~ubuntu-branches/ubuntu/maverick/ntp/maverick-proposed

Viewing changes to debian/patches/CVE-2009-1252.patch

Committer: Bazaar Package Importer
Author(s): Jamie Strandboge
Date: 2009-05-19 15:26:41 UTC
Revision ID: james.westby@ubuntu.com-20090519152641-ctb02x7tfqv5e9a8

Tags: 1:4.2.4p6+dfsg-1ubuntu2

* SECURITY UPDATE: stack overflow in ntpd when autokey is enabled
  - debian/patches/CVE-2009-1252.patch: update ntpd/ntp_crypto.c to use
    snprintf() with NTP_MAXSTRLEN when writing to statstr. Also defensively
    adjust ntp_peer.c and ntp_timer.c to do the same.
  - CVE-2009-1252
* SECURITY UPDATE: stack overflow in ntpq when contacting malicious ntp
  server
  - debian/patches/CVE-2009-0159.patch: increase size of buffer in
    cookedprint() in ntpq/ntpq.c and adjust to use snprintf()
  - CVE-2009-0159

files added:
debian/patches/CVE-2009-0159.patch

debian/patches/CVE-2009-1252.patch

files modified:
debian/changelog

debian/patches/series

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2009-1252.patch

# Description: Remote exploit if autokey is enabled. CVE-2009-1252

diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_crypto.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_crypto.c

--- ntp-4.2.4p6+dfsg/ntpd/ntp_crypto.c 2009-01-08 03:04:31.000000000 -0600

+++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_crypto.c 2009-05-13 11:33:08.000000000 -0500

@@ -570,7 +570,7 @@

peer->issuer = emalloc(vallen + 1);

strcpy(peer->issuer, peer->subject);

temp32 = (fstamp >> 16) & 0xffff;

- sprintf(statstr,

+ snprintf(statstr, NTP_MAXSTRLEN,

"flags 0x%x host %s signature %s", fstamp,

peer->subject, OBJ_nid2ln(temp32));

record_crypto_stats(&peer->srcadr, statstr);

@@ -636,7 +636,7 @@

}

peer->flash &= ~TEST8;

temp32 = cinfo->nid;

- sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "cert %s 0x%x %s (%u) fs %u",

cinfo->subject, cinfo->flags,

OBJ_nid2ln(temp32), temp32,

ntohl(ep->fstamp));

@@ -685,7 +685,7 @@

peer->crypto |= CRYPTO_FLAG_VRFY |

CRYPTO_FLAG_PROV;

peer->flash &= ~TEST8;

- sprintf(statstr, "iff fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",

ntohl(ep->fstamp));

record_crypto_stats(&peer->srcadr, statstr);

#ifdef DEBUG

@@ -733,7 +733,7 @@

peer->crypto |= CRYPTO_FLAG_VRFY |

CRYPTO_FLAG_PROV;

peer->flash &= ~TEST8;

- sprintf(statstr, "gq fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",

ntohl(ep->fstamp));

record_crypto_stats(&peer->srcadr, statstr);

#ifdef DEBUG

@@ -774,7 +774,7 @@

peer->crypto |= CRYPTO_FLAG_VRFY |

CRYPTO_FLAG_PROV;

peer->flash &= ~TEST8;

- sprintf(statstr, "mv fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",

ntohl(ep->fstamp));

record_crypto_stats(&peer->srcadr, statstr);

#ifdef DEBUG

@@ -828,7 +828,7 @@

peer->crypto &= ~CRYPTO_FLAG_AUTO;

peer->crypto |= CRYPTO_FLAG_AGREE;

peer->flash &= ~TEST8;

- sprintf(statstr, "cook %x ts %u fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",

peer->pcookie, ntohl(ep->tstamp),

ntohl(ep->fstamp));

record_crypto_stats(&peer->srcadr, statstr);

@@ -893,7 +893,7 @@

peer->crypto &= ~CRYPTO_FLAG_AUTO;

peer->crypto |= CRYPTO_FLAG_AGREE;

peer->flash &= ~TEST8;

- sprintf(statstr, "cook %x ts %u fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",

peer->pcookie, ntohl(ep->tstamp),

ntohl(ep->fstamp));

record_crypto_stats(&peer->srcadr, statstr);

@@ -944,7 +944,7 @@

peer->pkeyid = bp->key;

peer->crypto |= CRYPTO_FLAG_AUTO;

peer->flash &= ~TEST8;

- sprintf(statstr,

+ snprintf(statstr, NTP_MAXSTRLEN,

"auto seq %d key %x ts %u fs %u", bp->seq,

bp->key, ntohl(ep->tstamp),

ntohl(ep->fstamp));

@@ -987,7 +987,7 @@

peer->crypto |= CRYPTO_FLAG_SIGN;

peer->flash &= ~TEST8;

temp32 = cinfo->nid;

- sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",

+ snprintf(statstr, NTP_MAXSTRLEN, "sign %s 0x%x %s (%u) fs %u",

cinfo->issuer, cinfo->flags,

OBJ_nid2ln(temp32), temp32,

ntohl(ep->fstamp));

@@ -1071,7 +1071,7 @@

crypto_flags |= CRYPTO_FLAG_TAI;

peer->crypto |= CRYPTO_FLAG_LEAP;

peer->flash &= ~TEST8;

- sprintf(statstr, "leap %u ts %u fs %u", vallen,

+ snprintf(statstr, NTP_MAXSTRLEN, "leap %u ts %u fs %u", vallen,

ntohl(ep->tstamp), ntohl(ep->fstamp));

record_crypto_stats(&peer->srcadr, statstr);

#ifdef DEBUG

@@ -1127,7 +1127,7 @@

* cheerfully ignored, as the message is not sent.

