ntp: fix several security issues

* CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296. For more details please see: https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2014-12-28 08:45:57 -0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2014-12-29 10:12:51 +0100
commit: 200f6cafc878d4c26871fc56d21ecc8eaa9aa61b (patch)
tree: 916c5e6e74532e8b9ecbce8f7400697beeb82342
parent: f9f2548e1833de07716c450312810e45d1377f11 (diff)
download: meta-openembedded-200f6cafc878d4c26871fc56d21ecc8eaa9aa61b.tar.gz
6 files changed, 426 insertions, 3 deletions
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
new file mode 100644
index 0000000000..667b705eaf
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
@@ -0,0 +1,43 @@
+CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
+Upstream-Status: Backport [Debian]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c  2014-12-20 18:45:45.232872120 +0100
+++ git/ntpd/ntp_config.c       2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+                req_hashlen = digest_len;
+ #endif
+        } else {
+-               int     rankey;
+               unsigned char rankey[16];
+
+               if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
+                       msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
+                       exit(1);
+               }
+ 
+-               rankey = ntp_random();
+                req_keytype = NID_md5;
+                req_hashlen = 16;
+-               MD5auth_setkey(req_keyid, req_keytype,
+-                   (u_char *)&rankey, sizeof(rankey));
+               MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+                authtrust(req_keyid, 1);
+        }
+ 
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c        2014-12-20 18:45:45.232872120 +0100
+++ git/ntpd/ntpd.c     2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+        get_systime(&now);
+ 
+        ntp_srandom((int)(now.l_i * now.l_uf));
+       ntp_crypto_srandom();
+ 
+ #if !defined(VMS)
+ # ifndef NODETACH
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
new file mode 100644
index 0000000000..67e532b9d7
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
@@ -0,0 +1,128 @@
+CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 
+Upstream-Status: Backport [Debian]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: ntp-4.2.6p5/include/ntp_random.h
+===================================================================
+--- ntp-4.2.6p5.orig/include/ntp_random.h
+++ ntp-4.2.6p5/include/ntp_random.h
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
+void ntp_crypto_srandom(void);
+int ntp_crypto_random_buf(void *buf, size_t nbytes);
+
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
+++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -481,3 +481,74 @@ ntp_random( void )
+        }
+        return(i);
+ }
+
+/*
+ * Crypto-quality random number functions
+ *
+ * Author: Harlan Stenn, 2014
+ *
+ * This file is Copyright (c) 2014 by Network Time Foundation.
+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
+ */
+
+#ifdef OPENSSL
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+int crypto_rand_init = 0;
+#endif
+
+/*
+ * ntp_crypto_srandom:
+ *
+ * Initialize the random number generator, if needed by the underlying
+ * crypto random number generation mechanism.
+ */
+
+void
+ntp_crypto_srandom(
+       void
+       )
+{
+#ifdef OPENSSL
+       if (!crypto_rand_init) {
+               RAND_poll();
+               crypto_rand_init = 1;
+       }
+#else
+   /* No initialization needed for arc4random() */
+#endif
+}
+
+/*
+ * ntp_crypto_random_buf:
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+ntp_crypto_random_buf(
+       void *buf,
+       size_t nbytes
+       )
+{
+#ifdef OPENSSL
+       int rc;
+
+       rc = RAND_bytes(buf, nbytes);
+       if (1 != rc) {
+               unsigned long err;
+               char *err_str;
+
+               err = ERR_get_error();
+               err_str = ERR_error_string(err, NULL);
+               /* XXX: Log the error */
+
+               return -1;
+       }
+       return 0;
+#else
+   arc4random_buf(buf, nbytes);
+   return 0;
+#endif
+}
+
+Index: ntp-4.2.6p5/util/ntp-keygen.c
+===================================================================
+--- ntp-4.2.6p5.orig/util/ntp-keygen.c
+++ ntp-4.2.6p5/util/ntp-keygen.c
+@@ -261,6 +261,8 @@ main(
+        ssl_check_version();
+ #endif /* OPENSSL */
+ 
+       ntp_crypto_srandom();
+
+        /*
+         * Process options, initialize host name and timestamp.
