diff -Nru ntp-4.2.8p4+dfsg/debian/changelog ntp-4.2.8p4+dfsg/debian/changelog --- ntp-4.2.8p4+dfsg/debian/changelog 2017-01-19 11:06:04.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/changelog 2017-06-28 14:25:51.000000000 +0000 @@ -1,3 +1,69 @@ +ntp (1:4.2.8p4+dfsg-3ubuntu5.5) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS via large request data value + - debian/patches/CVE-2016-2519.patch: check packet in + ntpd/ntp_control.c. + - CVE-2016-2519 + * SECURITY UPDATE: DoS via responses with a spoofed source address + - debian/patches/CVE-2016-7426.patch: improve rate limiting in + ntpd/ntp_proto.c. + - CVE-2016-7426 + * SECURITY UPDATE: DoS via crafted broadcast mode packet + - debian/patches/CVE-2016-7427-1.patch: improve replay prevention + logic in ntpd/ntp_proto.c. + - CVE-2016-7427 + * SECURITY UPDATE: DoS via poll interval in a broadcast packet + - debian/patches/CVE-2016-7428.patch: ensure at least one poll interval + has elapsed in ntpd/ntp_proto.c, include/ntp.h. + - CVE-2016-7428 + * SECURITY UPDATE: DoS via response for a source to an interface the + source does not use + - debian/patches/CVE-2016-7429-1.patch: add extra checks to + ntpd/ntp_peer.c. + - debian/patches/CVE-2016-7429-2.patch: check for NULL first in + ntpd/ntp_peer.c. + - debian/patches/CVE-2016-7429-3.patch: fix multicastclient regression + in ntpd/ntp_peer.c. + - CVE-2016-7429 + * SECURITY UPDATE: incorrect initial sync calculations + - debian/patches/CVE-2016-7433.patch: use peer dispersion in + ntpd/ntp_proto.c. + - CVE-2016-7433 + * SECURITY UPDATE: DoS via crafted mrulist query + - debian/patches/CVE-2016-7434.patch: added missing parameter + validation to ntpd/ntp_control.c. + - CVE-2016-7434 + * SECURITY UPDATE: traps can be set or unset via a crafted control mode + packet + - debian/patches/CVE-2016-9310.patch: require AUTH in + ntpd/ntp_control.c. + - CVE-2016-9310 + * SECURITY UPDATE: DoS when trap service is enabled + - debian/patches/CVE-2016-9311.patch: make sure peer events are + associated with a peer in ntpd/ntp_control.c. + - CVE-2016-9311 + * SECURITY UPDATE: potential Overflows in ctl_put() functions + - debian/patches/CVE-2017-6458.patch: check lengths in + ntpd/ntp_control.c. + - CVE-2017-6458 + * SECURITY UPDATE: overflow via long flagstr variable + - debian/patches/CVE-2017-6460.patch: check length in ntpq/ntpq-subs.c. + - CVE-2017-6460 + * SECURITY UPDATE: buffer overflow in DPTS refclock driver + - debian/patches/CVE-2017-6462.patch: don't overrun buffer in + ntpd/refclock_datum.c. + - CVE-2017-6462 + * SECURITY UPDATE: DoS via invalid setting in a :config directive + - debian/patches/CVE-2017-6463.patch: protect against overflow in + ntpd/ntp_config.c. + - CVE-2017-6463 + * SECURITY UPDATE: Dos via malformed mode configuration directive + - debian/patches/CVE-2017-6464.patch: validate directives in + ntpd/ntp_config.c, ntpd/ntp_proto.c. + - CVE-2017-6464 + + -- Marc Deslauriers Wed, 28 Jun 2017 10:23:27 -0400 + ntp (1:4.2.8p4+dfsg-3ubuntu5.4) xenial; urgency=medium * Fix ntp.dhcp to also check for pool and better handle spaces and tabs. diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-2519.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-2519.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-2519.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-2519.patch 2017-06-28 13:22:11.000000000 +0000 @@ -0,0 +1,237 @@ + + + TOPntp-stable1.3639 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-02-17 09:30:05+01:00, jnperlin@hydra.localnet + [Bug 3008] ctl_getitem() return value not always checked + +==== ChangeLog ==== + +2016-02-17 09:30:05+01:00, jnperlin@hydra.localnet +3 -0 + [Bug 3008] ctl_getitem() return value not always checked +#--- 1.1801/ChangeLog 2016-02-06 07:43:23 +00:00 +#+++ 1.1802/ChangeLog 2016-02-17 08:30:05 +00:00 +#@@ -10,6 +10,9 @@ +# with some modifications & unit tests +# * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org +# * [Bug 2995] Fixes to compile on Windows +#+* [Bug 3008] ctl_getitem() return value not always checked. +#+ - initial work by HSten +#+ - cleanup of ctl_getitem by perlinger@ntp.org +# * Document ntp.key's optional IP list in authenetic.html. Harlan Stenn. +# * Update html/xleave.html documentation. Harlan Stenn. +# * Update ntp.conf documentation. Harlan Stenn. +# +#==== ntpd/ntp_control.c ==== +# +#2016-02-17 09:30:05+01:00, jnperlin@hydra.localnet +101 -58 +# [Bug 3008] ctl_getitem() return value not always checked +# - also some cleanup of ctl_getitem +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_control.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_control.c 2017-06-28 09:22:09.366334350 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_control.c 2017-06-28 09:22:09.346334086 -0400 +@@ -3064,83 +3064,117 @@ ctl_getitem( + char **data + ) + { ++ /* [Bug 3008] First check the packet data sanity, then search ++ * the key. This improves the consistency of result values: If ++ * the result is NULL once, it will never be EOV again for this ++ * packet; If it's EOV, it will never be NULL again until the ++ * variable is found and processed in a given 'var_list'. (That ++ * is, a result is returned that is neither NULL nor EOV). ++ */ + static const struct ctl_var eol = { 0, EOV, NULL }; + static char buf[128]; + static u_long quiet_until; + const struct ctl_var *v; +- const char *pch; + char *cp; + char *tp; + + /* +- * Delete leading commas and white space ++ * Part One: Validate the packet state + */ ++ ++ /* Delete leading commas and white space */ + while (reqpt < reqend && (*reqpt == ',' || + isspace((unsigned char)*reqpt))) + reqpt++; + if (reqpt >= reqend) + return NULL; + ++ /* Scan the string in the packet until we hit comma or ++ * EoB. Register position of first '=' on the fly. */ ++ for (tp = NULL, cp = reqpt; cp != reqend; ++cp) { ++ if (*cp == '=' && tp == NULL) ++ tp = cp; ++ if (*cp == ',') ++ break; ++ } ++ ++ /* Process payload, if any. */ ++ *data = NULL; ++ if (NULL != tp) { ++ /* eventually strip white space from argument. */ ++ const char *plhead = tp + 1; /* skip the '=' */ ++ const char *pltail = cp; ++ size_t plsize; ++ ++ while (plhead != pltail && isspace((u_char)plhead[0])) ++ ++plhead; ++ while (plhead != pltail && isspace((u_char)pltail[-1])) ++ --pltail; ++ ++ /* check payload size, terminate packet on overflow */ ++ plsize = (size_t)(pltail - plhead); ++ if (plsize >= sizeof(buf)) ++ goto badpacket; ++ ++ /* copy data, NUL terminate, and set result data ptr */ ++ memcpy(buf, plhead, plsize); ++ buf[plsize] = '\0'; ++ *data = buf; ++ } else { ++ /* no payload, current end --> current name termination */ ++ tp = cp; ++ } ++ ++ /* Part Two ++ * ++ * Now we're sure that the packet data itself is sane. Scan the ++ * list now. Make sure a NULL list is properly treated by ++ * returning a synthetic End-Of-Values record. We must not ++ * return NULL pointers after this point, or the behaviour would ++ * become inconsistent if called several times with different ++ * variable lists after an EoV was returned. (Such a behavior ++ * actually caused Bug 3008.) ++ */ ++ + if (NULL == var_list) + return &eol; + +- /* +- * Look for a first character match on the tag. If we find +- * one, see if it is a full match. +- */ +- cp = reqpt; +- for (v = var_list; !(EOV & v->flags); v++) { +- if (!