Commit 58d1d4f3 authored by Kurt Roeckx's avatar Kurt Roeckx

New version for wheezy

parent 349d2200
ntp (1:4.2.6.p5+dfsg-2+deb7u5) wheezy-security; urgency=medium
* Fix CVE-2015-7850
* Fix CVE-2015-7704
* Fix CVE-2015-7701
* Fix CVE-2015-7852
* Fix CVE-2015-7853
* Fix CVE-2015-7851
* Fix CVE-2015-7705
* Fix CVE-2015-7855
* Fix CVE-2015-7871
* Rename CVE-2014-9297.patch to CVE-2014-9750.patch and add missing patch.
* Rename CVE-2014-9298.patch to CVE-2014-9751.patch
* Rename bug-2797.patch to CVE-2015-3405.patch
* FIX CVE-2015-5146
* FIX CVE-2015-5194
* FIX CVE-2015-5195
* FIX CVE-2015-5196
* FIX CVE-2015-5219
* FIX CVE-2015-5300
* FIX CVE-2015-7691, CVE-2015-7962, CVE-2015-7702
* Add build-depends on bison since one of the patches update the .y file.
-- Kurt Roeckx <kurt@roeckx.be> Fri, 23 Oct 2015 20:05:19 +0200
ntp (1:4.2.6.p5+dfsg-2+deb7u4) wheezy-security; urgency=medium
* Fix CVE-2015-1798 and CVE-2015-1799 (Closes: #782095)
......@@ -3,7 +3,7 @@ Section: net
Priority: optional
Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
Uploaders: Bdale Garbee <bdale@gag.com>, Peter Eisentraut <petere@debian.org>, Kurt Roeckx <kurt@roeckx.be>
Build-Depends: autotools-dev, debhelper (>= 6), libedit-dev, libcap2-dev [linux-any], libssl-dev (>= 1.0.0e-1), autogen (>= 1:5.11)
Build-Depends: autotools-dev, debhelper (>= 6), libedit-dev, libcap2-dev [linux-any], libssl-dev (>= 1.0.0e-1), autogen (>= 1:5.11), bison
Build-Conflicts: libavahi-compat-libdnssd-dev, libwww-dev, libwww-ssl-dev
Standards-Version: 3.9.3
Homepage: http://support.ntp.org/
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_crypto.c 2015-02-07 10:58:36.000000000 +0000
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c 2015-02-07 10:58:49.198432087 +0000
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54abb266In81wLNAqIaovtP8f2UmUw
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54a7c595jlwS3KmAxBML75HFGLR_pQ
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5492d353ncauuWt_PONxaDhC5Qv_SA
diff -up ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2014-9297 ntp-4.2.6p5/ntpd/ntp_crypto.c
--- ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2014-9297 2015-02-04 11:37:44.488673076 +0100
+++ ntp-4.2.6p5/ntpd/ntp_crypto.c 2015-02-04 11:37:44.491673082 +0100
@@ -109,6 +109,7 @@
#define TAI_1972 10 /* initial TAI offset (s) */
#define MAX_LEAP 100 /* max UTC leapseconds (s) */
......@@ -10,7 +13,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
#define YEAR (60 * 60 * 24 * 365) /* seconds in year */
/*
@@ -147,8 +148,8 @@
@@ -147,8 +148,8 @@ static char *rand_file = NULL; /* random
*/
static int crypto_verify (struct exten *, struct value *,
struct peer *);
......@@ -21,7 +24,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
static int crypto_alice (struct peer *, struct value *);
static int crypto_alice2 (struct peer *, struct value *);
static int crypto_alice3 (struct peer *, struct value *);
@@ -444,6 +445,12 @@
@@ -444,6 +445,12 @@ crypto_recv(
tstamp = ntohl(ep->tstamp);
fstamp = ntohl(ep->fstamp);
vallen = ntohl(ep->vallen);
......@@ -34,7 +37,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
}
switch (code) {
@@ -494,8 +501,9 @@
@@ -494,8 +501,9 @@ crypto_recv(
rval = XEVNT_ERR;
break;
}
......@@ -45,7 +48,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
rval = XEVNT_LEN;
break;
}
@@ -1162,8 +1170,9 @@
@@ -1162,11 +1170,11 @@ crypto_xmit(
* choice.
*/
case CRYPTO_CERT | CRYPTO_RESP:
......@@ -56,8 +59,11 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
+ len - VALUE_LEN < vallen) {
rval = XEVNT_LEN;
break;
@@ -1315,7 +1324,10 @@
-
} else {
memcpy(certname, ep->pkt, vallen);
certname[vallen] = '\0';
@@ -1315,7 +1323,10 @@ crypto_xmit(
* anything goes wrong.
*/
case CRYPTO_COOK | CRYPTO_RESP:
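Review bot: The `memcpy(certname, ep->pkt, vallen)` followed by `certname[vallen] = '\0'` is only safe if the length condition that ends in `len - VALUE_LEN < vallen` also caps `vallen` at one less than the size of `certname`; the front of that condition is cut by the hunk boundary, so I cannot confirm it from here. I believe the upstream fix for this case also rejects `vallen == 0 || vallen > MAXHOSTNAME`; if that clause is missing from the new patch text, a peer-supplied `vallen` still overruns the stack buffer. A one-line comment above the memcpy, `/* vallen bounded by MAXHOSTNAME above, certname has room for the NUL */`, would make the invariant visible. crypto_xmit() begins and ends outside this hunk.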
......@@ -69,7 +75,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
rval = XEVNT_LEN;
break;
}
@@ -1323,8 +1335,8 @@
@@ -1323,8 +1334,8 @@ crypto_xmit(
tcookie = cookie;
else
tcookie = peer->hcookie;
......@@ -80,7 +86,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
len = crypto_send(fp, &vtemp, start);
value_free(&vtemp);
}
@@ -1464,13 +1476,16 @@
@@ -1464,13 +1475,16 @@ crypto_verify(
* up to the next word (4 octets).
*/
vallen = ntohl(ep->vallen);
......@@ -100,7 +106,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
return (XEVNT_LEN);
/*
@@ -1528,6 +1543,7 @@
@@ -1528,6 +1542,7 @@ crypto_verify(
* proventic bit. What a relief.
*/
EVP_VerifyInit(&ctx, peer->digest);
......@@ -108,7 +114,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
pkey) <= 0)
@@ -1540,34 +1556,31 @@
@@ -1540,34 +1555,32 @@ crypto_verify(
/*
......@@ -140,6 +146,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
u_int32 temp32;
- u_int len;
- u_char *ptr;
+ u_char *puch;
/*
* Extract the public key from the request.
......@@ -151,20 +158,25 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
if (pkey == NULL) {
msyslog(LOG_ERR, "crypto_encrypt: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -1581,9 +1594,9 @@
@@ -1581,12 +1594,12 @@ crypto_encrypt(
tstamp = crypto_time();
vp->tstamp = htonl(tstamp);
vp->fstamp = hostval.tstamp;
- len = EVP_PKEY_size(pkey);
- vp->vallen = htonl(len);
- vp->ptr = emalloc(len);
- ptr = vp->ptr;
+ vallen = EVP_PKEY_size(pkey);
+ vp->vallen = htonl(vallen);
+ vp->ptr = emalloc(vallen);
ptr = vp->ptr;
+ puch = vp->ptr;
temp32 = htonl(*cookie);
if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
@@ -1601,8 +1614,8 @@
- if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
+ if (RSA_public_encrypt(4, (u_char *)&temp32, puch,
pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
msyslog(LOG_ERR, "crypto_encrypt: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -1601,8 +1614,8 @@ crypto_encrypt(
vp->sig = emalloc(sign_siglen);
EVP_SignInit(&ctx, sign_digest);
EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
......@@ -175,7 +187,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
vp->siglen = htonl(sign_siglen);
return (XEVNT_OK);
}
@@ -1673,6 +1686,9 @@
@@ -1673,6 +1686,9 @@ crypto_ident(
* call in the protocol module.
*
* Returns extension field pointer (no errors)
......@@ -185,7 +197,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
*/
struct exten *
crypto_args(
@@ -1685,24 +1701,31 @@
@@ -1685,24 +1701,31 @@ crypto_args(
tstamp_t tstamp; /* NTP timestamp */
struct exten *ep; /* extension field pointer */
u_int len; /* extension field length */
......@@ -221,7 +233,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
}
return (ep);
}
@@ -1715,6 +1738,8 @@
@@ -1715,6 +1738,8 @@ crypto_args(
* Note: it is not polite to send a nonempty signature with zero
* timestamp or a nonzero timestamp with an empty signature, but those
* rules are not enforced here.
......@@ -230,7 +242,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
*/
int
crypto_send(
@@ -1730,8 +1755,9 @@
@@ -1730,8 +1755,9 @@ crypto_send(
* Calculate extension field length and check for buffer
* overflow. Leave room for the MAC.
*/
......@@ -241,7 +253,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
len += ((vallen + 3) / 4 + 1) * 4;
siglen = ntohl(vp->siglen);
len += ((siglen + 3) / 4 + 1) * 4;
@@ -1772,6 +1798,7 @@
@@ -1772,6 +1798,7 @@ crypto_send(
}
opcode = ntohl(ep->opcode);
ep->opcode = htonl((opcode & 0xffff0000) | len);
......@@ -249,7 +261,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
return (len);
}
@@ -1807,7 +1834,6 @@
@@ -1807,7 +1834,6 @@ crypto_update(void)
if (hostval.tstamp == 0)
return;
......@@ -257,7 +269,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
/*
* Sign public key and timestamps. The filestamp is derived from
* the host key file extension from wherever the file was
@@ -2108,7 +2134,8 @@
@@ -2108,7 +2134,8 @@ crypto_bob(
tstamp_t tstamp; /* NTP timestamp */
BIGNUM *bn, *bk, *r;
u_char *ptr;
......@@ -267,7 +279,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
/*
* If the IFF parameters are not valid, something awful
@@ -2123,8 +2150,11 @@
@@ -2123,8 +2150,11 @@ crypto_bob(
/*
* Extract r from the challenge.
*/
......@@ -281,7 +293,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
msyslog(LOG_ERR, "crypto_bob: %s",
ERR_error_string(ERR_get_error(), NULL));
return (XEVNT_ERR);
@@ -2136,7 +2166,7 @@
@@ -2136,7 +2166,7 @@ crypto_bob(
*/
bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
sdsa = DSA_SIG_new();
......@@ -290,7 +302,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
BN_add(bn, bn, bk);
BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */
@@ -2155,30 +2185,37 @@
@@ -2155,30 +2185,37 @@ crypto_bob(
* Encode the values in ASN.1 and sign. The filestamp is from
* the local file.
*/
......@@ -334,11 +346,10 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_crypto.c
vp->siglen = htonl(sign_siglen);
return (XEVNT_OK);
}
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c 2015-02-07 10:58:36.000000000 +0000
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c 2015-02-07 10:58:49.270430734 +0000
@@ -431,7 +431,7 @@
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2014-9297 ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2014-9297 2015-02-04 11:37:44.490673080 +0100
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-02-04 11:47:42.653868627 +0100
@@ -431,7 +431,7 @@ receive(
*/
authlen = LEN_PKT_NOMAC;
has_mac = rbufp->recv_length - authlen;
......@@ -347,7 +358,7 @@ Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
u_int32 len;
if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
@@ -456,6 +456,14 @@
@@ -456,6 +456,14 @@ receive(
}
/*
--- 1.181/ntpd/ntp_crypto.c 2015-07-19 01:36:46 -04:00
+++ 1.181.1.1/ntpd/ntp_crypto.c 2015-09-28 12:22:06 -04:00
@@ -508,6 +508,7 @@ crypto_recv(
rval = XEVNT_ERR;
break;
}
+ free(peer->cmmd); /* will be set again! */
}
fp = emalloc(len);
memcpy(fp, ep, len);
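Review bot: `free(peer->cmmd)` leaves the field dangling until it is reassigned somewhere below the hunk; nothing visible dereferences it in between, so this is a style point rather than a bug, but `free(peer->cmmd); peer->cmmd = NULL;` (or storing `fp` into the field directly) makes the intent explicit and survives a future early exit between the free and the store. The comment `/* will be set again! */` would read better as `/* release the previous command; replaced by fp below */`. crypto_recv() starts and ends outside this hunk.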
diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest 2015-09-24 18:20:19.121981664 +0200
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-09-24 18:20:54.596594166 +0200
@@ -1165,7 +1165,7 @@ receive(
peer->ppoll = max(peer->minpoll, pkt->ppoll);
if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
- "RATE", 4) == 0) {
+ "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
peer->selbroken++;
report_event(PEVNT_RATE, peer, NULL);
if (pkt->ppoll > peer->minpoll)
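Review bot: The added `!(peer->flash & PKT_TEST_MASK)` guard has no comment saying why a RATE KoD is now ignored when any packet test failed, and the one-line condition has become hard to read. I would add above the `if`: `/* Honor a RATE KoD only if this packet passed the packet tests (origin timestamp, auth); otherwise an off-path spoofer could throttle our polling. */` This relies on the TEST bits for the current packet having been set earlier in receive(), which is outside the hunk. Dropping silently is the right choice here, since any log line would itself be attacker-triggerable.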
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
@@ -1109,11 +1109,17 @@ receive(
* Check for bogus packet in basic mode. If found, switch to
* interleaved mode and resynchronize, but only after confirming
* the packet is not bogus in symmetric interleaved mode.
+ *
+ * This could also mean somebody is forging packets claiming to
+ * be from us, attempting to cause our server to KoD us.
*/
} else if (peer->flip == 0) {
if (!L_ISEQU(&p_org, &peer->aorg)) {
peer->bogusorg++;
peer->flash |= TEST2; /* bogus */
+ msyslog(LOG_INFO,
+ "receive: Unexpected origin timestamp from %s",
+ ntoa(&peer->srcadr));
if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
&peer->dst)) {
peer->flip = 1;
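Review bot: The new `msyslog(LOG_INFO, "receive: Unexpected origin timestamp from %s", ...)` fires for every packet whose origin timestamp mismatches, which is exactly the packet an off-path spoofer can send at will, so it turns a dropped packet into unbounded syslog growth; the Bug 2941 hunk further down in this commit deliberately uses DPRINTF "to avoid log flooding", and this hunk should follow the same rule. Either switch to `DPRINTF(1, ("receive: Unexpected origin timestamp from %s\n", ntoa(&peer->srcadr)));` or rate-limit the message per peer (e.g. log only when `peer->bogusorg` crosses a threshold). The `peer->bogusorg++` counter already records the event for ntpq, so the unconditional log line adds little. receive() continues outside the hunk.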
Index: ntp-4.2.6.p5+dfsg/include/ntp_stdlib.h
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/include/ntp_stdlib.h
+++ ntp-4.2.6.p5+dfsg/include/ntp_stdlib.h
@@ -46,6 +46,8 @@ extern int msnprintf(char *, size_t, con
__attribute__((__format__(__printf__, 3, 4)));
extern void msyslog(int, const char *, ...)
__attribute__((__format__(__printf__, 2, 3)));
+extern void mvsyslog(int, const char *, va_list)
+ __attribute__((__format__(__printf__, 2, 0)));
/*
* When building without OpenSSL, use a few macros of theirs to
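Review bot: The new prototype takes a `va_list`, so ntp_stdlib.h must (directly or transitively) include `<stdarg.h>` before this point; the header's include block is outside the hunk, so if it does not, add `#include <stdarg.h>` near the top of the header rather than relying on every includer to have pulled it in first.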
Index: ntp-4.2.6.p5+dfsg/include/ntp_syslog.h
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/include/ntp_syslog.h
+++ ntp-4.2.6.p5+dfsg/include/ntp_syslog.h
@@ -9,6 +9,7 @@
# ifdef VMS
extern void msyslog();
+extern void mvsyslog();
# else
# ifndef SYS_VXWORKS
# include <syslog.h>
Index: ntp-4.2.6.p5+dfsg/libntp/authreadkeys.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/libntp/authreadkeys.c
+++ ntp-4.2.6.p5+dfsg/libntp/authreadkeys.c
@@ -61,6 +61,41 @@ nexttok(
}
+/* TALOS-CAN-0055: possibly DoS attack by setting the key file to the
+ * log file. This is hard to prevent (it would need to check two files
+ * to be the same on the inode level, which will not work so easily with
+ * Windows or VMS) but we can avoid the self-amplification loop: We only
+ * log the first 5 errors, silently ignore the next 10 errors, and give
+ * up when when we have found more than 15 errors.
+ *
+ * This avoids the endless file iteration we will end up with otherwise,
+ * and also avoids overflowing the log file.
+ *
+ * Nevertheless, once this happens, the keys are gone since this would
+ * require a save/swap strategy that is not easy to apply due to the
+ * data on global/static level.
+ */
+
+static const size_t nerr_loglimit = 5u;
+static const size_t nerr_maxlimit = 15;
+
+static void log_maybe(size_t*, const char*, ...)
+ __attribute__((__format__(__printf__, 2, 3)));
+
+static void
+log_maybe(
+ size_t *pnerr,
+ const char *fmt ,
+ ...)
+{
+ va_list ap;
+ if (++(*pnerr) <= nerr_loglimit) {
+ va_start(ap, fmt);
+ mvsyslog(LOG_ERR, fmt, ap);
+ va_end(ap);
+ }
+}
+
/*
* authreadkeys - (re)read keys from a file.
*/
@@ -78,6 +113,7 @@ authreadkeys(
u_char keystr[20];
int len;
int j;
+ size_t nerr;
/*
* Open file. Complain and return if it can't be opened.
@@ -98,7 +134,10 @@ authreadkeys(
/*
* Now read lines from the file, looking for key entries
*/
+ nerr = 0;
while ((line = fgets(buf, sizeof buf, fp)) != NULL) {
+ if (nerr > nerr_maxlimit)
+ break;
token = nexttok(&line);
if (token == NULL)
continue;
@@ -108,15 +147,16 @@ authreadkeys(
*/
keyno = atoi(token);
if (keyno == 0) {
- msyslog(LOG_ERR,
- "authreadkeys: cannot change key %s", token);
+ log_maybe(&nerr,
+ "authreadkeys: cannot change key %s",
+ token);
continue;
}
if (keyno > NTP_MAXKEY) {
- msyslog(LOG_ERR,
- "authreadkeys: key %s > %d reserved for Autokey",
- token, NTP_MAXKEY);
+ log_maybe(&nerr,
+ "authreadkeys: key %s > %d reserved for Autokey",
+ token, NTP_MAXKEY);
continue;
}
@@ -125,8 +165,9 @@ authreadkeys(
*/
token = nexttok(&line);
if (token == NULL) {
- msyslog(LOG_ERR,
- "authreadkeys: no key type for key %d", keyno);
+ log_maybe(&nerr,
+ "authreadkeys: no key type for key %d",
+ keyno);
continue;
}
#ifdef OPENSSL
@@ -138,13 +179,15 @@ authreadkeys(
*/
keytype = keytype_from_text(token, NULL);
if (keytype == 0) {
- msyslog(LOG_ERR,
- "authreadkeys: invalid type for key %d", keyno);
+ log_maybe(&nerr,
+ "authreadkeys: invalid type for key %d",
+ keyno);
continue;
}
if (EVP_get_digestbynid(keytype) == NULL) {
- msyslog(LOG_ERR,
- "authreadkeys: no algorithm for key %d", keyno);
+ log_maybe(&nerr,
+ "authreadkeys: no algorithm for key %d",
+ keyno);
continue;
}
#else /* OPENSSL */
@@ -154,8 +197,9 @@ authreadkeys(
* 'm' for compatibility.
*/
if (!(*token == 'M' || *token == 'm')) {
- msyslog(LOG_ERR,
- "authreadkeys: invalid type for key %d", keyno);
+ log_maybe(&nerr,
+ "authreadkeys: invalid type for key %d",
+ keyno);
continue;
}
keytype = KEY_TYPE_MD5;
@@ -169,8 +213,8 @@ authreadkeys(
*/
token = nexttok(&line);
if (token == NULL) {
- msyslog(LOG_ERR,
- "authreadkeys: no key for key %d", keyno);
+ log_maybe(&nerr,
+ "authreadkeys: no key for key %d", keyno);
continue;
}
len = strlen(token);
@@ -186,8 +230,9 @@ authreadkeys(
for (j = 0; j < jlim; j++) {
ptr = strchr(hex, tolower(token[j]));
if (ptr == NULL) {
- msyslog(LOG_ERR,
- "authreadkeys: invalid hex digit for key %d", keyno);
+ log_maybe(&nerr,
+ "authreadkeys: invalid hex digit for key %d",
+ keyno);
continue;
}
temp = (u_char)(ptr - hex);
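Review bot: The `continue` after the invalid-hex-digit message only skips that one digit: the loop keeps going, the partially filled `keystr` is still handed to whatever key-install call follows below the hunk, and every bad character in a long garbage token burns one unit of the new 15-error budget that now aborts the whole file. Better to reject the key outright, e.g. replace `continue;` with `break;` after setting a flag, and skip the install when the flag is set. This is pre-existing behaviour, but the commit touches the line and the new error budget makes the per-digit counting worse. The enclosing loop body continues past the hunk.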
@@ -200,5 +245,15 @@ authreadkeys(
}
}
fclose(fp);
+ if (nerr > nerr_maxlimit) {
+ msyslog(LOG_ERR,
+ "authreadkeys: emergency break after %u errors",
+ nerr);
+ return (0);
+ } else if (nerr > nerr_loglimit) {
+ msyslog(LOG_ERR,
+ "authreadkeys: found %u more error(s)",
+ nerr - nerr_loglimit);
+ }
return (1);
}
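Review bot: Both new `msyslog` calls format `nerr` (declared `size_t` earlier in this file section) with `%u`, which msyslog's printf format attribute will warn about and which is undefined where size_t is wider than unsigned. Use `%zu` if msnprintf supports it on all targets, otherwise cast: `"authreadkeys: emergency break after %u errors", (unsigned)nerr` and `"authreadkeys: found %u more error(s)", (unsigned)(nerr - nerr_loglimit)`.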
Index: ntp-4.2.6.p5+dfsg/libntp/msyslog.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/libntp/msyslog.c
+++ ntp-4.2.6.p5+dfsg/libntp/msyslog.c
@@ -271,6 +271,18 @@ msnprintf(
return rc;
}
+void
+mvsyslog(
+ int level,
+ const char * fmt,
+ va_list ap
+ )
+{
+ char buf[1024];
+ mvsnprintf(buf, sizeof(buf), fmt, ap);
+ addto_syslog(level, buf);
+}
+
void
msyslog(
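Review bot: `mvsyslog` has no header comment and silently truncates the formatted message to 1023 bytes via the fixed `buf[1024]`; a maintainer should know that contract before feeding it long key-file tokens. I would add above it: `/* va_list counterpart of msyslog(); the message is formatted into a fixed 1024-byte buffer and truncated if longer. */` Whether the existing msyslog uses the same buffer size is not visible here; if it does, say so and consider having msyslog forward to mvsyslog so there is one implementation.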
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_control.c
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_control.c
@@ -561,6 +561,28 @@ save_config(
int restrict_mask
)
{
+ /* block directory traversal by searching for characters that
+ * indicate directory components in a file path.
+ *
+ * Conceptually we should be searching for DIRSEP in filename,
+ * however Windows actually recognizes both forward and
+ * backslashes as equivalent directory separators at the API
+ * level. On POSIX systems we could allow '\\' but such
+ * filenames are tricky to manipulate from a shell, so just
+ * reject both types of slashes on all platforms.
+ */
+ /* TALOS-CAN-0062: block directory traversal for VMS, too */
+ static const char * illegal_in_filename =
+#if defined(VMS)
+ ":[]" /* do not allow drive and path components here */
+#elif defined(SYS_WINNT)
+ ":\\/" /* path and drive separators */
+#else
+ "\\/" /* separator and critical char for POSIX */
+#endif
+ ;
+
+
char reply[128];
#ifdef SAVECONFIG
char filespec[128];
@@ -615,7 +637,9 @@ save_config(
filename[sizeof(filename) - 1] = '\0';
- if (strchr(filename, '\\') || strchr(filename, '/')) {
+ /* block directory/drive traversal */
+ /* TALOS-CAN-0062: block directory traversal for VMS, too */
+ if (NULL != strpbrk(filename, illegal_in_filename)) {
snprintf(reply, sizeof(reply),
"saveconfig does not allow directory in filename");
ctl_putdata(reply, strlen(reply), 0);
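Review bot: The VMS character set `":[]"` rejects the bracket form of a directory specification, but I believe VMS file specifications also accept `<dir>` as an equivalent delimiter pair, so `<` and `>` probably belong in the list too; confirm against the platform before relying on this for TALOS-CAN-0062. A short comment beside the VMS case stating which syntaxes were considered, e.g. `/* device:[dir] and device:<dir> forms */`, would help the next reader. The check itself (`strpbrk` on the truncated, NUL-terminated `filename`) looks right. save_config() continues outside the hunk.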
Index: ntp-4.2.6.p5+dfsg/ntpq/ntpq.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpq/ntpq.c
+++ ntp-4.2.6.p5+dfsg/ntpq/ntpq.c
@@ -3448,12 +3448,17 @@ cookedprint(
char bv[401];
int len;
+ /* TALOS-CAN-0063: avoid buffer overrun */
atoascii(name, MAXVARLEN, bn, sizeof(bn));
- atoascii(value, MAXVARLEN, bv, sizeof(bv));
if (output_raw != '*') {
+ atoascii(value, MAXVALLEN,
+ bv, sizeof(bv) - 1);
len = strlen(bv);
bv[len] = output_raw;
bv[len+1] = '\0';
+ } else {
+ atoascii(value, MAXVALLEN,
+ bv, sizeof(bv));
}
output(fp, bn, bv);
}
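Review bot: The correctness of `sizeof(bv) - 1` rests on atoascii's contract for its last argument (whether `out_octets` counts the terminator); if atoascii may fill `out_octets` characters and write the NUL one past them, the later `bv[len+1] = '\0'` would still overrun by one. Record the assumption in a comment above the first call, `/* reserve one byte so output_raw plus the NUL still fit in bv; atoascii writes at most out_octets-1 chars + NUL */`, and verify it against atoascii, which is not visible in this chunk.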
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
@@ -3256,6 +3256,7 @@ static inline int
read_refclock_packet(SOCKET fd, struct refclockio *rp, l_fp ts)
{
int i;
+ u_int read_count;
int buflen;
register struct recvbuf *rb;
@@ -3272,11 +3273,14 @@ read_refclock_packet(SOCKET fd, struct r
return (buflen);
}
- i = (rp->datalen == 0
- || rp->datalen > sizeof(rb->recv_space))
- ? sizeof(rb->recv_space)
- : rp->datalen;
- buflen = read(fd, (char *)&rb->recv_space, (unsigned)i);
+ /* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead
+ * to buffer overrun and memory corruption
+ */
+ if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space))
+ read_count = sizeof(rb->recv_space);
+ else
+ read_count = (u_int)rp->datalen;
+ buflen = read(fd, (char *)&rb->recv_space, read_count);
if (buflen < 0) {
if (errno != EINTR && errno != EAGAIN)
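Review bot: After this change the local `int i` declared at the top of read_refclock_packet no longer appears in the visible part of the function; if it has no use beyond the hunk it should be removed to keep -Wunused clean. The new guard `rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space)` is ordered so the signed test runs first, which is what makes the mixed-sign comparison safe; a one-line comment `/* datalen <= 0 checked first so the unsigned compare never sees a negative */` preserves that reasoning. The function continues past the hunk.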
Index: ntp-4.2.6.p5+dfsg/libntp/decodenetnum.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/libntp/decodenetnum.c
+++ ntp-4.2.6.p5+dfsg/libntp/decodenetnum.c
@@ -36,7 +36,10 @@ decodenetnum(
char name[80];
NTP_REQUIRE(num != NULL);
- NTP_REQUIRE(strlen(num) < sizeof(name));
+
+ if (strlen(num) >= sizeof(name)) {
+ return 0;
+ }
port_str = NULL;
if ('[' != num[0]) {
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_proto.c
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_proto.c
@@ -998,6 +998,24 @@ receive(
sys_restricted++;
return;
}
+ /* [Bug 2941]
+ * If we got here, the packet isn't part of an
+ * existing association, it isn't correctly
+ * authenticated, and it didn't meet either of
+ * the previous two special cases so we should
+ * just drop it on the floor. For example,
+ * crypto-NAKs (is_authentic == AUTH_CRYPTO)
+ * will make it this far. This is just
+ * debug-printed and not logged to avoid log
+ * flooding.
+ */
+ DPRINTF(1, ("receive: at %ld refusing to mobilize passive association"
+ " with unknown peer %s mode %d keyid %08x len %d auth %d\n",
+ current_time, stoa(&rbufp->recv_srcadr),
+ hismode, skeyid, (authlen + has_mac),
+ is_authentic));
+ sys_declined++;
+ return;
}
/*
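Review bot: The DPRINTF format uses `%ld` for `current_time`, which I believe is declared `u_long` elsewhere in ntpd; `%lu` is the matching conversion, harmless in practice since this is debug-only but it keeps the format attribute warning-free if DPRINTF forwards to a checked printf. The `sys_declined++` plus `return` is the right outcome for an unauthenticated crypto-NAK from an unknown source. receive() continues outside the hunk.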
diff -up ntp-4.2.6p5/ntpd/ntp_control.c.cve-2015-5146 ntp-4.2.6p5/ntpd/ntp_control.c
--- ntp-4.2.6p5/ntpd/ntp_control.c.cve-2015-5146 2015-07-16 15:37:02.297977248 +0200
+++ ntp-4.2.6p5/ntpd/ntp_control.c 2015-07-16 15:37:02.403977575 +0200
@@ -2471,6 +2471,35 @@ write_variables(
ctl_flushpkt(0);
}
+/* Bug 2853 */
+/* evaluate the length of the command sequence. This breaks at the first
+ * char that is not >= SPACE and <= 127 after trimming from the right.
+ */
+static size_t
+cmdlength(
+ const char *src_buf,
+ const char *src_end
+ )
+{
+ const char *scan;
+ unsigned char ch;
+
+ /* trim whitespace & garbage from the right */
+ while (src_end != src_buf) {
+ ch = src_end[-1];
+ if (ch > ' ' && ch < 128)
+ break;
+ --src_end;
+ }
+ /* now do a forward scan */
+ for (scan = src_buf; scan != src_end; ++scan) {
+ ch = scan[0];
+ if ((ch < ' ' || ch >= 128) && ch != '\t')
+ break;
+ }
+ return (size_t)(scan - src_buf);
+}
+
/*
* configure() processes ntpq :config/config-from-file, allowing
* generic runtime reconfiguration.
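Review bot: The comment on cmdlength says it breaks at the first char that is not between SPACE and 127, but the code also accepts `'\t'` in the forward scan and first trims everything `<= ' '` or `>= 128` from the right, so the returned length is shorter than the input even for a clean command that ends in a newline or blank. That matters because the configure() hunk below compares the result with the raw request length (`data_count != (size_t)(reqend - reqpt)`) to decide the request holds an unacceptable character; unless the caller has already stripped trailing whitespace from reqend (not visible here), a trailing CR/LF is rejected with a misleading error. Reword the comment to `/* Length of the leading run of printable ASCII (SPACE..DEL) or TAB, after trailing whitespace/garbage has been trimmed from the right. */`, and either trim reqend the same way before comparing or make the error text mention trailing whitespace.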
@@ -2482,7 +2511,6 @@ static void configure(
{
size_t data_count;
int retval;
- int replace_nl;
/* I haven't yet implemented changes to an existing association.
* Hence check if the association id is 0
@@ -2506,7 +2534,7 @@ static void configure(
}
/* Initialize the remote config buffer */
- data_count = reqend - reqpt;
+ data_count = cmdlength(reqpt, reqend);
if (data_count > sizeof(remote_config.buffer) - 2) {
snprintf(remote_config.err_msg,
@@ -2520,33 +2548,41 @@ static void configure(
stoa(&rbufp->recv_srcadr));
return;
}
+ /* Bug 2853 -- check if all characters were acceptable */
+ if (data_count != (size_t)(reqend - reqpt)) {
+ snprintf(remote_config.err_msg,