[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-11-20 Thread Thierry Carrez
Debdiff for Intrepid SRU

nagios-plugins (1.4.11-2ubuntu2.1) intrepid-proposed; urgency=low

  * Added 99_check_ntp_segfaults.dpatch: Fix for check_ntp and check_ntp_peer
    segfaults (LP: #291265)


** Attachment added: nagios-plugins_1.4.11-2ubuntu2.1.debdiff
   http://launchpadlibrarian.net/19804616/nagios-plugins_1.4.11-2ubuntu2.1.debdiff

** Summary changed:

- Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid
+ [SRU] Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

-- 
[SRU] Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid
https://bugs.launchpad.net/bugs/291265
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nagios-plugins in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-11-19 Thread Thierry Carrez
Fix is in SVN r2086:
http://nagiosplug.svn.sourceforge.net/viewvc/nagiosplug?view=rev&revision=2086

** Changed in: nagios-plugins (Ubuntu)
 Assignee: (unassigned) => Thierry Carrez (tcarrez)
   Status: Confirmed => In Progress



[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-11-19 Thread Thierry Carrez
Debdiff to fix this in the current development release

nagios-plugins (1.4.12-4ubuntu2) jaunty; urgency=low

  * Added 99_check_ntp_segfaults.dpatch: Fix for check_ntp and check_ntp_peer
    segfaults (LP: #291265)


** Attachment added: nagios-plugins_1.4.12-4ubuntu2.debdiff
   http://launchpadlibrarian.net/19792204/nagios-plugins_1.4.12-4ubuntu2.debdiff

** Changed in: nagios-plugins (Ubuntu)
 Assignee: Thierry Carrez (tcarrez) => (unassigned)
   Status: In Progress => Confirmed



[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-11-19 Thread Launchpad Bug Tracker
This bug was fixed in the package nagios-plugins - 1.4.12-4ubuntu2

---
nagios-plugins (1.4.12-4ubuntu2) jaunty; urgency=low

  * Added 99_check_ntp_segfaults.dpatch: Fix for check_ntp and check_ntp_peer
    segfaults (LP: #291265)

 -- Thierry Carrez [EMAIL PROTECTED]   Wed, 19 Nov 2008 16:44:27 +

** Changed in: nagios-plugins (Ubuntu)
   Status: Confirmed => Fix Released



[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-11-19 Thread Anderson
Thank you for the job, maintainers and developers!



[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-10-31 Thread Thierry Carrez
Confirmed, something gets caught by the stack smashing police.
Regression in intrepid, as it was working well in hardy.

** Changed in: nagios-plugins (Ubuntu)
   Importance: Undecided => High
   Status: New => Confirmed



[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-10-31 Thread Thierry Carrez
It fails on line 264 on
if(read(conn, &req, SIZEOF_NTPCM(req)) == -1)

Upstream bug is:
http://sourceforge.net/tracker/?func=detail&atid=397597&aid=1999319&group_id=29880

It's closed by saying the bug is in _FORTIFY_SOURCE, as the author
checked that the read call should not exceed allocated value.

check_ntp doesn't fail so it can be used as a workaround.

** Changed in: nagios-plugins (Ubuntu)
   Importance: High => Medium



[Bug 291265] Re: Buffer overflow in check_ntp_peer - Nagios can't check time servers in Intrepid

2008-10-31 Thread Jamie Strandboge
I looked at this a bit, and the math seems to be wrong in this line:
#define SIZEOF_NTPCM(m) (12+ntohs(m.count)+((m.count)?4-(ntohs(m.count)%4):0))

In ntp_request we have (where MAX_CM_SIZE is defined as 468):
req.count=htons(MAX_CM_SIZE);

Which makes req.count = 54273. Later, we have:
if(read(conn, &req, SIZEOF_NTPCM(req)) == -1)

So the nbytes for read() ends up being:
(12 + 468 + (4 - 0)) = 484

However, a sizeof(req) reveals that it is 480 bytes (this can also be
seen by looking at the ntp_control_message struct (1+1+2+2+2+2+2+468)).
This is not security relevant, because the 4 bytes that are overwritten
end up being the 'conn' file descriptor (as seen from gdb), which
triggers read() to:

read(3, 0xb850, 484)= ? ERESTARTSYS (To be restarted)
--- SIGALRM (Alarm clock) @ 0 (0) ---

resulting in check_ntp_peer to error out with:
CRITICAL - Socket timeout after 10 seconds

This is a bug whether or not _FORTIFY_SOURCE is used, because read() may 
SIGALRM. You'll also notice that check_ntp.c suffers from the same problem (the 
code in question is identical), as seen with:
$ /usr/lib/nagios/plugins/check_ntp -H foo -j 1

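The arithmetic from Jamie Strandboge's post above, as an added example that is not part of the original thread or the nagios-plugins source: it evaluates the quoted SIZEOF_NTPCM macro against a 480-byte structure with the layout given in the post, next to a padding computation that rounds up only for unaligned counts and a length clamped to the buffer. The struct field names and the helpers `quoted_size`, `padded_size` and `safe_read_len` are assumptions, and the corrected form shown is one possible fix, not necessarily the change made in SVN r2086.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CM_SIZE 468

/* Layout from the post: 1+1+2+2+2+2+2+468 = 480 bytes (field names assumed). */
typedef struct {
    uint8_t  flags, op;
    uint16_t seq, status, assoc, offset;
    uint16_t count;               /* payload length, network byte order */
    char     data[MAX_CM_SIZE];
} ntp_control_message;

/* Macro as quoted in the post: adds 4 even when count is already aligned. */
#define SIZEOF_NTPCM(m) (12+ntohs(m.count)+((m.count)?4-(ntohs(m.count)%4):0))

/* Hypothetical helper: evaluate the quoted macro for a given payload length. */
static size_t quoted_size(uint16_t payload)
{
    ntp_control_message m = {0};
    m.count = htons(payload);
    return (size_t)SIZEOF_NTPCM(m);
}

/* Corrected padding: round up only when count is not a multiple of 4. */
static size_t padded_size(uint16_t payload)
{
    return 12 + (size_t)payload + (4 - payload % 4) % 4;
}

/* Length safe to hand to read(): never more than the buffer can hold. */
static size_t safe_read_len(uint16_t payload)
{
    size_t want = padded_size(payload);
    return want > sizeof(ntp_control_message) ? sizeof(ntp_control_message) : want;
}

int main(void)
{
    printf("sizeof(req)=%zu quoted=%zu corrected=%zu\n",
           sizeof(ntp_control_message), quoted_size(MAX_CM_SIZE),
           padded_size(MAX_CM_SIZE));
    printf("count=470 corrected=%zu clamped=%zu\n",
           padded_size(470), safe_read_len(470));
    return 0;
}
```

The clamp matters independently of the padding fix: any count above 468 would still ask read() for more than the structure holds.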