Commit 0b0d197e authored by Kurt Roeckx

1:4.2.6.p5+dfsg-2+deb7u1

parent eed737ab
ntp (1:4.2.6.p5+dfsg-2+deb7u1) wheezy-security; urgency=high
* Apply patches from the Red Hat security update:
+ ntp-4.2.6p5-cve-2014-9293.patch
+ ntp-4.2.6p5-cve-2014-9294.patch
+ ntp-4.2.6p5-cve-2014-9295.patch
+ ntp-4.2.6p5-cve-2014-9296.patch
-- Florian Weimer <fw@deneb.enyo.de> Sat, 20 Dec 2014 18:37:08 +0100
ntp (1:4.2.6.p5+dfsg-2) unstable; urgency=medium
* Re-enable crypto support by pointing openssl libdir to multiarch dir.
Index: git/ntpd/ntp_config.c
===================================================================
--- git.orig/ntpd/ntp_config.c 2014-12-20 18:45:45.232872120 +0100
+++ git/ntpd/ntp_config.c 2014-12-20 18:45:47.672921968 +0100
@@ -1866,13 +1866,16 @@
req_hashlen = digest_len;
#endif
} else {
- int rankey;
+ unsigned char rankey[16];
+
+ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
+ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
+ exit(1);
+ }
- rankey = ntp_random();
req_keytype = NID_md5;
req_hashlen = 16;
- MD5auth_setkey(req_keyid, req_keytype,
- (u_char *)&rankey, sizeof(rankey));
+ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
authtrust(req_keyid, 1);
}
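Review bot: `rankey` now holds the 16 bytes of freshly generated MD5 key material for the rest of the enclosing block after `MD5auth_setkey()` returns (which presumably copies the key into the key table), so the secret lingers in the stack frame; wipe it once it has been handed over, e.g. `memset(rankey, 0, sizeof(rankey));` right after the `MD5auth_setkey` call, preferring a non-optimizable wipe if the tree provides one. The `exit(1)` on RNG failure is acceptable at configuration time, but the log line could say which request key could not be generated so the failure is attributable. The enclosing function starts and ends outside this hunk.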
Index: git/ntpd/ntpd.c
===================================================================
--- git.orig/ntpd/ntpd.c 2014-12-20 18:45:45.232872120 +0100
+++ git/ntpd/ntpd.c 2014-12-20 18:45:47.672921968 +0100
@@ -597,6 +597,7 @@
get_systime(&now);
ntp_srandom((int)(now.l_i * now.l_uf));
+ ntp_crypto_srandom();
#if !defined(VMS)
# ifndef NODETACH
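Review bot: `ntp_crypto_srandom()` is called before the `#if !defined(VMS)` / `# ifndef NODETACH` block that appears to guard the daemonizing fork, so the seeded OpenSSL RNG state is inherited by the child process. Whether that matters depends on the OpenSSL version in use (some `RAND_bytes()` implementations mix the pid into their output, others do not), so either confirm that for the linked OpenSSL or re-seed after the fork. As written, `ntp_crypto_srandom()` is a no-op once `crypto_rand_init` is set, so a post-fork re-seed would need a way to force `RAND_poll()` again. The enclosing function continues outside the hunk.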
Index: git/include/ntp_random.h
===================================================================
--- git.orig/include/ntp_random.h 2014-12-20 18:45:44.712861496 +0100
+++ git/include/ntp_random.h 2014-12-20 18:45:52.817027062 +0100
@@ -1,6 +1,9 @@
#include <ntp_types.h>
+void ntp_crypto_srandom(void);
+int ntp_crypto_random_buf(void *buf, size_t nbytes);
+
long ntp_random (void);
void ntp_srandom (unsigned long);
void ntp_srandomdev (void);
Index: git/libntp/ntp_random.c
===================================================================
--- git.orig/libntp/ntp_random.c 2014-12-20 18:45:44.712861496 +0100
+++ git/libntp/ntp_random.c 2014-12-20 18:45:52.817027062 +0100
@@ -481,3 +481,63 @@
}
return(i);
}
+
+/*
+ * Crypto-quality random number functions
+ *
+ * Author: Harlan Stenn, 2014
+ *
+ * This file is Copyright (c) 2014 by Network Time Foundation.
+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
+ */
+
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+int crypto_rand_init = 0;
+
+/*
+ * ntp_crypto_srandom:
+ *
+ * Initialize the random number generator, if needed by the underlying
+ * crypto random number generation mechanism.
+ */
+
+void
+ntp_crypto_srandom(
+ void
+ )
+{
+ if (!crypto_rand_init) {
+ RAND_poll();
+ crypto_rand_init = 1;
+ }
+}
+
+/*
+ * ntp_crypto_random_buf:
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+ntp_crypto_random_buf(
+ void *buf,
+ size_t nbytes
+ )
+{
+ int rc;
+
+ rc = RAND_bytes(buf, nbytes);
+ if (1 != rc) {
+ unsigned long err;
+ char *err_str;
+
+ err = ERR_get_error();
+ err_str = ERR_error_string(err, NULL);
+ /* XXX: Log the error */
+
+ return -1;
+ }
+ return 0;
+}
+
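Review bot: In `ntp_crypto_random_buf()` the OpenSSL error string is fetched into `err_str` but never used (the `/* XXX: Log the error */` placeholder), so an RNG failure leaves no trace from this layer; replace the placeholder with `msyslog(LOG_ERR, "RAND_bytes() failed: %s", err_str);` (msyslog is what the ntpd callers in this change use, so it should be reachable from libntp — confirm). `crypto_rand_init` is only used in this file and should be `static int crypto_rand_init = 0;` rather than an exported global. `ntp_crypto_srandom()` discards the return value of `RAND_poll()`; checking it (or `RAND_status()`) would let the daemon fail at startup instead of at the first `RAND_bytes()` call. `nbytes` is a `size_t` but `RAND_bytes()` takes an `int` count, so a value above `INT_MAX` would be silently truncated; a guard such as `if (nbytes > INT_MAX) return -1;` closes that.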
Index: git/util/ntp-keygen.c
===================================================================
--- git.orig/util/ntp-keygen.c 2014-12-20 18:45:44.712861496 +0100
+++ git/util/ntp-keygen.c 2014-12-20 18:45:52.817027062 +0100
@@ -261,6 +261,8 @@
ssl_check_version();
#endif /* OPENSSL */
+ ntp_crypto_srandom();
+
/*
* Process options, initialize host name and timestamp.
*/
@@ -727,7 +729,14 @@
int temp;
while (1) {
- temp = ntp_random() & 0xff;
+ int rc;
+
+ rc = ntp_crypto_random_buf(&temp, 1);
+ if (-1 == rc) {
+ fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
+ exit (-1);
+ }
+ temp &= 0xff;
if (temp == '#')
continue;
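Review bot: In the second hunk, `ntp_crypto_random_buf(&temp, 1)` stores one random byte at the first address of `int temp`, but `temp &= 0xff` then keeps the least significant byte; these coincide only on little-endian hosts, and on big-endian the retained byte is whatever `temp` (declared uninitialized as `int temp;`) already contained. Read the byte into its own variable: `unsigned char rb; rc = ntp_crypto_random_buf(&rb, 1);` and then `temp = rb;`. `exit (-1)` produces exit status 255; the conventional `exit(1)`, as used in the ntp_config.c hunk of this same change, is clearer. The enclosing loop and function continue past the hunk.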
2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
[Sec 2667] buffer overflow in crypto_recv()
2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
[Sec 2668] buffer overflow in ctl_putdata()
2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
[Sec 2669] buffer overflow in configure()
Index: git/ntpd/ntp_crypto.c
===================================================================
--- git.orig/ntpd/ntp_crypto.c 2014-12-20 18:45:44.208851199 +0100
+++ git/ntpd/ntp_crypto.c 2014-12-20 18:45:56.425100776 +0100
@@ -789,15 +789,24 @@
* errors.
*/
if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+ u_int32 *cookiebuf = malloc(
+ RSA_size(host_pkey->pkey.rsa));
+ if (!cookiebuf) {
+ rval = XEVNT_CKY;
+ break;
+ }
+
if (RSA_private_decrypt(vallen,
(u_char *)ep->pkt,
- (u_char *)&temp32,
+ (u_char *)cookiebuf,
host_pkey->pkey.rsa,
- RSA_PKCS1_OAEP_PADDING) <= 0) {
+ RSA_PKCS1_OAEP_PADDING) != 4) {
rval = XEVNT_CKY;
+ free(cookiebuf);
break;
} else {
- cookie = ntohl(temp32);
+ cookie = ntohl(*cookiebuf);
+ free(cookiebuf);
}
} else {
rval = XEVNT_CKY;
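Review bot: A failed `malloc()` for `cookiebuf` is reported as `XEVNT_CKY`, the same result as a malformed cookie, and nothing is logged, so an allocation failure would be indistinguishable from a misbehaving peer; consider `msyslog(LOG_ERR, "cookie buffer allocation failed");` before that `break`. The `!= 4` check on the decrypt return now rejects anything but an exact 4-byte cookie before `*cookiebuf` is read, which is the right test given the buffer is sized by `RSA_size()`. The enclosing function starts and ends outside the hunk.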
Index: git/ntpd/ntp_control.c
===================================================================
--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
+++ git/ntpd/ntp_control.c 2014-12-20 18:45:56.429100859 +0100
@@ -486,6 +486,10 @@
static char *reqpt;
static char *reqend;
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
/*
* init_control - initialize request data
*/
@@ -995,6 +999,7 @@
)
{
int overhead;
+ unsigned int currentlen;
overhead = 0;
if (!bin) {
@@ -1018,12 +1023,22 @@
/*
* Save room for trailing junk
*/
- if (dlen + overhead + datapt > dataend) {
+ while (dlen + overhead + datapt > dataend) {
/*
* Not enough room in this one, flush it out.
*/
+ currentlen = MIN(dlen, dataend - datapt);
+
+ memcpy(datapt, dp, currentlen);
+
+ datapt += currentlen;
+ dp += currentlen;
+ dlen -= currentlen;
+ datalinelen += currentlen;
+
ctl_flushpkt(CTL_MORE);
}
+
memmove((char *)datapt, dp, (unsigned)dlen);
datapt += dlen;
datalinelen += dlen;
@@ -2492,6 +2507,20 @@
/* Initialize the remote config buffer */
data_count = reqend - reqpt;
+
+ if (data_count > sizeof(remote_config.buffer) - 2) {
+ snprintf(remote_config.err_msg,
+ sizeof(remote_config.err_msg),
+ "runtime configuration failed: request too long");
+ ctl_putdata(remote_config.err_msg,
+ strlen(remote_config.err_msg), 0);
+ ctl_flushpkt(0);
+ msyslog(LOG_NOTICE,
+ "runtime config from %s rejected: request too long",
+ stoa(&rbufp->recv_srcadr));
+ return;
+ }
+
memcpy(remote_config.buffer, reqpt, data_count);
if (data_count > 0
&& '\n' != remote_config.buffer[data_count - 1])
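Review bot: In the `while` loop hunk of ctl_putdata, `MIN(dlen, dataend - datapt)` compares `dlen` with a pointer difference; if `dlen` is unsigned, as the new `unsigned int currentlen` suggests, the `ptrdiff_t` side is converted and the comparison mixes signedness, so an explicit `currentlen = MIN(dlen, (unsigned int)(dataend - datapt));` keeps the intent visible and makes it clear the code relies on `datapt <= dataend` holding on entry. The split loop also fills the current packet up to `dataend` exactly, with no allowance for the `overhead` bytes the preceding "Save room for trailing junk" comment reserves; confirm that `ctl_flushpkt(CTL_MORE)` does not need that room on a continued packet. The function's signature and the remainder of its body are outside the hunk.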
2014-12-12 11:24:22+00:00, stenn@psp-fb1.ntp.org +1 -0
[Sec 2670] Missing return; from error clause
Index: git/ntpd/ntp_proto.c
===================================================================
--- git.orig/ntpd/ntp_proto.c 2014-12-20 18:45:42.760821618 +0100
+++ git/ntpd/ntp_proto.c 2014-12-20 18:46:00.153176945 +0100
@@ -947,6 +947,7 @@
fast_xmit(rbufp, MODE_ACTIVE, 0,
restrict_mask);
sys_restricted++;
+ return;
}
}
......@@ -9,3 +9,7 @@ libedit.patch
autotools.patch
format-security.patch
sntp-manpage.patch
ntp-4.2.6p5-cve-2014-9293.patch
ntp-4.2.6p5-cve-2014-9294.patch
ntp-4.2.6p5-cve-2014-9295.patch
ntp-4.2.6p5-cve-2014-9296.patch