
Bug 263033 (CVE-2009-0159)

Summary: <net-misc/ntp-4.2.4_p7 ntpq peer information buffer overflow (CVE-2009-0159)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, dennis, fmccor
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://support.ntp.org/bugs/show_bug.cgi?id=1144
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 268962    
Attachments:
Description Flags
ntp-CVE-2009-0159.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:03:26 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Apple discovered a stack-based buffer overflow in the ntpq program. When  
the ntpq program is used to request peer information from a remote  
time server, a maliciously crafted response may lead to an unexpected  
application termination or arbitrary code execution.

The buffer overflow is limited to two bytes, so a code execution impact is unlikely, but this is dependent on the stack layout generated by cc.
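
How a fixed-size stack buffer ends up exactly two bytes short for one formatted field, next to a bounded formatter that rejects the oversized value, as an added example that is not from the original bug report or from the ntp source. The 10-byte buffer, the zero-padded octal format of a 32-bit value and all function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define FIELD_BUF 10  /* assumed size of the on-stack buffer (illustrative) */

/* Bytes (including the NUL) needed to format v as zero-padded octal. */
static size_t octal_needed(uint32_t v)
{
    int n = snprintf(NULL, 0, "%03lo", (unsigned long)v);
    return (size_t)n + 1;
}

/* How many bytes an unbounded sprintf() would write past a buffer of
 * `cap` bytes; 0 means the value fits. Nothing is actually overflowed. */
static size_t overflow_bytes(uint32_t v, size_t cap)
{
    size_t need = octal_needed(v);
    return need > cap ? need - cap : 0;
}

/* Hardened formatter: bounded write, truncation reported as an error.
 * Returns 0 on success, -1 if the value does not fit in out[cap]. */
static int format_octal(uint32_t v, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%03lo", (unsigned long)v);
    if (n < 0 || (size_t)n >= cap) {
        if (cap) out[0] = '\0';   /* never hand back a truncated field */
        return -1;
    }
    return 0;
}

int main(void)
{
    uint32_t samples[] = { 7u, 0777u, 0xFFFFFFFFu };  /* constructed values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[FIELD_BUF];
        int rc = format_octal(samples[i], buf, sizeof buf);
        printf("%#lx: need=%zu overflow=%zu %s\n", (unsigned long)samples[i],
               octal_needed(samples[i]), overflow_bytes(samples[i], FIELD_BUF),
               rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

Compiling with `-D_FORTIFY_SOURCE=2 -fstack-protector-strong` adds a runtime abort for this class of write, which matters because the impact of a small overflow depends on what the compiler places next to the buffer.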
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:04:23 UTC
As usual, no CVS commits. We can do prestable testing on this bug.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:08:10 UTC
Created attachment 185510 [details, diff]
ntp-CVE-2009-0159.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-09 09:45:15 UTC
Patch went upstream here:

http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-14 21:36:09 UTC
CVE-2009-0159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0159):
  Stack-based buffer overflow in the cookedprint function in
  ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP
  servers to execute arbitrary code via a crafted response.

Comment 5 SpanKY gentoo-dev 2009-05-19 23:09:57 UTC
ntp-4.2.4_p7 is now in the tree
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-05-20 07:56:20 UTC
Arches, please test and mark stable:
=net-misc/ntp-4.2.4_p7
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-20 10:02:41 UTC
I am not able to fetch ntp-4.2.4p7-manpages.tar.bz2
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2009-05-20 12:39:28 UTC
Just rolls out to mirrors, if needed fetch manually from peckers distfiles-local
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2009-05-20 13:25:05 UTC
Sparc stable.  ntpd can run and seems to set up a working ntp, at least according to 'ntpq -p' which still works as expected.  Tested by use, because I use this on all my systems.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-20 19:32:59 UTC
Stable for HPPA.
Comment 11 Richard Freeman gentoo-dev 2009-05-21 17:52:29 UTC
amd64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-05-21 18:34:28 UTC
alpha/arm/ia64/s390/sh/x86 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:05:46 UTC
ppc64 done
Comment 14 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:05:56 UTC
ppc done
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-25 17:28:12 UTC
GLSA draft filed.
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-26 16:09:42 UTC
GLSA 200905-08