+         */
+@@ -727,7 +729,14 @@ gen_md5(
+                        int temp;
+ 
+                        while (1) {
+-                               temp = ntp_random() & 0xff;
+                               int rc;
+
+                               rc = ntp_crypto_random_buf(&temp, 1);
+                               if (-1 == rc) {
+                                       fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
+                                       exit (-1);
+                               }
+                               temp &= 0xff;
+                                if (temp == '#')
+                                        continue;
+ 
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
new file mode 100644
index 0000000000..6143f26e92
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,113 @@
+CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets 
+Upstream-Status: Backport [Debian]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c  2014-12-20 18:45:44.208851199 +0100
+++ git/ntpd/ntp_crypto.c       2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+                         * errors.
+                         */
+                        if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+                               u_int32 *cookiebuf = malloc(
+                                   RSA_size(host_pkey->pkey.rsa));
+                               if (!cookiebuf) {
+                                       rval = XEVNT_CKY;
+                                       break;
+                               }
+
+                                if (RSA_private_decrypt(vallen,
+                                    (u_char *)ep->pkt,
+-                                   (u_char *)&temp32,
+                                   (u_char *)cookiebuf,
+                                    host_pkey->pkey.rsa,
+-                                   RSA_PKCS1_OAEP_PADDING) <= 0) {
+                                   RSA_PKCS1_OAEP_PADDING) != 4) {
+                                        rval = XEVNT_CKY;
+                                       free(cookiebuf);
+                                        break;
+                                } else {
+-                                       cookie = ntohl(temp32);
+                                       cookie = ntohl(*cookiebuf);
+                                       free(cookiebuf);
+                                }
+                        } else {
+                                rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
+++ git/ntpd/ntp_control.c      2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static char *reqpt;
+ static char *reqend;
+ 
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
+ /*
+  * init_control - initialize request data
+  */
+@@ -995,6 +999,7 @@
+        )
+ {
+        int overhead;
+       unsigned int currentlen;
+ 
+        overhead = 0;
+        if (!bin) {
+@@ -1018,12 +1023,22 @@
+        /*
+         * Save room for trailing junk
+         */
+-       if (dlen + overhead + datapt > dataend) {
+       while (dlen + overhead + datapt > dataend) {
+                /*
+                 * Not enough room in this one, flush it out.
+                 */
+               currentlen = MIN(dlen, dataend - datapt);
+
+               memcpy(datapt, dp, currentlen);
+
+               datapt += currentlen;
+               dp += currentlen;
+               dlen -= currentlen;
+               datalinelen += currentlen;
+
+                ctl_flushpkt(CTL_MORE);
+        }
+
+        memmove((char *)datapt, dp, (unsigned)dlen);
+        datapt += dlen;
+        datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+ 
+        /* Initialize the remote config buffer */
+        data_count = reqend - reqpt;
+
+       if (data_count > sizeof(remote_config.buffer) - 2) {
+               snprintf(remote_config.err_msg,
+                        sizeof(remote_config.err_msg),
+                        "runtime configuration failed: request too long");
+               ctl_putdata(remote_config.err_msg,
+                           strlen(remote_config.err_msg), 0);
+               ctl_flushpkt(0);
+               msyslog(LOG_NOTICE,
+                       "runtime config from %s rejected: request too long",
+                       stoa(&rbufp->recv_srcadr));
+               return;
+       }
+
+        memcpy(remote_config.buffer, reqpt, data_count);
+        if (data_count > 0
+            && '\n' != remote_config.buffer[data_count - 1])
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
new file mode 100644
index 0000000000..a85f65d2aa
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
@@ -0,0 +1,21 @@
+CVE-2014-9296 ntp: receive() missing return on error
