Merge ~kick-d/ubuntu/+source/ntp:logical/4.2.6.p5+dfsg-3ubuntu9 into ~ubuntu-server-dev/ubuntu/+source/ntp:logical
Status: Rejected
Rejected by: Robie Basak
Proposed branch: ~kick-d/ubuntu/+source/ntp:logical/4.2.6.p5+dfsg-3ubuntu9
Merge into: ~ubuntu-server-dev/ubuntu/+source/ntp:logical
Diff against target: 2416 lines (+2058/-21), 39 files modified
debian/apparmor-profile (+81/-0) debian/apparmor-profile.tunable (+15/-0) debian/control (+4/-2) debian/ntp.conf (+12/-12) debian/ntp.dhcp (+1/-1) debian/ntp.dirs (+3/-0) debian/ntp.init (+2/-2) debian/ntp.preinst (+6/-0) debian/ntpdate-debian (+1/-1) debian/ntpdate.default (+1/-1) debian/ntpdate.if-up (+10/-0) debian/patches/CVE-2014-9293.patch (+42/-0) debian/patches/CVE-2014-9294.patch (+118/-0) debian/patches/CVE-2014-9295.patch (+108/-0) debian/patches/CVE-2014-9296.patch (+16/-0) debian/patches/CVE-2014-9297.patch (+371/-0) debian/patches/CVE-2014-9298.patch (+43/-0) debian/patches/CVE-2015-1798.patch (+33/-0) debian/patches/CVE-2015-1799.patch (+42/-0) debian/patches/CVE-2015-5146.patch (+128/-0) debian/patches/CVE-2015-5194.patch (+49/-0) debian/patches/CVE-2015-5195.patch (+47/-0) debian/patches/CVE-2015-5196.patch (+57/-0) debian/patches/CVE-2015-5219.patch (+27/-0) debian/patches/CVE-2015-5300.patch (+16/-0) debian/patches/CVE-2015-7691.patch (+225/-0) debian/patches/CVE-2015-7701.patch (+23/-0) debian/patches/CVE-2015-7704.patch (+19/-0) debian/patches/CVE-2015-7850.patch (+235/-0) debian/patches/CVE-2015-7852.patch (+35/-0) debian/patches/CVE-2015-7853.patch (+46/-0) debian/patches/CVE-2015-7855.patch (+29/-0) debian/patches/CVE-2015-7871.patch (+40/-0) debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch (+32/-0) debian/patches/ntp-keygen-endless-loop.patch (+38/-0) debian/patches/series (+25/-0) debian/patches/use-after-free-in-routing-socket.patch (+33/-0) debian/rules (+23/-2) debian/source_ntp.py (+22/-0)
Related bugs: none
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Robie Basak | Disapprove | |
Review via email: mp+284274@code.launchpad.net
Commit message
Description of the change
Logical changes from ubuntu
Robie Basak (racb) wrote:
Kick In (kick-d) wrote:
Thanks, and sorry for this one. I kept this in my head, and forgot to
squash.
2016-01-28 14:31 GMT+01:00 Robie Basak <email address hidden>:
> Hi Pierre,
>
> Good job on this one. The only diff between this and
> 1:4.2.6.
> expect.
>
> Good job also squashing down all the different Apparmor-related changes
> into one commit.
>
> My only complaint is on commits 93ec5cb and 8c7e386. These both touch the
> same lines in debian/
> changed and "invoke-rc.d" lines added, and in 93ec5cb the "LOCKFILE" line
> is changed back again and one of the previously added "invoke-rc.d" lines
> is moved. This is churn that we want to squash out at this logical stage.
>
> For example:
>
> @@ -30,7 +30,7 @@ if [ -r /lib/udev/
> wait_for_file /usr/sbin/
> fi
>
> -LOCKFILE=
> +LOCKFILE=
>
> # Avoid running more than one at a time
> if [ -x /usr/bin/
>
>
> and then later:
>
> @@ -30,7 +30,7 @@ if [ -r /lib/udev/
> wait_for_file /usr/sbin/
> fi
>
> -LOCKFILE=
> +LOCKFILE=
>
> # Avoid running more than one at a time
> if [ -x /usr/bin/
>
> Indicate churn to me. When figuring out the logical set of changes made,
> these hunks cancel out and so should not appear at all. The same applies to
> one of the two invoke-rc.d lines.
>
> I would split "debian/
> I take to be the "if [ -e /usr/sbin/openntpd ]; then" stanza into its own
> commit. Then there would be a separate commit that doesn't need to touch
> LOCKFILE and just adds the two invoke-rc.d lines directly into their final
> places. Since this distils the previous uploads, the commit messages will
> probably need tweaking a little so that they make sense.
>
> Apart from this, everything else is byte-perfect. I'm not sure it's
> necessary to redo this. It's minor enough that I can probably just keep it
> in mind while reviewing your merge. So I'll do that next. No action needed
> here for now. Thanks!
> --
>
> https:/
> You are the owner of
> ~kick-d/
>
Kick In (kick-d) wrote:
OK I'll split this out in my merge proposal.
2016-01-28 15:27 GMT+01:00 Pierre-Andre Morey <email address hidden>:
Robie Basak (racb) wrote:
This was resolved. Not merged, but superseded by the real merge.
Robie Basak (racb) wrote:
(not sure how to set the merge status to "Superseded")
Unmerged commits
- c8a02ba... by Kick In
  * SECURITY UPDATE: symmetric association authentication bypass via crypto-NAK
    - debian/patches/CVE-2015-7871.patch: drop unhandled packet in ntpd/ntp_proto.c.
    - CVE-2015-7871
- da8c14c... by Kick In
  * SECURITY UPDATE: denial of service via ASSERT in decodenetnum
    - debian/patches/CVE-2015-7855.patch: simply return fail in libntp/decodenetnum.c.
    - CVE-2015-7855
- f0f93bb... by Kick In
  * SECURITY UPDATE: buffer overflow via custom refclock driver
    - debian/patches/CVE-2015-7853.patch: properly calculate length in ntpd/ntp_io.c.
    - CVE-2015-7853
- bca2843... by Kick In
  * SECURITY UPDATE: ntpq atoascii memory corruption
    - debian/patches/CVE-2015-7852.patch: avoid buffer overrun in ntpq/ntpq.c.
    - CVE-2015-7852
- 9af4d3a... by Kick In
  * SECURITY UPDATE: denial of service via same logfile and keyfile
    - debian/patches/CVE-2015-7850.patch: rate limit errors in include/ntp_stdlib.h, include/ntp_syslog.h, libntp/authreadkeys.c, libntp/msyslog.c.
    - CVE-2015-7850
- 56e59ee... by Kick In
  * SECURITY UPDATE: denial of service by spoofed KoD
    - debian/patches/CVE-2015-7704.patch: add check to ntpd/ntp_proto.c.
    - CVE-2015-7704
    - CVE-2015-7705
- a64bbbd... by Kick In
  * SECURITY UPDATE: file overwrite via remote pidfile and driftfile configuration directives
    - debian/patches/CVE-2015-5196.patch: disable remote configuration in ntpd/ntp_parser.y.
    - CVE-2015-5196
    - CVE-2015-7703
- b574fc2... by Kick In
  * SECURITY UPDATE: memory leak in CRYPTO_ASSOC
    - debian/patches/CVE-2015-7701.patch: add missing free in ntpd/ntp_crypto.c.
    - CVE-2015-7701
- 5afebc5... by Kick In
  * SECURITY UPDATE: incomplete autokey data packet length checks
    - debian/patches/CVE-2015-7691.patch: add length and size checks to ntpd/ntp_crypto.c.
    - CVE-2015-7691
    - CVE-2015-7692
    - CVE-2015-7702
- d8365e5... by Kick In
  * SECURITY UPDATE: timeshifting by reboot issue
    - debian/patches/CVE-2015-5300.patch: disable panic in ntpd/ntp_loopfilter.c.
    - CVE-2015-5300
Preview Diff
1 | diff --git a/debian/apparmor-profile b/debian/apparmor-profile |
2 | new file mode 100644 |
3 | index 0000000..48e8d7a |
4 | --- /dev/null |
5 | +++ b/debian/apparmor-profile |
6 | @@ -0,0 +1,81 @@ |
7 | +# vim:syntax=apparmor |
8 | +# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com> |
9 | +# ------------------------------------------------------------------ |
10 | +# |
11 | +# Copyright (C) 2002-2005 Novell/SUSE |
12 | +# Copyright (C) 2009-2012 Canonical Ltd. |
13 | +# |
14 | +# This program is free software; you can redistribute it and/or |
15 | +# modify it under the terms of version 2 of the GNU General Public |
16 | +# License published by the Free Software Foundation. |
17 | +# |
18 | +# ------------------------------------------------------------------ |
19 | + |
20 | +#include <tunables/global> |
21 | +#include <tunables/ntpd> |
22 | +/usr/sbin/ntpd { |
23 | + #include <abstractions/base> |
24 | + #include <abstractions/nameservice> |
25 | + #include <abstractions/user-tmp> |
26 | + |
27 | + capability ipc_lock, |
28 | + capability net_bind_service, |
29 | + capability setgid, |
30 | + capability setuid, |
31 | + capability sys_chroot, |
32 | + capability sys_resource, |
33 | + capability sys_time, |
34 | + capability sys_nice, |
35 | + |
36 | + network inet dgram, |
37 | + network inet6 dgram, |
38 | + network inet stream, |
39 | + network inet6 stream, |
40 | + |
41 | + @{PROC}/net/if_inet6 r, |
42 | + @{PROC}/*/net/if_inet6 r, |
43 | + @{NTPD_DEVICE} rw, |
44 | + |
45 | + /{,s}bin/ r, |
46 | + /usr/{,s}bin/ r, |
47 | + /usr/sbin/ntpd rmix, |
48 | + |
49 | + /etc/ntp.conf r, |
50 | + /etc/ntp.conf.dhcp r, |
51 | + /etc/ntpd.conf r, |
52 | + /etc/ntpd.conf.tmp r, |
53 | + /var/lib/ntp/ntp.conf.dhcp r, |
54 | + |
55 | + /etc/ntp.keys r, |
56 | + /etc/ntp/** r, |
57 | + |
58 | + /etc/ntp.drift rwl, |
59 | + /etc/ntp.drift.TEMP rwl, |
60 | + /etc/ntp/drift* rwl, |
61 | + /var/lib/ntp/*drift rw, |
62 | + /var/lib/ntp/*drift.TEMP rw, |
63 | + |
64 | + /var/log/ntp w, |
65 | + /var/log/ntp.log w, |
66 | + /var/log/ntpd w, |
67 | + /var/log/ntpstats/clockstats* rwl, |
68 | + /var/log/ntpstats/loopstats* rwl, |
69 | + /var/log/ntpstats/peerstats* rwl, |
70 | + /var/log/ntpstats/protostats* rwl, |
71 | + /var/log/ntpstats/rawstats* rwl, |
72 | + /var/log/ntpstats/sysstats* rwl, |
73 | + |
74 | + /{,var/}run/ntpd.pid w, |
75 | + |
76 | + # samba4 ntp signing socket |
77 | + /{,var/}run/samba/ntp_signd/socket rw, |
78 | + |
79 | + # For use with clocks that report via shared memory (e.g. gpsd), |
80 | + # you may need to give ntpd access to all of shared memory, though |
81 | + # this can be considered dangerous. See https://launchpad.net/bugs/722815 |
82 | + # for details. To enable, add this to local/usr.sbin.ntpd: |
83 | + # capability ipc_owner, |
84 | + |
85 | + # Site-specific additions and overrides. See local/README for details. |
86 | + #include <local/usr.sbin.ntpd> |
87 | +} |
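Review bot: the profile `#include`s `<tunables/ntpd>` and `<local/usr.sbin.ntpd>`, and neither file is provided by this hunk. The tunable is shipped as debian/apparmor-profile.tunable and the local override is normally created by dh_apparmor, so the debian/rules install step (not in the visible part of this diff) must install the tunable as etc/apparmor.d/tunables/ntpd and run dh_apparmor with the profile named usr.sbin.ntpd; if either include is missing, apparmor_parser rejects the profile and ntpd runs unconfined, which is worth a sentence in the commit message so the dependency between the three pieces is recorded.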
88 | diff --git a/debian/apparmor-profile.tunable b/debian/apparmor-profile.tunable |
89 | new file mode 100644 |
90 | index 0000000..1fc2d8f |
91 | --- /dev/null |
92 | +++ b/debian/apparmor-profile.tunable |
93 | @@ -0,0 +1,15 @@ |
94 | +# vim:syntax=apparmor |
95 | +# ------------------------------------------------------------------ |
96 | +# |
97 | +# Copyright (C) 2002-2005 Novell/SUSE |
98 | +# Copyright (C) 2011 Canonical, Ltd. |
99 | +# |
100 | +# This program is free software; you can redistribute it and/or |
101 | +# modify it under the terms of version 2 of the GNU General Public |
102 | +# License published by the Free Software Foundation. |
103 | +# |
104 | +# ------------------------------------------------------------------ |
105 | + |
106 | +#Add your ntpd devices here eg. if you have a DCF clock |
107 | +# @{NTPD_DEVICE}="/dev/ttyS1" |
108 | +@{NTPD_DEVICE}="/dev/null" |
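Review bot: with the default `@{NTPD_DEVICE}="/dev/null"` every real refclock device (the commented `/dev/ttyS1` example) is denied until an administrator edits this tunable and reloads the profile, so the `#Add your ntpd devices here eg.` comment should say that a reload (`apparmor_parser -r`) is needed after the edit and be written as `# Add your ntpd devices here, e.g. ...` for consistency with the rest of the file. Since the file lands under /etc/apparmor.d/tunables, confirm it is installed as a conffile so local edits survive upgrades.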
109 | diff --git a/debian/control b/debian/control |
110 | index 5f175fd..f3624dd 100644 |
111 | --- a/debian/control |
112 | +++ b/debian/control |
113 | @@ -3,7 +3,7 @@ Section: net |
114 | Priority: optional |
115 | Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org> |
116 | Uploaders: Bdale Garbee <bdale@gag.com>, Peter Eisentraut <petere@debian.org>, Kurt Roeckx <kurt@roeckx.be> |
117 | -Build-Depends: autotools-dev, debhelper (>= 6), libedit-dev, libcap2-dev [linux-any], libssl-dev (>= 1.0.0e-1), autogen (>= 1:5.11) |
118 | +Build-Depends: autotools-dev, debhelper (>= 6), libedit-dev, libcap2-dev [linux-any], libssl-dev (>= 1.0.0e-1), autogen (>= 1:5.11), hardening-wrapper, dh-apparmor, bison |
119 | Build-Conflicts: libavahi-compat-libdnssd-dev, libwww-dev, libwww-ssl-dev |
120 | Standards-Version: 3.9.3 |
121 | Homepage: http://support.ntp.org/ |
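Review bot: `hardening-wrapper` is added to Build-Depends, but it is deprecated in Debian in favour of dpkg-buildflags (debhelper compat 9 and later exports the hardening flags automatically, and `DEB_BUILD_MAINT_OPTIONS=hardening=+all` turns on the full set). Since debian/rules is also modified in this merge, check whether the wrapper is still required or whether the same hardening can come from the build flags; the `dh-apparmor` and `bison` additions look right for the profile and the ntp_parser.y patches.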
122 | @@ -15,7 +15,9 @@ Architecture: any |
123 | Depends: adduser, lsb-base (>= 3.2-13), netbase, ${misc:Depends}, ${shlibs:Depends} |
124 | Pre-Depends: dpkg (>= 1.15.7.2) |
125 | Recommends: ${perl:Depends} |
126 | -Suggests: ntp-doc |
127 | +Suggests: ntp-doc, apparmor (>= 2.1+1075-0ubuntu6) |
128 | +Conflicts: apparmor-profiles (<< 2.3.1+1403-0ubuntu10), apparmor (<< 2.3.1+1403-0ubuntu10) |
129 | +Replaces: apparmor-profiles (<< 2.3.1+1403-0ubuntu10), apparmor (<< 2.3.1+1403-0ubuntu10) |
130 | Breaks: dhcp3-client (<< 4.1.0-1) |
131 | Description: Network Time Protocol daemon and utility programs |
132 | NTP, the Network Time Protocol, is used to keep computer clocks |
133 | diff --git a/debian/ntp.conf b/debian/ntp.conf |
134 | index cb7d021..4457652 100644 |
135 | --- a/debian/ntp.conf |
136 | +++ b/debian/ntp.conf |
137 | @@ -11,18 +11,18 @@ filegen loopstats file loopstats type day enable |
138 | filegen peerstats file peerstats type day enable |
139 | filegen clockstats file clockstats type day enable |
140 | |
141 | - |
142 | -# You do need to talk to an NTP server or two (or three). |
143 | -#server ntp.your-provider.example |
144 | - |
145 | -# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will |
146 | -# pick a different set every time it starts up. Please consider joining the |
147 | -# pool: <http://www.pool.ntp.org/join.html> |
148 | -server 0.debian.pool.ntp.org iburst |
149 | -server 1.debian.pool.ntp.org iburst |
150 | -server 2.debian.pool.ntp.org iburst |
151 | -server 3.debian.pool.ntp.org iburst |
152 | - |
153 | +# Specify one or more NTP servers. |
154 | + |
155 | +# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board |
156 | +# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for |
157 | +# more information. |
158 | +server 0.ubuntu.pool.ntp.org |
159 | +server 1.ubuntu.pool.ntp.org |
160 | +server 2.ubuntu.pool.ntp.org |
161 | +server 3.ubuntu.pool.ntp.org |
162 | + |
163 | +# Use Ubuntu's ntp server as a fallback. |
164 | +server ntp.ubuntu.com |
165 | |
166 | # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for |
167 | # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> |
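Review bot: the replacement pool lines drop the `iburst` keyword that the Debian entries (`server 0.debian.pool.ntp.org iburst`) carried, and the new `ntp.ubuntu.com` fallback has none either. Without iburst the initial burst of eight packets to an unreachable server is skipped and first synchronisation takes several minutes longer. If dropping it is deliberate (pool load), say so in the comment; otherwise keep `iburst` on at least the four pool lines.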
168 | diff --git a/debian/ntp.dhcp b/debian/ntp.dhcp |
169 | index a1acb21..a629d16 100644 |
170 | --- a/debian/ntp.dhcp |
171 | +++ b/debian/ntp.dhcp |
172 | @@ -40,7 +40,7 @@ ntp_servers_setup_add() { |
173 | echo "server $server iburst" |
174 | done |
175 | echo |
176 | - sed -r -e '/^ *(server|peer).*$/d' $NTP_CONF |
177 | + sed -r -e '/^ *(server *[^1][^2][^7]\.|peer).*$/d' $NTP_CONF |
178 | ) >>$tmp |
179 | |
180 | mv $tmp $NTP_DHCP_CONF |
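Review bot: the new sed expression does not express what it appears to intend. `[^1][^2][^7]\.` is three independent single-character classes followed by a literal dot, so a server line is deleted only when the three characters after `server ` are followed by a `.` and are not respectively `1`, `2`, `7`: `server ntp.ubuntu.com` is deleted, but `server 0.ubuntu.pool.ntp.org` (dot in second position) and `server 192.168.1.1` (first character `1`) survive and are duplicated below the DHCP-provided servers. If the goal is to keep local refclock entries (`server 127.127.x.x`) and drop every other server/peer line, two expressions do that unambiguously: `sed -r -e '/^ *server +127\./b' -e '/^ *(server|peer)/d' $NTP_CONF`.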
181 | diff --git a/debian/ntp.dirs b/debian/ntp.dirs |
182 | index 49d3819..314ad95 100644 |
183 | --- a/debian/ntp.dirs |
184 | +++ b/debian/ntp.dirs |
185 | @@ -1,3 +1,6 @@ |
186 | usr/sbin |
187 | var/lib/ntp |
188 | var/log/ntpstats |
189 | +etc/apparmor.d/force-complain |
190 | +etc/apparmor.d/tunables |
191 | +usr/share/apport/package-hooks |
192 | diff --git a/debian/ntp.init b/debian/ntp.init |
193 | index 3a5ccc5..9755091 100644 |
194 | --- a/debian/ntp.init |
195 | +++ b/debian/ntp.init |
196 | @@ -5,7 +5,7 @@ |
197 | # Required-Start: $network $remote_fs $syslog |
198 | # Required-Stop: $network $remote_fs $syslog |
199 | # Default-Start: 2 3 4 5 |
200 | -# Default-Stop: |
201 | +# Default-Stop: 1 |
202 | # Short-Description: Start NTP daemon |
203 | ### END INIT INFO |
204 | |
205 | @@ -22,7 +22,7 @@ if [ -r /etc/default/ntp ]; then |
206 | . /etc/default/ntp |
207 | fi |
208 | |
209 | -if [ -e /var/lib/ntp/ntp.conf.dhcp ]; then |
210 | +if [ /var/lib/ntp/ntp.conf.dhcp -nt /etc/ntp.conf ]; then |
211 | NTPD_OPTS="$NTPD_OPTS -c /var/lib/ntp/ntp.conf.dhcp" |
212 | fi |
213 | |
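Review bot: `[ a -nt b ]` is not in POSIX test(1); dash and bash both implement it, but they differ when a file is missing: dash's `-nt` returns false if either file cannot be stat'ed, while bash returns true when the first exists and the second does not. With the old `-e` test removed, a host that has /var/lib/ntp/ntp.conf.dhcp but no /etc/ntp.conf (the new preinst can remove an empty one) would therefore ignore the DHCP configuration under /bin/sh = dash. Something like `if [ -e /var/lib/ntp/ntp.conf.dhcp ] && { [ ! -e /etc/ntp.conf ] || [ /var/lib/ntp/ntp.conf.dhcp -nt /etc/ntp.conf ]; }; then` keeps the intended "a newer hand-edited ntp.conf wins" behaviour in both shells, and that intent deserves a one-line comment.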
214 | diff --git a/debian/ntp.preinst b/debian/ntp.preinst |
215 | index 3c9f0a0..25da0e3 100644 |
216 | --- a/debian/ntp.preinst |
217 | +++ b/debian/ntp.preinst |
218 | @@ -18,5 +18,11 @@ if dpkg-maintscript-helper supports mv_conffile; then |
219 | 1:4.2.6.p1+dfsg-1 -- "$@" |
220 | fi |
221 | |
222 | +if [ "$1" = install ] && [ -e /etc/ntp.conf ] && [ ! -s /etc/ntp.conf ]; then |
223 | + # Work around system-tools-backends bug that left an empty file |
224 | + # (https://bugs.launchpad.net/bugs/83604). |
225 | + rm -f /etc/ntp.conf |
226 | +fi |
227 | + |
228 | #DEBHELPER# |
229 | |
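Review bot: the `"$1" = install` guard also fires on a reinstall after `remove` without purge (where `$2` is set). In that case dpkg still holds the conffile record for /etc/ntp.conf, treats a missing conffile as deleted by the administrator, and does not recreate it without `--force-confmiss`, so removing the empty file here can leave the system with no ntp.conf at all rather than a conffile prompt. Worth confirming that case, or restricting the workaround to fresh installs with `[ -z "$2" ]`.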
230 | diff --git a/debian/ntpdate-debian b/debian/ntpdate-debian |
231 | index 4748b3a..c0f8c3b 100644 |
232 | --- a/debian/ntpdate-debian |
233 | +++ b/debian/ntpdate-debian |
234 | @@ -8,7 +8,7 @@ fi |
235 | |
236 | if [ "$NTPDATE_USE_NTP_CONF" = yes ]; then |
237 | for f in /var/lib/ntp/ntp.conf.dhcp /etc/ntp.conf /etc/openntpd/ntpd.conf; do |
238 | - if [ -r "$f" ]; then |
239 | + if [ -r "$f" ] && [ -s "$f" ]; then |
240 | file=$f |
241 | break |
242 | fi |
243 | diff --git a/debian/ntpdate.default b/debian/ntpdate.default |
244 | index 3241694..f239b18 100644 |
245 | --- a/debian/ntpdate.default |
246 | +++ b/debian/ntpdate.default |
247 | @@ -7,7 +7,7 @@ NTPDATE_USE_NTP_CONF=yes |
248 | |
249 | # List of NTP servers to use (Separate multiple servers with spaces.) |
250 | # Not used if NTPDATE_USE_NTP_CONF is yes. |
251 | -NTPSERVERS="0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org" |
252 | +NTPSERVERS="ntp.ubuntu.com" |
253 | |
254 | # Additional options to pass to ntpdate |
255 | NTPOPTIONS="" |
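Review bot: four pool hosts are replaced by the single `ntp.ubuntu.com`. NTPSERVERS is only consulted when NTPDATE_USE_NTP_CONF is not `yes`, but on such systems one hostname is a single point of failure and gives ntpdate a single sample with nothing to select against. Listing the Ubuntu pool entries alongside it (`NTPSERVERS="ntp.ubuntu.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org"`) keeps the fallback and matches debian/ntp.conf.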
256 | diff --git a/debian/ntpdate.if-up b/debian/ntpdate.if-up |
257 | index 8bd08b3..5271d4f 100644 |
258 | --- a/debian/ntpdate.if-up |
259 | +++ b/debian/ntpdate.if-up |
260 | @@ -39,6 +39,14 @@ if [ -x /usr/bin/lockfile-create ]; then |
261 | LOCKTOUCHPID="$!" |
262 | fi |
263 | |
264 | +if [ -e /usr/sbin/openntpd ]; then |
265 | + service='openntpd' |
266 | +else |
267 | + service='ntp' |
268 | +fi |
269 | + |
270 | +invoke-rc.d --quiet $service stop >/dev/null 2>&1 || true |
271 | + |
272 | /usr/sbin/ntpdate-debian -s $OPTS 2>/dev/null || : |
273 | |
274 | if [ -x /usr/bin/lockfile-create ] ; then |
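Review bot: stopping the time daemon from an if-up hook is a behaviour change that needs a comment next to the `invoke-rc.d --quiet $service stop` line. The reason (ntpdate cannot bind UDP port 123 while ntpd holds it, so `ntpdate-debian -s` would fail silently behind `2>/dev/null || :`) is not visible from the code, and the consequence is that every interface event restarts ntpd, which can step the clock and resets its association state; both should be stated so a later maintainer does not remove the stop as redundant.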
275 | @@ -46,4 +54,6 @@ if [ -x /usr/bin/lockfile-create ] ; then |
276 | lockfile-remove $LOCKFILE |
277 | fi |
278 | |
279 | +invoke-rc.d --quiet $service start >/dev/null 2>&1 || true |
280 | + |
281 | ) & |
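Review bot: the `invoke-rc.d $service start` sits after `lockfile-remove $LOCKFILE`, so the stop/start pair is no longer serialised by the lock. With two interfaces coming up, the second invocation can acquire the lock and stop ntp immediately after the first one has started it; the final state is still "started", but the daemon bounces once per interface. Moving the start line above the `lockfile-remove` block keeps stop, ntpdate and start inside one locked region.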
282 | diff --git a/debian/patches/CVE-2014-9293.patch b/debian/patches/CVE-2014-9293.patch |
283 | new file mode 100644 |
284 | index 0000000..2775e99 |
285 | --- /dev/null |
286 | +++ b/debian/patches/CVE-2014-9293.patch |
287 | @@ -0,0 +1,42 @@ |
288 | +Description: fix weak default key in config_auth() |
289 | +Author: thanks to Red Hat |
290 | +Origin: vendor, https://git.centos.org/blob/rpms!ntp.git/c054b85192ea340529fc9a659cac7ea6b893b50e/SOURCES!ntp-4.2.6p5-cve-2014-9293.patch |
291 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2665 |
292 | + |
293 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c |
294 | +=================================================================== |
295 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_config.c 2014-12-19 19:55:14.000000000 -0500 |
296 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c 2014-12-20 05:45:33.818645887 -0500 |
297 | +@@ -1866,13 +1866,16 @@ |
298 | + req_hashlen = digest_len; |
299 | + #endif |
300 | + } else { |
301 | +- int rankey; |
302 | ++ unsigned char rankey[16]; |
303 | ++ |
304 | ++ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) { |
305 | ++ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed."); |
306 | ++ exit(1); |
307 | ++ } |
308 | + |
309 | +- rankey = ntp_random(); |
310 | + req_keytype = NID_md5; |
311 | + req_hashlen = 16; |
312 | +- MD5auth_setkey(req_keyid, req_keytype, |
313 | +- (u_char *)&rankey, sizeof(rankey)); |
314 | ++ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey)); |
315 | + authtrust(req_keyid, 1); |
316 | + } |
317 | + |
318 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntpd.c |
319 | +=================================================================== |
320 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntpd.c 2014-12-19 19:55:14.000000000 -0500 |
321 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntpd.c 2014-12-20 05:45:33.818645887 -0500 |
322 | +@@ -597,6 +597,7 @@ |
323 | + get_systime(&now); |
324 | + |
325 | + ntp_srandom((int)(now.l_i * now.l_uf)); |
326 | ++ ntp_crypto_srandom(); |
327 | + |
328 | + #if !defined(VMS) |
329 | + # ifndef NODETACH |
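Review bot: this patch calls `ntp_crypto_random_buf()` and `ntp_crypto_srandom()`, which are only declared and defined by CVE-2014-9294.patch (include/ntp_random.h and libntp/ntp_random.c), so the tree does not build if the series is ever applied up to this patch alone; a sentence in the Description header recording that ordering would make the dependency explicit. The fix itself has the right shape: the 16-byte request key now comes from RAND_bytes instead of a single `int` from `ntp_random()`, and `exit(1)` on failure fails closed instead of installing a weak key.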
330 | diff --git a/debian/patches/CVE-2014-9294.patch b/debian/patches/CVE-2014-9294.patch |
331 | new file mode 100644 |
332 | index 0000000..052cc8d |
333 | --- /dev/null |
334 | +++ b/debian/patches/CVE-2014-9294.patch |
335 | @@ -0,0 +1,118 @@ |
336 | +Description: fix non-cryptographic random number generator with weak |
337 | + seed used by ntp-keygen to generate symmetric keys |
338 | +Author: thanks to Red Hat for backport |
339 | +Origin: vendor, https://git.centos.org/blob/rpms!ntp.git/c054b85192ea340529fc9a659cac7ea6b893b50e/SOURCES!ntp-4.2.6p5-cve-2014-9294.patch |
340 | +Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548db6ddlELn4rnqUZ4kKGOjvtXwbQ |
341 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2666 |
342 | + |
343 | +Index: ntp-4.2.6.p5+dfsg/include/ntp_random.h |
344 | +=================================================================== |
345 | +--- ntp-4.2.6.p5+dfsg.orig/include/ntp_random.h 2009-12-09 02:36:35.000000000 -0500 |
346 | ++++ ntp-4.2.6.p5+dfsg/include/ntp_random.h 2014-12-20 05:46:18.807038967 -0500 |
347 | +@@ -1,6 +1,9 @@ |
348 | + |
349 | + #include <ntp_types.h> |
350 | + |
351 | ++void ntp_crypto_srandom(void); |
352 | ++int ntp_crypto_random_buf(void *buf, size_t nbytes); |
353 | ++ |
354 | + long ntp_random (void); |
355 | + void ntp_srandom (unsigned long); |
356 | + void ntp_srandomdev (void); |
357 | +Index: ntp-4.2.6.p5+dfsg/libntp/ntp_random.c |
358 | +=================================================================== |
359 | +--- ntp-4.2.6.p5+dfsg.orig/libntp/ntp_random.c 2009-12-09 02:36:36.000000000 -0500 |
360 | ++++ ntp-4.2.6.p5+dfsg/libntp/ntp_random.c 2014-12-20 05:46:18.807038967 -0500 |
361 | +@@ -481,3 +481,63 @@ |
362 | + } |
363 | + return(i); |
364 | + } |
365 | ++ |
366 | ++/* |
367 | ++ * Crypto-quality random number functions |
368 | ++ * |
369 | ++ * Author: Harlan Stenn, 2014 |
370 | ++ * |
371 | ++ * This file is Copyright (c) 2014 by Network Time Foundation. |
372 | ++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details. |
373 | ++ */ |
374 | ++ |
375 | ++#include <openssl/err.h> |
376 | ++#include <openssl/rand.h> |
377 | ++ |
378 | ++int crypto_rand_init = 0; |
379 | ++ |
380 | ++/* |
381 | ++ * ntp_crypto_srandom: |
382 | ++ * |
383 | ++ * Initialize the random number generator, if needed by the underlying |
384 | ++ * crypto random number generation mechanism. |
385 | ++ */ |
386 | ++ |
387 | ++void |
388 | ++ntp_crypto_srandom( |
389 | ++ void |
390 | ++ ) |
391 | ++{ |
392 | ++ if (!crypto_rand_init) { |
393 | ++ RAND_poll(); |
394 | ++ crypto_rand_init = 1; |
395 | ++ } |
396 | ++} |
397 | ++ |
398 | ++/* |
399 | ++ * ntp_crypto_random_buf: |
400 | ++ * |
401 | ++ * Returns 0 on success, -1 on error. |
402 | ++ */ |
403 | ++int |
404 | ++ntp_crypto_random_buf( |
405 | ++ void *buf, |
406 | ++ size_t nbytes |
407 | ++ ) |
408 | ++{ |
409 | ++ int rc; |
410 | ++ |
411 | ++ rc = RAND_bytes(buf, nbytes); |
412 | ++ if (1 != rc) { |
413 | ++ unsigned long err; |
414 | ++ char *err_str; |
415 | ++ |
416 | ++ err = ERR_get_error(); |
417 | ++ err_str = ERR_error_string(err, NULL); |
418 | ++ /* XXX: Log the error */ |
419 | ++ |
420 | ++ return -1; |
421 | ++ } |
422 | ++ return 0; |
423 | ++} |
424 | ++ |
425 | +Index: ntp-4.2.6.p5+dfsg/util/ntp-keygen.c |
426 | +=================================================================== |
427 | +--- ntp-4.2.6.p5+dfsg.orig/util/ntp-keygen.c 2011-12-24 18:27:16.000000000 -0500 |
428 | ++++ ntp-4.2.6.p5+dfsg/util/ntp-keygen.c 2014-12-20 05:46:18.811039002 -0500 |
429 | +@@ -261,6 +261,8 @@ |
430 | + ssl_check_version(); |
431 | + #endif /* OPENSSL */ |
432 | + |
433 | ++ ntp_crypto_srandom(); |
434 | ++ |
435 | + /* |
436 | + * Process options, initialize host name and timestamp. |
437 | + */ |
438 | +@@ -727,7 +729,14 @@ |
439 | + int temp; |
440 | + |
441 | + while (1) { |
442 | +- temp = ntp_random() & 0xff; |
443 | ++ int rc; |
444 | ++ |
445 | ++ rc = ntp_crypto_random_buf(&temp, 1); |
446 | ++ if (-1 == rc) { |
447 | ++ fprintf(stderr, "ntp_crypto_random_buf() failed.\n"); |
448 | ++ exit (-1); |
449 | ++ } |
450 | ++ temp &= 0xff; |
451 | + if (temp == '#') |
452 | + continue; |
453 | + |
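Review bot: in the util/ntp-keygen.c hunk, `ntp_crypto_random_buf(&temp, 1)` stores one random byte in the first byte of an uninitialised `int temp`, and `temp &= 0xff` then keeps the low-order byte. On little-endian hosts that is the random byte, but on big-endian targets (Ubuntu still built powerpc at the time) the random byte lands in the high-order byte and the masked value is uninitialised stack, so the generated key characters are not random there. Read into an `unsigned char c` and assign `temp = c;` instead. In the libntp/ntp_random.c hunk, `err` and `err_str` are computed and never used (`/* XXX: Log the error */`), which warns under -Wall; either pass them to `msyslog(LOG_ERR, ...)` or drop them.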
454 | diff --git a/debian/patches/CVE-2014-9295.patch b/debian/patches/CVE-2014-9295.patch |
455 | new file mode 100644 |
456 | index 0000000..97b12cb |
457 | --- /dev/null |
458 | +++ b/debian/patches/CVE-2014-9295.patch |
459 | @@ -0,0 +1,108 @@ |
460 | +Description: fix buffer overflows in crypto_recv(), ctl_putdata(), configure() |
461 | +Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA |
462 | +Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg |
463 | +Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g |
464 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2667 |
465 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2668 |
466 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2669 |
467 | + |
468 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c |
469 | +=================================================================== |
470 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_control.c 2014-12-20 05:46:26.695107896 -0500 |
471 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c 2014-12-20 05:46:40.583228864 -0500 |
472 | +@@ -486,6 +486,10 @@ |
473 | + static char *reqpt; |
474 | + static char *reqend; |
475 | + |
476 | ++#ifndef MIN |
477 | ++#define MIN(a, b) (((a) <= (b)) ? (a) : (b)) |
478 | ++#endif |
479 | ++ |
480 | + /* |
481 | + * init_control - initialize request data |
482 | + */ |
483 | +@@ -995,6 +999,7 @@ |
484 | + ) |
485 | + { |
486 | + int overhead; |
487 | ++ unsigned int currentlen; |
488 | + |
489 | + overhead = 0; |
490 | + if (!bin) { |
491 | +@@ -1018,12 +1023,22 @@ |
492 | + /* |
493 | + * Save room for trailing junk |
494 | + */ |
495 | +- if (dlen + overhead + datapt > dataend) { |
496 | ++ while (dlen + overhead + datapt > dataend) { |
497 | + /* |
498 | + * Not enough room in this one, flush it out. |
499 | + */ |
500 | ++ currentlen = MIN(dlen, dataend - datapt); |
501 | ++ |
502 | ++ memcpy(datapt, dp, currentlen); |
503 | ++ |
504 | ++ datapt += currentlen; |
505 | ++ dp += currentlen; |
506 | ++ dlen -= currentlen; |
507 | ++ datalinelen += currentlen; |
508 | ++ |
509 | + ctl_flushpkt(CTL_MORE); |
510 | + } |
511 | ++ |
512 | + memmove((char *)datapt, dp, (unsigned)dlen); |
513 | + datapt += dlen; |
514 | + datalinelen += dlen; |
515 | +@@ -2492,6 +2507,20 @@ |
516 | + |
517 | + /* Initialize the remote config buffer */ |
518 | + data_count = reqend - reqpt; |
519 | ++ |
520 | ++ if (data_count > sizeof(remote_config.buffer) - 2) { |
521 | ++ snprintf(remote_config.err_msg, |
522 | ++ sizeof(remote_config.err_msg), |
523 | ++ "runtime configuration failed: request too long"); |
524 | ++ ctl_putdata(remote_config.err_msg, |
525 | ++ strlen(remote_config.err_msg), 0); |
526 | ++ ctl_flushpkt(0); |
527 | ++ msyslog(LOG_NOTICE, |
528 | ++ "runtime config from %s rejected: request too long", |
529 | ++ stoa(&rbufp->recv_srcadr)); |
530 | ++ return; |
531 | ++ } |
532 | ++ |
533 | + memcpy(remote_config.buffer, reqpt, data_count); |
534 | + if (data_count > 0 |
535 | + && '\n' != remote_config.buffer[data_count - 1]) |
536 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c |
537 | +=================================================================== |
538 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2011-11-30 21:55:17.000000000 -0500 |
539 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2014-12-20 05:46:40.579228829 -0500 |
540 | +@@ -789,15 +789,24 @@ |
541 | + * errors. |
542 | + */ |
543 | + if (vallen == (u_int)EVP_PKEY_size(host_pkey)) { |
544 | ++ u_int32 *cookiebuf = malloc( |
545 | ++ RSA_size(host_pkey->pkey.rsa)); |
546 | ++ if (!cookiebuf) { |
547 | ++ rval = XEVNT_CKY; |
548 | ++ break; |
549 | ++ } |
550 | ++ |
551 | + if (RSA_private_decrypt(vallen, |
552 | + (u_char *)ep->pkt, |
553 | +- (u_char *)&temp32, |
554 | ++ (u_char *)cookiebuf, |
555 | + host_pkey->pkey.rsa, |
556 | +- RSA_PKCS1_OAEP_PADDING) <= 0) { |
557 | ++ RSA_PKCS1_OAEP_PADDING) != 4) { |
558 | + rval = XEVNT_CKY; |
559 | ++ free(cookiebuf); |
560 | + break; |
561 | + } else { |
562 | +- cookie = ntohl(temp32); |
563 | ++ cookie = ntohl(*cookiebuf); |
564 | ++ free(cookiebuf); |
565 | + } |
566 | + } else { |
567 | + rval = XEVNT_CKY; |
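Review bot: in the ntp_crypto.c hunk the overflow is closed by decrypting into a heap buffer of `RSA_size()` bytes instead of the 4-byte `temp32`, and the `!= 4` test additionally rejects any cookie that is not exactly 32 bits; both exit paths free `cookiebuf`, so there is no leak. In the ntp_control.c `configure()` hunk, `data_count > sizeof(remote_config.buffer) - 2` is evaluated as an unsigned comparison because of the `size_t` operand; that is correct since `reqend - reqpt` cannot be negative, but a short comment would save the next reader from checking. The new `msyslog(LOG_NOTICE, "runtime config from %s rejected: request too long", ...)` line is welcome: it gives operators a syslog signature for oversized remote-configuration requests.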
568 | diff --git a/debian/patches/CVE-2014-9296.patch b/debian/patches/CVE-2014-9296.patch |
569 | new file mode 100644 |
570 | index 0000000..0eb972c |
571 | --- /dev/null |
572 | +++ b/debian/patches/CVE-2014-9296.patch |
573 | @@ -0,0 +1,16 @@ |
574 | +Description: fix missing return on error in receive() |
575 | +Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548ad06feXHK1HlZoY-WZVyynwvwAg |
576 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2670 |
577 | + |
578 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c |
579 | +=================================================================== |
580 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2011-12-08 21:00:53.000000000 -0500 |
581 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2014-12-20 05:47:01.139407818 -0500 |
582 | +@@ -947,6 +947,7 @@ |
583 | + fast_xmit(rbufp, MODE_ACTIVE, 0, |
584 | + restrict_mask); |
585 | + sys_restricted++; |
586 | ++ return; |
587 | + } |
588 | + } |
589 | + |
590 | diff --git a/debian/patches/CVE-2014-9297.patch b/debian/patches/CVE-2014-9297.patch |
591 | new file mode 100644 |
592 | index 0000000..b367d81 |
593 | --- /dev/null |
594 | +++ b/debian/patches/CVE-2014-9297.patch |
595 | @@ -0,0 +1,371 @@ |
596 | +Description: fix denial of service and possible info leakage via |
597 | + extension fields |
598 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5492d353ncauuWt_PONxaDhC5Qv_SA |
599 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54a7c595jlwS3KmAxBML75HFGLR_pQ |
600 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54abb266In81wLNAqIaovtP8f2UmUw |
601 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2671 |
602 | + |
603 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c |
604 | +=================================================================== |
605 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-02-06 07:58:50.000000000 -0500 |
606 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-02-06 08:44:08.207402853 -0500 |
607 | +@@ -109,6 +109,7 @@ |
608 | + #define TAI_1972 10 /* initial TAI offset (s) */ |
609 | + #define MAX_LEAP 100 /* max UTC leapseconds (s) */ |
610 | + #define VALUE_LEN (6 * 4) /* min response field length */ |
611 | ++#define MAX_VALLEN (65535 - VALUE_LEN) |
612 | + #define YEAR (60 * 60 * 24 * 365) /* seconds in year */ |
613 | + |
614 | + /* |
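Review bot: `MAX_VALLEN` is the only define in this block without a trailing comment; its neighbours all carry one. Suggest something like `/* max value length: 16-bit field length less the VALUE_LEN header */`, since the bound derives from the 16-bit length carried in the low half of `opcode` (`opcode & 0x0000ffff` in the hunks below) minus VALUE_LEN.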
615 | +@@ -147,8 +148,8 @@ |
616 | + */ |
617 | + static int crypto_verify (struct exten *, struct value *, |
618 | + struct peer *); |
619 | +-static int crypto_encrypt (struct exten *, struct value *, |
620 | +- keyid_t *); |
621 | ++static int crypto_encrypt (const u_char *, u_int, keyid_t *, |
622 | ++ struct value *); |
623 | + static int crypto_alice (struct peer *, struct value *); |
624 | + static int crypto_alice2 (struct peer *, struct value *); |
625 | + static int crypto_alice3 (struct peer *, struct value *); |
626 | +@@ -444,6 +445,12 @@ |
627 | + tstamp = ntohl(ep->tstamp); |
628 | + fstamp = ntohl(ep->fstamp); |
629 | + vallen = ntohl(ep->vallen); |
630 | ++ /* |
631 | ++ * Bug 2761: I hope this isn't too early... |
632 | ++ */ |
633 | ++ if ( vallen == 0 |
634 | ++ || len - VALUE_LEN < vallen) |
635 | ++ return XEVNT_LEN; |
636 | + } |
637 | + switch (code) { |
638 | + |
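Review bot: `len - VALUE_LEN < vallen` is only a valid check if `len >= VALUE_LEN` already holds here; with `len` unsigned the subtraction otherwise wraps and the test passes for any `vallen`. Nothing in this hunk establishes that bound (the `INSIST(len >= VALUE_LEN)` appears later, inside the switch), and the comment "I hope this isn't too early" reads as an open question rather than documentation. Suggest `if (len < VALUE_LEN || vallen == 0 || len - VALUE_LEN < vallen) return XEVNT_LEN;`. Also, the comment cites Bug 2761 while the patch header cites bug 2671; one of the two looks transposed.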
639 | +@@ -494,8 +501,9 @@ |
640 | + rval = XEVNT_ERR; |
641 | + break; |
642 | + } |
643 | ++ INSIST(len >= VALUE_LEN); |
644 | + if (vallen == 0 || vallen > MAXHOSTNAME || |
645 | +- len < VALUE_LEN + vallen) { |
646 | ++ len - VALUE_LEN < vallen) { |
647 | + rval = XEVNT_LEN; |
648 | + break; |
649 | + } |
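Review bot: `INSIST(len >= VALUE_LEN)` turns a length violation into an assertion failure instead of the `XEVNT_LEN` return used two lines below; if any packet can reach this case with `len < VALUE_LEN`, that is a remote abort of ntpd, which is worse than the problem the rewritten comparison avoids (`len < VALUE_LEN + vallen` could wrap for a large `vallen`, while `len - VALUE_LEN < vallen` cannot once `len >= VALUE_LEN`). The crypto_bob hunk further down checks `len < VALUE_LEN` explicitly and returns `XEVNT_LEN`; the same pattern would be safer here unless the caller guarantees the bound.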
650 | +@@ -1162,8 +1170,9 @@ |
651 | + * choice. |
652 | + */ |
653 | + case CRYPTO_CERT | CRYPTO_RESP: |
654 | +- vallen = ntohl(ep->vallen); |
655 | +- if (vallen == 0 || vallen > MAXHOSTNAME) { |
656 | ++ vallen = ntohl(ep->vallen); /* Must be <64k */ |
657 | ++ if (vallen == 0 || vallen > MAXHOSTNAME || |
658 | ++ len - VALUE_LEN < vallen) { |
659 | + rval = XEVNT_LEN; |
660 | + break; |
661 | + |
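Review bot: the new comment `/* Must be <64k */` states an invariant that the condition beneath it does not check; it holds only indirectly, because `vallen > MAXHOSTNAME` rejects anything above a hostname-sized bound. Either drop the comment or compare against `MAX_VALLEN` as the other hunks do, so the intent is visible in the code. The `len - VALUE_LEN` subtraction again relies on `len >= VALUE_LEN` having been established before this switch.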
662 | +@@ -1315,7 +1324,10 @@ |
663 | + * anything goes wrong. |
664 | + */ |
665 | + case CRYPTO_COOK | CRYPTO_RESP: |
666 | +- if ((opcode & 0xffff) < VALUE_LEN) { |
667 | ++ vallen = ntohl(ep->vallen); /* Must be <64k */ |
668 | ++ if ( vallen == 0 |
669 | ++ || (vallen >= MAX_VALLEN) |
670 | ++ || (opcode & 0x0000ffff) < VALUE_LEN + vallen) { |
671 | + rval = XEVNT_LEN; |
672 | + break; |
673 | + } |
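Review bot: `vallen >= MAX_VALLEN` rejects `vallen == MAX_VALLEN` here, whereas crypto_verify and crypto_bob use `vallen > MAX_VALLEN` and accept it; pick one bound and apply it consistently, or comment why the cookie response is stricter. The arithmetic is sound: with `vallen < MAX_VALLEN`, `VALUE_LEN + vallen` stays below 65536 and cannot wrap before it is compared with the 16-bit `opcode & 0x0000ffff`. The mask is spelled `0x0000ffff` here and `0xffff` in the removed line; the crypto_args hunk also uses `0x0000ffff`, so keep that spelling.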
674 | +@@ -1323,8 +1335,8 @@ |
675 | + tcookie = cookie; |
676 | + else |
677 | + tcookie = peer->hcookie; |
678 | +- if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) == |
679 | +- XEVNT_OK) { |
680 | ++ if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp)) |
681 | ++ == XEVNT_OK) { |
682 | + len = crypto_send(fp, &vtemp, start); |
683 | + value_free(&vtemp); |
684 | + } |
685 | +@@ -1464,13 +1476,16 @@ |
686 | + * up to the next word (4 octets). |
687 | + */ |
688 | + vallen = ntohl(ep->vallen); |
689 | +- if (vallen == 0) |
690 | ++ if ( vallen == 0 |
691 | ++ || vallen > MAX_VALLEN) |
692 | + return (XEVNT_LEN); |
693 | + |
694 | + i = (vallen + 3) / 4; |
695 | + siglen = ntohl(ep->pkt[i++]); |
696 | +- if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) / |
697 | +- 4) * 4) |
698 | ++ if ( siglen > MAX_VALLEN |
699 | ++ || len - VALUE_LEN < ((vallen + 3) / 4) * 4 |
700 | ++ || len - VALUE_LEN - ((vallen + 3) / 4) * 4 |
701 | ++ < ((siglen + 3) / 4) * 4) |
702 | + return (XEVNT_LEN); |
703 | + |
704 | + /* |
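Review bot: `siglen = ntohl(ep->pkt[i++])` reads the signature-length word before the following `if` confirms that `len - VALUE_LEN >= ((vallen + 3) / 4) * 4`, so the read is at an offset that has not yet been checked against this packet's `len`; the only bound applied so far is `vallen > MAX_VALLEN`, which is a protocol maximum, not the received length. Suggest splitting the check: validate the rounded `vallen` against `len - VALUE_LEN` first, then read `siglen`, then validate `siglen`. The chained subtractions in the new condition are the right shape, since each term is tested before it is subtracted.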
705 | +@@ -1528,6 +1543,7 @@ |
706 | + * proventic bit. What a relief. |
707 | + */ |
708 | + EVP_VerifyInit(&ctx, peer->digest); |
709 | ++ /* XXX: the "+ 12" needs to be at least documented... */ |
710 | + EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12); |
711 | + if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, |
712 | + pkey) <= 0) |
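Review bot: the `XXX: the "+ 12" needs to be at least documented...` comment should not ship as an open XXX. The 12 is the three 32-bit words `tstamp`, `fstamp` and `vallen` that precede `pkt`, which is exactly what the signer covers in crypto_encrypt below (`EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12)`). Replace the XXX with that explanation, or better a named constant shared by the sign and verify sides so they cannot drift apart.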
713 | +@@ -1540,34 +1556,31 @@ |
714 | + |
715 | + |
716 | + /* |
717 | +- * crypto_encrypt - construct encrypted cookie and signature from |
718 | +- * extension field and cookie |
719 | ++ * crypto_encrypt - construct vp (encrypted cookie and signature) from |
720 | ++ * the public key and cookie. |
721 | + * |
722 | +- * Returns |
723 | ++ * Returns: |
724 | + * XEVNT_OK success |
725 | + * XEVNT_CKY bad or missing cookie |
726 | + * XEVNT_PUB bad or missing public key |
727 | + */ |
728 | + static int |
729 | + crypto_encrypt( |
730 | +- struct exten *ep, /* extension pointer */ |
731 | +- struct value *vp, /* value pointer */ |
732 | +- keyid_t *cookie /* server cookie */ |
733 | ++ const u_char *ptr, /* Public Key */ |
734 | ++ u_int vallen, /* Length of Public Key */ |
735 | ++ keyid_t *cookie, /* server cookie */ |
736 | ++ struct value *vp /* value pointer */ |
737 | + ) |
738 | + { |
739 | + EVP_PKEY *pkey; /* public key */ |
740 | + EVP_MD_CTX ctx; /* signature context */ |
741 | + tstamp_t tstamp; /* NTP timestamp */ |
742 | + u_int32 temp32; |
743 | +- u_int len; |
744 | +- u_char *ptr; |
745 | + |
746 | + /* |
747 | + * Extract the public key from the request. |
748 | + */ |
749 | +- len = ntohl(ep->vallen); |
750 | +- ptr = (u_char *)ep->pkt; |
751 | +- pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len); |
752 | ++ pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen); |
753 | + if (pkey == NULL) { |
754 | + msyslog(LOG_ERR, "crypto_encrypt: %s", |
755 | + ERR_error_string(ERR_get_error(), NULL)); |
756 | +@@ -1581,9 +1594,9 @@ |
757 | + tstamp = crypto_time(); |
758 | + vp->tstamp = htonl(tstamp); |
759 | + vp->fstamp = hostval.tstamp; |
760 | +- len = EVP_PKEY_size(pkey); |
761 | +- vp->vallen = htonl(len); |
762 | +- vp->ptr = emalloc(len); |
763 | ++ vallen = EVP_PKEY_size(pkey); |
764 | ++ vp->vallen = htonl(vallen); |
765 | ++ vp->ptr = emalloc(vallen); |
766 | + ptr = vp->ptr; |
767 | + temp32 = htonl(*cookie); |
768 | + if (RSA_public_encrypt(4, (u_char *)&temp32, ptr, |
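Review bot: `ptr = vp->ptr;` reuses the `const u_char *ptr` parameter (the DER-encoded public key) as the output pointer, and it is then passed as the destination of `RSA_public_encrypt(4, (u_char *)&temp32, ptr, ...)`, which takes a writable `unsigned char *`; that either needs a cast or draws a discarded-qualifier warning, and it makes input and output share a name. Likewise the `vallen` parameter (the key length) is overwritten with `EVP_PKEY_size(pkey)`. Suggest a separate `u_char *out` and a `u_int len` local for the ciphertext size, keeping the parameters read-only.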
769 | +@@ -1601,8 +1614,8 @@ |
770 | + vp->sig = emalloc(sign_siglen); |
771 | + EVP_SignInit(&ctx, sign_digest); |
772 | + EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); |
773 | +- EVP_SignUpdate(&ctx, vp->ptr, len); |
774 | +- if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) |
775 | ++ EVP_SignUpdate(&ctx, vp->ptr, vallen); |
776 | ++ if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) |
777 | + vp->siglen = htonl(sign_siglen); |
778 | + return (XEVNT_OK); |
779 | + } |
780 | +@@ -1673,6 +1686,9 @@ |
781 | + * call in the protocol module. |
782 | + * |
783 | + * Returns extension field pointer (no errors) |
784 | ++ * |
785 | ++ * XXX: opcode and len should really be 32-bit quantities and |
786 | ++ * we should make sure that str is not too big. |
787 | + */ |
788 | + struct exten * |
789 | + crypto_args( |
790 | +@@ -1685,24 +1701,31 @@ |
791 | + tstamp_t tstamp; /* NTP timestamp */ |
792 | + struct exten *ep; /* extension field pointer */ |
793 | + u_int len; /* extension field length */ |
794 | ++ size_t slen; |
795 | + |
796 | + tstamp = crypto_time(); |
797 | + len = sizeof(struct exten); |
798 | +- if (str != NULL) |
799 | +- len += strlen(str); |
800 | ++ if (str != NULL) { |
801 | ++ slen = strlen(str); |
802 | ++ INSIST(slen < MAX_VALLEN); |
803 | ++ len += slen; |
804 | ++ } |
805 | + ep = emalloc(len); |
806 | + memset(ep, 0, len); |
807 | + if (opcode == 0) |
808 | + return (ep); |
809 | + |
810 | ++ REQUIRE(0 == (len & ~0x0000ffff)); |
811 | ++ REQUIRE(0 == (opcode & ~0xffff0000)); |
812 | ++ |
813 | + ep->opcode = htonl(opcode + len); |
814 | + ep->associd = htonl(associd); |
815 | + ep->tstamp = htonl(tstamp); |
816 | + ep->fstamp = hostval.tstamp; |
817 | + ep->vallen = 0; |
818 | + if (str != NULL) { |
819 | +- ep->vallen = htonl(strlen(str)); |
820 | +- memcpy((char *)ep->pkt, str, strlen(str)); |
821 | ++ ep->vallen = htonl(slen); |
822 | ++ memcpy((char *)ep->pkt, str, slen); |
823 | + } |
824 | + return (ep); |
825 | + } |
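Review bot: `INSIST(slen < MAX_VALLEN)` uses a strict bound while crypto_send's `INSIST(vallen <= MAX_VALLEN)` allows equality; both describe the same value field, so align them. The two `REQUIRE`s are acceptable as internal preconditions (`str` comes from the caller, not the wire), and `htonl(opcode + len)` only composes correctly because `REQUIRE(0 == (len & ~0x0000ffff))` and `REQUIRE(0 == (opcode & ~0xffff0000))` guarantee the halves do not overlap; `opcode | len` would state that more directly. Note that `len` is `sizeof(struct exten) + slen`, so the 16-bit `REQUIRE` on `len` is what actually protects the packed opcode word, not the assertion on `slen`.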
826 | +@@ -1715,6 +1738,8 @@ |
827 | + * Note: it is not polite to send a nonempty signature with zero |
828 | + * timestamp or a nonzero timestamp with an empty signature, but those |
829 | + * rules are not enforced here. |
830 | ++ * |
831 | ++ * XXX This code won't work on a box with 16-bit ints. |
832 | + */ |
833 | + int |
834 | + crypto_send( |
835 | +@@ -1730,8 +1755,9 @@ |
836 | + * Calculate extension field length and check for buffer |
837 | + * overflow. Leave room for the MAC. |
838 | + */ |
839 | +- len = 16; |
840 | ++ len = 16; /* XXX Document! */ |
841 | + vallen = ntohl(vp->vallen); |
842 | ++ INSIST(vallen <= MAX_VALLEN); |
843 | + len += ((vallen + 3) / 4 + 1) * 4; |
844 | + siglen = ntohl(vp->siglen); |
845 | + len += ((siglen + 3) / 4 + 1) * 4; |
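Review bot: `len = 16; /* XXX Document! */` leaves another XXX where the explanation should be. The 16 is the four leading 32-bit words of `struct exten` (`opcode`, `associd`, `tstamp`, `fstamp`), and the `+ 1` in each of `((vallen + 3) / 4 + 1) * 4` and `((siglen + 3) / 4 + 1) * 4` accounts for the `vallen` and `siglen` words respectively; write that as the comment. The `INSIST(vallen <= MAX_VALLEN)` is on a value built locally (see crypto_encrypt and crypto_bob), so an assertion rather than an error return is appropriate here.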
846 | +@@ -1772,6 +1798,7 @@ |
847 | + } |
848 | + opcode = ntohl(ep->opcode); |
849 | + ep->opcode = htonl((opcode & 0xffff0000) | len); |
850 | ++ ENSURE(len <= MAX_VALLEN); |
851 | + return (len); |
852 | + } |
853 | + |
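Review bot: `ENSURE(len <= MAX_VALLEN)` comes after `ep->opcode = htonl((opcode & 0xffff0000) | len);`, so by the time it fires the length has already been OR-ed into the opcode word, and any bits above 16 would have landed in the opcode half. Move the check above the assignment, or check `len <= 0xffff`, which is the real field width; MAX_VALLEN is stricter than needed for a total field length that already includes the 16-byte header.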
854 | +@@ -1807,7 +1834,6 @@ |
855 | + if (hostval.tstamp == 0) |
856 | + return; |
857 | + |
858 | +- |
859 | + /* |
860 | + * Sign public key and timestamps. The filestamp is derived from |
861 | + * the host key file extension from wherever the file was |
862 | +@@ -2108,7 +2134,8 @@ |
863 | + tstamp_t tstamp; /* NTP timestamp */ |
864 | + BIGNUM *bn, *bk, *r; |
865 | + u_char *ptr; |
866 | +- u_int len; |
867 | ++ u_int len; /* extension field length */ |
868 | ++ u_int vallen = 0; /* value length */ |
869 | + |
870 | + /* |
871 | + * If the IFF parameters are not valid, something awful |
872 | +@@ -2123,8 +2150,11 @@ |
873 | + /* |
874 | + * Extract r from the challenge. |
875 | + */ |
876 | +- len = ntohl(ep->vallen); |
877 | +- if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { |
878 | ++ vallen = ntohl(ep->vallen); |
879 | ++ len = ntohl(ep->opcode) & 0x0000ffff; |
880 | ++ if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen) |
881 | ++ return XEVNT_LEN; |
882 | ++ if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) { |
883 | + msyslog(LOG_ERR, "crypto_bob: %s", |
884 | + ERR_error_string(ERR_get_error(), NULL)); |
885 | + return (XEVNT_ERR); |
886 | +@@ -2136,7 +2166,7 @@ |
887 | + */ |
888 | + bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new(); |
889 | + sdsa = DSA_SIG_new(); |
890 | +- BN_rand(bk, len * 8, -1, 1); /* k */ |
891 | ++ BN_rand(bk, vallen * 8, -1, 1); /* k */ |
892 | + BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */ |
893 | + BN_add(bn, bn, bk); |
894 | + BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */ |
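Review bot: `BN_rand(bk, vallen * 8, -1, 1)` sizes the random `k` from the request's `vallen`, which after the new length check is bounded only by the packet length (at most MAX_VALLEN), not by the size of `dsa->q` that the following lines reduce modulo. Consider clamping the bit count to `BN_num_bits(dsa->q)` so a large but well-formed challenge does not drive an oversized random generation and multiplication; not a blocker for the backport, since this matches the upstream code the Origin lines point at.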
895 | +@@ -2155,30 +2185,37 @@ |
896 | + * Encode the values in ASN.1 and sign. The filestamp is from |
897 | + * the local file. |
898 | + */ |
899 | +- len = i2d_DSA_SIG(sdsa, NULL); |
900 | +- if (len == 0) { |
901 | ++ vallen = i2d_DSA_SIG(sdsa, NULL); |
902 | ++ if (vallen == 0) { |
903 | + msyslog(LOG_ERR, "crypto_bob: %s", |
904 | + ERR_error_string(ERR_get_error(), NULL)); |
905 | + DSA_SIG_free(sdsa); |
906 | + return (XEVNT_ERR); |
907 | + } |
908 | ++ if (vallen > MAX_VALLEN) { |
909 | ++ msyslog(LOG_ERR, "crypto_bob: signature is too big: %d", |
910 | ++ vallen); |
911 | ++ DSA_SIG_free(sdsa); |
912 | ++ return (XEVNT_LEN); |
913 | ++ } |
914 | + memset(vp, 0, sizeof(struct value)); |
915 | + tstamp = crypto_time(); |
916 | + vp->tstamp = htonl(tstamp); |
917 | + vp->fstamp = htonl(iffkey_info->fstamp); |
918 | +- vp->vallen = htonl(len); |
919 | +- ptr = emalloc(len); |
920 | ++ vp->vallen = htonl(vallen); |
921 | ++ ptr = emalloc(vallen); |
922 | + vp->ptr = ptr; |
923 | + i2d_DSA_SIG(sdsa, &ptr); |
924 | + DSA_SIG_free(sdsa); |
925 | + if (tstamp == 0) |
926 | + return (XEVNT_OK); |
927 | + |
928 | ++ /* XXX: more validation to make sure the sign fits... */ |
929 | + vp->sig = emalloc(sign_siglen); |
930 | + EVP_SignInit(&ctx, sign_digest); |
931 | + EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); |
932 | +- EVP_SignUpdate(&ctx, vp->ptr, len); |
933 | +- if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) |
934 | ++ EVP_SignUpdate(&ctx, vp->ptr, vallen); |
935 | ++ if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) |
936 | + vp->siglen = htonl(sign_siglen); |
937 | + return (XEVNT_OK); |
938 | + } |
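Review bot: `msyslog(LOG_ERR, "crypto_bob: signature is too big: %d", vallen)` formats a `u_int` with `%d`; use `%u`. Related: `vallen = i2d_DSA_SIG(sdsa, NULL)` stores an `int` return in a `u_int`, so a negative error return never hits the `vallen == 0` branch but becomes a huge value caught by the new `vallen > MAX_VALLEN` branch with a misleading "too big" message. Capturing the return in an `int`, testing `<= 0`, and only then assigning to `vallen` keeps the diagnostics honest.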
939 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c |
940 | +=================================================================== |
941 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-02-06 07:58:50.000000000 -0500 |
942 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-02-06 08:32:45.146114360 -0500 |
943 | +@@ -431,7 +431,7 @@ |
944 | + */ |
945 | + authlen = LEN_PKT_NOMAC; |
946 | + has_mac = rbufp->recv_length - authlen; |
947 | +- while (has_mac != 0) { |
948 | ++ while (has_mac > 0) { |
949 | + u_int32 len; |
950 | + |
951 | + if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) { |
952 | +@@ -456,6 +456,14 @@ |
953 | + } |
954 | + |
955 | + /* |
956 | ++ * If has_mac is < 0 we had a malformed packet. |
957 | ++ */ |
958 | ++ if (has_mac < 0) { |
959 | ++ sys_badlength++; |
960 | ++ return; /* bad length */ |
961 | ++ } |
962 | ++ |
963 | ++ /* |
964 | + * If authentication required, a MAC must be present. |
965 | + */ |
966 | + if (restrict_mask & RES_DONTTRUST && has_mac == 0) { |
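Review bot: the `while (has_mac > 0)` change and the new `if (has_mac < 0)` bail-out only work if `has_mac` is a signed type; it is computed as `rbufp->recv_length - authlen` and its declaration is outside both hunks. If it is unsigned, `> 0` is identical to the old `!= 0`, the `< 0` test is dead code, and a packet shorter than LEN_PKT_NOMAC still enters the loop with a wrapped length. Please confirm the declaration (and that the loop's own `has_mac < MIN_MAC_LEN` test is not defeated by a wrap) before taking the patch.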
967 | diff --git a/debian/patches/CVE-2014-9298.patch b/debian/patches/CVE-2014-9298.patch |
968 | new file mode 100644 |
969 | index 0000000..6a5ea31 |
970 | --- /dev/null |
971 | +++ b/debian/patches/CVE-2014-9298.patch |
972 | @@ -0,0 +1,43 @@ |
973 | +Description: fix IPv6 ACL bypass |
974 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54922b65gDSbE4G7c3JjkuK1Tv33qQ |
975 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5492d2879rotbnnuVch_ZC3RAfS8AA |
976 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5493f333hALqPcXLR4-76bC6j-16xQ |
977 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5496213frLaEz5PHLZVhuYjM7Lalkw |
978 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/ntpd/ntp_io.c?PAGE=diffs&REV=54a0f621LdfQSkkWKUKN6PaFbH25_Q |
979 | +Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54c2228bpOp4_zrX9aGXdMEZJEGzkg |
980 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2672 |
981 | + |
982 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c |
983 | +=================================================================== |
984 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c 2011-11-30 21:55:17.000000000 -0500 |
985 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c 2015-02-06 08:57:54.277845529 -0500 |
986 | +@@ -3470,6 +3470,29 @@ |
987 | + fd, buflen, stoa(&rb->recv_srcadr))); |
988 | + |
989 | + /* |
990 | ++ ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1 |
991 | ++ */ |
992 | ++ |
993 | ++ if (AF_INET6 == itf->family) { |
994 | ++ DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n", |
995 | ++ stoa(&rb->recv_srcadr), |
996 | ++ IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)), |
997 | ++ stoa(&itf->sin), |
998 | ++ !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin)) |
999 | ++ )); |
1000 | ++ |
1001 | ++ if ( IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)) |
1002 | ++ && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin)) |
1003 | ++ ) { |
1004 | ++ packets_dropped++; |
1005 | ++ DPRINTF(2, ("DROPPING that packet\n")); |
1006 | ++ freerecvbuf(rb); |
1007 | ++ return buflen; |
1008 | ++ } |
1009 | ++ DPRINTF(2, ("processing that packet\n")); |
1010 | ++ } |
1011 | ++ |
1012 | ++ /* |
1013 | + * Got one. Mark how and when it got here, |
1014 | + * put it on the full list and do bookkeeping. |
1015 | + */ |
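Review bot: the drop applies only under `AF_INET6 == itf->family`, i.e. a packet whose source is loopback (`IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))`) arriving on an interface that is not; there is no IPv4 counterpart, so the patch relies on the kernel for spoofed 127/8 sources, and the Bug 2672 comment only documents the ::1 case. Worth stating that in the patch description. Two smaller points: the first `DPRINTF(2, ...)` fires for every IPv6 packet when debugging is on, not just dropped ones, and `return buflen;` after `freerecvbuf(rb);` needs to match what the rest of this function returns for a discarded buffer, which is not visible in the hunk.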
1016 | diff --git a/debian/patches/CVE-2015-1798.patch b/debian/patches/CVE-2015-1798.patch |
1017 | new file mode 100644 |
1018 | index 0000000..1eb65ba |
1019 | --- /dev/null |
1020 | +++ b/debian/patches/CVE-2015-1798.patch |
1021 | @@ -0,0 +1,33 @@ |
1022 | +Description: fix symmetric key unauthenticated packet MITM attack |
1023 | +Origin: upstream, http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A |
1024 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2779 |
1025 | + |
1026 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c |
1027 | +=================================================================== |
1028 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-04-07 12:47:11.000000000 -0400 |
1029 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-04-07 12:47:56.583800918 -0400 |
1030 | +@@ -1131,18 +1121,20 @@ |
1031 | + return; |
1032 | + |
1033 | + /* |
1034 | +- * If the digest fails, the client cannot authenticate a server |
1035 | ++ * If the digest fails or it's missing for authenticated |
1036 | ++ * associations, the client cannot authenticate a server |
1037 | + * reply to a client packet previously sent. The loopback check |
1038 | + * is designed to avoid a bait-and-switch attack, which was |
1039 | + * possible in past versions. If symmetric modes, return a |
1040 | + * crypto-NAK. The peer should restart the protocol. |
1041 | + */ |
1042 | +- } else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST), |
1043 | +- is_authentic)) { |
1044 | ++ } else if (!AUTH(peer->keyid || has_mac || |
1045 | ++ (restrict_mask & RES_DONTTRUST), is_authentic)) { |
1046 | + report_event(PEVNT_AUTH, peer, "digest"); |
1047 | + peer->flash |= TEST5; /* bad auth */ |
1048 | + peer->badauth++; |
1049 | +- if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE) |
1050 | ++ if (has_mac && |
1051 | ++ (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)) |
1052 | + fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask); |
1053 | + if (peer->flags & FLAG_PREEMPT) { |
1054 | + unpeer(peer); |
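Review bot: adding `peer->keyid` to the AUTH() condition means a packet that arrives without a MAC for an association configured with a key is now an authentication failure (TEST5) instead of being accepted, and the crypto-NAK reply is sent only when `has_mac` is set, so an unauthenticated packet cannot trigger the NAK path; both look right. Maintenance point: this file and CVE-2015-1799.patch cite the same upstream revision (REV=550a80b0...), and this hunk's header `@@ -1131,18 +1121,20 @@` shows old and new line numbers ten apart, matching the ten lines CVE-2015-1799.patch relocates, which suggests the two were split from one diff. quilt will apply it with an offset, but regenerating both against a clean tree in series order would avoid fuzz.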
1055 | diff --git a/debian/patches/CVE-2015-1799.patch b/debian/patches/CVE-2015-1799.patch |
1056 | new file mode 100644 |
1057 | index 0000000..4882970 |
1058 | --- /dev/null |
1059 | +++ b/debian/patches/CVE-2015-1799.patch |
1060 | @@ -0,0 +1,42 @@ |
1061 | +Description: fix symmetric association DoS attack |
1062 | +Origin: upstream, http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A |
1063 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2781 |
1064 | + |
1065 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c |
1066 | +=================================================================== |
1067 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-04-07 12:52:45.538476188 -0400 |
1068 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-04-07 12:52:45.534476151 -0400 |
1069 | +@@ -1102,16 +1102,6 @@ |
1070 | + } |
1071 | + |
1072 | + /* |
1073 | +- * Update the state variables. |
1074 | +- */ |
1075 | +- if (peer->flip == 0) { |
1076 | +- if (hismode != MODE_BROADCAST) |
1077 | +- peer->rec = p_xmt; |
1078 | +- peer->dst = rbufp->recv_time; |
1079 | +- } |
1080 | +- peer->xmt = p_xmt; |
1081 | +- |
1082 | +- /* |
1083 | + * If this is a crypto_NAK, the server cannot authenticate a |
1084 | + * client packet. The server might have just changed keys. Clear |
1085 | + * the association and restart the protocol. |
1086 | +@@ -1158,6 +1148,16 @@ |
1087 | + } |
1088 | + |
1089 | + /* |
1090 | ++ * Update the state variables. |
1091 | ++ */ |
1092 | ++ if (peer->flip == 0) { |
1093 | ++ if (hismode != MODE_BROADCAST) |
1094 | ++ peer->rec = p_xmt; |
1095 | ++ peer->dst = rbufp->recv_time; |
1096 | ++ } |
1097 | ++ peer->xmt = p_xmt; |
1098 | ++ |
1099 | ++ /* |
1100 | + * Set the peer ppoll to the maximum of the packet ppoll and the |
1101 | + * peer minpoll. If a kiss-o'-death, set the peer minpoll to |
1102 | + * this maximumn and advance the headway to give the sender some |
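Review bot: relocating the `peer->rec`/`peer->dst`/`peer->xmt` update from before the crypto-NAK handling to after the authentication checks is the fix: the state variables are now only touched by packets that passed those checks, so an unauthenticated packet can no longer reset the association's timestamps. The `maximumn` typo in the trailing context is pre-existing and not this patch's to fix. The Origin URL is shared with CVE-2015-1798.patch; see that file's hunk header for the resulting line offset.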
1103 | diff --git a/debian/patches/CVE-2015-5146.patch b/debian/patches/CVE-2015-5146.patch |
1104 | new file mode 100644 |
1105 | index 0000000..a6a05af |
1106 | --- /dev/null |
1107 | +++ b/debian/patches/CVE-2015-5146.patch |
1108 | @@ -0,0 +1,128 @@ |
1109 | +Backport of: |
1110 | + |
1111 | +From c3e7afb9cd88784c6b4f81182bd878fc3a2d23a1 Mon Sep 17 00:00:00 2001 |
1112 | +From: <jnperlin@hydra.(none)> |
1113 | +Date: Wed, 24 Jun 2015 09:18:52 +0200 |
1114 | +Subject: [PATCH] Bug 2853 - FICORA #829967 |
1115 | + |
1116 | +--- |
1117 | + ChangeLog | 1 + |
1118 | + ntpd/ntp_control.c | 77 +++++++++++++++++++++++++++++++++++++++--------------- |
1119 | + 2 files changed, 57 insertions(+), 21 deletions(-) |
1120 | + |
1121 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c |
1122 | +=================================================================== |
1123 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_control.c 2015-10-23 08:51:25.428716718 -0400 |
1124 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c 2015-10-23 08:53:11.285800571 -0400 |
1125 | +@@ -2471,6 +2471,35 @@ |
1126 | + ctl_flushpkt(0); |
1127 | + } |
1128 | + |
1129 | ++/* Bug 2853 */ |
1130 | ++/* evaluate the length of the command sequence. This breaks at the first |
1131 | ++ * char that is not >= SPACE and <= 127 after trimming from the right. |
1132 | ++ */ |
1133 | ++static size_t |
1134 | ++cmdlength( |
1135 | ++ const char *src_buf, |
1136 | ++ const char *src_end |
1137 | ++ ) |
1138 | ++{ |
1139 | ++ const char *scan; |
1140 | ++ unsigned char ch; |
1141 | ++ |
1142 | ++ /* trim whitespace & garbage from the right */ |
1143 | ++ while (src_end != src_buf) { |
1144 | ++ ch = src_end[-1]; |
1145 | ++ if (ch > ' ' && ch < 128) |
1146 | ++ break; |
1147 | ++ --src_end; |
1148 | ++ } |
1149 | ++ /* now do a forward scan */ |
1150 | ++ for (scan = src_buf; scan != src_end; ++scan) { |
1151 | ++ ch = scan[0]; |
1152 | ++ if ((ch < ' ' || ch >= 128) && ch != '\t') |
1153 | ++ break; |
1154 | ++ } |
1155 | ++ return (size_t)(scan - src_buf); |
1156 | ++} |
1157 | ++ |
1158 | + /* |
1159 | + * configure() processes ntpq :config/config-from-file, allowing |
1160 | + * generic runtime reconfiguration. |
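Review bot: the right-trim loop strips every trailing byte that is `<= ' '` or `>= 128`, including a trailing newline, but the caller in the next hunks rejects the whole request when the returned length differs from `reqend - reqpt`. The net effect is that a request ending in `\n` or a space is refused as containing an unprintable character, whereas the code removed from configure() used to tolerate a trailing `\n`. If ntpq can still send one, this breaks `:config`; if it cannot, the trim is unnecessary and cmdlength could be a plain forward scan. The forward scan accepting `\t` while the trim treats it as garbage is consistent only because a trailing tab then causes rejection.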
1161 | +@@ -2482,7 +2511,6 @@ |
1162 | + { |
1163 | + size_t data_count; |
1164 | + int retval; |
1165 | +- int replace_nl; |
1166 | + |
1167 | + /* I haven't yet implemented changes to an existing association. |
1168 | + * Hence check if the association id is 0 |
1169 | +@@ -2506,7 +2534,7 @@ |
1170 | + } |
1171 | + |
1172 | + /* Initialize the remote config buffer */ |
1173 | +- data_count = reqend - reqpt; |
1174 | ++ data_count = cmdlength(reqpt, reqend); |
1175 | + |
1176 | + if (data_count > sizeof(remote_config.buffer) - 2) { |
1177 | + snprintf(remote_config.err_msg, |
1178 | +@@ -2520,32 +2548,41 @@ |
1179 | + stoa(&rbufp->recv_srcadr)); |
1180 | + return; |
1181 | + } |
1182 | ++ /* Bug 2853 -- check if all characters were acceptable */ |
1183 | ++ if (data_count != (size_t)(reqend - reqpt)) { |
1184 | ++ snprintf(remote_config.err_msg, |
1185 | ++ sizeof(remote_config.err_msg), |
1186 | ++ "runtime configuration failed: request contains an unprintable character"); |
1187 | ++ ctl_putdata(remote_config.err_msg, |
1188 | ++ strlen(remote_config.err_msg), 0); |
1189 | ++ ctl_flushpkt(0); |
1190 | ++ msyslog(LOG_NOTICE, |
1191 | ++ "runtime config from %s rejected: request contains an unprintable character: %0x", |
1192 | ++ stoa(&rbufp->recv_srcadr), |
1193 | ++ reqpt[data_count]); |
1194 | ++ return; |
1195 | ++ } |
1196 | + |
1197 | + memcpy(remote_config.buffer, reqpt, data_count); |
1198 | +- if (data_count > 0 |
1199 | +- && '\n' != remote_config.buffer[data_count - 1]) |
1200 | +- remote_config.buffer[data_count++] = '\n'; |
1201 | ++ /* The buffer has no trailing linefeed or NUL right now. For |
1202 | ++ * logging, we do not want a newline, so we do that first after |
1203 | ++ * adding the necessary NUL byte. |
1204 | ++ */ |
1205 | + remote_config.buffer[data_count] = '\0'; |
1206 | +- remote_config.pos = 0; |
1207 | +- remote_config.err_pos = 0; |
1208 | +- remote_config.no_errors = 0; |
1209 | +- |
1210 | +- /* do not include terminating newline in log */ |
1211 | +- if (data_count > 0 |
1212 | +- && '\n' == remote_config.buffer[data_count - 1]) { |
1213 | +- remote_config.buffer[data_count - 1] = '\0'; |
1214 | +- replace_nl = 1; |
1215 | +- } else |
1216 | +- replace_nl = 0; |
1217 | +- |
1218 | + DPRINTF(1, ("Got Remote Configuration Command: %s\n", |
1219 | + remote_config.buffer)); |
1220 | + msyslog(LOG_NOTICE, "%s config: %s", |
1221 | + stoa(&rbufp->recv_srcadr), |
1222 | + remote_config.buffer); |
1223 | + |
1224 | +- if (replace_nl) |
1225 | +- remote_config.buffer[data_count - 1] = '\n'; |
1226 | ++ /* Now we have to make sure there is a NL/NUL sequence at the |
1227 | ++ * end of the buffer before we parse it. |
1228 | ++ */ |
1229 | ++ remote_config.buffer[data_count++] = '\n'; |
1230 | ++ remote_config.buffer[data_count] = '\0'; |
1231 | ++ remote_config.pos = 0; |
1232 | ++ remote_config.err_pos = 0; |
1233 | ++ remote_config.no_errors = 0; |
1234 | + |
1235 | + config_remotely(&rbufp->recv_srcadr); |
1236 | + |
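Review bot: `reqpt[data_count]` is passed to `%0x` as a plain `char`; if `char` is signed, a byte >= 128 is sign-extended and logs as an `ffffff80`-style value. Cast to `(unsigned char)` and write the conversion as `0x%02x` (the `0` flag without a width does nothing). The size check `data_count > sizeof(remote_config.buffer) - 2` in the previous hunk correctly reserves the two bytes the new tail code writes (`'\n'` then `'\0'`), and logging the NUL-terminated copy before appending the newline removes the old `replace_nl` dance, so that part is fine. Combined with cmdlength's right-trim, any request with trailing whitespace now lands in this rejection branch.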
1237 | diff --git a/debian/patches/CVE-2015-5194.patch b/debian/patches/CVE-2015-5194.patch |
1238 | new file mode 100644 |
1239 | index 0000000..2938aa2 |
1240 | --- /dev/null |
1241 | +++ b/debian/patches/CVE-2015-5194.patch |
1242 | @@ -0,0 +1,49 @@ |
1243 | +Backport of: |
1244 | + |
1245 | +From 553f2fa65865c31c5e3c48812cfd46176cffdd27 Mon Sep 17 00:00:00 2001 |
1246 | +From: <davehart@shiny.ad.hartbrothers.com> |
1247 | +Date: Wed, 28 Jul 2010 05:33:53 +0000 |
1248 | +Subject: [PATCH] [Bug 1593] ntpd abort in free() with logconfig syntax error. |
1249 | + |
1250 | +--- |
1251 | + ChangeLog | 1 + |
1252 | + ntpd/ntp_parser.c | 114 +++++++++++++++++++++++++++++------------------------- |
1253 | + ntpd/ntp_parser.y | 24 ++++++++---- |
1254 | + 3 files changed, 80 insertions(+), 59 deletions(-) |
1255 | + |
1256 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y |
1257 | +=================================================================== |
1258 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_parser.y 2015-10-22 15:04:36.368602522 -0400 |
1259 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y 2015-10-22 15:04:36.368602522 -0400 |
1260 | +@@ -1037,14 +1037,24 @@ |
1261 | + log_config_command |
1262 | + : T_String |
1263 | + { |
1264 | +- char prefix = $1[0]; |
1265 | +- char *type = $1 + 1; |
1266 | ++ char prefix; |
1267 | ++ char * type; |
1268 | + |
1269 | +- if (prefix != '+' && prefix != '-' && prefix != '=') { |
1270 | +- yyerror("Logconfig prefix is not '+', '-' or '='\n"); |
1271 | +- } |
1272 | +- else |
1273 | +- $$ = create_attr_sval(prefix, estrdup(type)); |
1274 | ++ switch ($1[0]) { |
1275 | ++ |
1276 | ++ case '+': |
1277 | ++ case '-': |
1278 | ++ case '=': |
1279 | ++ prefix = $1[0]; |
1280 | ++ type = $1 + 1; |
1281 | ++ break; |
1282 | ++ |
1283 | ++ default: |
1284 | ++ prefix = '='; |
1285 | ++ type = $1; |
1286 | ++ } |
1287 | ++ |
1288 | ++ $$ = create_attr_sval(prefix, estrdup(type)); |
1289 | + YYFREE($1); |
1290 | + } |
1291 | + ; |
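Review bot: the upstream change summary lists `ntpd/ntp_parser.c | 114 ...`, the generated parser, but this backport touches only `ntp_parser.y`. Unless debian/rules regenerates ntp_parser.c with bison at build time, the shipped binary keeps the old action and the fix is a no-op; please confirm or include the regenerated file. On the change itself: an unprefixed logconfig item is now silently treated as `=item` (the `default:` case) instead of calling `yyerror()` and leaving `$$` unset, which is what led to the free() abort; a one-line comment on `default:` saying that the bare form means "set" would help the next reader.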
1292 | diff --git a/debian/patches/CVE-2015-5195.patch b/debian/patches/CVE-2015-5195.patch |
1293 | new file mode 100644 |
1294 | index 0000000..507ffb4 |
1295 | --- /dev/null |
1296 | +++ b/debian/patches/CVE-2015-5195.patch |
1297 | @@ -0,0 +1,47 @@ |
1298 | +Backport of: |
1299 | + |
1300 | +From 52e977d79a0c4ace997e5c74af429844da2f27be Mon Sep 17 00:00:00 2001 |
1301 | +From: <davehart@shiny.ad.hartbrothers.com> |
1302 | +Date: Thu, 6 Jan 2011 04:02:24 +0000 |
1303 | +Subject: [PATCH] [Bug 1773] openssl not detected during ./configure. [Bug |
1304 | + 1774] Segfaults if cryptostats enabled and built without OpenSSL. |
1305 | + |
1306 | +--- |
1307 | + ChangeLog | 2 ++ |
1308 | + m4/ntp_openssl.m4 | 38 ++++++++++++++++---------------------- |
1309 | + ntpd/ntp_config.c | 12 ++++++++++++ |
1310 | + ntpd/ntp_util.c | 12 ++---------- |
1311 | + 4 files changed, 32 insertions(+), 32 deletions(-) |
1312 | + |
1313 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c |
1314 | +=================================================================== |
1315 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_config.c 2015-10-22 15:07:29.534321900 -0400 |
1316 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c 2015-10-22 15:12:42.233434208 -0400 |
1317 | +@@ -2022,6 +2022,13 @@ |
1318 | + while (pfilegen_token != NULL) { |
1319 | + filegen_string = keyword(*pfilegen_token); |
1320 | + filegen = filegen_get(filegen_string); |
1321 | ++ if (NULL == filegen) { |
1322 | ++ msyslog(LOG_ERR, |
1323 | ++ "stats %s unrecognized", |
1324 | ++ filegen_string); |
1325 | ++ pfilegen_token = next_node(pfilegen_token); |
1326 | ++ continue; |
1327 | ++ } |
1328 | + |
1329 | + DPRINTF(4, ("enabling filegen for %s statistics '%s%s'\n", |
1330 | + filegen_string, filegen->prefix, |
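Review bot: the backport carries only the `ntp_config.c` part of the upstream commit; the change summary also lists `ntpd/ntp_util.c | 12 ++----------` under the same Bug 1774 (segfault with cryptostats built without OpenSSL) and `m4/ntp_openssl.m4` for Bug 1773. Dropping the m4 change is reasonable for a stable update, but the ntp_util.c hunk may be part of the same crash fix; please say in the header why it is omitted. The NULL check itself is right: a NULL from `filegen_get()` previously went straight into `filegen->prefix` in the DPRINTF below, and the `next_node()` plus `continue` avoids the dereference.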
1331 | +@@ -2035,6 +2042,13 @@ |
1332 | + while (my_node != NULL) { |
1333 | + filegen_file = keyword(my_node->filegen_token); |
1334 | + filegen = filegen_get(filegen_file); |
1335 | ++ if (NULL == filegen) { |
1336 | ++ msyslog(LOG_ERR, |
1337 | ++ "filegen category '%s' unrecognized", |
1338 | ++ filegen_file); |
1339 | ++ my_node = next_node(my_node); |
1340 | ++ continue; |
1341 | ++ } |
1342 | + |
1343 | + /* Initialize the filegen variables to their pre-configurtion states */ |
1344 | + filegen_flag = filegen->flag; |
1345 | diff --git a/debian/patches/CVE-2015-5196.patch b/debian/patches/CVE-2015-5196.patch |
1346 | new file mode 100644 |
1347 | index 0000000..2f7714a |
1348 | --- /dev/null |
1349 | +++ b/debian/patches/CVE-2015-5196.patch |
1350 | @@ -0,0 +1,57 @@ |
1351 | +Description: fix file overwrite via remote pidfile and driftfile |
1352 | + configuration directives |
1353 | +Origin: vendor, http://pkgs.fedoraproject.org/cgit/ntp.git/tree/ntp-4.2.6p5-cve-2015-5196.patch |
1354 | + |
1355 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y |
1356 | +=================================================================== |
1357 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_parser.y 2015-10-22 15:55:22.498495669 -0400 |
1358 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y 2015-10-22 15:55:22.498495669 -0400 |
1359 | +@@ -988,23 +988,43 @@ |
1360 | + |
1361 | + misc_cmd_str_keyword |
1362 | + : T_Leapfile |
1363 | +- | T_Pidfile |
1364 | + | T_Qos |
1365 | + ; |
1366 | + |
1367 | + misc_cmd_str_lcl_keyword |
1368 | + : T_Logfile |
1369 | ++ | T_Pidfile |
1370 | + | T_Saveconfigdir |
1371 | + ; |
1372 | + |
1373 | + drift_parm |
1374 | + : T_String |
1375 | +- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); } |
1376 | ++ { |
1377 | ++ if (input_from_file) { |
1378 | ++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); |
1379 | ++ } else { |
1380 | ++ YYFREE($1); |
1381 | ++ yyerror("driftfile remote configuration ignored"); |
1382 | ++ } |
1383 | ++ } |
1384 | + | T_String T_Double |
1385 | +- { enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2)); |
1386 | +- enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); } |
1387 | ++ { |
1388 | ++ if (input_from_file) { |
1389 | ++ enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2)); |
1390 | ++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); |
1391 | ++ } else { |
1392 | ++ YYFREE($1); |
1393 | ++ yyerror("driftfile remote configuration ignored"); |
1394 | ++ } |
1395 | ++ } |
1396 | + | /* Null driftfile, indicated by null string "\0" */ |
1397 | +- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, "\0")); } |
1398 | ++ { |
1399 | ++ if (input_from_file) { |
1400 | ++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, estrdup(""))); |
1401 | ++ } else { |
1402 | ++ yyerror("driftfile remote configuration ignored"); |
1403 | ++ } |
1404 | ++ } |
1405 | + ; |
1406 | + |
1407 | + variable_assign |
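Review bot: moving `T_Pidfile` to `misc_cmd_str_lcl_keyword` only helps if the rule that consumes that keyword list refuses remote input; that rule is outside the hunk, so please confirm. The three `drift_parm` alternatives gate on `input_from_file` and free `$1` on the remote path before `yyerror()`, which is consistent; the third replaces the literal `"\0"` with `estrdup("")`, needed because the attribute value is freed later (the same class of bug as CVE-2015-5194). As with CVE-2015-5194.patch, only `ntp_parser.y` changes, so the build must regenerate the parser for this to take effect. Minor: the message says `ignored` but is delivered through `yyerror()`, which signals an error to the remote caller; `rejected` would describe it better.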
1408 | diff --git a/debian/patches/CVE-2015-5219.patch b/debian/patches/CVE-2015-5219.patch |
1409 | new file mode 100644 |
1410 | index 0000000..35a651e |
1411 | --- /dev/null |
1412 | +++ b/debian/patches/CVE-2015-5219.patch |
1413 | @@ -0,0 +1,27 @@ |
1414 | +From 5f295cd05c3c136d39f5b3e500a2d781bdbb59c8 Mon Sep 17 00:00:00 2001 |
1415 | +From: <stenn@deacon.udel.edu> |
1416 | +Date: Wed, 24 Apr 2013 19:13:53 -0400 |
1417 | +Subject: [PATCH] [Bug 2382] Implement LOGTOD using ldexp() instead of shifting |
1418 | + |
1419 | +--- |
1420 | + ChangeLog | 1 + |
1421 | + include/ntp.h | 5 ++--- |
1422 | + 2 files changed, 3 insertions(+), 3 deletions(-) |
1423 | + |
1424 | +Index: ntp-4.2.6.p5+dfsg/include/ntp.h |
1425 | +=================================================================== |
1426 | +--- ntp-4.2.6.p5+dfsg.orig/include/ntp.h 2015-10-22 15:17:12.632029576 -0400 |
1427 | ++++ ntp-4.2.6.p5+dfsg/include/ntp.h 2015-10-22 15:17:12.632029576 -0400 |
1428 | +@@ -163,10 +163,9 @@ |
1429 | + #define SQUARE(x) ((x) * (x)) |
1430 | + #define SQRT(x) (sqrt(x)) |
1431 | + #define DIFF(x, y) (SQUARE((x) - (y))) |
1432 | +-#define LOGTOD(a) ((a) < 0 ? 1. / (1L << -(a)) : \ |
1433 | +- 1L << (int)(a)) /* log2 to double */ |
1434 | ++#define LOGTOD(a) ldexp(1., (int)(a)) /* log2 to double */ |
1435 | + #define UNIVAR(x) (SQUARE(.28867513 * LOGTOD(x))) /* std uniform distr */ |
1436 | +-#define ULOGTOD(a) (1L << (int)(a)) /* ulog2 to double */ |
1437 | ++#define ULOGTOD(a) ldexp(1., (int)(a)) /* ulog2 to double */ |
1438 | + |
1439 | + #define EVENT_TIMEOUT 0 /* one second, that is */ |
1440 | + |
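Review bot: the patch header identifies this only as [Bug 2382]; add a DEP-3 Description/Bug line naming CVE-2015-5219 so the series is self-documenting like the neighbouring CVE patches. The change itself is sound: `1L << (int)(a)` is undefined once the shift count reaches the width of long, whereas ldexp(1., (int)(a)) simply saturates to inf or 0, and SQRT already expands to sqrt() so the <math.h> dependency is not new.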
1441 | diff --git a/debian/patches/CVE-2015-5300.patch b/debian/patches/CVE-2015-5300.patch |
1442 | new file mode 100644 |
1443 | index 0000000..563a7ee |
1444 | --- /dev/null |
1445 | +++ b/debian/patches/CVE-2015-5300.patch |
1446 | @@ -0,0 +1,16 @@ |
1447 | +Description: fix timeshifting by reboot issue |
1448 | +Origin: vendor, http://pkgs.fedoraproject.org/cgit/ntp.git/plain/ntp-4.2.6p5-cve-2015-5300.patch |
1449 | +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5300 |
1450 | + |
1451 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_loopfilter.c |
1452 | +=================================================================== |
1453 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_loopfilter.c 2015-10-22 16:10:31.039787300 -0400 |
1454 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_loopfilter.c 2015-10-22 16:10:31.039787300 -0400 |
1455 | +@@ -386,6 +386,7 @@ |
1456 | + report_event(EVNT_CLOCKRESET, NULL, tbuf); |
1457 | + step_systime(fp_offset); |
1458 | + reinit_timer(); |
1459 | ++ allow_panic = FALSE; |
1460 | + tc_counter = 0; |
1461 | + clock_jitter = LOGTOD(sys_precision); |
1462 | + rval = 2; |
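Review bot: the Description "fix timeshifting by reboot issue" does not say what the hunk does. Clearing allow_panic after the first step re-enables the panic threshold for every subsequent step instead of leaving it waived (as -g does) for the life of the process; please state that, and since Origin points at a Fedora vendor patch, record the upstream bug or commit it corresponds to for traceability.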
1463 | diff --git a/debian/patches/CVE-2015-7691.patch b/debian/patches/CVE-2015-7691.patch |
1464 | new file mode 100644 |
1465 | index 0000000..7dbe95b |
1466 | --- /dev/null |
1467 | +++ b/debian/patches/CVE-2015-7691.patch |
1468 | @@ -0,0 +1,225 @@ |
1469 | +Description: fix incomplete autokey data packet length checks |
1470 | +Origin: upstream, https://github.com/ntp-project/ntp/commit/c4cd4aaf418f57f7225708a93bf48afb2bc9c1da |
1471 | +Origin: upstream, https://github.com/ntp-project/ntp/commit/c454d5defd5679947ed34b988c85bab6ed9066cf |
1472 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2899 |
1473 | + |
1474 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c |
1475 | +=================================================================== |
1476 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-10-23 09:06:08.625810791 -0400 |
1477 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-10-23 09:07:35.018715125 -0400 |
1478 | +@@ -170,6 +170,7 @@ |
1479 | + static struct pkey_info *crypto_key (char *, char *, sockaddr_u *); |
1480 | + static void bighash (BIGNUM *, BIGNUM *); |
1481 | + static struct cert_info *crypto_cert (char *); |
1482 | ++static u_int exten_payload_size(const struct exten *); |
1483 | + |
1484 | + #ifdef SYS_WINNT |
1485 | + int |
1486 | +@@ -389,7 +390,7 @@ |
1487 | + struct autokey *ap, *bp; /* autokey pointer */ |
1488 | + struct exten *ep, *fp; /* extension pointers */ |
1489 | + struct cert_info *xinfo; /* certificate info pointer */ |
1490 | +- int has_mac; /* length of MAC field */ |
1491 | ++ int macbytes; /* length of MAC field, signed by intention */ |
1492 | + int authlen; /* offset of MAC field */ |
1493 | + associd_t associd; /* association ID */ |
1494 | + tstamp_t tstamp = 0; /* timestamp */ |
1495 | +@@ -417,7 +418,11 @@ |
1496 | + */ |
1497 | + authlen = LEN_PKT_NOMAC; |
1498 | + hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode); |
1499 | +- while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) { |
1500 | ++ while ((macbytes = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) { |
1501 | ++ /* We can be reasonably sure that we can read at least |
1502 | ++ * the opcode and the size field here. More stringent |
1503 | ++ * checks follow up shortly. |
1504 | ++ */ |
1505 | + pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4; |
1506 | + ep = (struct exten *)pkt; |
1507 | + code = ntohl(ep->opcode) & 0xffff0000; |
1508 | +@@ -441,6 +446,18 @@ |
1509 | + code |= CRYPTO_ERROR; |
1510 | + } |
1511 | + |
1512 | ++ /* Check if the declared size fits into the remaining |
1513 | ++ * buffer. |
1514 | ++ */ |
1515 | ++ if (len > macbytes) { |
1516 | ++ DPRINTF(1, ("crypto_recv: possible attack detected, associd %d\n", |
1517 | ++ associd)); |
1518 | ++ return XEVNT_LEN; |
1519 | ++ } |
1520 | ++ |
1521 | ++ /* Check if the paylod of the extension fits into the |
1522 | ++ * declared frame. |
1523 | ++ */ |
1524 | + if (len >= VALUE_LEN) { |
1525 | + tstamp = ntohl(ep->tstamp); |
1526 | + fstamp = ntohl(ep->fstamp); |
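Review bot: typo in the new comment, "paylod" should be "payload". The `len > macbytes` test compares an unsigned len with the signed macbytes and is only safe because the loop condition above guarantees macbytes > (int)MAX_MAC_LEN; a one-line comment saying so would stop someone later relaxing the loop test and reintroducing a signed/unsigned surprise.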
1527 | +@@ -1170,9 +1187,8 @@ |
1528 | + * choice. |
1529 | + */ |
1530 | + case CRYPTO_CERT | CRYPTO_RESP: |
1531 | +- vallen = ntohl(ep->vallen); /* Must be <64k */ |
1532 | +- if (vallen == 0 || vallen > MAXHOSTNAME || |
1533 | +- len - VALUE_LEN < vallen) { |
1534 | ++ vallen = exten_payload_size(ep); /* Must be <64k */ |
1535 | ++ if (vallen == 0 || vallen >= sizeof(certname) ) { |
1536 | + rval = XEVNT_LEN; |
1537 | + break; |
1538 | + |
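Review bot: the `/* Must be <64k */` comment is now stale. exten_payload_size() returns UINT_MAX when the declared value overruns the extension frame, and `vallen >= sizeof(certname)` is what rejects it, so the comment should say the value must fit in certname. The bound also changed from MAXHOSTNAME to sizeof(certname); confirm that is intentional and not a widening of the old limit.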
1539 | +@@ -2134,8 +2150,7 @@ |
1540 | + tstamp_t tstamp; /* NTP timestamp */ |
1541 | + BIGNUM *bn, *bk, *r; |
1542 | + u_char *ptr; |
1543 | +- u_int len; /* extension field length */ |
1544 | +- u_int vallen = 0; /* value length */ |
1545 | ++ u_int len; /* extension field value length */ |
1546 | + |
1547 | + /* |
1548 | + * If the IFF parameters are not valid, something awful |
1549 | +@@ -2150,11 +2165,10 @@ |
1550 | + /* |
1551 | + * Extract r from the challenge. |
1552 | + */ |
1553 | +- vallen = ntohl(ep->vallen); |
1554 | +- len = ntohl(ep->opcode) & 0x0000ffff; |
1555 | +- if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen) |
1556 | +- return XEVNT_LEN; |
1557 | +- if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) { |
1558 | ++ len = exten_payload_size(ep); |
1559 | ++ if (len == 0 || len > MAX_VALLEN) |
1560 | ++ return (XEVNT_LEN); |
1561 | ++ if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { |
1562 | + msyslog(LOG_ERR, "crypto_bob: %s", |
1563 | + ERR_error_string(ERR_get_error(), NULL)); |
1564 | + return (XEVNT_ERR); |
1565 | +@@ -2166,7 +2180,7 @@ |
1566 | + */ |
1567 | + bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new(); |
1568 | + sdsa = DSA_SIG_new(); |
1569 | +- BN_rand(bk, vallen * 8, -1, 1); /* k */ |
1570 | ++ BN_rand(bk, len * 8, -1, 1); /* k */ |
1571 | + BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */ |
1572 | + BN_add(bn, bn, bk); |
1573 | + BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */ |
1574 | +@@ -2185,16 +2199,16 @@ |
1575 | + * Encode the values in ASN.1 and sign. The filestamp is from |
1576 | + * the local file. |
1577 | + */ |
1578 | +- vallen = i2d_DSA_SIG(sdsa, NULL); |
1579 | +- if (vallen == 0) { |
1580 | ++ len = i2d_DSA_SIG(sdsa, NULL); |
1581 | ++ if (len == 0) { |
1582 | + msyslog(LOG_ERR, "crypto_bob: %s", |
1583 | + ERR_error_string(ERR_get_error(), NULL)); |
1584 | + DSA_SIG_free(sdsa); |
1585 | + return (XEVNT_ERR); |
1586 | + } |
1587 | +- if (vallen > MAX_VALLEN) { |
1588 | +- msyslog(LOG_ERR, "crypto_bob: signature is too big: %d", |
1589 | +- vallen); |
1590 | ++ if (len > MAX_VALLEN) { |
1591 | ++ msyslog(LOG_ERR, "crypto_bob: signature is too big: %u", |
1592 | ++ len); |
1593 | + DSA_SIG_free(sdsa); |
1594 | + return (XEVNT_LEN); |
1595 | + } |
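Review bot: i2d_DSA_SIG() returns int and a negative value on error, but len (like vallen before it) is u_int, so a failure wraps to a huge value and is caught by the `len > MAX_VALLEN` branch, logged as "signature is too big", rather than by the `len == 0` branch with the ERR_error_string() detail. Capture the int return first (or test `(int)len <= 0`) so the error reporting stays accurate. The `%u` in the new msyslog matches the unsigned len, which is an improvement over the old `%d`.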
1596 | +@@ -2202,8 +2216,8 @@ |
1597 | + tstamp = crypto_time(); |
1598 | + vp->tstamp = htonl(tstamp); |
1599 | + vp->fstamp = htonl(iffkey_info->fstamp); |
1600 | +- vp->vallen = htonl(vallen); |
1601 | +- ptr = emalloc(vallen); |
1602 | ++ vp->vallen = htonl(len); |
1603 | ++ ptr = emalloc(len); |
1604 | + vp->ptr = ptr; |
1605 | + i2d_DSA_SIG(sdsa, &ptr); |
1606 | + DSA_SIG_free(sdsa); |
1607 | +@@ -2214,9 +2228,11 @@ |
1608 | + vp->sig = emalloc(sign_siglen); |
1609 | + EVP_SignInit(&ctx, sign_digest); |
1610 | + EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); |
1611 | +- EVP_SignUpdate(&ctx, vp->ptr, vallen); |
1612 | +- if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) |
1613 | +- vp->siglen = htonl(sign_siglen); |
1614 | ++ EVP_SignUpdate(&ctx, vp->ptr, len); |
1615 | ++ if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) { |
1616 | ++ INSIST(len <= sign_siglen); |
1617 | ++ vp->siglen = htonl(len); |
1618 | ++ } |
1619 | + return (XEVNT_OK); |
1620 | + } |
1621 | + |
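Review bot: good catch that vp->siglen was previously set to sign_siglen regardless of how many bytes EVP_SignFinal() actually wrote; using len is correct. INSIST() aborts the daemon on failure, which is acceptable only because sign_siglen is expected to be the EVP_PKEY_size() upper bound; it is worth a comment. Note the function still returns XEVNT_OK when EVP_SignFinal() fails, with vp->siglen left untouched; that is pre-existing, not introduced here, but the hunk is the natural place to fix it.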
1622 | +@@ -2462,7 +2478,9 @@ |
1623 | + /* |
1624 | + * Extract r from the challenge. |
1625 | + */ |
1626 | +- len = ntohl(ep->vallen); |
1627 | ++ len = exten_payload_size(ep); |
1628 | ++ if (len == 0 || len > MAX_VALLEN) |
1629 | ++ return (XEVNT_LEN); |
1630 | + if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { |
1631 | + msyslog(LOG_ERR, "crypto_bob2: %s", |
1632 | + ERR_error_string(ERR_get_error(), NULL)); |
1633 | +@@ -2787,7 +2805,9 @@ |
1634 | + /* |
1635 | + * Extract r from the challenge. |
1636 | + */ |
1637 | +- len = ntohl(ep->vallen); |
1638 | ++ len = exten_payload_size(ep); |
1639 | ++ if (len == 0 || len > MAX_VALLEN) |
1640 | ++ return (XEVNT_LEN); |
1641 | + if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { |
1642 | + msyslog(LOG_ERR, "crypto_bob3: %s", |
1643 | + ERR_error_string(ERR_get_error(), NULL)); |
1644 | +@@ -3002,8 +3022,11 @@ |
1645 | + if (tstamp == 0) |
1646 | + return (XEVNT_TSP); |
1647 | + |
1648 | ++ len = exten_payload_size(ep); |
1649 | ++ if (len == 0 || len > MAX_VALLEN) |
1650 | ++ return (XEVNT_LEN); |
1651 | + ptr = (u_char *)ep->pkt; |
1652 | +- if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) { |
1653 | ++ if ((req = d2i_X509(NULL, &ptr, len)) == NULL) { |
1654 | + msyslog(LOG_ERR, "cert_sign: %s", |
1655 | + ERR_error_string(ERR_get_error(), NULL)); |
1656 | + return (XEVNT_CRT); |
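Review bot: `len` is assigned here but no declaration is added in this hunk; confirm cert_sign() already has a `u_int len` local in this 4.2.6p5 tree (crypto_bob2 and crypto_bob3 above are in the same situation), otherwise the backport will not compile. The real fix, bounding the length before d2i_X509() instead of passing ntohl(ep->vallen) straight through, deserves a short comment in the hunk.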
1657 | +@@ -3968,6 +3991,36 @@ |
1658 | + break; |
1659 | + } |
1660 | + } |
1661 | ++ |
1662 | ++/* |
1663 | ++ * Get the payload size (internal value length) of an extension packet. |
1664 | ++ * If the inner value size does not match the outer packet size (that |
1665 | ++ * is, the value would end behind the frame given by the opcode/size |
1666 | ++ * field) the function will effectively return UINT_MAX. If the frame is |
1667 | ++ * too short to hold a variable-sized value, the return value is zero. |
1668 | ++ */ |
1669 | ++static u_int |
1670 | ++exten_payload_size( |
1671 | ++ const struct exten * ep) |
1672 | ++{ |
1673 | ++ typedef const u_char *BPTR; |
1674 | ++ |
1675 | ++ size_t extn_size; |
1676 | ++ size_t data_size; |
1677 | ++ size_t head_size; |
1678 | ++ |
1679 | ++ data_size = 0; |
1680 | ++ if (NULL != ep) { |
1681 | ++ head_size = (BPTR)(&ep->vallen + 1) - (BPTR)ep; |
1682 | ++ extn_size = (uint16_t)(ntohl(ep->opcode) & 0x0000ffff); |
1683 | ++ if (extn_size >= head_size) { |
1684 | ++ data_size = (uint32_t)ntohl(ep->vallen); |
1685 | ++ if (data_size > extn_size - head_size) |
1686 | ++ data_size = ~(size_t)0u; |
1687 | ++ } |
1688 | ++ } |
1689 | ++ return (u_int)data_size; |
1690 | ++} |
1691 | + # else |
1692 | + int ntp_crypto_bs_pubkey; |
1693 | + # endif /* OPENSSL */ |
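Review bot: this file uses the project's u_int32 typedefs (see the `(u_int32 *)` cast in crypto_recv above), while the new function uses uint16_t and uint32_t; either use the project typedefs or make sure <stdint.h> is reachable on every platform this package builds for. The `~(size_t)0u` sentinel is truncated to u_int on return, which does yield UINT_MAX as the comment promises, but returning UINT_MAX explicitly would not rely on the conversion.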
1694 | diff --git a/debian/patches/CVE-2015-7701.patch b/debian/patches/CVE-2015-7701.patch |
1695 | new file mode 100644 |
1696 | index 0000000..d04cb2c |
1697 | --- /dev/null |
1698 | +++ b/debian/patches/CVE-2015-7701.patch |
1699 | @@ -0,0 +1,23 @@ |
1700 | +From d7cd5e186034340402f1393e0813c7d2b14ea6ca Mon Sep 17 00:00:00 2001 |
1701 | +From: <jnperlin@hydra.localnet> |
1702 | +Date: Mon, 28 Sep 2015 18:22:06 +0200 |
1703 | +Subject: [PATCH] [Bug 2909] - Slow memory leak in CRYPTO_ASSOC - added |
1704 | + missing call to 'free()' in ntp_crypto.c. |
1705 | + |
1706 | +--- |
1707 | + ChangeLog | 1 + |
1708 | + ntpd/ntp_crypto.c | 1 + |
1709 | + 2 files changed, 2 insertions(+) |
1710 | + |
1711 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c |
1712 | +=================================================================== |
1713 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-10-22 15:25:26.448658993 -0400 |
1714 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-10-22 15:25:26.448658993 -0400 |
1715 | +@@ -500,6 +500,7 @@ |
1716 | + rval = XEVNT_ERR; |
1717 | + break; |
1718 | + } |
1719 | ++ free(peer->cmmd); /* will be set again! */ |
1720 | + } |
1721 | + fp = emalloc(len); |
1722 | + memcpy(fp, ep, len); |
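Review bot: after free(peer->cmmd) the pointer dangles until the assignment the "will be set again!" comment promises; setting `peer->cmmd = NULL` right after the free costs nothing and rules out a double free if the emalloc/memcpy path below is ever reordered or given an early return. The free is inside the block closed by the following `}`, so it only runs on that branch; make sure that is the only branch on which the old cmmd is replaced.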
1723 | diff --git a/debian/patches/CVE-2015-7704.patch b/debian/patches/CVE-2015-7704.patch |
1724 | new file mode 100644 |
1725 | index 0000000..351c7da |
1726 | --- /dev/null |
1727 | +++ b/debian/patches/CVE-2015-7704.patch |
1728 | @@ -0,0 +1,19 @@ |
1729 | +Description: fix denial of service by spoofed KoD |
1730 | +Author: Miroslav Lichvar <mlichvar@redhat.com> |
1731 | +Origin: other, http://lists.ntp.org/pipermail/pool/2015-October/007631.html |
1732 | +Bug: http://bugs.ntp.org/show_bug.cgi?id=2901 |
1733 | +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7704 |
1734 | + |
1735 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c |
1736 | +=================================================================== |
1737 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-10-22 15:55:30.498577692 -0400 |
1738 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-10-22 15:57:47.587982624 -0400 |
1739 | +@@ -1166,7 +1166,7 @@ |
1740 | + peer->ppoll = max(peer->minpoll, pkt->ppoll); |
1741 | + if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC && |
1742 | + hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid, |
1743 | +- "RATE", 4) == 0) { |
1744 | ++ "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) { |
1745 | + peer->selbroken++; |
1746 | + report_event(PEVNT_RATE, peer, NULL); |
1747 | + if (pkt->ppoll > peer->minpoll) |
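Review bot: the new condition only works if peer->flash already holds the results of the packet sanity tests grouped under PKT_TEST_MASK at this point in process_packet(); confirm those flash bits are set before line 1166 in this tree, otherwise `!(peer->flash & PKT_TEST_MASK)` is a no-op. Since Origin is a pool mailing-list post rather than an upstream commit, the Description should also spell out the behaviour: a RATE KoD is now honoured only from a packet that passed those tests.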
1748 | diff --git a/debian/patches/CVE-2015-7850.patch b/debian/patches/CVE-2015-7850.patch |
1749 | new file mode 100644 |
1750 | index 0000000..e7d9491 |
1751 | --- /dev/null |
1752 | +++ b/debian/patches/CVE-2015-7850.patch |
1753 | @@ -0,0 +1,235 @@ |
1754 | +backport of: |
1755 | + |
1756 | +From bb928ef08eec020ef6008f3a140702ccc0536b8e Mon Sep 17 00:00:00 2001 |
1757 | +From: <jnperlin@hydra.localnet> |
1758 | +Date: Sat, 3 Oct 2015 09:08:20 +0200 |
1759 | +Subject: [PATCH] [TALOS-CAN-0055] Infinite loop if extended logging enabled |
1760 | + and the logfile and keyfile are the same |
1761 | + |
1762 | +--- |
1763 | + ChangeLog | 2 ++ |
1764 | + include/ntp_stdlib.h | 1 + |
1765 | + include/ntp_syslog.h | 1 + |
1766 | + libntp/authreadkeys.c | 89 ++++++++++++++++++++++++++++++++++++++++----------- |
1767 | + libntp/msyslog.c | 12 +++++++ |
1768 | + 5 files changed, 87 insertions(+), 18 deletions(-) |
1769 | + |
1770 | +Index: ntp-4.2.6.p5+dfsg/include/ntp_stdlib.h |
1771 | +=================================================================== |
1772 | +--- ntp-4.2.6.p5+dfsg.orig/include/ntp_stdlib.h 2015-10-23 08:30:31.515986332 -0400 |
1773 | ++++ ntp-4.2.6.p5+dfsg/include/ntp_stdlib.h 2015-10-23 08:30:31.511986291 -0400 |
1774 | +@@ -46,7 +46,8 @@ |
1775 | + __attribute__((__format__(__printf__, 3, 4))); |
1776 | + extern void msyslog(int, const char *, ...) |
1777 | + __attribute__((__format__(__printf__, 2, 3))); |
1778 | +- |
1779 | ++extern void mvsyslog(int, const char *, va_list) |
1780 | ++ __attribute__((__format__(__printf__, 2, 0))); |
1781 | + /* |
1782 | + * When building without OpenSSL, use a few macros of theirs to |
1783 | + * minimize source differences in NTP. |
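Review bot: the blank line separating the prototypes from the "When building without OpenSSL" comment block was replaced by the mvsyslog prototype rather than kept; add a blank line after the new declaration so the header keeps its existing spacing.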
1784 | +Index: ntp-4.2.6.p5+dfsg/include/ntp_syslog.h |
1785 | +=================================================================== |
1786 | +--- ntp-4.2.6.p5+dfsg.orig/include/ntp_syslog.h 2015-10-23 08:30:31.515986332 -0400 |
1787 | ++++ ntp-4.2.6.p5+dfsg/include/ntp_syslog.h 2015-10-23 08:30:31.511986291 -0400 |
1788 | +@@ -9,6 +9,7 @@ |
1789 | + |
1790 | + # ifdef VMS |
1791 | + extern void msyslog(); |
1792 | ++extern void mvsyslog(); |
1793 | + # else |
1794 | + # ifndef SYS_VXWORKS |
1795 | + # include <syslog.h> |
1796 | +Index: ntp-4.2.6.p5+dfsg/libntp/authreadkeys.c |
1797 | +=================================================================== |
1798 | +--- ntp-4.2.6.p5+dfsg.orig/libntp/authreadkeys.c 2015-10-23 08:30:31.515986332 -0400 |
1799 | ++++ ntp-4.2.6.p5+dfsg/libntp/authreadkeys.c 2015-10-23 08:32:05.104935695 -0400 |
1800 | +@@ -61,6 +61,40 @@ |
1801 | + } |
1802 | + |
1803 | + |
1804 | ++/* TALOS-CAN-0055: possibly DoS attack by setting the key file to the |
1805 | ++ * log file. This is hard to prevent (it would need to check two files |
1806 | ++ * to be the same on the inode level, which will not work so easily with |
1807 | ++ * Windows or VMS) but we can avoid the self-amplification loop: We only |
1808 | ++ * log the first 5 errors, silently ignore the next 10 errors, and give |
1809 | ++ * up when when we have found more than 15 errors. |
1810 | ++ * |
1811 | ++ * This avoids the endless file iteration we will end up with otherwise, |
1812 | ++ * and also avoids overflowing the log file. |
1813 | ++ * |
1814 | ++ * Nevertheless, once this happens, the keys are gone since this would |
1815 | ++ * require a save/swap strategy that is not easy to apply due to the |
1816 | ++ * data on global/static level. |
1817 | ++ */ |
1818 | ++ |
1819 | ++static const size_t nerr_loglimit = 5u; |
1820 | ++static const size_t nerr_maxlimit = 15; |
1821 | ++ |
1822 | ++static void log_maybe(size_t*, const char*, ...) __attribute__((__format__(__printf__, 2, 3))); |
1823 | ++ |
1824 | ++static void |
1825 | ++log_maybe( |
1826 | ++ size_t *pnerr, |
1827 | ++ const char *fmt , |
1828 | ++ ...) |
1829 | ++{ |
1830 | ++ va_list ap; |
1831 | ++ if (++(*pnerr) <= nerr_loglimit) { |
1832 | ++ va_start(ap, fmt); |
1833 | ++ mvsyslog(LOG_ERR, fmt, ap); |
1834 | ++ va_end(ap); |
1835 | ++ } |
1836 | ++} |
1837 | ++ |
1838 | + /* |
1839 | + * authreadkeys - (re)read keys from a file. |
1840 | + */ |
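Review bot: nerr_loglimit is spelled `5u` and nerr_maxlimit `15`; both are size_t, so use one form. log_maybe() only stops logging past nerr_loglimit and keeps counting; the hard stop at nerr_maxlimit is enforced by the caller, which is fine but should be said in this comment block so the two thresholds read as a pair. As the comment admits, this is rate limiting rather than a fix for keyfile == logfile; on the Linux builds this package targets, an fstat()/st_ino comparison against the log FILE when logging to a file would be cheap and would close the loop outright.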
1841 | +@@ -78,7 +112,7 @@ |
1842 | + u_char keystr[20]; |
1843 | + int len; |
1844 | + int j; |
1845 | +- |
1846 | ++ size_t nerr; |
1847 | + /* |
1848 | + * Open file. Complain and return if it can't be opened. |
1849 | + */ |
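Review bot: the `size_t nerr;` declaration replaced the blank line before the "Open file" comment; keep a blank line after the declarations to match the rest of the function.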
1850 | +@@ -98,7 +132,10 @@ |
1851 | + /* |
1852 | + * Now read lines from the file, looking for key entries |
1853 | + */ |
1854 | ++ nerr = 0; |
1855 | + while ((line = fgets(buf, sizeof buf, fp)) != NULL) { |
1856 | ++ if (nerr > nerr_maxlimit) |
1857 | ++ break; |
1858 | + token = nexttok(&line); |
1859 | + if (token == NULL) |
1860 | + continue; |
1861 | +@@ -108,15 +145,16 @@ |
1862 | + */ |
1863 | + keyno = atoi(token); |
1864 | + if (keyno == 0) { |
1865 | +- msyslog(LOG_ERR, |
1866 | +- "authreadkeys: cannot change key %s", token); |
1867 | ++ log_maybe(&nerr, |
1868 | ++ "authreadkeys: cannot change key %s", |
1869 | ++ token); |
1870 | + continue; |
1871 | + } |
1872 | + |
1873 | + if (keyno > NTP_MAXKEY) { |
1874 | +- msyslog(LOG_ERR, |
1875 | +- "authreadkeys: key %s > %d reserved for Autokey", |
1876 | +- token, NTP_MAXKEY); |
1877 | ++ log_maybe(&nerr, |
1878 | ++ "authreadkeys: key %s > %d reserved for Autokey", |
1879 | ++ token, NTP_MAXKEY); |
1880 | + continue; |
1881 | + } |
1882 | + |
1883 | +@@ -125,8 +163,9 @@ |
1884 | + */ |
1885 | + token = nexttok(&line); |
1886 | + if (token == NULL) { |
1887 | +- msyslog(LOG_ERR, |
1888 | +- "authreadkeys: no key type for key %d", keyno); |
1889 | ++ log_maybe(&nerr, |
1890 | ++ "authreadkeys: no key type for key %d", |
1891 | ++ keyno); |
1892 | + continue; |
1893 | + } |
1894 | + #ifdef OPENSSL |
1895 | +@@ -138,13 +177,15 @@ |
1896 | + */ |
1897 | + keytype = keytype_from_text(token, NULL); |
1898 | + if (keytype == 0) { |
1899 | +- msyslog(LOG_ERR, |
1900 | +- "authreadkeys: invalid type for key %d", keyno); |
1901 | ++ log_maybe(&nerr, |
1902 | ++ "authreadkeys: invalid type for key %d", |
1903 | ++ keyno); |
1904 | + continue; |
1905 | + } |
1906 | + if (EVP_get_digestbynid(keytype) == NULL) { |
1907 | +- msyslog(LOG_ERR, |
1908 | +- "authreadkeys: no algorithm for key %d", keyno); |
1909 | ++ log_maybe(&nerr, |
1910 | ++ "authreadkeys: no algorithm for key %d", |
1911 | ++ keyno); |
1912 | + continue; |
1913 | + } |
1914 | + #else /* OPENSSL */ |
1915 | +@@ -154,8 +195,9 @@ |
1916 | + * 'm' for compatibility. |
1917 | + */ |
1918 | + if (!(*token == 'M' || *token == 'm')) { |
1919 | +- msyslog(LOG_ERR, |
1920 | +- "authreadkeys: invalid type for key %d", keyno); |
1921 | ++ log_maybe(&nerr, |
1922 | ++ "authreadkeys: invalid type for key %d", |
1923 | ++ keyno); |
1924 | + continue; |
1925 | + } |
1926 | + keytype = KEY_TYPE_MD5; |
1927 | +@@ -169,8 +211,8 @@ |
1928 | + */ |
1929 | + token = nexttok(&line); |
1930 | + if (token == NULL) { |
1931 | +- msyslog(LOG_ERR, |
1932 | +- "authreadkeys: no key for key %d", keyno); |
1933 | ++ log_maybe(&nerr, |
1934 | ++ "authreadkeys: no key for key %d", keyno); |
1935 | + continue; |
1936 | + } |
1937 | + len = strlen(token); |
1938 | +@@ -186,8 +228,9 @@ |
1939 | + for (j = 0; j < jlim; j++) { |
1940 | + ptr = strchr(hex, tolower(token[j])); |
1941 | + if (ptr == NULL) { |
1942 | +- msyslog(LOG_ERR, |
1943 | +- "authreadkeys: invalid hex digit for key %d", keyno); |
1944 | ++ log_maybe(&nerr, |
1945 | ++ "authreadkeys: invalid hex digit for key %d", |
1946 | ++ keyno); |
1947 | + continue; |
1948 | + } |
1949 | + temp = (u_char)(ptr - hex); |
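Review bot: the `continue` after the invalid-hex-digit log is inside the `for (j ...)` loop, so it only skips that one character: every bad character on a line now counts towards nerr_maxlimit (a single line of 16 or more garbage characters trips the emergency break by itself), and the line is not rejected, so processing goes on with whatever digits did decode. Breaking out of the digit loop and skipping the key would count one error per bad line and avoid installing a partially decoded key. The per-character counting is pre-existing, but the new thresholds make it bite.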
1950 | +@@ -200,5 +243,15 @@ |
1951 | + } |
1952 | + } |
1953 | + fclose(fp); |
1954 | ++ if (nerr > nerr_maxlimit) { |
1955 | ++ msyslog(LOG_ERR, |
1956 | ++ "authreadkeys: emergency break after %u errors", |
1957 | ++ nerr); |
1958 | ++ return (0); |
1959 | ++ } else if (nerr > nerr_loglimit) { |
1960 | ++ msyslog(LOG_ERR, |
1961 | ++ "authreadkeys: found %u more error(s)", |
1962 | ++ nerr - nerr_loglimit); |
1963 | ++ } |
1964 | + return (1); |
1965 | + } |
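Review bot: nerr and `nerr - nerr_loglimit` are size_t but are printed with `%u`; on the 64-bit Ubuntu builds that is a format/argument mismatch that -Wformat will flag, and this package already carries a format-security patch. Use `%zu` (or cast to unsigned) in both msyslog() calls. Also, as the earlier comment block says, by the time the emergency break returns 0 the previous keys are already gone, so callers must treat 0 as "reload failed and the key table is no longer trustworthy", not "file unchanged".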
1966 | +Index: ntp-4.2.6.p5+dfsg/libntp/msyslog.c |
1967 | +=================================================================== |
1968 | +--- ntp-4.2.6.p5+dfsg.orig/libntp/msyslog.c 2015-10-23 08:30:31.515986332 -0400 |
1969 | ++++ ntp-4.2.6.p5+dfsg/libntp/msyslog.c 2015-10-23 08:30:31.511986291 -0400 |
1970 | +@@ -271,6 +271,18 @@ |
1971 | + return rc; |
1972 | + } |
1973 | + |
1974 | ++void |
1975 | ++mvsyslog( |
1976 | ++ int level, |
1977 | ++ const char * fmt, |
1978 | ++ va_list ap |
1979 | ++ ) |
1980 | ++{ |
1981 | ++ char buf[1024]; |
1982 | ++ mvsnprintf(buf, sizeof(buf), fmt, ap); |
1983 | ++ addto_syslog(level, buf); |
1984 | ++} |
1985 | ++ |
1986 | + |
1987 | + void |
1988 | + msyslog( |
1989 | diff --git a/debian/patches/CVE-2015-7852.patch b/debian/patches/CVE-2015-7852.patch |
1990 | new file mode 100644 |
1991 | index 0000000..33cc916 |
1992 | --- /dev/null |
1993 | +++ b/debian/patches/CVE-2015-7852.patch |
1994 | @@ -0,0 +1,35 @@ |
1995 | +Backport of: |
1996 | + |
1997 | +From 07a5b8141e354a998a52994c3c9cd547927e56ce Mon Sep 17 00:00:00 2001 |
1998 | +From: <jnperlin@hydra.localnet> |
1999 | +Date: Wed, 30 Sep 2015 20:15:13 +0200 |
2000 | +Subject: [PATCH] [TALOS-CAN-0063] avoid buffer overrun in ntpq |
2001 | + |
2002 | +--- |
2003 | + ChangeLog | 1 + |
2004 | + ntpq/ntpq.c | 7 ++++++- |
2005 | + 2 files changed, 7 insertions(+), 1 deletion(-) |
2006 | + |
2007 | +Index: ntp-4.2.6.p5+dfsg/ntpq/ntpq.c |
2008 | +=================================================================== |
2009 | +--- ntp-4.2.6.p5+dfsg.orig/ntpq/ntpq.c 2015-10-22 16:25:23.504874749 -0400 |
2010 | ++++ ntp-4.2.6.p5+dfsg/ntpq/ntpq.c 2015-10-22 16:27:01.905821489 -0400 |
2011 | +@@ -3448,12 +3448,17 @@ |
2012 | + char bv[401]; |
2013 | + int len; |
2014 | + |
2015 | ++ /* TALOS-CAN-0063: avoid buffer overrun */ |
2016 | + atoascii(name, MAXVARLEN, bn, sizeof(bn)); |
2017 | +- atoascii(value, MAXVARLEN, bv, sizeof(bv)); |
2018 | + if (output_raw != '*') { |
2019 | ++ atoascii(value, MAXVALLEN, |
2020 | ++ bv, sizeof(bv) - 1); |
2021 | + len = strlen(bv); |
2022 | + bv[len] = output_raw; |
2023 | + bv[len+1] = '\0'; |
2024 | ++ } else { |
2025 | ++ atoascii(value, MAXVALLEN, |
2026 | ++ bv, sizeof(bv)); |
2027 | + } |
2028 | + output(fp, bn, bv); |
2029 | + } |
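Review bot: the `/* TALOS-CAN-0063: avoid buffer overrun */` comment sits above the unchanged atoascii() call for `name`; move it to the `if (output_raw != '*')` it actually explains. The fix itself is right: the value is now converted with MAXVALLEN rather than MAXVARLEN and, when a raw marker is appended, into sizeof(bv) - 1 bytes so that `bv[len+1] = '\0'` stays inside the 401-byte buffer.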
2030 | diff --git a/debian/patches/CVE-2015-7853.patch b/debian/patches/CVE-2015-7853.patch |
2031 | new file mode 100644 |
2032 | index 0000000..f6a1202 |
2033 | --- /dev/null |
2034 | +++ b/debian/patches/CVE-2015-7853.patch |
2035 | @@ -0,0 +1,46 @@ |
2036 | +Backport of: |
2037 | + |
2038 | +From 8482b536f9494a5d45196ab5b7e13040f5940261 Mon Sep 17 00:00:00 2001 |
2039 | +From: <jnperlin@hydra.localnet> |
2040 | +Date: Wed, 30 Sep 2015 21:55:09 +0200 |
2041 | +Subject: [PATCH] [TALOS-CAN-0064] signed/unsiged clash could lead to buffer |
2042 | + overun |
2043 | + |
2044 | +--- |
2045 | + ChangeLog | 2 ++ |
2046 | + ntpd/ntp_io.c | 15 +++++++++------ |
2047 | + 2 files changed, 11 insertions(+), 6 deletions(-) |
2048 | + |
2049 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c |
2050 | +=================================================================== |
2051 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c 2015-10-22 16:27:40.686182025 -0400 |
2052 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c 2015-10-22 16:32:28.776865553 -0400 |
2053 | +@@ -3255,7 +3255,7 @@ |
2054 | + static inline int |
2055 | + read_refclock_packet(SOCKET fd, struct refclockio *rp, l_fp ts) |
2056 | + { |
2057 | +- int i; |
2058 | ++ u_int read_count; |
2059 | + int buflen; |
2060 | + register struct recvbuf *rb; |
2061 | + |
2062 | +@@ -3272,11 +3272,14 @@ |
2063 | + return (buflen); |
2064 | + } |
2065 | + |
2066 | +- i = (rp->datalen == 0 |
2067 | +- || rp->datalen > sizeof(rb->recv_space)) |
2068 | +- ? sizeof(rb->recv_space) |
2069 | +- : rp->datalen; |
2070 | +- buflen = read(fd, (char *)&rb->recv_space, (unsigned)i); |
2071 | ++ /* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead |
2072 | ++ * to buffer overrun and memory corruption |
2073 | ++ */ |
2074 | ++ if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space)) |
2075 | ++ read_count = sizeof(rb->recv_space); |
2076 | ++ else |
2077 | ++ read_count = (u_int)rp->datalen; |
2078 | ++ buflen = read(fd, (char *)&rb->recv_space, read_count); |
2079 | + |
2080 | + if (buflen < 0) { |
2081 | + if (errno != EINTR && errno != EAGAIN) |
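Review bot: `rp->datalen <= 0` now treats a negative datalen the same as 0 (read a full recv_space) instead of as the out-of-range value it is; that is safe for the buffer, but a negative value indicates a refclock driver bug and deserves at least a DPRINTF so it does not go unnoticed. Minor: sizeof() is size_t and read_count is u_int, so the assignment narrows on LP64; harmless for a buffer-sized constant.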
2082 | diff --git a/debian/patches/CVE-2015-7855.patch b/debian/patches/CVE-2015-7855.patch |
2083 | new file mode 100644 |
2084 | index 0000000..91a44e3 |
2085 | --- /dev/null |
2086 | +++ b/debian/patches/CVE-2015-7855.patch |
2087 | @@ -0,0 +1,29 @@ |
2088 | +Backport of: |
2089 | + |
2090 | +From ba716a464ecb20618560075f2e4e1051e5b6f24f Mon Sep 17 00:00:00 2001 |
2091 | +From: <stenn@psp-deb1.ntp.org> |
2092 | +Date: Tue, 6 Oct 2015 08:51:27 +0000 |
2093 | +Subject: [PATCH] [Sec 2922] decodenetnum() will ASSERT botch instead of |
2094 | + returning FAIL on some bogus values. Harlan Stenn. |
2095 | + |
2096 | +--- |
2097 | + ChangeLog | 2 ++ |
2098 | + libntp/decodenetnum.c | 5 ++++- |
2099 | + 2 files changed, 6 insertions(+), 1 deletion(-) |
2100 | + |
2101 | +Index: ntp-4.2.6.p5+dfsg/libntp/decodenetnum.c |
2102 | +=================================================================== |
2103 | +--- ntp-4.2.6.p5+dfsg.orig/libntp/decodenetnum.c 2015-10-22 16:33:46.801593867 -0400 |
2104 | ++++ ntp-4.2.6.p5+dfsg/libntp/decodenetnum.c 2015-10-22 16:34:20.921912557 -0400 |
2105 | +@@ -36,7 +36,10 @@ |
2106 | + char name[80]; |
2107 | + |
2108 | + NTP_REQUIRE(num != NULL); |
2109 | +- NTP_REQUIRE(strlen(num) < sizeof(name)); |
2110 | ++ |
2111 | ++ if (strlen(num) >= sizeof(name)) { |
2112 | ++ return 0; |
2113 | ++ } |
2114 | + |
2115 | + port_str = NULL; |
2116 | + if ('[' != num[0]) { |
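Review bot: converting the length check to `return 0` while leaving `NTP_REQUIRE(num != NULL)` as an assertion is the right split (NULL is a programming error, an over-long string is input), but a one-line comment saying why the two are treated differently would help the next reader. Callers that hand this function externally supplied strings now get a clean failure instead of an assertion abort, which is the whole point of the fix; check that every caller actually tests the return value.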
2117 | diff --git a/debian/patches/CVE-2015-7871.patch b/debian/patches/CVE-2015-7871.patch |
2118 | new file mode 100644 |
2119 | index 0000000..249882b |
2120 | --- /dev/null |
2121 | +++ b/debian/patches/CVE-2015-7871.patch |
2122 | @@ -0,0 +1,40 @@ |
2123 | +From aa44b5835d69d8ee031736bb8ee2730a514edb7d Mon Sep 17 00:00:00 2001 |
2124 | +From: <jnperlin@hydra.localnet> |
2125 | +Date: Sun, 11 Oct 2015 08:10:20 +0200 |
2126 | +Subject: [PATCH] [Bug 2941] NAK to the Future: Symmetric association |
2127 | + authentication bypass via crypto-NAK |
2128 | + |
2129 | +--- |
2130 | + ChangeLog | 3 +++ |
2131 | + ntpd/ntp_proto.c | 18 ++++++++++++++++++ |
2132 | + 2 files changed, 21 insertions(+) |
2133 | + |
2134 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c |
2135 | +=================================================================== |
2136 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-10-22 16:35:02.202298283 -0400 |
2137 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-10-22 16:37:51.971886405 -0400 |
2138 | +@@ -957,6 +957,24 @@ |
2139 | + sys_restricted++; |
2140 | + return; |
2141 | + } |
2142 | ++ /* [Bug 2941] |
2143 | ++ * If we got here, the packet isn't part of an |
2144 | ++ * existing association, it isn't correctly |
2145 | ++ * authenticated, and it didn't meet either of |
2146 | ++ * the previous two special cases so we should |
2147 | ++ * just drop it on the floor. For example, |
2148 | ++ * crypto-NAKs (is_authentic == AUTH_CRYPTO) |
2149 | ++ * will make it this far. This is just |
2150 | ++ * debug-printed and not logged to avoid log |
2151 | ++ * flooding. |
2152 | ++ */ |
2153 | ++ DPRINTF(1, ("receive: at %ld refusing to mobilize passive association" |
2154 | ++ " with unknown peer %s mode %d keyid %08x len %d auth %d\n", |
2155 | ++ current_time, stoa(&rbufp->recv_srcadr), |
2156 | ++ hismode, skeyid, (authlen + has_mac), |
2157 | ++ is_authentic)); |
2158 | ++ sys_declined++; |
2159 | ++ return; |
2160 | + } |
2161 | + |
2162 | + /* |
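Review bot: `%ld` is used for current_time in the DPRINTF; in ntpd current_time is a u_long, so `%lu` is the matching conversion. The placement is right: the branch is reached only after the two special cases and the restrict check, so anything left, including a crypto-NAK with is_authentic == AUTH_CRYPTO, is declined and counted in sys_declined without a syslog line, which addresses the log-flood concern the comment raises.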
2163 | diff --git a/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch b/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch |
2164 | new file mode 100644 |
2165 | index 0000000..3d1ec56 |
2166 | --- /dev/null |
2167 | +++ b/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch |
2168 | @@ -0,0 +1,32 @@ |
2169 | +Description: [Bug 2890] Ignore ENOBUFS on routing netlink socket. |
2170 | + |
2171 | +Recv from netlink socket can return ENOBUFS if kernel failed to allocate buffer |
2172 | +for broadcast message. This happens from time-time on high-loaded systems with |
2173 | +a lot of interface and huge routing tables. |
2174 | + |
2175 | +Bug : http://bugs.ntp.org/show_bug.cgi?id=2890 |
2176 | +Author: <stenn@psp-at1.ntp.org> |
2177 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c |
2178 | +=================================================================== |
2179 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c |
2180 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c |
2181 | +@@ -4433,10 +4433,15 @@ process_routing_msgs(struct asyncio_read |
2182 | + cnt = read(reader->fd, buffer, sizeof(buffer)); |
2183 | + |
2184 | + if (cnt < 0) { |
2185 | +- msyslog(LOG_ERR, |
2186 | +- "i/o error on routing socket %m - disabling"); |
2187 | +- remove_asyncio_reader(reader); |
2188 | +- delete_asyncio_reader(reader); |
2189 | ++ if (errno == ENOBUFS) { |
2190 | ++ msyslog(LOG_ERR, |
2191 | ++ "routing socket reports: %m"); |
2192 | ++ } else { |
2193 | ++ msyslog(LOG_ERR, |
2194 | ++ "routing socket reports: %m - disabling"); |
2195 | ++ remove_asyncio_reader(reader); |
2196 | ++ delete_asyncio_reader(reader); |
2197 | ++ } |
2198 | + return; |
2199 | + } |
2200 | + |
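Review bot: ENOBUFS is now logged at LOG_ERR on every occurrence, yet the description says it happens "from time-time" on busy systems; LOG_WARNING, or rate limiting, would keep it from looking like a failure in the logs. Header nits: `Bug :` has a stray space before the colon, "from time-time" should be "from time to time", and there is no blank line between the header fields and the first Index: line, unlike the other DEP-3 patches in this series.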
2201 | diff --git a/debian/patches/ntp-keygen-endless-loop.patch b/debian/patches/ntp-keygen-endless-loop.patch |
2202 | new file mode 100644 |
2203 | index 0000000..f0e387c |
2204 | --- /dev/null |
2205 | +++ b/debian/patches/ntp-keygen-endless-loop.patch |
2206 | @@ -0,0 +1,38 @@ |
2207 | +Description: fix ntp-keygen infinite loop or lack of randonmess on big |
2208 | + endian platforms |
2209 | +Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg |
2210 | +Bug: https://bugs.ntp.org/show_bug.cgi?id=2797 |
2211 | + |
2212 | +Index: ntp-4.2.6.p5+dfsg/util/ntp-keygen.c |
2213 | +=================================================================== |
2214 | +--- ntp-4.2.6.p5+dfsg.orig/util/ntp-keygen.c 2015-04-13 08:58:49.317778349 -0400 |
2215 | ++++ ntp-4.2.6.p5+dfsg/util/ntp-keygen.c 2015-04-13 08:58:49.317778349 -0400 |
2216 | +@@ -726,24 +726,24 @@ |
2217 | + ntp_srandom((u_long)epoch); |
2218 | + for (i = 1; i <= MD5KEYS; i++) { |
2219 | + for (j = 0; j < MD5SIZE; j++) { |
2220 | +- int temp; |
2221 | ++ u_char temp; |
2222 | + |
2223 | + while (1) { |
2224 | + int rc; |
2225 | + |
2226 | +- rc = ntp_crypto_random_buf(&temp, 1); |
2227 | ++ rc = ntp_crypto_random_buf( |
2228 | ++ &temp, sizeof(temp)); |
2229 | + if (-1 == rc) { |
2230 | + fprintf(stderr, "ntp_crypto_random_buf() failed.\n"); |
2231 | + exit (-1); |
2232 | + } |
2233 | +- temp &= 0xff; |
2234 | + if (temp == '#') |
2235 | + continue; |
2236 | + |
2237 | + if (temp > 0x20 && temp < 0x7f) |
2238 | + break; |
2239 | + } |
2240 | +- md5key[j] = (u_char)temp; |
2241 | ++ md5key[j] = temp; |
2242 | + } |
2243 | + md5key[j] = '\0'; |
2244 | + fprintf(str, "%2d MD5 %s # MD5 key\n", i, |
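Review bot: typo in the Description line of the DEP-3 header, "randonmess" should be "randomness". The code change itself is right: ntp_crypto_random_buf(&temp, 1) wrote one byte into a four-byte int, so on big-endian targets that byte landed in the most significant position and "temp &= 0xff" kept an uninitialized low byte, which is why the loop could spin forever or emit non-random keys; declaring temp as u_char and passing sizeof(temp) removes the mismatch. Stating that mechanism in the Description would save the next reader from rederiving it.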
2245 | diff --git a/debian/patches/series b/debian/patches/series |
2246 | index c2ec25e..a1ccd71 100644 |
2247 | --- a/debian/patches/series |
2248 | +++ b/debian/patches/series |
2249 | @@ -10,3 +10,28 @@ format-security.patch |
2250 | sntp-manpage.patch |
2251 | openssl-headers.patch |
2252 | autotools.patch |
2253 | +CVE-2014-9293.patch |
2254 | +CVE-2014-9294.patch |
2255 | +CVE-2014-9295.patch |
2256 | +CVE-2014-9296.patch |
2257 | +CVE-2014-9297.patch |
2258 | +CVE-2014-9298.patch |
2259 | +CVE-2015-1798.patch |
2260 | +CVE-2015-1799.patch |
2261 | +ntp-keygen-endless-loop.patch |
2262 | +use-after-free-in-routing-socket.patch |
2263 | +ignore-ENOBUFS-on-routing-netlink-socket.patch |
2264 | +CVE-2015-5146.patch |
2265 | +CVE-2015-5194.patch |
2266 | +CVE-2015-5195.patch |
2267 | +CVE-2015-5219.patch |
2268 | +CVE-2015-5300.patch |
2269 | +CVE-2015-7691.patch |
2270 | +CVE-2015-7701.patch |
2271 | +CVE-2015-5196.patch |
2272 | +CVE-2015-7704.patch |
2273 | +CVE-2015-7850.patch |
2274 | +CVE-2015-7852.patch |
2275 | +CVE-2015-7853.patch |
2276 | +CVE-2015-7855.patch |
2277 | +CVE-2015-7871.patch |
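Review bot: CVE-2015-5196.patch is listed between CVE-2015-7701.patch and CVE-2015-7704.patch rather than after CVE-2015-5195.patch, breaking the otherwise numeric order of the CVE entries. If it has to apply after CVE-2015-7701.patch because the hunks overlap, a short "#" comment in series saying so would stop a future rebase from "fixing" the order; otherwise move it up to its numeric place.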
2278 | diff --git a/debian/patches/use-after-free-in-routing-socket.patch b/debian/patches/use-after-free-in-routing-socket.patch |
2279 | new file mode 100644 |
2280 | index 0000000..e7c8dec |
2281 | --- /dev/null |
2282 | +++ b/debian/patches/use-after-free-in-routing-socket.patch |
2283 | @@ -0,0 +1,33 @@ |
2284 | +Description: Fix use-after-free in routing socket code. |
2285 | +Origin: backport, https://bugs.ntp.org/attachment.cgi?id=883 |
2286 | +Bug: http://bugs.ntp.org/2224 |
2287 | +Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c |
2288 | +=================================================================== |
2289 | +--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c |
2290 | ++++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c |
2291 | +@@ -3534,7 +3534,8 @@ input_handler( |
2292 | + int select_count = 0; |
2293 | + endpt *ep; |
2294 | + #if defined(HAS_ROUTING_SOCKET) |
2295 | +- struct asyncio_reader *asyncio_reader; |
2296 | ++ struct asyncio_reader * asyncio_reader; |
2297 | ++ struct asyncio_reader * next_asyncio_reader; |
2298 | + #endif |
2299 | + |
2300 | + handler_calls++; |
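Review bot: this hunk rewrites the existing declaration "struct asyncio_reader *asyncio_reader;" to "struct asyncio_reader * asyncio_reader;" only to change spacing; in a minimal backport that is churn, so keep the original line and add just the next_asyncio_reader declaration in the same style.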
2301 | +@@ -3637,11 +3638,13 @@ input_handler( |
2302 | + asyncio_reader = asyncio_reader_list; |
2303 | + |
2304 | + while (asyncio_reader != NULL) { |
2305 | ++ /* callback may unlink and free asyncio_reader */ |
2306 | ++ next_asyncio_reader = asyncio_reader->link; |
2307 | + if (FD_ISSET(asyncio_reader->fd, &fds)) { |
2308 | + ++select_count; |
2309 | +- (asyncio_reader->receiver)(asyncio_reader); |
2310 | ++ (*asyncio_reader->receiver)(asyncio_reader); |
2311 | + } |
2312 | +- asyncio_reader = asyncio_reader->link; |
2313 | ++ asyncio_reader = next_asyncio_reader; |
2314 | + } |
2315 | + #endif /* HAS_ROUTING_SOCKET */ |
2316 | + |
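Review bot: saving "next_asyncio_reader = asyncio_reader->link" before invoking the receiver is the correct fix, since process_routing_msgs (see ignore-ENOBUFS-on-routing-netlink-socket.patch in this series) calls remove_asyncio_reader and delete_asyncio_reader on error and the old loop then read asyncio_reader->link from freed memory; the comment added above the FD_ISSET check documents that contract and should stay. The change from "(asyncio_reader->receiver)(asyncio_reader)" to "(*asyncio_reader->receiver)(asyncio_reader)" is purely cosmetic (both forms call the same function pointer) and unrelated to the use-after-free, so it is better dropped from a targeted backport.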
2317 | diff --git a/debian/rules b/debian/rules |
2318 | index 6effbda..0a1733d 100755 |
2319 | --- a/debian/rules |
2320 | +++ b/debian/rules |
2321 | @@ -1,11 +1,15 @@ |
2322 | #!/usr/bin/make -f |
2323 | |
2324 | +export DEB_BUILD_HARDENING=1 |
2325 | + |
2326 | # hacks to avoid running these things during the build |
2327 | export ACLOCAL = : aclocal |
2328 | export AUTOCONF = : autoconf |
2329 | export AUTOMAKE = : automake |
2330 | export AUTOHEADER = : autoheader |
2331 | |
2332 | +genfiles:=ntpd/ntp_parser.c ntpd/ntp_parser.h |
2333 | + |
2334 | DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS) |
2335 | |
2336 | CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) -D_GNU_SOURCE |
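Review bot: "export DEB_BUILD_HARDENING=1" drives the old hardening-wrapper mechanism, while this rules file already takes CPPFLAGS from dpkg-buildflags (visible just below), which is where hardening flags come from on current toolchains. Unless hardening-wrapper is a build dependency the export does nothing; either drop it or replace it with "export DEB_BUILD_MAINT_OPTIONS = hardening=+all" so that dpkg-buildflags enables the full set, PIE and bindnow included.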
2337 | @@ -19,10 +23,14 @@ ifeq (hurd, $(DEB_HOST_ARCH_OS)) |
2338 | exit 1 |
2339 | endif |
2340 | cp /usr/share/misc/config.guess /usr/share/misc/config.sub . |
2341 | + cp /usr/share/misc/config.guess /usr/share/misc/config.sub sntp/. |
2342 | + # backup autogenerated files |
2343 | + for f in $(genfiles); do mv -f $$f $$f.backup; done |
2344 | + |
2345 | ./configure CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' \ |
2346 | --prefix=/usr \ |
2347 | --enable-all-clocks --enable-parse-clocks --enable-SHM \ |
2348 | - --disable-debugging --sysconfdir=/var/lib/ntp \ |
2349 | + --enable-debugging --sysconfdir=/var/lib/ntp \ |
2350 | --with-sntp=no \ |
2351 | --with-lineeditlibs=edit \ |
2352 | --without-ntpsnmpd \ |
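Review bot: two points in the build hunk. First, "for f in $(genfiles); do mv -f $$f $$f.backup; done" overwrites any existing .backup unconditionally, so if the build target runs twice without an intervening clean the second run replaces the pristine ntp_parser.c/.h backups with the regenerated copies and the restore in clean then puts back the wrong files; guard it with "[ -e $$f.backup ] || mv -f $$f $$f.backup". Second, flipping --disable-debugging to --enable-debugging compiles the DEBUG code paths into the shipped ntpd, a behaviour change for every user that deserves an explicit changelog entry with the motivation.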
2353 | @@ -45,6 +53,10 @@ clean: |
2354 | rm -f build-stamp |
2355 | [ ! -f Makefile ] || $(MAKE) -k distclean |
2356 | rm -f config.guess config.sub |
2357 | + # restore autogenerated files |
2358 | + for f in $(genfiles); do \ |
2359 | + [ ! -e $$f.backup ] || ( rm -rf $$f; mv $$f.backup $$f ) ; \ |
2360 | + done |
2361 | dh_clean |
2362 | |
2363 | install: build-stamp |
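Review bot: clean still runs only "rm -f config.guess config.sub", but the build hunk now also copies config.guess and config.sub into sntp/., so those two files are left behind after clean and will be picked up as local changes by dpkg-source on the next build; add "rm -f sntp/config.guess sntp/config.sub" beside the existing rm. The restore loop itself is fine: the "[ ! -e $$f.backup ] ||" guard makes it safe when no backup exists.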
2364 | @@ -73,6 +85,14 @@ install: build-stamp |
2365 | # remove upstream man pages, which are currently not as nice as ours / ntpsnmpd we don't want |
2366 | rm $(addprefix debian/ntp/usr/share/man/man1/,ntpd.1 ntpdc.1 ntp-keygen.1 ntpq.1 ntpsnmpd.1) |
2367 | |
2368 | + # install apparmor profile |
2369 | + install -D -m 0644 debian/apparmor-profile debian/ntp/etc/apparmor.d/usr.sbin.ntpd |
2370 | + install -D -m 0644 debian/apparmor-profile.tunable debian/ntp/etc/apparmor.d/tunables/ntpd |
2371 | + dh_link -pntp etc/apparmor.d/usr.sbin.ntpd etc/apparmor/init/network-interface-security/usr.sbin.ntpd |
2372 | + |
2373 | + # install apport hook |
2374 | + install -D -m 644 debian/source_ntp.py debian/ntp/usr/share/apport/package-hooks/source_ntp.py |
2375 | + |
2376 | dh_movefiles --sourcedir=debian/ntp |
2377 | |
2378 | binary-indep: build install |
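Review bot: the two install lines spell the mode differently, "-m 0644" for the AppArmor files and "-m 644" for the apport hook; pick one form. Installing the profile under /etc/apparmor.d and linking it into etc/apparmor/init/network-interface-security/ is the usual Ubuntu arrangement for loading the profile before the interface-triggered start, so that part looks right.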
2379 | @@ -100,7 +120,8 @@ binary-arch: build install |
2380 | dh_installdocs -a |
2381 | dh_installexamples -a |
2382 | dh_installman -a |
2383 | - dh_installinit -pntp --update-rcd-params="start 23 2 3 4 5 ." --error-handler=installinit_error |
2384 | + dh_apparmor -pntp --profile-name=usr.sbin.ntpd |
2385 | + dh_installinit -pntp --update-rcd-params="start 23 2 3 4 5 . stop 77 1 ." --error-handler=installinit_error |
2386 | dh_installinit -pntpdate |
2387 | dh_installcron -a |
2388 | dh_installlogcheck -a |
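Review bot: dh_apparmor is placed before dh_installinit, which is the required order (the generated postinst snippet loads the profile before the init script starts ntpd), so that is correct. The update-rc.d change from "start 23 2 3 4 5 ." to "start 23 2 3 4 5 . stop 77 1 ." adds a stop link for runlevel 1 only; if the intention is to stop ntpd cleanly on halt and reboot as well, that needs "stop 77 0 1 6 .", and either way the changelog should say why the stop entry was added.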
2389 | diff --git a/debian/source_ntp.py b/debian/source_ntp.py |
2390 | new file mode 100644 |
2391 | index 0000000..3debc68 |
2392 | --- /dev/null |
2393 | +++ b/debian/source_ntp.py |
2394 | @@ -0,0 +1,22 @@ |
2395 | +'''apport package hook for ntp |
2396 | + |
2397 | +(c) 2010-2011 Canonical Ltd. |
2398 | +Author: Chuck Short <zulcss@ubuntu.com> |
2399 | +''' |
2400 | + |
2401 | +from apport.hookutils import * |
2402 | +from os import path |
2403 | +import re |
2404 | + |
2405 | +def add_info(report): |
2406 | + attach_conffiles(report, 'ntp') |
2407 | + |
2408 | + # get apparmor stuff |
2409 | + attach_mac_events(report, '/usr/sbin/ntpd') |
2410 | + attach_file(report, '/etc/apparmor.d/usr.sbin.ntpd') |
2411 | + |
2412 | + # get syslog stuff |
2413 | + recent_syslog(re.compile(r'ntpd\[')) |
2414 | + |
2415 | + # Get debug information |
2416 | + report['NtpStatus'] = command_output(['ntpq', '-p']) |
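Review bot: "recent_syslog(re.compile(r'ntpd\['))" discards its return value, so the "get syslog stuff" step attaches nothing to the report; it should be assigned, for example "report['NtpdSyslog'] = recent_syslog(re.compile(r'ntpd\['))". Also "from os import path" is unused, and "from apport.hookutils import *" pulls in every name from the module where "from apport.hookutils import attach_conffiles, attach_mac_events, attach_file, recent_syslog, command_output" would document exactly what the hook relies on.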
Hi Pierre,
Good job on this one. The only diff between this and 1:4.2.6.p5+dfsg-3ubuntu9 is debian/changelog and update-maintainer, as I expect.
Good job also squashing down all the different Apparmor-related changes into one commit.
My only complaint is on commits 93ec5cb and 8c7e386. These both touch the same lines in debian/ntpdate.if-up. In 8c7e386 the "LOCKFILE" line is changed and "invoke-rc.d" lines added, and in 93ec5cb the "LOCKFILE" line is changed back again and one of the previously added "invoke-rc.d" lines is moved. This is churn that we want to squash out at this logical stage.
For example:
@@ -30,7 +30,7 @@ if [ -r /lib/udev/ hotplug. functions ]; then
wait_for_ file /usr/sbin/ ntpdate- debian
fi
-LOCKFILE= /var/lock/ ntpdate /var/lock/ ntpdate- ifup
+LOCKFILE=
# Avoid running more than one at a time lockfile- create ]; then
if [ -x /usr/bin/
and then later:
@@ -30,7 +30,7 @@ if [ -r /lib/udev/ hotplug. functions ]; then
wait_for_ file /usr/sbin/ ntpdate- debian
fi
-LOCKFILE= /var/lock/ ntpdate- ifup /var/lock/ ntpdate
+LOCKFILE=
# Avoid running more than one at a time lockfile- create ]; then
if [ -x /usr/bin/
Indicate churn to me. When figuring out the logical set of changes made, these hunks cancel out and so should not appear at all. The same applies to one of the two invoke-rc.d lines.
I would split "debian/ntpdate.if-up: Fix interaction with openntpd", which I take to be the "if [ -e /usr/sbin/openntpd ]; then" stanza, into its own commit. Then there would be a separate commit that doesn't need to touch LOCKFILE and just adds the two invoke-rc.d lines directly into their final places. Since this distils the previous uploads, the commit messages will probably need tweaking a little so that they make sense.
Apart from this, everything else is byte-perfect. I'm not sure it's necessary to redo this. It's minor enough that I can probably just keep it in mind while reviewing your merge. So I'll do that next. No action needed here for now. Thanks!