** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Apple discovered a stack-based buffer overflow in the ntpq program. When the ntpq program is used to request peer information from a remote time server, a maliciously crafted response may lead to an unexpected application termination or arbitrary code execution. The buffer overflow is limited to two bytes, so a code execution impact is unlikely, but this is dependent on the stack layout generated by cc.
As usual, no CVS commits. We can do prestable testing on this bug.
Created attachment 185510: ntp-CVE-2009-0159.patch
Patch went upstream here: http://ntp.bkbits.net:8080/ntp-stable/?PAGE=gnupatch&REV=1.1565
CVE-2009-0159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0159): Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response.
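An added illustration, not code from ntpq.c or from the attached patch: how formatting a server-supplied number into a fixed stack buffer can run exactly two bytes past its end, as the report describes, and how a bounded write with a truncation check avoids it. The buffer size, format string, function names and sample values are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for illustration; size and format are assumptions,
 * not quoted from ntpq.c. */
#define FIELD_BUF 10
#define FIELD_FMT "%03lo"

/* Bytes an unbounded sprintf() into a buflen-byte buffer would write
 * past its end for value v (0 if the output fits, NUL included). */
static size_t bytes_past_end(size_t buflen, unsigned long v)
{
    int need = snprintf(NULL, 0, FIELD_FMT, v);  /* length without NUL */
    size_t total = (size_t)need + 1;             /* plus terminating NUL */
    return total > buflen ? total - buflen : 0;
}

/* Hardened form: bounded write; truncation is reported as an error
 * instead of being silently accepted. Returns 0 on success, -1 otherwise. */
static int format_field(char *dst, size_t dstlen, unsigned long v)
{
    int n = snprintf(dst, dstlen, FIELD_FMT, v);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0';                       /* leave no partial value */
        return -1;
    }
    return 0;
}

int main(void)
{
    char b[FIELD_BUF];
    /* Constructed sample values as a remote peer might supply them;
     * the last is the largest 32-bit value (11 octal digits). */
    unsigned long samples[] = { 06UL, 0777777777UL, 0xFFFFFFFFUL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_field(b, sizeof b, samples[i]);
        printf("value=%lu past_end=%zu bounded=%s\n", samples[i],
               bytes_past_end(sizeof b, samples[i]),
               rc == 0 ? b : "(rejected)");
    }
    return 0;
}
```

Which stack data those two bytes land on (padding, a neighbouring local, a canary or a saved register) is decided by the compiler's frame layout, which is why the report ties the impact to what cc generates.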
ntp-4.2.4_p7 is now in the tree
Arches, please test and mark stable:
=net-misc/ntp-4.2.4_p7
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
I am not able to fetch ntp-4.2.4p7-manpages.tar.bz2
Just rolls out to mirrors, if needed fetch manually from peckers distfiles-local
Sparc stable. ntpd can run and seems to set up a working ntp, at least according to 'ntpq -p' which still works as expected. Tested by use, because I use this on all my systems.
Stable for HPPA.
amd64 stable
alpha/arm/ia64/s390/sh/x86 stable
ppc64 done
ppc done
GLSA draft filed.
GLSA 200905-08