The ntp daemon included in OpenBSD is our own openntpd, written
from scratch.

openntpd is not vulnerable.

Around 10 years ago it was written by Henning, at my request because
the ntpd source code scared the hell out of us.  At the time
communications with the ntp team showed they had little interest in
removing unused functionality from the ntp.org code, or any help with
our form of source code audit.

Because it was a rewrite, the major benefit in openntpd is that it is
privilege separated.  If problems like these were found, they would
not be realistically exploitable.  Furthermore openntpd is a modern
piece of code <5000 lines long written using best known practices of
the time, whereas ntp.org's codebase is reportedly 100,000 lines of
unknown or largely unused code, poorly smithed in the past when these
kinds of programming mistakes were not a significant consideration.

This might be a good time to circle the conversation back to the
common practice of:

     srand(time(NULL));

Sorry, getting really jaded.  When will the software vendors WAKE THE
HELL UP?  This is not 2000 anymore.

It has become abundantly clear that it is very difficult to push
lessons regarding better software practices into the greater open
source community and the vendors who live off the teat.
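As an added illustration of the point behind that srand(time(NULL)) line (this is example code, not from the original post or from openntpd), the C below shows that two processes seeded from the same second produce the identical rand() stream, and that a seed read from /dev/urandom avoids the problem; the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define NOUT 8
/* Seed exactly as the post criticises; 'now' plays the role of time(NULL). */
static void seeded_with_time(time_t now, int out[NOUT])
{
    srand((unsigned)now);
    for (int i = 0; i < NOUT; i++)
        out[i] = rand();
}

/* Two processes started in the same second share a seed and hence the
 * identical rand() stream; returns 1 when that collision occurs. */
int same_second_collides(time_t now)
{
    int a[NOUT], b[NOUT];
    seeded_with_time(now, a);
    seeded_with_time(now, b);
    return memcmp(a, b, sizeof a) == 0;
}

/* One second later gives a different stream: the flaw is the tiny,
 * clock-derived seed space, not rand() itself. Returns 1 if they differ. */
int off_by_one_second_differs(time_t now)
{
    int a[NOUT], b[NOUT];
    seeded_with_time(now, a);
    seeded_with_time(now + 1, b);
    return memcmp(a, b, sizeof a) != 0;
}

/* Safer: draw the seed from the kernel entropy pool. Returns 1 on success. */
int seed_from_urandom(unsigned *seed)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t n = fread(seed, sizeof *seed, 1, f);
    fclose(f);
    return n == 1;
}

int main(void)
{
    printf("same-second collision: %d\n", same_second_collides(time(NULL)));
    printf("urandom seed obtained: %d\n", seed_from_urandom(&(unsigned){0}));
    return 0;
}
```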
