From 72fc977c41bbfc63caf1cd22bd262ebdb6a271c6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 31 2016 05:05:22 +0000 Subject: import ntp-4.2.6p5-22.el7_2.2 --- diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7979.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7979.patch new file mode 100644 index 0000000..ac9c006 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7979.patch @@ -0,0 +1,23 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7979 ntp-4.2.6p5/ntpd/ntp_proto.c +--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7979 2016-01-21 14:20:45.760431895 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-01-21 14:46:13.027106826 +0100 +@@ -1127,7 +1127,8 @@ receive( + report_event(PEVNT_AUTH, peer, "crypto_NAK"); + peer->flash |= TEST5; /* bad auth */ + peer->badauth++; +- if (peer->flags & FLAG_PREEMPT) { ++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST && ++ !(peer->flash & (TEST2 | TEST3))) { + unpeer(peer); + return; + } +@@ -1153,7 +1154,8 @@ receive( + if (has_mac && + (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)) + fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask); +- if (peer->flags & FLAG_PREEMPT) { ++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST && ++ !(peer->flash & (TEST2 | TEST3))) { + unpeer(peer); + return; + } diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-1548.patch b/SOURCES/ntp-4.2.6p5-cve-2016-1548.patch new file mode 100644 index 0000000..f273c99 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2016-1548.patch 
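Review bot: The new guard `peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST && !(peer->flash & (TEST2 | TEST3))` is repeated verbatim at both the crypto_NAK (line 1127) and bad-digest (line 1153) sites and mixes `&` into an `&&` chain without parentheses, so I would give it one name, `#define PREEMPT_UNPEER_OK(p, m) (((p)->flags & FLAG_PREEMPT) && (m) != MODE_BROADCAST && !((p)->flash & (TEST2 | TEST3)))`, and write `if (PREEMPT_UNPEER_OK(peer, hismode)) {` at both sites so the two copies cannot drift apart. The check also assumes TEST2/TEST3 were already set by the origin/bogus checks that run earlier in receive(), which this hunk does not show; a one-line comment at the first site, `/* demobilize only on a NAK that also passed the origin checks (CVE-2015-7979) */`, would record that ordering dependency for the next maintainer. receive() starts and ends outside the hunk.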
@@ -0,0 +1,63 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-1548 ntp-4.2.6p5/ntpd/ntp_proto.c +--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-1548 2016-04-28 08:37:42.513561354 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-04-28 09:30:59.450347729 +0200 +@@ -306,6 +306,7 @@ receive( + int authlen; /* offset of MAC field */ + int is_authentic = 0; /* cryptosum ok */ + int retcode = AM_NOMATCH; /* match code */ ++ int xleave_mismatch = 0; /* mismatch in xleave mode */ + keyid_t skeyid = 0; /* key IDs */ + u_int32 opcode = 0; /* extension field opcode */ + sockaddr_u *dstadr_sin; /* active runway */ +@@ -1067,9 +1068,8 @@ receive( + } + + /* +- * Check for bogus packet in basic mode. If found, switch to +- * interleaved mode and resynchronize, but only after confirming +- * the packet is not bogus in symmetric interleaved mode. ++ * Check for bogus packet in basic mode. If found, check if it's not ++ * a valid packet in symmetric interleaved mode. + */ + } else if (peer->flip == 0) { + if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) { +@@ -1077,8 +1077,7 @@ receive( + peer->flash |= TEST2; /* bogus */ + if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org, + &peer->dst)) { +- peer->flip = 1; +- report_event(PEVNT_XLEAVE, peer, NULL); ++ xleave_mismatch = 1; + } + } else { + L_CLR(&peer->aorg); +@@ -1152,6 +1151,16 @@ receive( + } + + /* ++ * If the packet is bogus in basic mode but not in symmetric ++ * interleaved mode and it passed the authentication check, ++ * enable the mode and resynchronize. ++ */ ++ if (xleave_mismatch && hismode == MODE_ACTIVE) { ++ peer->flip = 1; ++ report_event(PEVNT_XLEAVE, peer, NULL); ++ } ++ ++ /* + * Update the state variables. 
+ */ + if (peer->flip == 0) { +@@ -1715,5 +1723,12 @@ clock_update( + sys_rootdelay = peer->delay + peer->rootdelay; + sys_reftime = peer->dst; ++ ++ /* Randomize the fraction part of the reference time to not reveal ++ peer->dst to NTP clients as it could be used in a DoS attack ++ enabling the symmetric interleaved mode with spoofed packets */ ++ ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof (sys_reftime.l_uf)); ++ if (L_ISHIS(&sys_reftime, &peer->dst)) ++ sys_reftime.l_ui--; + + #ifdef DEBUG + if (debug) diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-1550.patch b/SOURCES/ntp-4.2.6p5-cve-2016-1550.patch new file mode 100644 index 0000000..22dbfb9 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2016-1550.patch @@ -0,0 +1,24 @@ +diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.cve-2016-1550 ntp-4.2.6p5/libntp/a_md5encrypt.c +--- ntp-4.2.6p5/libntp/a_md5encrypt.c.cve-2016-1550 2016-04-27 15:11:40.955168086 +0200 ++++ ntp-4.2.6p5/libntp/a_md5encrypt.c 2016-04-27 15:13:41.126499861 +0200 +@@ -88,7 +88,7 @@ MD5authdecrypt( + "MAC decrypt: MAC length error"); + return (0); + } +- return (!memcmp(digest, (char *)pkt + length + 4, len)); ++ return (!CRYPTO_memcmp(digest, (char *)pkt + length + 4, len)); + } + + /* +diff -up ntp-4.2.6p5/sntp/crypto.c.cve-2016-1550 ntp-4.2.6p5/sntp/crypto.c +--- ntp-4.2.6p5/sntp/crypto.c.cve-2016-1550 2010-11-14 09:47:00.000000000 +0100 ++++ ntp-4.2.6p5/sntp/crypto.c 2016-04-27 15:13:41.126499861 +0200 +@@ -58,7 +58,7 @@ auth_md5( + if (!hash_len) + authentic = FALSE; + else +- authentic = !memcmp(digest, pkt_data + pkt_size + 4, ++ authentic = !CRYPTO_memcmp(digest, pkt_data + pkt_size + 4, + hash_len); + return authentic; + } diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-2518.patch b/SOURCES/ntp-4.2.6p5-cve-2016-2518.patch new file mode 100644 index 0000000..ed68938 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2016-2518.patch 
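Review bot: The return value of `ntp_crypto_random_buf()` in the clock_update() hunk is discarded, so if that call reports failure the fraction of `sys_reftime` keeps the real `peer->dst` bits and the disclosure this block is meant to close (an attacker learning dst and forcing interleaved mode with spoofed packets) silently returns; I would check it, `if (ntp_crypto_random_buf(&sys_reftime.l_uf, sizeof(sys_reftime.l_uf)) != 0) sys_reftime.l_uf = 0;`, assuming the copy of that function this package carries signals failure through its return value as the later libntp version does — confirm before relying on it. Separately, the new comment in receive() says the interleaved switch happens only after the packet "passed the authentication check", but the condition `xleave_mismatch && hismode == MODE_ACTIVE` does not test that itself; it relies on every bad-auth path above having already returned, which is only partly visible here, so the comment should state that, e.g. `/* reached only when the bad-auth paths above did not return */`. Both receive() and clock_update() start and end outside this hunk.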
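Review bot: `CRYPTO_memcmp` is an OpenSSL symbol and neither hunk adds `#include <openssl/crypto.h>` or a fallback, so a build configured without OpenSSL (if this tree still supports one, a_md5encrypt.c having a non-OpenSSL MD5 path is my recollection, not something visible here) would fail to compile, and an OpenSSL build compiles only if the header arrives transitively; either add the include explicitly or guard with `#ifdef OPENSSL` and a local constant-time compare. The constant-time compare is only as strong as the length it is given: it is fine provided `len` and `hash_len` come from the locally computed digest rather than from the packet, which the visible context does not show, so worth a quick check that the earlier `MAC length error` return covers that. MD5authdecrypt() and auth_md5() both start outside the hunk.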
@@ -0,0 +1,19 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 ntp-4.2.6p5/ntpd/ntp_request.c +--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 2016-04-29 13:41:22.690006470 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-04-29 13:56:12.039936978 +0200 +@@ -1342,7 +1342,6 @@ do_conf( + memset(&temp_cp, 0, sizeof(struct conf_peer)); + memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize)); + +-#if 0 /* paranoid checking - these are done in newpeer() */ + fl = 0; + while (items-- > 0 && !fl) { + if (((temp_cp.version) > NTP_VERSION) +@@ -1363,7 +1362,6 @@ do_conf( + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } +-#endif /* end paranoid checking */ + + /* + * Looks okay, try it out diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec index 4f83b9f..8167f88 100644 --- a/SPECS/ntp.spec +++ b/SPECS/ntp.spec @@ -1,7 +1,7 @@ Summary: The NTP daemon and utilities Name: ntp Version: 4.2.6p5 -Release: 22%{?dist}.1 +Release: 22%{?dist}.2 # primary license (COPYRIGHT) : MIT # ElectricFence/ (not used) : GPLv2 # kernel/sys/ppsclock.h (not used) : BSD with advertising @@ -135,6 +135,14 @@ Patch43: ntp-4.2.6p5-cve-2015-7704.patch Patch44: ntp-4.2.6p5-cve-2015-5300.patch # ntpbz #2945 Patch45: ntp-4.2.6p5-cve-2015-8138.patch +# ntpbz #2942, ntpbz #3007 +Patch46: ntp-4.2.6p5-cve-2015-7979.patch +# ntpbz #2978 +Patch47: ntp-4.2.6p5-cve-2016-1548.patch +# ntpbz #3009 +Patch48: ntp-4.2.6p5-cve-2016-2518.patch +# ntpbz #2879 +Patch49: ntp-4.2.6p5-cve-2016-1550.patch # handle unknown clock types Patch50: ntpstat-0.2-clksrc.patch @@ -216,7 +224,7 @@ This package contains NTP documentation in HTML format. # pool.ntp.org vendor zone which will be used in ntp.conf %if 0%{!?vendorzone:1} %{?fedora: %global vendorzone fedora.} -%{?rhel: %global vendorzone centos.} +%{?rhel: %global vendorzone rhel.} %endif %prep 
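Review bot: The re-enabled validation loop in do_conf() tests `temp_cp` on every pass of `while (items-- > 0 && !fl)`, but `temp_cp` is filled once from the first item by the `memcpy` just above the loop and nothing visible re-copies it, so a multi-item request is validated only against item one — either drop the loop and check `temp_cp` once, or copy each item into `temp_cp` per iteration; the elided loop body may already do this, so confirm before changing. Removing the `#if 0` also removes the only explanation of the block, and the reason it was disabled ("these are done in newpeer()") is, per the changelog's "check mode of new source", exactly what was not true for the mode check; I would add `/* newpeer() does not reject an invalid hmode: validate version/mode/flags here (CVE-2016-2518) */` above `fl = 0;`. do_conf() starts and ends outside the hunk.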
@@ -268,6 +276,10 @@ This package contains NTP documentation in HTML format. %patch43 -p1 -b .cve-2015-7704 %patch44 -p1 -b .cve-2015-5300 %patch45 -p1 -b .cve-2015-8138 +%patch46 -p1 -b .cve-2015-7979 +%patch47 -p1 -b .cve-2016-1548 +%patch48 -p1 -b .cve-2016-2518 +%patch49 -p1 -b .cve-2016-1550 # ntpstat patches %patch50 -p1 -b .clksrc @@ -485,8 +497,13 @@ popd %{ntpdocdir}/html %changelog -* Mon Jan 25 2016 CentOS Sources - 4.2.6p5-22.el7.centos.1 -- rebrand vendorzone +* Tue May 03 2016 Miroslav Lichvar 4.2.6p5-22.el7_2.2 +- don't allow spoofed packets to demobilize associations (CVE-2015-7979, + CVE-2016-1547) +- don't allow spoofed packet to enable symmetric interleaved mode + (CVE-2016-1548) +- check mode of new source in config command (CVE-2016-2518) +- make MAC check resilient against timing attack (CVE-2016-1550) * Wed Jan 20 2016 Miroslav Lichvar 4.2.6p5-22.el7_2.1 - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)