Hello community, here is the log from the commit of package ntp for openSUSE:Factory checked in at 2017-04-11 12:40:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ntp (Old) and /work/SRC/openSUSE:Factory/.ntp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp" Tue Apr 11 12:40:07 2017 rev:110 rq:486156 version:4.2.8p10 Changes: -------- --- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2017-03-21 22:45:05.424603377 +0100 +++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2017-04-11 12:40:09.964958070 +0200 @@ -1,0 +2,53 @@ +Thu Apr 6 13:55:57 UTC 2017 - [email protected] + +- Enable experimental leap smearing (fate#321003). + See /usr/share/doc/packages/ntp/README.leapsmear for details. + +------------------------------------------------------------------- +Thu Apr 6 13:26:34 UTC 2017 - [email protected] + +- Fix spelling and default values in conf.sysconfig.ntp + +------------------------------------------------------------------- +Wed Mar 22 15:57:48 UTC 2017 - [email protected] + +- Update to 4.2.8p10 (bsc#1030050): + * Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP: + Denial of Service via Malformed Config + * Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP: + Buffer Overflow in DPTS Clock + * Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP: + Authenticated DoS via Malicious Config Option + * Sec 3386: NTP-01-011 NTP: + ntpq_stripquotes() returns incorrect Value + * Sec 3385: NTP-01-010 NTP: + ereallocarray()/eallocarray() underused + * Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code + * Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver + * Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP: + Potential Overflows in ctl_put() functions + * Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003 + Improper use of snprintf() in mx4200_send() + * Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002 + Buffer Overflow in ntpq when fetching reslist + * Sec 3376: NTP-01-001 Makefile does not enforce Security Flags + * Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin (zero origin) DoS. + * [Bug 3393] clang scan-build findings + * [Bug 3363] Support for openssl-1.1.0 without compatibility modes + * [Bug 3356] Bugfix 3072 breaks multicastclient + * [Bug 3173] forking async worker: interrupted pipe I/O + * [Bug 3139] (...) time_pps_create: Exec format error + * [Bug 3107] Incorrect Logic for Peer Event Limiting + * [Bug 3062] Change the process name of forked DNS worker + * [Bug 2923] Trap Configuration Fail + * [Bug 2896] Nothing happens if minsane < maxclock < minclock + * [Bug 2851] allow -4/-6 on restrict line with mask + * [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags +- Removed patches: + * ntp-openssl-version.patch: fixed upstream + * ntp-processname.patch: accepted upstream + * ntp-trap.patch: accepted upstream + * ntp-unbreak-multicast.patch: fixed upstream +- Remove spurious log messages (bsc#1014172, ntp-warnings.patch). + +------------------------------------------------------------------- @@ -10 +63 @@ -- Move ntp-kod to /var/lib/ntp/db, because /var/db is not a +- Move ntp-kod to /var/lib/ntp, because /var/db is not a Old: ---- ntp-4.2.8p9.tar.gz ntp-openssl-version.patch ntp-processname.patch ntp-trap.patch ntp-unbreak-multicast.patch New: ---- ntp-4.2.8p10.tar.gz ntp-warnings.