Debian Bug report logs - #525373
ntp: multiple security issues

version graph

Package: ntp; Maintainer for ntp is Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>; Source for ntp is src:ntp.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 24 Apr 2009 03:19:31 UTC

Severity: grave

Tags: patch, security

Fixed in version ntp/1:4.2.4p6+dfsg-2

Done: Peter Eisentraut <petere@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#525373; Package ntp. (Fri, 24 Apr 2009 03:19:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Fri, 24 Apr 2009 03:19:46 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-0159: buffer overflow in ntpq
Date: Fri, 24 Apr 2009 13:15:53 +1000
Package: ntp
Severity: important
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntp.

CVE-2009-0159[0]:
| Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c
| in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute
| arbitrary code via a crafted response.

The upstream bug together with the patch can be found here[1]. The issue
can only be exploited by querying a malicious server and even then the
overflow is fairly limited.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
    http://security-tracker.debian.net/tracker/CVE-2009-0159
[1] https://support.ntp.org/bugs/show_bug.cgi?id=1144




Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#525373; Package ntp. (Fri, 24 Apr 2009 07:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Eisentraut <petere@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Fri, 24 Apr 2009 07:06:02 GMT) Full text and rfc822 format available.

Message #10 received at 525373@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <petere@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 525373@bugs.debian.org
Subject: Re: [pkg-ntp-maintainers] Bug#525373: CVE-2009-0159: buffer overflow in ntpq
Date: Fri, 24 Apr 2009 10:03:02 +0300
On Friday 24 April 2009 06:15:53 Steffen Joeris wrote:
> CVE-2009-0159[0]:
> | Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c
> | in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute
> | arbitrary code via a crafted response.
>
> The upstream bug together with the patch can be found here[1]. The issue
> can only be exploited by querying a malicious server and even then the
> overflow is fairly limited.

For unstable, I suggest that we wait for the p7 upstream release, which 
appears to be not far away.  For stable and oldstable we need to do the 
security dance.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#525373; Package ntp. (Fri, 05 Jun 2009 18:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Fri, 05 Jun 2009 18:39:05 GMT) Full text and rfc822 format available.

Message #15 received at 525373@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 525373@bugs.debian.org
Subject: also CVE-2009-1252: remote arbitrary code execution in ntpd
Date: Fri, 5 Jun 2009 20:37:34 +0200
retitle 525373 ntp: multiple security issues
severity 525373 grave
thanks

CVE-2009-1252:
Stack-based buffer overflow in the crypto_recv function in 
ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, 
when OpenSSL and autokey are enabled, allows remote attackers to 
execute arbitrary code via a crafted packet containing an extension 
field.






Changed Bug title to `ntp: multiple security issues' from `CVE-2009-0159: buffer overflow in ntpq'. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Sat, 06 Jun 2009 07:36:04 GMT) Full text and rfc822 format available.

Severity set to `grave' from `important' Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Sat, 06 Jun 2009 07:36:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#525373; Package ntp. (Thu, 11 Jun 2009 13:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Thu, 11 Jun 2009 13:42:04 GMT) Full text and rfc822 format available.

Message #24 received at 525373@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 525373@bugs.debian.org
Subject: security fix
Date: Thu, 11 Jun 2009 15:39:22 +0200
Hi,

is an upload expected soon? If not, I will NMU when I have time.

Cheers,
Stefan




Tags added: pending Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2009 07:36:03 GMT) Full text and rfc822 format available.

Reply sent to Peter Eisentraut <petere@debian.org>:
You have taken responsibility. (Fri, 12 Jun 2009 15:55:53 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Fri, 12 Jun 2009 15:56:17 GMT) Full text and rfc822 format available.

