Bug#773854: unblock: ntp/1:4.2.6.p5+dfsg-3.2

Tue, 23 Dec 2014 21:21:37 -0800 

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ntp version 1:4.2.6.p5+dfsg-3.2. This version
contains the security fixes described in bug 773576 and released for
stable in DSA 3108-1.

diffstat:

 changelog                               |   11 +++++++++
 patches/ntp-4.2.6p5-cve-2014-9293.patch |   37 ++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9294.patch |  111 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9295.patch |  107 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9296.patch |   15 ++++++++++++
 patches/series                          |    4 +++

See attached diff for the change details.

unblock ntp/1:4.2.6.p5+dfsg-3.2

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog
--- ntp-4.2.6.p5+dfsg/debian/changelog	2014-07-16 09:49:08.000000000 -0700
+++ ntp-4.2.6.p5+dfsg/debian/changelog	2014-12-21 12:01:59.000000000 -0800
@@ -1,3 +1,14 @@
+ntp (1:4.2.6.p5+dfsg-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply fixes for security updates (Closes: 773576)
+    - cve-2014-9293
+    - cve-2014-9294
+    - cve-2014-9295
+    - cve-2014-9296
+
+ -- Noah Meyerhans <no...@debian.org>  Sun, 21 Dec 2014 12:01:50 -0800
+
 ntp (1:4.2.6.p5+dfsg-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9293.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,37 @@
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntp_config.c	2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+ 		req_hashlen = digest_len;
+ #endif
+ 	} else {
+-		int	rankey;
++		unsigned char rankey[16];
++
++		if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
++			msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++			exit(1);
++		}
+ 
+-		rankey = ntp_random();
+ 		req_keytype = NID_md5;
+ 		req_hashlen = 16;
+-		MD5auth_setkey(req_keyid, req_keytype,
+-		    (u_char *)&rankey, sizeof(rankey));
++		MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+ 		authtrust(req_keyid, 1);
+ 	}
+ 
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntpd.c	2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+ 	get_systime(&now);
+ 
+ 	ntp_srandom((int)(now.l_i * now.l_uf));
++	ntp_crypto_srandom();
+ 
+ #if !defined(VMS)
+ # ifndef NODETACH
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9294.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,111 @@
+Index: git/include/ntp_random.h
+===================================================================
+--- git.orig/include/ntp_random.h	2014-12-20 18:45:44.712861496 +0100
++++ git/include/ntp_random.h	2014-12-20 18:45:52.817027062 +0100
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
++void ntp_crypto_srandom(void);
++int ntp_crypto_random_buf(void *buf, size_t nbytes);
++
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: git/libntp/ntp_random.c
+===================================================================
+--- git.orig/libntp/ntp_random.c	2014-12-20 18:45:44.712861496 +0100
++++ git/libntp/ntp_random.c	2014-12-20 18:45:52.817027062 +0100
+@@ -481,3 +481,63 @@
+ 	}
+ 	return(i);
+ }
++
++/*
++ * Crypto-quality random number functions
++ *
++ * Author: Harlan Stenn, 2014
++ *
++ * This file is Copyright (c) 2014 by Network Time Foundation.
++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
++ */
++
++#include <openssl/err.h>
++#include <openssl/rand.h>
++
++int crypto_rand_init = 0;
++
++/*
++ * ntp_crypto_srandom:
++ *
++ * Initialize the random number generator, if needed by the underlying
++ * crypto random number generation mechanism.
++ */
++
++void
++ntp_crypto_srandom(
++	void
++	)
++{
++	if (!crypto_rand_init) {
++		RAND_poll();
++		crypto_rand_init = 1;
++	}
++}
++
++/*
++ * ntp_crypto_random_buf:
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++ntp_crypto_random_buf(
++	void *buf,
++	size_t nbytes
++	)
++{
++	int rc;
++
++	rc = RAND_bytes(buf, nbytes);
++	if (1 != rc) {
++		unsigned long err;
++		char *err_str;
++
++		err = ERR_get_error();
++		err_str = ERR_error_string(err, NULL);
++		/* XXX: Log the error */
++
++		return -1;
++	}
++	return 0;
++}
++
+Index: git/util/ntp-keygen.c
+===================================================================
+--- git.orig/util/ntp-keygen.c	2014-12-20 18:45:44.712861496 +0100