+Upstream-Status: Backport [Debian]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+2014-12-12 11:24:22+00:00, stenn@psp-fb1.ntp.org +1 -0
+  [Sec 2670] Missing return; from error clause
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c   2014-12-20 18:45:42.760821618 +0100
+++ git/ntpd/ntp_proto.c        2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+                                fast_xmit(rbufp, MODE_ACTIVE, 0,
+                                    restrict_mask);
+                                sys_restricted++;
+                               return;
+                        }
+                }
+ 
diff --git a/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
new file mode 100644
index 0000000000..f576e2ee8b
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
@@ -0,0 +1,108 @@
+Fix ntp-keygen build without OpenSSL
+Patch borrowed from Gentoo, originally from upstream
+Added --enable-libenvent to config since this version
+does not have local libevent support but we need the 
+functions from the lib.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Upstream-Status: Backport
+Upstream commit:
+http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg
+Gentoo bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=533238
+Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
+++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -498,6 +498,21 @@ ntp_random( void )
+ int crypto_rand_init = 0;
+ #endif
+ 
+#ifndef HAVE_ARC4RANDOM_BUF
+static void
+arc4random_buf(void *buf, size_t nbytes);
+
+void
+evutil_secure_rng_get_bytes(void *buf, size_t nbytes);
+
+static void
+arc4random_buf(void *buf, size_t nbytes)
+{
+  evutil_secure_rng_get_bytes(buf, nbytes);
+  return;
+}
+#endif
+
+ /*
+  * ntp_crypto_srandom:
+  *
+Index: ntp-4.2.6p5/util/Makefile.am
+===================================================================
+--- ntp-4.2.6p5.orig/util/Makefile.am
+++ ntp-4.2.6p5/util/Makefile.am
+@@ -21,6 +21,7 @@ AM_CPPFLAGS= -I$(top_srcdir)/include -I$
+ LDADD=         ../libntp/libntp.a
+ ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h
+ ntp_keygen_LDADD= version.o $(LIBOPTS_LDADD) ../libntp/libntp.a @LCRYPTO@
+ntp_keygen_LDADD += $(LDADD_LIBEVENT)
+ 
+ ETAGS_ARGS=    Makefile.am
+ #EXTRA_DIST=   README TAGS
+Index: ntp-4.2.6p5/configure.ac
+===================================================================
+--- ntp-4.2.6p5.orig/configure.ac
+++ ntp-4.2.6p5/configure.ac
+@@ -376,6 +376,8 @@ AC_CHECK_FUNC([openlog], ,
+ AC_SEARCH_LIBS([MD5Init], [md5 md])
+ AC_CHECK_FUNCS(MD5Init)
+ 
+AC_CHECK_FUNC([arc4random_buf])
+
+ NTP_LINEEDITLIBS
+ 
+ dnl Digital UNIX V4.0 and Solaris 7 have POSIX.1c functions in -lrt
+@@ -5205,6 +5207,39 @@ AC_MSG_RESULT([$ntp_use_dev_clockctl])
+ 
+ AC_CHECK_HEADERS([sys/capability.h sys/prctl.h])
+ 
+AC_MSG_CHECKING([if we have libevent capabilities (libevent)])
+
+case "$ac_cv_header_event2_event-config_h" in
+ yes)
+    case "$host" in
+     *) ntp_have_linuxcaps=yes
+       ;;
+    esac
+    ;;
+ *)
+    ntp_have_linuxcaps=no
+    ;;
+esac
+
+AC_ARG_ENABLE(
+    [libevent],
+    [AS_HELP_STRING(
+       [--enable-libevent],
+       [+ Use libevent capabilities for arc4random]
+    )],
+    [ntp_have_libevent=$enableval]
+)
+
+AC_MSG_RESULT([$ntp_have_libevent])
+
+case "$ntp_have_libevent" in
+ yes)
+    AC_DEFINE([HAVE_LIBEVENT], [1],
+       [Do we have libevent capabilities?])
+    LIBS="$LIBS -levent"
+esac
+
+
+ AC_MSG_CHECKING([if we have linux capabilities (libcap)])
+ 
+ case "$ac_cv_header_sys_capability_h$ac_cv_header_sys_prctl_h" in
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index fd29a78cfa..ab7bd9c539 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -26,13 +26,22 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
           file://sntp \
           file://ntpd.list \
           file://CVE-2013-5211.patch \
+           file://ntp-4.2.6p5-cve-2014-9293.patch \
+           file://ntp-4.2.6p5-cve-2014-9294.patch \
+           file://ntp-4.2.6p5-cve-2014-9295.patch \
+           file://ntp-4.2.6p5-cve-2014-9296.patch  \
+           file://ntp-keygen_no_openssl.patch  \
 "
 inherit autotools update-rc.d useradd systemd
 # The ac_cv_header_readline_history is to stop ntpdc depending on either
 # readline or curses
-EXTRA_OECONF += "--with-net-snmp-config=no --without-ntpsnmpd ac_cv_header_readline_history_h=no --with-binsubdir=sbin"
+EXTRA_OECONF += "--with-net-snmp-config=no \
+                --without-ntpsnmpd \
+                ac_cv_header_readline_history_h=no \
+                --with-binsubdir=sbin"
 CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"
 USERADD_PACKAGES = "${PN}"
@@ -42,7 +51,7 @@ USERADD_PARAM_${PN} = "--system --home-dir ${NTP_USER_HOME} \
                       --shell /bin/false --user-group ntp"