Message #31 received at 525373-close@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <petere@debian.org>
To: 525373-close@bugs.debian.org
Subject: Bug#525373: fixed in ntp 1:4.2.4p6+dfsg-2
Date: Fri, 12 Jun 2009 15:33:00 +0000
Source: ntp
Source-Version: 1:4.2.4p6+dfsg-2

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive:

ntp-doc_4.2.4p6+dfsg-2_all.deb
  to pool/main/n/ntp/ntp-doc_4.2.4p6+dfsg-2_all.deb
ntp_4.2.4p6+dfsg-2.diff.gz
  to pool/main/n/ntp/ntp_4.2.4p6+dfsg-2.diff.gz
ntp_4.2.4p6+dfsg-2.dsc
  to pool/main/n/ntp/ntp_4.2.4p6+dfsg-2.dsc
ntp_4.2.4p6+dfsg-2_i386.deb
  to pool/main/n/ntp/ntp_4.2.4p6+dfsg-2_i386.deb
ntpdate_4.2.4p6+dfsg-2_i386.deb
  to pool/main/n/ntp/ntpdate_4.2.4p6+dfsg-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 525373@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <petere@debian.org> (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 12 Jun 2009 17:24:22 +0300
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source all i386
Version: 1:4.2.4p6+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
Changed-By: Peter Eisentraut <petere@debian.org>
Description: 
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Closes: 524035 525373 525373 526086
Changes: 
 ntp (1:4.2.4p6+dfsg-2) unstable; urgency=medium
 .
   * Fixed typo in ntpdate man page (closes: #526086)
   * Updated standards version
   * Moved .dhcp version of configuration files to /var/lib/ntp and
     /var/lib/ntpdate (closes: #524035)
   * Cleaned up man pages to satisfy lintian's hyphen-used-as-minus-sign
     complaint
   * Fixed limited buffer overflow in ntpq (CVE-2009-0159) (closes: #525373)
   * Fixed stack buffer overflow in ntpd (CVE-2009-1252) (closes: #525373)
   * Use new status_of_proc function to report status in ntp init script
   * Updated the config.guess/sub handling as recommended by autotools-dev to
     not clutter the diff, added autotools-dev to build dependencies
Checksums-Sha1: 
 fef3ca75d0c840934237347bc5cd9bbfc1d5c4e6 1451 ntp_4.2.4p6+dfsg-2.dsc
 c8a04b1085d921acc6df2f0650a291529b7afc1f 332372 ntp_4.2.4p6+dfsg-2.diff.gz
 f8336f3b66ab42f07d4e896914703e1f4bdb8672 925866 ntp-doc_4.2.4p6+dfsg-2_all.deb
 6231792e33463fd8ee9d36108d69c3c4f94964d5 431464 ntp_4.2.4p6+dfsg-2_i386.deb
 58339a137c89a881b1b62673671ee8afb9b8d504 60198 ntpdate_4.2.4p6+dfsg-2_i386.deb
Checksums-Sha256: 
 afe6252b6a414e1a2b8b1a3f6f765944a49d1ae7647cfa00699ca9baf2131747 1451 ntp_4.2.4p6+dfsg-2.dsc
 5890047cd5520ae93ff0e2fcc5a49d6bdce8980d501b71c7dc212daf2e10f00c 332372 ntp_4.2.4p6+dfsg-2.diff.gz
 3a48df53132cbce85f29bb56c9dad686b523966de9b56b377e2c32138562a817 925866 ntp-doc_4.2.4p6+dfsg-2_all.deb
 2eb8dfea7a8cf914c4abed50a76d4c5d75a9e87c38d2eb66da5aab22daef09b0 431464 ntp_4.2.4p6+dfsg-2_i386.deb
 ba46b7945cf8f9eb9467f2230d6b5c895e923c10ae59a5d504ca135bc1749b56 60198 ntpdate_4.2.4p6+dfsg-2_i386.deb
Files: 
 0f7fcfeaddb0cae72345a4cd13d34eb1 1451 net optional ntp_4.2.4p6+dfsg-2.dsc
 aa313cacbe56c3772e577ebe4fd88df8 332372 net optional ntp_4.2.4p6+dfsg-2.diff.gz
 f7dba9542286af149e439028b13fdd47 925866 doc optional ntp-doc_4.2.4p6+dfsg-2_all.deb
 47cc18ef4027f63f47258f15c681e98c 431464 net optional ntp_4.2.4p6+dfsg-2_i386.deb
 cca431ded14df4a7383da5ff40842ac0 60198 net optional ntpdate_4.2.4p6+dfsg-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoyZgEACgkQTTx8oVVPtMb8QQCgujD+TFruchkwKBWkOHhAvxCz
4tkAoK9e9/GVy2E3iuoql0hU1C8AKZJz
=XNYo
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:36:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:29:25 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.