Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 729458 (CVE-2020-15025) - <net-misc/ntp-4.2.8_p15: Memory leak allowing denial of service (CVE-2020-15025)
Summary: <net-misc/ntp-4.2.8_p15: Memory leak allowing denial of service (CVE-2020-15025)
Alias: CVE-2020-15025
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Depends on:
Reported: 2020-06-24 15:33 UTC by Sam James
Modified: 2020-07-27 19:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-06-24 15:33:53 UTC
"MEDIUM: Sec 3661: Memory leak with CMAC keys

    Systems that use a CMAC algorithm in ntp.keys will not release a bit of memory on each packet that uses a CMAC key, eventually causing ntpd to run out of memory and fail. The CMAC cleanup from, part of ntp-4.2.8p11 and ntp-4.3.97, introduced a bug whereby the CMAC data structure was no longer completely removed.
    Reported by Martin Burnicki of Meinberg."
Comment 1 Sam James gentoo-dev Security 2020-06-24 15:36:24 UTC
Please tell us when ready to stable.
Comment 2 Rolf Eike Beer 2020-07-03 20:12:15 UTC
sparc stable
Comment 3 Sam James gentoo-dev Security 2020-07-04 12:58:42 UTC
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-07-05 13:36:39 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-07-05 13:38:32 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-07-05 13:41:31 UTC
s390 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-07-05 13:45:27 UTC
x86 stable
Comment 8 Rolf Eike Beer 2020-07-06 16:52:07 UTC
hppa stable
Comment 9 Sam James gentoo-dev Security 2020-07-12 02:41:30 UTC
ppc stable
Comment 10 Sam James gentoo-dev Security 2020-07-17 10:30:40 UTC
ppc64 stable

Please cleanup.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-07-26 23:45:11 UTC
This issue was resolved and addressed in
 GLSA 202007-12 at
by GLSA coordinator Sam James (sam_c).
Comment 12 Sam James gentoo-dev Security 2020-07-27 01:14:25 UTC
(In reply to GLSAMaker/CVETool Bot from comment #11)
> This issue was resolved and addressed in
>  GLSA 202007-12 at
> by GLSA coordinator Sam James (sam_c).

Reopening for cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-27 19:02:36 UTC
The bug has been referenced in the following commit(s):

commit 2c65d47e903eb2c2b3792563530b12b2321bdc38
Author:     Lars Wendler <>
AuthorDate: 2020-07-27 18:56:04 +0000
Commit:     Lars Wendler <>
CommitDate: 2020-07-27 19:02:30 +0000

    net-misc/ntp: Security cleanup
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Lars Wendler <>

 net-misc/ntp/Manifest                              |   2 -
 .../ntp/files/ntp-4.2.8-gcc10-fno-common.patch     |  22 ----
 net-misc/ntp/ntp-4.2.8_p14-r2.ebuild               | 145 ---------------------
 3 files changed, 169 deletions(-)
Comment 14 Sam James gentoo-dev Security 2020-07-27 19:05:32 UTC
All done, thanks!