++++ git/util/ntp-keygen.c	2014-12-20 18:45:52.817027062 +0100
+@@ -261,6 +261,8 @@
+ 	ssl_check_version();
+ #endif /* OPENSSL */
+ 
++	ntp_crypto_srandom();
++
+ 	/*
+ 	 * Process options, initialize host name and timestamp.
+ 	 */
+@@ -727,7 +729,14 @@
+ 			int temp;
+ 
+ 			while (1) {
+-				temp = ntp_random() & 0xff;
++				int rc;
++
++				rc = ntp_crypto_random_buf(&temp, 1);
++				if (-1 == rc) {
++					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
++					exit (-1);
++				}
++				temp &= 0xff;
+ 				if (temp == '#')
+ 					continue;
+ 
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9295.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,107 @@
+2014-12-12 11:06:03+00:00, st...@psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, st...@psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, st...@psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c	2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+ 			 * errors.
+ 			 */
+ 			if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++				u_int32 *cookiebuf = malloc(
++				    RSA_size(host_pkey->pkey.rsa));
++				if (!cookiebuf) {
++					rval = XEVNT_CKY;
++					break;
++				}
++
+ 				if (RSA_private_decrypt(vallen,
+ 				    (u_char *)ep->pkt,
+-				    (u_char *)&temp32,
++				    (u_char *)cookiebuf,
+ 				    host_pkey->pkey.rsa,
+-				    RSA_PKCS1_OAEP_PADDING) <= 0) {
++				    RSA_PKCS1_OAEP_PADDING) != 4) {
+ 					rval = XEVNT_CKY;
++					free(cookiebuf);
+ 					break;
+ 				} else {
+-					cookie = ntohl(temp32);
++					cookie = ntohl(*cookiebuf);
++					free(cookiebuf);
+ 				}
+ 			} else {
+ 				rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c	2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static	char *reqpt;
+ static	char *reqend;
+ 
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+  * init_control - initialize request data
+  */
+@@ -995,6 +999,7 @@
+ 	)
+ {
+ 	int overhead;
++	unsigned int currentlen;
+ 
+ 	overhead = 0;
+ 	if (!bin) {
+@@ -1018,12 +1023,22 @@
+ 	/*
+ 	 * Save room for trailing junk
+ 	 */
+-	if (dlen + overhead + datapt > dataend) {
++	while (dlen + overhead + datapt > dataend) {
+ 		/*
+ 		 * Not enough room in this one, flush it out.
+ 		 */
++		currentlen = MIN(dlen, dataend - datapt);
++
++		memcpy(datapt, dp, currentlen);
++
++		datapt += currentlen;
++		dp += currentlen;
++		dlen -= currentlen;
++		datalinelen += currentlen;
++
+ 		ctl_flushpkt(CTL_MORE);
+ 	}
++
+ 	memmove((char *)datapt, dp, (unsigned)dlen);
+ 	datapt += dlen;
+ 	datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+ 
+ 	/* Initialize the remote config buffer */
+ 	data_count = reqend - reqpt;
++
++	if (data_count > sizeof(remote_config.buffer) - 2) {
++		snprintf(remote_config.err_msg,
++			 sizeof(remote_config.err_msg),
++			 "runtime configuration failed: request too long");
++		ctl_putdata(remote_config.err_msg,
++			    strlen(remote_config.err_msg), 0);
++		ctl_flushpkt(0);
++		msyslog(LOG_NOTICE,
++			"runtime config from %s rejected: request too long",
++			stoa(&rbufp->recv_srcadr));
++		return;
++	}
++
+ 	memcpy(remote_config.buffer, reqpt, data_count);
+ 	if (data_count > 0
+ 	    && '\n' != remote_config.buffer[data_count - 1])
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch	1969-12-31 16:00:00.000000000 -0800
+++ ntp-4.2.6.p5+dfsg/debian/patches/ntp-4.2.6p5-cve-2014-9296.patch	2014-12-21 12:00:30.000000000 -0800
@@ -0,0 +1,15 @@
+2014-12-12 11:24:22+00:00, st...@psp-fb1.ntp.org +1 -0
+  [Sec 2670] Missing return; from error clause
+
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c	2014-12-20 18:45:42.760821618 +0100
++++ git/ntpd/ntp_proto.c	2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+ 				fast_xmit(rbufp, MODE_ACTIVE, 0,
+ 				    restrict_mask);
+ 				sys_restricted++;
++				return;
+ 			}
+ 		}
+ 
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/series ntp-4.2.6.p5+dfsg/debian/patches/series
--- ntp-4.2.6.p5+dfsg/debian/patches/series	2013-05-20 07:19:33.000000000 -0700
+++ ntp-4.2.6.p5+dfsg/debian/patches/series	2014-12-21 12:00:35.000000000 -0800
@@ -10,3 +10,7 @@
 sntp-manpage.patch
 openssl-headers.patch
 autotools.patch
+ntp-4.2.6p5-cve-2014-9293.patch
+ntp-4.2.6p5-cve-2014-9294.patch
+ntp-4.2.6p5-cve-2014-9295.patch
+ntp-4.2.6p5-cve-2014-9296.patch

Reply via email to