Your message dated Sat, 17 Dec 2011 17:48:51 +0000
with message-id <[email protected]>
and subject line Bug#627403: fixed in ntp 1:4.2.6.p3+dfsg-2
has caused the Debian Bug report #627403,
regarding ntp: format-security warnings; fails to build with hardening-wrapper
1.32
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
627403: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627403
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ntp
Version: 1:4.2.6.p2+dfsg-1
Severity: important
Tags: patch
User: [email protected]
Usertags: origin-ubuntu ubuntu-patch oneiric
Ubuntu's ntp package is built with hardening-wrapper (#542721). Version
1.32 of that package enables -Werror=format-security by default. This
exposes some mistakes which might be potential security problems in the
future (although I don't *think* they're problems right now), and which
I think we ought to fix:
* There are a few cases where ntp assumes that the translation of a
%-less string will also be a %-less string; ntp still uses catgets
(!) so I'm having trouble figuring out how its translations are
handled, but this is a fragile assumption that's often broken by
mistake let alone malice. (gettext at least does c-format checking
on strings that look like format strings, but not usually on %-less
strings.)
* There are some functions that use snprintf or similar to construct a
string, and then pass that to a printf-like function as a format
string; this will cause the printf-like function to dereference junk
pointers from the stack if one of the arguments passed to snprintf
itself contains %, which again is easy to break by mistake let alone
malice.
* There's a case in ntpd/ntp_config.c where GCC isn't smart enough to
prove that a const char * that's only ever assigned a %-less literal
string can be treated as equivalent to such; but given the other
problems I think it's reasonable to change the code to pacify GCC.
A quilt patch fixing these warnings is attached.
Thanks,
--
Colin Watson [[email protected]]
Description: Fix build failures with -Werror=format-security
The change to ntp_config.c is merely pacifying GCC, since signd_warning is
a constant string containing no '%' characters. In the other cases, it is
much more difficult to prove that the format string cannot contain any '%'
characters.
Author: Colin Watson <[email protected]>
Last-Update: 2011-05-20
Index: b/lib/isc/unix/ifiter_ioctl.c
===================================================================
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -159,7 +159,7 @@
break;
}
if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s",
isc_msgcat_get(isc_msgcat,
ISC_MSGSET_IFITERIOCTL,
ISC_MSG_BUFFERMAX,
@@ -260,7 +260,7 @@
break;
}
if (iter->bufsize6 >= IFCONF_BUFSIZE_MAX) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s",
isc_msgcat_get(isc_msgcat,
ISC_MSGSET_IFITERIOCTL,
ISC_MSG_BUFFERMAX,
Index: b/ntpd/ntp_config.c
===================================================================
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -2324,7 +2324,7 @@
if ((RES_MSSNTP & flags) && !warned_signd) {
warned_signd = 1;
fprintf(stderr, "%s\n", signd_warning);
- msyslog(LOG_WARNING, signd_warning);
+ msyslog(LOG_WARNING, "%s", signd_warning);
}
}
}
Index: b/ntpd/ntp_control.c
===================================================================
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -2948,7 +2948,7 @@
" %s", str);
}
NLOG(NLOG_SYSEVENT)
- msyslog(LOG_INFO, statstr);
+ msyslog(LOG_INFO, "%s", statstr);
} else {
/*
@@ -2980,7 +2980,7 @@
" %s", str);
}
NLOG(NLOG_PEEREVENT)
- msyslog(LOG_INFO, statstr);
+ msyslog(LOG_INFO, "%s", statstr);
}
record_proto_stats(statstr);
#if DEBUG
Index: b/ntpd/ntpd.c
===================================================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -1283,7 +1283,7 @@
msyslog(LOG_ERR, "%s:%d: fatal error:", file, line);
vsnprintf(errbuf, sizeof(errbuf), format, args);
- msyslog(LOG_ERR, errbuf);
+ msyslog(LOG_ERR, "%s", errbuf);
msyslog(LOG_ERR, "exiting (due to fatal error in library)");
abort();
@@ -1305,7 +1305,7 @@
msyslog(LOG_ERR, "%s:%d: unexpected error:", file, line);
vsnprintf(errbuf, sizeof(errbuf), format, args);
- msyslog(LOG_ERR, errbuf);
+ msyslog(LOG_ERR, "%s", errbuf);
if (++unexpected_error_cnt == MAX_UNEXPECTED_ERRORS)
{
--- End Message ---
--- Begin Message ---
Source: ntp
Source-Version: 1:4.2.6.p3+dfsg-2
We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive:
ntp-doc_4.2.6.p3+dfsg-2_all.deb
to main/n/ntp/ntp-doc_4.2.6.p3+dfsg-2_all.deb
ntp_4.2.6.p3+dfsg-2.debian.tar.gz
to main/n/ntp/ntp_4.2.6.p3+dfsg-2.debian.tar.gz
ntp_4.2.6.p3+dfsg-2.dsc
to main/n/ntp/ntp_4.2.6.p3+dfsg-2.dsc
ntp_4.2.6.p3+dfsg-2_i386.deb
to main/n/ntp/ntp_4.2.6.p3+dfsg-2_i386.deb
ntpdate_4.2.6.p3+dfsg-2_i386.deb
to main/n/ntp/ntpdate_4.2.6.p3+dfsg-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Eisentraut <[email protected]> (supplier of updated ntp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 17 Dec 2011 19:00:10 +0200
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source all i386
Version: 1:4.2.6.p3+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian NTP Team <[email protected]>
Changed-By: Peter Eisentraut <[email protected]>
Description:
ntp - Network Time Protocol daemon and utility programs
ntp-doc - Network Time Protocol documentation
ntpdate - client for setting system time from NTP servers
Closes: 528440 542721 587871 593417 606349 608542 613349 624275 627403 644120
Changes:
ntp (1:4.2.6.p3+dfsg-2) unstable; urgency=low
.
