From: Juergen Perlinger Date: Fri, 6 Nov 2015 07:56:33 +0000 (+0100) Subject: Merge perlinger@psp-deb1.ntp.org:ntp-stable-2945 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a3243ab8ea3e820e54d3ddb8d2234c131dd1df5;p=thirdparty%2Fntp.git Merge perlinger@psp-deb1.ntp.org:ntp-stable-2945 into hydra.localnet:/home/jnperlin/Projects/Packages/NTP-DEV/src/ntp-stable-2945 bk: 563c5d31y3Be2MkRpaaahN4cI0Y1Eg --- 6a3243ab8ea3e820e54d3ddb8d2234c131dd1df5 diff --cc ChangeLog index b170d63fd,e8ad1cc62..54f3247d0 --- a/ChangeLog +++ b/ChangeLog @@@ -1,34 -1,8 +1,33 @@@ --- - +* [Sec 2956] small-step/big-step. Close the panic gate earlier. HStenn. +* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray + * [Bug 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org +* [Bug 2954] Version 4.2.8p4 crashes on startup with sig fault + - fixed data race conditions in threaded DNS worker. perlinger@ntp.org + - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org --- -(4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn +(4.2.8p4) 2015/10/21 Released by Harlan Stenn - (4.2.8p4-RC1) 2015/10/06 Released by Harlan Stenn +* [Sec 2899] CVE-2014-9297 perlinger@ntp.org +* [Sec 2901] Drop invalid packet before checking KoD. Check for all KoD's. + Danny Mayer. Log incoming packets that fail TEST2. Harlan Stenn. +* [Sec 2902] configuration directives "pidfile" and "driftfile" + should be local-only. perlinger@ntp.org (patch by Miroslav Lichvar) +* [Sec 2909] added missing call to 'free()' in ntp_crypto.c. perlinger@ntp.org +* [Sec 2913] TALOS-CAN-0052: crash by loop counter underrun. perlinger@ntp.org +* [Sec 2916] TALOS-CAN-0054: memory corruption in password store. JPerlinger +* [Sec 2917] TALOS-CAN-0055: Infinite loop if extended logging enabled and + the logfile and keyfile are the same. perlinger@ntp.org +* [Sec 1918] TALOS-CAN-0062: prevent directory traversal for VMS, too, when + using 'saveconfig' command. 
perlinger@ntp.org +* [Bug 2919] TALOS-CAN-0063: avoid buffer overrun in ntpq. perlinger@ntp.org +* [Sec 2020] TALOS-CAN-0064: signed/unsiged clash could lead to buffer overun + and memory corruption. perlinger@ntp.org +* [Sec 2921] TALOS-CAN-0065: password length memory corruption. JPerlinger. +* [Sec 2922] decodenetnum() will ASSERT botch instead of returning FAIL + on some bogus values. Harlan Stenn. +* [Sec 2941] NAK to the Future: Symmetric association authentication + bypass via crypto-NAK. Patch applied. perlinger@ntp.org * [Bug 2332] (reopened) Exercise thread cancellation once before dropping privileges and limiting resources in NTPD removes the need to link forcefully against 'libgcc_s' which does not always work. J.Perlinger diff --cc ntpd/ntp_proto.c index 2a15d7242,ad5d5925a..cfd7f3c53 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@@ -1325,18 -1257,20 +1325,26 @@@ receive * interleaved mode and resynchronize, but only after confirming * the packet is not bogus in symmetric interleaved mode. * + * Since a cleared 'aorg' is the indication for 'no response + * pending' we have to test this explicitely. Of course, should + * 'aorg' be all-zero because this was the original transmit + * time stamp, we will drop the reply. There's a sub-second slot + * every 136 years where this *might* happen, so we ignore this + * possible drop of a valid response. ++ * + * This could also mean somebody is forging packets claiming to + * be from us, attempting to cause our server to KoD us. */ } else if (peer->flip == 0) { - if (!L_ISEQU(&p_org, &peer->aorg)) { + if (L_ISZERO(&peer->aorg) || + !L_ISEQU(&p_org, &peer->aorg)) { peer->bogusorg++; peer->flash |= TEST2; /* bogus */ - if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org, - &peer->dst)) { + msyslog(LOG_INFO, + "receive: Unexpected origin timestamp from %s", + ntoa(&peer->srcadr)); + if ( !L_ISZERO(&peer->dst) + && L_ISEQU(&p_org, &peer->dst)) { peer->flip = 1; report_event(PEVNT_XLEAVE, peer, NULL); }
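Review bot: in the ChangeLog hunk, the entry ids "[Sec 1918]" (TALOS-CAN-0062) and "[Sec 2020]" (TALOS-CAN-0064) fall outside the 29xx sequence of the surrounding entries (2917, 2919, 2921) and read like transposition typos; they should be verified against the bug tracker before the release notes are cut. Same hunk, same entry for TALOS-CAN-0064: "signed/unsiged clash could lead to buffer overun" should read "signed/unsigned clash could lead to buffer overrun". Also, "[Bug 2919] TALOS-CAN-0063: avoid buffer overrun in ntpq" is the only TALOS entry tagged [Bug] rather than [Sec]; if it is a security fix like its neighbours, the tag should match so it is not missed when the security list is compiled.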
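Review bot: in the ntpd/ntp_proto.c hunk, the new msyslog(LOG_INFO, "receive: Unexpected origin timestamp from %s", ...) fires once for every packet that fails the widened origin check, and the comment a few lines above it already notes that such packets may be forged by a third party claiming to be us, so an unauthenticated packet stream now maps one-to-one onto syslog lines; consider rate limiting this message or logging it at debug level. While here, include the received origin timestamp (p_org) and the expected value (peer->aorg) in the message, otherwise the entry cannot distinguish a zero-origin probe from a stale or replayed reply during incident triage. Minor: "explicitely" in the added comment should be "explicitly".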