# Description: Remotely exploitable if autokey is enabled. CVE-2009-1252
diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_crypto.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_crypto.c
5
--- ntp-4.2.4p6+dfsg/ntpd/ntp_crypto.c 2009-01-08 03:04:31.000000000 -0600
6
+++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_crypto.c 2009-05-13 11:33:08.000000000 -0500
8
peer->issuer = emalloc(vallen + 1);
9
strcpy(peer->issuer, peer->subject);
10
temp32 = (fstamp >> 16) & 0xffff;
12
+ snprintf(statstr, NTP_MAXSTRLEN,
13
"flags 0x%x host %s signature %s", fstamp,
14
peer->subject, OBJ_nid2ln(temp32));
15
record_crypto_stats(&peer->srcadr, statstr);
18
peer->flash &= ~TEST8;
20
- sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
21
+ snprintf(statstr, NTP_MAXSTRLEN, "cert %s 0x%x %s (%u) fs %u",
22
cinfo->subject, cinfo->flags,
23
OBJ_nid2ln(temp32), temp32,
26
peer->crypto |= CRYPTO_FLAG_VRFY |
28
peer->flash &= ~TEST8;
29
- sprintf(statstr, "iff fs %u",
30
+ snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
32
record_crypto_stats(&peer->srcadr, statstr);
35
peer->crypto |= CRYPTO_FLAG_VRFY |
37
peer->flash &= ~TEST8;
38
- sprintf(statstr, "gq fs %u",
39
+ snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
41
record_crypto_stats(&peer->srcadr, statstr);
44
peer->crypto |= CRYPTO_FLAG_VRFY |
46
peer->flash &= ~TEST8;
47
- sprintf(statstr, "mv fs %u",
48
+ snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
50
record_crypto_stats(&peer->srcadr, statstr);
53
peer->crypto &= ~CRYPTO_FLAG_AUTO;
54
peer->crypto |= CRYPTO_FLAG_AGREE;
55
peer->flash &= ~TEST8;
56
- sprintf(statstr, "cook %x ts %u fs %u",
57
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
58
peer->pcookie, ntohl(ep->tstamp),
60
record_crypto_stats(&peer->srcadr, statstr);
62
peer->crypto &= ~CRYPTO_FLAG_AUTO;
63
peer->crypto |= CRYPTO_FLAG_AGREE;
64
peer->flash &= ~TEST8;
65
- sprintf(statstr, "cook %x ts %u fs %u",
66
+ snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
67
peer->pcookie, ntohl(ep->tstamp),
69
record_crypto_stats(&peer->srcadr, statstr);
71
peer->pkeyid = bp->key;
72
peer->crypto |= CRYPTO_FLAG_AUTO;
73
peer->flash &= ~TEST8;
75
+ snprintf(statstr, NTP_MAXSTRLEN,
76
"auto seq %d key %x ts %u fs %u", bp->seq,
77
bp->key, ntohl(ep->tstamp),
80
peer->crypto |= CRYPTO_FLAG_SIGN;
81
peer->flash &= ~TEST8;
83
- sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
84
+ snprintf(statstr, NTP_MAXSTRLEN, "sign %s 0x%x %s (%u) fs %u",
85
cinfo->issuer, cinfo->flags,
86
OBJ_nid2ln(temp32), temp32,
89
crypto_flags |= CRYPTO_FLAG_TAI;
90
peer->crypto |= CRYPTO_FLAG_LEAP;
91
peer->flash &= ~TEST8;
92
- sprintf(statstr, "leap %u ts %u fs %u", vallen,
93
+ snprintf(statstr, NTP_MAXSTRLEN, "leap %u ts %u fs %u", vallen,
94
ntohl(ep->tstamp), ntohl(ep->fstamp));
95
record_crypto_stats(&peer->srcadr, statstr);
98
* cheerfully ignored, as the message is not sent.
100
if (rval > XEVNT_TSP) {
102
+ snprintf(statstr, NTP_MAXSTRLEN,
103
"error %x opcode %x ts %u fs %u", rval,
104
code, tstamp, fstamp);
105
record_crypto_stats(&peer->srcadr, statstr);
106
@@ -1453,7 +1453,7 @@
108
if (rval != XEVNT_OK) {
109
opcode |= CRYPTO_ERROR;
110
- sprintf(statstr, "error %x opcode %x", rval, opcode);
111
+ snprintf(statstr, NTP_MAXSTRLEN, "error %x opcode %x", rval, opcode);
112
record_crypto_stats(srcadr_sin, statstr);
113
report_event(rval, NULL);
115
@@ -1952,7 +1952,7 @@
116
if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
117
tai_leap.siglen = htonl(len);
119
- sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
120
+ snprintf(statstr, NTP_MAXSTRLEN, "update ts %u", ntohl(hostval.tstamp));
121
record_crypto_stats(NULL, statstr);
124
@@ -3606,7 +3606,7 @@
126
if ((ptr = strrchr(linkname, '\n')) != NULL)
128
- sprintf(statstr, "%s mod %d", &linkname[2],
129
+ snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
130
EVP_PKEY_size(pkey) * 8);
131
record_crypto_stats(NULL, statstr);
133
@@ -3715,7 +3715,7 @@
135
if ((ptr = strrchr(linkname, '\n')) != NULL)
137
- sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
138
+ snprintf(statstr, NTP_MAXSTRLEN, "%s 0x%x len %lu", &linkname[2], ret->flags,
140
record_crypto_stats(NULL, statstr);
142
@@ -3832,7 +3832,7 @@
143
for (j = 0; j < i; j++)
144
*ptr++ = htonl(leapsec[j]);
145
crypto_flags |= CRYPTO_FLAG_TAI;
146
- sprintf(statstr, "%s fs %u leap %u len %u", cp, fstamp,
147
+ snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,
149
record_crypto_stats(NULL, statstr);
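Review bot: The `%s` conversions fed by `OBJ_nid2ln(temp32)` in the `flags 0x%x host %s signature %s`, `cert %s 0x%x %s (%u) fs %u` and `sign %s 0x%x %s (%u) fs %u` formats can receive a null pointer: temp32 is `(fstamp >> 16) & 0xffff`, where fstamp appears to be taken from the received extension field, and OBJ_nid2ln() returns NULL for an NID it does not know, so passing it to `%s` is undefined behaviour that the bounded snprintf does not remove. A guard before each of those calls, `const char *nid_name = OBJ_nid2ln(temp32); if (nid_name == NULL) nid_name = "unknown";`, and formatting `nid_name` instead would make the stats line well-defined for any fstamp value. None of the snprintf return values is checked, so an over-long subject or issuer is silently truncated; that is tolerable for a stats record but deserves a comment such as `/* truncation is acceptable: statstr is only logged */` at the first call. The enclosing functions start and end outside the hunks shown.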
151
diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_peer.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_peer.c
152
--- ntp-4.2.4p6+dfsg/ntpd/ntp_peer.c 2008-08-10 06:02:40.000000000 -0500
153
+++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_peer.c 2009-05-13 11:34:51.000000000 -0500
155
char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
157
if (peer_to_remove->flags & FLAG_SKEY) {
158
- sprintf(statstr, "unpeer %d flash %x reach %03o flags %04x",
159
+ snprintf(statstr, NTP_MAXSTRLEN, "unpeer %d flash %x reach %03o flags %04x",
160
peer_to_remove->associd, peer_to_remove->flash,
161
peer_to_remove->reach, peer_to_remove->flags);
162
record_crypto_stats(&peer_to_remove->srcadr, statstr);
166
if (peer->flags & FLAG_SKEY) {
167
- sprintf(statstr, "newpeer %d", peer->associd);
168
+ snprintf(statstr, NTP_MAXSTRLEN, "newpeer %d", peer->associd);
169
record_crypto_stats(&peer->srcadr, statstr);
170
DPRINTF(1, ("peer: %s\n", statstr));
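Review bot: The bound passed to snprintf repeats the literal `NTP_MAXSTRLEN` even though the destination is declared in the same function as `char statstr[NTP_MAXSTRLEN]`; using `sizeof statstr` keeps the bound tied to the declaration if the array size ever changes, e.g. `snprintf(statstr, sizeof statstr, "unpeer %d flash %x reach %03o flags %04x",` and `snprintf(statstr, sizeof statstr, "newpeer %d", peer->associd);`. The same remark applies to every replacement in ntp_crypto.c and ntp_timer.c, where the array's declaration is not visible in the hunks. Both enclosing functions here start and end outside the hunks shown.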
172
diff -Nur ntp-4.2.4p6+dfsg/ntpd/ntp_timer.c ntp-4.2.4p6+dfsg.new/ntpd/ntp_timer.c
173
--- ntp-4.2.4p6+dfsg/ntpd/ntp_timer.c 2006-12-28 06:03:34.000000000 -0600
174
+++ ntp-4.2.4p6+dfsg.new/ntpd/ntp_timer.c 2009-05-13 11:35:23.000000000 -0500
176
if (revoke_timer <= current_time) {
177
revoke_timer += RANDPOLL(sys_revoke);
179
- sprintf(statstr, "refresh ts %u", ntohl(hostval.tstamp));
180
+ snprintf(statstr, NTP_MAXSTRLEN, "refresh ts %u", ntohl(hostval.tstamp));
181
record_crypto_stats(NULL, statstr);