(PADDING & v->flags) && *cp == *(v->text)) { +- pch = v->text; +- while ('\0' != *pch && '=' != *pch && cp < reqend +- && *cp == *pch) { +- cp++; +- pch++; +- } +- if ('\0' == *pch || '=' == *pch) { +- while (cp < reqend && isspace((u_char)*cp)) +- cp++; +- if (cp == reqend || ',' == *cp) { +- buf[0] = '\0'; +- *data = buf; +- if (cp < reqend) +- cp++; +- reqpt = cp; +- return v; +- } +- if ('=' == *cp) { +- cp++; +- tp = buf; +- while (cp < reqend && isspace((u_char)*cp)) +- cp++; +- while (cp < reqend && *cp != ',') { +- *tp++ = *cp++; +- if ((size_t)(tp - buf) >= sizeof(buf)) { +- ctl_error(CERR_BADFMT); +- numctlbadpkts++; +- NLOG(NLOG_SYSEVENT) +- if (quiet_until <= current_time) { +- quiet_until = current_time + 300; +- msyslog(LOG_WARNING, +-"Possible 'ntpdx' exploit from %s#%u (possibly spoofed)", stoa(rmt_addr), SRCPORT(rmt_addr)); +- } +- return NULL; +- } +- } +- if (cp < reqend) +- cp++; +- *tp-- = '\0'; +- while (tp >= buf && isspace((u_char)*tp)) +- *tp-- = '\0'; +- reqpt = cp; +- *data = buf; +- return v; +- } ++ for (v = var_list; !(EOV & v->flags); ++v) ++ if (!(PADDING & v->flags)) { ++ /* check if the var name matches the buffer */ ++ const char *sp1 = reqpt; ++ const char *sp2 = v->text; ++ ++ while ((sp1 != tp) && *sp2 && (*sp1 == *sp2)) { ++ ++sp1; ++ ++sp2; + } +- cp = reqpt; ++ if (sp1 == tp && !*sp2) ++ break; + } +- } ++ ++ /* See if we have found a valid entry or not. If found, advance ++ * the request pointer for the next round; if not, clear the ++ * data pointer so we have no dangling garbage here. ++ */ ++ if (EOV & v->flags) ++ *data = NULL; ++ else ++ reqpt = cp + (cp != reqend); + return v; ++ ++ badpacket: ++ /*TODO? somehow indicate this packet was bad, apart from syslog? */ ++ numctlbadpkts++; ++ NLOG(NLOG_SYSEVENT) ++ if (quiet_until <= current_time) { ++ quiet_until = current_time + 300; ++ msyslog(LOG_WARNING, ++ "Possible 'ntpdx' exploit from %s#%u (possibly spoofed)", ++ stoa(rmt_addr), SRCPORT(rmt_addr)); ++ } ++ reqpt = reqend; /* never again for this packet! */ ++ return NULL; + } + + +@@ -3317,7 +3351,11 @@ read_sysvars(void) + gotvar = 1; + } else { + v = ctl_getitem(ext_sys_var, &valuep); +- INSIST(v != NULL); ++ if (NULL == v) { ++ ctl_error(CERR_BADVALUE); ++ free(wants); ++ return; ++ } + if (EOV & v->flags) { + ctl_error(CERR_UNKNOWNVAR); + free(wants); +@@ -4558,7 +4596,12 @@ read_clockstatus( + gotvar = TRUE; + } else { + v = ctl_getitem(kv, &valuep); +- INSIST(NULL != v); ++ if (NULL == v) { ++ ctl_error(CERR_BADVALUE); ++ free(wants); ++ free_varlist(cs.kv_list); ++ return; ++ } + if (EOV & v->flags) { + ctl_error(CERR_UNKNOWNVAR); + free(wants); diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7426.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7426.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7426.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7426.patch 2017-06-28 13:34:37.000000000 +0000 @@ -0,0 +1,85 @@ +Description: fix DoS via responses with a spoofed source address +Origin: based on https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7426.patch +Bug: http://support.ntp.org/bin/view/Main/NtpBug3071 + +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c 2017-06-28 09:34:35.100254099 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c 2017-06-28 09:34:35.096254043 -0400 +@@ -593,36 +593,7 @@ receive( + } + + /* +- * Update the MRU list and finger the cloggers. It can be a +- * little expensive, so turn it off for production use. +- * RES_LIMITED and RES_KOD will be cleared in the returned +- * restrict_mask unless one or both actions are warranted. +- */ +- restrict_mask = ntp_monitor(rbufp, restrict_mask); +- if (restrict_mask & RES_LIMITED) { +- sys_limitrejected++; +- if ( !(restrict_mask & RES_KOD) +- || MODE_BROADCAST == hismode +- || MODE_SERVER == hismode) { +- if (MODE_SERVER == hismode) +- DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n", +- stoa(&rbufp->recv_srcadr))); +- return; /* rate exceeded */ +- } +- if (hismode == MODE_CLIENT) +- fast_xmit(rbufp, MODE_SERVER, skeyid, +- restrict_mask); +- else +- fast_xmit(rbufp, MODE_ACTIVE, skeyid, +- restrict_mask); +- return; /* rate exceeded */ +- } +- restrict_mask &= ~RES_KOD; +- +- /* +- * We have tossed out as many buggy packets as possible early in +- * the game to reduce the exposure to a clogging attack. Now we +- * have to burn some cycles to find the association and ++ * now we have to burn some cycles to find the association and + * authenticate the packet if required. Note that we burn only + * digest cycles, again to reduce exposure. There may be no + * matching association and that's okay. +@@ -645,6 +616,27 @@ receive( + NTOHL_FP(&pkt->xmt, &p_xmt); + + /* ++ * Update the MRU list and finger the cloggers. It can be a ++ * little expensive, so turn it off for production use. ++ */ ++ restrict_mask = ntp_monitor(rbufp, restrict_mask); ++ if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) { ++ sys_limitrejected++; ++ if (!(restrict_mask & RES_KOD) || MODE_BROADCAST == ++ hismode || MODE_SERVER == hismode) ++ return; /* rate exceeded */ ++ ++ if (hismode == MODE_CLIENT) ++ fast_xmit(rbufp, MODE_SERVER, skeyid, ++ restrict_mask); ++ else ++ fast_xmit(rbufp, MODE_ACTIVE, skeyid, ++ restrict_mask); ++ return; /* rate exceeded */ ++ } ++ restrict_mask &= ~RES_KOD; ++ ++ /* + * Authentication is conditioned by three switches: + * + * NOPEER (RES_NOPEER) do not mobilize an association unless +@@ -1126,6 +1118,10 @@ receive( + #endif /* AUTOKEY */ + if (!AUTH(sys_authenticate | (restrict_mask & + (RES_NOPEER | RES_DONTTRUST)), is_authentic)) { ++ if (restrict_mask & RES_LIMITED) { ++ sys_limitrejected++; ++ return; ++ } + + /* + * If authenticated but cannot mobilize an diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7427-1.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7427-1.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7427-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7427-1.patch 2017-06-28 15:43:22.000000000 +0000 @@ -0,0 +1,113 @@ +Backport of: + + + TOPntp-stable1.3686.20.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-10-20 20:13:40+02:00, perlinger@ntp.org + [Sec 3114] Broadcast Mode Replay Prevention DoS + +#==== ChangeLog ==== +# +#2016-10-20 20:13:40+02:00, perlinger@ntp.org +4 -0 +# [Sec 3114] Broadcast Mode Replay Prevention DoS +#--- 1.1834/ChangeLog 2016-06-02 11:39:59 +00:00 +#+++ 1.1834.20.1/ChangeLog 2016-10-20 18:13:40 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3114] Broadcast Mode Replay Prevention DoS +#+ - applied patches by Matthew Van Gundy. +#+ +# --- +# (4.2.8p8) 2016/06/02 Released by Harlan Stenn +# +# +#==== ntpd/ntp_proto.c ==== +# +#2016-10-20 20:13:40+02:00, perlinger@ntp.org +39 -6 +# [Sec 3114] Broadcast Mode Replay Prevention DoS +# - applied patches by Matthew Van Gundy, with some rework. +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c 2017-06-28 11:41:56.448296802 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c 2017-06-28 11:42:27.808679806 -0400 +@@ -1253,9 +1253,32 @@ receive( + ++bail; + } + +- tdiff = p_xmt; +- L_SUB(&tdiff, &peer->bxmt); +- if (tdiff.l_i < 0) { ++ /* Alert if time from the server is non-monotonic. ++ * ++ * Note this check will not trigger for ++ * backsteps smaller than the poll interval. ++ * ++ * [Bug 3114] But watch for the the initial ++ * state, when peer->bxmt is all-zero! ++ * ++ * Another gotcha to avoid here: After some ++ * time, we must heed to time stamps, even when ++ * they are in the past. Otherwise we would ++ * never be able to catch up with a backstep of ++ * our broadcast server until the server has ++ * revored the backstep: The last bxmt now ++ * survives a cleanout of the peer structure and ++ * would create another form of DoS. ++ */ ++ if (L_ISZERO(&peer->bxmt)) { ++ tdiff.l_ui = tdiff.l_uf = 0; ++ } else { ++ tdiff = p_xmt; ++ L_SUB(&tdiff, &peer->bxmt); ++ } ++ if (tdiff.l_i < 0 && ++ (current_time - peer->timereceived) < (1u << (pkt->ppoll + 2))) ++ { + msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x", + stoa(&rbufp->recv_srcadr), + peer->bxmt.l_ui, peer->bxmt.l_uf, +@@ -1264,8 +1287,6 @@ receive( + ++bail; + } + +- peer->bxmt = p_xmt; +- + if (bail) { + peer->timelastrec = current_time; + sys_declined++; +@@ -1466,6 +1487,13 @@ receive( + peer->xmt = p_xmt; + + /* ++ * Now that we know the packet is correctly authenticated, ++ * update peer->bxmt if needed ++ */ ++ if (MODE_BROADCAST == hismode) ++ peer->bxmt = p_xmt; ++ ++ /* + * Set the peer ppoll to the maximum of the packet ppoll and the + * peer minpoll. If a kiss-o'-death, set the peer minpoll to + * this maximum and advance the headway to give the sender some +@@ -2281,6 +2309,7 @@ peer_clear( + ) + { + u_char u; ++ l_fp bxmt = peer->bxmt; /* bcast clients retain this! */ + + #ifdef AUTOKEY + /* +@@ -2317,6 +2346,10 @@ peer_clear( + peer->flash = peer_unfit(peer); + peer->jitter = LOGTOD(sys_precision); + ++ /* Don't throw away our broadcast replay protection */ ++ if (peer->hmode == MODE_BCLIENT) ++ peer->bxmt = bxmt; ++ + /* + * If interleave mode, initialize the alternate origin switch. + */ diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7428.