** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
Apple discovered a stack-based buffer overflow in the ntpq program. When
the ntpq program is used to request peer information from a remote
time server, a maliciously crafted response may lead to an unexpected
application termination or arbitrary code execution.
The buffer overflow is limited to two bytes, so a code execution impact is unlikely, but this is dependent on the stack layout generated by cc.
As usual, no CVS commits. We can do prestable testing on this bug.
Created attachment 185510
Patch went upstream here:
Stack-based buffer overflow in the cookedprint function in
ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP
servers to execute arbitrary code via a crafted response.
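Added illustration, not ntpq's code and not taken from the attached patch: a constructed case showing how formatting a number from a network response into a fixed stack buffer can overrun it by exactly two bytes, beside a bounded version that rejects the value instead. The "%03lo" format, the buffer sizes and all function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes (including the terminating NUL) that "%03lo" produces for v. */
static size_t octal_bytes_needed(unsigned long v)
{
    int n = snprintf(NULL, 0, "%03lo", v);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bytes an unbounded sprintf() would write past a buffer of cap bytes. */
static size_t overrun_if_unbounded(unsigned long v, size_t cap)
{
    size_t need = octal_bytes_needed(v);
    return need > cap ? need - cap : 0;
}

/* Bounded formatter: returns 0 on success, -1 if v does not fit in dst. */
static int format_octal(char *dst, size_t cap, unsigned long v)
{
    int n = snprintf(dst, cap, "%03lo", v);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            dst[0] = '\0';      /* never hand back a truncated value */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: largest value a 32-bit response field can carry. */
    unsigned long worst = 0xFFFFFFFFUL;
    char small[10];             /* sized for "typical" values only */
    char sized[12];             /* 11 octal digits + NUL */

    printf("needs %zu bytes, a 10-byte buffer is short by %zu\n",
           octal_bytes_needed(worst), overrun_if_unbounded(worst, sizeof small));
    printf("bounded write into 10 bytes: %d\n",
           format_octal(small, sizeof small, worst));
    if (format_octal(sized, sizeof sized, worst) == 0)
        printf("bounded write into 12 bytes: %s\n", sized);
    return 0;
}
```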
ntp-4.2.4_p7 is now in the tree
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
I am not able to fetch ntp-4.2.4p7-manpages.tar.bz2
Just rolls out to mirrors; if needed, fetch manually from peckers distfiles-local
Sparc stable. ntpd can run and seems to set up a working ntp, at least according to 'ntpq -p' which still works as expected. Tested by use, because I use this on all my systems.
Stable for HPPA.
GLSA draft filed.