* [meta-networking][PATCH 1/2] ntp: Disable debugging by default
@ 2014-08-14  3:14 rongqing.li
From: rongqing.li @ 2014-08-14  3:14 UTC (permalink / raw)
  To: openembedded-devel

From: Xufeng Zhang <xufeng.zhang@windriver.com>

There is a problem in the configure.ac file: whether or not
'--enable-debugging' is specified on the configure command line, debugging
is always enabled.
We should disable ntp debugging by default.

Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
---
 .../ntp/files/ntp-disable-debugging.patch          |   23 ++++++++++++++++++++
 meta-networking/recipes-support/ntp/ntp.inc        |    1 +
 2 files changed, 24 insertions(+)
 create mode 100644 meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch

diff --git a/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
new file mode 100644
index 0000000..3c94d8d
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
@@ -0,0 +1,23 @@
+set ntp_ok to no if ntp debugging is not enabled.
+
+Upstream-status: Pending
+
+There is a problem in configure.ac file that whether or not
+'--enable-debugging' is specified in configure cmdline, debugging
+is always enabled.
+We should disable ntp debugging by default.
+
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+
+---
+--- a/configure.ac
++++ b/configure.ac
+@@ -2458,7 +2458,7 @@
+         [+ include ntpd debugging code]
+     )],
+     [ntp_ok=$enableval],
+-    [ntp_ok=yes]
++    [ntp_ok=no]
+ )
+ case "$ntp_ok" in
+  yes)
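Review bot: The diff does not match its own description: only the action-if-not-given branch is touched (`[ntp_ok=yes]` becomes `[ntp_ok=no]`), while `[ntp_ok=$enableval]` on the line above is left as is, so the option value is still honoured and the change cannot be fixing an "always enabled regardless of --enable-debugging" defect — it flips the build default, which is a different thing and should be stated as such. I would reword the first line of the patch header to `Change the default of --enable-debugging to "no"; an explicit option value is still honoured.` and drop the "always enabled" paragraph. The status field is conventionally spelled `Upstream-Status:` (capital S), and "Pending" is the wrong tag for a distribution-policy default flip that is not going to be submitted upstream; `Upstream-Status: Inappropriate [configuration]` describes it. The surrounding macro (presumably an AC_ARG_ENABLE) starts and ends outside the hunk, so whether anything else depends on the old default cannot be seen here.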
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index 49f9901..2c8f488 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -23,6 +23,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
            file://sntp.service \
            file://sntp \
            file://ntpd.list \
+           file://ntp-disable-debugging.patch \
 "
 
 inherit autotools update-rc.d useradd systemd
-- 
1.7.10.4




* [meta-networking][PATCH 2/2] ntp: fix CVE-2013-5211
@ 2014-08-14  3:14 ` rongqing.li
From: rongqing.li @ 2014-08-14  3:14 UTC (permalink / raw)
  To: openembedded-devel

From: Zhang Xiao <xiao.zhang@windriver.com>

The monlist feature in ntp_request.c in ntpd in NTP before
4.2.7p26 allows remote attackers to cause a denial of service
(traffic amplification) via forged (1) REQ_MON_GETLIST or
(2) REQ_MON_GETLIST_1 requests, as exploited in the wild
in December 2013.

Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
---
 .../recipes-support/ntp/files/CVE-2013-5211.patch  |  112 ++++++++++++++++++++
 meta-networking/recipes-support/ntp/ntp.inc        |    1 +
 2 files changed, 113 insertions(+)
 create mode 100644 meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch

diff --git a/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch b/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
new file mode 100644
index 0000000..ddcb044
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
@@ -0,0 +1,112 @@
+ntp: fix CVE-2013-5211
+
+Upstream-status: Backport
+
+The monlist feature in ntp_request.c in ntpd in NTP before
+4.2.7p26 allows remote attackers to cause a denial of service
+(traffic amplification) via forged (1) REQ_MON_GETLIST or
+(2) REQ_MON_GETLIST_1 requests, as exploited in the wild
+in December 2013.
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+
+--- a/ntpd/ntp_request.c
++++ b/ntpd/ntp_request.c
+@@ -1912,44 +1912,11 @@ mon_getlist_0(
+ 	struct req_pkt *inpkt
+ 	)
+ {
+-	register struct info_monitor *im;
+-	register struct mon_data *md;
+-	extern struct mon_data mon_mru_list;
+-	extern int mon_enabled;
+-
+ #ifdef DEBUG
+ 	if (debug > 2)
+ 	    printf("wants monitor 0 list\n");
+ #endif
+-	if (!mon_enabled) {
+-		req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+-		return;
+-	}
+-	im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt,
+-	    v6sizeof(struct info_monitor));
+-	for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
+-	     md = md->mru_next) {
+-		im->lasttime = htonl((u_int32)((current_time -
+-		    md->firsttime) / md->count));
+-		im->firsttime = htonl((u_int32)(current_time - md->lasttime));
+-		im->restr = htonl((u_int32)md->flags);
+-		im->count = htonl((u_int32)(md->count));
+-		if (IS_IPV6(&md->rmtadr)) {
+-			if (!client_v6_capable)
+-				continue;
+-			im->addr6 = SOCK_ADDR6(&md->rmtadr);
+-			im->v6_flag = 1;
+-		} else {
+-			im->addr = NSRCADR(&md->rmtadr);
+-			if (client_v6_capable)
+-				im->v6_flag = 0;
+-		}
+-		im->port = md->rmtport;
+-		im->mode = md->mode;
+-		im->version = md->version;
+-		im = (struct info_monitor *)more_pkt();
+-	}
+-	flush_pkt();
++	req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+ }
+ 
+ /*
+@@ -1962,50 +1929,7 @@ mon_getlist_1(
+ 	struct req_pkt *inpkt
+ 	)
+ {
+-	register struct info_monitor_1 *im;
+-	register struct mon_data *md;
+-	extern struct mon_data mon_mru_list;
+-	extern int mon_enabled;
+-
+-	if (!mon_enabled) {
+-		req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+-		return;
+-	}
+-	im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt,
+-	    v6sizeof(struct info_monitor_1));
+-	for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
+-	     md = md->mru_next) {
+-		im->lasttime = htonl((u_int32)((current_time -
+-		    md->firsttime) / md->count));
+-		im->firsttime = htonl((u_int32)(current_time - md->lasttime));
+-		im->restr = htonl((u_int32)md->flags);
+-		im->count = htonl((u_int32)md->count);
+-		if (IS_IPV6(&md->rmtadr)) {
+-			if (!client_v6_capable)
+-				continue;
+-			im->addr6 = SOCK_ADDR6(&md->rmtadr);
+-			im->v6_flag = 1;
+-			im->daddr6 = SOCK_ADDR6(&md->interface->sin);
+-		} else {
+-			im->addr = NSRCADR(&md->rmtadr);
+-			if (client_v6_capable)
+-				im->v6_flag = 0;
+-			if (MDF_BCAST == md->cast_flags)
+-				im->daddr = NSRCADR(&md->interface->bcast);
+-			else if (md->cast_flags) {
+-				im->daddr = NSRCADR(&md->interface->sin);
+-				if (!im->daddr)
+-					im->daddr = NSRCADR(&md->interface->bcast);
+-			} else
+-				im->daddr = 4;
+-		}
+-		im->flags = htonl(md->cast_flags);
+-		im->port = md->rmtport;
+-		im->mode = md->mode;
+-		im->version = md->version;
+-		im = (struct info_monitor_1 *)more_pkt();
+-	}
+-	flush_pkt();
++	req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+ }
+ 
+ /*
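Review bot: After this change both mon_getlist_0() and mon_getlist_1() still answer an unauthenticated mode-7 request from a possibly spoofed source with a `req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA)` reply; the large monlist response is gone, so the amplification factor drops to roughly 1:1, but the daemon still reflects a small packet to whatever address the request claims to come from. The patch touches only ntp_request.c and no configuration, so if the recipe ships a default ntp.conf it is worth confirming it carries a `restrict default noquery` line (or equivalent) so that these requests are dropped rather than acknowledged; that is the mitigation usually paired with this code change. The header line `Upstream-status: Backport` should be spelled `Upstream-Status:` and, for a Backport, name what it is backported from, e.g. `Upstream-Status: Backport [<upstream commit or bug reference>]`, which makes the provenance of the removed-code approach auditable later. A minor asymmetry: mon_getlist_0() keeps its `#ifdef DEBUG` printf while mon_getlist_1() is reduced to the single req_ack() call; harmless, but a one-line comment such as `/* monlist disabled (CVE-2013-5211): always report no data */` above each req_ack() would tell the next reader why an empty handler is intentional. Both functions' signatures begin outside the hunk, so the unchanged parameters cannot be checked here.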
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index 2c8f488..b63f202 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -24,6 +24,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
            file://sntp \
            file://ntpd.list \
            file://ntp-disable-debugging.patch \
+           file://CVE-2013-5211.patch \
 "
 
 inherit autotools update-rc.d useradd systemd
-- 
1.7.10.4




* Re: [meta-networking][PATCH 1/2] ntp: Disable debugging by default
@ 2014-08-27 11:38 ` Peter A. Bigot
From: Peter A. Bigot @ 2014-08-27 11:38 UTC (permalink / raw)
  To: openembedded-devel, xufeng.zhang, rongqing.li

On 08/13/2014 10:14 PM, rongqing.li@windriver.com wrote:
> From: Xufeng Zhang<xufeng.zhang@windriver.com>
>
> There is a problem in configure.ac file that whether or not
> '--enable-debugging' is specified in configure cmdline, debugging
> is always enabled.

 From my testing this is incorrect.  Both --disable-debugging and 
--enable-debugging=no correctly override the upstream decision to enable 
debugging by default.

> We should disable ntp debugging by default.

Could we have more of an explanation why this is a good thing?  It 
doesn't seem relevant to the security patch it accompanied.

I've got a patch I'm validating that will revert this fix and use 
PACKAGECONFIG to control whether debugging is supported. Personally, I'd 
rather have the default be to keep debugging enabled.

Upstream ntp enables debugging support by default, and OE's build has 
never disabled it before.  ntp is a tricky beast and is very terse about 
what it's doing.  Having the ability to make it explain why (for 
example) it's disabling a reference clock is very useful in 
diagnostics.  Disabling debugging during the build makes it impossible 
to get that information out of an installed system.

Peter

>
> Signed-off-by: Xufeng Zhang<xufeng.zhang@windriver.com>
> ---
>   .../ntp/files/ntp-disable-debugging.patch          |   23 ++++++++++++++++++++
>   meta-networking/recipes-support/ntp/ntp.inc        |    1 +
>   2 files changed, 24 insertions(+)
>   create mode 100644 meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
>
> diff --git a/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
> new file mode 100644
> index 0000000..3c94d8d
> --- /dev/null
> +++ b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
> @@ -0,0 +1,23 @@
> +set ntp_ok to no if ntp debugging is not enabled.
> +
> +Upstream-status: Pending
> +
> +There is a problem in configure.ac file that whether or not
> +'--enable-debugging' is specified in configure cmdline, debugging
> +is always enabled.
> +We should disable ntp debugging by default.
> +
> +Signed-off-by: Xufeng Zhang<xufeng.zhang@windriver.com>
> +
> +---
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -2458,7 +2458,7 @@
> +         [+ include ntpd debugging code]
> +     )],
> +     [ntp_ok=$enableval],
> +-    [ntp_ok=yes]
> ++    [ntp_ok=no]
> + )
> + case "$ntp_ok" in
> +  yes)
> diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
> index 49f9901..2c8f488 100644
> --- a/meta-networking/recipes-support/ntp/ntp.inc
> +++ b/meta-networking/recipes-support/ntp/ntp.inc
> @@ -23,6 +23,7 @@ SRC_URI ="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
>              file://sntp.service \
>              file://sntp \
>              file://ntpd.list \
> +           file://ntp-disable-debugging.patch \
>   "
>   
>   inherit autotools update-rc.d useradd systemd




* Re: [meta-networking][PATCH 1/2] ntp: Disable debugging by default
@ 2014-08-29  1:02   ` Rongqing Li
From: Rongqing Li @ 2014-08-29  1:02 UTC (permalink / raw)
  To: Peter A. Bigot; +Cc: xufeng.zhang, openembedded-devel



On 08/27/2014 07:38 PM, Peter A. Bigot wrote:
> On 08/13/2014 10:14 PM, rongqing.li@windriver.com wrote:
>> From: Xufeng Zhang<xufeng.zhang@windriver.com>
>>
>> There is a problem in configure.ac file that whether or not
>> '--enable-debugging' is specified in configure cmdline, debugging
>> is always enabled.
>
>  From my testing this is incorrect.  Both --disable-debugging and
> --enable-debugging=no correctly override the upstream decision to enable
> debugging by default.
>
>> We should disable ntp debugging by default.
>
> Could we have more of an explanation why this is a good thing?  It
> doesn't seem relevant to the security patch it accompanied.
>
> I've got a patch I'm validating that will revert this fix and use
> PACKAGECONFIG to control whether debugging is supported. Personally, I'd
> rather have the default be to keep debugging enabled.
>
> Upstream ntp enables debugging support by default, and OE's build has
> never disabled it before.  ntp is a tricky beast and is very terse about
> what it's doing.  Having the ability to make it explain why (for
> example) it's disabling a reference clock is very useful in
> diagnostics.  Disabling debugging during the build makes it impossible
> to get that information out of an installed system.
>

Ok, Please send your patch out, thanks

-Roy


> Peter
>
>>
>> Signed-off-by: Xufeng Zhang<xufeng.zhang@windriver.com>
>> ---
>>   .../ntp/files/ntp-disable-debugging.patch          |   23
>> ++++++++++++++++++++
>>   meta-networking/recipes-support/ntp/ntp.inc        |    1 +
>>   2 files changed, 24 insertions(+)
>>   create mode 100644
>> meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
>>
>> diff --git
>> a/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
>>
>> new file mode 100644
>> index 0000000..3c94d8d
>> --- /dev/null
>> +++
>> b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
>> @@ -0,0 +1,23 @@
>> +set ntp_ok to no if ntp debugging is not enabled.
>> +
>> +Upstream-status: Pending
>> +
>> +There is a problem in configure.ac file that whether or not
>> +'--enable-debugging' is specified in configure cmdline, debugging
>> +is always enabled.
>> +We should disable ntp debugging by default.
>> +
>> +Signed-off-by: Xufeng Zhang<xufeng.zhang@windriver.com>
>> +
>> +---
>> +--- a/configure.ac
>> ++++ b/configure.ac
>> +@@ -2458,7 +2458,7 @@
>> +         [+ include ntpd debugging code]
>> +     )],
>> +     [ntp_ok=$enableval],
>> +-    [ntp_ok=yes]
>> ++    [ntp_ok=no]
>> + )
>> + case "$ntp_ok" in
>> +  yes)
>> diff --git a/meta-networking/recipes-support/ntp/ntp.inc
>> b/meta-networking/recipes-support/ntp/ntp.inc
>> index 49f9901..2c8f488 100644
>> --- a/meta-networking/recipes-support/ntp/ntp.inc
>> +++ b/meta-networking/recipes-support/ntp/ntp.inc
>> @@ -23,6 +23,7 @@ SRC_URI
>> ="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
>>              file://sntp.service \
>>              file://sntp \
>>              file://ntpd.list \
>> +           file://ntp-disable-debugging.patch \
>>   "
>>   inherit autotools update-rc.d useradd systemd
>
>
>

-- 
Best Regards,
Roy | RongQing Li


