[pkg-ntp-maintainers] NMU for security bug 773576

Noah Meyerhans noahm at debian.org
Sun Dec 21 23:28:12 UTC 2014


Hi folks. I just uploaded ntp_4.2.6.p5+dfsg-3.2 containing fixes for the
security issues described in bug 773576 and fixed in stable with DSA
3108.

It seems that I don't have write access to the svn repo, which was
unexpected, so I didn't commit the changes. I also see that there are
some unreleased changes in svn. Since I'm not familiar with those
changes and don't know if they're ready for upload or should target
jessie, I did not include them in my upload. My upload was based on the
version currently in unstable.

Full diff of the upload is attached. Diffstat follows:

 changelog                               |   11 +++++++++
 patches/ntp-4.2.6p5-cve-2014-9293.patch |   37 ++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9294.patch |  111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9295.patch |  107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9296.patch |   15 ++++++++++++
 patches/series                          |    4 +++

Thanks
noah

-------------- next part --------------
diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog
--- ntp-4.2.6.p5+dfsg/debian/changelog	2014-07-16 09:49:08.000000000 -0700
+++ ntp-4.2.6.p5+dfsg/debian/changelog	2014-12-21 12:01:59.000000000 -0800
@@ -1,3 +1,14 @@
+ntp (1:4.2.6.p5+dfsg-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply fixes for security updates (Closes: 773576)
+    - cve-2014-9293
+    - cve-2014-9294
+    - cve-2014-9295
+    - cve-2014-9296
+
+ -- Noah Meyerhans <noahm at debian.org>  Sun, 21 Dec 2014 12:01:50 -0800
+
 ntp (1:4.2.6.p5+dfsg-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,37 @@
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntp_config.c	2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+ 		req_hashlen = digest_len;
+ #endif
+ 	} else {
+-		int	rankey;
++		unsigned char rankey[16];
++
++		if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
++			msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++			exit(1);
++		}
+ 
+-		rankey = ntp_random();
+ 		req_keytype = NID_md5;
+ 		req_hashlen = 16;
+-		MD5auth_setkey(req_keyid, req_keytype,
+-		    (u_char *)&rankey, sizeof(rankey));
++		MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+ 		authtrust(req_keyid, 1);
+ 	}
+ 
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntpd.c	2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+ 	get_systime(&now);
+ 
+ 	ntp_srandom((int)(now.l_i * now.l_uf));
++	ntp_crypto_srandom();
+ 
+ #if !defined(VMS)
+ # ifndef NODETACH
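Review bot: The ntp_config.c hunk calls `ntp_crypto_random_buf()` and the ntpd.c hunk calls `ntp_crypto_srandom()`, but both are declared and defined only by ntp-4.2.6p5-cve-2014-9294.patch, which `debian/patches/series` lists after this one, so this patch does not build when applied on its own. Swapping the two entries in series, or moving the helpers into this patch, would keep the queue bisectable. Whether ntp_config.c already includes ntp_random.h is not visible here and should be checked. The context line `ntp_srandom((int)(now.l_i * now.l_uf));` stays, so any remaining caller of ntp_random() still draws from a time-seeded generator; a comment there such as `/* ntp_random() is not for key material; use ntp_crypto_random_buf() */` would record that. Both enclosing functions start and end outside the hunks.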
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,111 @@
+Index: git/include/ntp_random.h
+===================================================================
+--- git.orig/include/ntp_random.h	2014-12-20 18:45:44.712861496 +0100
++++ git/include/ntp_random.h	2014-12-20 18:45:52.817027062 +0100
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
++void ntp_crypto_srandom(void);
++int ntp_crypto_random_buf(void *buf, size_t nbytes);
++
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: git/libntp/ntp_random.c
+===================================================================
+--- git.orig/libntp/ntp_random.c	2014-12-20 18:45:44.712861496 +0100
++++ git/libntp/ntp_random.c	2014-12-20 18:45:52.817027062 +0100
+@@ -481,3 +481,63 @@
+ 	}
+ 	return(i);
+ }
++
++/*
++ * Crypto-quality random number functions
++ *
++ * Author: Harlan Stenn, 2014
++ *
++ * This file is Copyright (c) 2014 by Network Time Foundation.
++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
++ */
++
++#include <openssl/err.h>
++#include <openssl/rand.h>
++
++int crypto_rand_init = 0;
++
++/*
++ * ntp_crypto_srandom:
++ *
++ * Initialize the random number generator, if needed by the underlying
++ * crypto random number generation mechanism.
++ */
++
++void
++ntp_crypto_srandom(
++	void
++	)
++{
++	if (!crypto_rand_init) {
++		RAND_poll();
++		crypto_rand_init = 1;
++	}
++}
++
++/*
++ * ntp_crypto_random_buf:
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++ntp_crypto_random_buf(
++	void *buf,
++	size_t nbytes
++	)
++{
++	int rc;
++
++	rc = RAND_bytes(buf, nbytes);
++	if (1 != rc) {
++		unsigned long err;
++		char *err_str;
++
++		err = ERR_get_error();
++		err_str = ERR_error_string(err, NULL);
++		/* XXX: Log the error */
++
++		return -1;
++	}
++	return 0;
++}
++
+Index: git/util/ntp-keygen.c
+===================================================================
+--- git.orig/util/ntp-keygen.c	2014-12-20 18:45:44.712861496 +0100
++++ git/util/ntp-keygen.c	2014-12-20 18:45:52.817027062 +0100
+@@ -261,6 +261,8 @@
+ 	ssl_check_version();
+ #endif /* OPENSSL */
+ 
++	ntp_crypto_srandom();
++
+ 	/*
+ 	 * Process options, initialize host name and timestamp.
+ 	 */
+@@ -727,7 +729,14 @@
+ 			int temp;
+ 
+ 			while (1) {
+-				temp = ntp_random() & 0xff;
++				int rc;
++
++				rc = ntp_crypto_random_buf(&temp, 1);
++				if (-1 == rc) {
++					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
++					exit (-1);
++				}
++				temp &= 0xff;
+ 				if (temp == '#')
+ 					continue;
+ 
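Review bot: In the ntp-keygen.c hunk at -727, `ntp_crypto_random_buf(&temp, 1)` fills only the first byte in memory of the uninitialised `int temp`, while `temp &= 0xff` keeps the low-order byte. On a big-endian host those are different bytes, so the key character would come from uninitialised stack data rather than from the RNG. Filling the whole object avoids this: `rc = ntp_crypto_random_buf(&temp, sizeof(temp));`. In the ntp_random.c hunk, `ntp_crypto_srandom()` sets `crypto_rand_init = 1` without checking the result of `RAND_poll()`, and `ntp_crypto_random_buf()` builds `err_str` but never logs it (the `XXX` comment), so RNG failures stay hard to diagnose. The loop around the keygen call continues outside the hunk.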
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,107 @@
+2014-12-12 11:06:03+00:00, stenn at psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn at psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn at psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c	2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+ 			 * errors.
+ 			 */
+ 			if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++				u_int32 *cookiebuf = malloc(
++				    RSA_size(host_pkey->pkey.rsa));
++				if (!cookiebuf) {
++					rval = XEVNT_CKY;
++					break;
++				}
++
+ 				if (RSA_private_decrypt(vallen,
+ 				    (u_char *)ep->pkt,
+-				    (u_char *)&temp32,
++				    (u_char *)cookiebuf,
+ 				    host_pkey->pkey.rsa,
+-				    RSA_PKCS1_OAEP_PADDING) <= 0) {
++				    RSA_PKCS1_OAEP_PADDING) != 4) {
+ 					rval = XEVNT_CKY;
++					free(cookiebuf);
+ 					break;
+ 				} else {
+-					cookie = ntohl(temp32);
++					cookie = ntohl(*cookiebuf);
++					free(cookiebuf);
+ 				}
+ 			} else {
+ 				rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c	2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static	char *reqpt;
+ static	char *reqend;
+ 
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+  * init_control - initialize request data
+  */
+@@ -995,6 +999,7 @@
+ 	)
+ {
+ 	int overhead;
++	unsigned int currentlen;
+ 
+ 	overhead = 0;
+ 	if (!bin) {
+@@ -1018,12 +1023,22 @@
+ 	/*
+ 	 * Save room for trailing junk
+ 	 */
+-	if (dlen + overhead + datapt > dataend) {
++	while (dlen + overhead + datapt > dataend) {
+ 		/*
+ 		 * Not enough room in this one, flush it out.
+ 		 */
++		currentlen = MIN(dlen, dataend - datapt);
++
++		memcpy(datapt, dp, currentlen);
++
++		datapt += currentlen;
++		dp += currentlen;
++		dlen -= currentlen;
++		datalinelen += currentlen;
++
+ 		ctl_flushpkt(CTL_MORE);
+ 	}
++
+ 	memmove((char *)datapt, dp, (unsigned)dlen);
+ 	datapt += dlen;
+ 	datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+ 
+ 	/* Initialize the remote config buffer */
+ 	data_count = reqend - reqpt;
++
++	if (data_count > sizeof(remote_config.buffer) - 2) {
++		snprintf(remote_config.err_msg,
++			 sizeof(remote_config.err_msg),
++			 "runtime configuration failed: request too long");
++		ctl_putdata(remote_config.err_msg,
++			    strlen(remote_config.err_msg), 0);
++		ctl_flushpkt(0);
++		msyslog(LOG_NOTICE,
++			"runtime config from %s rejected: request too long",
++			stoa(&rbufp->recv_srcadr));
++		return;
++	}
++
+ 	memcpy(remote_config.buffer, reqpt, data_count);
+ 	if (data_count > 0
+ 	    && '\n' != remote_config.buffer[data_count - 1])
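Review bot: The new loop condition in ctl_putdata(), `while (dlen + overhead + datapt > dataend)`, still does its bounds test by forming a pointer that may lie past the end of the buffer, which is undefined behaviour in the oversized-`dlen` case this change is meant to handle. Comparing lengths avoids that: `while ((size_t)dlen + overhead > (size_t)(dataend - datapt))`, assuming `datapt` never exceeds `dataend`. The declaration of `dlen` and the start of the function are outside the hunk, so the casts should be checked against the real types. In the ntp_crypto.c hunk, the literal in `RSA_PKCS1_OAEP_PADDING) != 4)` would read better as `!= (int)sizeof(*cookiebuf)`, which ties the expected plaintext length to the type that `ntohl(*cookiebuf)` reads.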
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,15 @@
+2014-12-12 11:24:22+00:00, stenn at psp-fb1.ntp.org +1 -0
+  [Sec 2670] Missing return; from error clause
+
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c	2014-12-20 18:45:42.760821618 +0100
++++ git/ntpd/ntp_proto.c	2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+ 				fast_xmit(rbufp, MODE_ACTIVE, 0,
+ 				    restrict_mask);
+ 				sys_restricted++;
++				return;
+ 			}
+ 		}
+ 
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/series ntp-4.2.6.p5+dfsg/debian/patches/series
--- ntp-4.2.6.p5+dfsg/debian/patches/series	2013-05-20 07:19:33.000000000 -0700
+++ ntp-4.2.6.p5+dfsg/debian/patches/series	2014-12-21 12:00:35.000000000 -0800
@@ -10,3 +10,7 @@
 sntp-manpage.patch
 openssl-headers.patch
 autotools.patch
+ntp-4.2.6p5-cve-2014-9293.patch
+ntp-4.2.6p5-cve-2014-9294.patch
+ntp-4.2.6p5-cve-2014-9295.patch
+ntp-4.2.6p5-cve-2014-9296.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-ntp-maintainers/attachments/20141221/3152f9f8/attachment-0001.sig>

