Summary: | <net-misc/ntp-4.2.4_p7 ntpq peer information buffer overflow (CVE-2009-0159) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | CC: | base-system, dennis, fmccor | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://support.ntp.org/bugs/show_bug.cgi?id=1144 | ||||||
Whiteboard: | A2 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | |||||||
Bug Blocks: | 268962 | ||||||
Attachments: |
|
Description
Robert Buchholz (RETIRED)
2009-03-19 13:03:26 UTC
As usual, no CVS commits. We can do prestable testing on this bug. Created attachment 185510 [details, diff]
ntp-CVE-2009-0159.patch
Patch went upstream here: http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565 CVE-2009-0159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0159): Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. ntp-4.2.4_p7 is now in the tree Arches, please test and mark stable: =net-misc/ntp-4.2.4_p7 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" I am not able to fetch ntp-4.2.4p7-manpages.tar.bz2 Just rolls out to mirrors, if needed fetch manually from peckers distfiles-local Sparc stable. ntpd can run and seems to set up a working ntp, at least according to 'ntpq -p' which still works as expected. Tested by use, because I use this on all my systems. Stable for HPPA. amd64 stable alpha/arm/ia64/s390/sh/x86 stable ppc64 done ppc done GLSA draft filed. GLSA 200905-08 |