* Use architecture wildcard for libcap2-dev build dependency, removing
type-handing dependency (closes: #528440, #587871)
* Updated standards version
* Get build flags from dpkg-buildflags, and fix the resulting
-Wformat-security errors using patch from Colin Watson (closes:
#542721, #627403)
* Add -Wl,--as-needed to LDFLAGS, which drops the dependency of ntpdate
on libcap2
* Add sntp-manpage.patch to fix some errors in sntp man page pointed out
by lintian
* Re-remove tickadj. The previous method of achieving this by tweaking
configure cache variables apparently broke at some point, so this time
do it more directly.
* Explicitly disable building ntpsnmpd and remove man page (closes:
#608542; see also #622819)
* ntpdate-debian: Improve parsing of ntp.conf (closes: #606349)
* Add descriptions of -4/-6 options to ntpd man page (closes: #613349)
* Update options list on ntptrace man page to match reality (closes:
#593417)
* Add build-arch and build-indep debian/rules targets, per lintian
* Create ntp user and group separately, to handle the case where the
user already exists but not the group (closes: #624275)
* Don't ignore errors from adduser. If the system user or group already
exist, this is ignored anyway. Anything else we want to know about.
* Generalize ntp.cron.daily to cover all possible filegen stats files
(closes: #644120)
Checksums-Sha1:
c85835f164a819ed5e063d68aebb801d96096293 1561 ntp_4.2.6.p3+dfsg-2.dsc
3ae89cda60363f45721fb6f59b494a4218cccb16 558970
ntp_4.2.6.p3+dfsg-2.debian.tar.gz
dbf767bdcab90f27cab4f0af60e8108b1f556608 1142438
ntp-doc_4.2.6.p3+dfsg-2_all.deb
282b3d011379df44281e256ec399bf862e6d0f4d 515926 ntp_4.2.6.p3+dfsg-2_i386.deb
2a698b3d50d977492c87c5df9f54c46802be31a0 81298 ntpdate_4.2.6.p3+dfsg-2_i386.deb
Checksums-Sha256:
abd3e6c4e67bac711d97837122dabef1da922eaa5b2c03834cb6235801b0db84 1561
ntp_4.2.6.p3+dfsg-2.dsc
7f895c84c4aec217653545eb90a4a70a0b1f3546e6688e76d013a7073aa4288c 558970
ntp_4.2.6.p3+dfsg-2.debian.tar.gz
4be39485360c2bdf50e5a7b8bd98d6f435fee496e80b96dd77b927849a5d7f12 1142438
ntp-doc_4.2.6.p3+dfsg-2_all.deb
728ed4abe5afc87956a145f5c664bc65e38e4fc39416c6bca48f3512ac1451ed 515926
ntp_4.2.6.p3+dfsg-2_i386.deb
1cce5d32ed75405167daae42a9d8751bd488e4f345a2e921178c033a64b854d2 81298
ntpdate_4.2.6.p3+dfsg-2_i386.deb
Files:
69886f7c29925c7b037caedfd706afec 1561 net optional ntp_4.2.6.p3+dfsg-2.dsc
1b31cd7f21f97f38491c8e8887b862ba 558970 net optional
ntp_4.2.6.p3+dfsg-2.debian.tar.gz
47f1be65890e7c508a8d7e1f13cb4329 1142438 doc optional
ntp-doc_4.2.6.p3+dfsg-2_all.deb
10cff78903953212644bcdca2f5d3072 515926 net optional
ntp_4.2.6.p3+dfsg-2_i386.deb
ef3910babffaccef37d83df7a9cdba27 81298 net optional
ntpdate_4.2.6.p3+dfsg-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk7s0s8ACgkQTTx8oVVPtMYULgCgsAkK3SePBoLIv/AAykSxQHdg
yzQAoKfFswCgXcILNouSaHJNDlkn0Y5j
=PQ34
-----END PGP SIGNATURE-----
--- End Message ---