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7428.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7428.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7428.patch 2017-06-28 14:10:33.000000000 +0000 @@ -0,0 +1,70 @@ +Backport of: + + TOPntp-stable1.3686.19.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-10-20 09:21:04+02:00, perlinger@ntp.org + [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS + +#==== ChangeLog ==== +# +#2016-10-20 09:21:04+02:00, perlinger@ntp.org +4 -0 +# [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS +#--- 1.1834/ChangeLog 2016-06-02 11:39:59 +00:00 +#+++ 1.1834.19.1/ChangeLog 2016-10-20 07:21:04 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS +#+ - applied fix as suggested by Matthew Van Gundy +#+ +# --- +# (4.2.8p8) 2016/06/02 Released by Harlan Stenn +# +# +#==== include/ntp.h ==== +# +#2016-10-20 09:21:04+02:00, perlinger@ntp.org +1 -1 +# [Sec 3113] Broadcast Mode Poll Interval Enforcement DoS +Index: ntp-4.2.8p4+dfsg/include/ntp.h +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/include/ntp.h 2017-06-28 10:09:17.326110081 -0400 ++++ ntp-4.2.8p4+dfsg/include/ntp.h 2017-06-28 10:09:17.326110081 -0400 +@@ -383,7 +383,7 @@ struct peer { + * Statistic counters + */ + u_long timereset; /* time stat counters were reset */ +- u_long timelastrec; /* last packet received time */ ++ u_long timelastrec; /* last packet received time, incl. trash */ + u_long timereceived; /* last (clean) packet received time */ + u_long timereachable; /* last reachable/unreachable time */ + +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c 2017-06-28 10:09:17.314109908 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c 2017-06-28 10:10:10.014848722 -0400 +@@ -1243,11 +1243,21 @@ receive( + ++bail; + } + +- if ( (current_time - peer->timelastrec) ++ /* too early? worth an error, too! ++ * ++ * [Bug 3113] Ensure that at least one poll ++ * interval has elapsed since the last **clean** ++ * packet was received. We limit the check to ++ * **clean** packets to prevent replayed packets ++ * and incorrectly authenticated packets, which ++ * we'll discard, from being used to create a ++ * denial of service condition. ++ */ ++ if ( (current_time - peer->timereceived) + < (1 << pkt->ppoll)) { + msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %ld, not %d seconds!", + stoa(&rbufp->recv_srcadr), +- (current_time - peer->timelastrec), ++ (current_time - peer->timereceived), + (1 << pkt->ppoll) + ); + ++bail; diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-1.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-1.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-1.patch 2017-06-28 14:10:55.000000000 +0000 @@ -0,0 +1,199 @@ + + + TOPntp-stable1.3686.13.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-09-13 07:26:06+02:00, perlinger@ntp.org + [Bug 3072] Attack on interface selection + +==== ChangeLog ==== + +#2016-09-13 07:26:06+02:00, perlinger@ntp.org +6 -1 +# [Bug 3072] Attack on interface selection +#--- 1.1834/ChangeLog 2016-06-02 11:39:59 +00:00 +#+++ 1.1834.13.1/ChangeLog 2016-09-13 05:26:06 +00:00 +#@@ -1,3 +1,8 @@ +#+--- +#+* [Bug 3072] Attack on interface selection +#+ - implemented Miroslav Lichvars suggestion +#+ to skip interface updates based on incoming packets +#+ +# --- +# (4.2.8p8) 2016/06/02 Released by Harlan Stenn +# +#@@ -19,7 +24,7 @@ +# * Fix typo in ntp-wait and plot_summary. HStenn. +# * Make sure we have an "author" file for git imports. HStenn. +# * Update the sntp problem tests for MacOS. HStenn. +#- +#+ +# --- +# (4.2.8p7) 2016/04/26 Released by Harlan Stenn +# +# +#==== ntpd/ntp_peer.c ==== +# +#2016-09-13 07:26:06+02:00, perlinger@ntp.org +61 -50 +# [Bug 3072] Attack on interface selection +# - implemented Miroslav Lichvars suggestion to skip interface updates +# based on incoming packets +--- 1.158/ntpd/ntp_peer.c 2015-07-20 07:32:03 +00:00 ++++ 1.159/ntpd/ntp_peer.c 2016-09-13 05:26:06 +00:00 +@@ -273,6 +273,22 @@ findexistingpeer( + /* + * findpeer - find and return a peer match for a received datagram in + * the peer_hash table. ++ * ++ * [Bug 3072] To faciliate a faster reorganisation after routing changes ++ * the original code re-assigned the peer address to be the destination ++ * of the received packet and initiated another round on a mismatch. ++ * Unfortunately this leaves us wide open for a DoS attack where the ++ * attacker directs a packet with forged destination address to us -- ++ * this results in a wrong interface assignment, actually creating a DoS ++ * situation. ++ * ++ * This condition would persist until the next update of the interface ++ * list, but a continued attack would put us out of business again soon ++ * enough. Authentication alone does not help here, since it does not ++ * protect the UDP layer and leaves us open for a replay attack. ++ * ++ * So we do not update the adresses and wait until the next interface ++ * list update does the right thing for us. + */ + struct peer * + findpeer( +@@ -291,61 +307,50 @@ findpeer( + srcadr = &rbufp->recv_srcadr; + hash = NTP_HASH_ADDR(srcadr); + for (p = peer_hash[hash]; p != NULL; p = p->adr_link) { +- if (ADDR_PORT_EQ(srcadr, &p->srcadr)) { + +- /* +- * if the association matching rules determine +- * that this is not a valid combination, then +- * look for the next valid peer association. +- */ +- *action = MATCH_ASSOC(p->hmode, pkt_mode); ++ /* [Bug 3072] ensure interface of peer matches */ ++ if (p->dstadr != rbufp->dstadr) ++ continue; ++ ++ /* ensure peer source address matches */ ++ if ( ! ADDR_PORT_EQ(srcadr, &p->srcadr)) ++ continue; ++ ++ /* If the association matching rules determine that this ++ * is not a valid combination, then look for the next ++ * valid peer association. ++ */ ++ *action = MATCH_ASSOC(p->hmode, pkt_mode); + +- /* +- * A response to our manycastclient solicitation +- * might be misassociated with an ephemeral peer +- * already spun for the server. If the packet's +- * org timestamp doesn't match the peer's, check +- * if it matches the ACST prototype peer's. If +- * so it is a redundant solicitation response, +- * return AM_ERR to discard it. [Bug 1762] +- */ +- if (MODE_SERVER == pkt_mode && +- AM_PROCPKT == *action) { +- pkt = &rbufp->recv_pkt; +- NTOHL_FP(&pkt->org, &pkt_org); +- if (!L_ISEQU(&p->aorg, &pkt_org) && +- findmanycastpeer(rbufp)) +- *action = AM_ERR; +- } ++ /* A response to our manycastclient solicitation might ++ * be misassociated with an ephemeral peer already spun ++ * for the server. If the packet's org timestamp ++ * doesn't match the peer's, check if it matches the ++ * ACST prototype peer's. If so it is a redundant ++ * solicitation