1 files changed, 113 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
new file mode 100644
index 000000000..6143f26e9
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,113 @@
+CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets 
+Upstream-Status: Backport [Debian]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c  2014-12-20 18:45:44.208851199 +0100
+++ git/ntpd/ntp_crypto.c       2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+                         * errors.
+                         */
+                        if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
+                               u_int32 *cookiebuf = malloc(
+                                   RSA_size(host_pkey->pkey.rsa));
+                               if (!cookiebuf) {
+                                       rval = XEVNT_CKY;
+                                       break;
+                               }
+
+                                if (RSA_private_decrypt(vallen,
+                                    (u_char *)ep->pkt,
+-                                   (u_char *)&temp32,
+                                   (u_char *)cookiebuf,
+                                    host_pkey->pkey.rsa,
+-                                   RSA_PKCS1_OAEP_PADDING) <= 0) {
+                                   RSA_PKCS1_OAEP_PADDING) != 4) {
+                                        rval = XEVNT_CKY;
+                                       free(cookiebuf);
+                                        break;
+                                } else {
+-                                       cookie = ntohl(temp32);
+                                       cookie = ntohl(*cookiebuf);
+                                       free(cookiebuf);
+                                }
+                        } else {
+                                rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
+++ git/ntpd/ntp_control.c      2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static char *reqpt;
+ static char *reqend;
+ 
+#ifndef MIN
+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
+#endif
+
+ /*
+  * init_control - initialize request data
+  */
+@@ -995,6 +999,7 @@
+        )
+ {
+        int overhead;
+       unsigned int currentlen;
+ 
+        overhead = 0;
+        if (!bin) {
+@@ -1018,12 +1023,22 @@
+        /*
+         * Save room for trailing junk
+         */
+-       if (dlen + overhead + datapt > dataend) {
+       while (dlen + overhead + datapt > dataend) {
+                /*
+                 * Not enough room in this one, flush it out.
+                 */
+               currentlen = MIN(dlen, dataend - datapt);
+
+               memcpy(datapt, dp, currentlen);
+
+               datapt += currentlen;
+               dp += currentlen;
+               dlen -= currentlen;
+               datalinelen += currentlen;
+
+                ctl_flushpkt(CTL_MORE);
+        }
+
+        memmove((char *)datapt, dp, (unsigned)dlen);
+        datapt += dlen;
+        datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+ 
+        /* Initialize the remote config buffer */
+        data_count = reqend - reqpt;
+
+       if (data_count > sizeof(remote_config.buffer) - 2) {
+               snprintf(remote_config.err_msg,
+                        sizeof(remote_config.err_msg),
+                        "runtime configuration failed: request too long");
+               ctl_putdata(remote_config.err_msg,
+                           strlen(remote_config.err_msg), 0);
+               ctl_flushpkt(0);
+               msyslog(LOG_NOTICE,
+                       "runtime config from %s rejected: request too long",
+                       stoa(&rbufp->recv_srcadr));
+               return;
+       }
+
+        memcpy(remote_config.buffer, reqpt, data_count);
+        if (data_count > 0
+            && '\n' != remote_config.buffer[data_count - 1])

diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch new file mode 100644 index 000000000..6143f26e9 --- /dev/null +++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,113 @@
	1	CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
	2
	3	Upstream-Status: Backport [Debian]
	4
	5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
	6
	7	2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
	8	[Sec 2667] buffer overflow in crypto_recv()
	9	2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
	10	[Sec 2668] buffer overflow in ctl_putdata()
	11	2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
	12	[Sec 2669] buffer overflow in configure()
	13
	14	Index: git/ntpd/ntp_crypto.c
	15	===================================================================
	16	--- git.orig/ntpd/ntp_crypto.c 2014-12-20 18:45:44.208851199 +0100
	17	+++ git/ntpd/ntp_crypto.c 2014-12-20 18:45:56.425100776 +0100
	18	@@ -789,15 +789,24 @@
	19	* errors.
	20	*/
	21	if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
	22	+ u_int32 *cookiebuf = malloc(
	23	+ RSA_size(host_pkey->pkey.rsa));
	24	+ if (!cookiebuf) {
	25	+ rval = XEVNT_CKY;
	26	+ break;
	27	+ }
	28	+
	29	if (RSA_private_decrypt(vallen,
	30	(u_char *)ep->pkt,
	31	- (u_char *)&temp32,
	32	+ (u_char *)cookiebuf,
	33	host_pkey->pkey.rsa,
	34	- RSA_PKCS1_OAEP_PADDING) <= 0) {
	35	+ RSA_PKCS1_OAEP_PADDING) != 4) {
	36	rval = XEVNT_CKY;
	37	+ free(cookiebuf);
	38	break;
	39	} else {
	40	- cookie = ntohl(temp32);
	41	+ cookie = ntohl(*cookiebuf);
	42	+ free(cookiebuf);
	43	}
	44	} else {
	45	rval = XEVNT_CKY;
	46	Index: git/ntpd/ntp_control.c
	47	===================================================================
	48	--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
	49	+++ git/ntpd/ntp_control.c 2014-12-20 18:45:56.429100859 +0100
	50	@@ -486,6 +486,10 @@
	51	static char *reqpt;
	52	static char *reqend;
	53
	54	+#ifndef MIN
	55	+#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
	56	+#endif
	57	+
	58	/*
	59	* init_control - initialize request data
	60	*/
	61	@@ -995,6 +999,7 @@
	62	)
	63	{
	64	int overhead;
	65	+ unsigned int currentlen;
	66
	67	overhead = 0;
	68	if (!bin) {
	69	@@ -1018,12 +1023,22 @@
	70	/*
	71	* Save room for trailing junk
	72	*/
	73	- if (dlen + overhead + datapt > dataend) {
	74	+ while (dlen + overhead + datapt > dataend) {
	75	/*
	76	* Not enough room in this one, flush it out.
	77	*/
	78	+ currentlen = MIN(dlen, dataend - datapt);
	79	+
	80	+ memcpy(datapt, dp, currentlen);
	81	+
	82	+ datapt += currentlen;
	83	+ dp += currentlen;
	84	+ dlen -= currentlen;
	85	+ datalinelen += currentlen;
	86	+
	87	ctl_flushpkt(CTL_MORE);
	88	}
	89	+
	90	memmove((char *)datapt, dp, (unsigned)dlen);
	91	datapt += dlen;
	92	datalinelen += dlen;
	93	@@ -2492,6 +2507,20 @@
	94
	95	/* Initialize the remote config buffer */
	96	data_count = reqend - reqpt;
	97	+
	98	+ if (data_count > sizeof(remote_config.buffer) - 2) {
	99	+ snprintf(remote_config.err_msg,
	100	+ sizeof(remote_config.err_msg),
	101	+ "runtime configuration failed: request too long");
	102	+ ctl_putdata(remote_config.err_msg,
	103	+ strlen(remote_config.err_msg), 0);
	104	+ ctl_flushpkt(0);
	105	+ msyslog(LOG_NOTICE,
	106	+ "runtime config from %s rejected: request too long",
	107	+ stoa(&rbufp->recv_srcadr));
	108	+ return;
	109	+ }
	110	+
	111	memcpy(remote_config.buffer, reqpt, data_count);
	112	if (data_count > 0
	113	&& '\n' != remote_config.buffer[data_count - 1])