Bug 39628 - ntp: Multiple issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
Importance: P2 normal
Target Milestone: UCS 4.0-4-errata
Assigned To: Janek Walkenhorst
Daniel Tröder
http://support.ntp.org/bin/view/Main/...
Depends on: 40024
Blocks: 39783
Reported: 2015-10-24 11:03 CEST by Arvid Requate
Modified: 2015-12-09 13:26 CET (History)
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2015-10-24 11:03:40 CEST
A new upstream release fixes a couple of issues; the jury is still out on which issues also affect 4.2.6 in wheezy, but I expect most of them affect UCS 4.0 too:

===========================================================================
ntp (1:4.2.8p4+dfsg-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2015-7850 CVE-2015-7704 CVE-2015-7701 CVE-2015-5196
      CVE-2015-7848 CVE-2015-7849 CVE-2015-7854 CVE-2015-7852 CVE-2015-7853
      CVE-2015-7851 CVE-2015-7705 CVE-2015-7855 CVE-2015-7871
===========================================================================

* Incomplete autokey data packet length checks (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)

* Clients that receive a KoD should validate the origin timestamp field (CVE-2015-7704, CVE-2015-7705)

* configuration directives "pidfile" and "driftfile" should only be allowed locally (CVE-2015-7703)

* Slow memory leak in CRYPTO_ASSOC (CVE-2015-7701)

* CVE-2015-7848 mode 7 loop counter underrun

* trusted key use-after-free (CVE-2015-7849)

* remote config logfile-keyfile (CVE-2015-7850)

* saveconfig Directory Traversal Vulnerability (CVE-2015-7851)

* ntpq atoascii() Memory Corruption Vulnerability (CVE-2015-7852)

* Invalid length data provided by a custom refclock driver could cause a buffer overflow (CVE-2015-7853)

* Password Length Memory Corruption Vulnerability (CVE-2015-7854)

* decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (CVE-2015-7855)

* NAK to the Future: Symmetric association authentication bypass via crypto-NAK (CVE-2015-7871)


And then the Debian tracker also lists this one:

* MITM attacker can force ntpd to make a step larger than the panic threshold (CVE-2015-5300)

CVE-2015-5196 mentioned in the changelog looks like a typo currently.
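The origin-timestamp check behind the KoD entry above (CVE-2015-7704, CVE-2015-7705), as an added illustration that is not code from ntpd or from this bug report: a client remembers the transmit timestamp of its outstanding request and drops any reply, KoD or otherwise, whose origin field does not echo it. The header layout follows RFC 5905; the timestamps and the `classify_reply` helper are constructed for this example.

```python
import struct

# Wire layout of a 48-byte NTPv4 header (RFC 5905): LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then four 64-bit
# timestamps (reference, origin, receive, transmit).
NTP_HEADER = struct.Struct("!BBBbII4s8s8s8s8s")
ZERO_TS = b"\x00" * 8

def build_packet(mode, stratum, refid, origin, transmit):
    """Pack a minimal NTPv4 header with LI=0, VN=4 and the given mode."""
    li_vn_mode = (4 << 3) | mode
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20, 0, 0, refid,
                           ZERO_TS, origin, ZERO_TS, transmit)

def parse_packet(pkt):
    """Unpack the fields the check needs; raise ValueError on short packets."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    f = NTP_HEADER.unpack_from(pkt)
    return {"mode": f[0] & 0x07, "stratum": f[1], "refid": f[6],
            "origin": f[8], "transmit": f[10]}

def classify_reply(reply, outstanding_transmit):
    """Decide what a client does with an incoming packet (hypothetical helper).

    outstanding_transmit is the transmit timestamp of the request the client
    sent and is still waiting on (None if nothing is outstanding).
    Returns 'kod', 'response' or 'dropped'.
    """
    try:
        p = parse_packet(reply)
    except ValueError:
        return "dropped"
    if p["mode"] != 4:                     # only server-mode replies are expected
        return "dropped"
    # Origin check: the reply must echo the transmit timestamp of our own request.
    # Without it, an unsolicited or spoofed packet (including a spoofed KoD that
    # tells the client to back off) would be accepted blindly.
    if outstanding_transmit is None or p["origin"] != outstanding_transmit:
        return "dropped"
    if p["stratum"] == 0 and p["refid"] == b"RATE":   # kiss-o'-death code
        return "kod"
    return "response"

# Constructed sample exchange: one client request and two replies to it.
CLIENT_XMT = bytes.fromhex("dbe1a4c0a1b2c3d4")        # nonce-like transmit timestamp
SERVER_XMT = bytes.fromhex("dbe1a4c1aabbccdd")
REQUEST = build_packet(3, 0, b"\x00" * 4, ZERO_TS, CLIENT_XMT)
GENUINE_KOD = build_packet(4, 0, b"RATE", CLIENT_XMT, SERVER_XMT)   # echoes our origin
SPOOFED_KOD = build_packet(4, 0, b"RATE", ZERO_TS, SERVER_XMT)      # origin does not match
```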
Comment 1 Arvid Requate univentionstaff 2015-11-04 20:47:10 CET
UCS 4.0 is not affected by these:

* CVE-2015-7848 CVE-2015-7849 CVE-2015-7854 (Vulnerable code introduced in 4.2.7)
* CVE-2015-7853 (Vulnerable code introduced in 4.2.8)

Applicability of CVE-2015-7705 is still a bit unclear to me, see https://lists.debian.org/debian-lts/2015/10/msg00028.html, the tracker currently says "Default config not affected". So let's postpone that.


So upstream Debian package version 1:4.2.6.p5+dfsg-2+deb7u6 fixes these issues:

CVE ID         : CVE-2014-9750 CVE-2014-9751 CVE-2015-3405 CVE-2015-5146
                 CVE-2015-5194 CVE-2015-5195 CVE-2015-5219 CVE-2015-5300
                 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702
                 CVE-2015-7703 CVE-2015-7704 CVE-2015-7850 CVE-2015-7852
                 CVE-2015-7855 CVE-2015-7871
Comment 2 Arvid Requate univentionstaff 2015-11-04 21:03:28 CET
Descriptions for the additional minor issues fixed in the DSA:

* when Autokey Authentication is enabled, ntp_crypto.c allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a crafted packet (CVE-2014-9750)

* The read_network_packet function in ntp_io.c does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address (CVE-2014-9751)

* ntp-keygen may generate non-random symmetric keys on big-endian systems (CVE-2015-3405)

* ntpd control message crash: Crafted NUL-byte in configuration directive (CVE-2015-5146)

* crash with crafted logconfig configuration command (CVE-2015-5194)

* ntpd crash when processing config commands with statistics type (CVE-2015-5195)

* infinite loop in sntp processing crafted packet (CVE-2015-5219)
Comment 3 Janek Walkenhorst univentionstaff 2015-11-25 19:35:41 CET
Tests (i386): OK
Advisory: ntp.yaml r65913
Comment 4 Daniel Tröder univentionstaff 2015-12-09 11:39:47 CET
OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y ntp
OK: Tests:
 # ntptrace 192.168.0.3
 # ntptime
 # ntpdate -u 127.0.0.1
Comment 5 Janek Walkenhorst univentionstaff 2015-12-09 13:26:49 CET
<http://errata.software-univention.de/ucs/4.0/372.html>