Bug 40024

Summary: ntp: Multiple issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Daniel Tröder <troeder>
Severity: normal
Priority: P2
CC: gohmann
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-0-errata
Hardware: Other
OS: Linux
URL: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on:
Bug Blocks: 39628

Description Arvid Requate univentionstaff 2015-11-18 18:38:23 CET
Debian package version 1:4.2.6.p5+dfsg-2+deb7u6 fixes these issues:

* when Autokey Authentication is enabled, ntp_crypto.c allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a crafted packet (CVE-2014-9750)

* The read_network_packet function in ntp_io.c does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address (CVE-2014-9751)

* ntp-keygen may generate non-random symmetric keys on big-endian systems (CVE-2015-3405)

* ntpd control message crash: Crafted NUL-byte in configuration directive (CVE-2015-5146)

* crash with crafted logconfig configuration command (CVE-2015-5194)

* ntpd crash when processing config commands with statistics type (CVE-2015-5195)

* infinite loop in sntp processing crafted packet (CVE-2015-5219)

* MITM attacker can force ntpd to make a step larger than the panic threshold (CVE-2015-5300)

* Incomplete autokey data packet length checks (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)

* Clients that receive a KoD should validate the origin timestamp field (CVE-2015-7704, CVE-2015-7705)

* configuration directives "pidfile" and "driftfile" should only be allowed locally (CVE-2015-7703)

* Slow memory leak in CRYPTO_ASSOC (CVE-2015-7701)

* remote config logfile-keyfile (CVE-2015-7850)

* saveconfig Directory Traversal Vulnerability (CVE-2015-7851)

* ntpq atoascii() Memory Corruption Vulnerability (CVE-2015-7852)

* decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (CVE-2015-7855)

* NAK to the Future: Symmetric association authentication bypass via crypto-NAK (CVE-2015-7871)

+++ This bug was initially created as a clone of Bug #39628 +++
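The KoD item above (CVE-2015-7704, CVE-2015-7705) says a client should only honour a Kiss-o'-Death packet whose origin timestamp echoes the transmit timestamp of a request the client actually sent. The following is an added illustration of that check, not code from this bug report, from ntpd, or from the UCS package: it packs and parses the 48-byte NTPv4 header with `struct`, and `accept_reply()` rejects a reply (KoD or otherwise) whose origin field does not match the remembered transmit timestamp. All packets and timestamp values are constructed inline; no sockets are used, and the per-association bookkeeping of a real client is reduced to a single remembered value.

```python
import struct

NTP_HEADER_LEN = 48
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, refid,
# then reference, origin, receive and transmit timestamps (64-bit each).
NTP_FORMAT = "!BBBbII4sQQQQ"
MODE_CLIENT, MODE_SERVER = 3, 4
KOD_RATE = b"RATE"  # refid of a rate-limiting Kiss-o'-Death packet (stratum 0)


def build_ntp_request(transmit_ts):
    """Client request; the transmit timestamp is what a genuine reply must echo back."""
    flags = (4 << 3) | MODE_CLIENT  # version 4, mode 3
    return struct.pack(NTP_FORMAT, flags, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, transmit_ts)


def build_ntp_reply(origin_ts, stratum=2, refid=b"GPS\0", transmit_ts=0xD8F3000200000000):
    """Server reply (a KoD when stratum == 0); origin_ts is what the server claims we sent."""
    flags = (4 << 3) | MODE_SERVER  # version 4, mode 4
    return struct.pack(NTP_FORMAT, flags, stratum, 6, -20, 0, 0, refid,
                       transmit_ts, origin_ts, transmit_ts, transmit_ts)


def parse_ntp_packet(data):
    """Decode the fixed header; anything shorter than 48 bytes is rejected outright."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FORMAT, data[:NTP_HEADER_LEN])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "refid": f[6], "origin_ts": f[8], "transmit_ts": f[10]}


def accept_reply(reply, expected_origin):
    """Return (accepted, reason). A KoD is only honoured when its origin matches our request."""
    try:
        pkt = parse_ntp_packet(reply)
    except (ValueError, struct.error) as exc:
        return False, "malformed: %s" % exc
    if pkt["mode"] != MODE_SERVER:
        return False, "not a server reply"
    if pkt["origin_ts"] != expected_origin:
        # Unsolicited or forged: an attacker who cannot see our request cannot know this value.
        return False, "origin timestamp mismatch: unsolicited or spoofed"
    if pkt["stratum"] == 0 and pkt["refid"] == KOD_RATE:
        return True, "genuine KoD RATE: back off polling"
    return True, "genuine reply"


def demo():
    # Constructed scenario: the client remembers the transmit timestamp it last sent.
    sent = 0xD8F300011234ABCD
    request = build_ntp_request(sent)
    assert parse_ntp_packet(request)["transmit_ts"] == sent
    spoofed_kod = build_ntp_reply(origin_ts=0, stratum=0, refid=KOD_RATE)
    genuine_kod = build_ntp_reply(origin_ts=sent, stratum=0, refid=KOD_RATE)
    return {
        "spoofed": accept_reply(spoofed_kod, sent),
        "genuine": accept_reply(genuine_kod, sent),
        "truncated": accept_reply(genuine_kod[:20], sent),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-9s accepted=%s  %s" % (name, ok, why))
```

The check only helps if the transmit timestamp is hard to guess, so a client using this pattern should fill the low-order bits of the transmit timestamp with random data rather than a predictable clock reading; the fixed value in `demo()` is a placeholder for that.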
Comment 1 Janek Walkenhorst univentionstaff 2015-11-25 19:45:21 CET
Tests (i386): OK
Advisory: ntp.yaml r65914
Comment 2 Daniel Tröder univentionstaff 2015-12-03 11:33:52 CET
OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y ntp
OK: Tests:
 # ntptrace 192.168.0.3
 # ntptime
 # ntpd -nNaq
FAIL: advisory: wrong version number in YAML
FAIL: build: patch and build failed on amd64
Comment 3 Janek Walkenhorst univentionstaff 2015-12-03 19:22:20 CET
(In reply to Daniel Tröder from comment #2)
> FAIL: advisory: wrong version number in YAML
r66102
> FAIL: build: patch and build failed on amd64
rebuilt
Comment 4 Janek Walkenhorst univentionstaff 2015-12-09 16:43:20 CET
<http://errata.software-univention.de/ucs/4.1/15.html>