response, return AM_ERR to discard it. ++ * [Bug 1762] ++ */ ++ if (MODE_SERVER == pkt_mode && AM_PROCPKT == *action) { ++ pkt = &rbufp->recv_pkt; ++ NTOHL_FP(&pkt->org, &pkt_org); ++ if (!L_ISEQU(&p->aorg, &pkt_org) && ++ findmanycastpeer(rbufp)) ++ *action = AM_ERR; ++ } + +- /* +- * if an error was returned, exit back right +- * here. +- */ +- if (*action == AM_ERR) +- return NULL; ++ /* if an error was returned, exit back right here. */ ++ if (*action == AM_ERR) ++ return NULL; + +- /* +- * if a match is found, we stop our search. +- */ +- if (*action != AM_NOMATCH) +- break; +- } ++ /* if a match is found, we stop our search. */ ++ if (*action != AM_NOMATCH) ++ break; + } + +- /* +- * If no matching association is found +- */ +- if (NULL == p) { ++ /* If no matching association is found... */ ++ if (NULL == p) + *action = MATCH_ASSOC(NO_PEER, pkt_mode); +- } else if (p->dstadr != rbufp->dstadr) { +- set_peerdstadr(p, rbufp->dstadr); +- if (p->dstadr == rbufp->dstadr) { +- DPRINTF(1, ("Changed %s local address to match response\n", +- stoa(&p->srcadr))); +- return findpeer(rbufp, pkt_mode, action); +- } +- } ++ + return p; + } + +@@ -621,7 +626,8 @@ set_peerdstadr( + { + struct peer * unlinked; + +- if (p->dstadr == dstadr) ++ /* check for impossible or identical assignment */ ++ if (p == NULL || p->dstadr == dstadr) + return; + + /* +@@ -632,6 +638,8 @@ set_peerdstadr( + (INT_MCASTIF & dstadr->flags) && MODE_CLIENT == p->hmode) { + return; + } ++ ++ /* unlink from list if we have an address prior to assignment */ + if (p->dstadr != NULL) { + p->dstadr->peercnt--; + UNLINK_SLIST(unlinked, p->dstadr->peers, p, ilink, +@@ -640,8 +648,11 @@ set_peerdstadr( + stoa(&p->srcadr), latoa(p->dstadr), + latoa(dstadr)); + } ++ + p->dstadr = dstadr; +- if (dstadr != NULL) { ++ ++ /* link to list if we have an address after assignment */ ++ if (p->dstadr != NULL) { + LINK_SLIST(dstadr->peers, p, ilink); + dstadr->peercnt++; + } + + diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-2.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-2.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-2.patch 2017-06-28 14:11:04.000000000 +0000 @@ -0,0 +1,64 @@ + + + TOPntp-stable1.3688.1.33 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-10-01 08:32:28+00:00, stenn@psp-deb1.ntp.org + [Bug 3072] tweaks + +#==== NEWS ==== +# +#2016-10-01 08:31:51+00:00, stenn@psp-deb1.ntp.org +16 -1 +# [Bug 3072] tweaks +#--- 1.188/NEWS 2016-09-29 12:03:11 +00:00 +#+++ 1.189/NEWS 2016-10-01 08:31:51 +00:00 +#@@ -8,7 +8,22 @@ following X high- and Y low-severity vul +# In addition to bug fixes and enhancements, this release fixes the +# following X high- and Y low-severity vulnerabilities: +# +#-* +#+* Attack on interface selection +#+ Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 +#+X References: Sec 3072 / CVE-2016-XXXX / VU#XXXXX +#+X Affects: ntp-4.2.8p7, and ntp-4.3.92. +#+X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) +#+X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +#+X Summary: +#+X Mitigation: +#+ Implement BCP-38. +#+ Upgrade to 4.2.8p8, or later, from the NTP Project Download Page +#+ or the NTP Public Services Project Download Page +#+ If you cannot upgrade from 4.2.8p7, the only other alternatives +#+ are to patch your code or filter CRYPTO_NAK packets. +#+ Properly monitor your ntpd instances, and auto-restart ntpd +#+ (without -g) if it stops running. +#+ Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. +# +# Other fixes: +# +# +#==== ntpd/ntp_peer.c ==== +# +#2016-10-01 08:28:25+00:00, stenn@psp-deb1.ntp.org +6 -1 +# [Bug 3072] tweaks +--- 1.159/ntpd/ntp_peer.c 2016-09-13 05:26:06 +00:00 ++++ 1.160/ntpd/ntp_peer.c 2016-10-01 08:28:25 +00:00 +@@ -626,8 +626,13 @@ set_peerdstadr( + { + struct peer * unlinked; + ++ DEBUG_INSIST(p != NULL); ++ ++ if (p == NULL) ++ return; ++ + /* check for impossible or identical assignment */ +- if (p == NULL || p->dstadr == dstadr) ++ if (p->dstadr == dstadr) + return; + + /* + + diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-3.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-3.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7429-3.patch 2017-06-28 14:11:09.000000000 +0000 @@ -0,0 +1,43 @@ + + + TOPntp-stable1.3720.8.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-12-30 10:39:31+01:00, jnperlin@hydra.localnet + [Bug 3356] Bugfix 3072 breaks multicastclient + +#==== ChangeLog ==== +# +#2016-12-30 10:39:31+01:00, jnperlin@hydra.localnet +3 -0 +# [Bug 3356] Bugfix 3072 breaks multicastclient +#--- 1.1852/ChangeLog 2016-11-21 13:08:15 +00:00 +#+++ 1.1852.8.1/ChangeLog 2016-12-30 09:39:31 +00:00 +#@@ -1,3 +1,6 @@ +#+--- +#+* [Bug 3356] Bugfix 3072 breaks multicastclient +#+ +# --- +# (4.2.8p9) 2016/11/21 Released by Harlan Stenn +# (4.2.8p9) 2016/MM/DD Released by Harlan Stenn +# +#==== ntpd/ntp_peer.c ==== +# +#2016-12-30 10:39:31+01:00, jnperlin@hydra.localnet +2 -1 +# [Bug 3356] Bugfix 3072 breaks multicastclient +# (see bugs.ntp.org for details) +--- 1.160/ntpd/ntp_peer.c 2016-10-01 08:28:25 +00:00 ++++ 1.161/ntpd/ntp_peer.c 2016-12-30 09:39:31 +00:00 +@@ -309,7 +309,8 @@ findpeer( + for (p = peer_hash[hash]; p != NULL; p = p->adr_link) { + + /* [Bug 3072] ensure interface of peer matches */ +- if (p->dstadr != rbufp->dstadr) ++ /* [Bug 3356] ... if NOT a broadcast peer! */ ++ if (p->hmode != MODE_BCLIENT && p->dstadr != rbufp->dstadr) + continue; + + /* ensure peer source address matches */ + + diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7433.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7433.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7433.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7433.patch 2017-06-28 15:43:53.000000000 +0000 @@ -0,0 +1,28 @@ +Description: fix incorrect initial sync calculations +Origin: vendor, https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7433.patch +Bug: http://bugs.ntp.org/show_bug.cgi?id=2085 + +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c 2017-06-28 11:43:51.801705923 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c 2017-06-28 11:43:51.801705923 -0400 +@@ -3176,8 +3176,7 @@ root_distance( + * where: + * delta is the round-trip delay + * DELTA is the root delay +- * epsilon is the remote server precision + local precision +- * + (15 usec each second) ++ * epsilon is the peer dispersion (15 usec each second) + * EPSILON is the root dispersion + * phi is the peer jitter statistic + * +@@ -3188,8 +3187,7 @@ root_distance( + * other worse choices. + */ + dtemp = (peer->delay + peer->rootdelay) / 2 +- + LOGTOD(peer->precision) +- + LOGTOD(sys_precision) ++ + peer->disp + + clock_phi * (current_time - peer->update) + + peer->rootdisp + + peer->jitter; diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7434.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7434.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7434.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-7434.patch 2017-06-28 14:17:09.000000000 +0000 @@ -0,0 +1,178 @@ + + + TOPntp-stable1.3686.1.