/usr/bin/timeadj doesn't appear to have stack protection
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ntp (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: ntp
For some reason, the timeadj binary in the ntp package doesn't appear to get built with gcc's stack protector option. Running the hardening check from the qa-regression-
ubuntu@
ntp:
Installed: 1:4.2.4p8+
Candidate: 1:4.2.4p8+
Version table:
*** 1:4.2.4p8+
500 http://
100 /var/lib/
ubuntu@
ntp: /usr/bin/tickadj
ubuntu@
/usr/bin/tickadj:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
ProblemType: Bug
Architecture: i386
Date: Wed Feb 3 15:13:35 2010
DistroRelease: Ubuntu 10.04
InstallationMedia: Error: [Errno 13] Permission denied: '/var/log/
NtpStatus: ntpq: read: Connection refused
Package: ntp 1:4.2.4p8+
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: ntp
Uname: Linux 2.6.32-
Ah-ha, yes, it's a tiny helper that has no arrays to protect in any functions. I've blacklisted that ELF for now.
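
The reasoning in the closing comment, as an added example (not code from this report or from the QA regression scripts): it assumes the check decides "Stack protected" by looking for an import of glibc's `__stack_chk_fail`, which GCC's stack protector only references from functions it instruments, so a binary with no arrays reports "no, not found!" and has to be handled with a skip list. `sample_elf`, the skip-list name and the import names are constructed for the demonstration.

```python
import struct

SHT_DYNSYM = 11
CANARY_FAIL = "__stack_chk_fail"    # glibc routine called when a canary is clobbered
NO_ARRAYS = {"/usr/bin/tickadj"}    # reviewed: nothing for the protector to guard

def dynamic_symbols(elf: bytes) -> set:
    """Names in .dynsym of a little-endian ELF32 image (the report is i386)."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x01\x01":
        raise ValueError("expected little-endian ELF32")
    (shoff,) = struct.unpack_from("<I", elf, 32)             # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, 46)    # e_shentsize, e_shnum
    sections = [struct.unpack_from("<10I", elf, shoff + i * shentsize)
                for i in range(shnum)]
    names = set()
    for _, sh_type, _, _, off, size, link, _, _, entsize in sections:
        if sh_type != SHT_DYNSYM or entsize == 0:
            continue
        str_off = sections[link][4]                          # sh_link -> .dynstr
        for pos in range(off, off + size, entsize):
            (st_name,) = struct.unpack_from("<I", elf, pos)
            start = str_off + st_name
            names.add(elf[start:elf.index(b"\0", start)].decode())
    return names - {""}                                      # drop the null symbol

def stack_protected(path: str, elf: bytes, skip=NO_ARRAYS) -> str:
    if CANARY_FAIL in dynamic_symbols(elf):
        return "yes"
    # Absence only proves no function was instrumented, not that one needed to be.
    return "skipped (no arrays)" if path in skip else "no, not found!"

def sample_elf(imports) -> bytes:
    """Constructed test image: ELF32 header, .dynstr and .dynsym only."""
    strtab, syms = b"\0", bytes(16)                          # leading NUL, null symbol
    for name in imports:
        syms += struct.pack("<IIIBBH", len(strtab), 0, 0, 0x12, 0, 0)
        strtab += name.encode() + b"\0"
    sym_off = 52 + len(strtab)
    shoff = sym_off + len(syms)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 0)
    shdrs = (bytes(40)
             + struct.pack("<10I", 0, 3, 0, 0, 52, len(strtab), 0, 0, 1, 0)
             + struct.pack("<10I", 0, SHT_DYNSYM, 0, 0, sym_off, len(syms), 1, 1, 4, 16))
    return ehdr + strtab + syms + shdrs
```

A "skipped" result records a reviewed exception rather than a pass, so the skip list should be revisited when the binary's source changes.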