On Sun, Dec 21, 2014 at 10:16:37AM -0800, Noah Meyerhans wrote: > I'm putting an NMU targeting sid/jessie together now. Unless someone > beats me to it, I should be uploading today.
Not sure why, but I don't have commit access to the ntp svn repo. Going to upload anyway, and will follow up with svn after. For the record, the diff is attached. Since the upstream version is unchanged between wheezy and sid, the patches from stable applied directly to unstable. changelog | 11 +++++++++ patches/ntp-4.2.6p5-cve-2014-9293.patch | 37 ++++++++++++++++++++++++++++++ patches/ntp-4.2.6p5-cve-2014-9294.patch | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ patches/ntp-4.2.6p5-cve-2014-9295.patch | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ patches/ntp-4.2.6p5-cve-2014-9296.patch | 15 ++++++++++++ patches/series | 4 +++ 6 files changed, 285 insertions(+)
Index: debian/changelog
===================================================================
--- debian/changelog (revision 372)
+++ debian/changelog (working copy)
@@ -1,3 +1,14 @@
+ntp (1:4.2.6.p5+dfsg-5) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Apply fixes for security updates (Closes: 773576)
+ - cve-2014-9293
+ - cve-2014-9294
+ - cve-2014-9295
+ - cve-2014-9296
+
+ -- Noah Meyerhans <no...@debian.org> Sun, 21 Dec 2014 10:13:56 -0800
+
 ntp (1:4.2.6.p5+dfsg-4) UNRELEASED; urgency=low
 
 * Fix Lintian warning vcs-field-not-canonical
Index: debian/patches/ntp-4.2.6p5-cve-2014-9293.patch
===================================================================
--- debian/patches/ntp-4.2.6p5-cve-2014-9293.patch (revision 0)
+++ debian/patches/ntp-4.2.6p5-cve-2014-9293.patch (working copy)
@@ -0,0 +1,37 @@
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c 2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntp_config.c 2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+ req_hashlen = digest_len;
+ #endif
+ } else {
+- int rankey;
++ unsigned char rankey[16];
++
++ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
++ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++ exit(1);
++ }
+
+- rankey = ntp_random();
+ req_keytype = NID_md5;
+ req_hashlen = 16;
+- MD5auth_setkey(req_keyid, req_keytype,
+- (u_char *)&rankey, sizeof(rankey));
++ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+ authtrust(req_keyid, 1);
+ }
+
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c 2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntpd.c 2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+ get_systime(&now);
+
+ ntp_srandom((int)(now.l_i * now.l_uf));
++ ntp_crypto_srandom();
+
+ #if !defined(VMS)
+ # ifndef NODETACH
Index: debian/patches/ntp-4.2.6p5-cve-2014-9294.patch
===================================================================
--- debian/patches/ntp-4.2.6p5-cve-2014-9294.patch (revision 0)
+++ debian/patches/ntp-4.2.6p5-cve-2014-9294.patch (working copy)
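Review bot: The `ntp_crypto_random_buf()` and `ntp_crypto_srandom()` calls added to ntp_config.c and ntpd.c are only declared and defined by the cve-2014-9294 patch, which `debian/patches/series` lists after this one, so this patch does not build when applied on its own; I would swap the two series entries or state the dependency in the patch header. Separately, `rankey` stays on the stack after it has been handed to `MD5auth_setkey()`; clearing it once the key is installed, e.g. `OPENSSL_cleanse(rankey, sizeof(rankey));` if OpenSSL is always linked on this path, keeps the generated request key from lingering in reused stack memory. Both inner hunks are fragments of larger functions whose start and end are outside the visible lines.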
@@ -0,0 +1,111 @@
+Index: git/include/ntp_random.h
+===================================================================
+--- git.orig/include/ntp_random.h 2014-12-20 18:45:44.712861496 +0100
++++ git/include/ntp_random.h 2014-12-20 18:45:52.817027062 +0100
+@@ -1,6 +1,9 @@
+
+ #include <ntp_types.h>
+
++void ntp_crypto_srandom(void);
++int ntp_crypto_random_buf(void *buf, size_t nbytes);
++
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: git/libntp/ntp_random.c
+===================================================================
+--- git.orig/libntp/ntp_random.c 2014-12-20 18:45:44.712861496 +0100
++++ git/libntp/ntp_random.c 2014-12-20 18:45:52.817027062 +0100
+@@ -481,3 +481,63 @@
+ }
+ return(i);
+ }
++
++/*
++ * Crypto-quality random number functions
++ *
++ * Author: Harlan Stenn, 2014
++ *
++ * This file is Copyright (c) 2014 by Network Time Foundation.
++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
++ */
++
++#include <openssl/err.h>
++#include <openssl/rand.h>
++
++int crypto_rand_init = 0;
++
++/*
++ * ntp_crypto_srandom:
++ *
++ * Initialize the random number generator, if needed by the underlying
++ * crypto random number generation mechanism.
++ */
++
++void
++ntp_crypto_srandom(
++ void
++ )
++{
++ if (!crypto_rand_init) {
++ RAND_poll();
++ crypto_rand_init = 1;
++ }
++}
++
++/*
++ * ntp_crypto_random_buf:
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++ntp_crypto_random_buf(
++ void *buf,
++ size_t nbytes
++ )
++{
++ int rc;
++
++ rc = RAND_bytes(buf, nbytes);
++ if (1 != rc) {
++ unsigned long err;
++ char *err_str;
++
++ err = ERR_get_error();
++ err_str = ERR_error_string(err, NULL);
++ /* XXX: Log the error */
++
++ return -1;
++ }
++ return 0;
++}
++
+Index: git/util/ntp-keygen.c
+===================================================================
+--- git.orig/util/ntp-keygen.c 2014-12-20 18:45:44.712861496 +0100
++++ git/util/ntp-keygen.c 2014-12-20 18:45:52.817027062 +0100
+@@ -261,6 +261,8 @@
+ ssl_check_version();
+ #endif /* OPENSSL */
+
++ ntp_crypto_srandom();
++
+ /*
+ * Process options, initialize host name and timestamp.
+ */
+@@ -727,7 +729,14 @@
+ int temp;
+
+ while (1) {
+- temp = ntp_random() & 0xff;
++ int rc;
++
++ rc = ntp_crypto_random_buf(&temp, 1);
++ if (-1 == rc) {
++ fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
++ exit (-1);
++ }
++ temp &= 0xff;
+ if (temp == '#')
+ continue;
+
Index: debian/patches/ntp-4.2.6p5-cve-2014-9295.patch
===================================================================
--- debian/patches/ntp-4.2.6p5-cve-2014-9295.patch (revision 0)
+++ debian/patches/ntp-4.2.6p5-cve-2014-9295.patch (working copy)
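Review bot: In the ntp-keygen.c hunk, `ntp_crypto_random_buf(&temp, 1)` fills only the byte at the lowest address of the `int temp`, while `temp &= 0xff` keeps the least significant byte; on a big-endian machine these are different bytes, so the masked value comes from a part of `temp` the call never wrote and the generated key characters carry no fresh randomness there. Reading into a byte-sized object is correct on every architecture: declare `unsigned char b;`, call `rc = ntp_crypto_random_buf(&b, 1);`, and after the error check assign `temp = b;`. In the ntp_random.c hunk, `RAND_poll()`'s return value is ignored and `crypto_rand_init` is set to 1 regardless, and `err_str` is computed and then dropped at the `XXX: Log the error` marker, so a seeding or `RAND_bytes()` failure leaves no record of its cause; checking the first and passing the second to `msyslog()` would make such failures diagnosable. The enclosing functions in ntp-keygen.c start and end outside the hunk.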
@@ -0,0 +1,107 @@
+2014-12-12 11:06:03+00:00, st...@psp-fb1.ntp.org +12 -3
+ [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, st...@psp-fb1.ntp.org +16 -1
+ [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, st...@psp-fb1.ntp.org +14 -0
+ [Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c 2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c 2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+ * errors.
+ */
+ if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++ u_int32 *cookiebuf = malloc(
++ RSA_size(host_pkey->pkey.rsa));
++ if (!cookiebuf) {
++ rval = XEVNT_CKY;
++ break;
++ }
++
+ if (RSA_private_decrypt(vallen,
+ (u_char *)ep->pkt,
+- (u_char *)&temp32,
++ (u_char *)cookiebuf,
+ host_pkey->pkey.rsa,
+- RSA_PKCS1_OAEP_PADDING) <= 0) {
++ RSA_PKCS1_OAEP_PADDING) != 4) {
+ rval = XEVNT_CKY;
++ free(cookiebuf);
+ break;
+ } else {
+- cookie = ntohl(temp32);
++ cookie = ntohl(*cookiebuf);
++ free(cookiebuf);
+ }
+ } else {
+ rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c 2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static char *reqpt;
+ static char *reqend;
+
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+ * init_control - initialize request data
+ */
+@@ -995,6 +999,7 @@
+ )
+ {
+ int overhead;
++ unsigned int currentlen;
+
+ overhead = 0;
+ if (!bin) {
+@@ -1018,12 +1023,22 @@
+ /*
+ * Save room for trailing junk
+ */
+- if (dlen + overhead + datapt > dataend) {
++ while (dlen + overhead + datapt > dataend) {
+ /*
+ * Not enough room in this one, flush it out.
+ */
++ currentlen = MIN(dlen, dataend - datapt);
++
++ memcpy(datapt, dp, currentlen);
++
++ datapt += currentlen;
++ dp += currentlen;
++ dlen -= currentlen;
++ datalinelen += currentlen;
++
+ ctl_flushpkt(CTL_MORE);
+ }
++
+ memmove((char *)datapt, dp, (unsigned)dlen);
+ datapt += dlen;
+ datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+
+ /* Initialize the remote config buffer */
+ data_count = reqend - reqpt;
++
++ if (data_count > sizeof(remote_config.buffer) - 2) {
++ snprintf(remote_config.err_msg,
++ sizeof(remote_config.err_msg),
++ "runtime configuration failed: request too long");
++ ctl_putdata(remote_config.err_msg,
++ strlen(remote_config.err_msg), 0);
++ ctl_flushpkt(0);
++ msyslog(LOG_NOTICE,
++ "runtime config from %s rejected: request too long",
++ stoa(&rbufp->recv_srcadr));
++ return;
++ }
++
+ memcpy(remote_config.buffer, reqpt, data_count);
+ if (data_count > 0
+ && '\n' != remote_config.buffer[data_count - 1])
Index: debian/patches/ntp-4.2.6p5-cve-2014-9296.patch
===================================================================
--- debian/patches/ntp-4.2.6p5-cve-2014-9296.patch (revision 0)
+++ debian/patches/ntp-4.2.6p5-cve-2014-9296.patch (working copy)
@@ -0,0 +1,15 @@
+2014-12-12 11:24:22+00:00, st...@psp-fb1.ntp.org +1 -0
+ [Sec 2670] Missing return; from error clause
+
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c 2014-12-20 18:45:42.760821618 +0100
++++ git/ntpd/ntp_proto.c 2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+ fast_xmit(rbufp, MODE_ACTIVE, 0,
+ restrict_mask);
+ sys_restricted++;
++ return;
+ }
+ }
+
Index: debian/patches/series
===================================================================
--- debian/patches/series (revision 372)
+++ debian/patches/series (working copy)
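Review bot: In the ctl_putdata() hunk, `currentlen = MIN(dlen, dataend - datapt)` compares `dlen` against a signed pointer difference and stores the result in an `unsigned int`; if `datapt` can ever be past `dataend` when the loop is entered (the code that advances it before this point is outside the hunk), the difference is negative and the `memcpy` length is no longer bounded by the space left in the packet. I would compute the room explicitly, `unsigned int room = (datapt < dataend) ? (unsigned int)(dataend - datapt) : 0;` followed by `currentlen = MIN(dlen, room);`, so the copy length can never exceed it. The loop copies with `memcpy` while the tail keeps `memmove`; one of the two should be used throughout, with a comment saying whether `dp` may overlap the packet buffer. In the crypto_recv() hunk, `!= 4` would read better as `!= sizeof(u_int32)`, and the decrypted cookie is freed without being cleared, where `OPENSSL_cleanse()` before each `free(cookiebuf)` would avoid leaving it in heap memory. All three functions start and end outside their hunks.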
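Review bot: The `return;` added after `sys_restricted++` in ntp_proto.c has no comment, and the bug it fixes (an error clause that answers with `fast_xmit()` and then falls through into further handling of the same packet) is easy to reintroduce the next time this block is edited. I would put `/* error reply sent; stop processing this packet */` above it. The enclosing condition and the code that ran after the fall-through are outside the hunk, so other error clauses in the same function, which may have the same shape, cannot be checked from here and are worth a look in the full file.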
@@ -10,3 +10,7 @@
 sntp-manpage.patch
 openssl-headers.patch
 autotools.patch
+ntp-4.2.6p5-cve-2014-9293.patch
+ntp-4.2.6p5-cve-2014-9294.patch
+ntp-4.2.6p5-cve-2014-9295.patch
+ntp-4.2.6p5-cve-2014-9296.patch