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-07-05 23:15:20+02:00, perlinger@ntp.org + [Sec 3075] Core Dump. Added missing paramter validation in read_mru_list(). + [Sec 3082] (title too long -- Variation of [Sec 3075].) + - more hardening to read_mru_list(). + +#==== ChangeLog ==== +# +#2016-07-05 23:15:20+02:00, perlinger@ntp.org +7 -1 +# [Sec 3075] Core Dump. Added missing paramter validation in read_mru_list() +# [Sec 3082] (title too long -- Variation of [Sec 3075].) +# - more hardening to read_mru_list(). +#--- 1.1834/ChangeLog 2016-06-02 11:39:59 +00:00 +#+++ 1.1834.1.1/ChangeLog 2016-07-05 21:15:20 +00:00 +#@@ -1,3 +1,9 @@ +#+--- +#+* [Sec 3075] Malicious crafted read_mru_list() packet will crash ntpd. +#+ - added missing paramter validation in read_mru_list(). perlinger@ntp.org +#+* [Sec 3082] (title too long -- Variation of [Sec 3075].) +#+ - more hardening to read_mru_list(). perlinger@ntp.org +#+ +# --- +# (4.2.8p8) 2016/06/02 Released by Harlan Stenn +# +#@@ -19,7 +25,7 @@ +# * Fix typo in ntp-wait and plot_summary. HStenn. +# * Make sure we have an "author" file for git imports. HStenn. +# * Update the sntp problem tests for MacOS. HStenn. +#- +#+ +# --- +# (4.2.8p7) 2016/04/26 Released by Harlan Stenn +# +# +#==== ntpd/ntp_control.c ==== +# +#2016-07-05 23:15:20+02:00, perlinger@ntp.org +57 -33 +# [Sec 3075] Core Dump. Added missing paramter validation in read_mru_list(). +# [Sec 3082] (title too long -- Variation of [Sec 3075].) +# - more hardening to read_mru_list(). +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_control.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_control.c 2017-06-28 10:17:07.592103760 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_control.c 2017-06-28 10:17:07.588103710 -0400 +@@ -3937,15 +3937,17 @@ static void read_mru_list( + int restrict_mask + ) + { +- const char nonce_text[] = "nonce"; +- const char frags_text[] = "frags"; +- const char limit_text[] = "limit"; +- const char mincount_text[] = "mincount"; +- const char resall_text[] = "resall"; +- const char resany_text[] = "resany"; +- const char maxlstint_text[] = "maxlstint"; +- const char laddr_text[] = "laddr"; +- const char resaxx_fmt[] = "0x%hx"; ++ static const char nulltxt[1] = { '\0' }; ++ static const char nonce_text[] = "nonce"; ++ static const char frags_text[] = "frags"; ++ static const char limit_text[] = "limit"; ++ static const char mincount_text[] = "mincount"; ++ static const char resall_text[] = "resall"; ++ static const char resany_text[] = "resany"; ++ static const char maxlstint_text[] = "maxlstint"; ++ static const char laddr_text[] = "laddr"; ++ static const char resaxx_fmt[] = "0x%hx"; ++ + u_int limit; + u_short frags; + u_short resall; +@@ -3962,7 +3964,7 @@ static void read_mru_list( + char buf[128]; + struct ctl_var * in_parms; + const struct ctl_var * v; +- char * val; ++ const char * val; + const char * pch; + char * pnonce; + int nonce_valid; +@@ -4014,46 +4016,68 @@ static void read_mru_list( + ZERO(last); + ZERO(addr); + +- while (NULL != (v = ctl_getitem(in_parms, &val)) && ++ /* have to go through '(void*)' to drop 'const' property from pointer. ++ * ctl_getitem()' needs some cleanup, too.... perlinger@ntp.org ++ */ ++ while (NULL != (v = ctl_getitem(in_parms, (void*)&val)) && + !(EOV & v->flags)) { + int si; + ++ if (NULL == val) ++ val = nulltxt; ++ + if (!strcmp(nonce_text, v->text)) { +- if (NULL != pnonce) +- free(pnonce); +- pnonce = estrdup(val); ++ free(pnonce); ++ pnonce = (*val) ? estrdup(val) : NULL; + } else if (!strcmp(frags_text, v->text)) { +- sscanf(val, "%hu", &frags); ++ if (1 != sscanf(val, "%hu", &frags)) ++ goto blooper; + } else if (!strcmp(limit_text, v->text)) { +- sscanf(val, "%u", &limit); ++ if (1 != sscanf(val, "%u", &limit)) ++ goto blooper; + } else if (!strcmp(mincount_text, v->text)) { +- if (1 != sscanf(val, "%d", &mincount) || +- mincount < 0) ++ if (1 != sscanf(val, "%d", &mincount)) ++ goto blooper; ++ if (mincount < 0) + mincount = 0; + } else if (!strcmp(resall_text, v->text)) { +- sscanf(val, resaxx_fmt, &resall); ++ if (1 != sscanf(val, resaxx_fmt, &resall)) ++ goto blooper; + } else if (!strcmp(resany_text, v->text)) { +- sscanf(val, resaxx_fmt, &resany); ++ if (1 != sscanf(val, resaxx_fmt, &resany)) ++ goto blooper; + } else if (!strcmp(maxlstint_text, v->text)) { +- sscanf(val, "%u", &maxlstint); ++ if (1 != sscanf(val, "%u", &maxlstint)) ++ goto blooper; + } else if (!strcmp(laddr_text, v->text)) { +- if (decodenetnum(val, &laddr)) +- lcladr = getinterface(&laddr, 0); ++ if (!decodenetnum(val, &laddr)) ++ goto blooper; ++ lcladr = getinterface(&laddr, 0); + } else if (1 == sscanf(v->text, last_fmt, &si) && + (size_t)si < COUNTOF(last)) { +- if (2 == sscanf(val, "0x%08x.%08x", &ui, &uf)) { +- last[si].l_ui = ui; +- last[si].l_uf = uf; +- if (!SOCK_UNSPEC(&addr[si]) && +- si == priors) +- priors++; +- } ++ if (2 != sscanf(val, "0x%08x.%08x", &ui, &uf)) ++ goto blooper; ++ last[si].l_ui = ui; ++ last[si].l_uf = uf; ++ if (!SOCK_UNSPEC(&addr[si]) && si == priors) ++ priors++; + } else if (1 == sscanf(v->text, addr_fmt, &si) && + (size_t)si < COUNTOF(addr)) { +- if (decodenetnum(val, &addr[si]) +- && last[si].l_ui && last[si].l_uf && +- si == priors) ++ if (!decodenetnum(val, &addr[si])) ++ goto blooper; ++ if (last[si].l_ui && last[si].l_uf && si == priors) + priors++; ++ } else { ++ DPRINTF(1, ("read_mru_list: invalid key item: '%s' (ignored)\n", ++ v->text)); ++ continue; ++ ++ blooper: ++ DPRINTF(1, ("read_mru_list: invalid param for '%s': '%s' (bailing)\n", ++ v->text, val)); ++ free(pnonce); ++ pnonce = NULL; ++ break; + } + } + free_varlist(in_parms); diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9310.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9310.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9310.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9310.patch 2017-06-28 14:17:41.000000000 +0000 @@ -0,0 +1,53 @@ + + + TOPntp-stable1.3686.17.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-09-24 20:38:17+02:00, perlinger@ntp.org + [Sec 3118] Mode 6 information disclosure and DDoS vector + +#==== ChangeLog ==== +# +#2016-09-24 20:38:17+02:00, perlinger@ntp.org +4 -0 +# [Sec 3118] Mode 6 information disclosure and DDoS vector +#--- 1.1834/ChangeLog 2016-06-02 11:39:59 +00:00 +#+++ 1.1834.17.1/ChangeLog 2016-09-24 18:38:17 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3118] Mode 6 information disclosure and DDoS vector +#+ - TRAP config via mode 6 packet requires AUTH now. +#+ +# --- +# (4.2.8p8) 2016/06/02 Released by Harlan Stenn +# +# +#==== ntpd/ntp_control.c ==== +# +#2016-09-24 20:38:17+02:00, perlinger@ntp.org +3 -3 +# [Sec 3118] Mode 6 information disclosure and DDoS vector +# - TRAP config via mode 6 packet requires AUTH now +# - writing the clock status should require AUTH, too. +--- 1.209/ntpd/ntp_control.c 2016-02-22 06:34:05 +00:00 ++++ 1.209.5.1/ntpd/ntp_control.c 2016-09-24 18:38:17 +00:00 +@@ -120,14 +120,14 @@ static const struct ctl_proc control_cod + { CTL_OP_READVAR, NOAUTH, read_variables }, + { CTL_OP_WRITEVAR, AUTH, write_variables }, + { CTL_OP_READCLOCK, NOAUTH, read_clockstatus }, +- { CTL_OP_WRITECLOCK, NOAUTH, write_clockstatus }, +- { CTL_OP_SETTRAP, NOAUTH, set_trap }, ++ { CTL_OP_WRITECLOCK, AUTH, write_clockstatus }, ++ { CTL_OP_SETTRAP, AUTH, set_trap }, + { CTL_OP_CONFIGURE, AUTH, configure }, + { CTL_OP_SAVECONFIG, AUTH, save_config }, + { CTL_OP_READ_MRU, NOAUTH, read_mru_list }, + { CTL_OP_READ_ORDLIST_A, AUTH, read_ordlist }, + { CTL_OP_REQ_NONCE, NOAUTH, req_nonce }, +- { CTL_OP_UNSETTRAP, NOAUTH, unset_trap }, ++ { CTL_OP_UNSETTRAP, AUTH, unset_trap }, + { NO_REQUEST, 0, NULL } + }; + + + diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9311.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9311.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9311.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2016-9311.patch 2017-06-28 14:22:11.000000000 +0000 @@ -0,0 +1,83 @@ + + + TOPntp-stable1.3686.16.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2016-09-23 20:00:55+02:00, perlinger@ntp.org + [Sec 3119] Trap crash + +#==== ChangeLog ==== +# +#2016-09-23 20:00:55+02:00, perlinger@ntp.org +3 -0 +# [Sec 3119] Trap crash +#--- 1.1834/ChangeLog 2016-06-02 11:39:59 +00:00 +#+++ 1.1834.16.1/ChangeLog 2016-09-23 18:00:55 +00:00 +#@@ -1,3 +1,6 @@ +#+--- +#+* [Sec 3119] Trap crash +#+ +# --- +# (4.2.8p8) 2016/06/02 Released by Harlan Stenn +# +# +#==== ntpd/ntp_control.c ==== +# +#2016-09-23 20:00:55+02:00, perlinger@ntp.org +19 -4 +# [Sec 3119] Trap crash +# - bail out if we hit a Peer Event without a peer. +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_control.