Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 553682 (CVE-2015-5146)

Summary: <net-misc/ntp-4.2.8_p3: remote code execution in some configs, and a leap second issue (CVE-2015-5146)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.ntp.org/show_bug.cgi?id=2853
See Also: http://bugs.ntp.org/show_bug.cgi?id=2853
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 545836    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-30 22:49:40 UTC
From URL:
----
NTF's NTP Project has been notified of a minor vulnerability in the processing of a crafted remote-configuration packet. Remote configuration is disabled by default. This issue was discovered and reported by Aleksis Kauppinen of Codenomicon. 
Summary: Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:
    ntpd set up to allow for remote configuration (not allowed by default), and
    knowledge of the configuration password, and
    access to a computer entrusted to perform remote configuration. 
----
Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25 
The site reads: "ntp-4.2.8p3 was released on 29 June 2015, and addresses leap-second issues and a minor security issue." There may be leap-second bugs in previous versions of ntp fixed by the new release.

Maintainers, please import 4.2.8p3. Thanks.

Reproducible: Always
Comment 1 Mike Gilbert gentoo-dev 2015-07-01 17:26:00 UTC
*** Bug 553686 has been marked as a duplicate of this bug. ***
Comment 2 SpanKY gentoo-dev 2015-07-06 15:54:00 UTC
Commit message: Version bump
http://sources.gentoo.org/net-misc/ntp/ntp-4.2.8_p3.ebuild?rev=1.1
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-06 16:08:49 UTC
(In reply to SpanKY from comment #2)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/ntp/ntp-4.2.8_p3.ebuild?rev=1.1

is it ok to go stable?
Comment 4 SpanKY gentoo-dev 2015-07-06 16:33:50 UTC
yes, should be fine
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-06 16:41:14 UTC
Please test and mark stable:

=net-misc/ntp-4.2.8_p3

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-06 16:58:37 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-07 04:56:05 UTC
Stable for HPPA PPC64.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-07 12:46:54 UTC
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 18:36:52 UTC
Stable on alpha.
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-15 16:52:06 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:02 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-07-23 09:39:16 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-08-05 06:32:34 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-09-23 11:47:19 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 16:46:04 UTC
This issue was resolved and addressed in
 GLSA 201509-01 at https://security.gentoo.org/glsa/201509-01
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-09-27 02:45:12 UTC
Re-Opening for cleanup.

Maintainer(s), please drop the vulnerable version(s).
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-11-02 19:33:59 UTC
With base-system owning this, can this be cleaned up. Or can security clean up. We have quite a few vulnerable versions in tree.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 08:18:49 UTC
Arches and Maintainer(s), Thank you for your work.
Closing