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntp.spec ++++++ --- /var/tmp/diff_new_pack.d1VIVV/_old 2017-04-11 12:40:12.620582843 +0200 +++ /var/tmp/diff_new_pack.d1VIVV/_new 2017-04-11 12:40:12.620582843 +0200 @@ -18,7 +18,7 @@ %define ntpfaqversion 3.4 Name: ntp -Version: 4.2.8p9 +Version: 4.2.8p10 Release: 0 Summary: Network Time Protocol daemon (version 4) License: (MIT and BSD-3-Clause and BSD-4-Clause) and GPL-2.0 @@ -51,16 +51,13 @@ Patch19: ntp-ENOBUFS.patch Patch20: ntp-sntp-dst.patch Patch21: ntp-4.2.6p2-ntpq-speedup-782060.patch -Patch22: ntp-openssl-version.patch -Patch23: ntp-processname.patch Patch24: ntp-daemonize.patch Patch25: ntp-usrgrp-resolver.patch Patch26: ntp-sntp-a.patch Patch27: ntp-netlink.patch -Patch28: ntp-trap.patch Patch29: ntp-pathfind.patch Patch30: ntp-move-kod-file.patch -Patch31: ntp-unbreak-multicast.patch +Patch31: ntp-warnings.patch BuildRequires: autoconf BuildRequires: avahi-compat-mDNSResponder-devel @@ -134,16 +131,13 @@ %patch19 -p1 %patch20 -p1 %patch21 -%patch22 -%patch23 %patch24 -%patch25 -p1 +%patch25 %patch26 %patch27 -%patch28 %patch29 %patch30 -%patch31 -p1 +%patch31 # fix DOS line breaks sed -i 's/\r//g' html/scripts/{footer.txt,style.css} @@ -178,6 +172,7 @@ --with-openssl-incdir=%{_includedir} \ --disable-thread-support \ --without-threads \ + --enable-leap-smear \ --enable-ntp-signd make %{?_smp_mflags} @@ -247,8 +242,8 @@ install -d %{buildroot}%{_datadir}/omc/svcinfo.d/ install -m 644 %{SOURCE14} %{buildroot}%{_datadir}/omc/svcinfo.d/ install -m 755 scripts/ntp-wait/ntp-wait %{buildroot}%{_sbindir}/ -install -d %{buildroot}/var/lib/ntp/db -install -m 644 /dev/null %{buildroot}/var/lib/ntp/db/ntp-kod +install -d %{buildroot}/var/lib/ntp +install -m 644 /dev/null %{buildroot}/var/lib/ntp/kod %pre %{_sbindir}/groupadd -r ntp 2> /dev/null || : @@ -362,7 +357,7 @@ %attr(0755,ntp,root) %{_localstatedir}/lib/ntp%{_localstatedir}/run/ntp %ghost %config(noreplace) %{_localstatedir}/log/ntp %{_datadir}/omc/svcinfo.d/ntp.xml -/var/lib/ntp/db +/var/lib/ntp %files doc %defattr(-,root,root) ++++++ conf.sysconfig.ntp ++++++ --- /var/tmp/diff_new_pack.d1VIVV/_old 2017-04-11 12:40:12.800557413 +0200 +++ /var/tmp/diff_new_pack.d1VIVV/_new 2017-04-11 12:40:12.800557413 +0200 @@ -10,7 +10,7 @@ NTPD_OPTIONS="-g -u ntp:ntp" ## Type: yesno -## Default: yes +## Default: no ## ServiceRestart: ntp # # Shall the time server ntpd run in the chroot jail /var/lib/ntp? @@ -55,16 +55,16 @@ NTP_PARSE_DEVICE="" ## Type: boolean -## Default: "yes" +## Default: "no" # -# Force time synchronization befor start ntpd +# Force time synchronization before start ntpd # NTPD_FORCE_SYNC_ON_STARTUP="no" ## Type: boolean -## Default: "no" +## Default: "yes" # -# Force time synchronization of hwclock befor start ntpd. +# Force time synchronization of hwclock before start ntpd. # This works only if NTPD_FORCE_SYNC_ON_STARTUP is set # to yes. # ++++++ ntp-4.2.8p9.tar.gz -> ntp-4.2.8p10.tar.gz ++++++ /work/SRC/openSUSE:Factory/ntp/ntp-4.2.8p9.tar.gz /work/SRC/openSUSE:Factory/.ntp.new/ntp-4.2.8p10.tar.gz differ: char 5, line 1 ++++++ ntp-move-kod-file.patch ++++++ --- /var/tmp/diff_new_pack.d1VIVV/_old 2017-04-11 12:40:12.880546111 +0200 +++ /var/tmp/diff_new_pack.d1VIVV/_new 2017-04-11 12:40:12.884545546 +0200 @@ -1,44 +1,70 @@ ---- html/sntp.html -+++ html/sntp.html 2017/02/16 16:49:54 +--- html/sntp.html.orig ++++ html/sntp.html @@ -47,7 +47,7 @@ <dt><tt>-g <i>delay</i>, --gap <i>delay</i></tt></dt> <dd>Specify the <i>delay</i> in milliseconds between outgoing queries, defaulting to 50. <tt>sntp</tt> sends queries to all provided hostnames/addresses in short succession, and by default terminates once the first valid response is received. With multiple time sources provided, all but one will not be used. To limit the number of queries whose responses will not be used, each query is separated from the preceding one by <i>delay</i> milliseconds, to allow time for responses to earlier queries to be received. A larger <i>delay</i> reduces the query load on the time sources, increasing the time to receive a valid response if the first source attempted is slow or unreachable.