From c054b85192ea340529fc9a659cac7ea6b893b50e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sat, 20 Dec 2014 00:39:43 +0000
Subject: [PATCH] debrand ntp-4.2.6p5-19.el7_0

---
 SOURCES/ntp-4.2.6p5-cve-2014-9295.patch |  110 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 110 insertions(+), 0 deletions(-)

diff --git a/SOURCES/ntp-4.2.6p5-cve-2014-9295.patch b/SOURCES/ntp-4.2.6p5-cve-2014-9295.patch
new file mode 100644
index 0000000..97fcc3a
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,110 @@
+2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+
+--- 1.168/ntpd/ntp_crypto.c	2014-11-15 04:41:02 +00:00
++++ 1.169/ntpd/ntp_crypto.c	2014-12-12 11:06:03 +00:00
+@@ -820,15 +820,24 @@ crypto_recv(
+ 			 * errors.
+ 			 */
+ 			if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++				u_int32 *cookiebuf = malloc(
++				    RSA_size(host_pkey->pkey.rsa));
++				if (!cookiebuf) {
++					rval = XEVNT_CKY;
++					break;
++				}
++
+ 				if (RSA_private_decrypt(vallen,
+ 				    (u_char *)ep->pkt,
+-				    (u_char *)&temp32,
++				    (u_char *)cookiebuf,
+ 				    host_pkey->pkey.rsa,
+-				    RSA_PKCS1_OAEP_PADDING) <= 0) {
++				    RSA_PKCS1_OAEP_PADDING) != 4) {
+ 					rval = XEVNT_CKY;
++					free(cookiebuf);
+ 					break;
+ 				} else {
+-					cookie = ntohl(temp32);
++					cookie = ntohl(*cookiebuf);
++					free(cookiebuf);
+ 				}
+ 			} else {
+ 				rval = XEVNT_CKY;
+
+2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+
+--- 1.190/ntpd/ntp_control.c	2014-11-15 04:41:02 +00:00
++++ 1.191/ntpd/ntp_control.c	2014-12-12 11:13:40 +00:00
+@@ -801,6 +801,10 @@ static	char *reqend;
+ static	char *reqpt;
+ static	char *reqend;
+ 
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+  * init_control - initialize request data
+  */
+@@ -1316,6 +1320,7 @@ ctl_putdata(
+ 	)
+ {
+ 	int overhead;
++	unsigned int currentlen;
+ 
+ 	overhead = 0;
+ 	if (!bin) {
+@@ -1338,12 +1343,22 @@ ctl_putdata(
+ 	/*
+ 	 * Save room for trailing junk
+ 	 */
+-	if (dlen + overhead + datapt > dataend) {
++	while (dlen + overhead + datapt > dataend) {
+ 		/*
+ 		 * Not enough room in this one, flush it out.
+ 		 */
++		currentlen = MIN(dlen, dataend - datapt);
++
++		memcpy(datapt, dp, currentlen);
++
++		datapt += currentlen;
++		dp += currentlen;
++		dlen -= currentlen;
++		datalinelen += currentlen;
++
+ 		ctl_flushpkt(CTL_MORE);
+ 	}
++
+	memmove((char *)datapt, dp, (unsigned)dlen);
+ 	datapt += dlen;
+ 	datalinelen += dlen;
+
+2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+
+--- 1.191/ntpd/ntp_control.c	2014-12-12 11:13:40 +00:00
++++ 1.192/ntpd/ntp_control.c	2014-12-12 11:19:37 +00:00
+@@ -3290,6 +3290,20 @@ static void configure(
+ 
+ 	/* Initialize the remote config buffer */
+ 	data_count = reqend - reqpt;
++
++	if (data_count > sizeof(remote_config.buffer) - 2) {
++		snprintf(remote_config.err_msg,
++			 sizeof(remote_config.err_msg),
++			 "runtime configuration failed: request too long");
++		ctl_putdata(remote_config.err_msg,
++			    strlen(remote_config.err_msg), 0);
++		ctl_flushpkt(0);
++		msyslog(LOG_NOTICE,
++			"runtime config from %s rejected: request too long",
++			stoa(&rbufp->recv_srcadr));
++		return;
++	}
++
+ 	memcpy(remote_config.buffer, reqpt, data_count);
+ 	if (data_count > 0
+ 	    && '\n' != remote_config.buffer[data_count - 1])
+
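Review bot: In the ctl_putdata() loop of the embedded ntp_control.c patch, `currentlen = MIN(dlen, dataend - datapt);` compares a length with a signed pointer difference and stores the result in an `unsigned int`. The loop condition `dlen + overhead + datapt > dataend` is also true when `datapt` is already past `dataend`; the difference is then negative, and `memcpy(datapt, dp, currentlen)` receives either a wrapped value or the full `dlen`, depending on the type of `dlen`, which is declared outside the hunk. Whether `datapt` can pass `dataend` depends on the part of ctl_putdata() before this check, which is also outside the hunk, so it should be confirmed there. A guard such as `if (datapt >= dataend) currentlen = 0; else currentlen = MIN(dlen, (unsigned int)(dataend - datapt));` would keep the copy bounded in either case.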

--
Gitblit v1.8.0