diff --git a/SOURCES/ntp-4.2.6p5-clockstate.patch b/SOURCES/ntp-4.2.6p5-clockstate.patch new file mode 100644 index 0000000..487cf62 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-clockstate.patch @@ -0,0 +1,118 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_loopfilter.c.clockstate ntp-4.2.6p5/ntpd/ntp_loopfilter.c +--- ntp-4.2.6p5/ntpd/ntp_loopfilter.c.clockstate 2015-12-04 13:42:45.807689201 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_loopfilter.c 2015-12-04 15:21:34.252296997 +0100 +@@ -189,6 +189,51 @@ init_loopfilter(void) + clock_jitter = LOGTOD(sys_precision); + } + ++#ifdef KERNEL_PLL ++/* ++ * ntp_adjtime_wrapper - call ntp_adjtime() and print errors and clock state ++ * changes related to leap seconds ++ */ ++static int ++ntp_adjtime_wrapper(struct timex *timex) ++{ ++ static int last_ret = TIME_OK; ++ int ret; ++ ++ ret = ntp_adjtime(timex); ++ ++ if (ret < 0) { ++ msyslog(LOG_ERR, "ntp_adjtime() failed: %s", strerror(errno)); ++ return ret; ++ } ++ ++ if (ret == last_ret || ret == TIME_ERROR) ++ return ret; ++ ++ switch (ret) { ++ case TIME_OK: ++ if (last_ret != TIME_INS && last_ret != TIME_DEL) ++ break; ++ msyslog(LOG_INFO, "kernel leap second %s cancelled", ++ last_ret == TIME_INS ? "insertion" : "deletion"); ++ break; ++ case TIME_INS: ++ msyslog(LOG_INFO, "kernel reports leap second insertion scheduled"); ++ break; ++ case TIME_DEL: ++ msyslog(LOG_INFO, "kernel reports leap second deletion scheduled"); ++ break; ++ case TIME_WAIT: ++ msyslog(LOG_INFO, "kernel reports leap second has occurred"); ++ break; ++ } ++ ++ last_ret = ret; ++ ++ return ret; ++} ++#endif ++ + /* + * local_clock - the NTP logical clock loop filter. + * +@@ -566,7 +611,7 @@ local_clock( + * the pps. In any case, fetch the kernel offset, + * frequency and jitter. + */ +- if (ntp_adjtime(&ntv) == TIME_ERROR) { ++ if (ntp_adjtime_wrapper(&ntv) == TIME_ERROR) { + if (!(ntv.status & STA_PPSSIGNAL)) + report_event(EVNT_KERN, NULL, + "PPS no signal"); +@@ -598,7 +643,7 @@ local_clock( + loop_tai = sys_tai; + ntv.modes = MOD_TAI; + ntv.constant = sys_tai; +- ntp_adjtime(&ntv); ++ ntp_adjtime_wrapper(&ntv); + } + #endif /* STA_NANO */ + } +@@ -775,7 +820,7 @@ direct_freq( + */ + if (pll_control && kern_enable) { + memset(&ntv, 0, sizeof(ntv)); +- ntp_adjtime(&ntv); ++ ntp_adjtime_wrapper(&ntv); + #ifdef STA_NANO + clock_offset = ntv.offset / 1e9; + #else /* STA_NANO */ +@@ -811,7 +856,7 @@ set_freq( + memset(&ntv, 0, sizeof(ntv)); + ntv.modes = MOD_FREQUENCY; + ntv.freq = DTOFREQ(drift_comp); +- ntp_adjtime(&ntv); ++ ntp_adjtime_wrapper(&ntv); + snprintf(tbuf, sizeof(tbuf), "kernel %.3f PPM", + drift_comp * 1e6); + report_event(EVNT_FSET, NULL, tbuf); +@@ -905,7 +950,7 @@ loop_config( + pll_control = 0; + } + if (sigsetjmp(env, 1) == 0) +- ntp_adjtime(&ntv); ++ ntp_adjtime_wrapper(&ntv); + if ((sigaction(SIGSYS, &sigsys, + (struct sigaction *)NULL))) { + msyslog(LOG_ERR, +@@ -913,7 +958,7 @@ loop_config( + pll_control = 0; + } + #else /* SIGSYS */ +- ntp_adjtime(&ntv); ++ ntp_adjtime_wrapper(&ntv); + #endif /* SIGSYS */ + + /* +@@ -964,7 +1009,7 @@ loop_config( + memset((char *)&ntv, 0, sizeof(ntv)); + ntv.modes = MOD_STATUS; + ntv.status = STA_UNSYNC; +- ntp_adjtime(&ntv); ++ ntp_adjtime_wrapper(&ntv); + report_event(EVNT_KERN, NULL, + "kernel time sync disabledx"); + } diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5194.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5194.patch new file mode 100644 index 0000000..a774749 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-5194.patch @@ -0,0 +1,42 @@ +commit 553f2fa65865c31c5e3c48812cfd46176cffdd27 +Author: +Date: Wed Jul 28 05:33:53 2010 +0000 + + [Bug 1593] ntpd abort in free() with logconfig syntax error. + +diff --git a/ntpd/ntp_parser.y b/ntpd/ntp_parser.y +index b3f7ac3..cf8942f 100644 +--- a/ntpd/ntp_parser.y ++++ b/ntpd/ntp_parser.y +@@ -995,14 +995,24 @@ log_config_list + log_config_command + : T_String + { +- char prefix = $1[0]; +- char *type = $1 + 1; ++ char prefix; ++ char * type; + +- if (prefix != '+' && prefix != '-' && prefix != '=') { +- yyerror("Logconfig prefix is not '+', '-' or '='\n"); +- } +- else +- $$ = create_attr_sval(prefix, estrdup(type)); ++ switch ($1[0]) { ++ ++ case '+': ++ case '-': ++ case '=': ++ prefix = $1[0]; ++ type = $1 + 1; ++ break; ++ ++ default: ++ prefix = '='; ++ type = $1; ++ } ++ ++ $$ = create_attr_sval(prefix, estrdup(type)); + YYFREE($1); + } + ; diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5195.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5195.patch new file mode 100644 index 0000000..3b2d9c3 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-5195.patch @@ -0,0 +1,31 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2015-5195 ntp-4.2.6p5/ntpd/ntp_config.c +--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2015-5195 2015-08-20 12:14:23.911585026 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_config.c 2015-08-20 12:15:14.850462173 +0200 +@@ -2019,6 +2019,13 @@ config_monitor( + while (pfilegen_token != NULL) { + filegen_string = keyword(*pfilegen_token); + filegen = filegen_get(filegen_string); ++ if (NULL == filegen) { ++ msyslog(LOG_ERR, ++ "stats %s unrecognized", ++ filegen_string); ++ pfilegen_token = next_node(pfilegen_token); ++ continue; ++ } + + DPRINTF(4, ("enabling filegen for %s statistics '%s%s'\n", + filegen_string, filegen->prefix, +@@ -2032,6 +2039,13 @@ config_monitor( + while (my_node != NULL) { + filegen_file = keyword(my_node->filegen_token); + filegen = filegen_get(filegen_file); ++ if (NULL == filegen) { ++ msyslog(LOG_ERR, ++ "filegen category '%s' unrecognized", ++ filegen_file); ++ my_node = next_node(my_node); ++ continue; ++ } + + /* Initialize the filegen variables to their pre-configurtion states */ + filegen_flag = filegen->flag; diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5219.