diff --git a/SOURCES/ntp-4.2.6p5-cve-2020-11868.patch b/SOURCES/ntp-4.2.6p5-cve-2020-11868.patch
new file mode 100644
index 0000000..705f792
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2020-11868.patch
@@ -0,0 +1,36 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2020-11868 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2020-11868 2020-05-26 13:03:53.778232633 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2020-05-26 13:04:41.367347264 +0200
+@@ -1044,6 +1044,10 @@ receive(
+ if (L_ISZERO(&p_xmt)) {
+ peer->flash |= TEST3; /* unsynch */
+ 
++ /* Don't update the state in client mode. */
++ if (peer->hmode == MODE_CLIENT)
++ return;
++
+ /*
+ * If the transmit timestamp duplicates a previous one, the
+ * packet is a replay. This prevents the bad guys from replaying
+@@ -1077,6 +1081,11 @@ receive(
+ if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) {
+ peer->bogusorg++;
+ peer->flash |= TEST2; /* bogus */
++
++ /* Don't update the state in client mode. */
++ if (peer->hmode == MODE_CLIENT)
++ return;
++
+ if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
+ &peer->dst)) {
+ xleave_mismatch = 1;
+@@ -1410,7 +1419,8 @@ process_packet(
+ if (peer->burst > 0)
+ peer->nextdate = current_time;
+ }
+- poll_update(peer, peer->hpoll);
++ if (!(peer->flash & PKT_TEST_MASK))
++ poll_update(peer, peer->hpoll);
+ 
+ /*
+ * Verify the server is synchronized; that is, the leap bits,
diff --git a/SOURCES/ntp-4.2.6p5-randomtx.patch b/SOURCES/ntp-4.2.6p5-randomtx.patch
new file mode 100644
index 0000000..7bd2ba7
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-randomtx.patch
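Review bot: The two guards added in receive() say only `Don't update the state in client mode.` without recording why returning at that point matters, and the third hunk's `if (!(peer->flash & PKT_TEST_MASK))` around poll_update() in process_packet() carries no comment at all, although the three checks are one fix and deserve one explanation. A reply that is unsynchronised (TEST3) or whose origin timestamp does not match what the client sent (TEST2) has not shown that it came from the server, so letting it reach the code that reschedules the next poll would let a forged reply influence when the client transmits next, which is what CVE-2020-11868 is about. I would extend the first comment to `/* Don't update the state in client mode: a reply that failed the origin/xmt checks is not known to be from the server and must not alter the poll schedule (CVE-2020-11868). */` and put a one-line comment on the poll_update() guard pointing back to it. Both receive() and process_packet() start and end outside the hunk, so whether the early return skips later bookkeeping in receive() (statistics, or the peer->dst/xmt updates) cannot be confirmed here and is worth checking in the full function.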
@@ -0,0 +1,76 @@
+diff -up ntp-4.2.6p5/include/ntp.h.randomtx ntp-4.2.6p5/include/ntp.h
+--- ntp-4.2.6p5/include/ntp.h.randomtx 2020-05-27 16:11:23.206229510 +0200
++++ ntp-4.2.6p5/include/ntp.h 2020-05-27 16:11:23.217229536 +0200
+@@ -351,6 +351,7 @@ struct peer {
+ l_fp dst; /* destination timestamp */
+ l_fp aorg; /* origin timestamp */
+ l_fp borg; /* alternate origin timestamp */
++ l_fp xorg; /* hidden origin timestamp (client mode) */
+ double offset; /* peer clock offset */
+ double delay; /* peer roundtrip delay */
+ double jitter; /* peer jitter (squares) */
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.randomtx ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.randomtx 2020-05-27 16:11:23.216229533 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2020-05-28 09:02:50.973320647 +0200
+@@ -1563,14 +1563,14 @@ process_packet(
+ /*
+ * Basic mode, otherwise known as the old fashioned way.
+ *
+- * t1 = p_org, t2 = p_rec, t3 = p_xmt, t4 = peer->dst
++ * t1 = peer->xorg, t2 = p_rec, t3 = p_xmt, t4 = peer->dst
+ */
+ } else {
+ ci = p_xmt; /* t3 - t4 */
+ L_SUB(&ci, &peer->dst);
+ LFPTOD(&ci, t34);
+ ci = p_rec; /* t2 - t1 */
+- L_SUB(&ci, &p_org);
++ L_SUB(&ci, &peer->xorg);
+ LFPTOD(&ci, t21);
+ p_del = fabs(t21 - t34);
+ p_offset = (t21 + t34) / 2.;
+@@ -2942,6 +2942,16 @@ peer_xmit(
+ HTONL_FP(&peer->rec, &xpkt.org);
+ HTONL_FP(&peer->dst, &xpkt.rec);
+ 
++ /* Generate a random transmit timestamp in the client mode to
++ make the server origin timestamp unpredictable */
++ if (peer->flip == 0 && peer->hmode == MODE_CLIENT) {
++ if (ntp_crypto_random_buf(&peer->aorg, sizeof (peer->aorg))) {
++ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++ exit(1);
++ }
++ xpkt.precision = 32;
++ }
++
+ /*
+ * If the received packet contains a MAC, the transmitted packet
+ * is authenticated and contains a MAC. 
If not, the transmitted
+@@ -2965,9 +2975,11 @@ peer_xmit(
+ * Transmit a-priori timestamps
+ */
+ get_systime(&xmt_tx);
++ peer->xorg = xmt_tx;
+ if (peer->flip == 0) { /* basic mode */
+- peer->aorg = xmt_tx;
+- HTONL_FP(&xmt_tx, &xpkt.xmt);
++ if (peer->hmode != MODE_CLIENT)
++ peer->aorg = xmt_tx;
++ HTONL_FP(&peer->aorg, &xpkt.xmt);
+ } else { /* interleaved modes */
+ if (peer->hmode == MODE_BROADCAST) { /* bcst */
+ HTONL_FP(&xmt_tx, &xpkt.xmt);
+@@ -3266,9 +3278,11 @@ peer_xmit(
+ * Transmit a-priori timestamps
+ */
+ get_systime(&xmt_tx);
++ peer->xorg = xmt_tx;
+ if (peer->flip == 0) { /* basic mode */
+- peer->aorg = xmt_tx;
+- HTONL_FP(&xmt_tx, &xpkt.xmt);
++ if (peer->hmode != MODE_CLIENT)
++ peer->aorg = xmt_tx;
++ HTONL_FP(&peer->aorg, &xpkt.xmt);
+ } else { /* interleaved modes */
+ if (peer->hmode == MODE_BROADCAST) { /* bcst */
+ HTONL_FP(&xmt_tx, &xpkt.xmt);
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 178a961..a789633 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 29%{?dist}
+Release: 29%{?dist}.2
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -200,6 +200,10 @@ Patch76: ntp-4.2.6p5-decodenetnum.patch
 Patch77: ntp-4.2.6p5-netlinkdrop.patch
 # ntpbz #2890
 Patch78: ntp-4.2.6p5-netlinknobuf.patch
+# ntpbz #3592
+Patch79: ntp-4.2.6p5-cve-2020-11868.patch
+# ntpbz #3596
+Patch80: ntp-4.2.6p5-randomtx.patch
 # add bugs for compatibility with original EL7 ntpstat
 Patch100: ntpstat-compat.patch
@@ -273,7 +277,7 @@ This package contains NTP documentation in HTML format.
 # pool.ntp.org vendor zone which will be used in ntp.conf
 %if 0%{!?vendorzone:1}
 %{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
 %endif
 %prep
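Review bot: `exit(1)` inside peer_xmit() when ntp_crypto_random_buf() fails ends the whole daemon from a per-peer transmit path, and the msyslog() text names neither the peer nor the cause, so an operator is left with only `ntp_crypto_random_buf() failed.` to explain why ntpd disappeared. Since the randomised aorg is a hardening of the request rather than something the packet cannot be built without, a softer failure — log with the peer address, skip this transmit and let the peer be retried at its next poll, never falling back to a predictable timestamp — arguably fits better, though whether ntpd has a standard fatal-exit helper that should be used instead cannot be seen from the hunk. The bare `xpkt.precision = 32;` also needs a comment: presumably 32 (2^32 s) marks the transmit timestamp as carrying no usable precision now that it is random, e.g. `/* xmt is random, so advertise no meaningful precision (2^32 s) */`, but that intent should be confirmed. The same basic-mode block is patched identically at @@ -2965 and @@ -3266, both inside peer_xmit(), so a small static helper would keep the two copies from drifting; peer_xmit() and process_packet() both start and end outside the hunk.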
@@ -358,6 +362,8 @@ This package contains NTP documentation in HTML format.
 %patch76 -p1 -b .decodenetnum
 %patch77 -p1 -b .netlinkdrop
 %patch78 -p1 -b .netlinknobuf
+%patch79 -p1 -b .cve-2020-11868
+%patch80 -p1 -b .randomtx
 %patch100 -p1 -b .compat
@@ -568,8 +574,9 @@ popd
 %{ntpdocdir}/html
 %changelog
-* Tue Aug 06 2019 CentOS Sources - 4.2.6p5-29.el7.centos
-- rebrand vendorzone
+* Mon Jun 01 2020 Miroslav Lichvar 4.2.6p5-29.el7_8.2
+- don't update transmission time on invalid response (CVE-2020-11868)
+- randomize transmit timestamp in client requests (CVE-?, #1813787)
 * Fri Jan 11 2019 Miroslav Lichvar 4.2.6p5-29
 - fix CVE-2016-7429 patch to restore default ttl configuration (#1550637)