Ubuntu
ntp package

Merge ~kick-d/ubuntu/+source/ntp:logical/4.2.6.p5+dfsg-3ubuntu9 into ~ubuntu-server-dev/ubuntu/+source/ntp:logical

  1. Git
  2. lp:~kick-d/ubuntu/+source/ntp
  3. logical/4.2.6.p5+dfsg-3ubuntu9
  4. Merge into logical
Proposed by Kick In
Status: Rejected
Rejected by: Robie Basak
Proposed branch: ~kick-d/ubuntu/+source/ntp:logical/4.2.6.p5+dfsg-3ubuntu9
Merge into: ~ubuntu-server-dev/ubuntu/+source/ntp:logical
Diff against target: 2416 lines (+2058/-21)
39 files modified
debian/apparmor-profile (+81/-0)
debian/apparmor-profile.tunable (+15/-0)
debian/control (+4/-2)
debian/ntp.conf (+12/-12)
debian/ntp.dhcp (+1/-1)
debian/ntp.dirs (+3/-0)
debian/ntp.init (+2/-2)
debian/ntp.preinst (+6/-0)
debian/ntpdate-debian (+1/-1)
debian/ntpdate.default (+1/-1)
debian/ntpdate.if-up (+10/-0)
debian/patches/CVE-2014-9293.patch (+42/-0)
debian/patches/CVE-2014-9294.patch (+118/-0)
debian/patches/CVE-2014-9295.patch (+108/-0)
debian/patches/CVE-2014-9296.patch (+16/-0)
debian/patches/CVE-2014-9297.patch (+371/-0)
debian/patches/CVE-2014-9298.patch (+43/-0)
debian/patches/CVE-2015-1798.patch (+33/-0)
debian/patches/CVE-2015-1799.patch (+42/-0)
debian/patches/CVE-2015-5146.patch (+128/-0)
debian/patches/CVE-2015-5194.patch (+49/-0)
debian/patches/CVE-2015-5195.patch (+47/-0)
debian/patches/CVE-2015-5196.patch (+57/-0)
debian/patches/CVE-2015-5219.patch (+27/-0)
debian/patches/CVE-2015-5300.patch (+16/-0)
debian/patches/CVE-2015-7691.patch (+225/-0)
debian/patches/CVE-2015-7701.patch (+23/-0)
debian/patches/CVE-2015-7704.patch (+19/-0)
debian/patches/CVE-2015-7850.patch (+235/-0)
debian/patches/CVE-2015-7852.patch (+35/-0)
debian/patches/CVE-2015-7853.patch (+46/-0)
debian/patches/CVE-2015-7855.patch (+29/-0)
debian/patches/CVE-2015-7871.patch (+40/-0)
debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch (+32/-0)
debian/patches/ntp-keygen-endless-loop.patch (+38/-0)
debian/patches/series (+25/-0)
debian/patches/use-after-free-in-routing-socket.patch (+33/-0)
debian/rules (+23/-2)
debian/source_ntp.py (+22/-0)
Reviewer Review Type Date Requested Status
Robie Basak Disapprove
Review via email: mp+284274@code.launchpad.net

Description of the change

Logical changes from ubuntu

To post a comment you must log in.
Revision history for this message
Robie Basak (racb) wrote :

Hi Pierre,

Good job on this one. The only diff between this and 1:4.2.6.p5+dfsg-3ubuntu9 are debian/changelog and update-maintainer as I expect.

Good job also squashing down all the different Apparmor-related changes into one commit.

My only complaint is on commits 93ec5cb and 8c7e386. These both touch the same lines in debian/ntpdate.if-up. In 8c7e386 the "LOCKFILE" line is changed and "invoke-rc.d" lines added, and in 93ec5cb the "LOCKFILE" line is changed back again and one of the previously added "invoke-rc.d" lines is moved. This is churn that we want to squash out at this logical stage.

For example:

@@ -30,7 +30,7 @@ if [ -r /lib/udev/hotplug.functions ]; then
        wait_for_file /usr/sbin/ntpdate-debian
 fi

-LOCKFILE=/var/lock/ntpdate
+LOCKFILE=/var/lock/ntpdate-ifup

 # Avoid running more than one at a time
 if [ -x /usr/bin/lockfile-create ]; then

and then later:

@@ -30,7 +30,7 @@ if [ -r /lib/udev/hotplug.functions ]; then
        wait_for_file /usr/sbin/ntpdate-debian
 fi

-LOCKFILE=/var/lock/ntpdate-ifup
+LOCKFILE=/var/lock/ntpdate

 # Avoid running more than one at a time
 if [ -x /usr/bin/lockfile-create ]; then

Indicate churn to me. When figuring out the logical set of changes made, these hunks cancel out and so should not appear at all. The same applies to one of the two invoke-rc.d lines.

I would split "debian/ntpdate.if-up: Fix interaction with openntpd", which I take to be the "if [ -e /usr/sbin/openntpd ]; then" stanza into its own commit. Then there would be a separate commit that doesn't need to touch LOCKFILE and just adds the two invoke-rc.d lines directly into their final places. Since this distils the previous uploads, the commit messages will probably need tweaking a little so that they make sense.

Apart from this, everything else is byte-perfect. I'm not sure it's necessary to redo this. It's minor enough that I can probably just keep it in mind while reviewing your merge. So I'll do that next. No action needed here for now. Thanks!

Revision history for this message
Kick In (kick-d) wrote :

Thanks, and sorry for this one. I kept this in my head, and forgot to
squash.

2016-01-28 14:31 GMT+01:00 Robie Basak <email address hidden>:

> Hi Pierre,
>
> Good job on this one. The only diff between this and
> 1:4.2.6.p5+dfsg-3ubuntu9 are debian/changelog and update-maintainer as I
> expect.
>
> Good job also squashing down all the different Apparmor-related changes
> into one commit.
>
> My only complaint is on commits 93ec5cb and 8c7e386. These both touch the
> same lines in debian/ntpdate.if-up. In 8c7e386 the "LOCKFILE" line is
> changed and "invoke-rc.d" lines added, and in 93ec5cb the "LOCKFILE" line
> is changed back again and one of the previously added "invoke-rc.d" lines
> is moved. This is churn that we want to squash out at this logical stage.
>
> For example:
>
> @@ -30,7 +30,7 @@ if [ -r /lib/udev/hotplug.functions ]; then
> wait_for_file /usr/sbin/ntpdate-debian
> fi
>
> -LOCKFILE=/var/lock/ntpdate
> +LOCKFILE=/var/lock/ntpdate-ifup
>
> # Avoid running more than one at a time
> if [ -x /usr/bin/lockfile-create ]; then
>
>
> and then later:
>
> @@ -30,7 +30,7 @@ if [ -r /lib/udev/hotplug.functions ]; then
> wait_for_file /usr/sbin/ntpdate-debian
> fi
>
> -LOCKFILE=/var/lock/ntpdate-ifup
> +LOCKFILE=/var/lock/ntpdate
>
> # Avoid running more than one at a time
> if [ -x /usr/bin/lockfile-create ]; then
>
> Indicate churn to me. When figuring out the logical set of changes made,
> these hunks cancel out and so should not appear at all. The same applies to
> one of the two invoke-rc.d lines.
>
> I would split "debian/ntpdate.if-up: Fix interaction with openntpd", which
> I take to be the "if [ -e /usr/sbin/openntpd ]; then" stanza into its own
> commit. Then there would be a separate commit that doesn't need to touch
> LOCKFILE and just adds the two invoke-rc.d lines directly into their final
> places. Since this distils the previous uploads, the commit messages will
> probably need tweaking a little so that they make sense.
>
> Apart from this, everything else is byte-perfect. I'm not sure it's
> necessary to redo this. It's minor enough that I can probably just keep it
> in mind while reviewing your merge. So I'll do that next. No action needed
> here for now. Thanks!
> --
>
> https://code.launchpad.net/~kick-d/ubuntu/+source/ntp/+git/ntp/+merge/284274
> You are the owner of
> ~kick-d/ubuntu/+source/ntp:logical/4.2.6.p5+dfsg-3ubuntu9.
>

Revision history for this message
Kick In (kick-d) wrote :

OK I'll split this out in my merge proposal.

2016-01-28 15:27 GMT+01:00 Pierre-Andre Morey <
<email address hidden>>:

> Thanks, and sorry for this one. I kept this in my head, and forgot to
> squash.
>
> 2016-01-28 14:31 GMT+01:00 Robie Basak <email address hidden>:
>
>> Hi Pierre,
>>
>> Good job on this one. The only diff between this and
>> 1:4.2.6.p5+dfsg-3ubuntu9 are debian/changelog and update-maintainer as I
>> expect.
>>
>> Good job also squashing down all the different Apparmor-related changes
>> into one commit.
>>
>> My only complaint is on commits 93ec5cb and 8c7e386. These both touch the
>> same lines in debian/ntpdate.if-up. In 8c7e386 the "LOCKFILE" line is
>> changed and "invoke-rc.d" lines added, and in 93ec5cb the "LOCKFILE" line
>> is changed back again and one of the previously added "invoke-rc.d" lines
>> is moved. This is churn that we want to squash out at this logical stage.
>>
>> For example:
>>
>> @@ -30,7 +30,7 @@ if [ -r /lib/udev/hotplug.functions ]; then
>> wait_for_file /usr/sbin/ntpdate-debian
>> fi
>>
>> -LOCKFILE=/var/lock/ntpdate
>> +LOCKFILE=/var/lock/ntpdate-ifup
>>
>> # Avoid running more than one at a time
>> if [ -x /usr/bin/lockfile-create ]; then
>>
>>
>> and then later:
>>
>> @@ -30,7 +30,7 @@ if [ -r /lib/udev/hotplug.functions ]; then
>> wait_for_file /usr/sbin/ntpdate-debian
>> fi
>>
>> -LOCKFILE=/var/lock/ntpdate-ifup
>> +LOCKFILE=/var/lock/ntpdate
>>
>> # Avoid running more than one at a time
>> if [ -x /usr/bin/lockfile-create ]; then
>>
>> Indicate churn to me. When figuring out the logical set of changes made,
>> these hunks cancel out and so should not appear at all. The same applies to
>> one of the two invoke-rc.d lines.
>>
>> I would split "debian/ntpdate.if-up: Fix interaction with openntpd",
>> which I take to be the "if [ -e /usr/sbin/openntpd ]; then" stanza into its
>> own commit. Then there would be a separate commit that doesn't need to
>> touch LOCKFILE and just adds the two invoke-rc.d lines directly into their
>> final places. Since this distils the previous uploads, the commit messages
>> will probably need tweaking a little so that they make sense.
>>
>> Apart from this, everything else is byte-perfect. I'm not sure it's
>> necessary to redo this. It's minor enough that I can probably just keep it
>> in mind while reviewing your merge. So I'll do that next. No action needed
>> here for now. Thanks!
>> --
>>
>> https://code.launchpad.net/~kick-d/ubuntu/+source/ntp/+git/ntp/+merge/284274
>> You are the owner of
>> ~kick-d/ubuntu/+source/ntp:logical/4.2.6.p5+dfsg-3ubuntu9.
>>
>
>

Revision history for this message
Robie Basak (racb) wrote :

This was resolved. Not merged, but superseded by the real merge.

review: Needs Resubmitting
Revision history for this message
Robie Basak (racb) wrote :

(not sure how to set the merge status to "Superseded")

review: Disapprove

Unmerged commits

c8a02ba... by Kick In

  * SECURITY UPDATE: symmetric association authentication bypass via
    crypto-NAK
    - debian/patches/CVE-2015-7871.patch: drop unhandled packet in
      ntpd/ntp_proto.c.
    - CVE-2015-7871

da8c14c... by Kick In

  * SECURITY UPDATE: denial of service via ASSERT in decodenetnum
    - debian/patches/CVE-2015-7855.patch: simply return fail in
      libntp/decodenetnum.c.
    - CVE-2015-7855

f0f93bb... by Kick In

  * SECURITY UPDATE: buffer overflow via custom refclock driver
    - debian/patches/CVE-2015-7853.patch: properly calculate length in
      ntpd/ntp_io.c.
    - CVE-2015-7853

bca2843... by Kick In

  * SECURITY UPDATE: ntpq atoascii memory corruption
    - debian/patches/CVE-2015-7852.patch: avoid buffer overrun in
      ntpq/ntpq.c.
    - CVE-2015-7852

9af4d3a... by Kick In

  * SECURITY UPDATE: denial of service via same logfile and keyfile
    - debian/patches/CVE-2015-7850.patch: rate limit errors in
      include/ntp_stdlib.h, include/ntp_syslog.h, libntp/authreadkeys.c,
      libntp/msyslog.c.
    - CVE-2015-7850

56e59ee... by Kick In

  * SECURITY UPDATE: denial of service by spoofed KoD
    - debian/patches/CVE-2015-7704.patch: add check to ntpd/ntp_proto.c.
    - CVE-2015-7704
    - CVE-2015-7705

a64bbbd... by Kick In

  * SECURITY UPDATE: file overwrite via remote pidfile and driftfile
    configuration directives
    - debian/patches/CVE-2015-5196.patch: disable remote configuration in
      ntpd/ntp_parser.y.
    - CVE-2015-5196
    - CVE-2015-7703

b574fc2... by Kick In

  * SECURITY UPDATE: memory leak in CRYPTO_ASSOC
    - debian/patches/CVE-2015-7701.patch: add missing free in
      ntpd/ntp_crypto.c.
    - CVE-2015-7701

5afebc5... by Kick In

  * SECURITY UPDATE: incomplete autokey data packet length checks
    - debian/patches/CVE-2015-7691.patch: add length and size checks to
      ntpd/ntp_crypto.c.
    - CVE-2015-7691
    - CVE-2015-7692
    - CVE-2015-7702

d8365e5... by Kick In

  * SECURITY UPDATE: timeshifting by reboot issue
    - debian/patches/CVE-2015-5300.patch: disable panic in
      ntpd/ntp_loopfilter.c.
    - CVE-2015-5300

