authorZhang Xiao <xiao.zhang@windriver.com>2014-08-14 11:14:46 +0800
committerMartin Jansa <Martin.Jansa@gmail.com>2014-08-21 21:35:05 +0200
commit622ad1538bd931e3bda6c8a9c4cd879db454d15d (patch)
tree9e543f3135672dedc45062f84c69de6d44026756 /meta-networking
parent55ebea4bb0909e936ad89c17abfeb3549937aefa (diff)
ntp: fix CVE-2013-5211
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch112
-rw-r--r--meta-networking/recipes-support/ntp/ntp.inc1
2 files changed, 113 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch b/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
new file mode 100644
index 0000000000..ddcb044e60
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
@@ -0,0 +1,112 @@
+ntp: fix CVE-2013-5211
+
+Upstream-status: Backport
+
+The monlist feature in ntp_request.c in ntpd in NTP before
+4.2.7p26 allows remote attackers to cause a denial of service
+(traffic amplification) via forged (1) REQ_MON_GETLIST or
+(2) REQ_MON_GETLIST_1 requests, as exploited in the wild
+in December 2013.
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+
+--- a/ntpd/ntp_request.c
++++ b/ntpd/ntp_request.c
+@@ -1912,44 +1912,11 @@ mon_getlist_0(
+ struct req_pkt *inpkt
+ )
+ {
+- register struct info_monitor *im;
+- register struct mon_data *md;
+- extern struct mon_data mon_mru_list;
+- extern int mon_enabled;
+-
+ #ifdef DEBUG
+ if (debug > 2)
+ printf("wants monitor 0 list\n");
+ #endif
+- if (!mon_enabled) {
+- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+- return;
+- }
+- im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt,
+- v6sizeof(struct info_monitor));
+- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
+- md = md->mru_next) {
+- im->lasttime = htonl((u_int32)((current_time -
+- md->firsttime) / md->count));
+- im->firsttime = htonl((u_int32)(current_time - md->lasttime));
+- im->restr = htonl((u_int32)md->flags);
+- im->count = htonl((u_int32)(md->count));
+- if (IS_IPV6(&md->rmtadr)) {
+- if (!client_v6_capable)
+- continue;
+- im->addr6 = SOCK_ADDR6(&md->rmtadr);
+- im->v6_flag = 1;
+- } else {
+- im->addr = NSRCADR(&md->rmtadr);
+- if (client_v6_capable)
+- im->v6_flag = 0;
+- }
+- im->port = md->rmtport;
+- im->mode = md->mode;
+- im->version = md->version;
+- im = (struct info_monitor *)more_pkt();
+- }
+- flush_pkt();
++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+ }
+
+ /*
+@@ -1962,50 +1929,7 @@ mon_getlist_1(
+ struct req_pkt *inpkt
+ )
+ {
+- register struct info_monitor_1 *im;
+- register struct mon_data *md;
+- extern struct mon_data mon_mru_list;
+- extern int mon_enabled;
+-
+- if (!mon_enabled) {
+- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+- return;
+- }
+- im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt,
+- v6sizeof(struct info_monitor_1));
+- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
+- md = md->mru_next) {
+- im->lasttime = htonl((u_int32)((current_time -
+- md->firsttime) / md->count));
+- im->firsttime = htonl((u_int32)(current_time - md->lasttime));
+- im->restr = htonl((u_int32)md->flags);
+- im->count = htonl((u_int32)md->count);
+- if (IS_IPV6(&md->rmtadr)) {
+- if (!client_v6_capable)
+- continue;
+- im->addr6 = SOCK_ADDR6(&md->rmtadr);
+- im->v6_flag = 1;
+- im->daddr6 = SOCK_ADDR6(&md->interface->sin);
+- } else {
+- im->addr = NSRCADR(&md->rmtadr);
+- if (client_v6_capable)
+- im->v6_flag = 0;
+- if (MDF_BCAST == md->cast_flags)
+- im->daddr = NSRCADR(&md->interface->bcast);
+- else if (md->cast_flags) {
+- im->daddr = NSRCADR(&md->interface->sin);
+- if (!im->daddr)
+- im->daddr = NSRCADR(&md->interface->bcast);
+- } else
+- im->daddr = 4;
+- }
+- im->flags = htonl(md->cast_flags);
+- im->port = md->rmtport;
+- im->mode = md->mode;
+- im->version = md->version;
+- im = (struct info_monitor_1 *)more_pkt();
+- }
+- flush_pkt();
++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+ }
+
+ /*
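Review bot: Both stubbed handlers (`mon_getlist_0` in the first inner hunk and `mon_getlist_1` in the second) still call `req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA)` for every request, so a forged REQ_MON_GETLIST no longer returns the monitor list but, as far as these lines show, is still answered at the address it claims to come from; `req_ack` is defined outside the hunk, so the size of that reply cannot be confirmed here. The new bodies also no longer consult `mon_enabled`, and a comment on the remaining line would make that deliberate, e.g. `/* CVE-2013-5211: monlist disabled; always report no data, regardless of mon_enabled */`. The patch header spells the tag `Upstream-status:`, whereas the OpenEmbedded convention is `Upstream-Status: Backport`, ideally naming the upstream release the change was taken from. Other mode 7 requests are not touched by this patch, so the configuration shipped with the recipe (not visible in this commit) should still limit queries, for example with `restrict default noquery`.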
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index 2c8f48864f..b63f202fe5 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -24,6 +24,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
file://sntp \
file://ntpd.list \
file://ntp-disable-debugging.patch \
+ file://CVE-2013-5211.patch \
"
inherit autotools update-rc.d useradd systemd