Bug 697024 (CVE-2015-5300)

Summary: <net-misc/ntpsec-1.1.7-r1: outdated systemd unit file allows for (CVE-2015-5300)
Product: Gentoo Security
Reporter: Alessandro Barbieri <lssndrbarbieri>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: blueness, nerdboy
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/ntpsec/ntpsec/commit/8459d15f8cf19a54cf149779d0d967883aa5c6b4
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 694748
Bug Blocks:

Description Alessandro Barbieri 2019-10-09 00:15:23 UTC
Upstream provides a systemd unit that fixes the vulnerability since v1.1.0
https://github.com/ntpsec/ntpsec/commit/8459d15f8cf19a54cf149779d0d967883aa5c6b4
but the ebuild installs the old one
https://github.com/gentoo/gentoo/blob/master/net-misc/ntpsec/ntpsec-1.1.6.ebuild#L134

see https://bugs.gentoo.org/696896#c3 for a possible patch

Comment 1 Larry the Git Cow gentoo-dev 2019-10-26 17:51:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=def2c6ace829ce9e98c8963802a0b3baf916ac72

commit def2c6ace829ce9e98c8963802a0b3baf916ac72
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 17:49:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 17:50:54 +0000

    net-misc/ntpsec: update unit file to avoid CVE-2015-5300
    
    Bug: https://bugs.gentoo.org/697024
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/ntpsec/files/ntpd-r1.service                 | 19 +++++++++++++++++++
 .../{ntpsec-1.1.7.ebuild => ntpsec-1.1.7-r1.ebuild}   |  2 +-
 net-misc/ntpsec/ntpsec-9999.ebuild                    |  2 +-
 3 files changed, 21 insertions(+), 2 deletions(-)

Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2020-03-19 20:32:22 UTC
Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

Comment 3 NATTkA bot gentoo-dev 2020-04-12 19:29:21 UTC
Unable to check for sanity:

> dependent bug #694748 is missing keywords

Comment 4 NATTkA bot gentoo-dev 2020-04-13 14:40:53 UTC
Resetting sanity check; package list is empty or all packages are done.

Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:49:06 UTC
Cleanup is part of bug 694748
Thank you all for your work.
Closing as [noglsa].