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/apparmor-profile b/debian/apparmor-profile
0new file mode 1006440new file mode 100644
index 0000000..48e8d7a
--- /dev/null
+++ b/debian/apparmor-profile
@@ -0,0 +1,81 @@
1# vim:syntax=apparmor
2# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
3# ------------------------------------------------------------------
4#
5# Copyright (C) 2002-2005 Novell/SUSE
6# Copyright (C) 2009-2012 Canonical Ltd.
7#
8# This program is free software; you can redistribute it and/or
9# modify it under the terms of version 2 of the GNU General Public
10# License published by the Free Software Foundation.
11#
12# ------------------------------------------------------------------
13
14#include <tunables/global>
15#include <tunables/ntpd>
16/usr/sbin/ntpd {
17 #include <abstractions/base>
18 #include <abstractions/nameservice>
19 #include <abstractions/user-tmp>
20
21 capability ipc_lock,
22 capability net_bind_service,
23 capability setgid,
24 capability setuid,
25 capability sys_chroot,
26 capability sys_resource,
27 capability sys_time,
28 capability sys_nice,
29
30 network inet dgram,
31 network inet6 dgram,
32 network inet stream,
33 network inet6 stream,
34
35 @{PROC}/net/if_inet6 r,
36 @{PROC}/*/net/if_inet6 r,
37 @{NTPD_DEVICE} rw,
38
39 /{,s}bin/ r,
40 /usr/{,s}bin/ r,
41 /usr/sbin/ntpd rmix,
42
43 /etc/ntp.conf r,
44 /etc/ntp.conf.dhcp r,
45 /etc/ntpd.conf r,
46 /etc/ntpd.conf.tmp r,
47 /var/lib/ntp/ntp.conf.dhcp r,
48
49 /etc/ntp.keys r,
50 /etc/ntp/** r,
51
52 /etc/ntp.drift rwl,
53 /etc/ntp.drift.TEMP rwl,
54 /etc/ntp/drift* rwl,
55 /var/lib/ntp/*drift rw,
56 /var/lib/ntp/*drift.TEMP rw,
57
58 /var/log/ntp w,
59 /var/log/ntp.log w,
60 /var/log/ntpd w,
61 /var/log/ntpstats/clockstats* rwl,
62 /var/log/ntpstats/loopstats* rwl,
63 /var/log/ntpstats/peerstats* rwl,
64 /var/log/ntpstats/protostats* rwl,
65 /var/log/ntpstats/rawstats* rwl,
66 /var/log/ntpstats/sysstats* rwl,
67
68 /{,var/}run/ntpd.pid w,
69
70 # samba4 ntp signing socket
71 /{,var/}run/samba/ntp_signd/socket rw,
72
73 # For use with clocks that report via shared memory (e.g. gpsd),
74 # you may need to give ntpd access to all of shared memory, though
75 # this can be considered dangerous. See https://launchpad.net/bugs/722815
76 # for details. To enable, add this to local/usr.sbin.ntpd:
77 # capability ipc_owner,
78
79 # Site-specific additions and overrides. See local/README for details.
80 #include <local/usr.sbin.ntpd>
81}
diff --git a/debian/apparmor-profile.tunable b/debian/apparmor-profile.tunable
0new file mode 10064482new file mode 100644
index 0000000..1fc2d8f
--- /dev/null
+++ b/debian/apparmor-profile.tunable
@@ -0,0 +1,15 @@
1# vim:syntax=apparmor
2# ------------------------------------------------------------------
3#
4# Copyright (C) 2002-2005 Novell/SUSE
5# Copyright (C) 2011 Canonical, Ltd.
6#
7# This program is free software; you can redistribute it and/or
8# modify it under the terms of version 2 of the GNU General Public
9# License published by the Free Software Foundation.
10#
11# ------------------------------------------------------------------
12
13#Add your ntpd devices here eg. if you have a DCF clock
14# @{NTPD_DEVICE}="/dev/ttyS1"
15@{NTPD_DEVICE}="/dev/null"
diff --git a/debian/control b/debian/control
index 5f175fd..f3624dd 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: net
3Priority: optional3Priority: optional
4Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>4Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
5Uploaders: Bdale Garbee <bdale@gag.com>, Peter Eisentraut <petere@debian.org>, Kurt Roeckx <kurt@roeckx.be>5Uploaders: Bdale Garbee <bdale@gag.com>, Peter Eisentraut <petere@debian.org>, Kurt Roeckx <kurt@roeckx.be>
6Build-Depends: autotools-dev, debhelper (>= 6), libedit-dev, libcap2-dev [linux-any], libssl-dev (>= 1.0.0e-1), autogen (>= 1:5.11)6Build-Depends: autotools-dev, debhelper (>= 6), libedit-dev, libcap2-dev [linux-any], libssl-dev (>= 1.0.0e-1), autogen (>= 1:5.11), hardening-wrapper, dh-apparmor, bison
7Build-Conflicts: libavahi-compat-libdnssd-dev, libwww-dev, libwww-ssl-dev7Build-Conflicts: libavahi-compat-libdnssd-dev, libwww-dev, libwww-ssl-dev
8Standards-Version: 3.9.38Standards-Version: 3.9.3
9Homepage: http://support.ntp.org/9Homepage: http://support.ntp.org/
@@ -15,7 +15,9 @@ Architecture: any
15Depends: adduser, lsb-base (>= 3.2-13), netbase, ${misc:Depends}, ${shlibs:Depends}15Depends: adduser, lsb-base (>= 3.2-13), netbase, ${misc:Depends}, ${shlibs:Depends}
16Pre-Depends: dpkg (>= 1.15.7.2)16Pre-Depends: dpkg (>= 1.15.7.2)
17Recommends: ${perl:Depends}17Recommends: ${perl:Depends}
18Suggests: ntp-doc18Suggests: ntp-doc, apparmor (>= 2.1+1075-0ubuntu6)
19Conflicts: apparmor-profiles (<< 2.3.1+1403-0ubuntu10), apparmor (<< 2.3.1+1403-0ubuntu10)
20Replaces: apparmor-profiles (<< 2.3.1+1403-0ubuntu10), apparmor (<< 2.3.1+1403-0ubuntu10)
19Breaks: dhcp3-client (<< 4.1.0-1)21Breaks: dhcp3-client (<< 4.1.0-1)
20Description: Network Time Protocol daemon and utility programs22Description: Network Time Protocol daemon and utility programs
21 NTP, the Network Time Protocol, is used to keep computer clocks23 NTP, the Network Time Protocol, is used to keep computer clocks
diff --git a/debian/ntp.conf b/debian/ntp.conf
index cb7d021..4457652 100644
--- a/debian/ntp.conf
+++ b/debian/ntp.conf
@@ -11,18 +11,18 @@ filegen loopstats file loopstats type day enable
11filegen peerstats file peerstats type day enable11filegen peerstats file peerstats type day enable
12filegen clockstats file clockstats type day enable12filegen clockstats file clockstats type day enable
1313
1414# Specify one or more NTP servers.
15# You do need to talk to an NTP server or two (or three).15
16#server ntp.your-provider.example16# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
1717# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
18# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will18# more information.
19# pick a different set every time it starts up. Please consider joining the19server 0.ubuntu.pool.ntp.org
20# pool: <http://www.pool.ntp.org/join.html>20server 1.ubuntu.pool.ntp.org
21server 0.debian.pool.ntp.org iburst21server 2.ubuntu.pool.ntp.org
22server 1.debian.pool.ntp.org iburst22server 3.ubuntu.pool.ntp.org
23server 2.debian.pool.ntp.org iburst23
24server 3.debian.pool.ntp.org iburst24# Use Ubuntu's ntp server as a fallback.
2525server ntp.ubuntu.com
2626
27# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for27# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
28# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>28# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
diff --git a/debian/ntp.dhcp b/debian/ntp.dhcp
index a1acb21..a629d16 100644
--- a/debian/ntp.dhcp
+++ b/debian/ntp.dhcp
@@ -40,7 +40,7 @@ ntp_servers_setup_add() {
40 echo "server $server iburst"40 echo "server $server iburst"
41 done41 done
42 echo42 echo
43 sed -r -e '/^ *(server|peer).*$/d' $NTP_CONF43 sed -r -e '/^ *(server *[^1][^2][^7]\.|peer).*$/d' $NTP_CONF
44 ) >>$tmp44 ) >>$tmp
45 45
46 mv $tmp $NTP_DHCP_CONF46 mv $tmp $NTP_DHCP_CONF
diff --git a/debian/ntp.dirs b/debian/ntp.dirs
index 49d3819..314ad95 100644
--- a/debian/ntp.dirs
+++ b/debian/ntp.dirs
@@ -1,3 +1,6 @@
1usr/sbin1usr/sbin
2var/lib/ntp2var/lib/ntp
3var/log/ntpstats3var/log/ntpstats
4etc/apparmor.d/force-complain
5etc/apparmor.d/tunables
6usr/share/apport/package-hooks
diff --git a/debian/ntp.init b/debian/ntp.init
index 3a5ccc5..9755091 100644
--- a/debian/ntp.init
+++ b/debian/ntp.init
@@ -5,7 +5,7 @@
5# Required-Start: $network $remote_fs $syslog5# Required-Start: $network $remote_fs $syslog
6# Required-Stop: $network $remote_fs $syslog6# Required-Stop: $network $remote_fs $syslog
7# Default-Start: 2 3 4 57# Default-Start: 2 3 4 5
8# Default-Stop: 8# Default-Stop: 1
9# Short-Description: Start NTP daemon9# Short-Description: Start NTP daemon
10### END INIT INFO10### END INIT INFO
1111
@@ -22,7 +22,7 @@ if [ -r /etc/default/ntp ]; then
22 . /etc/default/ntp22 . /etc/default/ntp
23fi23fi
2424
25if [ -e /var/lib/ntp/ntp.conf.dhcp ]; then25if [ /var/lib/ntp/ntp.conf.dhcp -nt /etc/ntp.conf ]; then
26 NTPD_OPTS="$NTPD_OPTS -c /var/lib/ntp/ntp.conf.dhcp"26 NTPD_OPTS="$NTPD_OPTS -c /var/lib/ntp/ntp.conf.dhcp"
27fi27fi
2828
diff --git a/debian/ntp.preinst b/debian/ntp.preinst
index 3c9f0a0..25da0e3 100644
--- a/debian/ntp.preinst
+++ b/debian/ntp.preinst
@@ -18,5 +18,11 @@ if dpkg-maintscript-helper supports mv_conffile; then
18 1:4.2.6.p1+dfsg-1 -- "$@"18 1:4.2.6.p1+dfsg-1 -- "$@"
19fi19fi
2020
21if [ "$1" = install ] && [ -e /etc/ntp.conf ] && [ ! -s /etc/ntp.conf ]; then
22 # Work around system-tools-backends bug that left an empty file
23 # (https://bugs.launchpad.net/bugs/83604).
24 rm -f /etc/ntp.conf
25fi
26
21#DEBHELPER#27#DEBHELPER#
2228
diff --git a/debian/ntpdate-debian b/debian/ntpdate-debian
index 4748b3a..c0f8c3b 100644
--- a/debian/ntpdate-debian
+++ b/debian/ntpdate-debian
@@ -8,7 +8,7 @@ fi
88
9if [ "$NTPDATE_USE_NTP_CONF" = yes ]; then9if [ "$NTPDATE_USE_NTP_CONF" = yes ]; then
10 for f in /var/lib/ntp/ntp.conf.dhcp /etc/ntp.conf /etc/openntpd/ntpd.conf; do10 for f in /var/lib/ntp/ntp.conf.dhcp /etc/ntp.conf /etc/openntpd/ntpd.conf; do
11 if [ -r "$f" ]; then11 if [ -r "$f" ] && [ -s "$f" ]; then
12 file=$f12 file=$f
13 break13 break
14 fi14 fi
diff --git a/debian/ntpdate.default b/debian/ntpdate.default
index 3241694..f239b18 100644
--- a/debian/ntpdate.default
+++ b/debian/ntpdate.default
@@ -7,7 +7,7 @@ NTPDATE_USE_NTP_CONF=yes
77
8# List of NTP servers to use (Separate multiple servers with spaces.)8# List of NTP servers to use (Separate multiple servers with spaces.)
9# Not used if NTPDATE_USE_NTP_CONF is yes.9# Not used if NTPDATE_USE_NTP_CONF is yes.
10NTPSERVERS="0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org"10NTPSERVERS="ntp.ubuntu.com"
1111
12# Additional options to pass to ntpdate12# Additional options to pass to ntpdate
13NTPOPTIONS=""13NTPOPTIONS=""
diff --git a/debian/ntpdate.if-up b/debian/ntpdate.if-up
index 8bd08b3..5271d4f 100644
--- a/debian/ntpdate.if-up
+++ b/debian/ntpdate.if-up
@@ -39,6 +39,14 @@ if [ -x /usr/bin/lockfile-create ]; then
39 LOCKTOUCHPID="$!"39 LOCKTOUCHPID="$!"
40fi40fi
4141
42if [ -e /usr/sbin/openntpd ]; then
43 service='openntpd'
44else
45 service='ntp'
46fi
47
48invoke-rc.d --quiet $service stop >/dev/null 2>&1 || true
49
42/usr/sbin/ntpdate-debian -s $OPTS 2>/dev/null || :50/usr/sbin/ntpdate-debian -s $OPTS 2>/dev/null || :
4351
44if [ -x /usr/bin/lockfile-create ] ; then52if [ -x /usr/bin/lockfile-create ] ; then
@@ -46,4 +54,6 @@ if [ -x /usr/bin/lockfile-create ] ; then
46 lockfile-remove $LOCKFILE54 lockfile-remove $LOCKFILE
47fi55fi
4856
57invoke-rc.d --quiet $service start >/dev/null 2>&1 || true
58
49) &59) &
diff --git a/debian/patches/CVE-2014-9293.patch b/debian/patches/CVE-2014-9293.patch
50new file mode 10064460new file mode 100644
index 0000000..2775e99
--- /dev/null
+++ b/debian/patches/CVE-2014-9293.patch
@@ -0,0 +1,42 @@
1Description: fix weak default key in config_auth()
2Author: thanks to Red Hat
3Origin: vendor, https://git.centos.org/blob/rpms!ntp.git/c054b85192ea340529fc9a659cac7ea6b893b50e/SOURCES!ntp-4.2.6p5-cve-2014-9293.patch
4Bug: http://bugs.ntp.org/show_bug.cgi?id=2665
5
6Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c
7===================================================================
8--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_config.c 2014-12-19 19:55:14.000000000 -0500
9+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c 2014-12-20 05:45:33.818645887 -0500
10@@ -1866,13 +1866,16 @@
11 req_hashlen = digest_len;
