author | taca <taca@pkgsrc.org> | 2014-12-20 09:45:46 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2014-12-20 09:45:46 +0000 |
commit | b6fd40f75cfc98df0df36cbcf51c0c5f70bb56bf (patch) | |
tree | e2779c174640e2c3c43de5d30d36761f5b30ed83 /net/ntp4 | |
parent | 88f1a63c69f40b8ec00d7d3c5c6bfc0c5805b90e (diff) | |
Update ntpd4 package to 4.2.8, here is a summary of security related fixes.
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
Focus: Security and Bug fixes, enhancements.
Severity: HIGH
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:
* Weak default key in config_auth().
References: [Sec 2665] / CVE-2014-9293 / VU#852879
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
Vulnerable Versions: all releases prior to 4.2.7p11
Date Resolved: 28 Jan 2010
Summary: If no 'auth' key is set in the configuration file, ntpd
would generate a random key on the fly. There were two
problems with this: 1) the generated key was 31 bits in size,
and 2) it used the (now weak) ntp_random() function, which was
seeded with a 32-bit value and could only provide 32 bits of
entropy. This was sufficient back in the late 1990s when the
code was written. Not today.
Mitigation: Upgrade to 4.2.7p11 or later.
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
of the Google Security Team.
* Non-cryptographic random number generator with weak seed used by
ntp-keygen to generate symmetric keys.
References: [Sec 2666] / CVE-2014-9294 / VU#852879
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
Vulnerable Versions: All NTP4 releases before 4.2.7p230
Date Resolved: Dev (4.2.7p230) 01 Nov 2011
Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
prepare a random number generator that was of good quality back
in the late 1990s. The random numbers produced were then used to
generate symmetric keys. In ntp-4.2.8 we use a current-technology
cryptographic random number generator, either RAND_bytes from
OpenSSL, or arc4random().
Mitigation: Upgrade to 4.2.7p230 or later.
Credit: This vulnerability was discovered in ntp-4.2.6 by
Stephen Roettger of the Google Security Team.
* Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
file contains a 'crypto pw ...' directive) a remote attacker
can send a carefully crafted packet that can overflow a stack
buffer and potentially allow malicious code to be executed
with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later, or
Disable Autokey Authentication by removing, or commenting out,
all configuration directives beginning with the crypto keyword
in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
the code path where an error was detected, which meant
processing did not stop when a specific rare error occurred.
We haven't found a way for this bug to affect system integrity.
If there is no way to affect system integrity the base CVSS
score for this bug is 0. If there is one avenue through which
system integrity can be partially affected, the base score
becomes a 5. If system integrity can be partially affected
via all three integrity metrics, the CVSS base score becomes 7.5.
Mitigation:
Upgrade to 4.2.8, or later,
or Remove or comment out all configuration directives
beginning with the crypto keyword in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
See http://support.ntp.org/security for more information.
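The weak-seed problem behind [Sec 2665] and [Sec 2666], as an added example that is not code from ntp or pkgsrc: a key filled from a generator seeded with 32 bits, beside one filled from the kernel CSPRNG. Assumptions: the LCG is a textbook stand-in for the old generator (not ntp_random()), the names `weak_key` and `strong_key` are hypothetical, and `/dev/urandom` is used in place of the RAND_bytes / arc4random() calls the release notes name so the block builds without extra libraries.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16  /* 128-bit symmetric key */

/* Stand-in generator (assumption): a textbook 32-bit LCG, not ntp_random().
 * It shares the property the release notes describe: all of its state
 * comes from a single 32-bit seed. */
static uint32_t lcg_state;

static uint32_t lcg_next(void)
{
    lcg_state = lcg_state * 1664525u + 1013904223u;
    return lcg_state;
}

/* Weak pattern: 16 bytes come out, but every byte is a function of `seed`,
 * so the key carries at most 32 bits of entropy whatever its length. */
void weak_key(uint32_t seed, unsigned char out[KEY_LEN])
{
    lcg_state = seed;
    for (int i = 0; i < KEY_LEN; i++)
        out[i] = (unsigned char)(lcg_next() >> 24);
}

/* Hardened pattern: take every key byte from the kernel CSPRNG.
 * Returns 0 on success, -1 if the full key could not be read. A caller
 * must treat -1 as fatal and never fall back to a seeded generator. */
int strong_key(unsigned char out[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

int main(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN], c[KEY_LEN], d[KEY_LEN];

    weak_key(20141218u, a);            /* constructed seed value */
    weak_key(20141218u, b);
    printf("same seed, same weak key: %s\n",
           memcmp(a, b, KEY_LEN) == 0 ? "yes" : "no");

    if (strong_key(c) != 0 || strong_key(d) != 0) {
        fprintf(stderr, "CSPRNG unavailable, refusing to generate a key\n");
        return 1;
    }
    printf("two CSPRNG keys differ: %s\n",
           memcmp(c, d, KEY_LEN) != 0 ? "yes" : "no");
    return 0;
}
```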
Diffstat (limited to 'net/ntp4')
-rw-r--r-- | net/ntp4/Makefile | 7 | ||||
-rw-r--r-- | net/ntp4/PLIST | 11 | ||||
-rw-r--r-- | net/ntp4/distinfo | 13 | ||||
-rw-r--r-- | net/ntp4/patches/patch-configure | 14 | ||||
-rw-r--r-- | net/ntp4/patches/patch-ntpd_ntp__io.c | 204 | ||||
-rw-r--r-- | net/ntp4/patches/patch-sntp_configure | 14 |
6 files changed, 238 insertions, 25 deletions
diff --git a/net/ntp4/Makefile b/net/ntp4/Makefile index 659df77f68a..87e2fdbf4ec 100644 --- a/net/ntp4/Makefile +++ b/net/ntp4/Makefile @@ -1,11 +1,10 @@ -# $NetBSD: Makefile,v 1.80 2014/10/09 14:06:45 wiz Exp $ +# $NetBSD: Makefile,v 1.81 2014/12/20 09:45:46 taca Exp $ # -DISTNAME= ntp-dev-4.2.7p410 +DISTNAME= ntp-4.2.8 PKGNAME= ${DISTNAME:S/-dev-/-/} -PKGREVISION= 2 CATEGORIES= net time -MASTER_SITES= http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ +MASTER_SITES= http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ MAINTAINER= pkgsrc-users@NetBSD.org HOMEPAGE= http://www.ntp.org/ diff --git a/net/ntp4/PLIST b/net/ntp4/PLIST index 4dd99124d41..0ee2160db9a 100644 --- a/net/ntp4/PLIST +++ b/net/ntp4/PLIST @@ -1,12 +1,15 @@ -@comment $NetBSD: PLIST,v 1.15 2014/03/11 14:05:09 jperkin Exp $ +@comment $NetBSD: PLIST,v 1.16 2014/12/20 09:45:46 taca Exp $ bin/sntp man/man1/sntp.1 man/man5/ntp.conf.5 man/man5/ntp.keys.5 +${PLIST.tickadj}man/man8/calc_tickadj.8 man/man8/ntp-keygen.8 +man/man8/ntp-wait.8 man/man8/ntpd.8 man/man8/ntpdc.8 man/man8/ntpq.8 +man/man8/ntptrace.8 ${PLIST.tickadj}sbin/calc_tickadj sbin/ntp-keygen sbin/ntp-wait @@ -68,6 +71,7 @@ share/doc/ntp4/drivers/driver42.html share/doc/ntp4/drivers/driver43.html share/doc/ntp4/drivers/driver44.html share/doc/ntp4/drivers/driver45.html +share/doc/ntp4/drivers/driver46.html share/doc/ntp4/drivers/driver5.html share/doc/ntp4/drivers/driver6.html share/doc/ntp4/drivers/driver7.html @@ -163,6 +167,7 @@ share/doc/ntp4/html/drivers/driver42.html share/doc/ntp4/html/drivers/driver43.html share/doc/ntp4/html/drivers/driver44.html share/doc/ntp4/html/drivers/driver45.html +share/doc/ntp4/html/drivers/driver46.html share/doc/ntp4/html/drivers/driver5.html share/doc/ntp4/html/drivers/driver6.html share/doc/ntp4/html/drivers/driver7.html 
@@ -303,8 +308,10 @@ share/doc/ntp4/html/pic/rabbit.gif share/doc/ntp4/html/pic/radio2.jpg share/doc/ntp4/html/pic/sheepb.jpg share/doc/ntp4/html/pic/stack1a.jpg +share/doc/ntp4/html/pic/stats.gif share/doc/ntp4/html/pic/sx5.gif share/doc/ntp4/html/pic/thunderbolt.jpg +share/doc/ntp4/html/pic/time1.gif share/doc/ntp4/html/pic/tonea.gif share/doc/ntp4/html/pic/tribeb.gif share/doc/ntp4/html/pic/wingdorothy.gif @@ -441,8 +448,10 @@ share/doc/ntp4/pic/rabbit.gif share/doc/ntp4/pic/radio2.jpg share/doc/ntp4/pic/sheepb.jpg share/doc/ntp4/pic/stack1a.jpg +share/doc/ntp4/pic/stats.gif share/doc/ntp4/pic/sx5.gif share/doc/ntp4/pic/thunderbolt.jpg +share/doc/ntp4/pic/time1.gif share/doc/ntp4/pic/tonea.gif share/doc/ntp4/pic/tribeb.gif share/doc/ntp4/pic/wingdorothy.gif diff --git a/net/ntp4/distinfo b/net/ntp4/distinfo index 9d98ee2120d..45b4e095e31 100644 --- a/net/ntp4/distinfo +++ b/net/ntp4/distinfo @@ -1,9 +1,10 @@ -$NetBSD: distinfo,v 1.18 2014/02/18 22:18:48 joerg Exp $ +$NetBSD: distinfo,v 1.19 2014/12/20 09:45:46 taca Exp $ -SHA1 (ntp-dev-4.2.7p410.tar.gz) = d93719047fdd9e67287edaabb1653735ffaf28f3 -RMD160 (ntp-dev-4.2.7p410.tar.gz) = 309f7c6ba088b9c4ac0b2bd018ea3918fb837d4f -Size (ntp-dev-4.2.7p410.tar.gz) = 6334536 bytes +SHA1 (ntp-4.2.8.tar.gz) = 6d1c017a8a0e97d5cf8bf4e5e38333973ffd22d5 +RMD160 (ntp-4.2.8.tar.gz) = d68edfca4dd65ccca8ccc40a90b0ec1110982dc3 +Size (ntp-4.2.8.tar.gz) = 6750364 bytes SHA1 (patch-aa) = b247569339d09a88f2e143e355033ce7635ffe92 -SHA1 (patch-configure) = a244467f886a8fedfa7a84864898fa6d84e0a6a3 -SHA1 (patch-sntp_configure) = c0c3d8bc9a23f3ef3ecfc369298df71f0da55943 +SHA1 (patch-configure) = 21466ffa5d0334957a1a93b2a99087e7edaaa4d5 +SHA1 (patch-ntpd_ntp__io.c) = 261e35988107de1c49d1723eb47de9c50a1642ae +SHA1 (patch-sntp_configure) = 38357046af0f0c1aeb8b57bb9c653e330d3feadd SHA1 (patch-sntp_loc_pkgsrc) = 6e46ffc0cc2afcfdc1d01297cbe04cb80d103575 
diff --git a/net/ntp4/patches/patch-configure b/net/ntp4/patches/patch-configure index b4482564506..6854caef32f 100644 --- a/net/ntp4/patches/patch-configure +++ b/net/ntp4/patches/patch-configure @@ -1,15 +1,15 @@ -$NetBSD: patch-configure,v 1.1 2014/02/18 22:18:48 joerg Exp $ +$NetBSD: patch-configure,v 1.2 2014/12/20 09:45:46 taca Exp $ ---- configure.orig 2014-02-18 19:22:37.000000000 +0000 +--- configure.orig 2014-12-19 12:42:27.000000000 +0000 +++ configure -@@ -26457,8 +26457,8 @@ done - # because thread cancellation fails to load libgcc_s with dlopen(). +@@ -26556,8 +26556,8 @@ done + # thread cancellation fails to load libgcc_s with dlopen(). # We have to pass this all as linker options to avoid argument # reordering by libtool. - case "$GCC$with_gnu_ld" in - yesyes) + case "$GCC,$with_gnu_ld,$host_os" in + yes,yes,linux) - PTHREAD_LIBS="$LTHREAD_LIBS -Wl,--no-as-needed,-lgcc_s,--as-needed" - ;; - esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for exit in -lgcc_s" >&5 + $as_echo_n "checking for exit in -lgcc_s... " >&6; } + if ${ac_cv_lib_gcc_s_exit+:} false; then : diff --git a/net/ntp4/patches/patch-ntpd_ntp__io.c b/net/ntp4/patches/patch-ntpd_ntp__io.c new file mode 100644 index 00000000000..ab9db009760 --- /dev/null +++ b/net/ntp4/patches/patch-ntpd_ntp__io.c 
@@ -0,0 +1,204 @@ +$NetBSD: patch-ntpd_ntp__io.c,v 1.1 2014/12/20 09:45:46 taca Exp $ + +Fix from NetBSD base. + +--- ntpd/ntp_io.c.orig 2014-12-19 11:56:55.000000000 +0000 ++++ ntpd/ntp_io.c +@@ -217,7 +217,7 @@ static isc_boolean_t socket_multicast_di + #ifdef DEBUG + static void interface_dump (const endpt *); + static void sockaddr_dump (const sockaddr_u *); +-static void print_interface (const endpt *, char *, char *); ++static void print_interface (const endpt *, const char *, const char *); + #define DPRINT_INTERFACE(level, args) do { if (debug >= (level)) { print_interface args; } } while (0) + #else + #define DPRINT_INTERFACE(level, args) do {} while (0) +@@ -550,7 +550,7 @@ sockaddr_dump(const sockaddr_u *psau) + * print_interface - helper to output debug information + */ + static void +-print_interface(const endpt *iface, char *pfx, char *sfx) ++print_interface(const endpt *iface, const char *pfx, const char *sfx) + { + printf("%sinterface #%d: fd=%d, bfd=%d, name=%s, flags=0x%x, ifindex=%u, sin=%s", + pfx, +@@ -1647,16 +1647,15 @@ set_wildcard_reuse( + + + static isc_boolean_t +-is_anycast( ++check_flags6( + sockaddr_u *psau, +- const char *name ++ const char *name, ++ u_int32 flags6 + ) + { +-#if defined(INCLUDE_IPV6_SUPPORT) && defined(SIOCGIFAFLAG_IN6) && \ +- defined(IN6_IFF_ANYCAST) ++#if defined(INCLUDE_IPV6_SUPPORT) && defined(SIOCGIFAFLAG_IN6) + struct in6_ifreq ifr6; + int fd; +- u_int32 flags6; + + if (psau->sa.sa_family != AF_INET6) + return ISC_FALSE; +@@ -1670,13 +1669,45 @@ is_anycast( + return ISC_FALSE; + } + close(fd); +- flags6 = ifr6.ifr_ifru.ifru_flags6; +- if ((flags6 & IN6_IFF_ANYCAST) != 0) ++ if ((ifr6.ifr_ifru.ifru_flags6 & flags6) != 0) + return ISC_TRUE; +-#endif /* INCLUDE_IPV6_SUPPORT && SIOCGIFAFLAG_IN6 && IN6_IFF_ANYCAST */ ++#endif /* INCLUDE_IPV6_SUPPORT && SIOCGIFAFLAG_IN6 */ + return ISC_FALSE; + } + ++static isc_boolean_t ++is_anycast( ++ sockaddr_u *psau, ++ const char *name ++ ) ++{ ++#ifdef IN6_IFF_ANYCAST ++ 
return check_flags6(psau, name, IN6_IFF_ANYCAST); ++#else ++ return ISC_FALSE; ++#endif ++} ++ ++static isc_boolean_t ++is_valid( ++ sockaddr_u *psau, ++ const char *name ++ ) ++{ ++ u_int32 flags6; ++ ++ flags6 = 0; ++#ifdef IN6_IFF_DEPARTED ++ flags6 |= IN6_IFF_DEPARTED; ++#endif ++#ifdef IN6_IFF_DETACHED ++ flags6 |= IN6_IFF_DETACHED; ++#endif ++#ifdef IN6_IFF_TENTATIVE ++ flags6 |= IN6_IFF_TENTATIVE; ++#endif ++ return check_flags6(psau, name, flags6) ? ISC_FALSE : ISC_TRUE; ++} + + /* + * update_interface strategy +@@ -1810,6 +1841,12 @@ update_interfaces( + continue; + + /* ++ * skip any address that is an invalid state to be used ++ */ ++ if (!is_valid(&enumep.sin, isc_if.name)) ++ continue; ++ ++ /* + * map to local *address* in order to map all duplicate + * interfaces to an endpt structure with the appropriate + * socket. Our name space is (ip-address), NOT +@@ -1969,6 +2006,9 @@ update_interfaces( + if (broadcast_client_enabled) + io_setbclient(); + ++ if (sys_bclient) ++ io_setbclient(); ++ + return new_interface_found; + } + +@@ -2795,7 +2835,6 @@ open_socket( + { + SOCKET fd; + int errval; +- char scopetext[16]; + /* + * int is OK for REUSEADR per + * http://www.kohala.com/start/mcast.api.txt +@@ -2945,16 +2984,10 @@ open_socket( + || debug > 1 + #endif + ) { +- if (SCOPE(addr)) +- snprintf(scopetext, sizeof(scopetext), +- "%%%d", SCOPE(addr)); +- else +- scopetext[0] = 0; +- + msyslog(LOG_ERR, +- "bind(%d) AF_INET%s %s%s#%d%s flags 0x%x failed: %m", ++ "bind(%d) AF_INET%s %s#%d%s flags 0x%x failed: %m", + fd, IS_IPV6(addr) ? "6" : "", +- stoa(addr), scopetext, SRCPORT(addr), ++ stoa(addr), SRCPORT(addr), + IS_MCAST(addr) ? " (multicast)" : "", + interf->flags); + } +@@ -3198,8 +3231,8 @@ read_refclock_packet( + } + + i = (rp->datalen == 0 +- || rp->datalen > sizeof(rb->recv_space)) +- ? sizeof(rb->recv_space) ++ || rp->datalen > (int)sizeof(rb->recv_space)) ++ ? 
(int)sizeof(rb->recv_space) + : rp->datalen; + do { + buflen = read(fd, (char *)&rb->recv_space, (u_int)i); +@@ -3321,8 +3354,8 @@ fetch_timestamp( + tvp->tv_usec = (long)(ticks * 1e6 * + sys_tick); + } +- DPRINTF(4, ("fetch_timestamp: system usec network time stamp: %ld.%06ld\n", +- tvp->tv_sec, tvp->tv_usec)); ++ DPRINTF(4, ("fetch_timestamp: system usec network time stamp: %jd.%06ld\n", ++ (intmax_t)tvp->tv_sec, (long)tvp->tv_usec)); + nts = tval_stamp_to_lfp(*tvp); + break; + #endif /* HAVE_TIMESTAMP */ +@@ -3454,15 +3487,15 @@ read_network_packet( + if (AF_INET6 == itf->family) { + DPRINTF(1, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n", + stoa(&rb->recv_srcadr), +- IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr), ++ IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR6(&rb->recv_srcadr)), + stoa(&itf->sin), +- !IN6_IS_ADDR_LOOPBACK(&itf->sin) ++ !IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR6(&itf->sin)) + )); + } + + if ( AF_INET6 == itf->family +- && IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr) +- && !IN6_IS_ADDR_LOOPBACK(&itf->sin) ++ && IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR6(&rb->recv_srcadr)) ++ && !IN6_IS_ADDR_LOOPBACK(&SOCK_ADDR6(&itf->sin)) + ) { + packets_dropped++; + DPRINTF(1, ("DROPPING that packet\n")); +@@ -4040,7 +4073,7 @@ calc_addr_distance( + + found_greater = FALSE; + a1_greater = FALSE; /* suppress pot. uninit. warning */ +- for (i = 0; i < sizeof(NSRCADR6(a1)); i++) { ++ for (i = 0; i < (int)sizeof(NSRCADR6(a1)); i++) { + if (!found_greater && + NSRCADR6(a1)[i] != NSRCADR6(a2)[i]) { + found_greater = TRUE; +@@ -4083,7 +4116,7 @@ cmp_addr_distance( + return 1; + } + +- for (i = 0; i < sizeof(NSRCADR6(d1)); i++) { ++ for (i = 0; i < (int)sizeof(NSRCADR6(d1)); i++) { + if (NSRCADR6(d1)[i] < NSRCADR6(d2)[i]) + return -1; + else if (NSRCADR6(d1)[i] > NSRCADR6(d2)[i]) diff --git a/net/ntp4/patches/patch-sntp_configure b/net/ntp4/patches/patch-sntp_configure index 01ff3df41f3..c067f2e28a3 100644 --- a/net/ntp4/patches/patch-sntp_configure +++ b/net/ntp4/patches/patch-sntp_configure 
@@ -1,15 +1,15 @@ -$NetBSD: patch-sntp_configure,v 1.1 2014/02/18 22:18:48 joerg Exp $ +$NetBSD: patch-sntp_configure,v 1.2 2014/12/20 09:45:46 taca Exp $ ---- sntp/configure.orig 2014-02-18 19:31:21.000000000 +0000 +--- sntp/configure.orig 2014-12-19 12:40:10.000000000 +0000 +++ sntp/configure -@@ -14368,8 +14368,8 @@ done - # because thread cancellation fails to load libgcc_s with dlopen(). +@@ -14394,8 +14394,8 @@ done + # thread cancellation fails to load libgcc_s with dlopen(). # We have to pass this all as linker options to avoid argument # reordering by libtool. - case "$GCC$with_gnu_ld" in - yesyes) + case "$GCC,$with_gnu_ld,$host_os" in + yes,yes,linux) - PTHREAD_LIBS="$LTHREAD_LIBS -Wl,--no-as-needed,-lgcc_s,--as-needed" - ;; - esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for exit in -lgcc_s" >&5 + $as_echo_n "checking for exit in -lgcc_s... " >&6; } + if ${ac_cv_lib_gcc_s_exit+:} false; then : |
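Review bot: in the net/ntp4/Makefile hunk, PKGNAME= ${DISTNAME:S/-dev-/-/} is now a no-op, because the new DISTNAME= ntp-4.2.8 no longer contains "-dev-". Suggest dropping the PKGNAME line, or leaving a comment that it is kept on purpose for a later return to ntp-dev snapshots.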
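Review bot: the new ntp-4.2.8.tar.gz entries in net/ntp4/distinfo carry only SHA1 and RMD160 digests, and the Makefile hunk fetches the tarball from an http:// MASTER_SITES URL, so those two digests are the only integrity check on a security release. Suggest recording a stronger digest (for example SHA512) for the distfile alongside them, if the digest tooling in use supports it.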
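Review bot: the case pattern yes,yes,linux) kept in patch-configure (and again in patch-sntp_configure) matches only when $host_os is exactly "linux", while configure normally reports values such as "linux-gnu". As written the -lgcc_s branch is skipped on every such host. If that is the intent, a one-line comment in the patch header would say so; if the branch is meant to stay active on Linux, the pattern needs a glob, yes,yes,linux*).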
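Review bot: is_valid() in the check_flags6() hunk of patch-ntpd_ntp__io.c fails open. check_flags6() returns ISC_FALSE both when none of the requested flags is set and on the early return ISC_FALSE just before close(fd), and is_valid() inverts that result, so an address whose flags could not be read is treated as usable. Suggest letting check_flags6() report the failure separately so that is_valid() can decide explicitly. Also, when none of IN6_IFF_DEPARTED, IN6_IFF_DETACHED and IN6_IFF_TENTATIVE is defined, flags6 stays 0 and the socket and ioctl round trip is done for nothing; is_valid() could return ISC_TRUE before calling check_flags6() in that case.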
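Review bot: in the update_interfaces() hunk at the end of the function, the added "if (sys_bclient) io_setbclient();" sits directly after the existing "if (broadcast_client_enabled) io_setbclient();", so io_setbclient() runs twice when both are set. Unless the second call is known to be harmless, suggest a single call under "if (broadcast_client_enabled || sys_bclient)", and a short comment on why sys_bclient needs to be checked here.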
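Review bot: in the read_refclock_packet() hunk, casting sizeof(rb->recv_space) to int turns the upper-bound test into a signed comparison. If rp->datalen is a signed type, as the cast implies, a negative value no longer triggers the clamp and reaches read() as (u_int)i, which is a very large length for a buffer of sizeof(rb->recv_space) bytes. With the old unsigned comparison a negative datalen converted to a huge size_t and was clamped. Suggest changing the first test from rp->datalen == 0 to rp->datalen <= 0 so that the clamp covers negative values as well.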