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_control.c 2017-06-28 10:22:07.403869783 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_control.c 2017-06-28 10:22:07.399869733 -0400 +@@ -5004,6 +5004,22 @@ report_event( + if (num_ctl_traps <= 0) + return; + ++ /* [Bug 3119] ++ * Peer Events should be associated with a peer -- hence the ++ * name. But there are instances where this function is called ++ * *without* a valid peer. This happens e.g. with an unsolicited ++ * CryptoNAK, or when a leap second alarm is going off while ++ * currently without a system peer. ++ * ++ * The most sensible approach to this seems to bail out here if ++ * this happens. Avoiding to call this function would also ++ * bypass the log reporting in the first part of this function, ++ * and this is probably not the best of all options. ++ * -*-perlinger@ntp.org-*- ++ */ ++ if ((err & PEER_EVENT) && !peer) ++ return; ++ + /* + * Set up the outgoing packet variables + */ +@@ -5020,15 +5036,14 @@ report_event( + /* Include the core system variables and the list. */ + for (i = 1; i <= CS_VARLIST; i++) + ctl_putsys(i); +- } else { +- INSIST(peer != NULL); ++ } else if (NULL != peer) { /* paranoia -- skip output */ + rpkt.associd = htons(peer->associd); + rpkt.status = htons(ctlpeerstatus(peer)); + + /* Dump it all. Later, maybe less. */ + for (i = 1; i <= CP_MAX_NOAUTOKEY; i++) + ctl_putpeer(i, peer); +-#ifdef REFCLOCK ++# ifdef REFCLOCK + /* + * for clock exception events: add clock variables to + * reflect info on exception +@@ -5054,7 +5069,7 @@ report_event( + FALSE); + free_varlist(cs.kv_list); + } +-#endif /* REFCLOCK */ ++# endif /* REFCLOCK */ + } + + /* diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6458.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6458.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6458.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6458.patch 2017-06-28 14:22:23.000000000 +0000 @@ -0,0 +1,419 @@ +Backport of: + + TOPntp-stable1.3722.4.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2017-02-12 08:03:30+01:00, perlinger@ntp.org + [Sec 3379] NTP-01-004 Potential Overflows in ctl_put() functions + +#==== ChangeLog ==== +# +#2017-02-12 08:03:30+01:00, perlinger@ntp.org +4 -0 +# [Sec 3379] NTP-01-004 Potential Overflows in ctl_put() functions +#--- 1.1853.2.5/ChangeLog 2017-02-01 13:07:08 +00:00 +#+++ 1.1853.4.1/ChangeLog 2017-02-12 07:03:30 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3379] NTP-01-004 Potential Overflows in ctl_put() functions +#+ (Pentest report 01.2017) +#+ +# --- +# (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn +# +# +#==== ntpd/ntp_control.c ==== +# +#2017-02-12 08:03:30+01:00, perlinger@ntp.org +99 -174 +# [Sec 3379] NTP-01-004 Potential Overflows in ctl_put() functions +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_control.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_control.c 2017-06-28 10:22:21.752049884 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_control.c 2017-06-28 10:22:21.752049884 -0400 +@@ -1531,21 +1531,15 @@ ctl_putstr( + ) + { + char buffer[512]; +- char *cp; +- size_t tl; ++ int rc; + +- tl = strlen(tag); +- memcpy(buffer, tag, tl); +- cp = buffer + tl; +- if (len > 0) { +- INSIST(tl + 3 + len <= sizeof(buffer)); +- *cp++ = '='; +- *cp++ = '"'; +- memcpy(cp, data, len); +- cp += len; +- *cp++ = '"'; +- } +- ctl_putdata(buffer, (u_int)(cp - buffer), 0); ++ INSIST(len < sizeof(buffer)); ++ if (len) ++ rc = snprintf(buffer, sizeof(buffer), "%s=\"%.*s\"", tag, (int)len, data); ++ else ++ rc = snprintf(buffer, sizeof(buffer), "%s", tag); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1566,19 +1560,15 @@ ctl_putunqstr( + ) + { + char buffer[512]; +- char *cp; +- size_t tl; ++ int rc; + +- tl = strlen(tag); +- memcpy(buffer, tag, tl); +- cp = buffer + tl; +- if (len > 0) { +- INSIST(tl + 1 + len <= sizeof(buffer)); +- *cp++ = '='; +- memcpy(cp, data, len); +- cp += len; +- } +- ctl_putdata(buffer, (u_int)(cp - buffer), 0); ++ INSIST(len < sizeof(buffer)); ++ if (len) ++ rc = snprintf(buffer, sizeof(buffer), "%s=%.*s", tag, (int)len, data); ++ else ++ rc = snprintf(buffer, sizeof(buffer), "%s", tag); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1593,20 +1583,14 @@ ctl_putdblf( + double d + ) + { +- char *cp; +- const char *cq; + char buffer[200]; +- +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- *cp++ = '='; +- INSIST((size_t)(cp - buffer) < sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), use_f ? "%.*f" : "%.*g", +- precision, d); +- cp += strlen(cp); +- ctl_putdata(buffer, (unsigned)(cp - buffer), 0); ++ int rc; ++ ++ rc = snprintf(buffer, sizeof(buffer), ++ (use_f ? "%s=%.*f" : "%s=%.*g"), ++ tag, precision, d); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + /* +@@ -1618,20 +1602,12 @@ ctl_putuint( + u_long uval + ) + { +- register char *cp; +- register const char *cq; + char buffer[200]; ++ int rc; + +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- +- *cp++ = '='; +- INSIST((cp - buffer) < (int)sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), "%lu", uval); +- cp += strlen(cp); +- ctl_putdata(buffer, (unsigned)( cp - buffer ), 0); ++ rc = snprintf(buffer, sizeof(buffer), "%s=%lu", tag, uval); ++ INSIST(rc >= 0 && rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + /* +@@ -1644,21 +1620,16 @@ ctl_putcal( + ) + { + char buffer[100]; +- unsigned numch; ++ int rc; + +- numch = snprintf(buffer, sizeof(buffer), +- "%s=%04d%02d%02d%02d%02d", +- tag, +- pcal->year, +- pcal->month, +- pcal->monthday, +- pcal->hour, +- pcal->minute +- ); +- INSIST(numch < sizeof(buffer)); +- ctl_putdata(buffer, numch, 0); +- +- return; ++ rc = snprintf(buffer, sizeof(buffer), ++ "%s=%04d%02d%02d%02d%02d", ++ tag, ++ pcal->year, pcal->month, pcal->monthday, ++ pcal->hour, pcal->minute ++ ); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + /* +@@ -1670,28 +1641,23 @@ ctl_putfs( + tstamp_t uval + ) + { +- register char *cp; +- register const char *cq; + char buffer[200]; + struct tm *tm = NULL; + time_t fstamp; +- +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- +- *cp++ = '='; +- fstamp = uval - JAN_1970; ++ int rc; ++ ++ fstamp = (time_t)uval - JAN_1970; + tm = gmtime(&fstamp); +- if (NULL == tm) ++ if (NULL == tm) + return; +- INSIST((cp - buffer) < (int)sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), +- "%04d%02d%02d%02d%02d", tm->tm_year + 1900, +- tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min); +- cp += strlen(cp); +- ctl_putdata(buffer, (unsigned)( cp - buffer ), 0); ++ ++ rc = snprintf(buffer, sizeof(buffer), ++ "%s=%04d%02d%02d%02d%02d", ++ tag, ++ tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, ++ tm->tm_hour, tm->tm_min); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1705,20 +1671,12 @@ ctl_puthex( + u_long uval + ) + { +- register char *cp; +- register const char *cq; + char buffer[200]; +- +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- +- *cp++ = '='; +- INSIST((cp - buffer) < (int)sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), "0x%lx", uval); +- cp += strlen(cp); +- ctl_putdata(buffer,(unsigned)( cp - buffer ), 0); ++ int rc; ++ ++ rc = snprintf(buffer, sizeof(buffer), "%s=0x%lx", tag, uval); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1731,20 +1689,12 @@ ctl_putint( + long ival + ) + { +- register char *cp; +- register const char *cq; + char buffer[200]; +- +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- +- *cp++ = '='; +- INSIST((cp - buffer) < (int)sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), "%ld", ival); +- cp += strlen(cp); +- ctl_putdata(buffer, (unsigned)( cp - buffer ), 0); ++ int rc; ++ ++ rc = snprintf(buffer, sizeof(buffer), "%s=%ld", tag, ival); ++ INSIST(rc >= 0 && rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1757,21 +1707,14 @@ ctl_putts( + l_fp *ts + ) + { +- register char *cp; +- register const char *cq; + char buffer[200]; +- +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- +- *cp++ = '='; +- INSIST((size_t)(cp - buffer) < sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), "0x%08x.