100

if (rval > XEVNT_TSP) {

101

- sprintf(statstr,

102

+ snprintf(statstr, NTP_MAXSTRLEN,

103

"error %x opcode %x ts %u fs %u", rval,

104

code, tstamp, fstamp);

105

record_crypto_stats(&peer->srcadr, statstr);

106

@@ -1453,7 +1453,7 @@

107

108

if (rval != XEVNT_OK) {

109

opcode |= CRYPTO_ERROR;

110

- sprintf(statstr, "error %x opcode %x", rval, opcode);

111

+ snprintf(statstr, NTP_MAXSTRLEN, "error %x opcode %x", rval, opcode);

112

record_crypto_stats(srcadr_sin, statstr);

113

report_event(rval, NULL);

114

#ifdef DEBUG

115

@@ -1952,7 +1952,7 @@

116

if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))

117

tai_leap.siglen = htonl(len);

118

}

119

- sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));

120

+ snprintf(statstr, NTP_MAXSTRLEN, "update ts %u", ntohl(hostval.tstamp));

121

record_crypto_stats(NULL, statstr);

122

#ifdef DEBUG

123

if (debug)

124

@@ -3606,7 +3606,7 @@

125

126

if ((ptr = strrchr(linkname, '\n')) != NULL)

127

*ptr = '\0';

128

- sprintf(statstr, "%s mod %d", &linkname[2],

129

+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],

130

EVP_PKEY_size(pkey) * 8);

131

record_crypto_stats(NULL, statstr);

132

#ifdef DEBUG

133

@@ -3715,7 +3715,7 @@

134

135

if ((ptr = strrchr(linkname, '\n')) != NULL)

136

*ptr = '\0';

137

- sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,

138

+ snprintf(statstr, NTP_MAXSTRLEN, "%s 0x%x len %lu", &linkname[2], ret->flags,

139

len);

140

record_crypto_stats(NULL, statstr);

141

#ifdef DEBUG

142

@@ -3832,7 +3832,7 @@

143

for (j = 0; j < i; j++)

144

*ptr++ = htonl(leapsec[j]);

145

crypto_flags |= CRYPTO_FLAG_TAI;

146

- sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp,

147

+ snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,

148

leapsec[--j], len);

149

record_crypto_stats(NULL, statstr);

150

#ifdef DEBUG

151

diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_peer.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_peer.c

152

--- ntp-4.2.4p6+dfsg/ntpd/ntp_peer.c 2008-08-10 06:02:40.000000000 -0500

153

+++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_peer.c 2009-05-13 11:34:51.000000000 -0500

154

@@ -333,7 +333,7 @@

155

char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */

156

157

if (peer_to_remove->flags & FLAG_SKEY) {

158

- sprintf(statstr, "unpeer %d flash %x reach %03o flags %04x",

159

+ snprintf(statstr, NTP_MAXSTRLEN, "unpeer %d flash %x reach %03o flags %04x",

160

peer_to_remove->associd, peer_to_remove->flash,

161

peer_to_remove->reach, peer_to_remove->flags);

162

record_crypto_stats(&peer_to_remove->srcadr, statstr);

163

@@ -862,7 +862,7 @@

164

165

#ifdef OPENSSL

166

if (peer->flags & FLAG_SKEY) {

167

- sprintf(statstr, "newpeer %d", peer->associd);

168

+ snprintf(statstr, NTP_MAXSTRLEN, "newpeer %d", peer->associd);

169

record_crypto_stats(&peer->srcadr, statstr);

170

DPRINTF(1, ("peer: %s\n", statstr));

171

}

172

diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_timer.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_timer.c

173

--- ntp-4.2.4p6+dfsg/ntpd/ntp_timer.c 2006-12-28 06:03:34.000000000 -0600

174

+++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_timer.c 2009-05-13 11:35:23.000000000 -0500

175

@@ -330,7 +330,7 @@

176

if (revoke_timer <= current_time) {

177

revoke_timer += RANDPOLL(sys_revoke);

178

expire_all();

179

- sprintf(statstr, "refresh ts %u", ntohl(hostval.tstamp));

180

+ snprintf(statstr, NTP_MAXSTRLEN, "refresh ts %u", ntohl(hostval.tstamp));

181

record_crypto_stats(NULL, statstr);

182

#ifdef DEBUG

183

if (debug)

Older »