12 #endif
13 } else {
14- int rankey;
15+ unsigned char rankey[16];
16+
17+ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
18+ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
19+ exit(1);
20+ }
21
22- rankey = ntp_random();
23 req_keytype = NID_md5;
24 req_hashlen = 16;
25- MD5auth_setkey(req_keyid, req_keytype,
26- (u_char *)&rankey, sizeof(rankey));
27+ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
28 authtrust(req_keyid, 1);
29 }
30
31Index: ntp-4.2.6.p5+dfsg/ntpd/ntpd.c
32===================================================================
33--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntpd.c 2014-12-19 19:55:14.000000000 -0500
34+++ ntp-4.2.6.p5+dfsg/ntpd/ntpd.c 2014-12-20 05:45:33.818645887 -0500
35@@ -597,6 +597,7 @@
36 get_systime(&now);
37
38 ntp_srandom((int)(now.l_i * now.l_uf));
39+ ntp_crypto_srandom();
40
41 #if !defined(VMS)
42 # ifndef NODETACH
diff --git a/debian/patches/CVE-2014-9294.patch b/debian/patches/CVE-2014-9294.patch
0new file mode 10064443new file mode 100644
index 0000000..052cc8d
--- /dev/null
+++ b/debian/patches/CVE-2014-9294.patch
@@ -0,0 +1,118 @@
1Description: fix non-cryptographic random number generator with weak
2 seed used by ntp-keygen to generate symmetric keys
3Author: thanks to Red Hat for backport
4Origin: vendor, https://git.centos.org/blob/rpms!ntp.git/c054b85192ea340529fc9a659cac7ea6b893b50e/SOURCES!ntp-4.2.6p5-cve-2014-9294.patch
5Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548db6ddlELn4rnqUZ4kKGOjvtXwbQ
6Bug: http://bugs.ntp.org/show_bug.cgi?id=2666
7
8Index: ntp-4.2.6.p5+dfsg/include/ntp_random.h
9===================================================================
10--- ntp-4.2.6.p5+dfsg.orig/include/ntp_random.h 2009-12-09 02:36:35.000000000 -0500
11+++ ntp-4.2.6.p5+dfsg/include/ntp_random.h 2014-12-20 05:46:18.807038967 -0500
12@@ -1,6 +1,9 @@
13
14 #include <ntp_types.h>
15
16+void ntp_crypto_srandom(void);
17+int ntp_crypto_random_buf(void *buf, size_t nbytes);
18+
19 long ntp_random (void);
20 void ntp_srandom (unsigned long);
21 void ntp_srandomdev (void);
22Index: ntp-4.2.6.p5+dfsg/libntp/ntp_random.c
23===================================================================
24--- ntp-4.2.6.p5+dfsg.orig/libntp/ntp_random.c 2009-12-09 02:36:36.000000000 -0500
25+++ ntp-4.2.6.p5+dfsg/libntp/ntp_random.c 2014-12-20 05:46:18.807038967 -0500
26@@ -481,3 +481,63 @@
27 }
28 return(i);
29 }
30+
31+/*
32+ * Crypto-quality random number functions
33+ *
34+ * Author: Harlan Stenn, 2014
35+ *
36+ * This file is Copyright (c) 2014 by Network Time Foundation.
37+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
38+ */
39+
40+#include <openssl/err.h>
41+#include <openssl/rand.h>
42+
43+int crypto_rand_init = 0;
44+
45+/*
46+ * ntp_crypto_srandom:
47+ *
48+ * Initialize the random number generator, if needed by the underlying
49+ * crypto random number generation mechanism.
50+ */
51+
52+void
53+ntp_crypto_srandom(
54+ void
55+ )
56+{
57+ if (!crypto_rand_init) {
58+ RAND_poll();
59+ crypto_rand_init = 1;
60+ }
61+}
62+
63+/*
64+ * ntp_crypto_random_buf:
65+ *
66+ * Returns 0 on success, -1 on error.
67+ */
68+int
69+ntp_crypto_random_buf(
70+ void *buf,
71+ size_t nbytes
72+ )
73+{
74+ int rc;
75+
76+ rc = RAND_bytes(buf, nbytes);
77+ if (1 != rc) {
78+ unsigned long err;
79+ char *err_str;
80+
81+ err = ERR_get_error();
82+ err_str = ERR_error_string(err, NULL);
83+ /* XXX: Log the error */
84+
85+ return -1;
86+ }
87+ return 0;
88+}
89+
90Index: ntp-4.2.6.p5+dfsg/util/ntp-keygen.c
91===================================================================
92--- ntp-4.2.6.p5+dfsg.orig/util/ntp-keygen.c 2011-12-24 18:27:16.000000000 -0500
93+++ ntp-4.2.6.p5+dfsg/util/ntp-keygen.c 2014-12-20 05:46:18.811039002 -0500
94@@ -261,6 +261,8 @@
95 ssl_check_version();
96 #endif /* OPENSSL */
97
98+ ntp_crypto_srandom();
99+
100 /*
101 * Process options, initialize host name and timestamp.
102 */
103@@ -727,7 +729,14 @@
104 int temp;
105
106 while (1) {
107- temp = ntp_random() & 0xff;
108+ int rc;
109+
110+ rc = ntp_crypto_random_buf(&temp, 1);
111+ if (-1 == rc) {
112+ fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
113+ exit (-1);
114+ }
115+ temp &= 0xff;
116 if (temp == '#')
117 continue;
118
diff --git a/debian/patches/CVE-2014-9295.patch b/debian/patches/CVE-2014-9295.patch
0new file mode 100644119new file mode 100644
index 0000000..97b12cb
--- /dev/null
+++ b/debian/patches/CVE-2014-9295.patch
@@ -0,0 +1,108 @@
1Description: fix buffer overflows in crypto_recv(), ctl_putdata(), configure()
2Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA
3Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg
4Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g
5Bug: http://bugs.ntp.org/show_bug.cgi?id=2667
6Bug: http://bugs.ntp.org/show_bug.cgi?id=2668
7Bug: http://bugs.ntp.org/show_bug.cgi?id=2669
8
9Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c
10===================================================================
11--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_control.c 2014-12-20 05:46:26.695107896 -0500
12+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c 2014-12-20 05:46:40.583228864 -0500
13@@ -486,6 +486,10 @@
14 static char *reqpt;
15 static char *reqend;
16
17+#ifndef MIN
18+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
19+#endif
20+
21 /*
22 * init_control - initialize request data
23 */
24@@ -995,6 +999,7 @@
25 )
26 {
27 int overhead;
28+ unsigned int currentlen;
29
30 overhead = 0;
31 if (!bin) {
32@@ -1018,12 +1023,22 @@
33 /*
34 * Save room for trailing junk
35 */
36- if (dlen + overhead + datapt > dataend) {
37+ while (dlen + overhead + datapt > dataend) {
38 /*
39 * Not enough room in this one, flush it out.
40 */
41+ currentlen = MIN(dlen, dataend - datapt);
42+
43+ memcpy(datapt, dp, currentlen);
44+
45+ datapt += currentlen;
46+ dp += currentlen;
47+ dlen -= currentlen;
48+ datalinelen += currentlen;
49+
50 ctl_flushpkt(CTL_MORE);
51 }
52+
53 memmove((char *)datapt, dp, (unsigned)dlen);
54 datapt += dlen;
55 datalinelen += dlen;
56@@ -2492,6 +2507,20 @@
57
58 /* Initialize the remote config buffer */
59 data_count = reqend - reqpt;
60+
61+ if (data_count > sizeof(remote_config.buffer) - 2) {
62+ snprintf(remote_config.err_msg,
63+ sizeof(remote_config.err_msg),
64+ "runtime configuration failed: request too long");
65+ ctl_putdata(remote_config.err_msg,
66+ strlen(remote_config.err_msg), 0);
67+ ctl_flushpkt(0);
68+ msyslog(LOG_NOTICE,
69+ "runtime config from %s rejected: request too long",
70+ stoa(&rbufp->recv_srcadr));
71+ return;
72+ }
73+
74 memcpy(remote_config.buffer, reqpt, data_count);
75 if (data_count > 0
76 && '\n' != remote_config.buffer[data_count - 1])
77Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
78===================================================================
79--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2011-11-30 21:55:17.000000000 -0500
80+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2014-12-20 05:46:40.579228829 -0500
81@@ -789,15 +789,24 @@
82 * errors.
83 */
84 if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
85+ u_int32 *cookiebuf = malloc(
86+ RSA_size(host_pkey->pkey.rsa));
87+ if (!cookiebuf) {
88+ rval = XEVNT_CKY;
89+ break;
90+ }
91+
92 if (RSA_private_decrypt(vallen,
93 (u_char *)ep->pkt,
94- (u_char *)&temp32,
95+ (u_char *)cookiebuf,
96 host_pkey->pkey.rsa,
97- RSA_PKCS1_OAEP_PADDING) <= 0) {
98+ RSA_PKCS1_OAEP_PADDING) != 4) {
99 rval = XEVNT_CKY;
100+ free(cookiebuf);
101 break;
102 } else {
103- cookie = ntohl(temp32);
104+ cookie = ntohl(*cookiebuf);
105+ free(cookiebuf);
106 }
107 } else {
108 rval = XEVNT_CKY;
diff --git a/debian/patches/CVE-2014-9296.patch b/debian/patches/CVE-2014-9296.patch
0new file mode 100644109new file mode 100644
index 0000000..0eb972c
--- /dev/null
+++ b/debian/patches/CVE-2014-9296.patch
@@ -0,0 +1,16 @@
1Description: fix missing return on error in receive()
2Origin: backport, http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548ad06feXHK1HlZoY-WZVyynwvwAg
3Bug: http://bugs.ntp.org/show_bug.cgi?id=2670
4
5Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
6===================================================================
7--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2011-12-08 21:00:53.000000000 -0500
8+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2014-12-20 05:47:01.139407818 -0500
9@@ -947,6 +947,7 @@
10 fast_xmit(rbufp, MODE_ACTIVE, 0,
11 restrict_mask);
12 sys_restricted++;
13+ return;
14 }
15 }
16
diff --git a/debian/patches/CVE-2014-9297.patch b/debian/patches/CVE-2014-9297.patch
0new file mode 10064417new file mode 100644
index 0000000..b367d81
--- /dev/null
+++ b/debian/patches/CVE-2014-9297.patch
@@ -0,0 +1,371 @@
1Description: fix denial of service and possible info leakage via
2 extension fields
3Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5492d353ncauuWt_PONxaDhC5Qv_SA
4Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54a7c595jlwS3KmAxBML75HFGLR_pQ
5Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54abb266In81wLNAqIaovtP8f2UmUw
6Bug: http://bugs.ntp.org/show_bug.cgi?id=2671
7
8Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
9===================================================================
10--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-02-06 07:58:50.000000000 -0500
11+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-02-06 08:44:08.207402853 -0500
12@@ -109,6 +109,7 @@
13 #define TAI_1972 10 /* initial TAI offset (s) */
14 #define MAX_LEAP 100 /* max UTC leapseconds (s) */
15 #define VALUE_LEN (6 * 4) /* min response field length */
16+#define MAX_VALLEN (65535 - VALUE_LEN)
17 #define YEAR (60 * 60 * 24 * 365) /* seconds in year */
18
19 /*
20@@ -147,8 +148,8 @@
21 */
22 static int crypto_verify (struct exten *, struct value *,
23 struct peer *);
24-static int crypto_encrypt (struct exten *, struct value *,
25- keyid_t *);
26+static int crypto_encrypt (const u_char *, u_int, keyid_t *,
27+ struct value *);
28 static int crypto_alice (struct peer *, struct value *);
29 static int crypto_alice2 (struct peer *, struct value *);
30 static int crypto_alice3 (struct peer *, struct value *);
31@@ -444,6 +445,12 @@
32 tstamp = ntohl(ep->tstamp);
33 fstamp = ntohl(ep->fstamp);
34 vallen = ntohl(ep->vallen);
35+ /*
36+ * Bug 2761: I hope this isn't too early...
37+ */
38+ if ( vallen == 0
39+ || len - VALUE_LEN < vallen)
40+ return XEVNT_LEN;
41 }
42 switch (code) {
43
44@@ -494,8 +501,9 @@
45 rval = XEVNT_ERR;
46 break;
47 }
48+ INSIST(len >= VALUE_LEN);
49 if (vallen == 0 || vallen > MAXHOSTNAME ||
50- len < VALUE_LEN + vallen) {
51+ len - VALUE_LEN < vallen) {
52 rval = XEVNT_LEN;
53 break;
54 }
55@@ -1162,8 +1170,9 @@
56 * choice.
57 */
58 case CRYPTO_CERT | CRYPTO_RESP:
59- vallen = ntohl(ep->vallen);
60- if (vallen == 0 || vallen > MAXHOSTNAME) {
61+ vallen = ntohl(ep->vallen); /* Must be <64k */
62+ if (vallen == 0 || vallen > MAXHOSTNAME ||
63+ len - VALUE_LEN < vallen) {
64 rval = XEVNT_LEN;
65 break;
66
67@@ -1315,7 +1324,10 @@
68 * anything goes wrong.
69 */
70 case CRYPTO_COOK | CRYPTO_RESP:
71- if ((opcode & 0xffff) < VALUE_LEN) {
72+ vallen = ntohl(ep->vallen); /* Must be <64k */
73+ if ( vallen == 0
74+ || (vallen >= MAX_VALLEN)
75+ || (opcode & 0x0000ffff) < VALUE_LEN + vallen) {
76 rval = XEVNT_LEN;
77 break;
78 }
79@@ -1323,8 +1335,8 @@
80 tcookie = cookie;
81 else
82 tcookie = peer->hcookie;
83- if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
84- XEVNT_OK) {
85+ if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
86+ == XEVNT_OK) {
87 len = crypto_send(fp, &vtemp, start);
88 value_free(&vtemp);
89 }
90@@ -1464,13 +1476,16 @@