</dd> <dt><tt>-K <i>kodfile</i>, --kod <i>kodfile</i></tt></dt> - <dd>Specifies the filename <i>kodfile</i> to be used for the persistent history of KoD (Kiss Of Death, or rate-limiting) responses received from servers. The default is <tt>/var/db/ntp-kod</tt>. If the file does not exist, a warning message will be displayed. The file will not be created. Note that the short option is <tt>-K</tt>, an uppercase letter K.</dd> -+ <dd>Specifies the filename <i>kodfile</i> to be used for the persistent history of KoD (Kiss Of Death, or rate-limiting) responses received from servers. The default is <tt>/var/lib/ntp/db/ntp-kod</tt>. If the file does not exist, a warning message will be displayed. The file will not be created. Note that the short option is <tt>-K</tt>, an uppercase letter K.</dd> ++ <dd>Specifies the filename <i>kodfile</i> to be used for the persistent history of KoD (Kiss Of Death, or rate-limiting) responses received from servers. The default is <tt>/var/lib/ntp/kod</tt>. If the file does not exist, a warning message will be displayed. The file will not be created. Note that the short option is <tt>-K</tt>, an uppercase letter K.</dd> <dt><tt>-k <i>keyfile</i>, --keyfile <i>keyfile</i></tt></dt> <dd>Specifies the filename <i>keyfile</i> used with the <tt>-a</tt>/<tt>--authentication</tt> option. The format of the file is described on the <a href="keygen.html"><tt>ntp-keygen</tt> page</a>.</dd> <dt><tt>-l <i>logfile</i>, --filelog <i>logfile</i></tt></dt> ---- sntp/sntp.1sntpman -+++ sntp/sntp.1sntpman 2017/02/16 16:47:47 -@@ -154,7 +154,7 @@ +--- sntp/sntp.1sntpman.orig ++++ sntp/sntp.1sntpman +@@ -154,7 +154,7 @@ The default \f\*[I-Font]file\-name\f[] for this option is: .ti +4 - /var/db/ntp-kod -+ /var/lib/ntp/db/ntp-kod ++ /var/lib/ntp/kod .sp Specifies the filename to be used for the persistent history of KoD responses received from servers. If the file does not exist, a ---- sntp/sntp.man.in -+++ sntp/sntp.man.in 2017/02/16 16:48:11 -@@ -154,7 +154,7 @@ +--- sntp/sntp.man.in.orig ++++ sntp/sntp.man.in +@@ -154,7 +154,7 @@ The default \f\*[I-Font]file\-name\f[] for this option is: .ti +4 - /var/db/ntp-kod -+ /var/lib/ntp/db/ntp-kod ++ /var/lib/ntp/kod .sp Specifies the filename to be used for the persistent history of KoD responses received from servers. If the file does not exist, a ---- sntp/sntp-opts.c -+++ sntp/sntp-opts.c 2017/02/16 16:49:18 -@@ -114,7 +114,7 @@ - /* 1491 */ "KoD history filename\0" - /* 1512 */ "KOD\0" - /* 1516 */ "kod\0" --/* 1520 */ "/var/db/ntp-kod\0" -+/* 1520 */ "/var/lib/ntp/db/ntp-kod\0" - /* 1536 */ "Look in this file for the key specified with -a\0" - /* 1584 */ "KEYFILE\0" - /* 1592 */ "keyfile\0" +--- sntp/sntp-opts.c.orig ++++ sntp/sntp-opts.c +@@ -111,10 +111,15 @@ static char const sntp_opt_strs[2552] = + /* 1436 */ "The gap (in milliseconds) between time requests\0" + /* 1484 */ "GAP\0" + /* 1488 */ "gap\0" +-/* 1492 */ "KoD history filename\0" +-/* 1513 */ "KOD\0" +-/* 1517 */ "kod\0" +-/* 1521 */ "/var/db/ntp-kod\0" ++/* ++ * Dirty hack!! We "steal" four bytes from the description string to ++ * make space for a longer path name without messing up the indexes of ++ * subsequent options. ++ */ ++/* 1492 */ "KoD history file\0" ++/* 1509 */ "KOD\0" ++/* 1513 */ "kod\0" ++/* 1517 */ "/var/lib/ntp/kod\0..." + /* 1537 */ "Look in this file for the key specified with -a\0" + /* 1585 */ "KEYFILE\0" + /* 1593 */ "keyfile\0" +@@ -282,11 +287,11 @@ static int const aIpv6CantList[] = { + /** Descriptive text for the kod option */ + #define KOD_DESC (sntp_opt_strs+1492) + /** Upper-cased name for the kod option */ +-#define KOD_NAME (sntp_opt_strs+1513) ++#define KOD_NAME (sntp_opt_strs+1509) + /** Name