1 files changed, 128 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
new file mode 100644
index 000000000..67e532b9d
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
@@ -0,0 +1,128 @@
+CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 
+Upstream-Status: Backport [Debian]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: ntp-4.2.6p5/include/ntp_random.h
+===================================================================
+--- ntp-4.2.6p5.orig/include/ntp_random.h
+++ ntp-4.2.6p5/include/ntp_random.h
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
+void ntp_crypto_srandom(void);
+int ntp_crypto_random_buf(void *buf, size_t nbytes);
+
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
+++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -481,3 +481,74 @@ ntp_random( void )
+        }
+        return(i);
+ }
+
+/*
+ * Crypto-quality random number functions
+ *
+ * Author: Harlan Stenn, 2014
+ *
+ * This file is Copyright (c) 2014 by Network Time Foundation.
+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
+ */
+
+#ifdef OPENSSL
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+int crypto_rand_init = 0;
+#endif
+
+/*
+ * ntp_crypto_srandom:
+ *
+ * Initialize the random number generator, if needed by the underlying
+ * crypto random number generation mechanism.
+ */
+
+void
+ntp_crypto_srandom(
+       void
+       )
+{
+#ifdef OPENSSL
+       if (!crypto_rand_init) {
+               RAND_poll();
+               crypto_rand_init = 1;
+       }
+#else
+   /* No initialization needed for arc4random() */
+#endif
+}
+
+/*
+ * ntp_crypto_random_buf:
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+ntp_crypto_random_buf(
+       void *buf,
+       size_t nbytes
+       )
+{
+#ifdef OPENSSL
+       int rc;
+
+       rc = RAND_bytes(buf, nbytes);
+       if (1 != rc) {
+               unsigned long err;
+               char *err_str;
+
+               err = ERR_get_error();
+               err_str = ERR_error_string(err, NULL);
+               /* XXX: Log the error */
+
+               return -1;
+       }
+       return 0;
+#else
+   arc4random_buf(buf, nbytes);
+   return 0;
+#endif
+}
+
+Index: ntp-4.2.6p5/util/ntp-keygen.c
+===================================================================
+--- ntp-4.2.6p5.orig/util/ntp-keygen.c
+++ ntp-4.2.6p5/util/ntp-keygen.c
+@@ -261,6 +261,8 @@ main(
+        ssl_check_version();
+ #endif /* OPENSSL */
+ 
+       ntp_crypto_srandom();
+
+        /*
+         * Process options, initialize host name and timestamp.
+         */
+@@ -727,7 +729,14 @@ gen_md5(
+                        int temp;
+ 
+                        while (1) {
+-                               temp = ntp_random() & 0xff;
+                               int rc;
+
+                               rc = ntp_crypto_random_buf(&temp, 1);
+                               if (-1 == rc) {
+                                       fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
+                                       exit (-1);
+                               }
+                               temp &= 0xff;
+                                if (temp == '#')
+                                        continue;
+

diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch new file mode 100644 index 000000000..67e532b9d --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
@@ -0,0 +1,128 @@
	1	CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
	2
	3	Upstream-Status: Backport [Debian]
	4
	5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
	6
	7	Index: ntp-4.2.6p5/include/ntp_random.h
	8	===================================================================
	9	--- ntp-4.2.6p5.orig/include/ntp_random.h
	10	+++ ntp-4.2.6p5/include/ntp_random.h
	11	@@ -1,6 +1,9 @@
	12
	13	#include <ntp_types.h>
	14
	15	+void ntp_crypto_srandom(void);
	16	+int ntp_crypto_random_buf(void *buf, size_t nbytes);
	17	+
	18	long ntp_random (void);
	19	void ntp_srandom (unsigned long);
	20	void ntp_srandomdev (void);
	21	Index: ntp-4.2.6p5/libntp/ntp_random.c
	22	===================================================================
	23	--- ntp-4.2.6p5.orig/libntp/ntp_random.c
	24	+++ ntp-4.2.6p5/libntp/ntp_random.c
	25	@@ -481,3 +481,74 @@ ntp_random( void )
	26	}
	27	return(i);
	28	}
	29	+
	30	+/*
	31	+ * Crypto-quality random number functions
	32	+ *
	33	+ * Author: Harlan Stenn, 2014
	34	+ *
	35	+ * This file is Copyright (c) 2014 by Network Time Foundation.
	36	+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
	37	+ */
	38	+
	39	+#ifdef OPENSSL
	40	+#include <openssl/err.h>
	41	+#include <openssl/rand.h>
	42	+
	43	+int crypto_rand_init = 0;
	44	+#endif
	45	+
	46	+/*
	47	+ * ntp_crypto_srandom:
	48	+ *
	49	+ * Initialize the random number generator, if needed by the underlying
	50	+ * crypto random number generation mechanism.
	51	+ */
	52	+
	53	+void
	54	+ntp_crypto_srandom(
	55	+ void
	56	+ )
	57	+{
	58	+#ifdef OPENSSL
	59	+ if (!crypto_rand_init) {
	60	+ RAND_poll();
	61	+ crypto_rand_init = 1;
	62	+ }
	63	+#else
	64	+ /* No initialization needed for arc4random() */
	65	+#endif
	66	+}
	67	+
	68	+/*
	69	+ * ntp_crypto_random_buf:
	70	+ *
	71	+ * Returns 0 on success, -1 on error.
	72	+ */
	73	+int
	74	+ntp_crypto_random_buf(
	75	+ void *buf,
	76	+ size_t nbytes
	77	+ )
	78	+{
	79	+#ifdef OPENSSL
	80	+ int rc;
	81	+
	82	+ rc = RAND_bytes(buf, nbytes);
	83	+ if (1 != rc) {
	84	+ unsigned long err;
	85	+ char *err_str;
	86	+
	87	+ err = ERR_get_error();
	88	+ err_str = ERR_error_string(err, NULL);
	89	+ /* XXX: Log the error */
	90	+
	91	+ return -1;
	92	+ }
	93	+ return 0;
	94	+#else
	95	+ arc4random_buf(buf, nbytes);
	96	+ return 0;
	97	+#endif
	98	+}
	99	+
	100	Index: ntp-4.2.6p5/util/ntp-keygen.c
	101	===================================================================
	102	--- ntp-4.2.6p5.orig/util/ntp-keygen.c
	103	+++ ntp-4.2.6p5/util/ntp-keygen.c
	104	@@ -261,6 +261,8 @@ main(
	105	ssl_check_version();
	106	#endif /* OPENSSL */
	107
	108	+ ntp_crypto_srandom();
	109	+
	110	/*
	111	* Process options, initialize host name and timestamp.
	112	*/
	113	@@ -727,7 +729,14 @@ gen_md5(
	114	int temp;
	115
	116	while (1) {
	117	- temp = ntp_random() & 0xff;
	118	+ int rc;
	119	+
	120	+ rc = ntp_crypto_random_buf(&temp, 1);
	121	+ if (-1 == rc) {
	122	+ fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
	123	+ exit (-1);
	124	+ }
	125	+ temp &= 0xff;
	126	if (temp == '#')
	127	continue;
	128