694748 – <net-misc/ntpsec-1.1.7-r1: buffer overflow in alpn processing (only in debug mode)

Bug 694748 - <net-misc/ntpsec-1.1.7-r1: buffer overflow in alpn processing (only in debug mode)

Summary: <net-misc/ntpsec-1.1.7-r1: buffer overflow in alpn processing (only in debug ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://blog.ntpsec.org/2019/06/30/ve...
Whiteboard:	C3 [noglsa]
Keywords:

Depends on:
Blocks:	CVE-2015-5300
	Show dependency tree

Reported:	2019-09-17 18:06 UTC by Hanno Böck
Modified:	2020-06-20 00:42 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	net-misc/ntpsec-1.1.7-r1
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2019-09-17 18:06:57 UTC

From
https://blog.ntpsec.org/2019/06/30/version-1.1.5.html

"We have added ALPN to be consistent with the NTS draft. And we have discovered and fixed a buffer overrun in debug compile of ALPN implementation."

While this "only" affects debug compiles, we have a debug use flag on the ebuild, so this should be treated as a security bug.

We already have ntpsec 1.1.6 in the tree, but 1.1.4 is the current stable version.

Comment 1 Agostino Sarubbo gentoo-dev

2019-10-28 09:44:19 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 2 Steve Arnold archtester

2019-12-19 17:58:40 UTC

All current ebuilds are using the new service file; all we need now is x86 stable and the old versions can be nuked.

Comment 3 Sam James archtester

2020-03-15 22:05:04 UTC

(In reply to Steve Arnold from comment #2)
> All current ebuilds are using the new service file; all we need now is x86
> stable and the old versions can be nuked.

x86 isn't stable for any versions atm: do we need to CC x86 and request it, or can we just cleanup?

Comment 4 Steve Arnold archtester

2020-03-17 21:16:46 UTC

If we can get x86 stable that would be great, otherwise security has the ball.

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-19 20:20:15 UTC

No, no need to stabilize x86. x86 never set stable keyword. If you want x86 for some reason, file an own bug and request normal stabilization. But that's not part  of this security bug.

@ maintainer(s): Please cleanup and drop <net-misc/ntpsec-1.1.7-r1!

Comment 6 NATTkA bot gentoo-dev

2020-04-06 15:06:30 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 7 Yury German Gentoo Infrastructure

2020-04-16 07:47:27 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 8 Yury German Gentoo Infrastructure

2020-05-21 23:55:51 UTC

Maintainer(s), it has been 30 days + since request for cleanup. 
Please drop the vulnerable version(s).

Comment 9 Sam James archtester

2020-06-18 02:32:46 UTC

@maintainer(s), ping, please cleanup

Comment 10 Larry the Git Cow gentoo-dev

2020-06-20 00:42:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd1a7b82b201c4a2f1a72eeb8c52f226be22e2c0

commit fd1a7b82b201c4a2f1a72eeb8c52f226be22e2c0
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 00:41:33 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 00:41:33 +0000

    net-misc/ntpsec: drop vulnerable
    
    Bug: https://bugs.gentoo.org/694748
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 net-misc/ntpsec/Manifest            |   2 -
 net-misc/ntpsec/ntpsec-1.1.4.ebuild | 160 ------------------------------------
 net-misc/ntpsec/ntpsec-1.1.6.ebuild | 159 -----------------------------------
 3 files changed, 321 deletions(-)