diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-7426.patch b/SOURCES/ntp-4.2.6p5-cve-2016-7426.patch
new file mode 100644
index 0000000..5f24774
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-7426.patch
@@ -0,0 +1,74 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 2016-11-21 16:14:42.804048665 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-11-21 17:32:45.619107824 +0100
+@@ -473,30 +473,7 @@ receive(
+ }
+
+ /*
+- * Update the MRU list and finger the cloggers. It can be a
+- * little expensive, so turn it off for production use.
+- */
+- restrict_mask = ntp_monitor(rbufp, restrict_mask);
+- if (restrict_mask & RES_LIMITED) {
+- sys_limitrejected++;
+- if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
+- hismode || MODE_SERVER == hismode)
+- return; /* rate exceeded */
+-
+- if (hismode == MODE_CLIENT)
+- fast_xmit(rbufp, MODE_SERVER, skeyid,
+- restrict_mask);
+- else
+- fast_xmit(rbufp, MODE_ACTIVE, skeyid,
+- restrict_mask);
+- return; /* rate exceeded */
+- }
+- restrict_mask &= ~RES_KOD;
+-
+- /*
+- * We have tossed out as many buggy packets as possible early in
+- * the game to reduce the exposure to a clogging attack. now we
+- * have to burn some cycles to find the association and
++ * now we have to burn some cycles to find the association and
+ * authenticate the packet if required. Note that we burn only
+ * MD5 cycles, again to reduce exposure. There may be no
+ * matching association and that's okay.
+@@ -519,6 +496,27 @@ receive(
+ NTOHL_FP(&pkt->xmt, &p_xmt);
+
+ /*
++ * Update the MRU list and finger the cloggers. It can be a
++ * little expensive, so turn it off for production use.
++ */
++ restrict_mask = ntp_monitor(rbufp, restrict_mask);
++ if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) {
++ sys_limitrejected++;
++ if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
++ hismode || MODE_SERVER == hismode)
++ return; /* rate exceeded */
++
++ if (hismode == MODE_CLIENT)
++ fast_xmit(rbufp, MODE_SERVER, skeyid,
++ restrict_mask);
++ else
++ fast_xmit(rbufp, MODE_ACTIVE, skeyid,
++ restrict_mask);
++ return; /* rate exceeded */
++ }
++ restrict_mask &= ~RES_KOD;
++
++ /*
+ * Authentication is conditioned by three switches:
+ *
+ * NOPEER (RES_NOPEER) do not mobilize an association unless
+@@ -940,6 +938,10 @@ receive(
+ case AM_NEWPASS:
+ if (!AUTH(sys_authenticate | (restrict_mask &
+ (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
++ if (restrict_mask & RES_LIMITED) {
++ sys_limitrejected++;
++ return;
++ }
+
+ /*
+ * If authenticated but cannot mobilize an
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-7429.patch b/SOURCES/ntp-4.2.6p5-cve-2016-7429.patch
new file mode 100644
index 0000000..0a8c228
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-7429.patch
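Review bot: The new guard `if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) {` mixes a bitwise and a logical operator without parentheses; it is correct because `&` binds tighter than `&&`, but it trips `-Wparentheses` and hides that the rate limit now applies only to client-mode requests that matched no association, so I would write `if ((restrict_mask & RES_LIMITED) && AM_FXMIT == retcode) {`. Since `ntp_monitor()` is still invoked for every packet, a spoofed flood still drives the source address's MRU entry into the limited state; the change only stops that state from dropping or KoD-ing packets that match an existing association, which appears to be the intent of the fix. In the `AM_NEWPASS` hunk the limited check sits inside the `!AUTH(...)` branch, so an authenticated symmetric-active packet over the rate limit can still mobilize a passive association -- presumably deliberate, but a one-line comment such as `/* over the rate limit: only unauthenticated mobilizations are refused */` would save the next reader the question. `receive()` starts and ends outside these hunks.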
@@ -0,0 +1,39 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_peer.c.cve-2016-7429 ntp-4.2.6p5/ntpd/ntp_peer.c
+--- ntp-4.2.6p5/ntpd/ntp_peer.c.cve-2016-7429 2016-11-21 16:47:51.738767270 +0100
++++ ntp-4.2.6p5/ntpd/ntp_peer.c 2016-11-21 16:52:02.434034046 +0100
+@@ -241,7 +241,8 @@ findpeer(
+ hash = NTP_HASH_ADDR(srcadr);
+ for (p = peer_hash[hash]; p != NULL; p = p->next) {
+ if (SOCK_EQ(srcadr, &p->srcadr) &&
+- NSRCPORT(srcadr) == NSRCPORT(&p->srcadr)) {
++ NSRCPORT(srcadr) == NSRCPORT(&p->srcadr) &&
++ p->dstadr == rbufp->dstadr) {
+
+ /*
+ * if the association matching rules determine
+@@ -288,13 +289,6 @@ findpeer(
+ */
+ if (NULL == p) {
+ *action = MATCH_ASSOC(NO_PEER, pkt_mode);
+- } else if (p->dstadr != rbufp->dstadr) {
+- set_peerdstadr(p, rbufp->dstadr);
+- if (p->dstadr == rbufp->dstadr) {
+- DPRINTF(1, ("Changed %s local address to match response\n",
+- stoa(&p->srcadr)));
+- return findpeer(rbufp, pkt_mode, action);
+- }
+ }
+ return p;
+ }
+@@ -548,6 +542,11 @@ set_peerdstadr(
+ {
+ struct peer * unlinked;
+
++ DEBUG_INSIST(p != NULL);
++
++ if (p == NULL)
++ return;
++
+ if (p->dstadr == dstadr)
+ return;
+
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-7433.patch b/SOURCES/ntp-4.2.6p5-cve-2016-7433.patch
new file mode 100644
index 0000000..16dba95
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-7433.patch
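Review bot: The added `p->dstadr == rbufp->dstadr` match condition silently skips an association whose bound interface differs from the one the packet arrived on, whereas the removed branch at least logged the interface switch at debug level 1; a reply from a configured source arriving on another local interface now falls through to the `NULL == p` path with no trace of why. I would add an `else` to that `if` with `DPRINTF(2, ("findpeer: %s ignored, local address mismatch\n", stoa(srcadr)));` so an operator can tell an interface change apart from a dead source. The `DEBUG_INSIST(p != NULL)` followed by the runtime `if (p == NULL) return;` in `set_peerdstadr()` is a reasonable belt-and-braces guard, assuming `DEBUG_INSIST` is defined in this 4.2.6p5 tree's ntp_assert.h (it is in 4.2.8; confirm here). Both `findpeer()` and `set_peerdstadr()` continue outside the hunks.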
@@ -0,0 +1,23 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7433 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7433 2016-11-21 17:54:29.604704343 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-11-21 17:55:04.231569928 +0100
+@@ -2914,8 +2914,7 @@ root_distance(
+ * where:
+ * delta is the round-trip delay
+ * DELTA is the root delay
+- * epsilon is the remote server precision + local precision
+- * + (15 usec each second)
++ * epsilon is the peer dispersion (15 usec each second)
+ * EPSILON is the root dispersion
+ * phi is the peer jitter statistic
+ *
+@@ -2926,8 +2925,7 @@ root_distance(
+ * other worse choices.
+ */
+ dtemp = (peer->delay + peer->rootdelay) / 2
+- + LOGTOD(peer->precision)
+- + LOGTOD(sys_precision)
++ + peer->disp
+ + clock_phi * (current_time - peer->update)
+ + peer->rootdisp
+ + peer->jitter;
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-9310.patch b/SOURCES/ntp-4.2.6p5-cve-2016-9310.patch
new file mode 100644
index 0000000..c5eb750
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-9310.patch
@@ -0,0 +1,16 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9310 ntp-4.2.6p5/ntpd/ntp_control.c
+--- ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9310 2016-11-21 16:30:56.826396891 +0100
++++ ntp-4.2.6p5/ntpd/ntp_control.c 2016-11-21 16:31:54.171830390 +0100
+@@ -88,9 +88,9 @@ static struct ctl_proc control_codes[] =
+ { CTL_OP_READVAR, NOAUTH, read_variables },
+ { CTL_OP_WRITEVAR, AUTH, write_variables },
+ { CTL_OP_READCLOCK, NOAUTH, read_clock_status },
+- { CTL_OP_WRITECLOCK, NOAUTH, write_clock_status },
+- { CTL_OP_SETTRAP, NOAUTH, set_trap },
+- { CTL_OP_UNSETTRAP, NOAUTH, unset_trap },
++ { CTL_OP_WRITECLOCK, AUTH, write_clock_status },
++ { CTL_OP_SETTRAP, AUTH, set_trap },
++ { CTL_OP_UNSETTRAP, AUTH, unset_trap },
+ { CTL_OP_SAVECONFIG, AUTH, save_config },
+ { CTL_OP_CONFIGURE, AUTH, configure },
+ { NO_REQUEST, 0 }
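Review bot: The rewritten comment line `* epsilon is the peer dispersion (15 usec each second)` reads as if the dispersion itself were 15 usec per second, but in the expression below `peer->disp` and the `clock_phi * (current_time - peer->update)` growth term are separate summands, which the old two-line wording kept apart. I would restore that split: `* epsilon is the peer dispersion` followed by `*     + (15 usec each second)`. The substantive change, replacing the two `LOGTOD(...)` precision terms with `peer->disp`, is what the CVE fix is about and looks right against the formula in the header comment. `root_distance()` starts and ends outside the hunk.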
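Review bot: Flipping `CTL_OP_WRITECLOCK`, `CTL_OP_SETTRAP` and `CTL_OP_UNSETTRAP` to `AUTH` closes unauthenticated trap registration, but this table only decides whether a valid MAC is demanded, so the protection is only as good as the configured keys; the packaged ntp.conf should still carry `notrap` and `nomodify` on its `restrict default` lines, and that file is not in this diff -- worth confirming. `CTL_OP_READVAR` and `CTL_OP_READCLOCK` deliberately stay `NOAUTH`, so mode 6 reads remain reachable by anyone not covered by `noquery`. A comment above the table, `/* every op that changes daemon state must be AUTH (CVE-2016-9310) */`, would make a future addition less likely to regress this.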
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-9311.patch b/SOURCES/ntp-4.2.6p5-cve-2016-9311.patch new file mode 100644 index 0000000..8be2dfd --- /dev/null +++ b/SOURCES/ntp-4.2.6p5-cve-2016-9311.patch @@ -0,0 +1,36 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9311 ntp-4.2.6p5/ntpd/ntp_control.c +--- ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9311 2016-11-21 16:14:42.800048565 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_control.c 2016-11-21 16:18:24.484590147 +0100 +@@ -3080,6 +3080,22 @@ report_event( + if (num_ctl_traps <= 0) + return; + ++ /* [Bug 3119] ++ * Peer Events should be associated with a peer -- hence the ++ * name. But there are instances where this function is called ++ * *without* a valid peer. This happens e.g. with an unsolicited ++ * CryptoNAK, or when a leap second alarm is going off while ++ * currently without a system peer. ++ * ++ * The most sensible approach to this seems to bail out here if ++ * this happens. Avoiding to call this function would also ++ * bypass the log reporting in the first part of this function, ++ * and this is probably not the best of all options. ++ * -*-perlinger@ntp.org-*- ++ */ ++ if ((err & PEER_EVENT) && !peer) ++ return; ++ + /* + * Set up the outgoing packet variables + */ +@@ -3104,8 +3120,7 @@ report_event( + #endif /* OPENSSL */ + ctl_putsys(i); + } +- } else { +- NTP_INSIST(peer != NULL); ++ } else if (NULL != peer) { /* paranoia -- skip output */ + rpkt.associd = htons(peer->associd); + rpkt.status = htons(ctlpeerstatus(peer)); + diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec index 1a1ce9b..1a74942 100644 --- a/SPECS/ntp.spec +++ b/SPECS/ntp.spec @@ -1,7 +1,7 @@ Summary: The NTP daemon and utilities Name: ntp Version: 4.2.6p5 -Release: 25%{?dist} +Release: 25%{?dist}.1 # primary license (COPYRIGHT) : MIT # ElectricFence/ (not used) : GPLv2 # kernel/sys/ppsclock.h (not used) : BSD with advertising 
@@ -171,6 +171,16 @@ Patch61: ntp-4.2.6p5-cve-2016-1548.patch Patch62: ntp-4.2.6p5-cve-2016-2518.patch # ntpbz #2879 Patch63: ntp-4.2.6p5-cve-2016-1550.patch +# ntpbz #3071 +Patch64: ntp-4.2.6p5-cve-2016-7426.patch +# ntpbz #3072 +Patch65: ntp-4.2.6p5-cve-2016-7429.patch +# ntpbz #3067 +Patch66: ntp-4.2.6p5-cve-2016-7433.patch +# ntpbz #3118 +Patch67: ntp-4.2.6p5-cve-2016-9310.patch +# ntpbz #3119 +Patch68: ntp-4.2.6p5-cve-2016-9311.patch # handle unknown clock types Patch100: ntpstat-0.2-clksrc.patch @@ -254,7 +264,7 @@ This package contains NTP documentation in HTML format. # pool.ntp.org vendor zone which will be used in ntp.conf %if 0%{!?vendorzone:1} %{?fedora: %global vendorzone fedora.} -%{?rhel: %global vendorzone centos.} +%{?rhel: %global vendorzone rhel.} %endif %prep @@ -324,6 +334,11 @@ This package contains NTP documentation in HTML format. %patch61 -p1 -b .cve-2016-1548 %patch62 -p1 -b .cve-2016-2518 %patch63 -p1 -b .cve-2016-1550 +%patch64 -p1 -b .cve-2016-7426 +%patch65 -p1 -b .cve-2016-7429 +%patch66 -p1 -b .cve-2016-7433 +%patch67 -p1 -b .cve-2016-9310 +%patch68 -p1 -b .cve-2016-9311 # ntpstat patches %patch100 -p1 -b .clksrc @@ -542,8 +557,12 @@ popd %{ntpdocdir}/html %changelog -* Thu Nov 03 2016 CentOS Sources - 4.2.6p5-25.el7.centos -- rebrand vendorzone +* Wed Jan 11 2017 Miroslav Lichvar 4.2.6p5-25.el7_3.1 +- don't limit rate of packets from sources (CVE-2016-7426) +- don't change interface from received packets (CVE-2016-7429) +- fix calculation of root distance again (CVE-2016-7433) +- require authentication for trap commands (CVE-2016-9310) +- fix crash when reporting peer event to trappers (CVE-2016-9311) * Tue May 03 2016 Miroslav Lichvar 4.2.6p5-25 - don't allow spoofed packet to enable symmetric interleaved mode
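Review bot: The `vendorzone` hunk switches the pool zone used for ntp.conf on RHEL-family builds from `centos.` back to `rhel.`, and the `%changelog` hunk deletes the `CentOS Sources - rebrand vendorzone` entry rather than adding the new entry above it, so both the setting and its only record disappear while the new changelog lines mention only the five CVE fixes. If this tree is a CentOS import, a follow-up rebrand commit is presumably expected; otherwise the new entry should say so, e.g. `- use rhel. vendor zone in ntp.conf`. The five `Patch64`-`Patch68` declarations, their `%patch` applications and the `Release` bump to `25%{?dist}.1` are consistent with the added files and with `4.2.6p5-25.el7_3.1`. The changelog hunk's trailing context runs past the end of the page.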