%08x", +- (u_int)ts->l_ui, (u_int)ts->l_uf); +- cp += strlen(cp); +- ctl_putdata(buffer, (unsigned)( cp - buffer ), 0); ++ int rc; ++ ++ rc = snprintf(buffer, sizeof(buffer), ++ "%s=0x%08lx.%08lx", ++ tag, (u_long)ts->l_ui, (u_long)ts->l_uf); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1785,24 +1728,17 @@ ctl_putadr( + sockaddr_u *addr + ) + { +- register char *cp; +- register const char *cq; ++ const char *cq; + char buffer[200]; +- +- cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- +- *cp++ = '='; ++ int rc; ++ + if (NULL == addr) + cq = numtoa(addr32); + else + cq = stoa(addr); +- INSIST((cp - buffer) < (int)sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), "%s", cq); +- cp += strlen(cp); +- ctl_putdata(buffer, (unsigned)(cp - buffer), 0); ++ rc = snprintf(buffer, sizeof(buffer), "%s=%s", tag, cq); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, 0); + } + + +@@ -1815,34 +1751,22 @@ ctl_putrefid( + u_int32 refid + ) + { +- char output[16]; +- char * optr; +- char * oplim; +- char * iptr; +- char * iplim; +- char * past_eq; +- +- optr = output; +- oplim = output + sizeof(output); +- while (optr < oplim && '\0' != *tag) +- *optr++ = *tag++; +- if (optr < oplim) { +- *optr++ = '='; +- past_eq = optr; +- } +- if (!(optr < oplim)) +- return; +- iptr = (char *)&refid; +- iplim = iptr + sizeof(refid); +- for ( ; optr < oplim && iptr < iplim && '\0' != *iptr; +- iptr++, optr++) +- if (isprint((int)*iptr)) +- *optr = *iptr; +- else +- *optr = '.'; +- if (!(optr <= oplim)) +- optr = past_eq; +- ctl_putdata(output, (u_int)(optr - output), FALSE); ++ char buffer[128]; ++ int rc, i; ++ ++ union { ++ uint32_t w; ++ uint8_t b[sizeof(uint32_t)]; ++ } bytes; ++ ++ bytes.w = refid; ++ for (i = 0; i < sizeof(bytes.b); ++i) ++ if (bytes.b[i] && !isprint(bytes.b[i])) ++ bytes.b[i] = '.'; ++ rc = snprintf(buffer, sizeof(buffer), "%s=%.*s", ++ tag, (int)sizeof(bytes.b), bytes.b); ++ INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); ++ ctl_putdata(buffer, (u_int)rc, FALSE); + } + + +@@ -1856,26 +1780,27 @@ ctl_putarray( + int start + ) + { +- register char *cp; +- register const char *cq; ++ char *cp, *ep; + char buffer[200]; +- int i; ++ int i, rc; ++ + cp = buffer; +- cq = tag; +- while (*cq != '\0') +- *cp++ = *cq++; +- *cp++ = '='; ++ ep = buffer + sizeof(buffer); ++ ++ rc = snprintf(cp, (size_t)(ep - cp), "%s=", tag); ++ INSIST(rc >= 0 && rc < (ep - cp)); ++ cp += rc; ++ + i = start; + do { + if (i == 0) + i = NTP_SHIFT; + i--; +- INSIST((cp - buffer) < (int)sizeof(buffer)); +- snprintf(cp, sizeof(buffer) - (cp - buffer), +- " %.2f", arr[i] * 1e3); +- cp += strlen(cp); ++ rc = snprintf(cp, (size_t)(ep - cp), " %.2f", arr[i] * 1e3); ++ INSIST(rc >= 0 && rc < (ep - cp)); ++ cp += rc; + } while (i != start); +- ctl_putdata(buffer, (unsigned)(cp - buffer), 0); ++ ctl_putdata(buffer, (u_int)(cp - buffer), 0); + } + + /* diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6460.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6460.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6460.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6460.patch 2017-06-28 14:22:35.000000000 +0000 @@ -0,0 +1,49 @@ + + + TOPntp-stable1.3722.2.10 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2017-02-11 19:30:47+01:00, perlinger@ntp.org + [Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist + +#==== ChangeLog ==== +# +#2017-02-11 19:30:47+01:00, perlinger@ntp.org +4 -0 +# [Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist +#--- 1.1853.2.5/ChangeLog 2017-02-01 13:07:08 +00:00 +#+++ 1.1853.2.6/ChangeLog 2017-02-11 18:30:47 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist +#+ (Pentest report 01.2017) +# +# +#==== ntpq/ntpq-subs.c ==== +# +#2017-02-11 19:30:47+01:00, perlinger@ntp.org +4 -2 +# [Sec 3377] NTP-01-002 Buffer Overflow in ntpq when fetching reslist +Index: ntp-4.2.8p4+dfsg/ntpq/ntpq-subs.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpq/ntpq-subs.c 2017-06-28 10:22:33.020191317 -0400 ++++ ntp-4.2.8p4+dfsg/ntpq/ntpq-subs.c 2017-06-28 10:22:33.016191267 -0400 +@@ -3577,11 +3577,13 @@ reslist( + if (NULL == val) { + row.flagstr[0] = '\0'; + comprende = TRUE; +- } else { +- len = strlen(val); ++ } else if ((len = strlen(val)) < sizeof(row.flagstr)) { + memcpy(row.flagstr, val, len); + row.flagstr[len] = '\0'; + comprende = TRUE; ++ } else { ++ /* no flags, and still !comprende */ ++ row.flagstr[0] = '\0'; + } + } + break; diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6462.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6462.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6462.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6462.patch 2017-06-28 14:22:40.000000000 +0000 @@ -0,0 +1,74 @@ + + + TOPntp-stable1.3722.8.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2017-02-12 13:46:35+01:00, perlinger@ntp.org + [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock + +#==== ChangeLog ==== +# +#2017-02-12 13:46:35+01:00, perlinger@ntp.org +4 -0 +# [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock +#--- 1.1853.2.5/ChangeLog 2017-02-01 13:07:08 +00:00 +#+++ 1.1853.8.1/ChangeLog 2017-02-12 12:46:35 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock +#+ (Pentest report 01.2017) +#+ +# --- +# (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn +# +# +#==== ntpd/refclock_datum.c ==== +# +#2017-02-12 13:46:35+01:00, perlinger@ntp.org +10 -9 +# [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock +--- 1.22/ntpd/refclock_datum.c 2013-07-06 05:36:11 +00:00 ++++ 1.23/ntpd/refclock_datum.c 2017-02-12 12:46:35 +00:00 +@@ -485,7 +485,7 @@ datum_pts_receive( + struct recvbuf *rbufp + ) + { +- int i; ++ int i, nb; + l_fp tstmp; + struct peer *p; + struct datum_pts_unit *datum_pts; +@@ -526,22 +526,23 @@ datum_pts_receive( + ** received to reduce the jitter. + */ + +- if (datum_pts->nbytes == 0) { ++ nb = datum_pts->nbytes; ++ if (nb == 0) { + datum_pts->lastrec = rbufp->recv_time; + } + + /* + ** Increment our count to the number of bytes received so far. Return if we + ** haven't gotten all seven bytes yet. ++ ** [Sec 3388] make sure we do not overrun the buffer. ++ ** TODO: what to do with excessive bytes, if we ever get them? + */ +- +- for (i=0; iretbuf[datum_pts->nbytes+i] = dpt[i]; ++ for (i=0; (i < dpend) && (nb < sizeof(datum_pts->retbuf)); i++, nb++) { ++ datum_pts->retbuf[nb] = dpt[i]; + } +- +- datum_pts->nbytes += dpend; +- +- if (datum_pts->nbytes != 7) { ++ datum_pts->nbytes = nb; ++ ++ if (nb < 7) { + return; + } + + + diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6463.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6463.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6463.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6463.patch 2017-06-28 14:22:51.000000000 +0000 @@ -0,0 +1,98 @@ + + + TOPntp-stable1.3722.6.