Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#46294 closed defect (fixed)

ntp @4.2.7p476_1: multiple security vulnerabilities

Reported by: geekosaur Owned by: danielluke (Daniel J. Luke)
Priority: High Milestone:
Component: ports Version: 2.3.3
Keywords: haspatch security Cc: neverpanic (Clemens Lang), Schamschula (Marius Schamschula)
Port: ntp

Attachments (4)

Portfile.diff (1015 bytes) - added by neverpanic (Clemens Lang) 10 years ago.
Patch against the Portfile
patch-ntpd-ntp_io.c-fix-build-failure.diff (814 bytes) - added by neverpanic (Clemens Lang) 10 years ago.
Patch required to fix build failure in 4.2.8
patch-ntpd-ntp_io.c.diff (814 bytes) - added by Schamschula (Marius Schamschula) 10 years ago.
Portfile-ntp.diff (1.1 KB) - added by Schamschula (Marius Schamschula) 10 years ago.

Download all attachments as: .zip

Change History (11)

comment:1 Changed 10 years ago by larryv (Lawrence Velázquez)

Cc: dluke@… removed
Owner: changed from macports-tickets@… to dluke@…

Changed 10 years ago by neverpanic (Clemens Lang)

Attachment: Portfile.diff added

Patch against the Portfile

Changed 10 years ago by neverpanic (Clemens Lang)

Patch required to fix build failure in 4.2.8

comment:2 Changed 10 years ago by neverpanic (Clemens Lang)

Cc: cal@… added
Keywords: haspatch security added
Priority: NormalHigh

Here's a patch that updates the Portfile and a patch against the sources to fix a build failure. The build failure is being tracked upstream in http://bugs.ntp.org/show_bug.cgi?id=2697.

I increased the priority since this is a critical problem and can possibly be used for remote code execution.

Changed 10 years ago by Schamschula (Marius Schamschula)

Attachment: patch-ntpd-ntp_io.c.diff added

comment:3 in reply to:  2 Changed 10 years ago by Schamschula (Marius Schamschula)

The patch-ntpd-ntp_io.c-fix-build-failure.diff​ was backwards.

Changed 10 years ago by Schamschula (Marius Schamschula)

Attachment: Portfile-ntp.diff added

comment:4 Changed 10 years ago by Schamschula (Marius Schamschula)

Added patchfiles to Portfile-ntp.diff

comment:5 Changed 10 years ago by Schamschula (Marius Schamschula)

Cc: mschamschula@… added

Cc Me!

comment:6 Changed 10 years ago by danielluke (Daniel J. Luke)

Resolution: fixed
Status: newclosed

Security issues are considered critical/broken ports, so any committer could have bumped this. Thanks for the patches, though. I've just committed it (r129821).

comment:7 Changed 10 years ago by danielluke (Daniel J. Luke)

For completeness, it's worth noting that our default ntp.conf ships with a restrict default ... noquery line, so the text in the release announcement applies:

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

restrict default ... noquery

in the ntp.conf file.  With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.
Note: See TracTickets for help on using tickets.