Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 263033 (CVE-2009-0159) - <net-misc/ntp-4.2.4_p7 ntpq peer information buffer overflow (CVE-2009-0159)
Summary: <net-misc/ntp-4.2.4_p7 ntpq peer information buffer overflow (CVE-2009-0159)
Alias: CVE-2009-0159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Blocks: CVE-2009-1252
  Show dependency tree
Reported: 2009-03-19 13:03 UTC by Robert Buchholz (RETIRED)
Modified: 2009-05-26 16:09 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

ntp-CVE-2009-0159.patch (ntp-CVE-2009-0159.patch,446 bytes, patch)
2009-03-19 13:08 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:03:26 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Apple discovered a stack-based buffer overflow in the ntpq program. When  
the ntpq program is used to request peer information from a remote  
time server, a maliciously crafted response may lead to an unexpected  
application termination or arbitrary code execution.

The buffer overflow is limited to two bytes, so a code execution impact is unlikely, but this is dependent on the stack layout generated by cc.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:04:23 UTC
As usual, no CVS commits. We can do prestable testing on this bug.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 13:08:10 UTC
Created attachment 185510 [details, diff]
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-09 09:45:15 UTC
Patch went upstream here:
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-14 21:36:09 UTC
CVE-2009-0159 (
  Stack-based buffer overflow in the cookedprint function in
  ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP
  servers to execute arbitrary code via a crafted response.

Comment 5 SpanKY gentoo-dev 2009-05-19 23:09:57 UTC
ntp-4.2.4_p7 is now in the tree
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-05-20 07:56:20 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-20 10:02:41 UTC
I am not able to fetch ntp-4.2.4p7-manpages.tar.bz2
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2009-05-20 12:39:28 UTC
Just rolls out to mirrors, if needed fetch manually from peckers distfiles-local
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2009-05-20 13:25:05 UTC
Sparc stable.  ntpd can run and seems to set up a working ntp, at least according to 'ntpq -p' which still works as expected.  Tested by use, because I use this on all my systems.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-20 19:32:59 UTC
Stable for HPPA.
Comment 11 Richard Freeman gentoo-dev 2009-05-21 17:52:29 UTC
amd64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-05-21 18:34:28 UTC
alpha/arm/ia64/s390/sh/x86 stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:05:46 UTC
ppc64 done
Comment 14 Brent Baude (RETIRED) gentoo-dev 2009-05-25 16:05:56 UTC
ppc done
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-25 17:28:12 UTC
GLSA draft filed.
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-26 16:09:42 UTC
GLSA 200905-08