Summary: | <net-misc/ntp-4.2.8_p12: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution (CVE-2018-12327) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Florian Schuhmacher <mynt1aa> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f | ||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: | net-misc/ntp-4.2.8_p12 |
Runtime testing required: | --- |
Description
Florian Schuhmacher
2018-06-20 15:24:24 UTC
upstream reference: http://support.ntp.org/bin/view/Main/NtpBug3505

Note: This problem affects only command line tools and not the server. As these command line tools are usually not run with attacker input, A2 is probably overrated.

sparc stable

x86 stable

alpha stable

amd64 stable

ia64 stable

If you want faster stabilization next time please consider fixing testsuite on platforms that don't support -Wl,gc-sections (has a reproducer for amd64): https://bugs.gentoo.org/564018#c11

ppc64 stable

ppc stable

arm stable

hppa stable

arm64 stable

base-system is done here

(In reply to Mikle Kolyada from comment #14)
> base-system is done here

And yet it's still a base-system package, so I'd like to keep b-s in CC.

This issue was resolved and addressed in GLSA 201903-15 at https://security.gentoo.org/glsa/201903-15 by GLSA coordinator Aaron Bauman (b-man).