 # NB: debug is default-enabled by NTP; keep it default-enabled here.
-PACKAGECONFIG ??= "cap debug"
+PACKAGECONFIG ??= "event cap debug"
 PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
                          --with-openssl-incdir=${STAGING_INCDIR} \
                          --with-crypto, \
@@ -51,6 +60,7 @@ PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
 PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap"
 PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline"
 PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging"
+PACKAGECONFIG[event] = "--enable-libevent,--disable-libevent, libevent"
 do_install_append() {
    install -d ${D}${sysconfdir}/init.d
@@ -94,7 +104,7 @@ PACKAGES += "ntpdate sntp ${PN}-tickadj ${PN}-utils"
 # ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms
 # with wonky clocks (e.g. OpenSlug)
-RDEPENDS_${PN} = "${PN}-tickadj"
+RDEPENDS_${PN} = "${PN}-tickadj libbsd"
 # Handle move from bin to utils package
 RPROVIDES_${PN}-utils = "${PN}-bin"
 RREPLACES_${PN}-utils = "${PN}-bin"
author	Armin Kuster <akuster808@gmail.com>	2014-12-28 08:45:57 -0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2014-12-29 10:12:51 +0100
commit	200f6cafc878d4c26871fc56d21ecc8eaa9aa61b (patch)
tree	916c5e6e74532e8b9ecbce8f7400697beeb82342
parent	f9f2548e1833de07716c450312810e45d1377f11 (diff)
download	meta-openembedded-200f6cafc878d4c26871fc56d21ecc8eaa9aa61b.tar.gz

diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch new file mode 100644 index 0000000000..667b705eaf --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
@@ -0,0 +1,43 @@
		1	CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
		2
		3	Upstream-Status: Backport [Debian]
		4
		5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
		6
		7	Index: git/ntpd/ntp_config.c
		8	===================================================================
		9	--- git.orig/ntpd/ntp_config.c 2014-12-20 18:45:45.232872120 +0100
		10	+++ git/ntpd/ntp_config.c 2014-12-20 18:45:47.672921968 +0100
		11	@@ -1866,13 +1866,16 @@
		12	req_hashlen = digest_len;
		13	#endif
		14	} else {
		15	- int rankey;
		16	+ unsigned char rankey[16];
		17	+
		18	+ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
		19	+ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
		20	+ exit(1);
		21	+ }
		22
		23	- rankey = ntp_random();
		24	req_keytype = NID_md5;
		25	req_hashlen = 16;
		26	- MD5auth_setkey(req_keyid, req_keytype,
		27	- (u_char *)&rankey, sizeof(rankey));
		28	+ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
		29	authtrust(req_keyid, 1);
		30	}
		31
		32	Index: git/ntpd/ntpd.c
		33	===================================================================
		34	--- git.orig/ntpd/ntpd.c 2014-12-20 18:45:45.232872120 +0100
		35	+++ git/ntpd/ntpd.c 2014-12-20 18:45:47.672921968 +0100
		36	@@ -597,6 +597,7 @@
		37	get_systime(&now);
		38
		39	ntp_srandom((int)(now.l_i * now.l_uf));
		40	+ ntp_crypto_srandom();
		41
		42	#if !defined(VMS)
		43	# ifndef NODETACH


diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch new file mode 100644 index 0000000000..67e532b9d7 --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
@@ -0,0 +1,128 @@
		1	CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
		2
		3	Upstream-Status: Backport [Debian]
		4
		5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
		6
		7	Index: ntp-4.2.6p5/include/ntp_random.h
		8	===================================================================
		9	--- ntp-4.2.6p5.orig/include/ntp_random.h
		10	+++ ntp-4.2.6p5/include/ntp_random.h
		11	@@ -1,6 +1,9 @@
		12
		13	#include <ntp_types.h>
		14
		15	+void ntp_crypto_srandom(void);
		16	+int ntp_crypto_random_buf(void *buf, size_t nbytes);
		17	+
		18	long ntp_random (void);
		19	void ntp_srandom (unsigned long);
		20	void ntp_srandomdev (void);
		21	Index: ntp-4.2.6p5/libntp/ntp_random.c
		22	===================================================================
		23	--- ntp-4.2.6p5.orig/libntp/ntp_random.c
		24	+++ ntp-4.2.6p5/libntp/ntp_random.c
		25	@@ -481,3 +481,74 @@ ntp_random( void )
		26	}
		27	return(i);
		28	}
		29	+
		30	+/*
		31	+ * Crypto-quality random number functions
		32	+ *
		33	+ * Author: Harlan Stenn, 2014
		34	+ *
		35	+ * This file is Copyright (c) 2014 by Network Time Foundation.
