[pkg-ntp-maintainers] Bug#525373: CVE-2009-0159: buffer overflow in ntpq
Steffen Joeris
steffen.joeris at skolelinux.de
Fri Apr 24 03:15:53 UTC 2009
Package: ntp
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntp.
CVE-2009-0159[0]:
| Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c
| in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute
| arbitrary code via a crafted response.
The upstream bug together with the patch can be found here[1]. The issue
can only be exploited by querying a malicious server and even then the
overflow is fairly limited.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
http://security-tracker.debian.net/tracker/CVE-2009-0159
[1] https://support.ntp.org/bugs/show_bug.cgi?id=1144
More information about the pkg-ntp-maintainers
mailing list