_no_reset(SIGCHLD, SIG_IGN); - childpid = fork(); if (-1 == childpid) { msyslog(LOG_ERR, "unable to fork worker: %m"); ++++++ ntp-sntp-dst.patch ++++++ Index: ntp-4.2.8p4/sntp/utilities.c =================================================================== --- ntp-4.2.8p4.orig/sntp/utilities.c +++ ntp-4.2.8p4/sntp/utilities.c @@ -139,34 +139,36 @@ tv_to_str( { const size_t bufsize = 48; char *buf; - time_t gmt_time, local_time; - struct tm *p_tm_local; + time_t time_gmt, time_local; + struct tm tm_gmt, tm_local; int hh, mm, lto; - /* - * convert to struct tm in UTC, then intentionally feed - * that tm to mktime() which expects local time input, to - * derive the offset from UTC to local time. + /* Get local time, convert it to GMT, adjust the tm_isdst to the + * current local DST value. Then call mktime which will not adjust + * for DST allowing us to calculate the offset from local to GMT */ - gmt_time = tv->tv_sec; - local_time = mktime(gmtime(&gmt_time)); - p_tm_local = localtime(&gmt_time); + time_gmt = tv->tv_sec; + localtime_r(&time_gmt, &tm_local); + time_local = mktime(&tm_local); + gmtime_r(&time_local, &tm_gmt); + tm_gmt.tm_isdst=tm_local.tm_isdst; + time_gmt = mktime(&tm_gmt); /* Local timezone offsets should never cause an overflow. Yeah. */ - lto = difftime(local_time, gmt_time); + lto = difftime(time_local, time_gmt); lto /= 60; hh = lto / 60; mm = abs(lto % 60); - buf = emalloc(bufsize); + buf = malloc(bufsize); snprintf(buf, bufsize, "%d-%.2d-%.2d %.2d:%.2d:%.2d.%.6d (%+03d%02d)", - p_tm_local->tm_year + 1900, - p_tm_local->tm_mon + 1, - p_tm_local->tm_mday, - p_tm_local->tm_hour, - p_tm_local->tm_min, - p_tm_local->tm_sec, + tm_local.tm_year + 1900, + tm_local.tm_mon + 1, + tm_local.tm_mday, + tm_local.tm_hour, + tm_local.tm_min, + tm_local.tm_sec, (int)tv->tv_usec, hh, mm);