91 * up to the next word (4 octets).
92 */
93 vallen = ntohl(ep->vallen);
94- if (vallen == 0)
95+ if ( vallen == 0
96+ || vallen > MAX_VALLEN)
97 return (XEVNT_LEN);
98
99 i = (vallen + 3) / 4;
100 siglen = ntohl(ep->pkt[i++]);
101- if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
102- 4) * 4)
103+ if ( siglen > MAX_VALLEN
104+ || len - VALUE_LEN < ((vallen + 3) / 4) * 4
105+ || len - VALUE_LEN - ((vallen + 3) / 4) * 4
106+ < ((siglen + 3) / 4) * 4)
107 return (XEVNT_LEN);
108
109 /*
110@@ -1528,6 +1543,7 @@
111 * proventic bit. What a relief.
112 */
113 EVP_VerifyInit(&ctx, peer->digest);
114+ /* XXX: the "+ 12" needs to be at least documented... */
115 EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
116 if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
117 pkey) <= 0)
118@@ -1540,34 +1556,31 @@
119
120
121 /*
122- * crypto_encrypt - construct encrypted cookie and signature from
123- * extension field and cookie
124+ * crypto_encrypt - construct vp (encrypted cookie and signature) from
125+ * the public key and cookie.
126 *
127- * Returns
128+ * Returns:
129 * XEVNT_OK success
130 * XEVNT_CKY bad or missing cookie
131 * XEVNT_PUB bad or missing public key
132 */
133 static int
134 crypto_encrypt(
135- struct exten *ep, /* extension pointer */
136- struct value *vp, /* value pointer */
137- keyid_t *cookie /* server cookie */
138+ const u_char *ptr, /* Public Key */
139+ u_int vallen, /* Length of Public Key */
140+ keyid_t *cookie, /* server cookie */
141+ struct value *vp /* value pointer */
142 )
143 {
144 EVP_PKEY *pkey; /* public key */
145 EVP_MD_CTX ctx; /* signature context */
146 tstamp_t tstamp; /* NTP timestamp */
147 u_int32 temp32;
148- u_int len;
149- u_char *ptr;
150
151 /*
152 * Extract the public key from the request.
153 */
154- len = ntohl(ep->vallen);
155- ptr = (u_char *)ep->pkt;
156- pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
157+ pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen);
158 if (pkey == NULL) {
159 msyslog(LOG_ERR, "crypto_encrypt: %s",
160 ERR_error_string(ERR_get_error(), NULL));
161@@ -1581,9 +1594,9 @@
162 tstamp = crypto_time();
163 vp->tstamp = htonl(tstamp);
164 vp->fstamp = hostval.tstamp;
165- len = EVP_PKEY_size(pkey);
166- vp->vallen = htonl(len);
167- vp->ptr = emalloc(len);
168+ vallen = EVP_PKEY_size(pkey);
169+ vp->vallen = htonl(vallen);
170+ vp->ptr = emalloc(vallen);
171 ptr = vp->ptr;
172 temp32 = htonl(*cookie);
173 if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
174@@ -1601,8 +1614,8 @@
175 vp->sig = emalloc(sign_siglen);
176 EVP_SignInit(&ctx, sign_digest);
177 EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
178- EVP_SignUpdate(&ctx, vp->ptr, len);
179- if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
180+ EVP_SignUpdate(&ctx, vp->ptr, vallen);
181+ if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
182 vp->siglen = htonl(sign_siglen);
183 return (XEVNT_OK);
184 }
185@@ -1673,6 +1686,9 @@
186 * call in the protocol module.
187 *
188 * Returns extension field pointer (no errors)
189+ *
190+ * XXX: opcode and len should really be 32-bit quantities and
191+ * we should make sure that str is not too big.
192 */
193 struct exten *
194 crypto_args(
195@@ -1685,24 +1701,31 @@
196 tstamp_t tstamp; /* NTP timestamp */
197 struct exten *ep; /* extension field pointer */
198 u_int len; /* extension field length */
199+ size_t slen;
200
201 tstamp = crypto_time();
202 len = sizeof(struct exten);
203- if (str != NULL)
204- len += strlen(str);
205+ if (str != NULL) {
206+ slen = strlen(str);
207+ INSIST(slen < MAX_VALLEN);
208+ len += slen;
209+ }
210 ep = emalloc(len);
211 memset(ep, 0, len);
212 if (opcode == 0)
213 return (ep);
214
215+ REQUIRE(0 == (len & ~0x0000ffff));
216+ REQUIRE(0 == (opcode & ~0xffff0000));
217+
218 ep->opcode = htonl(opcode + len);
219 ep->associd = htonl(associd);
220 ep->tstamp = htonl(tstamp);
221 ep->fstamp = hostval.tstamp;
222 ep->vallen = 0;
223 if (str != NULL) {
224- ep->vallen = htonl(strlen(str));
225- memcpy((char *)ep->pkt, str, strlen(str));
226+ ep->vallen = htonl(slen);
227+ memcpy((char *)ep->pkt, str, slen);
228 }
229 return (ep);
230 }
231@@ -1715,6 +1738,8 @@
232 * Note: it is not polite to send a nonempty signature with zero
233 * timestamp or a nonzero timestamp with an empty signature, but those
234 * rules are not enforced here.
235+ *
236+ * XXX This code won't work on a box with 16-bit ints.
237 */
238 int
239 crypto_send(
240@@ -1730,8 +1755,9 @@
241 * Calculate extension field length and check for buffer
242 * overflow. Leave room for the MAC.
243 */
244- len = 16;
245+ len = 16; /* XXX Document! */
246 vallen = ntohl(vp->vallen);
247+ INSIST(vallen <= MAX_VALLEN);
248 len += ((vallen + 3) / 4 + 1) * 4;
249 siglen = ntohl(vp->siglen);
250 len += ((siglen + 3) / 4 + 1) * 4;
251@@ -1772,6 +1798,7 @@
252 }
253 opcode = ntohl(ep->opcode);
254 ep->opcode = htonl((opcode & 0xffff0000) | len);
255+ ENSURE(len <= MAX_VALLEN);
256 return (len);
257 }
258
259@@ -1807,7 +1834,6 @@
260 if (hostval.tstamp == 0)
261 return;
262
263-
264 /*
265 * Sign public key and timestamps. The filestamp is derived from
266 * the host key file extension from wherever the file was
267@@ -2108,7 +2134,8 @@
268 tstamp_t tstamp; /* NTP timestamp */
269 BIGNUM *bn, *bk, *r;
270 u_char *ptr;
271- u_int len;
272+ u_int len; /* extension field length */
273+ u_int vallen = 0; /* value length */
274
275 /*
276 * If the IFF parameters are not valid, something awful
277@@ -2123,8 +2150,11 @@
278 /*
279 * Extract r from the challenge.
280 */
281- len = ntohl(ep->vallen);
282- if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
283+ vallen = ntohl(ep->vallen);
284+ len = ntohl(ep->opcode) & 0x0000ffff;
285+ if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
286+ return XEVNT_LEN;
287+ if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
288 msyslog(LOG_ERR, "crypto_bob: %s",
289 ERR_error_string(ERR_get_error(), NULL));
290 return (XEVNT_ERR);
291@@ -2136,7 +2166,7 @@
292 */
293 bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
294 sdsa = DSA_SIG_new();
295- BN_rand(bk, len * 8, -1, 1); /* k */
296+ BN_rand(bk, vallen * 8, -1, 1); /* k */
297 BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
298 BN_add(bn, bn, bk);
299 BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */
300@@ -2155,30 +2185,37 @@
301 * Encode the values in ASN.1 and sign. The filestamp is from
302 * the local file.
303 */
304- len = i2d_DSA_SIG(sdsa, NULL);
305- if (len == 0) {
306+ vallen = i2d_DSA_SIG(sdsa, NULL);
307+ if (vallen == 0) {
308 msyslog(LOG_ERR, "crypto_bob: %s",
309 ERR_error_string(ERR_get_error(), NULL));
310 DSA_SIG_free(sdsa);
311 return (XEVNT_ERR);
312 }
313+ if (vallen > MAX_VALLEN) {
314+ msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
315+ vallen);
316+ DSA_SIG_free(sdsa);
317+ return (XEVNT_LEN);
318+ }
319 memset(vp, 0, sizeof(struct value));
320 tstamp = crypto_time();
321 vp->tstamp = htonl(tstamp);
322 vp->fstamp = htonl(iffkey_info->fstamp);
323- vp->vallen = htonl(len);
324- ptr = emalloc(len);
325+ vp->vallen = htonl(vallen);
326+ ptr = emalloc(vallen);
327 vp->ptr = ptr;
328 i2d_DSA_SIG(sdsa, &ptr);
329 DSA_SIG_free(sdsa);
330 if (tstamp == 0)
331 return (XEVNT_OK);
332
333+ /* XXX: more validation to make sure the sign fits... */
334 vp->sig = emalloc(sign_siglen);
335 EVP_SignInit(&ctx, sign_digest);
336 EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
337- EVP_SignUpdate(&ctx, vp->ptr, len);
338- if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
339+ EVP_SignUpdate(&ctx, vp->ptr, vallen);
340+ if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
341 vp->siglen = htonl(sign_siglen);
342 return (XEVNT_OK);
343 }
344Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
345===================================================================
346--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-02-06 07:58:50.000000000 -0500
347+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-02-06 08:32:45.146114360 -0500
348@@ -431,7 +431,7 @@
349 */
350 authlen = LEN_PKT_NOMAC;
351 has_mac = rbufp->recv_length - authlen;
352- while (has_mac != 0) {
353+ while (has_mac > 0) {
354 u_int32 len;
355
356 if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
357@@ -456,6 +456,14 @@
358 }
359
360 /*
361+ * If has_mac is < 0 we had a malformed packet.
362+ */
363+ if (has_mac < 0) {
364+ sys_badlength++;
365+ return; /* bad length */
366+ }
367+
368+ /*
369 * If authentication required, a MAC must be present.
370 */
371 if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
diff --git a/debian/patches/CVE-2014-9298.patch b/debian/patches/CVE-2014-9298.patch
0new file mode 100644372new file mode 100644
index 0000000..6a5ea31
--- /dev/null
+++ b/debian/patches/CVE-2014-9298.patch
@@ -0,0 +1,43 @@
1Description: fix IPv6 ACL bypass
2Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54922b65gDSbE4G7c3JjkuK1Tv33qQ
3Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5492d2879rotbnnuVch_ZC3RAfS8AA
4Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5493f333hALqPcXLR4-76bC6j-16xQ
5Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5496213frLaEz5PHLZVhuYjM7Lalkw
6Origin: upstream, http://bk1.ntp.org/ntp-stable/ntpd/ntp_io.c?PAGE=diffs&REV=54a0f621LdfQSkkWKUKN6PaFbH25_Q
7Origin: upstream, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54c2228bpOp4_zrX9aGXdMEZJEGzkg
8Bug: http://bugs.ntp.org/show_bug.cgi?id=2672
9
10Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
11===================================================================
12--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c 2011-11-30 21:55:17.000000000 -0500
13+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c 2015-02-06 08:57:54.277845529 -0500
14@@ -3470,6 +3470,29 @@
15 fd, buflen, stoa(&rb->recv_srcadr)));
16
17 /*
18+ ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
19+ */
20+
21+ if (AF_INET6 == itf->family) {
22+ DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
23+ stoa(&rb->recv_srcadr),
24+ IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)),
25+ stoa(&itf->sin),
26+ !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
27+ ));
28+
29+ if ( IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
30+ && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
31+ ) {
32+ packets_dropped++;
33+ DPRINTF(2, ("DROPPING that packet\n"));
34+ freerecvbuf(rb);
35+ return buflen;
36+ }
37+ DPRINTF(2, ("processing that packet\n"));
38+ }
39+
40+ /*
41 * Got one. Mark how and when it got here,
42 * put it on the full list and do bookkeeping.
43 */
diff --git a/debian/patches/CVE-2015-1798.patch b/debian/patches/CVE-2015-1798.patch
0new file mode 10064444new file mode 100644
index 0000000..1eb65ba
--- /dev/null
+++ b/debian/patches/CVE-2015-1798.patch
@@ -0,0 +1,33 @@
1Description: fix symmetric key unauthenticated packet MITM attack
2Origin: upstream, http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A
3Bug: http://bugs.ntp.org/show_bug.cgi?id=2779
4
5Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
6===================================================================
7--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-04-07 12:47:11.000000000 -0400
8+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-04-07 12:47:56.583800918 -0400
9@@ -1131,18 +1121,20 @@
10 return;
11
12 /*
13- * If the digest fails, the client cannot authenticate a server
14+ * If the digest fails or it's missing for authenticated
15+ * associations, the client cannot authenticate a server
16 * reply to a client packet previously sent. The loopback check
17 * is designed to avoid a bait-and-switch attack, which was
