103719 2005-08-25 09:48 0000 net-misc/ntp small security issue (CAN-2005-2496) 2005-08-26 00:34:46 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED https://ntp.isc.org/bugs/show_bug.cgi?id=392 A4 [noglsa] jaervosz P2 minor --- 1 jaervosz@gentoo.org security@gentoo.org jaervosz@gentoo.org 2005-08-25 09:48:23 0000 When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. reproduce: # rcxntpd start # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup verify given and real IDs jaervosz@gentoo.org 2005-08-25 09:49:19 0000 Created an attachment (id=66876) ntpd-using_wrong_group.diff SUSE patch. jaervosz@gentoo.org 2005-08-25 09:51:18 0000 Mike please verify and patch as needed. vapier@gentoo.org 2005-08-25 10:16:04 0000 no point in restricting this, it's been public knowledge for like 6 months now ;) jaervosz@gentoo.org 2005-08-25 11:01:37 0000 heh, anyways I just want an updated ebuild:-) vapier@gentoo.org 2005-08-25 11:20:47 0000 it's been fixed in upstream dev branch ... i want to see about stable branch too, but i'll prob do ebuilds in the meantime vapier@gentoo.org 2005-08-25 15:10:36 0000 added fixed ebuilds to portage do a glsa if you want ;) jaervosz@gentoo.org 2005-08-25 21:21:21 0000 Thx SpanKY. Time for GLSA decision, I vote NO. koon@gentoo.org 2005-08-26 00:34:46 0000 Voting NO too, I can't see this being provoked and/or exploited in any way. 66876 2005-08-25 09:49 0000 ntpd-using_wrong_group.diff ntpd-using_wrong_group.diff text/plain LS0tIG50cGQvbnRwZC5jLm9yaWcJMjAwNS0wMi0xMCAxMjoyMDoyOC4wMDAwMDAwMDAgKzAxMDAK KysrIG50cGQvbnRwZC5jCTIwMDUtMDItMTAgMTI6MjE6MDMuMDAwMDAwMDAwICswMTAwCkBAIC04 ODEsNyArODgxLDcgQEAKIAkJCX0gZWxzZSB7CiBnZXRncm91cDoJCiAJCQkJaWYgKChnciA9IGdl dGdybmFtKGdyb3VwKSkgIT0gTlVMTCkgewotCQkJCQlzd19naWQgPSBwdy0+cHdfZ2lkOworCQkJ CQlzd19naWQgPSBnci0+Z3JfZ2lkOwogCQkJCX0gZWxzZSB7CiAJCQkJCWVycm5vID0gMDsKIAkJ CQkJbXN5c2xvZyhMT0dfRVJSLCAiQ2Fubm90IGZpbmQgZ3JvdXAgYCVzJyIsIGdyb3VwKTsK