* [meta-networking][PATCH 2/2] ntp: fix CVE-2013-5211
From: rongqing.li @ 2014-08-14 3:14 UTC (permalink / raw)
To: openembedded-devel
From: Zhang Xiao <xiao.zhang@windriver.com>
The monlist feature in ntp_request.c in ntpd in NTP before
4.2.7p26 allows remote attackers to cause a denial of service
(traffic amplification) via forged (1) REQ_MON_GETLIST or
(2) REQ_MON_GETLIST_1 requests, as exploited in the wild
in December 2013.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
---
.../recipes-support/ntp/files/CVE-2013-5211.patch | 112 ++++++++++++++++++++
meta-networking/recipes-support/ntp/ntp.inc | 1 +
2 files changed, 113 insertions(+)
create mode 100644 meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
diff --git a/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch b/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
new file mode 100644
index 0000000..ddcb044
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/files/CVE-2013-5211.patch
@@ -0,0 +1,112 @@
+ntp: fix CVE-2013-5211
+
+Upstream-status: Backport
+
+The monlist feature in ntp_request.c in ntpd in NTP before
+4.2.7p26 allows remote attackers to cause a denial of service
+(traffic amplification) via forged (1) REQ_MON_GETLIST or
+(2) REQ_MON_GETLIST_1 requests, as exploited in the wild
+in December 2013.
+
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+
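Review bot: the header line `+Upstream-status: Backport` names no upstream commit, bug id or release, so a reader cannot check what was backported or whether the body below matches it; add the upstream reference (or state that this is a local change if it is one), and use the `Upstream-Status:` spelling the layer's other patches are checked against.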
+--- a/ntpd/ntp_request.c
++++ b/ntpd/ntp_request.c
+@@ -1912,44 +1912,11 @@ mon_getlist_0(
+ struct req_pkt *inpkt
+ )
+ {
+- register struct info_monitor *im;
+- register struct mon_data *md;
+- extern struct mon_data mon_mru_list;
+- extern int mon_enabled;
+-
+ #ifdef DEBUG
+ if (debug > 2)
+ printf("wants monitor 0 list\n");
+ #endif
+- if (!mon_enabled) {
+- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+- return;
+- }
+- im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt,
+- v6sizeof(struct info_monitor));
+- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
+- md = md->mru_next) {
+- im->lasttime = htonl((u_int32)((current_time -
+- md->firsttime) / md->count));
+- im->firsttime = htonl((u_int32)(current_time - md->lasttime));
+- im->restr = htonl((u_int32)md->flags);
+- im->count = htonl((u_int32)(md->count));
+- if (IS_IPV6(&md->rmtadr)) {
+- if (!client_v6_capable)
+- continue;
+- im->addr6 = SOCK_ADDR6(&md->rmtadr);
+- im->v6_flag = 1;
+- } else {
+- im->addr = NSRCADR(&md->rmtadr);
+- if (client_v6_capable)
+- im->v6_flag = 0;
+- }
+- im->port = md->rmtport;
+- im->mode = md->mode;
+- im->version = md->version;
+- im = (struct info_monitor *)more_pkt();
+- }
+- flush_pkt();
++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+ }
+
+ /*
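Review bot: the new body answers every REQ_MON_GETLIST with `++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);` unconditionally, so the `mon_enabled` test and the MRU list walk are removed rather than gated; that is a behavioural change (`ntpdc -c monlist` now always reports no data, whatever `enable monitor` is set to) which the commit message above does not mention, so spell it out there. The surviving `#ifdef DEBUG` printf now logs a request that is never served and could be dropped in the same hunk.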
+@@ -1962,50 +1929,7 @@ mon_getlist_1(
+ struct req_pkt *inpkt
+ )
+ {
+- register struct info_monitor_1 *im;
+- register struct mon_data *md;
+- extern struct mon_data mon_mru_list;
+- extern int mon_enabled;
+-
+- if (!mon_enabled) {
+- req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+- return;
+- }
+- im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt,
+- v6sizeof(struct info_monitor_1));
+- for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0;
+- md = md->mru_next) {
+- im->lasttime = htonl((u_int32)((current_time -
+- md->firsttime) / md->count));
+- im->firsttime = htonl((u_int32)(current_time - md->lasttime));
+- im->restr = htonl((u_int32)md->flags);
+- im->count = htonl((u_int32)md->count);
+- if (IS_IPV6(&md->rmtadr)) {
+- if (!client_v6_capable)
+- continue;
+- im->addr6 = SOCK_ADDR6(&md->rmtadr);
+- im->v6_flag = 1;
+- im->daddr6 = SOCK_ADDR6(&md->interface->sin);
+- } else {
+- im->addr = NSRCADR(&md->rmtadr);
+- if (client_v6_capable)
+- im->v6_flag = 0;
+- if (MDF_BCAST == md->cast_flags)
+- im->daddr = NSRCADR(&md->interface->bcast);
+- else if (md->cast_flags) {
+- im->daddr = NSRCADR(&md->interface->sin);
+- if (!im->daddr)
+- im->daddr = NSRCADR(&md->interface->bcast);
+- } else
+- im->daddr = 4;
+- }
+- im->flags = htonl(md->cast_flags);
+- im->port = md->rmtport;
+- im->mode = md->mode;
+- im->version = md->version;
+- im = (struct info_monitor_1 *)more_pkt();
+- }
+- flush_pkt();
++ req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
+ }
+
+ /*
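Review bot: this hunk reduces mon_getlist_1 to the same one-line stub as mon_getlist_0 above, and nothing left in the code explains why two request handlers end in an immediate NODATA reply; a source comment above each remaining `req_ack` naming CVE-2013-5211 and the amplification problem would stop a later maintainer from "restoring" the list walk.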
diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
index 2c8f488..b63f202 100644
--- a/meta-networking/recipes-support/ntp/ntp.inc
+++ b/meta-networking/recipes-support/ntp/ntp.inc
@@ -24,6 +24,7 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
file://sntp \
file://ntpd.list \
file://ntp-disable-debugging.patch \
+ file://CVE-2013-5211.patch \
"
inherit autotools update-rc.d useradd systemd
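Review bot: the only recipe-side change is the `+ file://CVE-2013-5211.patch \` line, so the recipe gives no hint that monlist is now disabled outright; a short comment beside it, or a sentence in the commit message, would help anyone who later sees `ntpdc -c monlist` fail. Note also that the hunk's context line is `file://ntp-disable-debugging.patch \` from PATCH 1/2 of this series, so if that patch is dropped or reverted, as the reply below proposes, this hunk will no longer apply cleanly.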
--
1.7.10.4
* Re: [meta-networking][PATCH 1/2] ntp: Disable debugging by default
From: Peter A. Bigot @ 2014-08-27 11:38 UTC (permalink / raw)
To: openembedded-devel, xufeng.zhang, rongqing.li
On 08/13/2014 10:14 PM, rongqing.li@windriver.com wrote:
> From: Xufeng Zhang <xufeng.zhang@windriver.com>
>
> There is a problem in configure.ac file that whether or not
> '--enable-debugging' is specified in configure cmdline, debugging
> is always enabled.
From my testing this is incorrect. Both --disable-debugging and
--enable-debugging=no correctly override the upstream decision to enable
debugging by default.
> We should disable ntp debugging by default.
Could we have more of an explanation why this is a good thing? It
doesn't seem relevant to the security patch it accompanied.
I've got a patch I'm validating that will revert this fix and use
PACKAGECONFIG to control whether debugging is supported. Personally, I'd
rather have the default be to keep debugging enabled.
Upstream ntp enables debugging support by default, and OE's build has
never disabled it before. ntp is a tricky beast and is very terse about
what it's doing. Having the ability to make it explain why (for
example) it's disabling a reference clock is very useful in
diagnostics. Disabling debugging during the build makes it impossible
to get that information out of an installed system.
Peter
>
> Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
> ---
> .../ntp/files/ntp-disable-debugging.patch | 23 ++++++++++++++++++++
> meta-networking/recipes-support/ntp/ntp.inc | 1 +
> 2 files changed, 24 insertions(+)
> create mode 100644 meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
>
> diff --git a/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
> new file mode 100644
> index 0000000..3c94d8d
> --- /dev/null
> +++ b/meta-networking/recipes-support/ntp/files/ntp-disable-debugging.patch
> @@ -0,0 +1,23 @@
> +set ntp_ok to no if ntp debugging is not enabled.
> +
> +Upstream-status: Pending
> +
> +There is a problem in configure.ac file that whether or not
> +'--enable-debugging' is specified in configure cmdline, debugging
> +is always enabled.
> +We should disable ntp debugging by default.
> +
> +Signed-off-by: Xufeng Zhang<xufeng.zhang@windriver.com>
> +
> +---
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -2458,7 +2458,7 @@
> + [+ include ntpd debugging code]
> + )],
> + [ntp_ok=$enableval],
> +- [ntp_ok=yes]
> ++ [ntp_ok=no]
> + )
> + case "$ntp_ok" in
> + yes)
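Review bot: the hunk changes only the default branch (`- [ntp_ok=yes]` to `+ [ntp_ok=no]`), while the `[ntp_ok=$enableval]` line two lines above already honours whatever `--enable-debugging` value is passed on the configure command line, so the code shown does not support the commit message's claim that debugging is always enabled regardless of the flag. If the intent is an OE-specific default rather than an upstream bug fix, passing `--disable-debugging` via EXTRA_OECONF or a PACKAGECONFIG entry in the recipe gives the same result without carrying a `Pending` patch that changes upstream's deliberately chosen default.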
> diff --git a/meta-networking/recipes-support/ntp/ntp.inc b/meta-networking/recipes-support/ntp/ntp.inc
> index 49f9901..2c8f488 100644
> --- a/meta-networking/recipes-support/ntp/ntp.inc
> +++ b/meta-networking/recipes-support/ntp/ntp.inc
> @@ -23,6 +23,7 @@ SRC_URI ="http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
> file://sntp.service \
> file://sntp \
> file://ntpd.list \
> + file://ntp-disable-debugging.patch \
> "
>
> inherit autotools update-rc.d useradd systemd