This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5.3
---------------
ntp (1:4.2.8p4+dfsg-3ubuntu5.3) xenial-security; urgency=medium
* SECURITY UPDATE: Deja Vu replay attack on authenticated broadcast mode
- debian/patches/CVE-2015-7973.patch: improve timestamp verification in
include/ntp.h, ntpd/ntp_proto.c.
- CVE-2015-7973
* SECURITY UPDATE: impersonation between authenticated peers
- debian/patches/CVE-2015-7974.patch: check key ID in ntpd/ntp_proto.c.
- CVE-2015-7974
* SECURITY UPDATE: ntpq buffer overflow
- debian/patches/CVE-2015-7975.patch: add length check to ntpq/ntpq.c.
- CVE-2015-7975
* SECURITY UPDATE: ntpq saveconfig command allows dangerous characters in
filenames
- debian/patches/CVE-2015-7976.patch: check filename in
ntpd/ntp_control.c.
- CVE-2015-7976
* SECURITY UPDATE: restrict list denial of service
- debian/patches/CVE-2015-7977-7978.patch: improve restrict list
processing in ntpd/ntp_request.c.
- CVE-2015-7977
- CVE-2015-7978
* SECURITY UPDATE: authenticated broadcast mode off-path denial of
service
- debian/patches/CVE-2015-7979.patch: add more checks to
ntpd/ntp_proto.c.
- CVE-2015-7979
- CVE-2016-1547
* SECURITY UPDATE: Zero Origin Timestamp Bypass
- debian/patches/CVE-2015-8138.patch: check p_org in ntpd/ntp_proto.c.
- CVE-2015-8138
* SECURITY UPDATE: potential infinite loop in ntpq
- debian/patches/CVE-2015-8158.patch: add time checks to ntpdc/ntpdc.c,
ntpq/ntpq.c.
- CVE-2015-8158
* SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
- debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
- CVE-2016-0727
* SECURITY UPDATE: time spoofing via interleaved symmetric mode
- debian/patches/CVE-2016-1548.patch: check for bogus packets in
ntpd/ntp_proto.c.
- CVE-2016-1548
* SECURITY UPDATE: buffer comparison timing attacks
- debian/patches/CVE-2016-1550.patch: use CRYPTO_memcmp in
libntp/a_md5encrypt.c, sntp/crypto.c.
- CVE-2016-1550
* SECURITY UPDATE: DoS via duplicate IPs on unconfig directives
- debian/patches/CVE-2016-2516.patch: improve logic in
ntpd/ntp_request.c.
- CVE-2016-2516
* SECURITY UPDATE: denial of service via crafted addpeer
- debian/patches/CVE-2016-2518.patch: check mode value in
ntpd/ntp_request.c.
- CVE-2016-2518
* SECURITY UPDATE: denial of service via spoofed packets
- debian/patches/CVE-2016-4954.patch: discard packet that fails tests
in ntpd/ntp_proto.c.
- CVE-2016-4954
* SECURITY UPDATE: denial of service via spoofed crypto-NAK or incorrect
MAC
- debian/patches/CVE-2016-4955.patch: fix checks in ntpd/ntp_proto.c.
- CVE-2016-4955
* SECURITY UPDATE: denial of service via spoofed broadcast packet
- debian/patches/CVE-2016-4956.patch: properly handle switch in
broadcast interleaved mode in ntpd/ntp_proto.c.
- CVE-2016-4956
-- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 05 Oct 2016
08:01:29 -0400
** Changed in: ntp (Ubuntu Xenial)
Status: Triaged => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4954
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4955
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4956
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1528050
Title:
NTP statsdir cleanup cronjob insecure
Status in ntp package in Ubuntu:
Fix Released
Status in ntp source package in Wily:
Won't Fix
Status in ntp source package in Xenial:
Fix Released
Bug description:
The cronjob script bundled with ntp package on Ubuntu Wily is intended
to perform cleanup on statistics files produced by NTP daemon running
with statistics enabled. The script is run as root during the daily
cronjobs all operations on the ntp-user controlled statistics
directory without switching to user ntp. Thus all steps are performed
with root permissions in place.
Due to multiple bugs in the script, a malicious ntp user can make the
backup process to overwrite arbitrary files with content controlled by
the attacker, thus gaining root privileges. The problematic parts in
/etc/cron.daily/ntp are:
find "$statsdir" -type f -mtime +7 -exec rm {} \;
# compress whatever is left to save space
cd "$statsdir"
ls *stats.???????? > /dev/null 2>&1
if [ $? -eq 0 ]; then
# Note that gzip won't compress the file names that
# are hard links to the live/current files, so this
# compresses yesterday and previous, leaving the live
# log alone. We supress the warnings gzip issues
# about not compressing the linked file.
gzip --best --quiet *stats.????????
Relevant targets are:
find and rm invocation is racy, symlinks on rm
rm can be invoked with one attacker controlled option
ls can be invoked with arbitrary number of attacker controlled command
line options
gzip can be invoked with arbitrary number of attacker controlled options
See
http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/
for working user ntp to root privilege escalation exploit (User:
InvitedOnly, Pass: wtq39EiZ), sharing policy is attached to this
issue.
# lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
# apt-cache policy ntp
ntp:
Installed: 1:4.2.6.p5+dfsg-3ubuntu8.1
Candidate: 1:4.2.6.p5+dfsg-3ubuntu8.1
Version table:
*** 1:4.2.6.p5+dfsg-3ubuntu8.1 0
500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64
Packages
100 /var/lib/dpkg/status
1:4.2.6.p5+dfsg-3ubuntu8 0
500 http://archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