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5219.patch new file mode 100644 index 0000000..fba2051 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-5219.patch @@ -0,0 +1,23 @@ +commit 5f295cd05c3c136d39f5b3e500a2d781bdbb59c8 +Author: +Date: Wed Apr 24 19:13:53 2013 -0400 + + [Bug 2382] Implement LOGTOD using ldexp() instead of shifting + +diff --git a/include/ntp.h b/include/ntp.h +index aa45e16..95b2542 100644 +--- a/include/ntp.h ++++ b/include/ntp.h +@@ -156,10 +156,9 @@ typedef char s_char; + #define SQUARE(x) ((x) * (x)) + #define SQRT(x) (sqrt(x)) + #define DIFF(x, y) (SQUARE((x) - (y))) +-#define LOGTOD(a) ((a) < 0 ? 1. / (1L << -(a)) : \ +- 1L << (int)(a)) /* log2 to double */ ++#define LOGTOD(a) ldexp(1., (int)(a)) /* log2 to double */ + #define UNIVAR(x) (SQUARE(.28867513 * LOGTOD(x))) /* std uniform distr */ +-#define ULOGTOD(a) (1L << (int)(a)) /* ulog2 to double */ ++#define ULOGTOD(a) ldexp(1., (int)(a)) /* ulog2 to double */ + + #define EVENT_TIMEOUT 0 /* one second, that is */ + diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7691_7692_7702.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7691_7692_7702.patch new file mode 100644 index 0000000..d920200 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7691_7692_7702.patch @@ -0,0 +1,217 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2015-7691_7692_7702 ntp-4.2.6p5/ntpd/ntp_crypto.c +--- ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2015-7691_7692_7702 2015-10-22 13:05:34.696482937 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_crypto.c 2015-10-22 13:14:12.473848919 +0200 +@@ -170,6 +170,7 @@ static void cert_free (struct cert_info + static struct pkey_info *crypto_key (char *, char *, sockaddr_u *); + static void bighash (BIGNUM *, BIGNUM *); + static struct cert_info *crypto_cert (char *); ++static u_int exten_payload_size(const struct exten *); + + #ifdef SYS_WINNT + int +@@ -389,7 +390,7 @@ crypto_recv( + struct autokey *ap, *bp; /* autokey pointer */ + struct exten *ep, *fp; /* extension pointers */ + struct cert_info *xinfo; /* certificate info pointer */ +- int has_mac; /* length of MAC field */ ++ int macbytes; /* length of MAC field, signed by intention */ + int authlen; /* offset of MAC field */ + associd_t associd; /* association ID */ + tstamp_t tstamp = 0; /* timestamp */ +@@ -417,7 +418,11 @@ crypto_recv( + */ + authlen = LEN_PKT_NOMAC; + hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode); +- while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) { ++ while ((macbytes = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) { ++ /* We can be reasonably sure that we can read at least ++ * the opcode and the size field here. More stringent ++ * checks follow up shortly. ++ */ + pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4; + ep = (struct exten *)pkt; + code = ntohl(ep->opcode) & 0xffff0000; +@@ -441,6 +446,18 @@ crypto_recv( + code |= CRYPTO_ERROR; + } + ++ /* Check if the declared size fits into the remaining ++ * buffer. ++ */ ++ if (len > macbytes) { ++ DPRINTF(1, ("crypto_recv: possible attack detected, associd %d\n", ++ associd)); ++ return XEVNT_LEN; ++ } ++ ++ /* Check if the paylod of the extension fits into the ++ * declared frame. ++ */ + if (len >= VALUE_LEN) { + tstamp = ntohl(ep->tstamp); + fstamp = ntohl(ep->fstamp); +@@ -1170,9 +1187,8 @@ crypto_xmit( + * choice. + */ + case CRYPTO_CERT | CRYPTO_RESP: +- vallen = ntohl(ep->vallen); /* Must be <64k */ +- if (vallen == 0 || vallen > MAXHOSTNAME || +- len - VALUE_LEN < vallen) { ++ vallen = exten_payload_size(ep); /* Must be <64k */ ++ if (vallen == 0 || vallen >= sizeof(certname) ) { + rval = XEVNT_LEN; + break; + } else { +@@ -2134,8 +2150,7 @@ crypto_bob( + tstamp_t tstamp; /* NTP timestamp */ + BIGNUM *bn, *bk, *r; + u_char *ptr; +- u_int len; /* extension field length */ +- u_int vallen = 0; /* value length */ ++ u_int len; /* extension field value length */ + + /* + * If the IFF parameters are not valid, something awful +@@ -2150,11 +2165,10 @@ crypto_bob( + /* + * Extract r from the challenge. + */ +- vallen = ntohl(ep->vallen); +- len = ntohl(ep->opcode) & 0x0000ffff; +- if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen) +- return XEVNT_LEN; +- if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) { ++ len = exten_payload_size(ep); ++ if (len == 0 || len > MAX_VALLEN) ++ return (XEVNT_LEN); ++ if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { + msyslog(LOG_ERR, "crypto_bob: %s", + ERR_error_string(ERR_get_error(), NULL)); + return (XEVNT_ERR); +@@ -2166,7 +2180,7 @@ crypto_bob( + */ + bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new(); + sdsa = DSA_SIG_new(); +- BN_rand(bk, vallen * 8, -1, 1); /* k */ ++ BN_rand(bk, len * 8, -1, 1); /* k */ + BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */ + BN_add(bn, bn, bk); + BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */ +@@ -2185,16 +2199,16 @@ crypto_bob( + * Encode the values in ASN.1 and sign. The filestamp is from + * the local file. + */ +- vallen = i2d_DSA_SIG(sdsa, NULL); +- if (vallen == 0) { ++ len = i2d_DSA_SIG(sdsa, NULL); ++ if (len == 0) { + msyslog(LOG_ERR, "crypto_bob: %s", + ERR_error_string(ERR_get_error(), NULL)); + DSA_SIG_free(sdsa); + return (XEVNT_ERR); + } +- if (vallen > MAX_VALLEN) { +- msyslog(LOG_ERR, "crypto_bob: signature is too big: %d", +- vallen); ++ if (len > MAX_VALLEN) { ++ msyslog(LOG_ERR, "crypto_bob: signature is too big: %u", ++ len); + DSA_SIG_free(sdsa); + return (XEVNT_LEN); + } +@@ -2202,8 +2216,8 @@ crypto_bob( + tstamp = crypto_time(); + vp->tstamp = htonl(tstamp); + vp->fstamp = htonl(iffkey_info->fstamp); +- vp->vallen = htonl(vallen); +- ptr = emalloc(vallen); ++ vp->vallen = htonl(len); ++ ptr = emalloc(len); + vp->ptr = ptr; + i2d_DSA_SIG(sdsa, &ptr); + DSA_SIG_free(sdsa); +@@ -2214,9 +2228,9 @@ crypto_bob( + vp->sig = emalloc(sign_siglen); + EVP_SignInit(&ctx, sign_digest); + EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); +- EVP_SignUpdate(&ctx, vp->ptr, vallen); +- if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) +- vp->siglen = htonl(sign_siglen); ++ EVP_SignUpdate(&ctx, vp->ptr, len); ++ if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) ++ vp->siglen = htonl(len); + return (XEVNT_OK); + } + +@@ -2462,7 +2476,9 @@ crypto_bob2( + /* + * Extract r from the challenge. + */ +- len = ntohl(ep->vallen); ++ len = exten_payload_size(ep); ++ if (len == 0 || len > MAX_VALLEN) ++ return (XEVNT_LEN); + if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { + msyslog(LOG_ERR, "crypto_bob2: %s", + ERR_error_string(ERR_get_error(), NULL)); +@@ -2787,7 +2803,9 @@ crypto_bob3( + /* + * Extract r from the challenge. + */ +- len = ntohl(ep->vallen); ++ len = exten_payload_size(ep); ++ if (len == 0 || len > MAX_VALLEN) ++ return (XEVNT_LEN); + if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { + msyslog(LOG_ERR, "crypto_bob3: %s", + ERR_error_string(ERR_get_error(), NULL)); +@@ -3002,8 +3020,11 @@ cert_sign( + if (tstamp == 0) + return (XEVNT_TSP); + ++ len = exten_payload_size(ep); ++ if (len == 0 || len > MAX_VALLEN) ++ return (XEVNT_LEN); + ptr = (u_char *)ep->pkt; +- if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) { ++ if ((req = d2i_X509(NULL, &ptr, len)) == NULL) { + msyslog(LOG_ERR, "cert_sign: %s", + ERR_error_string(ERR_get_error(), NULL)); + return (XEVNT_CRT); +@@ -3968,6 +3989,36 @@ crypto_config( + break; + } + } ++ ++/* ++ * Get payload size (internal value length) of an extension packet. If ++ * the inner value length does not match the outer packet length (that ++ * is, the value would end behind the frame given by the opcode/size ++ * field) the function will efectively return UINT_MAX. If the frame is ++ * too short to holda variable-sized value, the return value is zero. ++ */ ++static u_int ++exten_payload_size( ++ const struct exten * ep) ++{ ++ typedef const u_char *BPTR; ++ ++ size_t extn_size; ++ size_t data_size; ++ size_t head_size; ++ ++ data_size = 0; ++ if (NULL != ep) { ++ head_size = (BPTR)(&ep->vallen + 1) - (BPTR)ep; ++ extn_size = (uint16_t)(ntohl(ep->opcode) & 0x0000ffff); ++ if (extn_size >= head_size) { ++ data_size = (uint32_t)ntohl(ep->vallen); ++ if (data_size > extn_size - head_size) ++ data_size = ~(size_t)0u; ++ } ++ } ++ return (u_int)data_size; ++} + # else + int ntp_crypto_bs_pubkey; + # endif /* OPENSSL */ diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7701.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7701.patch new file mode 100644 index 0000000..2015c9a --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7701.patch @@ -0,0 +1,19 @@ +commit d7cd5e186034340402f1393e0813c7d2b14ea6ca +Author: +Date: Mon Sep 28 18:22:06 2015 +0200 + + [Bug 2909] - Slow memory leak in CRYPTO_ASSOC + - added missing call to 'free()' in ntp_crypto.c. + +diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c +index e9cd6c2..a7b693f 100644 +--- a/ntpd/ntp_crypto.c ++++ b/ntpd/ntp_crypto.c +@@ -508,6 +508,7 @@ crypto_recv( + rval = XEVNT_ERR; + break; + } ++ free(peer->cmmd); /* will be set again! */ + } + fp = emalloc(len); + memcpy(fp, ep, len); diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7703.