18 * possible in past versions. If symmetric modes, return a
19 * crypto-NAK. The peer should restart the protocol.
20 */
21- } else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST),
22- is_authentic)) {
23+ } else if (!AUTH(peer->keyid || has_mac ||
24+ (restrict_mask & RES_DONTTRUST), is_authentic)) {
25 report_event(PEVNT_AUTH, peer, "digest");
26 peer->flash |= TEST5; /* bad auth */
27 peer->badauth++;
28- if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
29+ if (has_mac &&
30+ (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
31 fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
32 if (peer->flags & FLAG_PREEMPT) {
33 unpeer(peer);
diff --git a/debian/patches/CVE-2015-1799.patch b/debian/patches/CVE-2015-1799.patch
0new file mode 10064434new file mode 100644
index 0000000..4882970
--- /dev/null
+++ b/debian/patches/CVE-2015-1799.patch
@@ -0,0 +1,42 @@
1Description: fix symmetric association DoS attack
2Origin: upstream, http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A
3Bug: http://bugs.ntp.org/show_bug.cgi?id=2781
4
5Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
6===================================================================
7--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-04-07 12:52:45.538476188 -0400
8+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-04-07 12:52:45.534476151 -0400
9@@ -1102,16 +1102,6 @@
10 }
11
12 /*
13- * Update the state variables.
14- */
15- if (peer->flip == 0) {
16- if (hismode != MODE_BROADCAST)
17- peer->rec = p_xmt;
18- peer->dst = rbufp->recv_time;
19- }
20- peer->xmt = p_xmt;
21-
22- /*
23 * If this is a crypto_NAK, the server cannot authenticate a
24 * client packet. The server might have just changed keys. Clear
25 * the association and restart the protocol.
26@@ -1158,6 +1148,16 @@
27 }
28
29 /*
30+ * Update the state variables.
31+ */
32+ if (peer->flip == 0) {
33+ if (hismode != MODE_BROADCAST)
34+ peer->rec = p_xmt;
35+ peer->dst = rbufp->recv_time;
36+ }
37+ peer->xmt = p_xmt;
38+
39+ /*
40 * Set the peer ppoll to the maximum of the packet ppoll and the
41 * peer minpoll. If a kiss-o'-death, set the peer minpoll to
42 * this maximumn and advance the headway to give the sender some
diff --git a/debian/patches/CVE-2015-5146.patch b/debian/patches/CVE-2015-5146.patch
0new file mode 10064443new file mode 100644
index 0000000..a6a05af
--- /dev/null
+++ b/debian/patches/CVE-2015-5146.patch
@@ -0,0 +1,128 @@
1Backport of:
2
3From c3e7afb9cd88784c6b4f81182bd878fc3a2d23a1 Mon Sep 17 00:00:00 2001
4From: <jnperlin@hydra.(none)>
5Date: Wed, 24 Jun 2015 09:18:52 +0200
6Subject: [PATCH] Bug 2853 - FICORA #829967
7
8---
9 ChangeLog | 1 +
10 ntpd/ntp_control.c | 77 +++++++++++++++++++++++++++++++++++++++---------------
11 2 files changed, 57 insertions(+), 21 deletions(-)
12
13Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c
14===================================================================
15--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_control.c 2015-10-23 08:51:25.428716718 -0400
16+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c 2015-10-23 08:53:11.285800571 -0400
17@@ -2471,6 +2471,35 @@
18 ctl_flushpkt(0);
19 }
20
21+/* Bug 2853 */
22+/* evaluate the length of the command sequence. This breaks at the first
23+ * char that is not >= SPACE and <= 127 after trimming from the right.
24+ */
25+static size_t
26+cmdlength(
27+ const char *src_buf,
28+ const char *src_end
29+ )
30+{
31+ const char *scan;
32+ unsigned char ch;
33+
34+ /* trim whitespace & garbage from the right */
35+ while (src_end != src_buf) {
36+ ch = src_end[-1];
37+ if (ch > ' ' && ch < 128)
38+ break;
39+ --src_end;
40+ }
41+ /* now do a forward scan */
42+ for (scan = src_buf; scan != src_end; ++scan) {
43+ ch = scan[0];
44+ if ((ch < ' ' || ch >= 128) && ch != '\t')
45+ break;
46+ }
47+ return (size_t)(scan - src_buf);
48+}
49+
50 /*
51 * configure() processes ntpq :config/config-from-file, allowing
52 * generic runtime reconfiguration.
53@@ -2482,7 +2511,6 @@
54 {
55 size_t data_count;
56 int retval;
57- int replace_nl;
58
59 /* I haven't yet implemented changes to an existing association.
60 * Hence check if the association id is 0
61@@ -2506,7 +2534,7 @@
62 }
63
64 /* Initialize the remote config buffer */
65- data_count = reqend - reqpt;
66+ data_count = cmdlength(reqpt, reqend);
67
68 if (data_count > sizeof(remote_config.buffer) - 2) {
69 snprintf(remote_config.err_msg,
70@@ -2520,32 +2548,41 @@
71 stoa(&rbufp->recv_srcadr));
72 return;
73 }
74+ /* Bug 2853 -- check if all characters were acceptable */
75+ if (data_count != (size_t)(reqend - reqpt)) {
76+ snprintf(remote_config.err_msg,
77+ sizeof(remote_config.err_msg),
78+ "runtime configuration failed: request contains an unprintable character");
79+ ctl_putdata(remote_config.err_msg,
80+ strlen(remote_config.err_msg), 0);
81+ ctl_flushpkt(0);
82+ msyslog(LOG_NOTICE,
83+ "runtime config from %s rejected: request contains an unprintable character: %0x",
84+ stoa(&rbufp->recv_srcadr),
85+ reqpt[data_count]);
86+ return;
87+ }
88
89 memcpy(remote_config.buffer, reqpt, data_count);
90- if (data_count > 0
91- && '\n' != remote_config.buffer[data_count - 1])
92- remote_config.buffer[data_count++] = '\n';
93+ /* The buffer has no trailing linefeed or NUL right now. For
94+ * logging, we do not want a newline, so we do that first after
95+ * adding the necessary NUL byte.
96+ */
97 remote_config.buffer[data_count] = '\0';
98- remote_config.pos = 0;
99- remote_config.err_pos = 0;
100- remote_config.no_errors = 0;
101-
102- /* do not include terminating newline in log */
103- if (data_count > 0
104- && '\n' == remote_config.buffer[data_count - 1]) {
105- remote_config.buffer[data_count - 1] = '\0';
106- replace_nl = 1;
107- } else
108- replace_nl = 0;
109-
110 DPRINTF(1, ("Got Remote Configuration Command: %s\n",
111 remote_config.buffer));
112 msyslog(LOG_NOTICE, "%s config: %s",
113 stoa(&rbufp->recv_srcadr),
114 remote_config.buffer);
115
116- if (replace_nl)
117- remote_config.buffer[data_count - 1] = '\n';
118+ /* Now we have to make sure there is a NL/NUL sequence at the
119+ * end of the buffer before we parse it.
120+ */
121+ remote_config.buffer[data_count++] = '\n';
122+ remote_config.buffer[data_count] = '\0';
123+ remote_config.pos = 0;
124+ remote_config.err_pos = 0;
125+ remote_config.no_errors = 0;
126
127 config_remotely(&rbufp->recv_srcadr);
128
diff --git a/debian/patches/CVE-2015-5194.patch b/debian/patches/CVE-2015-5194.patch
0new file mode 100644129new file mode 100644
index 0000000..2938aa2
--- /dev/null
+++ b/debian/patches/CVE-2015-5194.patch
@@ -0,0 +1,49 @@
1Backport of:
2
3From 553f2fa65865c31c5e3c48812cfd46176cffdd27 Mon Sep 17 00:00:00 2001
4From: <davehart@shiny.ad.hartbrothers.com>
5Date: Wed, 28 Jul 2010 05:33:53 +0000
6Subject: [PATCH] [Bug 1593] ntpd abort in free() with logconfig syntax error.
7
8---
9 ChangeLog | 1 +
10 ntpd/ntp_parser.c | 114 +++++++++++++++++++++++++++++-------------------------
11 ntpd/ntp_parser.y | 24 ++++++++----
12 3 files changed, 80 insertions(+), 59 deletions(-)
13
14Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y
15===================================================================
16--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_parser.y 2015-10-22 15:04:36.368602522 -0400
17+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y 2015-10-22 15:04:36.368602522 -0400
18@@ -1037,14 +1037,24 @@
19 log_config_command
20 : T_String
21 {
22- char prefix = $1[0];
23- char *type = $1 + 1;
24+ char prefix;
25+ char * type;
26
27- if (prefix != '+' && prefix != '-' && prefix != '=') {
28- yyerror("Logconfig prefix is not '+', '-' or '='\n");
29- }
30- else
31- $$ = create_attr_sval(prefix, estrdup(type));
32+ switch ($1[0]) {
33+
34+ case '+':
35+ case '-':
36+ case '=':
37+ prefix = $1[0];
38+ type = $1 + 1;
39+ break;
40+
41+ default:
42+ prefix = '=';
43+ type = $1;
44+ }
45+
46+ $$ = create_attr_sval(prefix, estrdup(type));
47 YYFREE($1);
48 }
49 ;
diff --git a/debian/patches/CVE-2015-5195.patch b/debian/patches/CVE-2015-5195.patch
0new file mode 10064450new file mode 100644
index 0000000..507ffb4
--- /dev/null
+++ b/debian/patches/CVE-2015-5195.patch
@@ -0,0 +1,47 @@
1Backport of:
2
3From 52e977d79a0c4ace997e5c74af429844da2f27be Mon Sep 17 00:00:00 2001
4From: <davehart@shiny.ad.hartbrothers.com>
5Date: Thu, 6 Jan 2011 04:02:24 +0000
6Subject: [PATCH] [Bug 1773] openssl not detected during ./configure. [Bug
7 1774] Segfaults if cryptostats enabled and built without OpenSSL.
8
9---
10 ChangeLog | 2 ++
11 m4/ntp_openssl.m4 | 38 ++++++++++++++++----------------------
12 ntpd/ntp_config.c | 12 ++++++++++++
13 ntpd/ntp_util.c | 12 ++----------
14 4 files changed, 32 insertions(+), 32 deletions(-)
15
16Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c
17===================================================================
18--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_config.c 2015-10-22 15:07:29.534321900 -0400
19+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_config.c 2015-10-22 15:12:42.233434208 -0400
20@@ -2022,6 +2022,13 @@
21 while (pfilegen_token != NULL) {
22 filegen_string = keyword(*pfilegen_token);
23 filegen = filegen_get(filegen_string);
24+ if (NULL == filegen) {
25+ msyslog(LOG_ERR,
26+ "stats %s unrecognized",
27+ filegen_string);
28+ pfilegen_token = next_node(pfilegen_token);
29+ continue;
30+ }
31
32 DPRINTF(4, ("enabling filegen for %s statistics '%s%s'\n",
33 filegen_string, filegen->prefix,
34@@ -2035,6 +2042,13 @@
35 while (my_node != NULL) {
36 filegen_file = keyword(my_node->filegen_token);
37 filegen = filegen_get(filegen_file);
38+ if (NULL == filegen) {
39+ msyslog(LOG_ERR,
40+ "filegen category '%s' unrecognized",
41+ filegen_file);
42+ my_node = next_node(my_node);
43+ continue;
44+ }
45
46 /* Initialize the filegen variables to their pre-configurtion states */
47 filegen_flag = filegen->flag;
diff --git a/debian/patches/CVE-2015-5196.patch b/debian/patches/CVE-2015-5196.patch
0new file mode 10064448new file mode 100644
index 0000000..2f7714a
--- /dev/null
+++ b/debian/patches/CVE-2015-5196.patch
@@ -0,0 +1,57 @@
1Description: fix file overwrite via remote pidfile and driftfile
2 configuration directives
3Origin: vendor, http://pkgs.fedoraproject.org/cgit/ntp.git/tree/ntp-4.2.6p5-cve-2015-5196.patch
4
5Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y
6===================================================================
7--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_parser.y 2015-10-22 15:55:22.498495669 -0400
8+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_parser.y 2015-10-22 15:55:22.498495669 -0400
9@@ -988,23 +988,43 @@
10
11 misc_cmd_str_keyword
12 : T_Leapfile
13- | T_Pidfile
14 | T_Qos
15 ;
16
17 misc_cmd_str_lcl_keyword
18 : T_Logfile
19+ | T_Pidfile
20 | T_Saveconfigdir
21 ;
22
23 drift_parm
24 : T_String
25- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); }
26+ {
27+ if (input_from_file) {
28+ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1));
29+ } else {
30+ YYFREE($1);
31+ yyerror("driftfile remote configuration ignored");
32+ }
33+ }
34 | T_String T_Double
35- { enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2));
36- enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); }
37+ {
38+ if (input_from_file) {
39+ enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2));
40+ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1));
41+ } else {
42+ YYFREE($1);
43+ yyerror("driftfile remote configuration ignored");
44+ }
45+ }
46 | /* Null driftfile, indicated by null string "\0" */
47- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, "\0")); }
