Diffstat (limited to 'meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch')
-rw-r--r-- | meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch | 113 |
1 files changed, 113 insertions, 0 deletions
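--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,113 @@
+CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
+[Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
+[Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
+[Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c 2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c 2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+* errors.
+*/
+if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++ u_int32 *cookiebuf = malloc(
++ RSA_size(host_pkey->pkey.rsa));
++ if (!cookiebuf) {
++ rval = XEVNT_CKY;
++ break;
++ }
++
+if (RSA_private_decrypt(vallen,
+(u_char *)ep->pkt,
+- (u_char *)&temp32,
++ (u_char *)cookiebuf,
+host_pkey->pkey.rsa,
+- RSA_PKCS1_OAEP_PADDING) <= 0) {
++ RSA_PKCS1_OAEP_PADDING) != 4) {
+rval = XEVNT_CKY;
++ free(cookiebuf);
+break;
+} else {
+- cookie = ntohl(temp32);
++ cookie = ntohl(*cookiebuf);
++ free(cookiebuf);
+}
+} else {
+rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c 2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+static char *reqpt;
+static char *reqend;
+
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+/*
+* init_control - initialize request data
+*/
+@@ -995,6 +999,7 @@
+)
+{
+int overhead;
++ unsigned int currentlen;
+
+overhead = 0;
+if (!bin) {
+@@ -1018,12 +1023,22 @@
+/*
+* Save room for trailing junk
+*/
+- if (dlen + overhead + datapt > dataend) {
++ while (dlen + overhead + datapt > dataend) {
+/*
+* Not enough room in this one, flush it out.
+*/
++ currentlen = MIN(dlen, dataend - datapt);
++
++ memcpy(datapt, dp, currentlen);
++
++ datapt += currentlen;
++ dp += currentlen;
++ dlen -= currentlen;
++ datalinelen += currentlen;
++
+ctl_flushpkt(CTL_MORE);
+}
++
+memmove((char *)datapt, dp, (unsigned)dlen);
+datapt += dlen;
+datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+
+/* Initialize the remote config buffer */
+data_count = reqend - reqpt;
++
++ if (data_count > sizeof(remote_config.buffer) - 2) {
++ snprintf(remote_config.err_msg,
++ sizeof(remote_config.err_msg),
++ "runtime configuration failed: request too long");
++ ctl_putdata(remote_config.err_msg,
++ strlen(remote_config.err_msg), 0);
++ ctl_flushpkt(0);
++ msyslog(LOG_NOTICE,
++ "runtime config from %s rejected: request too long",
++ stoa(&rbufp->recv_srcadr));
++ return;
++ }
++
+memcpy(remote_config.buffer, reqpt, data_count);
+if (data_count > 0
+&& '\n' != remote_config.buffer[data_count - 1])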
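Review bot: The `memcpy` length in the ntp_control.c hunk at `@@ -1018,12 +1023,22 @@` is taken from a signed pointer difference with no sign check: `currentlen = MIN(dlen, dataend - datapt);` stores the result in an `unsigned int`. Per the patch header this is the ctl_putdata() fix, and the function starts and ends outside the hunk, so the hunk does not show whether `datapt` can already be past `dataend` when the loop is entered. If it can, the difference is negative and converts to a very large copy length, which would defeat the bound this patch adds. Clamping it explicitly, e.g. `currentlen = (datapt < dataend) ? MIN(dlen, (unsigned int)(dataend - datapt)) : 0;`, keeps the copy within the space left in the packet buffer. Separately, in the ntp_crypto.c hunk the literal in `!= 4` would be clearer as `sizeof(u_int32)`, and the decrypted cookie is freed without being cleared first.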