pkgsrc-Changes archive


CVS commit: pkgsrc/net/ntp4



Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Dec 20 09:45:46 UTC 2014

Modified Files:
        pkgsrc/net/ntp4: Makefile PLIST distinfo
        pkgsrc/net/ntp4/patches: patch-configure patch-sntp_configure
Added Files:
        pkgsrc/net/ntp4/patches: patch-ntpd_ntp__io.c

Log Message:
Update ntpd4 package to 4.2.8; here is a summary of the security-related fixes.

NTP 4.2.8 (Harlan Stenn <stenn%ntp.org@localhost>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
        would generate a random key on the fly.  There were two
        problems with this: 1) the generated key was 31 bits in size,
        and 2) it used the (now weak) ntp_random() function, which was
        seeded with a 32-bit value and could only provide 32 bits of
        entropy.  This was sufficient back in the late 1990s when the
        code was written.  Not today.

  Mitigation: Upgrade to 4.2.7p11 or later.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
        of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
        prepare a random number generator that was of good quality back
        in the late 1990s. The random numbers produced were then used to
        generate symmetric keys. In ntp-4.2.8 we use a current-technology
        cryptographic random number generator, either RAND_bytes from
        OpenSSL, or arc4random().

  Mitigation: Upgrade to 4.2.7p230 or later.

  Credit:  This vulnerability was discovered in ntp-4.2.6 by
        Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
        file contains a 'crypto pw ...' directive) a remote attacker
        can send a carefully crafted packet that can overflow a stack
        buffer and potentially allow malicious code to be executed
        with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later, or
        Disable Autokey Authentication by removing, or commenting out,
        all configuration directives beginning with the crypto keyword
        in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
        the code path where an error was detected, which meant
        processing did not stop when a specific rare error occurred.
        We haven't found a way for this bug to affect system integrity.
        If there is no way to affect system integrity the base CVSS
        score for this bug is 0. If there is one avenue through which
        system integrity can be partially affected, the base score
        becomes a 5. If system integrity can be partially affected
        via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation:
        Upgrade to 4.2.8, or later,
        or Remove or comment out all configuration directives
        beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

See http://support.ntp.org/security for more information.


To generate a diff of this commit:
cvs rdiff -u -r1.80 -r1.81 pkgsrc/net/ntp4/Makefile
cvs rdiff -u -r1.15 -r1.16 pkgsrc/net/ntp4/PLIST
cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/ntp4/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/ntp4/patches/patch-configure \
    pkgsrc/net/ntp4/patches/patch-sntp_configure
cvs rdiff -u -r0 -r1.1 pkgsrc/net/ntp4/patches/patch-ntpd_ntp__io.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
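
The upgrade thresholds and the "remove the crypto directives" mitigation from the log message above, turned into a host check. This is an added example, not part of the commit or of the NTP project's code. The function names, the constructed sample ntp.conf and the assumption that version strings have the form X.Y.Z or X.Y.ZpN are mine; the Sec/CVE identifiers and version numbers are the ones quoted in the release notes.

```shell
#!/bin/sh
# Added example (not from pkgsrc or the NTP project). Version thresholds and
# Sec/CVE ids are taken from the release notes quoted in the log message.

# Map "X.Y.Z" or "X.Y.ZpN" to one integer so versions compare numerically.
ntp_version_key() (
    base=${1%%p*}
    case $1 in *p*) patch=${1#*p} ;; *) patch=0 ;; esac
    IFS=.
    set -- $base
    echo $(( (($1 * 100 + $2) * 100 + $3) * 10000 + patch ))
)

# True when version $1 is older than version $2.
ntp_version_lt() {
    [ "$(ntp_version_key "$1")" -lt "$(ntp_version_key "$2")" ]
}

# Print "lineno:text" for each active (uncommented) directive that begins
# with the crypto keyword; prints nothing when there are none.
crypto_directives() {
    grep -nE '^[[:space:]]*crypto([[:space:]]|$)' "$1" || true
}

# ntp_audit VERSION NTP_CONF: one line per advisory item that still applies.
ntp_audit() {
    ver=$1 conf=$2
    autokey=$(crypto_directives "$conf")
    if ntp_version_lt "$ver" 4.2.7p11; then
        echo "Sec 2665 CVE-2014-9293: upgrade to 4.2.7p11 or later"
    fi
    if ntp_version_lt "$ver" 4.2.7p230; then
        echo "Sec 2666 CVE-2014-9294: upgrade to 4.2.7p230 or later"
    fi
    if ntp_version_lt "$ver" 4.2.8; then
        fix="upgrade to 4.2.8 or later"
        [ -z "$autokey" ] || echo "Sec 2667 CVE-2014-9295: $fix, or remove crypto directives"
        echo "Sec 2668 CVE-2014-9295: $fix"
        echo "Sec 2669 CVE-2014-9295: $fix"
        [ -z "$autokey" ] || echo "Sec 2670 CVE-2014-9296: $fix, or remove crypto directives"
        [ -z "$autokey" ] || echo "$autokey" | sed 's/^/  ntp.conf line /'
    fi
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
printf '%s\n' 'server 0.pool.example' '# crypto pw old' 'crypto pw example' > "$sample"
ntp_audit 4.2.6p5 "$sample"
rm -f "$sample"
```

Sec 2667 and Sec 2670 are reported only when an active crypto directive is present, since removing those directives is the alternative mitigation the notes give for them.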