48+ {
49+ if (input_from_file) {
50+ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, estrdup("")));
51+ } else {
52+ yyerror("driftfile remote configuration ignored");
53+ }
54+ }
55 ;
56
57 variable_assign
diff --git a/debian/patches/CVE-2015-5219.patch b/debian/patches/CVE-2015-5219.patch
0new file mode 10064458new file mode 100644
index 0000000..35a651e
--- /dev/null
+++ b/debian/patches/CVE-2015-5219.patch
@@ -0,0 +1,27 @@
1From 5f295cd05c3c136d39f5b3e500a2d781bdbb59c8 Mon Sep 17 00:00:00 2001
2From: <stenn@deacon.udel.edu>
3Date: Wed, 24 Apr 2013 19:13:53 -0400
4Subject: [PATCH] [Bug 2382] Implement LOGTOD using ldexp() instead of shifting
5
6---
7 ChangeLog | 1 +
8 include/ntp.h | 5 ++---
9 2 files changed, 3 insertions(+), 3 deletions(-)
10
11Index: ntp-4.2.6.p5+dfsg/include/ntp.h
12===================================================================
13--- ntp-4.2.6.p5+dfsg.orig/include/ntp.h 2015-10-22 15:17:12.632029576 -0400
14+++ ntp-4.2.6.p5+dfsg/include/ntp.h 2015-10-22 15:17:12.632029576 -0400
15@@ -163,10 +163,9 @@
16 #define SQUARE(x) ((x) * (x))
17 #define SQRT(x) (sqrt(x))
18 #define DIFF(x, y) (SQUARE((x) - (y)))
19-#define LOGTOD(a) ((a) < 0 ? 1. / (1L << -(a)) : \
20- 1L << (int)(a)) /* log2 to double */
21+#define LOGTOD(a) ldexp(1., (int)(a)) /* log2 to double */
22 #define UNIVAR(x) (SQUARE(.28867513 * LOGTOD(x))) /* std uniform distr */
23-#define ULOGTOD(a) (1L << (int)(a)) /* ulog2 to double */
24+#define ULOGTOD(a) ldexp(1., (int)(a)) /* ulog2 to double */
25
26 #define EVENT_TIMEOUT 0 /* one second, that is */
27
diff --git a/debian/patches/CVE-2015-5300.patch b/debian/patches/CVE-2015-5300.patch
0new file mode 10064428new file mode 100644
index 0000000..563a7ee
--- /dev/null
+++ b/debian/patches/CVE-2015-5300.patch
@@ -0,0 +1,16 @@
1Description: fix timeshifting by reboot issue
2Origin: vendor, http://pkgs.fedoraproject.org/cgit/ntp.git/plain/ntp-4.2.6p5-cve-2015-5300.patch
3Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5300
4
5Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_loopfilter.c
6===================================================================
7--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_loopfilter.c 2015-10-22 16:10:31.039787300 -0400
8+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_loopfilter.c 2015-10-22 16:10:31.039787300 -0400
9@@ -386,6 +386,7 @@
10 report_event(EVNT_CLOCKRESET, NULL, tbuf);
11 step_systime(fp_offset);
12 reinit_timer();
13+ allow_panic = FALSE;
14 tc_counter = 0;
15 clock_jitter = LOGTOD(sys_precision);
16 rval = 2;
diff --git a/debian/patches/CVE-2015-7691.patch b/debian/patches/CVE-2015-7691.patch
0new file mode 10064417new file mode 100644
index 0000000..7dbe95b
--- /dev/null
+++ b/debian/patches/CVE-2015-7691.patch
@@ -0,0 +1,225 @@
1Description: fix incomplete autokey data packet length checks
2Origin: upstream, https://github.com/ntp-project/ntp/commit/c4cd4aaf418f57f7225708a93bf48afb2bc9c1da
3Origin: upstream, https://github.com/ntp-project/ntp/commit/c454d5defd5679947ed34b988c85bab6ed9066cf
4Bug: http://bugs.ntp.org/show_bug.cgi?id=2899
5
6Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
7===================================================================
8--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-10-23 09:06:08.625810791 -0400
9+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-10-23 09:07:35.018715125 -0400
10@@ -170,6 +170,7 @@
11 static struct pkey_info *crypto_key (char *, char *, sockaddr_u *);
12 static void bighash (BIGNUM *, BIGNUM *);
13 static struct cert_info *crypto_cert (char *);
14+static u_int exten_payload_size(const struct exten *);
15
16 #ifdef SYS_WINNT
17 int
18@@ -389,7 +390,7 @@
19 struct autokey *ap, *bp; /* autokey pointer */
20 struct exten *ep, *fp; /* extension pointers */
21 struct cert_info *xinfo; /* certificate info pointer */
22- int has_mac; /* length of MAC field */
23+ int macbytes; /* length of MAC field, signed by intention */
24 int authlen; /* offset of MAC field */
25 associd_t associd; /* association ID */
26 tstamp_t tstamp = 0; /* timestamp */
27@@ -417,7 +418,11 @@
28 */
29 authlen = LEN_PKT_NOMAC;
30 hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode);
31- while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
32+ while ((macbytes = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) {
33+ /* We can be reasonably sure that we can read at least
34+ * the opcode and the size field here. More stringent
35+ * checks follow up shortly.
36+ */
37 pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;
38 ep = (struct exten *)pkt;
39 code = ntohl(ep->opcode) & 0xffff0000;
40@@ -441,6 +446,18 @@
41 code |= CRYPTO_ERROR;
42 }
43
44+ /* Check if the declared size fits into the remaining
45+ * buffer.
46+ */
47+ if (len > macbytes) {
48+ DPRINTF(1, ("crypto_recv: possible attack detected, associd %d\n",
49+ associd));
50+ return XEVNT_LEN;
51+ }
52+
53+ /* Check if the paylod of the extension fits into the
54+ * declared frame.
55+ */
56 if (len >= VALUE_LEN) {
57 tstamp = ntohl(ep->tstamp);
58 fstamp = ntohl(ep->fstamp);
59@@ -1170,9 +1187,8 @@
60 * choice.
61 */
62 case CRYPTO_CERT | CRYPTO_RESP:
63- vallen = ntohl(ep->vallen); /* Must be <64k */
64- if (vallen == 0 || vallen > MAXHOSTNAME ||
65- len - VALUE_LEN < vallen) {
66+ vallen = exten_payload_size(ep); /* Must be <64k */
67+ if (vallen == 0 || vallen >= sizeof(certname) ) {
68 rval = XEVNT_LEN;
69 break;
70
71@@ -2134,8 +2150,7 @@
72 tstamp_t tstamp; /* NTP timestamp */
73 BIGNUM *bn, *bk, *r;
74 u_char *ptr;
75- u_int len; /* extension field length */
76- u_int vallen = 0; /* value length */
77+ u_int len; /* extension field value length */
78
79 /*
80 * If the IFF parameters are not valid, something awful
81@@ -2150,11 +2165,10 @@
82 /*
83 * Extract r from the challenge.
84 */
85- vallen = ntohl(ep->vallen);
86- len = ntohl(ep->opcode) & 0x0000ffff;
87- if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
88- return XEVNT_LEN;
89- if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
90+ len = exten_payload_size(ep);
91+ if (len == 0 || len > MAX_VALLEN)
92+ return (XEVNT_LEN);
93+ if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
94 msyslog(LOG_ERR, "crypto_bob: %s",
95 ERR_error_string(ERR_get_error(), NULL));
96 return (XEVNT_ERR);
97@@ -2166,7 +2180,7 @@
98 */
99 bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
100 sdsa = DSA_SIG_new();
101- BN_rand(bk, vallen * 8, -1, 1); /* k */
102+ BN_rand(bk, len * 8, -1, 1); /* k */
103 BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
104 BN_add(bn, bn, bk);
105 BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */
106@@ -2185,16 +2199,16 @@
107 * Encode the values in ASN.1 and sign. The filestamp is from
108 * the local file.
109 */
110- vallen = i2d_DSA_SIG(sdsa, NULL);
111- if (vallen == 0) {
112+ len = i2d_DSA_SIG(sdsa, NULL);
113+ if (len == 0) {
114 msyslog(LOG_ERR, "crypto_bob: %s",
115 ERR_error_string(ERR_get_error(), NULL));
116 DSA_SIG_free(sdsa);
117 return (XEVNT_ERR);
118 }
119- if (vallen > MAX_VALLEN) {
120- msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
121- vallen);
122+ if (len > MAX_VALLEN) {
123+ msyslog(LOG_ERR, "crypto_bob: signature is too big: %u",
124+ len);
125 DSA_SIG_free(sdsa);
126 return (XEVNT_LEN);
127 }
128@@ -2202,8 +2216,8 @@
129 tstamp = crypto_time();
130 vp->tstamp = htonl(tstamp);
131 vp->fstamp = htonl(iffkey_info->fstamp);
132- vp->vallen = htonl(vallen);
133- ptr = emalloc(vallen);
134+ vp->vallen = htonl(len);
135+ ptr = emalloc(len);
136 vp->ptr = ptr;
137 i2d_DSA_SIG(sdsa, &ptr);
138 DSA_SIG_free(sdsa);
139@@ -2214,9 +2228,11 @@
140 vp->sig = emalloc(sign_siglen);
141 EVP_SignInit(&ctx, sign_digest);
142 EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
143- EVP_SignUpdate(&ctx, vp->ptr, vallen);
144- if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
145- vp->siglen = htonl(sign_siglen);
146+ EVP_SignUpdate(&ctx, vp->ptr, len);
147+ if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) {
148+ INSIST(len <= sign_siglen);
149+ vp->siglen = htonl(len);
150+ }
151 return (XEVNT_OK);
152 }
153
154@@ -2462,7 +2478,9 @@
155 /*
156 * Extract r from the challenge.
157 */
158- len = ntohl(ep->vallen);
159+ len = exten_payload_size(ep);
160+ if (len == 0 || len > MAX_VALLEN)
161+ return (XEVNT_LEN);
162 if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
163 msyslog(LOG_ERR, "crypto_bob2: %s",
164 ERR_error_string(ERR_get_error(), NULL));
165@@ -2787,7 +2805,9 @@
166 /*
167 * Extract r from the challenge.
168 */
169- len = ntohl(ep->vallen);
170+ len = exten_payload_size(ep);
171+ if (len == 0 || len > MAX_VALLEN)
172+ return (XEVNT_LEN);
173 if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
174 msyslog(LOG_ERR, "crypto_bob3: %s",
175 ERR_error_string(ERR_get_error(), NULL));
176@@ -3002,8 +3022,11 @@
177 if (tstamp == 0)
178 return (XEVNT_TSP);
179
180+ len = exten_payload_size(ep);
181+ if (len == 0 || len > MAX_VALLEN)
182+ return (XEVNT_LEN);
183 ptr = (u_char *)ep->pkt;
184- if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) {
185+ if ((req = d2i_X509(NULL, &ptr, len)) == NULL) {
186 msyslog(LOG_ERR, "cert_sign: %s",
187 ERR_error_string(ERR_get_error(), NULL));
188 return (XEVNT_CRT);
189@@ -3968,6 +3991,36 @@
190 break;
191 }
192 }
193+
194+/*
195+ * Get the payload size (internal value length) of an extension packet.
196+ * If the inner value size does not match the outer packet size (that
197+ * is, the value would end behind the frame given by the opcode/size
198+ * field) the function will effectively return UINT_MAX. If the frame is
199+ * too short to hold a variable-sized value, the return value is zero.
200+ */
201+static u_int
202+exten_payload_size(
203+ const struct exten * ep)
204+{
205+ typedef const u_char *BPTR;
206+
207+ size_t extn_size;
208+ size_t data_size;
209+ size_t head_size;
210+
211+ data_size = 0;
212+ if (NULL != ep) {
213+ head_size = (BPTR)(&ep->vallen + 1) - (BPTR)ep;
214+ extn_size = (uint16_t)(ntohl(ep->opcode) & 0x0000ffff);
215+ if (extn_size >= head_size) {
216+ data_size = (uint32_t)ntohl(ep->vallen);
217+ if (data_size > extn_size - head_size)
218+ data_size = ~(size_t)0u;
219+ }
220+ }
221+ return (u_int)data_size;
222+}
223 # else
224 int ntp_crypto_bs_pubkey;
225 # endif /* OPENSSL */
diff --git a/debian/patches/CVE-2015-7701.patch b/debian/patches/CVE-2015-7701.patch
0new file mode 100644226new file mode 100644
index 0000000..d04cb2c
--- /dev/null
+++ b/debian/patches/CVE-2015-7701.patch
@@ -0,0 +1,23 @@
1From d7cd5e186034340402f1393e0813c7d2b14ea6ca Mon Sep 17 00:00:00 2001
2From: <jnperlin@hydra.localnet>
3Date: Mon, 28 Sep 2015 18:22:06 +0200
4Subject: [PATCH] [Bug 2909] - Slow memory leak in CRYPTO_ASSOC - added
5 missing call to 'free()' in ntp_crypto.c.
6
7---
8 ChangeLog | 1 +
9 ntpd/ntp_crypto.c | 1 +
10 2 files changed, 2 insertions(+)
11
12Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
13===================================================================
14--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-10-22 15:25:26.448658993 -0400
15+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-10-22 15:25:26.448658993 -0400
16@@ -500,6 +500,7 @@
17 rval = XEVNT_ERR;
18 break;
19 }
20+ free(peer->cmmd); /* will be set again! */
21 }
22 fp = emalloc(len);
23 memcpy(fp, ep, len);
diff --git a/debian/patches/CVE-2015-7704.patch b/debian/patches/CVE-2015-7704.patch
0new file mode 10064424new file mode 100644
index 0000000..351c7da
--- /dev/null
+++ b/debian/patches/CVE-2015-7704.patch
@@ -0,0 +1,19 @@
1Description: fix denial of service by spoofed KoD
2Author: Miroslav Lichvar <mlichvar@redhat.com>
