Date: Thu, 5 Apr 2001 10:43:21 -0700 (PDT)
From: Cy.Schubert@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/26369: (SECURITY) NTPD Remotely Exploitable Buffer Overrun
Message-ID: <200104051743.f35HhLe30358@cwsys.cwsent.com>
>Number: 26369 >Category: ports >Synopsis: NTPD Buffer Overrun >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Apr 05 10:50:03 PDT 2001 >Closed-Date: >Last-Modified: >Originator: >Release: FreeBSD 4.3-RC i386 >Organization: ITSD Open Systems Group, Government of British Columbia >Environment: System: FreeBSD cwsys 4.3-RC FreeBSD 4.3-RC #0: Tue Apr 3 16:56:41 PDT 2001 root@cwsys:/export/obj/opt/cvs-430b/src/sys/CWSYS i386 >Description: Ntpd <= 4.0.99k (currently latest release) has a buffer overrun condition. >How-To-Repeat: See BUGTRAQ archives for details. >Fix: diff -urPN --exclude=CVS --exclude=00_TRANS.TBL /home/src/cvs-ports/ports/net/ntp/Makefile /usr/local/ports-local/ntp-010404/Makefile --- /home/src/cvs-ports/ports/net/ntp/Makefile Thu Mar 29 04:03:56 2001 +++ /usr/local/ports-local/ntp-010404/Makefile Sat Nov 18 17:25:21 2000 @@ -1,8 +1,9 @@ # New ports collection makefile for: ntp +# Version required: 4.0.99g # Date created: Di 5 Mai 1998 21:31:03 CEST # Whom: andreas # -# $FreeBSD: ports/net/ntp/Makefile,v 1.16 2001/03/29 12:03:56 sf Exp $ +# $FreeBSD: ports/net/ntp/Makefile,v 1.11 2000/04/01 04:27:57 mharo Exp $ # PORTNAME= ntp diff -urPN --exclude=CVS --exclude=00_TRANS.TBL /home/src/cvs-ports/ports/net/ntp/files/patch-sec1 /usr/local/ports-local/ntp-010404/files/patch-sec1 --- /home/src/cvs-ports/ports/net/ntp/files/patch-sec1 Wed Dec 31 16:00:00 1969 +++ /usr/local/ports-local/ntp-010404/files/patch-sec1 Wed Apr 4 17:22:18 2001 
@@ -0,0 +1,25 @@ +--- ntpd/ntp_control.c.orig Sat Jul 15 07:46:05 2000 ++++ ntpd/ntp_control.c Wed Apr 4 17:12:50 2001 +@@ -1822,8 +1822,21 @@ + isspace((int)*cp)) + cp++; + while (cp < reqend && *cp != +- ',') ++ ',') { + *tp++ = *cp++; ++ if (tp > buf + sizeof(buf)) { ++ msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", ++ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff, ++ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff, ++ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff, ++ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff, ++ ntohs(rmt_addr->sin_port) ++ ); ++ ++ return (0); ++ } ++ } ++ + if (cp < reqend) + cp++; + *tp = '\0'; diff -urPN --exclude=CVS --exclude=00_TRANS.TBL /home/src/cvs-ports/ports/net/ntp/pkg-plist /usr/local/ports-local/ntp-010404/pkg-plist --- /home/src/cvs-ports/ports/net/ntp/pkg-plist Sat Apr 29 16:55:43 2000 +++ /usr/local/ports-local/ntp-010404/pkg-plist Sat Apr 1 04:16:45 2000 @@ -51,14 +51,12 @@ share/doc/ntp/exec.htm share/doc/ntp/extern.htm share/doc/ntp/gadget.htm -share/doc/ntp/genkeys.htm share/doc/ntp/hints/a-ux share/doc/ntp/hints/aix share/doc/ntp/hints/bsdi share/doc/ntp/hints/changes share/doc/ntp/hints/decosf1 share/doc/ntp/hints/decosf2 -share/doc/ntp/hints/freebsd share/doc/ntp/hints/hpux share/doc/ntp/hints/linux share/doc/ntp/hints/notes-xntp-v3 I see this port has no maintainer. I'm willing to maintain this port for FreeBSD. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
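Review bot: In the ports/net/ntp/Makefile hunk the $FreeBSD$ line moves backwards, from revision 1.16 (2001/03/29) to 1.11 (2000/04/01), and the +++ side carries the older timestamp (Nov 18 2000), so the diff appears to have been generated from a stale local copy rather than from the current tree. Regenerate it against revision 1.16 and leave the $FreeBSD$ line untouched, so that applying it does not roll back unrelated changes. The only other change here is the "# Version required: 4.0.99g" comment, which does not mark the fix; a PORTREVISION bump would let an installed, unpatched ntp be told apart from the patched one.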
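Review bot: In files/patch-sec1 the new bounds test is off by one and runs too late: "if (tp > buf + sizeof(buf))" is evaluated after "*tp++ = *cp++;", and it uses > rather than >=. As written, tp may reach buf + sizeof(buf) without tripping the test, so the next store lands at buf[sizeof(buf)] before the function returns, and for input that fills the buffer exactly the unchanged "*tp = '\0';" after the loop writes one byte past the end. Move the test ahead of the store and leave room for the terminator, for example "if (tp >= buf + sizeof(buf) - 1)" before "*tp++ = *cp++;". A smaller point: the msyslog() format string ends in "\n", which syslog-style loggers do not need.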
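Review bot: The pkg-plist hunk drops share/doc/ntp/genkeys.htm and share/doc/ntp/hints/freebsd, which has nothing to do with the buffer overrun fix, and here too the +++ side is the older file (Apr 1 2000 against Apr 29 2000). If the distribution still installs those two files, removing them from the plist leaves them behind on deinstall. Drop this hunk from the security patch, or regenerate it against the current pkg-plist and say why the entries go away.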