		36	+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
		37	+ */
		38	+
		39	+#ifdef OPENSSL
		40	+#include <openssl/err.h>
		41	+#include <openssl/rand.h>
		42	+
		43	+int crypto_rand_init = 0;
		44	+#endif
		45	+
		46	+/*
		47	+ * ntp_crypto_srandom:
		48	+ *
		49	+ * Initialize the random number generator, if needed by the underlying
		50	+ * crypto random number generation mechanism.
		51	+ */
		52	+
		53	+void
		54	+ntp_crypto_srandom(
		55	+ void
		56	+ )
		57	+{
		58	+#ifdef OPENSSL
		59	+ if (!crypto_rand_init) {
		60	+ RAND_poll();
		61	+ crypto_rand_init = 1;
		62	+ }
		63	+#else
		64	+ /* No initialization needed for arc4random() */
		65	+#endif
		66	+}
		67	+
		68	+/*
		69	+ * ntp_crypto_random_buf:
		70	+ *
		71	+ * Returns 0 on success, -1 on error.
		72	+ */
		73	+int
		74	+ntp_crypto_random_buf(
		75	+ void *buf,
		76	+ size_t nbytes
		77	+ )
		78	+{
		79	+#ifdef OPENSSL
		80	+ int rc;
		81	+
		82	+ rc = RAND_bytes(buf, nbytes);
		83	+ if (1 != rc) {
		84	+ unsigned long err;
		85	+ char *err_str;
		86	+
		87	+ err = ERR_get_error();
		88	+ err_str = ERR_error_string(err, NULL);
		89	+ /* XXX: Log the error */
		90	+
		91	+ return -1;
		92	+ }
		93	+ return 0;
		94	+#else
		95	+ arc4random_buf(buf, nbytes);
		96	+ return 0;
		97	+#endif
		98	+}
		99	+
		100	Index: ntp-4.2.6p5/util/ntp-keygen.c
		101	===================================================================
		102	--- ntp-4.2.6p5.orig/util/ntp-keygen.c
		103	+++ ntp-4.2.6p5/util/ntp-keygen.c
		104	@@ -261,6 +261,8 @@ main(
		105	ssl_check_version();
		106	#endif /* OPENSSL */
		107
		108	+ ntp_crypto_srandom();
		109	+
		110	/*
		111	* Process options, initialize host name and timestamp.
		112	*/
		113	@@ -727,7 +729,14 @@ gen_md5(
		114	int temp;
		115
		116	while (1) {
		117	- temp = ntp_random() & 0xff;
		118	+ int rc;
		119	+
		120	+ rc = ntp_crypto_random_buf(&temp, 1);
		121	+ if (-1 == rc) {
		122	+ fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
		123	+ exit (-1);
		124	+ }
		125	+ temp &= 0xff;
		126	if (temp == '#')
		127	continue;
		128


diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch new file mode 100644 index 0000000000..6143f26e92 --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,113 @@
		1	CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
		2
		3	Upstream-Status: Backport [Debian]
		4
		5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
		6
		7	2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
		8	[Sec 2667] buffer overflow in crypto_recv()
		9	2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
		10	[Sec 2668] buffer overflow in ctl_putdata()
		11	2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
		12	[Sec 2669] buffer overflow in configure()
		13
		14	Index: git/ntpd/ntp_crypto.c
		15	===================================================================
		16	--- git.orig/ntpd/ntp_crypto.c 2014-12-20 18:45:44.208851199 +0100
		17	+++ git/ntpd/ntp_crypto.c 2014-12-20 18:45:56.425100776 +0100
		18	@@ -789,15 +789,24 @@
		19	* errors.
