From: Zhang Xiao Date: Thu, 14 Aug 2014 03:14:46 +0000 (+0800) Subject: ntp: fix CVE-2013-5211 X-Git-Tag: rev_ivi_2015_02_04~1509 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=940fbfeba4a5faf1e55f1018980f4437a5d93cb1;p=scm%2Fbb%2Ftizen-distro.git ntp: fix CVE-2013-5211 The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. (From meta-openembedded rev: 622ad1538bd931e3bda6c8a9c4cd879db454d15d) Signed-off-by: Zhang Xiao Signed-off-by: Martin Jansa Signed-off-by: Patrick Ohly --- diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch b/meta-openembedded/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch new file mode 100644 index 0000000..ddcb044 --- /dev/null +++ b/meta-openembedded/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch @@ -0,0 +1,112 @@ +ntp: fix CVE-2013-5211 + +Upstream-status: Backport + +The monlist feature in ntp_request.c in ntpd in NTP before +4.2.7p26 allows remote attackers to cause a denial of service +(traffic amplification) via forged (1) REQ_MON_GETLIST or +(2) REQ_MON_GETLIST_1 requests, as exploited in the wild +in December 2013. + +Signed-off-by: Zhang Xiao + +--- a/ntpd/ntp_request.c ++++ b/ntpd/ntp_request.c +@@ -1912,44 +1912,11 @@ mon_getlist_0( + struct req_pkt *inpkt + ) + { +- register struct info_monitor *im; +- register struct mon_data *md; +- extern struct mon_data mon_mru_list; +- extern int mon_enabled; +- + #ifdef DEBUG + if (debug > 2) + printf("wants monitor 0 list\n"); + #endif +- if (!mon_enabled) { +- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); +- return; +- } +- im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt, +- v6sizeof(struct info_monitor)); +- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0; +- md = md->mru_next) { +- im->lasttime = htonl((u_int32)((current_time - +- md->firsttime) / md->count)); +- im->firsttime = htonl((u_int32)(current_time - md->lasttime)); +- im->restr = htonl((u_int32)md->flags); +- im->count = htonl((u_int32)(md->count)); +- if (IS_IPV6(&md->rmtadr)) { +- if (!client_v6_capable) +- continue; +- im->addr6 = SOCK_ADDR6(&md->rmtadr); +- im->v6_flag = 1; +- } else { +- im->addr = NSRCADR(&md->rmtadr); +- if (client_v6_capable) +- im->v6_flag = 0; +- } +- im->port = md->rmtport; +- im->mode = md->mode; +- im->version = md->version; +- im = (struct info_monitor *)more_pkt(); +- } +- flush_pkt(); ++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); + } + + /* +@@ -1962,50 +1929,7 @@ mon_getlist_1( + struct req_pkt *inpkt + ) + { +- register struct info_monitor_1 *im; +- register struct mon_data *md; +- extern struct mon_data mon_mru_list; +- extern int mon_enabled; +- +- if (!mon_enabled) { +- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); +- return; +- } +- im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt, +- v6sizeof(struct info_monitor_1)); +- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0; +- md = md->mru_next) { +- im->lasttime = htonl((u_int32)((current_time - +- md->firsttime) / md->count)); +- im->firsttime = htonl((u_int32)(current_time - md->lasttime)); +- im->restr = htonl((u_int32)md->flags); +- im->count = htonl((u_int32)md->count); +- if (IS_IPV6(&md->rmtadr)) { +- if (!client_v6_capable) +- continue; +- im->addr6 = SOCK_ADDR6(&md->rmtadr); +- im->v6_flag = 1; +- im->daddr6 = SOCK_ADDR6(&md->interface->sin); +- } else { +- im->addr = NSRCADR(&md->rmtadr); +- if (client_v6_capable) +- im->v6_flag = 0; +- if (MDF_BCAST == md->cast_flags) +- im->daddr = NSRCADR(&md->interface->bcast); +- else if (md->cast_flags) { +- im->daddr = NSRCADR(&md->interface->sin); +- if (!im->daddr) +- im->daddr = NSRCADR(&md->interface->bcast); +- } else +- im->daddr = 4; +- } +- im->flags = htonl(md->cast_flags); +- im->port = md->rmtport; +- im->mode = md->mode; +- im->version = md->version; +- im = (struct info_monitor_1 *)more_pkt(); +- } +- flush_pkt(); ++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); + } + + /* diff --git a/meta-openembedded/meta-networking/recipes-support/ntp/ntp.inc b/meta-openembedded/meta-networking/recipes-support/ntp/ntp.inc index 2c8f488..b63f202 100644 --- a/meta-openembedded/meta-networking/recipes-support/ntp/ntp.inc +++ b/meta-openembedded/meta-networking/recipes-support/ntp/ntp.inc @@ -24,6 +24,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://sntp \ file://ntpd.list \ file://ntp-disable-debugging.patch \ + file://CVE-2013-5211.patch \ " inherit autotools update-rc.d useradd systemd