3Origin: other, http://lists.ntp.org/pipermail/pool/2015-October/007631.html
4Bug: http://bugs.ntp.org/show_bug.cgi?id=2901
5Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7704
6
7Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
8===================================================================
9--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-10-22 15:55:30.498577692 -0400
10+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-10-22 15:57:47.587982624 -0400
11@@ -1166,7 +1166,7 @@
12 peer->ppoll = max(peer->minpoll, pkt->ppoll);
13 if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
14 hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
15- "RATE", 4) == 0) {
16+ "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
17 peer->selbroken++;
18 report_event(PEVNT_RATE, peer, NULL);
19 if (pkt->ppoll > peer->minpoll)
diff --git a/debian/patches/CVE-2015-7850.patch b/debian/patches/CVE-2015-7850.patch
0new file mode 10064420new file mode 100644
index 0000000..e7d9491
--- /dev/null
+++ b/debian/patches/CVE-2015-7850.patch
@@ -0,0 +1,235 @@
1backport of:
2
3From bb928ef08eec020ef6008f3a140702ccc0536b8e Mon Sep 17 00:00:00 2001
4From: <jnperlin@hydra.localnet>
5Date: Sat, 3 Oct 2015 09:08:20 +0200
6Subject: [PATCH] [TALOS-CAN-0055] Infinite loop if extended logging enabled
7 and the logfile and keyfile are the same
8
9---
10 ChangeLog | 2 ++
11 include/ntp_stdlib.h | 1 +
12 include/ntp_syslog.h | 1 +
13 libntp/authreadkeys.c | 89 ++++++++++++++++++++++++++++++++++++++++-----------
14 libntp/msyslog.c | 12 +++++++
15 5 files changed, 87 insertions(+), 18 deletions(-)
16
17Index: ntp-4.2.6.p5+dfsg/include/ntp_stdlib.h
18===================================================================
19--- ntp-4.2.6.p5+dfsg.orig/include/ntp_stdlib.h 2015-10-23 08:30:31.515986332 -0400
20+++ ntp-4.2.6.p5+dfsg/include/ntp_stdlib.h 2015-10-23 08:30:31.511986291 -0400
21@@ -46,7 +46,8 @@
22 __attribute__((__format__(__printf__, 3, 4)));
23 extern void msyslog(int, const char *, ...)
24 __attribute__((__format__(__printf__, 2, 3)));
25-
26+extern void mvsyslog(int, const char *, va_list)
27+ __attribute__((__format__(__printf__, 2, 0)));
28 /*
29 * When building without OpenSSL, use a few macros of theirs to
30 * minimize source differences in NTP.
31Index: ntp-4.2.6.p5+dfsg/include/ntp_syslog.h
32===================================================================
33--- ntp-4.2.6.p5+dfsg.orig/include/ntp_syslog.h 2015-10-23 08:30:31.515986332 -0400
34+++ ntp-4.2.6.p5+dfsg/include/ntp_syslog.h 2015-10-23 08:30:31.511986291 -0400
35@@ -9,6 +9,7 @@
36
37 # ifdef VMS
38 extern void msyslog();
39+extern void mvsyslog();
40 # else
41 # ifndef SYS_VXWORKS
42 # include <syslog.h>
43Index: ntp-4.2.6.p5+dfsg/libntp/authreadkeys.c
44===================================================================
45--- ntp-4.2.6.p5+dfsg.orig/libntp/authreadkeys.c 2015-10-23 08:30:31.515986332 -0400
46+++ ntp-4.2.6.p5+dfsg/libntp/authreadkeys.c 2015-10-23 08:32:05.104935695 -0400
47@@ -61,6 +61,40 @@
48 }
49
50
51+/* TALOS-CAN-0055: possibly DoS attack by setting the key file to the
52+ * log file. This is hard to prevent (it would need to check two files
53+ * to be the same on the inode level, which will not work so easily with
54+ * Windows or VMS) but we can avoid the self-amplification loop: We only
55+ * log the first 5 errors, silently ignore the next 10 errors, and give
56+ * up when when we have found more than 15 errors.
57+ *
58+ * This avoids the endless file iteration we will end up with otherwise,
59+ * and also avoids overflowing the log file.
60+ *
61+ * Nevertheless, once this happens, the keys are gone since this would
62+ * require a save/swap strategy that is not easy to apply due to the
63+ * data on global/static level.
64+ */
65+
66+static const size_t nerr_loglimit = 5u;
67+static const size_t nerr_maxlimit = 15;
68+
69+static void log_maybe(size_t*, const char*, ...) __attribute__((__format__(__printf__, 2, 3)));
70+
71+static void
72+log_maybe(
73+ size_t *pnerr,
74+ const char *fmt ,
75+ ...)
76+{
77+ va_list ap;
78+ if (++(*pnerr) <= nerr_loglimit) {
79+ va_start(ap, fmt);
80+ mvsyslog(LOG_ERR, fmt, ap);
81+ va_end(ap);
82+ }
83+}
84+
85 /*
86 * authreadkeys - (re)read keys from a file.
87 */
88@@ -78,7 +112,7 @@
89 u_char keystr[20];
90 int len;
91 int j;
92-
93+ size_t nerr;
94 /*
95 * Open file. Complain and return if it can't be opened.
96 */
97@@ -98,7 +132,10 @@
98 /*
99 * Now read lines from the file, looking for key entries
100 */
101+ nerr = 0;
102 while ((line = fgets(buf, sizeof buf, fp)) != NULL) {
103+ if (nerr > nerr_maxlimit)
104+ break;
105 token = nexttok(&line);
106 if (token == NULL)
107 continue;
108@@ -108,15 +145,16 @@
109 */
110 keyno = atoi(token);
111 if (keyno == 0) {
112- msyslog(LOG_ERR,
113- "authreadkeys: cannot change key %s", token);
114+ log_maybe(&nerr,
115+ "authreadkeys: cannot change key %s",
116+ token);
117 continue;
118 }
119
120 if (keyno > NTP_MAXKEY) {
121- msyslog(LOG_ERR,
122- "authreadkeys: key %s > %d reserved for Autokey",
123- token, NTP_MAXKEY);
124+ log_maybe(&nerr,
125+ "authreadkeys: key %s > %d reserved for Autokey",
126+ token, NTP_MAXKEY);
127 continue;
128 }
129
130@@ -125,8 +163,9 @@
131 */
132 token = nexttok(&line);
133 if (token == NULL) {
134- msyslog(LOG_ERR,
135- "authreadkeys: no key type for key %d", keyno);
136+ log_maybe(&nerr,
137+ "authreadkeys: no key type for key %d",
138+ keyno);
139 continue;
140 }
141 #ifdef OPENSSL
142@@ -138,13 +177,15 @@
143 */
144 keytype = keytype_from_text(token, NULL);
145 if (keytype == 0) {
146- msyslog(LOG_ERR,
147- "authreadkeys: invalid type for key %d", keyno);
148+ log_maybe(&nerr,
149+ "authreadkeys: invalid type for key %d",
150+ keyno);
151 continue;
152 }
153 if (EVP_get_digestbynid(keytype) == NULL) {
154- msyslog(LOG_ERR,
155- "authreadkeys: no algorithm for key %d", keyno);
156+ log_maybe(&nerr,
157+ "authreadkeys: no algorithm for key %d",
158+ keyno);
159 continue;
160 }
161 #else /* OPENSSL */
162@@ -154,8 +195,9 @@
163 * 'm' for compatibility.
164 */
165 if (!(*token == 'M' || *token == 'm')) {
166- msyslog(LOG_ERR,
167- "authreadkeys: invalid type for key %d", keyno);
168+ log_maybe(&nerr,
169+ "authreadkeys: invalid type for key %d",
170+ keyno);
171 continue;
172 }
173 keytype = KEY_TYPE_MD5;
174@@ -169,8 +211,8 @@
175 */
176 token = nexttok(&line);
177 if (token == NULL) {
178- msyslog(LOG_ERR,
179- "authreadkeys: no key for key %d", keyno);
180+ log_maybe(&nerr,
181+ "authreadkeys: no key for key %d", keyno);
182 continue;
183 }
184 len = strlen(token);
185@@ -186,8 +228,9 @@
186 for (j = 0; j < jlim; j++) {
187 ptr = strchr(hex, tolower(token[j]));
188 if (ptr == NULL) {
189- msyslog(LOG_ERR,
190- "authreadkeys: invalid hex digit for key %d", keyno);
191+ log_maybe(&nerr,
192+ "authreadkeys: invalid hex digit for key %d",
193+ keyno);
194 continue;
195 }
196 temp = (u_char)(ptr - hex);
197@@ -200,5 +243,15 @@
198 }
199 }
200 fclose(fp);
201+ if (nerr > nerr_maxlimit) {
202+ msyslog(LOG_ERR,
203+ "authreadkeys: emergency break after %u errors",
204+ nerr);
205+ return (0);
206+ } else if (nerr > nerr_loglimit) {
207+ msyslog(LOG_ERR,
208+ "authreadkeys: found %u more error(s)",
209+ nerr - nerr_loglimit);
210+ }
211 return (1);
212 }
213Index: ntp-4.2.6.p5+dfsg/libntp/msyslog.c
214===================================================================
215--- ntp-4.2.6.p5+dfsg.orig/libntp/msyslog.c 2015-10-23 08:30:31.515986332 -0400
216+++ ntp-4.2.6.p5+dfsg/libntp/msyslog.c 2015-10-23 08:30:31.511986291 -0400
217@@ -271,6 +271,18 @@
218 return rc;
219 }
220
221+void
222+mvsyslog(
223+ int level,
224+ const char * fmt,
225+ va_list ap
226+ )
227+{
228+ char buf[1024];
229+ mvsnprintf(buf, sizeof(buf), fmt, ap);
230+ addto_syslog(level, buf);
231+}
232+
233
234 void
235 msyslog(
diff --git a/debian/patches/CVE-2015-7852.patch b/debian/patches/CVE-2015-7852.patch
0new file mode 100644236new file mode 100644
index 0000000..33cc916
--- /dev/null
+++ b/debian/patches/CVE-2015-7852.patch
@@ -0,0 +1,35 @@
1Backport of:
2
3From 07a5b8141e354a998a52994c3c9cd547927e56ce Mon Sep 17 00:00:00 2001
4From: <jnperlin@hydra.localnet>
5Date: Wed, 30 Sep 2015 20:15:13 +0200
6Subject: [PATCH] [TALOS-CAN-0063] avoid buffer overrun in ntpq
7
8---
9 ChangeLog | 1 +
10 ntpq/ntpq.c | 7 ++++++-
11 2 files changed, 7 insertions(+), 1 deletion(-)
12
13Index: ntp-4.2.6.p5+dfsg/ntpq/ntpq.c
14===================================================================
15--- ntp-4.2.6.p5+dfsg.orig/ntpq/ntpq.c 2015-10-22 16:25:23.504874749 -0400
16+++ ntp-4.2.6.p5+dfsg/ntpq/ntpq.c 2015-10-22 16:27:01.905821489 -0400
17@@ -3448,12 +3448,17 @@
18 char bv[401];
19 int len;
20
21+ /* TALOS-CAN-0063: avoid buffer overrun */
22 atoascii(name, MAXVARLEN, bn, sizeof(bn));
23- atoascii(value, MAXVARLEN, bv, sizeof(bv));
24 if (output_raw != '*') {
25+ atoascii(value, MAXVALLEN,
26+ bv, sizeof(bv) - 1);
27 len = strlen(bv);
28 bv[len] = output_raw;
29 bv[len+1] = '\0';
30+ } else {
31+ atoascii(value, MAXVALLEN,
32+ bv, sizeof(bv));
33 }
34 output(fp, bn, bv);
35 }
diff --git a/debian/patches/CVE-2015-7853.patch b/debian/patches/CVE-2015-7853.patch
0new file mode 10064436new file mode 100644
index 0000000..f6a1202
--- /dev/null
+++ b/debian/patches/CVE-2015-7853.patch
@@ -0,0 +1,46 @@
1Backport of:
2
3From 8482b536f9494a5d45196ab5b7e13040f5940261 Mon Sep 17 00:00:00 2001
4From: <jnperlin@hydra.localnet>
5Date: Wed, 30 Sep 2015 21:55:09 +0200
6Subject: [PATCH] [TALOS-CAN-0064] signed/unsiged clash could lead to buffer
7 overun
8
9---
10 ChangeLog | 2 ++
11 ntpd/ntp_io.c | 15 +++++++++------
12 2 files changed, 11 insertions(+), 6 deletions(-)
13
14Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
15===================================================================
16--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c 2015-10-22 16:27:40.686182025 -0400
17+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c 2015-10-22 16:32:28.776865553 -0400
18@@ -3255,7 +3255,7 @@
19 static inline int
20 read_refclock_packet(SOCKET fd, struct refclockio *rp, l_fp ts)
21 {
22- int i;
23+ u_int read_count;
24 int buflen;
25 register struct recvbuf *rb;
26
27@@ -3272,11 +3272,14 @@
28 return (buflen);
29 }
30
31- i = (rp->datalen == 0
32- || rp->datalen > sizeof(rb->recv_space))
33- ? sizeof(rb->recv_space)
34- : rp->datalen;
35- buflen = read(fd, (char *)&rb->recv_space, (unsigned)i);
36+ /* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead
37+ * to buffer overrun and memory corruption
38+ */
39+ if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space))
40+ read_count = sizeof(rb->recv_space);
41+ else
42+ read_count = (u_int)rp->datalen;
43+ buflen = read(fd, (char *)&rb->recv_space, read_count);
44
45 if (buflen < 0) {
46 if (errno != EINTR && errno != EAGAIN)
diff --git a/debian/patches/CVE-2015-7855.patch b/debian/patches/CVE-2015-7855.patch
0new file mode 10064447new file mode 100644
index 0000000..91a44e3
--- /dev/null
+++ b/debian/patches/CVE-2015-7855.patch
@@ -0,0 +1,29 @@
1Backport of:
2
3From ba716a464ecb20618560075f2e4e1051e5b6f24f Mon Sep 17 00:00:00 2001
4From: <stenn@psp-deb1.ntp.org>
5Date: Tue, 6 Oct 2015 08:51:27 +0000
6Subject: [PATCH] [Sec 2922] decodenetnum() will ASSERT botch instead of
7 returning FAIL on some bogus values. Harlan Stenn.
8
9---
10 ChangeLog | 2 ++
11 libntp/decodenetnum.c | 5 ++++-
12 2 files changed, 6 insertions(+), 1 deletion(-)
13
14Index: ntp-4.2.6.p5+dfsg/libntp/decodenetnum.c
15===================================================================
16--- ntp-4.2.6.p5+dfsg.orig/libntp/decodenetnum.c 2015-10-22 16:33:46.801593867 -0400