		20	*/
		21	if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
		22	+ u_int32 *cookiebuf = malloc(
		23	+ RSA_size(host_pkey->pkey.rsa));
		24	+ if (!cookiebuf) {
		25	+ rval = XEVNT_CKY;
		26	+ break;
		27	+ }
		28	+
		29	if (RSA_private_decrypt(vallen,
		30	(u_char *)ep->pkt,
		31	- (u_char *)&temp32,
		32	+ (u_char *)cookiebuf,
		33	host_pkey->pkey.rsa,
		34	- RSA_PKCS1_OAEP_PADDING) <= 0) {
		35	+ RSA_PKCS1_OAEP_PADDING) != 4) {
		36	rval = XEVNT_CKY;
		37	+ free(cookiebuf);
		38	break;
		39	} else {
		40	- cookie = ntohl(temp32);
		41	+ cookie = ntohl(*cookiebuf);
		42	+ free(cookiebuf);
		43	}
		44	} else {
		45	rval = XEVNT_CKY;
		46	Index: git/ntpd/ntp_control.c
		47	===================================================================
		48	--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
		49	+++ git/ntpd/ntp_control.c 2014-12-20 18:45:56.429100859 +0100
		50	@@ -486,6 +486,10 @@
		51	static char *reqpt;
		52	static char *reqend;
		53
		54	+#ifndef MIN
		55	+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
		56	+#endif
		57	+
		58	/*
		59	* init_control - initialize request data
		60	*/
		61	@@ -995,6 +999,7 @@
		62	)
		63	{
		64	int overhead;
		65	+ unsigned int currentlen;
		66
		67	overhead = 0;
		68	if (!bin) {
		69	@@ -1018,12 +1023,22 @@
		70	/*
		71	* Save room for trailing junk
		72	*/
		73	- if (dlen + overhead + datapt > dataend) {
		74	+ while (dlen + overhead + datapt > dataend) {
		75	/*
		76	* Not enough room in this one, flush it out.
		77	*/
		78	+ currentlen = MIN(dlen, dataend - datapt);
		79	+
		80	+ memcpy(datapt, dp, currentlen);
		81	+
		82	+ datapt += currentlen;
		83	+ dp += currentlen;
		84	+ dlen -= currentlen;
		85	+ datalinelen += currentlen;
		86	+
		87	ctl_flushpkt(CTL_MORE);
		88	}
		89	+
		90	memmove((char *)datapt, dp, (unsigned)dlen);
		91	datapt += dlen;
		92	datalinelen += dlen;
		93	@@ -2492,6 +2507,20 @@
		94
		95	/* Initialize the remote config buffer */
		96	data_count = reqend - reqpt;
		97	+
		98	+ if (data_count > sizeof(remote_config.buffer) - 2) {
		99	+ snprintf(remote_config.err_msg,
		100	+ sizeof(remote_config.err_msg),
		101	+ "runtime configuration failed: request too long");
		102	+ ctl_putdata(remote_config.err_msg,
		103	+ strlen(remote_config.err_msg), 0);
		104	+ ctl_flushpkt(0);
		105	+ msyslog(LOG_NOTICE,
		106	+ "runtime config from %s rejected: request too long",
		107	+ stoa(&rbufp->recv_srcadr));
		108	+ return;
		109	+ }
		110	+
		111	memcpy(remote_config.buffer, reqpt, data_count);
		112	if (data_count > 0
		113	&& '\n' != remote_config.buffer[data_count - 1])


diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch new file mode 100644 index 0000000000..a85f65d2aa --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
@@ -0,0 +1,21 @@
		1	CVE-2014-9296 ntp: receive() missing return on error
		2
		3	Upstream-Status: Backport [Debian]
		4
		5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
		6
		7	2014-12-12 11:24:22+00:00, stenn@psp-fb1.ntp.org +1 -0
		8	[Sec 2670] Missing return; from error clause
		9
		10	Index: git/ntpd/ntp_proto.c
		11	===================================================================
		12	--- git.orig/ntpd/ntp_proto.c 2014-12-20 18:45:42.760821618 +0100
		13	+++ git/ntpd/ntp_proto.c 2014-12-20 18:46:00.153176945 +0100
		14	@@ -947,6 +947,7 @@
		15	fast_xmit(rbufp, MODE_ACTIVE, 0,
		16	restrict_mask);
		17	sys_restricted++;
		18	+ return;
		19	}
		20	}
		21


diff --git a/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch new file mode 100644 index 0000000000..f576e2ee8b --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
@@ -0,0 +1,108 @@
		1	Fix ntp-keygen build without OpenSSL
		2
		3	Patch borrowed from Gentoo, originally from upstream
		4	Added --enable-libenvent to config since this version
		5	does not have local libevent support but we need the
		6	functions from the lib.
