Blame SOURCES/ntp-4.2.6p5-cve-2014-9295.patch

2b78f7
2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
2b78f7
  [Sec 2667] buffer overflow in crypto_recv()
2b78f7
2b78f7
--- 1.168/ntpd/ntp_crypto.c	2014-11-15 04:41:02 +00:00
2b78f7
+++ 1.169/ntpd/ntp_crypto.c	2014-12-12 11:06:03 +00:00
2b78f7
@@ -820,15 +820,24 @@ crypto_recv(
2b78f7
 			 * errors.
2b78f7
 			 */
2b78f7
 			if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
2b78f7
+				u_int32 *cookiebuf = malloc(
2b78f7
+				    RSA_size(host_pkey->pkey.rsa));
2b78f7
+				if (!cookiebuf) {
2b78f7
+					rval = XEVNT_CKY;
2b78f7
+					break;
2b78f7
+				}
2b78f7
+
2b78f7
 				if (RSA_private_decrypt(vallen,
2b78f7
 				    (u_char *)ep->pkt,
2b78f7
-				    (u_char *)&temp32,
2b78f7
+				    (u_char *)cookiebuf,
2b78f7
 				    host_pkey->pkey.rsa,
2b78f7
-				    RSA_PKCS1_OAEP_PADDING) <= 0) {
2b78f7
+				    RSA_PKCS1_OAEP_PADDING) != 4) {
2b78f7
 					rval = XEVNT_CKY;
2b78f7
+					free(cookiebuf);
2b78f7
 					break;
2b78f7
 				} else {
2b78f7
-					cookie = ntohl(temp32);
2b78f7
+					cookie = ntohl(*cookiebuf);
2b78f7
+					free(cookiebuf);
2b78f7
 				}
2b78f7
 			} else {
2b78f7
 				rval = XEVNT_CKY;
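Review bot: The literal `4` in the new check `RSA_PKCS1_OAEP_PADDING) != 4` is the size of the value that `ntohl(*cookiebuf)` reads afterwards, but nothing in the code ties the two together. Writing it as `!= (int)sizeof(*cookiebuf)` keeps the length check and the read in step, and a short comment such as `/* plaintext must be exactly one 32-bit cookie */` would explain why a successful decrypt of any other length is rejected. On the success path the buffer still holds the decrypted cookie when `free(cookiebuf)` runs, so clearing it first would keep that value out of recycled heap memory. The body of `crypto_recv()` extends beyond this hunk on both sides, so the surrounding `break` targets were not checked.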
2b78f7
2b78f7
2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
2b78f7
  [Sec 2668] buffer overflow in ctl_putdata()
2b78f7
2b78f7
--- 1.190/ntpd/ntp_control.c	2014-11-15 04:41:02 +00:00
2b78f7
+++ 1.191/ntpd/ntp_control.c	2014-12-12 11:13:40 +00:00
2b78f7
@@ -801,6 +801,10 @@ static	char *reqend;
2b78f7
 static	char *reqpt;
2b78f7
 static	char *reqend;
2b78f7
 
2b78f7
+#ifndef MIN
2b78f7
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
2b78f7
+#endif
2b78f7
+
2b78f7
 /*
2b78f7
  * init_control - initialize request data
2b78f7
  */
2b78f7
@@ -1316,6 +1320,7 @@ ctl_putdata(
2b78f7
 	)
2b78f7
 {
2b78f7
 	int overhead;
2b78f7
+	unsigned int currentlen;
2b78f7
 
2b78f7
 	overhead = 0;
2b78f7
 	if (!bin) {
2b78f7
@@ -1338,12 +1343,22 @@ ctl_putdata(
2b78f7
 	/*
2b78f7
 	 * Save room for trailing junk
2b78f7
 	 */
2b78f7
-	if (dlen + overhead + datapt > dataend) {
2b78f7
+	while (dlen + overhead + datapt > dataend) {
2b78f7
 		/*
2b78f7
 		 * Not enough room in this one, flush it out.
2b78f7
 		 */
2b78f7
+		currentlen = MIN(dlen, dataend - datapt);
2b78f7
+
2b78f7
+		memcpy(datapt, dp, currentlen);
2b78f7
+
2b78f7
+		datapt += currentlen;
2b78f7
+		dp += currentlen;
2b78f7
+		dlen -= currentlen;
2b78f7
+		datalinelen += currentlen;
2b78f7
+
2b78f7
 		ctl_flushpkt(CTL_MORE);
2b78f7
 	}
2b78f7
+
2b78f7
	memmove((char *)datapt, dp, (unsigned)dlen);
2b78f7
 	datapt += dlen;
2b78f7
 	datalinelen += dlen;
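Review bot: The loop condition `dlen + overhead + datapt > dataend` still forms a pointer past the end of the response buffer before comparing, which is undefined behaviour for a large `dlen`. Comparing lengths instead, `while (dlen + overhead > dataend - datapt) {`, avoids that. `MIN(dlen, dataend - datapt)` also mixes `dlen` (declared outside the hunk) with a signed pointer difference and stores the result in `unsigned int currentlen`. If `datapt` could ever be past `dataend` on entry, the `memcpy` length would wrap to a very large value, so an explicit check that `datapt <= dataend` before the loop would make that assumption visible. Termination also depends on `ctl_flushpkt(CTL_MORE)` freeing more than `overhead` bytes, which cannot be seen here and deserves a comment on the loop.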
2b78f7
2b78f7
2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
2b78f7
  [Sec 2669] buffer overflow in configure()
2b78f7
2b78f7
--- 1.191/ntpd/ntp_control.c	2014-12-12 11:13:40 +00:00
2b78f7
+++ 1.192/ntpd/ntp_control.c	2014-12-12 11:19:37 +00:00
2b78f7
@@ -3290,6 +3290,20 @@ static void configure(
2b78f7
 
2b78f7
 	/* Initialize the remote config buffer */
2b78f7
 	data_count = reqend - reqpt;
2b78f7
+
2b78f7
+	if (data_count > sizeof(remote_config.buffer) - 2) {
2b78f7
+		snprintf(remote_config.err_msg,
2b78f7
+			 sizeof(remote_config.err_msg),
2b78f7
+			 "runtime configuration failed: request too long");
2b78f7
+		ctl_putdata(remote_config.err_msg,
2b78f7
+			    strlen(remote_config.err_msg), 0);
2b78f7
+		ctl_flushpkt(0);
2b78f7
+		msyslog(LOG_NOTICE,
2b78f7
+			"runtime config from %s rejected: request too long",
2b78f7
+			stoa(&rbufp->recv_srcadr));
2b78f7
+		return;
2b78f7
+	}
2b78f7
+
2b78f7
 	memcpy(remote_config.buffer, reqpt, data_count);
2b78f7
 	if (data_count > 0
2b78f7
 	    && '\n' != remote_config.buffer[data_count - 1])
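Review bot: The bound `sizeof(remote_config.buffer) - 2` in the new length check is unexplained, and the later `memcpy` is only safe if that `2` keeps matching what the code below appends. The context lines suggest one byte is for the `'\n'` added when the request lacks one, and the other is presumably the terminating NUL. A comment above the check, for example `/* reserve room for the appended '\n' and the terminating NUL */`, would record that. The type of `data_count` is declared outside the hunk; if it is signed, the comparison with `sizeof` relies on a negative `reqend - reqpt` converting to a large unsigned value and being rejected, which is worth stating in the same comment. The rest of `configure()` lies outside this hunk.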
2b78f7