From 01511d4cdedb696486f29d328a0289694661448d Mon Sep 17 00:00:00 2001 
From: Armin Kuster Date: Fri, 24 Mar 2017 09:22:55 -0700 Subject: ntp: update to 4.2.8.p10 LICENSE_FILE md5 changed do to copyright date change. NTF's NTP Project is releasing ntp-4.2.8p10, which addresses: 6 MEDIUM severity vulnerabilities (1 is about the Windows PPSAPI DLL) 5 LOW severity vulnerabilities (2 are in the Windows Installer) 4 Informational-level vulnerabilities 15 other non-security fixes and improvements All of the security issues in this release are listed in VU#633849. ntp-4.2.8p10 was released on 21 March 2017. Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP: Denial of Service via Malformed Config (Pentest report 01.2017) Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Pentest report 01.2017) Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Pentest report 01.2017) Sec 3386: NTP-01-011 NTP: ntpq_stripquotes() returns incorrect Value (Pentest report 01.2017) Sec 3385: NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Pentest report 01.2017) Sec 3384 / CVE-2017-6455 / VU#325339: NTP-01-009 NTP: Windows: Privileged execution of User Library code (Pentest report 01.2017) Sec 3383 / CVE-2017-6452 / VU#325339: NTP-01-008 NTP: Windows Installer: Stack Buffer Overflow from Command Line (Pentest report 01.2017) Sec 3382 / CVE-2017-6459 / VU#325339: NTP-01-007 NTP: Windows Installer: Data Structure terminated insufficiently (Pentest report 01.2017) Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code (Pentest report 01.2017) Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Pentest report 01.2017) Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Pentest report 01.2017) Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003 Improper use of snprintf() in mx4200_send() (Pentest report 01.2017) Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002 Buffer Overflow in ntpq when fetching reslist (Pentest report 
01.2017) Sec 3376: NTP-01-001 Makefile does not enforce Security Flags (Pentest report 01.2017) Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin Signed-off-by: Armin Kuster Signed-off-by: Martin Jansa Signed-off-by: Joe MacDonald
---
.../recipes-support/ntp/ntp_4.2.8p10.bb | 170 +++++++++++++++++++++ meta-networking/recipes-support/ntp/ntp_4.2.8p9.bb | 170 --------------------- 2 files changed, 170 insertions(+), 170 deletions(-) create mode 100644 meta-networking/recipes-support/ntp/ntp_4.2.8p10.bb delete mode 100644 meta-networking/recipes-support/ntp/ntp_4.2.8p9.bb (limited to 'meta-networking')
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p10.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p10.bb
new file mode 100644
index 000000000..719c60b97
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p10.bb
@@ -0,0 +1,170 @@
+SUMMARY = "Network Time Protocol daemon and utilities"
+DESCRIPTION = "The Network Time Protocol (NTP) is used to \
+synchronize the time of a computer client or server to \
+another server or reference time source, such as a radio \
+or satellite receiver or modem."
+HOMEPAGE = "http://support.ntp.org"
+SECTION = "net"
+LICENSE = "NTP"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=e877a1d567a6a58996d2b66e3e387003"
+
+DEPENDS = "libevent"
+
+SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.gz \
+ file://ntp-4.2.4_p6-nano.patch \
+ file://ntpd \
+ file://ntp.conf \
+ file://ntpdate \
+ file://ntpdate.default \
+ file://ntpdate.service \
+ file://ntpd.service \
+ file://sntp.service \
+ file://sntp \
+ file://ntpd.list \
+"
+
+SRC_URI[md5sum] = "745384ed0dedb3f66b33fe84d66466f9"
+SRC_URI[sha256sum] = "ddd2366e64219b9efa0f7438e06800d0db394ac5c88e13c17b70d0dcdf99b99f"
+
+inherit autotools update-rc.d useradd systemd pkgconfig
+
+# The ac_cv_header_readline_history is to stop ntpdc depending on either
+# readline or curses
+EXTRA_OECONF += "--with-net-snmp-config=no \
+ --without-ntpsnmpd \
+ ac_cv_header_readline_history_h=no \
+ --with-yielding_select=yes \
+ --with-locfile=redhat \
+ --without-rpath \
+ "
+CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"
+
+USERADD_PACKAGES = "${PN}"
+NTP_USER_HOME ?= "/var/lib/ntp"
+USERADD_PARAM_${PN} = "--system --home-dir ${NTP_USER_HOME} \
+ --no-create-home \
+ --shell /bin/false --user-group ntp"
+
+# NB: debug is default-enabled by NTP; keep it default-enabled here.
+PACKAGECONFIG ??= "cap debug refclocks openssl \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
+"
+PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
+ --with-openssl-incdir=${STAGING_INCDIR} \
+ --with-crypto, \
+ --without-openssl --without-crypto, \
+ openssl"
+PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap"
+PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline"
+PACKAGECONFIG[refclocks] = "--enable-all-clocks,--disable-all-clocks,pps-tools"
+PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging"
+PACKAGECONFIG[mdns] = "ac_cv_header_dns_sd_h=yes,ac_cv_header_dns_sd_h=no,mdns"
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+
+do_install_append() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 644 ${WORKDIR}/ntp.conf ${D}${sysconfdir}
+ install -m 755 ${WORKDIR}/ntpd ${D}${sysconfdir}/init.d
+ install -d ${D}${bindir}
+ install -m 755 ${WORKDIR}/ntpdate ${D}${bindir}/ntpdate-sync
+
+ install -m 755 -d ${D}${NTP_USER_HOME}
+ chown ntp:ntp ${D}${NTP_USER_HOME}
+
+ # Fix hardcoded paths in scripts
+ sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
+ sed -i 's!/usr/bin/!${bindir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
+ sed -i 's!/etc/!${sysconfdir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
+ sed -i 's!/var/!${localstatedir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
+ sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${bindir}/ntpdate-sync
+ sed -i '1s,#!.*perl -w,#! ${bindir}/env perl,' ${D}${sbindir}/ntptrace
+ sed -i '/use/i use warnings;' ${D}${sbindir}/ntptrace
+ sed -i '1s,#!.*perl,#! ${bindir}/env perl,' ${D}${sbindir}/ntp-wait
+ sed -i '/use/i use warnings;' ${D}${sbindir}/ntp-wait
+ sed -i '1s,#!.*perl -w,#! ${bindir}/env perl,' ${D}${sbindir}/calc_tickadj
+ sed -i '/use/i use warnings;' ${D}${sbindir}/calc_tickadj
+
+ install -d ${D}/${sysconfdir}/default
+ install -m 644 ${WORKDIR}/ntpdate.default ${D}${sysconfdir}/default/ntpdate
+ install -m 0644 ${WORKDIR}/sntp ${D}${sysconfdir}/default/
+
+ install -d ${D}/${sysconfdir}/network/if-up.d
+ ln -s ${bindir}/ntpdate-sync ${D}/${sysconfdir}/network/if-up.d
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/ntpdate.service ${D}${systemd_unitdir}/system/
+ install -m 0644 ${WORKDIR}/ntpd.service ${D}${systemd_unitdir}/system/
+ install -m 0644 ${WORKDIR}/sntp.service ${D}${systemd_unitdir}/system/
+
+ install -d ${D}${systemd_unitdir}/ntp-units.d
+ install -m 0644 ${WORKDIR}/ntpd.list ${D}${systemd_unitdir}/ntp-units.d/60-ntpd.list
+
+ # Remove an empty libexecdir.
+ rmdir --ignore-fail-on-non-empty ${D}${libexecdir}
+}
+
+PACKAGES += "ntpdate sntp ${PN}-tickadj ${PN}-utils"
+# NOTE: you don't need ntpdate, use "ntpd -q -g -x"
+
+# ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms
+# with wonky clocks (e.g. OpenSlug)
+RDEPENDS_${PN} = "${PN}-tickadj"
+# Handle move from bin to utils package
+RPROVIDES_${PN}-utils = "${PN}-bin"
+RREPLACES_${PN}-utils = "${PN}-bin"
+RCONFLICTS_${PN}-utils = "${PN}-bin"
+
+SYSTEMD_PACKAGES = "${PN} ntpdate sntp"
+SYSTEMD_SERVICE_${PN} = "ntpd.service"
+SYSTEMD_SERVICE_ntpdate = "ntpdate.service"
+SYSTEMD_SERVICE_sntp = "sntp.service"
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+
+RPROVIDES_ntpdate += "ntpdate-systemd"
+RREPLACES_ntpdate += "ntpdate-systemd"
+RCONFLICTS_ntpdate += "ntpdate-systemd"
+
+RSUGGESTS_${PN} = "iana-etc"
+
+FILES_${PN} = "${sbindir}/ntpd.ntp ${sysconfdir}/ntp.conf ${sysconfdir}/init.d/ntpd ${libdir} \
+ ${NTP_USER_HOME} \
+ ${systemd_unitdir}/ntp-units.d/60-ntpd.list ${libexecdir}\
+"
+FILES_${PN}-tickadj = "${sbindir}/tickadj"
+FILES_${PN}-utils = "${sbindir} ${datadir}/ntp/lib"
+RDEPENDS_${PN}-utils += "perl"
+FILES_ntpdate = "${sbindir}/ntpdate \
+ ${sysconfdir}/network/if-up.d/ntpdate-sync \
+ ${bindir}/ntpdate-sync \
+ ${sysconfdir}/default/ntpdate \
+ ${systemd_unitdir}/system/ntpdate.service \
+"
+FILES_sntp = "${sbindir}/sntp \
+ ${sysconfdir}/default/sntp \
+ ${systemd_unitdir}/system/sntp.service \
+ "
+
+CONFFILES_${PN} = "${sysconfdir}/ntp.conf"
+CONFFILES_ntpdate = "${sysconfdir}/default/ntpdate"
+
+INITSCRIPT_NAME = "ntpd"
+# No dependencies, so just go in at the standard level (20)
+INITSCRIPT_PARAMS = "defaults"
+
+pkg_postinst_ntpdate() {
+ if ! grep -q -s ntpdate $D/var/spool/cron/root; then
+ echo "adding crontab"
+ test -d $D/var/spool/cron || mkdir -p $D/var/spool/cron
+ echo "30 * * * * ${bindir}/ntpdate-sync silent" >> $D/var/spool/cron/root
+ fi
+}
+
+inherit update-alternatives
+
+ALTERNATIVE_PRIORITY = "100"
+
+ALTERNATIVE_${PN} = "ntpd"
+ALTERNATIVE_LINK_NAME[ntpd] = "${sbindir}/ntpd"
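Review bot: The default `PACKAGECONFIG ??= "cap debug refclocks openssl ..."` keeps `refclocks` enabled, and `PACKAGECONFIG[refclocks]` maps that to `--enable-all-clocks`, so every reference-clock driver is built into ntpd even for images that only synchronise over the network. Several of the issues listed in the commit message (the DPTS clock overflow, the Oncore off-by-one, `mx4200_send()`) appear to sit in exactly those drivers, so the default likely ships more driver code than a network-only client needs. I would add a comment above the assignment, for example `# refclocks builds every reference-clock driver; remove it from PACKAGECONFIG on images without local clock hardware`, and reconsider whether `debug` belongs in the default for production images. Separately, the tarball in `SRC_URI` is fetched over plain HTTP, which leaves `SRC_URI[sha256sum]` as the only integrity control, so that value should be confirmed against one obtained from upstream over an authenticated channel rather than computed from the download.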
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p9.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p9.bb
deleted file mode 100644
index 58b31c5ca..000000000
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p9.bb
+++ /dev/null
@@ -1,170 +0,0 @@
-SUMMARY = "Network Time Protocol daemon and utilities"
-DESCRIPTION = "The Network Time Protocol (NTP) is used to \
-synchronize the time of a computer client or server to \
-another server or reference time source, such as a radio \
-or satellite receiver or modem."
-HOMEPAGE = "http://support.ntp.org"
-SECTION = "net"
-LICENSE = "NTP"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=f41fedb22dffefcbfafecc85b0f79cfa"
-
-DEPENDS = "libevent"
-
-SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.gz \
- file://ntp-4.2.4_p6-nano.patch \
- file://ntpd \
- file://ntp.conf \
- file://ntpdate \
- file://ntpdate.default \
- file://ntpdate.service \
- file://ntpd.service \
- file://sntp.service \
- file://sntp \
- file://ntpd.list \
-"
-
-SRC_URI[md5sum] = "857452b05f5f2e033786f77ade1974ed"
-SRC_URI[sha256sum] = "b724287778e1bac625b447327c9851eedef020517a3545625e9f652a90f30b72"
-
-inherit autotools update-rc.d useradd systemd pkgconfig
-
-# The ac_cv_header_readline_history is to stop ntpdc depending on either
-# readline or curses
-EXTRA_OECONF += "--with-net-snmp-config=no \
- --without-ntpsnmpd \
- ac_cv_header_readline_history_h=no \
- --with-yielding_select=yes \
- --with-locfile=redhat \
- --without-rpath \
- "
-CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"
-
-USERADD_PACKAGES = "${PN}"
-NTP_USER_HOME ?= "/var/lib/ntp"
-USERADD_PARAM_${PN} = "--system --home-dir ${NTP_USER_HOME} \
- --no-create-home \
- --shell /bin/false --user-group ntp"
-
-# NB: debug is default-enabled by NTP; keep it default-enabled here.
-PACKAGECONFIG ??= "cap debug refclocks openssl \
- ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
-"
-PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
- --with-openssl-incdir=${STAGING_INCDIR} \
- --with-crypto, \
- --without-openssl --without-crypto, \
- openssl"
-PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap"
-PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline"
-PACKAGECONFIG[refclocks] = "--enable-all-clocks,--disable-all-clocks,pps-tools"
-PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging"
-PACKAGECONFIG[mdns] = "ac_cv_header_dns_sd_h=yes,ac_cv_header_dns_sd_h=no,mdns"
-PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
-
-do_install_append() {
- install -d ${D}${sysconfdir}/init.d
- install -m 644 ${WORKDIR}/ntp.conf ${D}${sysconfdir}
- install -m 755 ${WORKDIR}/ntpd ${D}${sysconfdir}/init.d
- install -d ${D}${bindir}
- install -m 755 ${WORKDIR}/ntpdate ${D}${bindir}/ntpdate-sync
-
- install -m 755 -d ${D}${NTP_USER_HOME}
- chown ntp:ntp ${D}${NTP_USER_HOME}
-
- # Fix hardcoded paths in scripts
- sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
- sed -i 's!/usr/bin/!${bindir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
- sed -i 's!/etc/!${sysconfdir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
- sed -i 's!/var/!${localstatedir}/!g' ${D}${sysconfdir}/init.d/ntpd ${D}${bindir}/ntpdate-sync
- sed -i 's!^PATH=.*!PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}${bindir}/ntpdate-sync
- sed -i '1s,#!.*perl -w,#! ${bindir}/env perl,' ${D}${sbindir}/ntptrace
- sed -i '/use/i use warnings;' ${D}${sbindir}/ntptrace
- sed -i '1s,#!.*perl,#! ${bindir}/env perl,' ${D}${sbindir}/ntp-wait
- sed -i '/use/i use warnings;' ${D}${sbindir}/ntp-wait
- sed -i '1s,#!.*perl -w,#! ${bindir}/env perl,' ${D}${sbindir}/calc_tickadj
- sed -i '/use/i use warnings;' ${D}${sbindir}/calc_tickadj
-
- install -d ${D}/${sysconfdir}/default
- install -m 644 ${WORKDIR}/ntpdate.default ${D}${sysconfdir}/default/ntpdate
- install -m 0644 ${WORKDIR}/sntp ${D}${sysconfdir}/default/
-
- install -d ${D}/${sysconfdir}/network/if-up.d
- ln -s ${bindir}/ntpdate-sync ${D}/${sysconfdir}/network/if-up.d
-
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/ntpdate.service ${D}${systemd_unitdir}/system/
- install -m 0644 ${WORKDIR}/ntpd.service ${D}${systemd_unitdir}/system/
- install -m 0644 ${WORKDIR}/sntp.service ${D}${systemd_unitdir}/system/
-
- install -d ${D}${systemd_unitdir}/ntp-units.d
- install -m 0644 ${WORKDIR}/ntpd.list ${D}${systemd_unitdir}/ntp-units.d/60-ntpd.list
-
- # Remove an empty libexecdir.
- rmdir --ignore-fail-on-non-empty ${D}${libexecdir}
-}
-
-PACKAGES += "ntpdate sntp ${PN}-tickadj ${PN}-utils"
-# NOTE: you don't need ntpdate, use "ntpd -q -g -x"
-
-# ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms
-# with wonky clocks (e.g. OpenSlug)
-RDEPENDS_${PN} = "${PN}-tickadj"
-# Handle move from bin to utils package
-RPROVIDES_${PN}-utils = "${PN}-bin"
-RREPLACES_${PN}-utils = "${PN}-bin"
-RCONFLICTS_${PN}-utils = "${PN}-bin"
-
-SYSTEMD_PACKAGES = "${PN} ntpdate sntp"
-SYSTEMD_SERVICE_${PN} = "ntpd.service"
-SYSTEMD_SERVICE_ntpdate = "ntpdate.service"
-SYSTEMD_SERVICE_sntp = "sntp.service"
-
-RPROVIDES_${PN} += "${PN}-systemd"
-RREPLACES_${PN} += "${PN}-systemd"
-RCONFLICTS_${PN} += "${PN}-systemd"
-
-RPROVIDES_ntpdate += "ntpdate-systemd"
-RREPLACES_ntpdate += "ntpdate-systemd"
-RCONFLICTS_ntpdate += "ntpdate-systemd"
-
-RSUGGESTS_${PN} = "iana-etc"
-
-FILES_${PN} = "${sbindir}/ntpd.ntp ${sysconfdir}/ntp.conf ${sysconfdir}/init.d/ntpd ${libdir} \
- ${NTP_USER_HOME} \
- ${systemd_unitdir}/ntp-units.d/60-ntpd.list ${libexecdir}\
-"
-FILES_${PN}-tickadj = "${sbindir}/tickadj"
-FILES_${PN}-utils = "${sbindir} ${datadir}/ntp/lib"
-RDEPENDS_${PN}-utils += "perl"
-FILES_ntpdate = "${sbindir}/ntpdate \
- ${sysconfdir}/network/if-up.d/ntpdate-sync \
- ${bindir}/ntpdate-sync \
- ${sysconfdir}/default/ntpdate \
- ${systemd_unitdir}/system/ntpdate.service \
-"
-FILES_sntp = "${sbindir}/sntp \
- ${sysconfdir}/default/sntp \
- ${systemd_unitdir}/system/sntp.service \
- "
-
-CONFFILES_${PN} = "${sysconfdir}/ntp.conf"
-CONFFILES_ntpdate = "${sysconfdir}/default/ntpdate"
-
-INITSCRIPT_NAME = "ntpd"
-# No dependencies, so just go in at the standard level (20)
-INITSCRIPT_PARAMS = "defaults"
-
-pkg_postinst_ntpdate() {
- if ! grep -q -s ntpdate $D/var/spool/cron/root; then
- echo "adding crontab"
- test -d $D/var/spool/cron || mkdir -p $D/var/spool/cron
- echo "30 * * * * ${bindir}/ntpdate-sync silent" >> $D/var/spool/cron/root
- fi
-}
-
-inherit update-alternatives
-
-ALTERNATIVE_PRIORITY = "100"
-
-ALTERNATIVE_${PN} = "ntpd"
-ALTERNATIVE_LINK_NAME[ntpd] = "${sbindir}/ntpd"
-- cgit v1.2.3-54-g00ecf