		7
		8	Signed-off-by: Armin Kuster <akuster808@gmail.com>
		9
		10	Upstream-Status: Backport
		11
		12	Upstream commit:
		13	http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg
		14	Gentoo bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=533238
		15
		16	Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
		17
		18	Index: ntp-4.2.6p5/libntp/ntp_random.c
		19	===================================================================
		20	--- ntp-4.2.6p5.orig/libntp/ntp_random.c
		21	+++ ntp-4.2.6p5/libntp/ntp_random.c
		22	@@ -498,6 +498,21 @@ ntp_random( void )
		23	int crypto_rand_init = 0;
		24	#endif
		25
		26	+#ifndef HAVE_ARC4RANDOM_BUF
		27	+static void
		28	+arc4random_buf(void *buf, size_t nbytes);
		29	+
		30	+void
		31	+evutil_secure_rng_get_bytes(void *buf, size_t nbytes);
		32	+
		33	+static void
		34	+arc4random_buf(void *buf, size_t nbytes)
		35	+{
		36	+ evutil_secure_rng_get_bytes(buf, nbytes);
		37	+ return;
		38	+}
		39	+#endif
		40	+
		41	/*
		42	* ntp_crypto_srandom:
		43	*
		44	Index: ntp-4.2.6p5/util/Makefile.am
		45	===================================================================
		46	--- ntp-4.2.6p5.orig/util/Makefile.am
		47	+++ ntp-4.2.6p5/util/Makefile.am
		48	@@ -21,6 +21,7 @@ AM_CPPFLAGS= -I$(top_srcdir)/include -I$
		49	LDADD= ../libntp/libntp.a
		50	ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h
		51	ntp_keygen_LDADD= version.o $(LIBOPTS_LDADD) ../libntp/libntp.a @LCRYPTO@
		52	+ntp_keygen_LDADD += $(LDADD_LIBEVENT)
		53
		54	ETAGS_ARGS= Makefile.am
		55	#EXTRA_DIST= README TAGS
		56	Index: ntp-4.2.6p5/configure.ac
		57	===================================================================
		58	--- ntp-4.2.6p5.orig/configure.ac
		59	+++ ntp-4.2.6p5/configure.ac
		60	@@ -376,6 +376,8 @@ AC_CHECK_FUNC([openlog], ,
		61	AC_SEARCH_LIBS([MD5Init], [md5 md])
		62	AC_CHECK_FUNCS(MD5Init)
		63
		64	+AC_CHECK_FUNC([arc4random_buf])
		65	+
		66	NTP_LINEEDITLIBS
		67
		68	dnl Digital UNIX V4.0 and Solaris 7 have POSIX.1c functions in -lrt
		69	@@ -5205,6 +5207,39 @@ AC_MSG_RESULT([$ntp_use_dev_clockctl])
		70
		71	AC_CHECK_HEADERS([sys/capability.h sys/prctl.h])
		72
		73	+AC_MSG_CHECKING([if we have libevent capabilities (libevent)])
		74	+
		75	+case "$ac_cv_header_event2_event-config_h" in
		76	+ yes)
		77	+ case "$host" in
		78	+ *) ntp_have_linuxcaps=yes
		79	+ ;;
		80	+ esac
		81	+ ;;
		82	+ *)
		83	+ ntp_have_linuxcaps=no
		84	+ ;;
		85	+esac
		86	+
		87	+AC_ARG_ENABLE(
		88	+ [libevent],
		89	+ [AS_HELP_STRING(
		90	+ [--enable-libevent],
		91	+ [+ Use libevent capabilities for arc4random]
		92	+ )],
		93	+ [ntp_have_libevent=$enableval]
		94	+)
		95	+
		96	+AC_MSG_RESULT([$ntp_have_libevent])
		97	+
		98	+case "$ntp_have_libevent" in
		99	+ yes)
		100	+ AC_DEFINE([HAVE_LIBEVENT], [1],
		101	+ [Do we have libevent capabilities?])