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7703.patch new file mode 100644 index 0000000..2b0cb00 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7703.patch @@ -0,0 +1,52 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_parser.y.cve-2015-7703 ntp-4.2.6p5/ntpd/ntp_parser.y +--- ntp-4.2.6p5/ntpd/ntp_parser.y.cve-2015-7703 2015-08-20 12:21:43.206525550 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_parser.y 2015-08-20 12:31:04.223172507 +0200 +@@ -1005,23 +1005,43 @@ misc_cmd_int_keyword + + misc_cmd_str_keyword + : T_Leapfile +- | T_Pidfile + | T_Qos + ; + + misc_cmd_str_lcl_keyword + : T_Logfile ++ | T_Pidfile + | T_Saveconfigdir + ; + + drift_parm + : T_String +- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); } ++ { ++ if (input_from_file) { ++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); ++ } else { ++ YYFREE($1); ++ yyerror("driftfile remote configuration ignored"); ++ } ++ } + | T_String T_Double +- { enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2)); +- enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); } ++ { ++ if (input_from_file) { ++ enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2)); ++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); ++ } else { ++ YYFREE($1); ++ yyerror("driftfile remote configuration ignored"); ++ } ++ } + | /* Null driftfile, indicated by null string "\0" */ +- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, "\0")); } ++ { ++ if (input_from_file) { ++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, estrdup(""))); ++ } else { ++ yyerror("driftfile remote configuration ignored"); ++ } ++ } + ; + + variable_assign diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7852.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7852.patch new file mode 100644 index 0000000..1bac599 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7852.patch @@ -0,0 +1,22 @@ +diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-7852 ntp-4.2.6p5/ntpq/ntpq.c +--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-7852 2015-10-21 19:38:34.008129649 +0200 ++++ ntp-4.2.6p5/ntpq/ntpq.c 2015-10-21 19:39:40.207742621 +0200 +@@ -3449,12 +3449,17 @@ cookedprint( + char bv[401]; + int len; + ++ /* TALOS-CAN-0063: avoid buffer overrun */ + atoascii(name, MAXVARLEN, bn, sizeof(bn)); +- atoascii(value, MAXVARLEN, bv, sizeof(bv)); + if (output_raw != '*') { ++ atoascii(value, MAXVALLEN, ++ bv, sizeof(bv) - 1); + len = strlen(bv); + bv[len] = output_raw; + bv[len+1] = '\0'; ++ } else { ++ atoascii(value, MAXVALLEN, ++ bv, sizeof(bv)); + } + output(fp, bn, bv); + } diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7974.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7974.patch new file mode 100644 index 0000000..2f05130 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7974.patch @@ -0,0 +1,20 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 ntp-4.2.6p5/ntpd/ntp_proto.c +--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 2016-01-21 14:06:18.958346184 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-01-21 14:16:34.894828262 +0100 +@@ -674,10 +674,13 @@ receive( + * succeed in bloating the key cache. If an autokey, + * purge it immediately, since we won't be needing it + * again. If the packet is authentic, it can mobilize an +- * association. Note that there is no key zero. ++ * association. If it's a persistent association using a ++ * symmetric key, the key ID has to match the configured ++ * value. Note that there is no key zero. + */ +- if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen, +- has_mac)) ++ if ((peer && !(peer->flags & FLAG_PREEMPT) && ++ peer->keyid <= NTP_MAXKEY && skeyid != peer->keyid) || ++ !authdecrypt(skeyid, (u_int32 *)pkt, authlen, has_mac)) + is_authentic = AUTH_ERROR; + else + is_authentic = AUTH_OK; diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7977_7978.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7977_7978.patch new file mode 100644 index 0000000..ddcd91a --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-7977_7978.patch @@ -0,0 +1,183 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 ntp-4.2.6p5/ntpd/ntp_request.c +--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 2011-12-01 03:55:17.000000000 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-01-20 11:14:20.855586406 +0100 +@@ -1730,56 +1730,143 @@ setclr_flags( + loop_config(LOOP_DRIFTCOMP, drift_comp); + } + ++/* There have been some issues with the restrict list processing, ++ * ranging from problems with deep recursion (resulting in stack ++ * overflows) and overfull reply buffers. ++ * ++ * To avoid this trouble the list reversal is done iteratively using a ++ * scratch pad. ++ */ ++typedef struct RestrictStack RestrictStackT; ++struct RestrictStack { ++ RestrictStackT *link; ++ size_t fcnt; ++ const restrict_u *pres[63]; ++}; ++ ++static size_t ++getStackSheetSize( ++ RestrictStackT *sp ++ ) ++{ ++ if (sp) ++ return sizeof(sp->pres)/sizeof(sp->pres[0]); ++ return 0u; ++} ++ ++static int/*BOOL*/ ++pushRestriction( ++ RestrictStackT **spp, ++ const restrict_u *ptr ++ ) ++{ ++ RestrictStackT *sp; ++ ++ if (NULL == (sp = *spp) || 0 == sp->fcnt) { ++ /* need another sheet in the scratch pad */ ++ sp = emalloc(sizeof(*sp)); ++ sp->link = *spp; ++ sp->fcnt = getStackSheetSize(sp); ++ *spp = sp; ++ } ++ sp->pres[--sp->fcnt] = ptr; ++ return TRUE; ++} ++ ++static int/*BOOL*/ ++popRestriction( ++ RestrictStackT **spp, ++ const restrict_u **opp ++ ) ++{ ++ RestrictStackT *sp; ++ ++ if (NULL == (sp = *spp) || sp->fcnt >= getStackSheetSize(sp)) ++ return FALSE; ++ ++ *opp = sp->pres[sp->fcnt++]; ++ if (sp->fcnt >= getStackSheetSize(sp)) { ++ /* discard sheet from scratch pad */ ++ *spp = sp->link; ++ free(sp); ++ } ++ return TRUE; ++} ++ ++static void ++flushRestrictionStack( ++ RestrictStackT **spp ++ ) ++{ ++ RestrictStackT *sp; ++ ++ while (NULL != (sp = *spp)) { ++ *spp = sp->link; ++ free(sp); ++ } ++} ++ + /* +- * list_restrict4 - recursive helper for list_restrict dumps IPv4 ++ * list_restrict4 - iterative helper for list_restrict dumps IPv4 + * restriction list in reverse order. + */ + static void + list_restrict4( +- restrict_u * res, ++ const restrict_u * res, + struct info_restrict ** ppir + ) + { ++ RestrictStackT * rpad; + struct info_restrict * pir; + +- if (res->link != NULL) +- list_restrict4(res->link, ppir); +- + pir = *ppir; +- pir->addr = htonl(res->u.v4.addr); +- if (client_v6_capable) +- pir->v6_flag = 0; +- pir->mask = htonl(res->u.v4.mask); +- pir->count = htonl(res->count); +- pir->flags = htons(res->flags); +- pir->mflags = htons(res->mflags); +- *ppir = (struct info_restrict *)more_pkt(); ++ for (rpad = NULL; res; res = res->link) ++ if (!pushRestriction(&rpad, res)) ++ break; ++ ++ while (pir && popRestriction(&rpad, &res)) { ++ pir->addr = htonl(res->u.v4.addr); ++ if (client_v6_capable) ++ pir->v6_flag = 0; ++ pir->mask = htonl(res->u.v4.mask); ++ pir->count = htonl(res->count); ++ pir->flags = htons(res->flags); ++ pir->mflags = htons(res->mflags); ++ pir = (struct info_restrict *)more_pkt(); ++ } ++ flushRestrictionStack(&rpad); ++ *ppir = pir; + } + +- + /* +- * list_restrict6 - recursive helper for list_restrict dumps IPv6 ++ * list_restrict6 - iterative helper for list_restrict dumps IPv6 + * restriction list in reverse order. + */ + static void + list_restrict6( +- restrict_u * res, ++ const restrict_u * res, + struct info_restrict ** ppir + ) + { ++ RestrictStackT * rpad; + struct info_restrict * pir; + +- if (res->link != NULL) +- list_restrict6(res->link, ppir); +- + pir = *ppir; +- pir->addr6 = res->u.v6.addr; +- pir->mask6 = res->u.v6.mask; +- pir->v6_flag = 1; +- pir->count = htonl(res->count); +- pir->flags = htons(res->flags); +- pir->mflags = htons(res->mflags); +- *ppir = (struct info_restrict *)more_pkt(); ++ for (rpad = NULL; res; res = res->link) ++ if (!pushRestriction(&rpad, res)) ++ break; ++ ++ while (pir && popRestriction(&rpad, &res)) { ++ pir->addr6 = res->u.v6.addr; ++ pir->mask6 = res->u.v6.mask; ++ pir->v6_flag = 1; ++ pir->count = htonl(res->count); ++ pir->flags = htons(res->flags); ++ pir->mflags = htons(res->mflags); ++ pir = (struct info_restrict *)more_pkt(); ++ } ++ flushRestrictionStack(&rpad); ++ *ppir = pir; + } + + +@@ -1803,8 +1890,7 @@ list_restrict( + /* + * The restriction lists are kept sorted in the reverse order + * than they were originally. To preserve the output semantics, +- * dump each list in reverse order. A recursive helper function +- * achieves that. ++ * dump each list in reverse order. The workers take care of that. + */ + list_restrict4(restrictlist4, &ir); + if (client_v6_capable) diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-8158.patch b/SOURCES/ntp-4.2.6p5-cve-2015-8158.patch new file mode 100644 index 0000000..0767b30 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2015-8158.patch @@ -0,0 +1,126 @@ +diff -U0 ntp-4.2.6p5/ChangeLog.cve-2015-8158 ntp-4.2.6p5/ChangeLog +diff -up ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 ntp-4.2.6p5/ntpdc/ntpdc.c +--- ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 2016-01-20 14:06:21.035659659 +0100 ++++ ntp-4.2.6p5/ntpdc/ntpdc.c 2016-01-20 14:25:39.734622168 +0100 +@@ -657,6 +657,10 @@ getresponse( + fd_set fds; + int n; + int pad; ++ /* absolute timeout checks. Not 'time_t' by intention! */ ++ uint32_t tobase; /* base value for timeout */ ++ uint32_t tospan; /* timeout span (max delay) */ ++ uint32_t todiff; /* current delay */ + + /* + * This is pretty tricky. We may get between 1 and many packets +@@ -673,12 +677,14 @@ getresponse( + lastseq = 999; /* too big to be a sequence number */ + memset(haveseq, 0, sizeof(haveseq)); + FD_ZERO(&fds); ++ tobase = (uint32_t)time(NULL); + + again: + if (firstpkt) + tvo = tvout; + else + tvo = tvsout; ++ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0); + + FD_SET(sockfd, &fds); + n = select(sockfd+1, &fds, (fd_set *)0, (fd_set *)0, &tvo); +@@ -687,6 +693,17 @@ getresponse( + warning("select fails", "", ""); + return -1; + } ++ ++ /* ++ * Check if this is already too late. Trash the data and fake a ++ * timeout if this is so. ++ */ ++ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu; ++ if ((n > 0) && (todiff > tospan)) { ++ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0); ++ n = 0; /* faked timeout return from 'select()'*/ ++ } ++ + if (n == 0) { + /* + * Timed out. Return what we have +@@ -831,8 +848,10 @@ getresponse( + } + + /* +- * So far, so good. Copy this data into the output array. ++ * So far, so good. Copy this data into the output array. Bump ++ * the timeout base, in case we expect more data. + */ ++ tobase = (uint32_t)time(NULL); + if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) { + int offset = datap - pktdata; + growpktdata(); +diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 ntp-4.2.6p5/ntpq/ntpq.c +--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 2016-01-20 14:06:21.493660755 +0100 ++++ ntp-4.2.6p5/ntpq/ntpq.c 2016-01-20 14:13:56.132819820 +0100 +@@ -836,6 +836,10 @@ getresponse( + int len; + int first; + char *data; ++ /* absolute timeout checks. Not 'time_t' by intention! */ ++ uint32_t tobase; /* base value for timeout */ ++ uint32_t tospan; /* timeout span (max delay) */ ++ uint32_t todiff; /* current delay */ + + /* + * This is pretty tricky. We may get between 1 and MAXFRAG packets +@@ -852,6 +856,8 @@ getresponse( + numfrags = 0; + seenlastfrag = 0; + ++ tobase = (uint32_t)time(NULL); ++ + FD_ZERO(&fds); + + /* +@@ -864,7 +870,8 @@ getresponse( + tvo = tvout; + else + tvo = tvsout; +- ++ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0); ++ + FD_SET(sockfd, &fds); + n = select(sockfd + 1, &fds, NULL, NULL, &tvo); + +@@ -872,6 +879,17 @@ getresponse( + warning("select fails", "", ""); + return -1; + } ++ ++ /* ++ * Check if this is already too late. Trash the data and ++ * fake a timeout if this is so. ++ */ ++ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu; ++ if ((n > 0) && (todiff > tospan)) { ++ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0); ++ n = 0; /* faked timeout return from 'select()'*/ ++ } ++ + if (n == 0) { + /* + * Timed out. Return what we have +@@ -1166,10 +1184,13 @@ getresponse( + } + + /* +- * Copy the data into the data buffer. ++ * Copy the data into the data buffer, and bump the ++ * timout base in case we need more. + */ + memcpy((char *)pktdata + offset, rpkt.data, count); + ++ tobase = (uint32_t)time(NULL); ++ + /* + * If we've seen the last fragment, look for holes in the sequence. + * If there aren't any, we're done. diff --git a/SOURCES/ntp-4.2.6p5-leapreset.patch b/SOURCES/ntp-4.2.6p5-leapreset.patch new file mode 100644 index 0000000..81722fb --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-leapreset.patch @@ -0,0 +1,18 @@ +commit 5f0420ad1ee3528bf83a28ea54c51af2b09ecfa5 +Author: +Date: Mon Nov 19 20:17:35 2012 -0800 + + [Bug 2246] Clear sys_leap when voting says to disarm the leap + +diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c +index 1259d52..397a80f 100644 +--- a/ntpd/ntp_proto.c ++++ b/ntpd/ntp_proto.c +@@ -1948,6 +1948,7 @@ clock_update( + } else if (leapsec > 0) { + report_event(EVNT_DISARMED, NULL, NULL); + leapsec = 0; ++ sys_leap = LEAP_NOWARNING; + } + break; + diff --git a/SOURCES/ntp-4.2.6p5-rawstats.patch b/SOURCES/ntp-4.2.6p5-rawstats.patch new file mode 100644 index 0000000..3e6fe67 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-rawstats.patch @@ -0,0 +1,142 @@ +commit 63b405a67040ad6545abb102bf0714ccb5a50558 +Author: +Date: Thu Dec 27 20:09:00 2012 -0500 + + ntp_util.c, ntpd.h, ChangeLog, ntp_proto.c: + Fix for bug 2081 + +diff -up ntp-4.2.6p5/include/ntpd.h.rawstats ntp-4.2.6p5/include/ntpd.h +--- ntp-4.2.6p5/include/ntpd.h.rawstats 2015-07-22 14:19:37.220167860 +0200 ++++ ntp-4.2.6p5/include/ntpd.h 2015-07-22 14:20:52.819392212 +0200 +@@ -244,7 +244,7 @@ extern void record_peer_stats (sockaddr_ + extern void record_proto_stats (char *); + extern void record_loop_stats (double, double, double, double, int); + extern void record_clock_stats (sockaddr_u *, const char *); +-extern void record_raw_stats (sockaddr_u *, sockaddr_u *, l_fp *, l_fp *, l_fp *, l_fp *); ++extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int poll, int precision, double root_delay, double root_dispersion, u_int32 refid); + extern u_long leap_month(u_long); + extern void record_crypto_stats (sockaddr_u *, const char *); + #ifdef DEBUG +diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.rawstats ntp-4.2.6p5/ntpd/ntp_proto.c +--- ntp-4.2.6p5/ntpd/ntp_proto.c.rawstats 2015-07-22 14:19:37.218167854 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-07-22 14:19:37.221167862 +0200 +@@ -1341,7 +1341,7 @@ process_packet( + double t34, t21; + double p_offset, p_del, p_disp; + l_fp p_rec, p_xmt, p_org, p_reftime, ci; +- u_char pmode, pleap, pstratum; ++ u_char pmode, pleap, pversion, pstratum; + char statstr[NTP_MAXSTRLEN]; + #ifdef ASSYM + int itemp; +@@ -1359,14 +1359,17 @@ process_packet( + NTOHL_FP(&pkt->xmt, &p_xmt); + pmode = PKT_MODE(pkt->li_vn_mode); + pleap = PKT_LEAP(pkt->li_vn_mode); ++ pversion = PKT_VERSION(pkt->li_vn_mode); + pstratum = PKT_TO_STRATUM(pkt->stratum); + + /* + * Capture the header values in the client/peer association.. + */ + record_raw_stats(&peer->srcadr, peer->dstadr ? +- &peer->dstadr->sin : NULL, &p_org, &p_rec, &p_xmt, +- &peer->dst); ++ &peer->dstadr->sin : NULL, ++ &p_org, &p_rec, &p_xmt, &peer->dst, ++ pleap, pversion, pmode, pstratum, pkt->ppoll, pkt->precision, ++ p_del, p_disp, pkt->refid); + peer->leap = pleap; + peer->stratum = min(pstratum, STRATUM_UNSPEC); + peer->pmode = pmode; +diff -up ntp-4.2.6p5/ntpd/ntp_util.c.rawstats ntp-4.2.6p5/ntpd/ntp_util.c +--- ntp-4.2.6p5/ntpd/ntp_util.c.rawstats 2010-10-22 09:37:31.000000000 +0200 ++++ ntp-4.2.6p5/ntpd/ntp_util.c 2015-07-22 14:19:37.221167862 +0200 +@@ -707,7 +707,16 @@ record_raw_stats( + l_fp *t1, /* originate timestamp */ + l_fp *t2, /* receive timestamp */ + l_fp *t3, /* transmit timestamp */ +- l_fp *t4 /* destination timestamp */ ++ l_fp *t4, /* destination timestamp */ ++ int leap, ++ int version, ++ int mode, ++ int stratum, ++ int poll, ++ int precision, ++ double root_delay, /* seconds */ ++ double root_dispersion,/* seconds */ ++ u_int32 refid + ) + { + l_fp now; +@@ -721,10 +730,13 @@ record_raw_stats( + day = now.l_ui / 86400 + MJD_1900; + now.l_ui %= 86400; + if (rawstats.fp != NULL) { +- fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s\n", day, +- ulfptoa(&now, 3), stoa(srcadr), dstadr ? +- stoa(dstadr) : "-", ulfptoa(t1, 9), ulfptoa(t2, 9), +- ulfptoa(t3, 9), ulfptoa(t4, 9)); ++ fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s\n", ++ day, ulfptoa(&now, 3), ++ stoa(srcadr), dstadr ? stoa(dstadr) : "-", ++ ulfptoa(t1, 9), ulfptoa(t2, 9), ++ ulfptoa(t3, 9), ulfptoa(t4, 9), ++ leap, version, mode, stratum, poll, precision, ++ root_delay, root_dispersion, refid_str(refid, stratum)); + fflush(rawstats.fp); + } + } + +commit f626c563dbf6c00c40f9d12e8200b427759ed0bf +Author: +Date: Sat Dec 25 06:12:51 2010 +0000 + + Add ntpq sysinfo command, similar to ntpdc's sysinfo. + +diff --git a/libntp/numtoa.c b/libntp/numtoa.c +index 36a7c58..0fbbab7 100644 +--- a/libntp/numtoa.c ++++ b/libntp/numtoa.c +@@ -31,3 +31,29 @@ numtoa( + (u_long)netnum & 0xff); + return buf; + } ++ ++ ++/* Convert a refid & stratum to a string */ ++const char * ++refid_str( ++ u_int32 refid, ++ int stratum ++ ) ++{ ++ char * text; ++ size_t tlen; ++ ++ if (stratum > 1) ++ return numtoa(refid); ++ ++ LIB_GETBUF(text); ++ text[0] = '.'; ++ strncpy(&text[1], (void *)&refid, sizeof(refid)); ++ text[1 + sizeof(refid)] = '\0'; ++ tlen = strlen(text); ++ text[tlen] = '.'; ++ text[tlen + 1] = '\0'; ++ ++ return text; ++} ++ +diff -up ntp-4.2.6p5/include/ntp_stdlib.h.rawstats ntp-4.2.6p5/include/ntp_stdlib.h +--- ntp-4.2.6p5/include/ntp_stdlib.h.rawstats 2015-07-22 15:13:16.870503486 +0200 ++++ ntp-4.2.6p5/include/ntp_stdlib.h 2015-07-22 15:14:21.893714802 +0200 +@@ -134,6 +134,7 @@ extern char * socktohost (const sockaddr + extern int octtoint (const char *, u_long *); + extern u_long ranp2 (int); + extern char * refnumtoa (sockaddr_u *); ++extern const char *refid_str (u_int32, int); + extern int tsftomsu (u_long, int); + extern char * uinttoa (u_long); + diff --git a/SOURCES/ntp-4.2.6p5-restrict46.patch b/SOURCES/ntp-4.2.6p5-restrict46.patch new file mode 100644 index 0000000..7add549 --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-restrict46.patch @@ -0,0 +1,12 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_parser.y.restrict46 ntp-4.2.6p5/ntpd/ntp_parser.y +--- ntp-4.2.6p5/ntpd/ntp_parser.y.restrict46 2015-12-03 18:14:32.378326330 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_parser.y 2015-12-03 18:21:08.369300132 +0100 +@@ -734,7 +734,7 @@ access_control_command + $4, + ip_file->line_no)); + } +- | T_Restrict ip_address T_Mask ip_address ac_flag_list ++ | T_Restrict address T_Mask ip_address ac_flag_list + { + enqueue(cfgt.restrict_opts, + create_restrict_node($2, $4, $5, ip_file->line_no)); diff --git a/SOURCES/ntpstat-0.2-manual.patch b/SOURCES/ntpstat-0.2-manual.patch new file mode 100644 index 0000000..99dbb6a --- /dev/null +++ b/SOURCES/ntpstat-0.2-manual.patch @@ -0,0 +1,41 @@ +diff -up ntp-4.2.6p5/ntpstat-0.2/ntpstat.1.manual ntp-4.2.6p5/ntpstat-0.2/ntpstat.1 +--- ntp-4.2.6p5/ntpstat-0.2/ntpstat.1.manual 2002-06-10 08:02:12.000000000 +0200 ++++ ntp-4.2.6p5/ntpstat-0.2/ntpstat.1 2015-12-04 17:28:23.379793604 +0100 +@@ -1,4 +1,4 @@ +-.TH ntpstat 1 "$Date: 2001/06/22 03:27:10 $" ++.TH ntpstat 1 + .UC 4 + .SH NAME + ntpstat \- show network time synchronisation status +@@ -6,12 +6,18 @@ ntpstat \- show network time synchronisa + .B ntpstat + .SH DESCRIPTION + .I ntpstat +-will report the synchronisation state of the NTP daemon ++will report the synchronisation state of the NTP daemon (ntpd) + running on the local machine. If the local system is found to be + synchronised to a reference time source, + .I ntpstat + will report the approximate time accuracy. + ++When the synchronised state is reported, it means the system clock was updated ++at some point. There is no timeout for this state. It will stay there even ++when the source becomes unreachable and there are no other sources available. ++However, the reported accuracy will be slowly increasing, in the default ntpd ++configuration by 15 microseconds per second. ++ + .SH RETURNS + .I ntpstat + returns 0 if clock is synchronised. +@@ -22,7 +28,10 @@ returns 2 if clock state is indeterminan + if ntpd is not contactable. + + .SH SEE ALSO +-ntpdc, ntpdq ++.BR ntp_misc (5), ++.BR ntpd (8), ++.BR ntpq (8), ++.BR ntpdc (8) + + .SH AUTHOR + G. Richard Keech (rkeech@redhat.com) diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec index 02b1f82..4bc1756 100644 --- a/SPECS/ntp.spec +++ b/SPECS/ntp.spec @@ -1,7 +1,7 @@ Summary: The NTP daemon and utilities Name: ntp Version: 4.2.6p5 -Release: 22%{?dist}.2 +Release: 25%{?dist} # primary license (COPYRIGHT) : MIT # ElectricFence/ (not used) : GPLv2 # kernel/sys/ppsclock.h (not used) : BSD with advertising @@ -133,27 +133,57 @@ Patch42: ntp-4.2.6p5-dscp.patch Patch43: ntp-4.2.6p5-cve-2015-7704.patch # allow only one step larger than panic threshold with -g Patch44: ntp-4.2.6p5-cve-2015-5300.patch +# ntpbz #2246 +Patch45: ntp-4.2.6p5-leapreset.patch +# ntpbz #2081 +Patch46: ntp-4.2.6p5-rawstats.patch +# ntpbz #2639, #2880 +Patch47: ntp-4.2.6p5-clockstate.patch +# ntpbz #2851 +Patch48: ntp-4.2.6p5-restrict46.patch +# ntpbz #1593 +Patch49: ntp-4.2.6p5-cve-2015-5194.patch +# fix crash when referencing disabled statistic type +Patch50: ntp-4.2.6p5-cve-2015-5195.patch +# don't hang in sntp with crafted reply +Patch51: ntp-4.2.6p5-cve-2015-5219.patch +# ntpbz #2909 +Patch52: ntp-4.2.6p5-cve-2015-7701.patch +# ntpbz #2899 +Patch53: ntp-4.2.6p5-cve-2015-7691_7692_7702.patch +# ntpbz #2919 +Patch54: ntp-4.2.6p5-cve-2015-7852.patch +# ntpbz #2902 +Patch55: ntp-4.2.6p5-cve-2015-7703.patch # ntpbz #2945 -Patch45: ntp-4.2.6p5-cve-2015-8138.patch +Patch56: ntp-4.2.6p5-cve-2015-8138.patch +# ntpbz #2939, #2940 +Patch57: ntp-4.2.6p5-cve-2015-7977_7978.patch +# ntpbz #2948 +Patch58: ntp-4.2.6p5-cve-2015-8158.patch +# ntpbz #2936 +Patch59: ntp-4.2.6p5-cve-2015-7974.patch # ntpbz #2942, ntpbz #3007 -Patch46: ntp-4.2.6p5-cve-2015-7979.patch +Patch60: ntp-4.2.6p5-cve-2015-7979.patch # ntpbz #2978 -Patch47: ntp-4.2.6p5-cve-2016-1548.patch +Patch61: ntp-4.2.6p5-cve-2016-1548.patch # ntpbz #3009 -Patch48: ntp-4.2.6p5-cve-2016-2518.patch +Patch62: ntp-4.2.6p5-cve-2016-2518.patch # ntpbz #2879 -Patch49: ntp-4.2.6p5-cve-2016-1550.patch +Patch63: ntp-4.2.6p5-cve-2016-1550.patch # handle unknown clock types -Patch50: ntpstat-0.2-clksrc.patch +Patch100: ntpstat-0.2-clksrc.patch # process first packet in multipacket response -Patch51: ntpstat-0.2-multipacket.patch +Patch101: ntpstat-0.2-multipacket.patch # use current system variable names -Patch52: ntpstat-0.2-sysvars.patch +Patch102: ntpstat-0.2-sysvars.patch # print synchronization distance instead of dispersion -Patch53: ntpstat-0.2-maxerror.patch +Patch103: ntpstat-0.2-maxerror.patch # fix error bit checking -Patch54: ntpstat-0.2-errorbit.patch +Patch104: ntpstat-0.2-errorbit.patch +# improve man page +Patch105: ntpstat-0.2-manual.patch URL: http://www.ntp.org Requires(post): systemd-units @@ -224,7 +254,7 @@ This package contains NTP documentation in HTML format. # pool.ntp.org vendor zone which will be used in ntp.conf %if 0%{!?vendorzone:1} %{?fedora: %global vendorzone fedora.} -%{?rhel: %global vendorzone centos.} +%{?rhel: %global vendorzone rhel.} %endif %prep @@ -275,18 +305,33 @@ This package contains NTP documentation in HTML format. %patch42 -p1 -b .dscp %patch43 -p1 -b .cve-2015-7704 %patch44 -p1 -b .cve-2015-5300 -%patch45 -p1 -b .cve-2015-8138 -%patch46 -p1 -b .cve-2015-7979 -%patch47 -p1 -b .cve-2016-1548 -%patch48 -p1 -b .cve-2016-2518 -%patch49 -p1 -b .cve-2016-1550 +%patch45 -p1 -b .leapreset +%patch46 -p1 -b .rawstats +%patch47 -p1 -b .clockstate +%patch48 -p1 -b .restrict46 +%patch49 -p1 -b .cve-2015-5194 +%patch50 -p1 -b .cve-2015-5195 +%patch51 -p1 -b .cve-2015-5219 +%patch52 -p1 -b .cve-2015-7701 +%patch53 -p1 -b .cve-2015-7691_7692_7702 +%patch54 -p1 -b .cve-2015-7852 +%patch55 -p1 -b .cve-2015-7703 +%patch56 -p1 -b .cve-2015-8138 +%patch57 -p1 -b .cve-2015-7977_7978 +%patch58 -p1 -b .cve-2015-8158 +%patch59 -p1 -b .cve-2015-7974 +%patch60 -p1 -b .cve-2015-7979 +%patch61 -p1 -b .cve-2016-1548 +%patch62 -p1 -b .cve-2016-2518 +%patch63 -p1 -b .cve-2016-1550 # ntpstat patches -%patch50 -p1 -b .clksrc -%patch51 -p1 -b .multipacket -%patch52 -p1 -b .sysvars -%patch53 -p1 -b .maxerror -%patch54 -p1 -b .errorbit +%patch100 -p1 -b .clksrc +%patch101 -p1 -b .multipacket +%patch102 -p1 -b .sysvars +%patch103 -p1 -b .maxerror +%patch104 -p1 -b .errorbit +%patch105 -p1 -b .manual # set default path to sntp KoD database sed -i 's|/var/db/ntp-kod|%{_localstatedir}/lib/sntp/kod|' sntp/{sntp.1,main.c} @@ -497,19 +542,32 @@ popd %{ntpdocdir}/html %changelog -* Tue May 31 2016 CentOS Sources - 4.2.6p5-22.el7.centos.2 -- rebrand vendorzone - -* Tue May 03 2016 Miroslav Lichvar 4.2.6p5-22.el7_2.2 -- don't allow spoofed packets to demobilize associations (CVE-2015-7979, - CVE-2016-1547) +* Tue May 03 2016 Miroslav Lichvar 4.2.6p5-25 - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548) - check mode of new source in config command (CVE-2016-2518) - make MAC check resilient against timing attack (CVE-2016-1550) -* Wed Jan 20 2016 Miroslav Lichvar 4.2.6p5-22.el7_2.1 +* Tue Mar 15 2016 Miroslav Lichvar 4.2.6p5-24 +- fix crash with invalid logconfig command (CVE-2015-5194) +- fix crash when referencing disabled statistic type (CVE-2015-5195) +- don't hang in sntp with crafted reply (CVE-2015-5219) +- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692, + CVE-2015-7702) +- fix memory leak with autokey (CVE-2015-7701) +- don't allow setting driftfile and pidfile remotely (CVE-2015-7703) +- don't crash in ntpq with crafted packet (CVE-2015-7852) +- check key ID in packets authenticated with symmetric key (CVE-2015-7974) +- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978) +- don't allow spoofed packets to demobilize associations (CVE-2015-7979, + CVE-2016-1547) - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138) +- fix infinite loop in ntpq/ntpdc (CVE-2015-8158) +- fix resetting of leap status (#1242553) +- extend rawstats log (#1242877) +- report clock state changes related to leap seconds (#1242935) +- allow -4/-6 on restrict lines with mask (#1304492) +- explain synchronised state in ntpstat man page (#1309594) * Fri Oct 16 2015 Miroslav Lichvar 4.2.6p5-22 - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)