Bug 103719 - net-misc/ntp small security issue (CAN-2005-2496)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://ntp.isc.org/bugs/show_bug.cgi...
Whiteboard: A4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-25 09:48 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-08-26 00:34 UTC
Attachments
ntpd-using_wrong_group.diff (ntpd-using_wrong_group.diff,339 bytes, patch)
2005-08-25 09:49 UTC, Sune Kloppenborg Jeppesen (RETIRED)
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-25 09:48:23 UTC
When starting xntpd with the -u option and specifying the group
by using a string, not a numeric gid, the daemon uses the gid of
the user, not the group.
 
reproduce: 
        # rcxntpd start  
        # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup 
        verify given and real IDs
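
The "verify given and real IDs" step above can be automated. The following is an added example, not part of the original report or of ntp: it compares the group requested with `-u user:group` against the real and effective groups in `ps` output of the form shown in the reproduce steps. The account tables, the `timesvc` group, the numeric IDs and the `ps` output are constructed sample data.

```python
# Constructed sample data: account tables and ps output, not from a real host.
PASSWD = {"ntp": {"uid": 74, "gid": 74}}   # user -> uid and primary gid
GROUPS = {"ntp": 74, "timesvc": 210}       # group name -> gid (timesvc is hypothetical)

PS_OUTPUT = """\
COMMAND   PID RUSER    EUSER    RGROUP   EGROUP
ntpd     4242 ntp      ntp      ntp      ntp
"""

def to_gid(token, groups):
    """ps prints a group name when it can resolve one, otherwise the number."""
    return int(token) if token.isdigit() else groups[token]

def expected_gid(u_spec, passwd, groups):
    """gid the daemon should hold for '-u user[:group]' (name or numeric group)."""
    user, sep, group = u_spec.partition(":")
    if not sep or not group:
        # Assumption: with no group given, the user's primary group applies.
        return passwd[user]["gid"]
    return to_gid(group, groups)

def audit(u_spec, ps_output, passwd, groups):
    """Return (pid, wanted gid, gids seen, fell_back) for each mismatching ntpd row."""
    user = u_spec.partition(":")[0]
    want = expected_gid(u_spec, passwd, groups)
    findings = []
    for row in ps_output.splitlines()[1:]:          # skip the ps header line
        comm, pid, _ruser, _euser, rgroup, egroup = row.split()
        if comm != "ntpd":
            continue
        got = {to_gid(rgroup, groups), to_gid(egroup, groups)}
        if got != {want}:
            # fell_back: process runs with the user's primary gid instead,
            # which is the behaviour described in this report.
            fell_back = got == {passwd[user]["gid"]}
            findings.append((int(pid), want, sorted(got), fell_back))
    return findings

if __name__ == "__main__":
    for pid, want, got, fell_back in audit("ntp:timesvc", PS_OUTPUT, PASSWD, GROUPS):
        note = " (user's primary gid)" if fell_back else ""
        print(f"pid {pid}: expected gid {want}, running with {got}{note}")
```
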
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-25 09:49:19 UTC
Created attachment 66876
ntpd-using_wrong_group.diff

SUSE patch.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-25 09:51:18 UTC
Mike please verify and patch as needed. 
Comment 3 SpanKY gentoo-dev 2005-08-25 10:16:04 UTC
no point in restricting this, it's been public knowledge for like 6 months now ;)
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-25 11:01:37 UTC
heh, anyways I just want an updated ebuild:-) 
Comment 5 SpanKY gentoo-dev 2005-08-25 11:20:47 UTC
it's been fixed in upstream dev branch ... i want to see about stable branch
too, but i'll prob do ebuilds in the meantime
Comment 6 SpanKY gentoo-dev 2005-08-25 15:10:36 UTC
added fixed ebuilds to portage

do a glsa if you want ;)
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-25 21:21:21 UTC
Thx SpanKY. 
 
Time for GLSA decision, I vote NO. 
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-08-26 00:34:46 UTC
Voting NO too, I can't see this being provoked and/or exploited in any way.