553682 – (CVE-2015-5146) <net-misc/ntp-4.2.8_p3: remote code execution in some configs, and a leap second issue (CVE-2015-5146)

Bug 553682 (CVE-2015-5146) - <net-misc/ntp-4.2.8_p3: remote code execution in some configs, and a leap second issue (CVE-2015-5146)

Summary: <net-misc/ntp-4.2.8_p3: remote code execution in some configs, and a leap sec...

Status:	RESOLVED FIXED

Alias:	CVE-2015-5146

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://bugs.ntp.org/show_bug.cgi?id=2853
Whiteboard:	A3 [glsa cve]
Keywords:

Duplicates (1):	553686 (view as bug list)
Depends on:
Blocks:	545836
	Show dependency tree

Reported:	2015-06-30 22:49 UTC by Sam James
Modified:	2016-02-25 08:18 UTC (History)
CC List:	1 user (show)

See Also:	http://bugs.ntp.org/show_bug.cgi?id=2853
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2015-06-30 22:49:40 UTC

From URL:
----
NTF's NTP Project has been notified of a minor vulnerability in the processing of a crafted remote-configuration packet. Remote configuration is disabled by default. This issue was discovered and reported by Aleksis Kauppinen of Codenomicon. 
Summary: Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:
    ntpd set up to allow for remote configuration (not allowed by default), and
    knowledge of the configuration password, and
    access to a computer entrusted to perform remote configuration. 
----
Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25 
The site reads: "ntp-4.2.8p3 was released on 29 June 2015, and addresses leap-second issues and a minor security issue." There may be leap-second bugs in previous versions of ntp fixed by the new release.

Maintainers, please import 4.2.8p3. Thanks.

Reproducible: Always

Comment 1 Mike Gilbert gentoo-dev

2015-07-01 17:26:00 UTC

*** Bug 553686 has been marked as a duplicate of this bug. ***

Comment 2 SpanKY gentoo-dev

2015-07-06 15:54:00 UTC

Commit message: Version bump
http://sources.gentoo.org/net-misc/ntp/ntp-4.2.8_p3.ebuild?rev=1.1

Comment 3 Mikle Kolyada (RETIRED) archtester

2015-07-06 16:08:49 UTC

(In reply to SpanKY from comment #2)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/ntp/ntp-4.2.8_p3.ebuild?rev=1.1

is it ok to go stable?

Comment 4 SpanKY gentoo-dev

2015-07-06 16:33:50 UTC

yes, should be fine

Comment 5 Mikle Kolyada (RETIRED) archtester

2015-07-06 16:41:14 UTC

Please test and mark stable:

=net-misc/ntp-4.2.8_p3

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 6 Mikle Kolyada (RETIRED) archtester

2015-07-06 16:58:37 UTC

amd64 stable

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2015-07-07 04:56:05 UTC

Stable for HPPA PPC64.

Comment 8 Mikle Kolyada (RETIRED) archtester

2015-07-07 12:46:54 UTC

x86 stable

Comment 9 Tobias Klausmann (RETIRED) gentoo-dev

2015-07-14 18:36:52 UTC

Stable on alpha.

Comment 10 Mikle Kolyada (RETIRED) archtester

2015-07-15 16:52:06 UTC

arm stable

Comment 11 Agostino Sarubbo gentoo-dev

2015-07-23 09:03:02 UTC

ppc stable

Comment 12 Agostino Sarubbo gentoo-dev

2015-07-23 09:39:16 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 13 Yury German Gentoo Infrastructure

2015-08-05 06:32:34 UTC

Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Comment 14 Yury German Gentoo Infrastructure

2015-09-23 11:47:19 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2015-09-24 16:46:04 UTC

This issue was resolved and addressed in
 GLSA 201509-01 at https://security.gentoo.org/glsa/201509-01
by GLSA coordinator Kristian Fiskerstrand (K_F).

Comment 16 Yury German Gentoo Infrastructure

2015-09-27 02:45:12 UTC

Re-Opening for cleanup.

Maintainer(s), please drop the vulnerable version(s).

Comment 17 Yury German Gentoo Infrastructure

2015-11-02 19:33:59 UTC

With base-system owning this, can this be cleaned up. Or can security clean up. We have quite a few vulnerable versions in tree.

Comment 18 Yury German Gentoo Infrastructure

2016-02-25 08:18:49 UTC

Arches and Maintainer(s), Thank you for your work.
Closing