17+++ ntp-4.2.6.p5+dfsg/libntp/decodenetnum.c 2015-10-22 16:34:20.921912557 -0400
18@@ -36,7 +36,10 @@
19 char name[80];
20
21 NTP_REQUIRE(num != NULL);
22- NTP_REQUIRE(strlen(num) < sizeof(name));
23+
24+ if (strlen(num) >= sizeof(name)) {
25+ return 0;
26+ }
27
28 port_str = NULL;
29 if ('[' != num[0]) {
diff --git a/debian/patches/CVE-2015-7871.patch b/debian/patches/CVE-2015-7871.patch
0new file mode 10064430new file mode 100644
index 0000000..249882b
--- /dev/null
+++ b/debian/patches/CVE-2015-7871.patch
@@ -0,0 +1,40 @@
1From aa44b5835d69d8ee031736bb8ee2730a514edb7d Mon Sep 17 00:00:00 2001
2From: <jnperlin@hydra.localnet>
3Date: Sun, 11 Oct 2015 08:10:20 +0200
4Subject: [PATCH] [Bug 2941] NAK to the Future: Symmetric association
5 authentication bypass via crypto-NAK
6
7---
8 ChangeLog | 3 +++
9 ntpd/ntp_proto.c | 18 ++++++++++++++++++
10 2 files changed, 21 insertions(+)
11
12Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
13===================================================================
14--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-10-22 16:35:02.202298283 -0400
15+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-10-22 16:37:51.971886405 -0400
16@@ -957,6 +957,24 @@
17 sys_restricted++;
18 return;
19 }
20+ /* [Bug 2941]
21+ * If we got here, the packet isn't part of an
22+ * existing association, it isn't correctly
23+ * authenticated, and it didn't meet either of
24+ * the previous two special cases so we should
25+ * just drop it on the floor. For example,
26+ * crypto-NAKs (is_authentic == AUTH_CRYPTO)
27+ * will make it this far. This is just
28+ * debug-printed and not logged to avoid log
29+ * flooding.
30+ */
31+ DPRINTF(1, ("receive: at %ld refusing to mobilize passive association"
32+ " with unknown peer %s mode %d keyid %08x len %d auth %d\n",
33+ current_time, stoa(&rbufp->recv_srcadr),
34+ hismode, skeyid, (authlen + has_mac),
35+ is_authentic));
36+ sys_declined++;
37+ return;
38 }
39
40 /*
diff --git a/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch b/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch
0new file mode 10064441new file mode 100644
index 0000000..3d1ec56
--- /dev/null
+++ b/debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch
@@ -0,0 +1,32 @@
1Description: [Bug 2890] Ignore ENOBUFS on routing netlink socket.
2
3Recv from netlink socket can return ENOBUFS if kernel failed to allocate buffer
4for broadcast message. This happens from time-time on high-loaded systems with
5a lot of interface and huge routing tables.
6
7Bug : http://bugs.ntp.org/show_bug.cgi?id=2890
8Author: <stenn@psp-at1.ntp.org>
9Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
10===================================================================
11--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c
12+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
13@@ -4433,10 +4433,15 @@ process_routing_msgs(struct asyncio_read
14 cnt = read(reader->fd, buffer, sizeof(buffer));
15
16 if (cnt < 0) {
17- msyslog(LOG_ERR,
18- "i/o error on routing socket %m - disabling");
19- remove_asyncio_reader(reader);
20- delete_asyncio_reader(reader);
21+ if (errno == ENOBUFS) {
22+ msyslog(LOG_ERR,
23+ "routing socket reports: %m");
24+ } else {
25+ msyslog(LOG_ERR,
26+ "routing socket reports: %m - disabling");
27+ remove_asyncio_reader(reader);
28+ delete_asyncio_reader(reader);
29+ }
30 return;
31 }
32
diff --git a/debian/patches/ntp-keygen-endless-loop.patch b/debian/patches/ntp-keygen-endless-loop.patch
0new file mode 10064433new file mode 100644
index 0000000..f0e387c
--- /dev/null
+++ b/debian/patches/ntp-keygen-endless-loop.patch
@@ -0,0 +1,38 @@
1Description: fix ntp-keygen infinite loop or lack of randonmess on big
2 endian platforms
3Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
4Bug: https://bugs.ntp.org/show_bug.cgi?id=2797
5
6Index: ntp-4.2.6.p5+dfsg/util/ntp-keygen.c
7===================================================================
8--- ntp-4.2.6.p5+dfsg.orig/util/ntp-keygen.c 2015-04-13 08:58:49.317778349 -0400
9+++ ntp-4.2.6.p5+dfsg/util/ntp-keygen.c 2015-04-13 08:58:49.317778349 -0400
10@@ -726,24 +726,24 @@
11 ntp_srandom((u_long)epoch);
12 for (i = 1; i <= MD5KEYS; i++) {
13 for (j = 0; j < MD5SIZE; j++) {
14- int temp;
15+ u_char temp;
16
17 while (1) {
18 int rc;
19
20- rc = ntp_crypto_random_buf(&temp, 1);
21+ rc = ntp_crypto_random_buf(
22+ &temp, sizeof(temp));
23 if (-1 == rc) {
24 fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
25 exit (-1);
26 }
27- temp &= 0xff;
28 if (temp == '#')
29 continue;
30
31 if (temp > 0x20 && temp < 0x7f)
32 break;
33 }
34- md5key[j] = (u_char)temp;
35+ md5key[j] = temp;
36 }
37 md5key[j] = '\0';
38 fprintf(str, "%2d MD5 %s # MD5 key\n", i,
diff --git a/debian/patches/series b/debian/patches/series
index c2ec25e..a1ccd71 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,28 @@ format-security.patch
10sntp-manpage.patch10sntp-manpage.patch
11openssl-headers.patch11openssl-headers.patch
12autotools.patch12autotools.patch
13CVE-2014-9293.patch
14CVE-2014-9294.patch
15CVE-2014-9295.patch
16CVE-2014-9296.patch
17CVE-2014-9297.patch
18CVE-2014-9298.patch
19CVE-2015-1798.patch
20CVE-2015-1799.patch
21ntp-keygen-endless-loop.patch
22use-after-free-in-routing-socket.patch
23ignore-ENOBUFS-on-routing-netlink-socket.patch
24CVE-2015-5146.patch
25CVE-2015-5194.patch
26CVE-2015-5195.patch
27CVE-2015-5219.patch
28CVE-2015-5300.patch
29CVE-2015-7691.patch
30CVE-2015-7701.patch
31CVE-2015-5196.patch
32CVE-2015-7704.patch
33CVE-2015-7850.patch
34CVE-2015-7852.patch
35CVE-2015-7853.patch
36CVE-2015-7855.patch
37CVE-2015-7871.patch
diff --git a/debian/patches/use-after-free-in-routing-socket.patch b/debian/patches/use-after-free-in-routing-socket.patch
13new file mode 10064438new file mode 100644
index 0000000..e7c8dec
--- /dev/null
+++ b/debian/patches/use-after-free-in-routing-socket.patch
@@ -0,0 +1,33 @@
1Description: Fix use-after-free in routing socket code.
2Origin: backport, https://bugs.ntp.org/attachment.cgi?id=883
3Bug: http://bugs.ntp.org/2224
4Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
5===================================================================
6--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c
7+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
8@@ -3534,7 +3534,8 @@ input_handler(
9 int select_count = 0;
10 endpt *ep;
11 #if defined(HAS_ROUTING_SOCKET)
12- struct asyncio_reader *asyncio_reader;
13+ struct asyncio_reader * asyncio_reader;
14+ struct asyncio_reader * next_asyncio_reader;
15 #endif
16
17 handler_calls++;
18@@ -3637,11 +3638,13 @@ input_handler(
19 asyncio_reader = asyncio_reader_list;
20
21 while (asyncio_reader != NULL) {
22+ /* callback may unlink and free asyncio_reader */
23+ next_asyncio_reader = asyncio_reader->link;
24 if (FD_ISSET(asyncio_reader->fd, &fds)) {
25 ++select_count;
26- (asyncio_reader->receiver)(asyncio_reader);
27+ (*asyncio_reader->receiver)(asyncio_reader);
28 }
29- asyncio_reader = asyncio_reader->link;
30+ asyncio_reader = next_asyncio_reader;
31 }
32 #endif /* HAS_ROUTING_SOCKET */
33
diff --git a/debian/rules b/debian/rules
index 6effbda..0a1733d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,11 +1,15 @@
1#!/usr/bin/make -f1#!/usr/bin/make -f
22
3export DEB_BUILD_HARDENING=1
4
3# hacks to avoid running these things during the build5# hacks to avoid running these things during the build
4export ACLOCAL = : aclocal6export ACLOCAL = : aclocal
5export AUTOCONF = : autoconf7export AUTOCONF = : autoconf
6export AUTOMAKE = : automake8export AUTOMAKE = : automake
7export AUTOHEADER = : autoheader9export AUTOHEADER = : autoheader
810
11genfiles:=ntpd/ntp_parser.c ntpd/ntp_parser.h
12
9DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)13DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
1014
11CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) -D_GNU_SOURCE15CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) -D_GNU_SOURCE
@@ -19,10 +23,14 @@ ifeq (hurd, $(DEB_HOST_ARCH_OS))
19 exit 123 exit 1
20endif24endif
21 cp /usr/share/misc/config.guess /usr/share/misc/config.sub .25 cp /usr/share/misc/config.guess /usr/share/misc/config.sub .
26 cp /usr/share/misc/config.guess /usr/share/misc/config.sub sntp/.
27 # backup autogenerated files
28 for f in $(genfiles); do mv -f $$f $$f.backup; done
29
22 ./configure CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' \30 ./configure CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' \
23 --prefix=/usr \31 --prefix=/usr \
24 --enable-all-clocks --enable-parse-clocks --enable-SHM \32 --enable-all-clocks --enable-parse-clocks --enable-SHM \
25 --disable-debugging --sysconfdir=/var/lib/ntp \33 --enable-debugging --sysconfdir=/var/lib/ntp \
26 --with-sntp=no \34 --with-sntp=no \
27 --with-lineeditlibs=edit \35 --with-lineeditlibs=edit \
28 --without-ntpsnmpd \36 --without-ntpsnmpd \
@@ -45,6 +53,10 @@ clean:
45 rm -f build-stamp 53 rm -f build-stamp
46 [ ! -f Makefile ] || $(MAKE) -k distclean54 [ ! -f Makefile ] || $(MAKE) -k distclean
47 rm -f config.guess config.sub55 rm -f config.guess config.sub
56 # restore autogenerated files
57 for f in $(genfiles); do \
58 [ ! -e $$f.backup ] || ( rm -rf $$f; mv $$f.backup $$f ) ; \
59 done
48 dh_clean60 dh_clean
4961
50install: build-stamp62install: build-stamp
@@ -73,6 +85,14 @@ install: build-stamp
73 # remove upstream man pages, which are currently not as nice as ours / ntpsnmpd we don't want85 # remove upstream man pages, which are currently not as nice as ours / ntpsnmpd we don't want
74 rm $(addprefix debian/ntp/usr/share/man/man1/,ntpd.1 ntpdc.1 ntp-keygen.1 ntpq.1 ntpsnmpd.1)86 rm $(addprefix debian/ntp/usr/share/man/man1/,ntpd.1 ntpdc.1 ntp-keygen.1 ntpq.1 ntpsnmpd.1)
7587
88 # install apparmor profile
89 install -D -m 0644 debian/apparmor-profile debian/ntp/etc/apparmor.d/usr.sbin.ntpd
90 install -D -m 0644 debian/apparmor-profile.tunable debian/ntp/etc/apparmor.d/tunables/ntpd
91 dh_link -pntp etc/apparmor.d/usr.sbin.ntpd etc/apparmor/init/network-interface-security/usr.sbin.ntpd
92
93 # install apport hook
94 install -D -m 644 debian/source_ntp.py debian/ntp/usr/share/apport/package-hooks/source_ntp.py
95
76 dh_movefiles --sourcedir=debian/ntp96 dh_movefiles --sourcedir=debian/ntp
7797
78binary-indep: build install98binary-indep: build install
@@ -100,7 +120,8 @@ binary-arch: build install
100 dh_installdocs -a120 dh_installdocs -a
101 dh_installexamples -a121 dh_installexamples -a
102 dh_installman -a122 dh_installman -a
103 dh_installinit -pntp --update-rcd-params="start 23 2 3 4 5 ." --error-handler=installinit_error123 dh_apparmor -pntp --profile-name=usr.sbin.ntpd
124 dh_installinit -pntp --update-rcd-params="start 23 2 3 4 5 . stop 77 1 ." --error-handler=installinit_error
104 dh_installinit -pntpdate125 dh_installinit -pntpdate
105 dh_installcron -a126 dh_installcron -a
106 dh_installlogcheck -a127 dh_installlogcheck -a
diff --git a/debian/source_ntp.py b/debian/source_ntp.py
107new file mode 100644128new file mode 100644
index 0000000..3debc68
--- /dev/null
+++ b/debian/source_ntp.py
@@ -0,0 +1,22 @@
1'''apport package hook for ntp
2
3(c) 2010-2011 Canonical Ltd.
4Author: Chuck Short <zulcss@ubuntu.com>
5'''
6
7from apport.hookutils import *
8from os import path
9import re
10
11def add_info(report):
12 attach_conffiles(report, 'ntp')
13
14 # get apparmor stuff
15 attach_mac_events(report, '/usr/sbin/ntpd')
16 attach_file(report, '/etc/apparmor.d/usr.sbin.ntpd')
17
18 # get syslog stuff
19 recent_syslog(re.compile(r'ntpd\['))
20
21 # Get debug information
22 report['NtpStatus'] = command_output(['ntpq', '-p'])

Subscribers

People subscribed via source and target branches