#46294 closed defect (fixed)
ntp @4.2.7p476_1: multiple security vulnerabilities
Reported by: | geekosaur | Owned by: | danielluke (Daniel J. Luke) |
---|---|---|---|
Priority: | High | Milestone: | |
Component: | ports | Version: | 2.3.3 |
Keywords: | haspatch security | Cc: | neverpanic (Clemens Lang), Schamschula (Marius Schamschula) |
Port: | ntp |
Description
http://support.ntp.org/bin/view/Main/SecurityNotice#Buffer_overflow_in_ctl_putdata
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
4.2.8 has been released upstream to address these vulnerabilities.
Attachments (4)
Change History (11)
comment:1 Changed 10 years ago by larryv (Lawrence Velázquez)
Cc: | dluke@… removed |
---|---|
Owner: | changed from macports-tickets@… to dluke@… |
Changed 10 years ago by neverpanic (Clemens Lang)
Attachment: | Portfile.diff added |
---|
Changed 10 years ago by neverpanic (Clemens Lang)
Attachment: | patch-ntpd-ntp_io.c-fix-build-failure.diff added |
---|
Patch required to fix build failure in 4.2.8
comment:2 follow-up: 3 Changed 10 years ago by neverpanic (Clemens Lang)
Cc: | cal@… added |
---|---|
Keywords: | haspatch security added |
Priority: | Normal → High |
Here's a patch that updates the Portfile and a patch against the sources to fix a build failure. The build failure is being tracked upstream in http://bugs.ntp.org/show_bug.cgi?id=2697.
I increased the priority since this is a critical problem and can possibly be used for remote code execution.
Changed 10 years ago by Schamschula (Marius Schamschula)
Attachment: | patch-ntpd-ntp_io.c.diff added |
---|
comment:3 Changed 10 years ago by Schamschula (Marius Schamschula)
The patch-ntpd-ntp_io.c-fix-build-failure.diff was backwards.
Changed 10 years ago by Schamschula (Marius Schamschula)
Attachment: | Portfile-ntp.diff added |
---|
comment:4 Changed 10 years ago by Schamschula (Marius Schamschula)
Added patchfiles to Portfile-ntp.diff
comment:6 Changed 10 years ago by danielluke (Daniel J. Luke)
Resolution: | → fixed |
---|---|
Status: | new → closed |
Security issues are considered critical/broken ports, so any committer could have bumped this. Thanks for the patches, though. I've just committed it (r129821).
comment:7 Changed 10 years ago by danielluke (Daniel J. Luke)
For completeness, it's worth noting that our default ntp.conf ships with a restrict default ... noquery line, so the text in the release announcement applies:
The vulnerabilities listed below can be significantly mitigated by following the BCP of putting restrict default ... noquery in the ntp.conf file. With the exception of: receive(): missing return on error References: Sec 2670 / CVE-2014-9296 / VU#852879 below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a 'query'-class packet by your ntp.conf file.
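The mitigation quoted in comment 7 can be checked mechanically. The following is an added example, not part of the ticket or the ntp port: it audits ntp.conf text for default restrict rules that lack noquery and lists the more specific rules that still answer queries. The sample config is constructed, and two points are assumptions about ntpd's behaviour: an unqualified default covers both IPv4 and IPv6, and repeated rules for the same entry accumulate flags.

```python
# Added example: audit ntp.conf text for the "restrict default ... noquery" mitigation.
BLOCKS_QUERY = {"noquery", "ignore"}  # 'ignore' drops every packet, queries included

def parse_restricts(conf_text):
    """Yield (family, address, flags) for each 'restrict' line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip trailing comments
        if len(tokens) < 2 or tokens[0].lower() != "restrict":
            continue
        args, family = tokens[1:], None
        if args[0] in ("-4", "-6"):            # optional address-family qualifier
            family, args = args[0], args[1:]
        if not args:
            continue
        address, rest = args[0], args[1:]
        if len(rest) >= 2 and rest[0].lower() == "mask":
            address, rest = f"{address} mask {rest[1]}", rest[2:]
        yield family, address, {flag.lower() for flag in rest}

def audit(conf_text):
    """Return (families whose default rule answers queries, sources exempted)."""
    defaults = {"-4": set(), "-6": set()}  # no default rule means no restriction
    sources = {}
    for family, address, flags in parse_restricts(conf_text):
        if address.lower() == "default":
            # Assumption: an unqualified 'default' covers both IPv4 and IPv6.
            for fam in ([family] if family else ["-4", "-6"]):
                defaults[fam] |= flags     # assumption: repeated rules accumulate flags
        else:
            # A more specific rule replaces the default for the sources it matches.
            sources.setdefault(address, set()).update(flags)
    exposed = sorted(f for f, fl in defaults.items() if not fl & BLOCKS_QUERY)
    exempt = sorted(a for a, fl in sources.items() if not fl & BLOCKS_QUERY)
    return exposed, exempt

# Constructed sample, not the ntp.conf shipped by the port.
SAMPLE = """\
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer   # noquery missing
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

if __name__ == "__main__":
    exposed, exempt = audit(SAMPLE)
    print("default rule answers queries for:", exposed or "none")
    print("sources exempted from noquery:", exempt or "none")
```

The check does not recognise the equivalent spelling 0.0.0.0 mask 0.0.0.0 as a default rule; such a line is reported under the exempted sources instead.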
Patch against the Portfile