From owner-freebsd-ports  Thu Apr  5 10:50:15 2001
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id E91B737B496
	for <freebsd-ports@hub.freebsd.org>; Thu,  5 Apr 2001 10:50:04 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f35Ho4c71044;
	Thu, 5 Apr 2001 10:50:04 -0700 (PDT)
	(envelope-from gnats)
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id F3EB437B43C
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 Apr 2001 10:44:16 -0700 (PDT)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA02216
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 5 Apr 2001 10:44:16 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda02212; Thu Apr  5 10:44:08 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f35Hi3742985
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 5 Apr 2001 10:44:03 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdv42983; Thu Apr  5 10:43:23 2001
Received: (from cy@localhost)
	by cwsys.cwsent.com (8.11.3/8.9.1) id f35HhLe30358;
	Thu, 5 Apr 2001 10:43:21 -0700 (PDT)
Message-Id: <200104051743.f35HhLe30358@cwsys.cwsent.com>
Date: Thu, 5 Apr 2001 10:43:21 -0700 (PDT)
From: Cy.Schubert@uumail.gov.bc.ca
Reply-To: Cy.Schubert@uumail.gov.bc.ca
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: ports/26369: (SECURITY) NTPD Remotely Exploitable Buffer Overrun
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         26369
>Category:       ports
>Synopsis:       NTPD Buffer Overrun
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 05 10:50:03 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        FreeBSD 4.3-RC i386
>Organization:
ITSD Open Systems Group, Government of British Columbia
>Environment:
System: FreeBSD cwsys 4.3-RC FreeBSD 4.3-RC #0: Tue Apr 3 16:56:41 PDT 2001 root@cwsys:/export/obj/opt/cvs-430b/src/sys/CWSYS i386


>Description:
Ntpd <= 4.0.99k (currently latest release) has a buffer overrun condition.
>How-To-Repeat:
See BUGTRAQ archives for details.
>Fix:

diff -urPN --exclude=CVS --exclude=00_TRANS.TBL /home/src/cvs-ports/ports/net/ntp/Makefile /usr/local/ports-local/ntp-010404/Makefile
--- /home/src/cvs-ports/ports/net/ntp/Makefile	Thu Mar 29 04:03:56 2001
+++ /usr/local/ports-local/ntp-010404/Makefile	Sat Nov 18 17:25:21 2000
@@ -1,8 +1,9 @@
 # New ports collection makefile for:	ntp
+# Version required:	4.0.99g
 # Date created:		Di   5 Mai 1998 21:31:03 CEST
 # Whom:			andreas
 #
-# $FreeBSD: ports/net/ntp/Makefile,v 1.16 2001/03/29 12:03:56 sf Exp $
+# $FreeBSD: ports/net/ntp/Makefile,v 1.11 2000/04/01 04:27:57 mharo Exp $
 #
 
 PORTNAME=	ntp
diff -urPN --exclude=CVS --exclude=00_TRANS.TBL /home/src/cvs-ports/ports/net/ntp/files/patch-sec1 /usr/local/ports-local/ntp-010404/files/patch-sec1
--- /home/src/cvs-ports/ports/net/ntp/files/patch-sec1	Wed Dec 31 16:00:00 1969
+++ /usr/local/ports-local/ntp-010404/files/patch-sec1	Wed Apr  4 17:22:18 2001
@@ -0,0 +1,25 @@
+--- ntpd/ntp_control.c.orig	Sat Jul 15 07:46:05 2000
++++ ntpd/ntp_control.c	Wed Apr  4 17:12:50 2001
+@@ -1822,8 +1822,21 @@
+ 					    isspace((int)*cp))
+ 						cp++;
+ 					while (cp < reqend && *cp !=
+-					    ',')
++					    ',') {
+ 						*tp++ = *cp++;
++						if (tp > buf + sizeof(buf)) {
++							 msyslog(LOG_WARNING, "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n", 
++								(ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
++								(ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
++								(ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
++								(ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
++								ntohs(rmt_addr->sin_port)
++							);
++
++							return (0);
++						}
++					}
++
+ 					if (cp < reqend)
+ 						cp++;
+ 					*tp = '\0';
diff -urPN --exclude=CVS --exclude=00_TRANS.TBL /home/src/cvs-ports/ports/net/ntp/pkg-plist /usr/local/ports-local/ntp-010404/pkg-plist
--- /home/src/cvs-ports/ports/net/ntp/pkg-plist	Sat Apr 29 16:55:43 2000
+++ /usr/local/ports-local/ntp-010404/pkg-plist	Sat Apr  1 04:16:45 2000
@@ -51,14 +51,12 @@
 share/doc/ntp/exec.htm
 share/doc/ntp/extern.htm
 share/doc/ntp/gadget.htm
-share/doc/ntp/genkeys.htm
 share/doc/ntp/hints/a-ux
 share/doc/ntp/hints/aix
 share/doc/ntp/hints/bsdi
 share/doc/ntp/hints/changes
 share/doc/ntp/hints/decosf1
 share/doc/ntp/hints/decosf2
-share/doc/ntp/hints/freebsd
 share/doc/ntp/hints/hpux
 share/doc/ntp/hints/linux
 share/doc/ntp/hints/notes-xntp-v3

I see this port has no maintainer.  I'm willing to maintain this port
for FreeBSD.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message