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2017-02-12 11:08:16+01:00, perlinger@ntp.org + [Sec 3387] NTP-01-012: Authenticated DoS via Malicious Config Option + +==== ChangeLog ==== + +2017-02-12 11:08:15+01:00, perlinger@ntp.org +4 -0 + [Sec 3387] NTP-01-012: Authenticated DoS via Malicious Config Option +#--- 1.1853.2.5/ChangeLog 2017-02-01 13:07:08 +00:00 +#+++ 1.1853.6.1/ChangeLog 2017-02-12 10:08:15 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+ * [Sec 3387] NTP-01-012: Authenticated DoS via Malicious Config Option +#+ (Pentest report 01.2017) +#+ + --- + (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn + + +==== ntpd/ntp_config.c ==== + +2017-02-12 11:08:16+01:00, perlinger@ntp.org +12 -15 + [Sec 3387] NTP-01-012: Authenticated DoS via Malicious Config Option +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_config.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_config.c 2017-06-28 10:22:49.516398358 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_config.c 2017-06-28 10:22:49.512398308 -0400 +@@ -1320,8 +1320,8 @@ create_unpeer_node( + ) + { + unpeer_node * my_node; +- u_int u; +- char * pch; ++ u_long u; ++ const u_char * pch; + + my_node = emalloc_zero(sizeof(*my_node)); + +@@ -1330,16 +1330,15 @@ create_unpeer_node( + * its generic T_String definition of a name/address "address". + * We treat all valid 16-bit numbers as association IDs. + */ +- pch = addr->address; +- while (*pch && isdigit((unsigned char)*pch)) +- pch++; +- +- if (!*pch +- && 1 == sscanf(addr->address, "%u", &u) +- && u <= ASSOCID_MAX) { ++ for (u = 0, pch = (u_char*)addr->address; isdigit(*pch); ++pch) { ++ /* accumulate with overflow retention */ ++ u = (10 * u + *pch - '0') | (u & 0xFF000000u); ++ } ++ ++ if (!*pch && u <= ASSOCID_MAX) { + my_node->assocID = (associd_t)u; +- destroy_address_node(addr); + my_node->addr = NULL; ++ destroy_address_node(addr); + } else { + my_node->assocID = 0; + my_node->addr = addr; +@@ -4006,10 +4005,10 @@ config_unpeers( + curr_unpeer = HEAD_PFIFO(ptree->unpeers); + for (; curr_unpeer != NULL; curr_unpeer = curr_unpeer->link) { + /* +- * Either AssocID will be zero, and we unpeer by name/ +- * address addr, or it is nonzero and addr NULL. ++ * If we have no address attached, assume we have to ++ * unpeer by AssocID. + */ +- if (curr_unpeer->assocID) { ++ if (!curr_unpeer->addr) { + p = findpeerbyassoc(curr_unpeer->assocID); + if (p != NULL) { + msyslog(LOG_NOTICE, "unpeered %s", +@@ -4017,7 +4016,6 @@ config_unpeers( + peer_clear(p, "GONE"); + unpeer(p); + } +- + continue; + } + +@@ -4036,7 +4034,6 @@ config_unpeers( + peer_clear(p, "GONE"); + unpeer(p); + } +- + continue; + } + /* diff -Nru ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6464.patch ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6464.patch --- ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6464.patch 1970-01-01 00:00:00.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/CVE-2017-6464.patch 2017-06-28 15:43:56.000000000 +0000 @@ -0,0 +1,140 @@ + + + TOPntp-stable1.3722.5.1 changes + +NTP - Network Time Protocol +#### ChangeSet #### + +2017-02-12 09:49:29+01:00, perlinger@ntp.org + [Sec 3389] NTP-01-016: Denial of Service via Malformed Config + +==== ChangeLog ==== + +2017-02-12 09:49:29+01:00, perlinger@ntp.org +4 -0 + [Sec 3389] NTP-01-016: Denial of Service via Malformed Config +#--- 1.1853.2.5/ChangeLog 2017-02-01 13:07:08 +00:00 +#+++ 1.1853.5.1/ChangeLog 2017-02-12 08:49:29 +00:00 +#@@ -1,3 +1,7 @@ +#+--- +#+* [Sec 3389] NTP-01-016: Denial of Service via Malformed Config +#+ (Pentest report 01.2017) +#+ + --- + (4.2.8p9-win) 2017/02/01 Released by Harlan Stenn + + +==== ntpd/ntp_config.c ==== + +2017-02-12 09:49:29+01:00, perlinger@ntp.org +23 -2 + [Sec 3389] NTP-01-016: Denial of Service via Malformed Config + - allow 'ttl' only for network peers and 'mode' only for refclocks +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_config.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_config.c 2017-06-28 11:43:54.649740725 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_config.c 2017-06-28 11:43:54.645740676 -0400 +@@ -353,6 +353,9 @@ static char * normal_dtoa(double); + static u_int32 get_pfxmatch(const char **, struct masks *); + static u_int32 get_match(const char *, struct masks *); + static u_int32 get_logmask(const char *); ++static int/*BOOL*/ is_refclk_addr(const address_node * addr); ++ ++ + #ifndef SIM + static int getnetnum(const char *num, sockaddr_u *addr, int complain, + enum gnn_type a_type); +@@ -1258,7 +1261,10 @@ create_peer_node( + break; + + case T_Ttl: +- if (option->value.u >= MAX_TTL) { ++ if (is_refclk_addr(addr)) { ++ msyslog(LOG_ERR, "'ttl' does not apply for refclocks"); ++ errflag = 1; ++ } else if (option->value.u >= MAX_TTL) { + msyslog(LOG_ERR, "ttl: invalid argument"); + errflag = 1; + } else { +@@ -1267,7 +1273,12 @@ create_peer_node( + break; + + case T_Mode: +- my_node->ttl = option->value.u; ++ if (is_refclk_addr(addr)) { ++ my_node->ttl = option->value.u; ++ } else { ++ msyslog(LOG_ERR, "'mode' does not apply for network peers"); ++ errflag = 1; ++ } + break; + + case T_Key: +@@ -4599,6 +4610,16 @@ save_and_apply_config_tree(int/*BOOL*/ i + #endif + } + ++/* Hack to disambiguate 'server' statements for refclocks and network peers. ++ * Please note the qualification 'hack'. It's just that. ++ */ ++static int/*BOOL*/ ++is_refclk_addr( ++ const address_node * addr ++ ) ++{ ++ return addr && addr->address && !strncmp(addr->address, "127.127.", 6); ++} + + static void + ntpd_set_tod_using( +Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c +=================================================================== +--- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c 2017-06-28 11:43:54.649740725 -0400 ++++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c 2017-06-28 11:43:54.645740676 -0400 +@@ -3277,8 +3277,9 @@ peer_xmit( + } + } + peer->t21_bytes = sendlen; +- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], +- &xpkt, sendlen); ++ sendpkt(&peer->srcadr, peer->dstadr, ++ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl], ++ &xpkt, sendlen); + peer->sent++; + peer->throttle += (1 << peer->minpoll) - 2; + +@@ -3590,8 +3591,9 @@ peer_xmit( + exit (-1); + } + peer->t21_bytes = sendlen; +- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt, +- sendlen); ++ sendpkt(&peer->srcadr, peer->dstadr, ++ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl], ++ &xpkt, sendlen); + peer->sent++; + peer->throttle += (1 << peer->minpoll) - 2; + +@@ -3911,8 +3913,9 @@ pool_xmit( + get_systime(&xmt_tx); + pool->aorg = xmt_tx; + HTONL_FP(&xmt_tx, &xpkt.xmt); +- sendpkt(rmtadr, lcladr, sys_ttl[pool->ttl], &xpkt, +- LEN_PKT_NOMAC); ++ sendpkt(rmtadr, lcladr, ++ sys_ttl[(pool->ttl >= sys_ttlmax) ? sys_ttlmax : pool->ttl], ++ &xpkt, LEN_PKT_NOMAC); + pool->sent++; + pool->throttle += (1 << pool->minpoll) - 2; + #ifdef DEBUG +@@ -4281,10 +4284,9 @@ init_proto(void) + sys_stattime = current_time; + orphwait = current_time + sys_orphwait; + proto_clr_stats(); +- for (i = 0; i < MAX_TTL; i++) { ++ for (i = 0; i < MAX_TTL; ++i) + sys_ttl[i] = (u_char)((i * 256) / MAX_TTL); +- sys_ttlmax = i; +- } ++ sys_ttlmax = (MAX_TTL - 1); + hardpps_enable = 0; + stats_control = 1; + } diff -Nru ntp-4.2.8p4+dfsg/debian/patches/series ntp-4.2.8p4+dfsg/debian/patches/series --- ntp-4.2.8p4+dfsg/debian/patches/series 2016-10-05 12:11:45.000000000 +0000 +++ ntp-4.2.8p4+dfsg/debian/patches/series 2017-06-28 14:22:57.000000000 +0000 @@ -27,3 +27,19 @@ CVE-2016-4954.patch CVE-2016-4955.patch CVE-2016-4956.patch +CVE-2016-2519.patch +CVE-2016-7426.patch +CVE-2016-7427-1.patch +CVE-2016-7428.patch +CVE-2016-7429-1.patch +CVE-2016-7429-2.patch +CVE-2016-7429-3.patch +CVE-2016-7433.patch +CVE-2016-7434.patch +CVE-2016-9310.patch +CVE-2016-9311.patch +CVE-2017-6458.patch +CVE-2017-6460.patch +CVE-2017-6462.patch +CVE-2017-6463.patch +CVE-2017-6464.patch