~ubuntu-branches/ubuntu/lucid/ntp/lucid-updates

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2014-9298.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-02-06 09:32:14 UTC
  • mfrom: (39.1.2 lucid-security)
  • Revision ID: package-import@ubuntu.com-20150206093214-a003rn8voc3uzmca
Tags: 1:4.2.4p8+dfsg-1ubuntu2.3
* SECURITY UPDATE: denial of service and possible info leakage via
  extension fields
  - debian/patches/CVE-2014-9297.patch: properly check lengths in
    ntpd/ntp_crypto.c, ntpd/ntp_proto.c.
  - CVE-2014-9297
* SECURITY UPDATE: IPv6 ACL bypass
  - debian/patches/CVE-2014-9298.patch: check for spoofed ::1 in
    ntpd/ntp_io.c.
  - CVE-2014-9298

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
Description: fix IPv6 ACL bypass
 
2
Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54922b65gDSbE4G7c3JjkuK1Tv33qQ
 
3
Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5492d2879rotbnnuVch_ZC3RAfS8AA
 
4
Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5493f333hALqPcXLR4-76bC6j-16xQ
 
5
Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5496213frLaEz5PHLZVhuYjM7Lalkw
 
6
Origin: backport, http://bk1.ntp.org/ntp-stable/ntpd/ntp_io.c?PAGE=diffs&REV=54a0f621LdfQSkkWKUKN6PaFbH25_Q
 
7
Origin: backport, http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=54c2228bpOp4_zrX9aGXdMEZJEGzkg
 
8
Bug: http://bugs.ntp.org/show_bug.cgi?id=2672
 
9
 
 
10
Index: ntp-4.2.4p8+dfsg/ntpd/ntp_io.c
 
11
===================================================================
 
12
--- ntp-4.2.4p8+dfsg.orig/ntpd/ntp_io.c 2015-02-06 10:48:44.561593712 -0500
 
13
+++ ntp-4.2.4p8+dfsg/ntpd/ntp_io.c      2015-02-06 11:15:25.106346591 -0500
 
14
@@ -3021,6 +3021,29 @@
 
15
 #endif
 
16
 
 
17
        /*
 
18
+       ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
 
19
+       */
 
20
+
 
21
+       if (AF_INET6 == itf->family) {
 
22
+               DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
 
23
+                       stoa(&rb->recv_srcadr),
 
24
+                       IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr),
 
25
+                       stoa(&itf->sin),
 
26
+                       !IN6_IS_ADDR_LOOPBACK(&itf->sin)
 
27
+                       ));
 
28
+
 
29
+               if (   IN6_IS_ADDR_LOOPBACK(&rb->recv_srcadr)
 
30
+                   && !IN6_IS_ADDR_LOOPBACK(&itf->sin)
 
31
+                  ) {
 
32
+                       packets_dropped++;
 
33
+                       DPRINTF(2, ("DROPPING that packet\n"));
 
34
+                       freerecvbuf(rb);
 
35
+                       return buflen;
 
36
+               }
 
37
+               DPRINTF(2, ("processing that packet\n"));
 
38
+       }
 
39
+
 
40
+       /*
 
41
         * Got one.  Mark how and when it got here,
 
42
         * put it on the full list and do bookkeeping.
 
43
         */