author | Armin Kuster <akuster808@gmail.com> | 2014-12-28 08:45:57 -0800 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2014-12-29 10:12:51 +0100 |
commit | 200f6cafc878d4c26871fc56d21ecc8eaa9aa61b (patch) | |
tree | 916c5e6e74532e8b9ecbce8f7400697beeb82342 /meta-networking | |
parent | f9f2548e1833de07716c450312810e45d1377f11 (diff) | |
ntp: fix several security issues
* CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296.
For more details please see:
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-networking')
6 files changed, 426 insertions, 3 deletions
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
new file mode 100644
index 0000000000..667b705eaf
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9293.patch
@@ -0,0 +1,43 @@
+CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/ntpd/ntp_config.c
+===================================================================
+--- git.orig/ntpd/ntp_config.c 2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntp_config.c 2014-12-20 18:45:47.672921968 +0100
+@@ -1866,13 +1866,16 @@
+ req_hashlen = digest_len;
+ #endif
+ } else {
+- int rankey;
++ unsigned char rankey[16];
++
++ if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
++ msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++ exit(1);
++ }
+ 
+- rankey = ntp_random();
+ req_keytype = NID_md5;
+ req_hashlen = 16;
+- MD5auth_setkey(req_keyid, req_keytype,
+- (u_char *)&rankey, sizeof(rankey));
++ MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
+ authtrust(req_keyid, 1);
+ }
+ 
+Index: git/ntpd/ntpd.c
+===================================================================
+--- git.orig/ntpd/ntpd.c 2014-12-20 18:45:45.232872120 +0100
++++ git/ntpd/ntpd.c 2014-12-20 18:45:47.672921968 +0100
+@@ -597,6 +597,7 @@
+ get_systime(&now);
+ 
+ ntp_srandom((int)(now.l_i * now.l_uf));
++ ntp_crypto_srandom();
+ 
+ #if !defined(VMS)
+ # ifndef NODETACH
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
new file mode 100644
index 0000000000..67e532b9d7
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
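Review bot: The new config_auth() error path and the `ntp_crypto_srandom()` call in ntpd.c rely on functions this patch does not introduce — `ntp_crypto_random_buf()` and `ntp_crypto_srandom()` are declared and defined by ntp-4.2.6p5-cve-2014-9294.patch — so the patch is not standalone and its header should record that, e.g. `Depends on ntp-4.2.6p5-cve-2014-9294.patch for ntp_crypto_srandom()/ntp_crypto_random_buf().` The `if (ntp_crypto_random_buf(...))` test depends on the 0/-1 return contract documented only in that other patch; a comment at the call, `/* 0 on success, -1 on error; a key derived from a failed read must not be installed */`, would make the abort-on-failure choice self-explanatory. config_auth() and ntpd's main() both begin and end outside this hunk.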
@@ -0,0 +1,128 @@
+CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: ntp-4.2.6p5/include/ntp_random.h
+===================================================================
+--- ntp-4.2.6p5.orig/include/ntp_random.h
++++ ntp-4.2.6p5/include/ntp_random.h
+@@ -1,6 +1,9 @@
+ 
+ #include <ntp_types.h>
+ 
++void ntp_crypto_srandom(void);
++int ntp_crypto_random_buf(void *buf, size_t nbytes);
++
+ long ntp_random (void);
+ void ntp_srandom (unsigned long);
+ void ntp_srandomdev (void);
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
++++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -481,3 +481,74 @@ ntp_random( void )
+ }
+ return(i);
+ }
++
++/*
++ * Crypto-quality random number functions
++ *
++ * Author: Harlan Stenn, 2014
++ *
++ * This file is Copyright (c) 2014 by Network Time Foundation.
++ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
++ */
++
++#ifdef OPENSSL
++#include <openssl/err.h>
++#include <openssl/rand.h>
++
++int crypto_rand_init = 0;
++#endif
++
++/*
++ * ntp_crypto_srandom:
++ *
++ * Initialize the random number generator, if needed by the underlying
++ * crypto random number generation mechanism.
++ */
++
++void
++ntp_crypto_srandom(
++ void
++ )
++{
++#ifdef OPENSSL
++ if (!crypto_rand_init) {
++ RAND_poll();
++ crypto_rand_init = 1;
++ }
++#else
++ /* No initialization needed for arc4random() */
++#endif
++}
++
++/*
++ * ntp_crypto_random_buf:
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++ntp_crypto_random_buf(
++ void *buf,
++ size_t nbytes
++ )
++{
++#ifdef OPENSSL
++ int rc;
++
++ rc = RAND_bytes(buf, nbytes);
++ if (1 != rc) {
++ unsigned long err;
++ char *err_str;
++
++ err = ERR_get_error();
++ err_str = ERR_error_string(err, NULL);
++ /* XXX: Log the error */
++
++ return -1;
++ }
++ return 0;
++#else
++ arc4random_buf(buf, nbytes);
++ return 0;
++#endif
++}
++
+Index: ntp-4.2.6p5/util/ntp-keygen.c
+===================================================================
+--- ntp-4.2.6p5.orig/util/ntp-keygen.c
++++ ntp-4.2.6p5/util/ntp-keygen.c
+@@ -261,6 +261,8 @@ main(
+ ssl_check_version();
+ #endif /* OPENSSL */
+ 
++ ntp_crypto_srandom();
++
+ /*
+ * Process options, initialize host name and timestamp.
+ */
+@@ -727,7 +729,14 @@ gen_md5(
+ int temp;
+ 
+ while (1) {
+- temp = ntp_random() & 0xff;
++ int rc;
++
++ rc = ntp_crypto_random_buf(&temp, 1);
++ if (-1 == rc) {
++ fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
++ exit (-1);
++ }
++ temp &= 0xff;
+ if (temp == '#')
+ continue;
+ 
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
new file mode 100644
index 0000000000..6143f26e92
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9295.patch
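Review bot: In gen_md5(), `ntp_crypto_random_buf(&temp, 1)` writes one byte into the `int temp` (declared without an initializer in the context line above), and `temp &= 0xff` then keeps the low-order byte; that is the freshly written byte only on little-endian hosts, so on big-endian targets the key characters come from uninitialized stack rather than from the CSPRNG. Read into a byte-sized object instead: `unsigned char rb;`, `rc = ntp_crypto_random_buf(&rb, 1);`, `temp = rb;`. Separately, the OpenSSL branch of ntp_crypto_random_buf() computes `err_str` and then discards it at `/* XXX: Log the error */`, so a RAND_bytes() failure is invisible to the operator; logging it there (e.g. `msyslog(LOG_ERR, "RAND_bytes() failed: %s", err_str);`) would close that gap, and `crypto_rand_init` looks file-local and could be `static`. gen_md5() begins and ends outside the hunk.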
@@ -0,0 +1,113 @@
+CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+2014-12-12 11:06:03+00:00, stenn@psp-fb1.ntp.org +12 -3
+ [Sec 2667] buffer overflow in crypto_recv()
+2014-12-12 11:13:40+00:00, stenn@psp-fb1.ntp.org +16 -1
+ [Sec 2668] buffer overflow in ctl_putdata()
+2014-12-12 11:19:37+00:00, stenn@psp-fb1.ntp.org +14 -0
+ [Sec 2669] buffer overflow in configure()
+
+Index: git/ntpd/ntp_crypto.c
+===================================================================
+--- git.orig/ntpd/ntp_crypto.c 2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_crypto.c 2014-12-20 18:45:56.425100776 +0100
+@@ -789,15 +789,24 @@
+ * errors.
+ */
+ if (vallen == (u_int)EVP_PKEY_size(host_pkey)) {
++ u_int32 *cookiebuf = malloc(
++ RSA_size(host_pkey->pkey.rsa));
++ if (!cookiebuf) {
++ rval = XEVNT_CKY;
++ break;
++ }
++
+ if (RSA_private_decrypt(vallen,
+ (u_char *)ep->pkt,
+- (u_char *)&temp32,
++ (u_char *)cookiebuf,
+ host_pkey->pkey.rsa,
+- RSA_PKCS1_OAEP_PADDING) <= 0) {
++ RSA_PKCS1_OAEP_PADDING) != 4) {
+ rval = XEVNT_CKY;
++ free(cookiebuf);
+ break;
+ } else {
+- cookie = ntohl(temp32);
++ cookie = ntohl(*cookiebuf);
++ free(cookiebuf);
+ }
+ } else {
+ rval = XEVNT_CKY;
+Index: git/ntpd/ntp_control.c
+===================================================================
+--- git.orig/ntpd/ntp_control.c 2014-12-20 18:45:44.208851199 +0100
++++ git/ntpd/ntp_control.c 2014-12-20 18:45:56.429100859 +0100
+@@ -486,6 +486,10 @@
+ static char *reqpt;
+ static char *reqend;
+ 
++#ifndef MIN
++#define MIN(a, b) (((a) <= (b)) ? (a) : (b))
++#endif
++
+ /*
+ * init_control - initialize request data
+ */
+@@ -995,6 +999,7 @@
+ )
+ {
+ int overhead;
++ unsigned int currentlen;
+ 
+ overhead = 0;
+ if (!bin) {
+@@ -1018,12 +1023,22 @@
+ /*
+ * Save room for trailing junk
+ */
+- if (dlen + overhead + datapt > dataend) {
++ while (dlen + overhead + datapt > dataend) {
+ /*
+ * Not enough room in this one, flush it out.
+ */
++ currentlen = MIN(dlen, dataend - datapt);
++
++ memcpy(datapt, dp, currentlen);
++
++ datapt += currentlen;
++ dp += currentlen;
++ dlen -= currentlen;
++ datalinelen += currentlen;
++
+ ctl_flushpkt(CTL_MORE);
+ }
++
+ memmove((char *)datapt, dp, (unsigned)dlen);
+ datapt += dlen;
+ datalinelen += dlen;
+@@ -2492,6 +2507,20 @@
+ 
+ /* Initialize the remote config buffer */
+ data_count = reqend - reqpt;
++
++ if (data_count > sizeof(remote_config.buffer) - 2) {
++ snprintf(remote_config.err_msg,
++ sizeof(remote_config.err_msg),
++ "runtime configuration failed: request too long");
++ ctl_putdata(remote_config.err_msg,
++ strlen(remote_config.err_msg), 0);
++ ctl_flushpkt(0);
++ msyslog(LOG_NOTICE,
++ "runtime config from %s rejected: request too long",
++ stoa(&rbufp->recv_srcadr));
++ return;
++ }
++
+ memcpy(remote_config.buffer, reqpt, data_count);
+ if (data_count > 0
+ && '\n' != remote_config.buffer[data_count - 1])
diff --git a/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
new file mode 100644
index 0000000000..a85f65d2aa
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9296.patch
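Review bot: The new length guard in configure() compares against `sizeof(remote_config.buffer) - 2` with nothing explaining the 2; the lines that follow (partly outside the hunk) appear to append a '\n' and a terminator, so the check deserves a comment such as `/* leave room for the trailing '\n' and NUL appended below */`. In the ctl_putdata() loop the partial copy uses `memcpy(datapt, dp, currentlen)` while the final copy a few lines later still uses `memmove(...)`; the two should agree, and a one-line note on why the source and destination cannot overlap would justify whichever is kept. `currentlen` is declared `unsigned int` but `MIN(dlen, dataend - datapt)` mixes `dlen` (type not visible here) with a `ptrdiff_t`; the loop condition appears to keep `dataend - datapt` non-negative, but a `size_t` local or an explicit cast would make that intent visible to the reader and to `-Wsign-compare`. crypto_recv(), ctl_putdata() and configure() all begin outside their hunks.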
@@ -0,0 +1,21 @@
+CVE-2014-9296 ntp: receive() missing return on error
+
+Upstream-Status: Backport [Debian]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+2014-12-12 11:24:22+00:00, stenn@psp-fb1.ntp.org +1 -0
+ [Sec 2670] Missing return; from error clause
+
+Index: git/ntpd/ntp_proto.c
+===================================================================
+--- git.orig/ntpd/ntp_proto.c 2014-12-20 18:45:42.760821618 +0100
++++ git/ntpd/ntp_proto.c 2014-12-20 18:46:00.153176945 +0100
+@@ -947,6 +947,7 @@
+ fast_xmit(rbufp, MODE_ACTIVE, 0,
+ restrict_mask);
+ sys_restricted++;
++ return;
+ }
+ }
+ 
diff --git a/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
new file mode 100644
index 0000000000..f576e2ee8b
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-keygen_no_openssl.patch
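Review bot: The added `return;` is the entire fix, yet nothing in the code says why leaving the block is required after `sys_restricted++`; a comment on the new line, `/* restricted source already answered; do not process this packet further */`, would stop a later refactor from silently reintroducing the fall-through. The enclosing function (receive(), per the patch header) begins and ends outside this hunk.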
@@ -0,0 +1,108 @@
+Fix ntp-keygen build without OpenSSL
+
+Patch borrowed from Gentoo, originally from upstream
+Added --enable-libenvent to config since this version
+does not have local libevent support but we need the
+functions from the lib.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Backport
+
+Upstream commit:
+http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg
+Gentoo bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=533238
+
+Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
+
+Index: ntp-4.2.6p5/libntp/ntp_random.c
+===================================================================
+--- ntp-4.2.6p5.orig/libntp/ntp_random.c
++++ ntp-4.2.6p5/libntp/ntp_random.c
+@@ -498,6 +498,21 @@ ntp_random( void )
+ int crypto_rand_init = 0;
+ #endif
+ 
++#ifndef HAVE_ARC4RANDOM_BUF
++static void
++arc4random_buf(void *buf, size_t nbytes);
++
++void
++evutil_secure_rng_get_bytes(void *buf, size_t nbytes);
++
++static void
++arc4random_buf(void *buf, size_t nbytes)
++{
++ evutil_secure_rng_get_bytes(buf, nbytes);
++ return;
++}
++#endif
++
+ /*
+ * ntp_crypto_srandom:
+ *
+Index: ntp-4.2.6p5/util/Makefile.am
+===================================================================
+--- ntp-4.2.6p5.orig/util/Makefile.am
++++ ntp-4.2.6p5/util/Makefile.am
+@@ -21,6 +21,7 @@ AM_CPPFLAGS= -I$(top_srcdir)/include -I$
+ LDADD= ../libntp/libntp.a
+ ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h
+ ntp_keygen_LDADD= version.o $(LIBOPTS_LDADD) ../libntp/libntp.a @LCRYPTO@
++ntp_keygen_LDADD += $(LDADD_LIBEVENT)
+ 
+ ETAGS_ARGS= Makefile.am
+ #EXTRA_DIST= README TAGS
+Index: ntp-4.2.6p5/configure.ac
+===================================================================
+--- ntp-4.2.6p5.orig/configure.ac
++++ ntp-4.2.6p5/configure.ac
+@@ -376,6 +376,8 @@ AC_CHECK_FUNC([openlog], ,
+ AC_SEARCH_LIBS([MD5Init], [md5 md])
+ AC_CHECK_FUNCS(MD5Init)
+ 
++AC_CHECK_FUNC([arc4random_buf])
++
+ NTP_LINEEDITLIBS
+ 
+ dnl Digital UNIX V4.0 and Solaris 7 have POSIX.1c functions in -lrt
+@@ -5205,6 +5207,39 @@ AC_MSG_RESULT([$ntp_use_dev_clockctl])
+ 
+ AC_CHECK_HEADERS([sys/capability.h sys/prctl.h])
+ 
++AC_MSG_CHECKING([if we have libevent capabilities (libevent)])
++
++case "$ac_cv_header_event2_event-config_h" in
++ yes)
++ case "$host" in
++ *) ntp_have_linuxcaps=yes
++ ;;
++ esac
++ ;;
++ *)
++ ntp_have_linuxcaps=no
++ ;;
++esac
++
++AC_ARG_ENABLE(
++ [libevent],
++ [AS_HELP_STRING(
++ [--enable-libevent],
++ [+ Use libevent capabilities for arc4random]
++ )],
++ [ntp_have_libevent=$enableval]
++)
++
++AC_MSG_RESULT([$ntp_have_libevent])
++
++case "$ntp_have_libevent" in
++ yes)
++ AC_DEFINE([HAVE_LIBEVENT], [1],
++ [Do we have libevent capabilities?])
++ LIBS="$LIBS -levent"
++esac
++
++
+ AC_MSG_CHECKING([if we have linux capabilities (libcap)])
+ 
+ case "$ac_cv_header_sys_capability_h$ac_cv_header_sys_prctl_h" in
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index fd29a78cfa..ab7bd9c539 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
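Review bot: The `#ifndef HAVE_ARC4RANDOM_BUF` guard around the new arc4random_buf() wrapper in ntp_random.c is never satisfied by the configure.ac change in the same patch: `AC_CHECK_FUNC([arc4random_buf])` (singular) only records the result in a cache variable and defines no macro, whereas `AC_CHECK_FUNCS([arc4random_buf])` would define `HAVE_ARC4RANDOM_BUF`. As written the `static` wrapper is compiled unconditionally, and on a libc or libbsd whose headers already declare `arc4random_buf` it will collide with that non-static declaration instead of being skipped. The libevent block in configure.ac also assigns `ntp_have_linuxcaps=yes`/`no` where `ntp_have_libevent` was evidently meant (the variable later tested by `case "$ntp_have_libevent"`), so the header probe has no effect and `AC_MSG_RESULT([$ntp_have_libevent])` prints an empty result unless `--enable-libevent` was passed. `evutil_secure_rng_get_bytes()` is declared by hand rather than by including `<event2/util.h>`, which would let the compiler catch any signature mismatch with the linked libevent.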
@@ -26,13 +26,22 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g file://sntp \ file://ntpd.list \ file://CVE-2013-5211.patch \ + file://ntp-4.2.6p5-cve-2014-9293.patch \ + file://ntp-4.2.6p5-cve-2014-9294.patch \ + file://ntp-4.2.6p5-cve-2014-9295.patch \ + file://ntp-4.2.6p5-cve-2014-9296.patch \ + file://ntp-keygen_no_openssl.patch \ " inherit autotools update-rc.d useradd systemd # The ac_cv_header_readline_history is to stop ntpdc depending on either # readline or curses -EXTRA_OECONF += "--with-net-snmp-config=no --without-ntpsnmpd ac_cv_header_readline_history_h=no --with-binsubdir=sbin" +EXTRA_OECONF += "--with-net-snmp-config=no \ + --without-ntpsnmpd \ + ac_cv_header_readline_history_h=no \ + --with-binsubdir=sbin" + CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED" USERADD_PACKAGES = "${PN}" @@ -42,7 +51,7 @@ USERADD_PARAM_${PN} = "--system --home-dir ${NTP_USER_HOME} \ --shell /bin/false --user-group ntp" # NB: debug is default-enabled by NTP; keep it default-enabled here. -PACKAGECONFIG ??= "cap debug" +PACKAGECONFIG ??= "event cap debug" PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \ --with-openssl-incdir=${STAGING_INCDIR} \ --with-crypto, \ @@ -51,6 +60,7 @@ PACKAGECONFIG[openssl] = "--with-openssl-libdir=${STAGING_LIBDIR} \ PACKAGECONFIG[cap] = "--enable-linuxcaps,--disable-linuxcaps,libcap" PACKAGECONFIG[readline] = "--with-lineeditlibs,--without-lineeditlibs,readline" PACKAGECONFIG[debug] = "--enable-debugging,--disable-debugging" +PACKAGECONFIG[event] = "--enable-libevent,--disable-libevent, libevent" do_install_append() { install -d ${D}${sysconfdir}/init.d 
@@ -94,7 +104,7 @@ PACKAGES += "ntpdate sntp ${PN}-tickadj ${PN}-utils" # ntp originally includes tickadj. It's split off for inclusion in small firmware images on platforms # with wonky clocks (e.g. OpenSlug) -RDEPENDS_${PN} = "${PN}-tickadj" +RDEPENDS_${PN} = "${PN}-tickadj libbsd" # Handle move from bin to utils package RPROVIDES_${PN}-utils = "${PN}-bin" RREPLACES_${PN}-utils = "${PN}-bin" |
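Review bot: `RDEPENDS_${PN} = "${PN}-tickadj libbsd"` adds a runtime dependency on libbsd, but nothing else in this commit builds against libbsd: the non-OpenSSL random path added by ntp-keygen_no_openssl.patch calls libevent's `evutil_secure_rng_get_bytes()`, and the new `PACKAGECONFIG[event]` entry pulls in `libevent`, not libbsd. If libbsd is not actually linked, the explicit RDEPENDS appears unnecessary (the shared-library scanner records the real runtime dependency); if it is meant to supply arc4random_buf(), it belongs in DEPENDS alongside a matching configure check rather than as a runtime-only dependency. The stray space in `--disable-libevent, libevent` is harmless but inconsistent with the other PACKAGECONFIG lines in the hunk on the previous line.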