		102	+ LIBS="$LIBS -levent"
		103	+esac
		104	+
		105	+
		106	AC_MSG_CHECKING([if we have linux capabilities (libcap)])
		107
		108	case "$ac_cv_header_sys_capability_h$ac_cv_header_sys_prctl_h" in


diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc index fd29a78cfa..ab7bd9c539 100644 --- a/meta-networking/recipes-support/ntp/ntp.inc +++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -26,13 +26,22 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
26	file://sntp \	26	file://sntp \
27	file://ntpd.list \	27	file://ntpd.list \
28	file://CVE-2013-5211.patch \	28	file://CVE-2013-5211.patch \
		29	file://ntp-4.2.6p5-cve-2014-9293.patch \
		30	file://ntp-4.2.6p5-cve-2014-9294.patch \
		31	file://ntp-4.2.6p5-cve-2014-9295.patch \
		32	file://ntp-4.2.6p5-cve-2014-9296.patch \
		33	file://ntp-keygen_no_openssl.patch \
29	"	34	"
30		35
31	inherit autotools update-rc.d useradd systemd	36	inherit autotools update-rc.d useradd systemd
32		37
33	# The ac_cv_header_readline_history is to stop ntpdc depending on either	38	# The ac_cv_header_readline_history is to stop ntpdc depending on either
34	# readline or curses	39	# readline or curses
35	EXTRA_OECONF += "--with-net-snmp-config=no --without-ntpsnmpd ac_cv_header_readline_history_h=no --with-binsubdir=sbin"	40	EXTRA_OECONF += "--with-net-snmp-config=no \
		41	--without-ntpsnmpd \
		42	ac_cv_header_readline_history_h=no \
		43	--with-binsubdir=sbin"
		44
36	CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"	45	CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"
37		46
38	USERADD_PACKAGES = "${PN}"	47	USERADD_PACKAGES = "${PN}"
@@ -42,7 +51,7 @@ USERADD_PARAM_${PN} = "--system --home-dir ${NTP_USER_HOME} \
42	--shell /bin/false --user-group ntp"	51	--shell /bin/false --user-group ntp"
43		52
44	# NB: debug is default-enabled by NTP; keep it default-enabled here.	53	# NB: debug is default-enabled by NTP; keep it default-enabled here.
45	PACKAGECONFIG ??= "cap debug"	54	PACKAGECONFIG ??= "event cap debug"
46	PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \	55	PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
47	--with-openssl-incdir=${STAGING_INCDIR} \	56	--with-openssl-incdir=${STAGING_INCDIR} \
48	--with-crypto, \	57	--with-crypto, \
@@ -51,6 +60,7 @@ PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
51	PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap"	60	PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap"
52	PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline"	61	PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline"
53	PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging"	62	PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging"
		63	PACKAGECONFIG[event] = "--enable-libevent,--disable-libevent, libevent"
54		64
55	do_install_append() {	65	do_install_append() {
56	install -d ${D}${sysconfdir}/init.d	66	install -d ${D}${sysconfdir}/init.d
@@ -94,7 +104,7 @@ PACKAGES += "ntpdate sntp ${PN}-tickadj ${PN}-utils"
94		104
95	# ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms	105	# ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms
96	# with wonky clocks (e.g. OpenSlug)	106	# with wonky clocks (e.g. OpenSlug)
97	RDEPENDS_${PN} = "${PN}-tickadj"	107	RDEPENDS_${PN} = "${PN}-tickadj libbsd"
98	# Handle move from bin to utils package	108	# Handle move from bin to utils package
99	RPROVIDES_${PN}-utils = "${PN}-bin"	109	RPROVIDES_${PN}-utils = "${PN}-bin"
100	RREPLACES_${PN}-utils = "${PN}-bin"	110	RREPLACES_${PN}-utils = "${PN}-bin"