string for the kod option */ +-#define KOD_name (sntp_opt_strs+1517) ++#define KOD_name (sntp_opt_strs+1513) + /** The compiled in default value for the kod option argument */ +-#define KOD_DFT_ARG (sntp_opt_strs+1521) ++#define KOD_DFT_ARG (sntp_opt_strs+1517) + /** Compiled in flag settings for the kod option */ + #define KOD_FLAGS (OPTST_DISABLED \ + | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) ++++++ ntp-usrgrp-resolver.patch ++++++ --- /var/tmp/diff_new_pack.d1VIVV/_old 2017-04-11 12:40:12.920540460 +0200 +++ /var/tmp/diff_new_pack.d1VIVV/_new 2017-04-11 12:40:12.924539895 +0200 @@ -1,7 +1,5 @@ -Index: ntp-4.2.8p8/ntpd/ntpd.c -=================================================================== ---- ntp-4.2.8p8.orig/ntpd/ntpd.c -+++ ntp-4.2.8p8/ntpd/ntpd.c +--- ntpd/ntpd.c.orig ++++ ntpd/ntpd.c @@ -182,7 +182,6 @@ char *group; /* group to switch to */ const char *chrootdir; /* directory to chroot to */ uid_t sw_uid; @@ -409,10 +407,8 @@ # if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS) /* -Index: ntp-4.2.8p8/libntp/work_fork.c -=================================================================== ---- ntp-4.2.8p8.orig/libntp/work_fork.c -+++ ntp-4.2.8p8/libntp/work_fork.c +--- libntp/work_fork.c.orig ++++ libntp/work_fork.c @@ -33,6 +33,9 @@ static RETSIGTYPE worker_sighup(int); static void send_worker_home_atexit(void); static void cleanup_after_child(blocking_child *); @@ -420,10 +416,10 @@ +# pragma weak set_user_group_ids +void set_user_group_ids(void); + - /* === functions === */ - /* - * exit_worker() -@@ -549,6 +552,9 @@ fork_blocking_child( + /* === I/O helpers === */ + /* Since we have signals enabled, there's a good chance that blocking IO + * via pipe suffers from EINTR -- and this goes for both directions. +@@ -592,6 +595,9 @@ fork_blocking_child( init_logging("ntp_intres", 0, FALSE); setup_logfile(NULL); ++++++ ntp-warnings.patch ++++++ --- ntpd/ntp_proto.c.orig +++ ntpd/ntp_proto.c @@ -51,8 +51,7 @@ enum kiss_codes { RATEKISS, /* Rate limit Kiss Code */ DENYKISS, /* Deny Kiss */ RSTRKISS, /* Restricted Kiss */ - XKISS, /* Experimental Kiss */ - UNKNOWNKISS /* Unknown Kiss Code */ + XKISS /* Experimental Kiss */ }; enum nak_error_codes { @@ -260,12 +259,9 @@ kiss_code_check( return (RSTRKISS); } else if(memcmp(&refid,"X", 1) == 0) { return (XKISS); - } else { - return (UNKNOWNKISS); } - } else { - return (NOKISS); } + return (NOKISS); } @@ -1575,9 +1571,12 @@ receive( * A KoD packet we pay attention to cannot have a 0 transmit * timestamp. */ + + kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid); + if (L_ISZERO(&p_xmt)) { peer->flash |= TEST3; /* unsynch */ - if (STRATUM_UNSPEC == hisstratum) { /* KoD packet */ + if (kissCode != NOKISS) { /* KoD packet */ peer->bogusorg++; /* for TEST2 or TEST3 */ msyslog(LOG_INFO, "receive: Unexpected zero transmit timestamp in KoD from %s", @@ -1628,7 +1627,7 @@ receive( * (nonzero) org, rec, and xmt timestamps set to the xmt timestamp * that we have previously sent out. Watch interleave mode. */ - } else if (STRATUM_UNSPEC == hisstratum) { + } else if (kissCode != NOKISS) { DEBUG_INSIST(!L_ISZERO(&p_xmt)); if ( L_ISZERO(&p_org) /* We checked p_xmt above */ || L_ISZERO(&p_rec)) { @@ -1687,7 +1686,6 @@ receive( */ } else if (peer->flip == 0) { INSIST(0 != hisstratum); - INSIST(STRATUM_UNSPEC != hisstratum); if (0) { } else if (L_ISZERO(&p_org)) { @@ -1901,11 +1899,9 @@ receive( /* * Check for any kiss codes. Note this is only used when a server - * responds to a packet request + * responds to a packet request. */ - kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid); - /* * Check to see if this is a RATE Kiss Code * Currently this kiss code will accept whatever poll
