[oe] [meta-networking][dizzy][PATCH] ntp: fix several security issues

Armin Kuster akuster808 at gmail.com
Sun Dec 28 16:45:57 UTC 2014


* CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296.
  For more details please see:
  https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A

Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../ntp/files/ntp-4.2.6p5-cve-2014-9293.patch      |  43 +++++++
 .../ntp/files/ntp-4.2.6p5-cve-2014-9294.patch      | 128 +++++++++++++++++++++
 .../ntp/files/ntp-4.2.6p5-cve-2014-9295.patch      | 113 ++++++++++++++++++
 .../ntp/files/ntp-4.2.6p5-cve-2014-9296.patch      |  21 ++++
 .../ntp/files/ntp-keygen_no_openssl.patch          | 108 +++++++++++++++++
 meta-networking/recipes-support/ntp/ntp.inc        |  16 ++-
 6 files changed, 426 insertions(+), 3 deletions(-)
 create mode 100644 meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
 create mode 100644 meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
 create mode 100644 meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
 create mode 100644 meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
 create mode 100644 meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch

diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
new file mode 100644
index 0000000..667b705
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
@@ -0,0 +1,43 @@
+CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808 at gmail.com>
+
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntp_config.c	2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+ 		req_hashlen = digest_len;
+ #endif
+ 	} else {
+-		int	rankey;
++		unsigned char rankey[16];
++
++		if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
++			msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++			exit(1);
++		}
+ 
+-		rankey = ntp_random();
+ 		req_keytype = NID_md5;
+ 		req_hashlen = 16;
+-		MD5auth_setkey(req_keyid, req_keytype,
+-		    (u_char *)&rankey, sizeof(rankey));
++		MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+ 		authtrust(req_keyid, 1);
+ 	}
+ 
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c	2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntpd.c	2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+ 	get_systime(&now);
+ 
+ 	ntp_srandom((int)(now.l_i * now.l_uf));
++	ntp_crypto_srandom();
+ 
+ #if !defined(VMS)
+ # ifndef NODETACH
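Review bot: The header of this new patch file carries no upstream ChangeSet or bug reference, whereas the 9295 and 9296 patch files in the same series quote the ntp.org changeset lines and their [Sec NNNN] ids, so this backport cannot be traced to its origin without a search; adding the same kind of reference line under Upstream-Status would keep the five files consistent. In the config_auth() change a failure of ntp_crypto_random_buf() is logged only as `ntp_crypto_random_buf() failed.` before exit(1), with no indication of what the operator should do, and the OpenSSL path of that helper (in the 9294 patch) discards its own error string, so nothing about the cause reaches the log; `msyslog(LOG_ERR, "ntp_crypto_random_buf() failed; refusing to generate a default key.");` would at least make the consequence clear. config_auth()'s body starts and ends outside the hunk.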
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
new file mode 100644
index 0000000..67e532b
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
@@ -0,0 +1,128 @@
+CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808 at gmail.com>
+
+Index: ntp-4.2.6p5/include/ntp_random.h
+===================================================================
+--- ntp-4.2.6p5.orig/include/ntp_random.h
++++ ntp-4.2.6p5/include/ntp_random.h
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
++void ntp_crypto_srandom(void);
++int ntp_crypto_random_buf(void *buf, size_t nbytes);
++
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
++++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -481,3 +481,74 @@ ntp_random( void )
+ 	}
+ 	return(i);
+ }
++
++/*
++ * Crypto-quality random number functions
++ *
++ * Author: Harlan Stenn, 2014
++ *
++ * This file is Copyright (c) 2014 by Network Time Foundation.
++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
++ */
++
++#ifdef OPENSSL
++#include <openssl/err.h>
++#include <openssl/rand.h>
++
++int crypto_rand_init = 0;
++#endif
++
++/*
++ * ntp_crypto_srandom:
++ *
++ * Initialize the random number generator, if needed by the underlying
++ * crypto random number generation mechanism.
++ */
++
++void
++ntp_crypto_srandom(
++	void
++	)
++{
++#ifdef OPENSSL
++	if (!crypto_rand_init) {
++		RAND_poll();
++		crypto_rand_init = 1;
++	}
++#else
++   /* No initialization needed for arc4random() */
++#endif
++}
++
++/*
++ * ntp_crypto_random_buf:
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++ntp_crypto_random_buf(
++	void *buf,
++	size_t nbytes
++	)
++{
++#ifdef OPENSSL
++	int rc;
++
++	rc = RAND_bytes(buf, nbytes);
++	if (1 != rc) {
++		unsigned long err;
++		char *err_str;
++
++		err = ERR_get_error();
++		err_str = ERR_error_string(err, NULL);
++		/* XXX: Log the error */
++
++		return -1;
++	}
++	return 0;
++#else
++   arc4random_buf(buf, nbytes);
++   return 0;
++#endif
++}
++
+Index: ntp-4.2.6p5/util/ntp-keygen.c
+===================================================================
+--- ntp-4.2.6p5.orig/util/ntp-keygen.c
++++ ntp-4.2.6p5/util/ntp-keygen.c
+@@ -261,6 +261,8 @@ main(
+ 	ssl_check_version();
+ #endif /* OPENSSL */
+ 
++	ntp_crypto_srandom();
++
+ 	/*
+ 	 * Process options, initialize host name and timestamp.
+ 	 */
+@@ -727,7 +729,14 @@ gen_md5(
+ 			int temp;
+ 
+ 			while (1) {
+-				temp = ntp_random() & 0xff;
++				int rc;
++
++				rc = ntp_crypto_random_buf(&temp, 1);
++				if (-1 == rc) {
++					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
++					exit (-1);
++				}
++				temp &= 0xff;
+ 				if (temp == '#')
+ 					continue;
+ 
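Review bot: In the gen_md5() change, `ntp_crypto_random_buf(&temp, 1)` writes one byte at the lowest address of the uninitialised `int temp` declared just above, and `temp &= 0xff` then keeps the least-significant byte; on a little-endian target those are the same byte, but on a big-endian target the random byte lands in the most-significant position and the key character is taken from an indeterminate byte, so the generated MD5 key is not random there (and the `while (1)` loop may never see a usable value). Read into a byte instead and widen it: `unsigned char rb;` / `rc = ntp_crypto_random_buf(&rb, 1);` / `temp = rb;`, dropping the `temp &= 0xff;` line. In ntp_crypto_random_buf() the OpenSSL failure path computes `err_str` from ERR_error_string() and never uses it (`/* XXX: Log the error */`), so the only diagnostic for a failed RAND_bytes() is lost; `msyslog(LOG_ERR, "RAND_bytes() failed: %s", err_str);` appears usable here since libntp provides msyslog, but confirm the include. `int crypto_rand_init = 0;` is a file-private flag with external linkage and should be `static`. gen_md5()'s body continues outside the hunk.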
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
new file mode 100644
index 0000000..6143f26
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
@@ -0,0 +1,113 @@
+CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets 
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808 at gmail.com>
+
+2014-12-12 11:06:03+00:00, stenn at psp-fb1.ntp.org +12 -3
+  [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn at psp-fb1.ntp.org +16 -1
+  [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn at psp-fb1.ntp.org +14 -0
+  [Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c	2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+ 			 * errors.
+ 			 */
+ 			if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++				u_int32 *cookiebuf = malloc(
++				    RSA_size(host_pkey->pkey.rsa));
++				if (!cookiebuf) {
++					rval = XEVNT_CKY;
++					break;
++				}
++
+ 				if (RSA_private_decrypt(vallen,
+ 				    (u_char *)ep->pkt,
+-				    (u_char *)&temp32,
++				    (u_char *)cookiebuf,
+ 				    host_pkey->pkey.rsa,
+-				    RSA_PKCS1_OAEP_PADDING) <= 0) {
++				    RSA_PKCS1_OAEP_PADDING) != 4) {
+ 					rval = XEVNT_CKY;
++					free(cookiebuf);
+ 					break;
+ 				} else {
+-					cookie = ntohl(temp32);
++					cookie = ntohl(*cookiebuf);
++					free(cookiebuf);
+ 				}
+ 			} else {
+ 				rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c	2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c	2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static	char *reqpt;
+ static	char *reqend;
+ 
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+  * init_control - initialize request data
+  */
+@@ -995,6 +999,7 @@
+ 	)
+ {
+ 	int overhead;
++	unsigned int currentlen;
+ 
+ 	overhead = 0;
+ 	if (!bin) {
+@@ -1018,12 +1023,22 @@
+ 	/*
+ 	 * Save room for trailing junk
+ 	 */
+-	if (dlen + overhead + datapt > dataend) {
++	while (dlen + overhead + datapt > dataend) {
+ 		/*
+ 		 * Not enough room in this one, flush it out.
+ 		 */
++		currentlen = MIN(dlen, dataend - datapt);
++
++		memcpy(datapt, dp, currentlen);
++
++		datapt += currentlen;
++		dp += currentlen;
++		dlen -= currentlen;
++		datalinelen += currentlen;
++
+ 		ctl_flushpkt(CTL_MORE);
+ 	}
++
+ 	memmove((char *)datapt, dp, (unsigned)dlen);
+ 	datapt += dlen;
+ 	datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+ 
+ 	/* Initialize the remote config buffer */
+ 	data_count = reqend - reqpt;
++
++	if (data_count > sizeof(remote_config.buffer) - 2) {
++		snprintf(remote_config.err_msg,
++			 sizeof(remote_config.err_msg),
++			 "runtime configuration failed: request too long");
++		ctl_putdata(remote_config.err_msg,
++			    strlen(remote_config.err_msg), 0);
++		ctl_flushpkt(0);
++		msyslog(LOG_NOTICE,
++			"runtime config from %s rejected: request too long",
++			stoa(&rbufp->recv_srcadr));
++		return;
++	}
++
+ 	memcpy(remote_config.buffer, reqpt, data_count);
+ 	if (data_count > 0
+ 	    && '\n' != remote_config.buffer[data_count - 1])
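Review bot: The bound `data_count > sizeof(remote_config.buffer) - 2` added in configure() carries no explanation of the two reserved bytes; the lines that follow append a '\n' when the request lacks one, and the buffer presumably also needs a terminating NUL, so a comment such as `/* reserve room for the '\n' appended below and a terminating NUL */` would let the next reader check the arithmetic. The declaration of data_count is outside the hunk; if it is a signed type, the comparison is carried out as size_t and is only safe because reqend cannot precede reqpt, which is worth stating or making explicit with a cast. In the ctl_putdata() change `MIN(dlen, dataend - datapt)` compares a length with a pointer difference (ptrdiff_t), mixing signed and unsigned operands; casting the difference to dlen's type, e.g. `currentlen = MIN(dlen, (unsigned int)(dataend - datapt));`, would silence -Wsign-compare and document that datapt never passes dataend. Both configure() and ctl_putdata() start and end outside their hunks.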
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
new file mode 100644
index 0000000..a85f65d
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
@@ -0,0 +1,21 @@
+CVE-2014-9296 ntp: receive() missing return on error
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808 at gmail.com>
+
+2014-12-12 11:24:22+00:00, stenn at psp-fb1.ntp.org +1 -0
+  [Sec 2670] Missing return; from error clause
+
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c	2014-12-20 18:45:42.760821618 +0100
++++ git/ntpd/ntp_proto.c	2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+ 				fast_xmit(rbufp, MODE_ACTIVE, 0,
+ 				    restrict_mask);
+ 				sys_restricted++;
++				return;
+ 			}
+ 		}
+ 
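Review bot: The bare `return;` after `sys_restricted++` carries no comment explaining why the restricted-client path must leave receive() here, so a later cleanup could drop it again as apparently redundant; `return;	/* restricted: do not fall through to normal packet processing */` would record the intent at the site. receive()'s body starts and ends outside the hunk.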
diff --git a/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
new file mode 100644
index 0000000..f576e2e
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
@@ -0,0 +1,108 @@
+Fix ntp-keygen build without OpenSSL
+
+Patch borrowed from Gentoo, originally from upstream
+Added --enable-libenvent to config since this version
+does not have local libevent support but we need the 
+functions from the lib.
+
+Signed-off-by: Armin Kuster <akuster808 at gmail.com>
+
+Upstream-Status: Backport
+
+Upstream commit:
+http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg
+Gentoo bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=533238
+
+Signed-off-by: Markos Chandras <hwoarang at gentoo.org>
+
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
++++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -498,6 +498,21 @@ ntp_random( void )
+ int crypto_rand_init = 0;
+ #endif
+ 
++#ifndef HAVE_ARC4RANDOM_BUF
++static void
++arc4random_buf(void *buf, size_t nbytes);
++
++void
++evutil_secure_rng_get_bytes(void *buf, size_t nbytes);
++
++static void
++arc4random_buf(void *buf, size_t nbytes)
++{
++  evutil_secure_rng_get_bytes(buf, nbytes);
++  return;
++}
++#endif
++
+ /*
+  * ntp_crypto_srandom:
+  *
+Index: ntp-4.2.6p5/util/Makefile.am
+===================================================================
+--- ntp-4.2.6p5.orig/util/Makefile.am
++++ ntp-4.2.6p5/util/Makefile.am
+@@ -21,6 +21,7 @@ AM_CPPFLAGS= -I$(top_srcdir)/include -I$
+ LDADD=		../libntp/libntp.a
+ ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h
+ ntp_keygen_LDADD= version.o $(LIBOPTS_LDADD) ../libntp/libntp.a @LCRYPTO@
++ntp_keygen_LDADD += $(LDADD_LIBEVENT)
+ 
+ ETAGS_ARGS=	Makefile.am
+ #EXTRA_DIST=	README TAGS
+Index: ntp-4.2.6p5/configure.ac
+===================================================================
+--- ntp-4.2.6p5.orig/configure.ac
++++ ntp-4.2.6p5/configure.ac
+@@ -376,6 +376,8 @@ AC_CHECK_FUNC([openlog], ,
+ AC_SEARCH_LIBS([MD5Init], [md5 md])
+ AC_CHECK_FUNCS(MD5Init)
+ 
++AC_CHECK_FUNC([arc4random_buf])
++
+ NTP_LINEEDITLIBS
+ 
+ dnl Digital UNIX V4.0 and Solaris 7 have POSIX.1c functions in -lrt
+@@ -5205,6 +5207,39 @@ AC_MSG_RESULT([$ntp_use_dev_clockctl])
+ 
+ AC_CHECK_HEADERS([sys/capability.h sys/prctl.h])
+ 
++AC_MSG_CHECKING([if we have libevent capabilities (libevent)])
++
++case "$ac_cv_header_event2_event-config_h" in
++ yes)
++    case "$host" in
++     *) ntp_have_linuxcaps=yes
++	;;
++    esac
++    ;;
++ *)
++    ntp_have_linuxcaps=no
++    ;;
++esac
++
++AC_ARG_ENABLE(
++    [libevent],
++    [AS_HELP_STRING(
++	[--enable-libevent],
++	[+ Use libevent capabilities for arc4random]
++    )],
++    [ntp_have_libevent=$enableval]
++)
++
++AC_MSG_RESULT([$ntp_have_libevent])
++
++case "$ntp_have_libevent" in
++ yes)
++    AC_DEFINE([HAVE_LIBEVENT], [1],
++	[Do we have libevent capabilities?])
++    LIBS="$LIBS -levent"
++esac
++
++
+ AC_MSG_CHECKING([if we have linux capabilities (libcap)])
+ 
+ case "$ac_cv_header_sys_capability_h$ac_cv_header_sys_prctl_h" in
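Review bot: `AC_CHECK_FUNC([arc4random_buf])` in the configure.ac hunk never defines `HAVE_ARC4RANDOM_BUF`: the singular AC_CHECK_FUNC only runs the test and executes optional actions, while only the plural `AC_CHECK_FUNCS([arc4random_buf])` emits the HAVE_ macro into config.h. As written, the `#ifndef HAVE_ARC4RANDOM_BUF` fallback in ntp_random.c is compiled unconditionally, so the libevent shim is always used even where the C library (or libbsd) provides arc4random_buf. The libevent case block also assigns `ntp_have_linuxcaps=yes` instead of `ntp_have_libevent` (apparently copied from the libcap block below it) and tests `$ac_cv_header_event2_event-config_h`, which is not a valid shell variable name, so `ntp_have_libevent` is only ever set by `--enable-libevent` and AC_MSG_RESULT prints an empty value otherwise. `LDADD_LIBEVENT`, referenced in the util/Makefile.am hunk, is not defined or AC_SUBST'd anywhere visible in this patch, so that line appears to contribute nothing and linking relies on the `LIBS="$LIBS -levent"` assignment alone.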
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index fd29a78..ab7bd9c 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -26,13 +26,22 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
            file://sntp \
            file://ntpd.list \
            file://CVE-2013-5211.patch \
+           file://ntp-4.2.6p5-cve-2014-9293.patch \
+           file://ntp-4.2.6p5-cve-2014-9294.patch \
+           file://ntp-4.2.6p5-cve-2014-9295.patch \
+           file://ntp-4.2.6p5-cve-2014-9296.patch  \
+           file://ntp-keygen_no_openssl.patch  \
 "
 
 inherit autotools update-rc.d useradd systemd
 
 # The ac_cv_header_readline_history is to stop ntpdc depending on either
 # readline or curses
-EXTRA_OECONF += "--with-net-snmp-config=no --without-ntpsnmpd ac_cv_header_readline_history_h=no --with-binsubdir=sbin"
+EXTRA_OECONF += "--with-net-snmp-config=no \
+                --without-ntpsnmpd \
+                ac_cv_header_readline_history_h=no \
+                --with-binsubdir=sbin"
+
 CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"
 
 USERADD_PACKAGES = "${PN}"
@@ -42,7 +51,7 @@ USERADD_PARAM_${PN} = "--system --home-dir ${NTP_USER_HOME} \
                        --shell /bin/false --user-group ntp"
 
 # NB: debug is default-enabled by NTP; keep it default-enabled here.
-PACKAGECONFIG ??= "cap debug"
+PACKAGECONFIG ??= "event cap debug"
 PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
                           --with-openssl-incdir=${STAGING_INCDIR} \
                           --with-crypto, \
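Review bot: Adding `event` to the default PACKAGECONFIG turns on `--enable-libevent` for every build, and the configure.ac change in ntp-keygen_no_openssl.patch implements that option by appending `-levent` to LIBS, so ntpd, ntpq and the other binaries — not only ntp-keygen — would link against libevent. If the dependency is only needed for the arc4random_buf fallback in ntp-keygen, that should be stated in the commit message or the library scoped to ntp_keygen_LDADD; whether the rest of the tree already links libevent cannot be seen from this hunk.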
@@ -51,6 +60,7 @@ PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \
 PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap"
 PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline"
 PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging"
+PACKAGECONFIG[event] = "--enable-libevent,--disable-libevent, libevent"
 
 do_install_append() {
     install -d ${D}${sysconfdir}/init.d
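Review bot: The new `PACKAGECONFIG[event]` entry has a leading space in its dependency field (`, libevent`) while the neighbouring entries have none; bitbake may tolerate the whitespace when it splits the field, but the line should read `PACKAGECONFIG[event] = "--enable-libevent,--disable-libevent,libevent"` for consistency and to avoid depending on that. The `--disable-libevent` form relies on the AC_ARG_ENABLE added in ntp-keygen_no_openssl.patch, which sets only `ntp_have_libevent=$enableval`, so the disabled path does nothing beyond skipping `-levent`; confirm that is the intended behaviour.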
@@ -94,7 +104,7 @@ PACKAGES += "ntpdate sntp ${PN}-tickadj ${PN}-utils"
 
 # ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms
 # with wonky clocks (e.g. OpenSlug)
-RDEPENDS_${PN} = "${PN}-tickadj"
+RDEPENDS_${PN} = "${PN}-tickadj libbsd"
 # Handle move from bin to utils package
 RPROVIDES_${PN}-utils = "${PN}-bin"
 RREPLACES_${PN}-utils = "${PN}-bin"
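Review bot: `RDEPENDS_${PN}` gains `libbsd` with no matching build-time `DEPENDS` and no mention in the commit message; a runtime-only dependency cannot make `arc4random_buf` visible to the configure check or the link step, so either the build dependency is missing or the runtime one is superfluous. If libbsd is the intended provider of arc4random_buf for non-OpenSSL builds, add `DEPENDS += "libbsd"` and say so in the description; otherwise drop the runtime dependency. Whether libbsd already appears in DEPENDS cannot be seen from this hunk.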
-- 
1.9.1



