Buildroot Archive on lore.kernel.org
* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
@ 2017-02-06 14:12 Adam Duskett
  2017-02-06 14:58 ` Thomas Petazzoni
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Adam Duskett @ 2017-02-06 14:12 UTC (permalink / raw)
  To: buildroot

This version of ntp fixes several vulnerabilities.

CVE-2016-9311
CVE-2016-9310
CVE-2016-7427
CVE-2016-7428
CVE-2016-9312
CVE-2016-7431
CVE-2016-7434
CVE-2016-7429
CVE-2016-7426
CVE-2016-7433

http://www.kb.cert.org/vuls/id/633847

In addition, libssl_compat.h is now included in many files, which
references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
Even if you pass --disable-ssl as a configuration option, these
files are now required.

As such, I have also added openssl as a dependency, and it is now
automatically selected when you select ntp.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
---
v1 -> v2:
  - Changed subject to indicate a security bump. (suggested by Baruch)
  - Removed check to see if openssl is enabled (suggested by Baruch)
  - Added the option --with-crypto to the configuration options by default. 

 package/ntp/Config.in |  1 +
 package/ntp/ntp.hash  |  6 +++---
 package/ntp/ntp.mk    | 15 +++++----------
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/package/ntp/Config.in b/package/ntp/Config.in
index 8ce9a5b..1af02db 100644
--- a/package/ntp/Config.in
+++ b/package/ntp/Config.in
@@ -1,6 +1,7 @@
 config BR2_PACKAGE_NTP
 	bool "ntp"
 	select BR2_PACKAGE_LIBEVENT
+	select BR2_PACKAGE_OPENSSL
 	help
 	  Network Time Protocol suite/programs.
 	  Provides things like ntpd, ntpdate, ntpq, etc...
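Review bot: the new `select BR2_PACKAGE_OPENSSL` line is unconditional and carries no comment, so nothing in Config.in records that it exists only because 4.2.8p9 includes libssl_compat.h in many files. Suggest a short comment above the select (or a sentence in the help text) giving that reason, so the select can be dropped once upstream allows a build without OpenSSL again. With this change every ntp image also ships OpenSSL and inherits its security updates.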
diff --git a/package/ntp/ntp.hash b/package/ntp/ntp.hash
index 2a1155b..c6838d8 100644
--- a/package/ntp/ntp.hash
+++ b/package/ntp/ntp.hash
@@ -1,4 +1,4 @@
-# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p8.tar.gz.md5
-md5	4a8636260435b230636f053ffd070e34	ntp-4.2.8p8.tar.gz
+# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p9.tar.gz.md5
+md5	857452b05f5f2e033786f77ade1974ed	ntp-4.2.8p9.tar.gz
 # Calculated based on the hash above
-sha256	2ab3d0b5f0456e6311dda1cc27ab75da108762773a19e46abd938bd9407b97ee	ntp-4.2.8p8.tar.gz
+sha256	b724287778e1bac625b447327c9851eedef020517a3545625e9f652a90f30b72	ntp-4.2.8p9.tar.gz
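Review bot: the sha256 line is still "Calculated based on the hash above", so the only upstream-provided check for ntp-4.2.8p9.tar.gz is an MD5 fetched over plain http from the same host that serves the tarball. MD5 is not collision resistant and http gives no integrity protection in transit, so for a security bump it would be better to verify the tarball against a checksum or signature obtained over an authenticated channel and say so in the comment, or at least state in the commit message how the sha256 was produced.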
diff --git a/package/ntp/ntp.mk b/package/ntp/ntp.mk
index 7f9e0d6..45e2a64 100644
--- a/package/ntp/ntp.mk
+++ b/package/ntp/ntp.mk
@@ -5,9 +5,9 @@
 ################################################################################
 
 NTP_VERSION_MAJOR = 4.2
-NTP_VERSION = $(NTP_VERSION_MAJOR).8p8
+NTP_VERSION = $(NTP_VERSION_MAJOR).8p9
 NTP_SITE = http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-$(NTP_VERSION_MAJOR)
-NTP_DEPENDENCIES = host-pkgconf libevent $(if $(BR2_PACKAGE_BUSYBOX),busybox)
+NTP_DEPENDENCIES = host-pkgconf libevent openssl $(if $(BR2_PACKAGE_BUSYBOX),busybox)
 NTP_LICENSE = ntp license
 NTP_LICENSE_FILES = COPYRIGHT
 NTP_CONF_ENV = ac_cv_lib_md5_MD5Init=no
@@ -17,17 +17,12 @@ NTP_CONF_OPTS = \
 	--disable-tickadj \
 	--disable-debugging \
 	--with-yielding-select=yes \
-	--disable-local-libevent
+	--disable-local-libevent \
+	--with-crypto
+
 # 0002-ntp-syscalls-fallback.patch
 NTP_AUTORECONF = YES
 
-ifeq ($(BR2_PACKAGE_OPENSSL),y)
-NTP_CONF_OPTS += --with-crypto
-NTP_DEPENDENCIES += openssl
-else
-NTP_CONF_OPTS += --without-crypto --disable-openssl-random
-endif
-
 ifeq ($(BR2_PACKAGE_LIBCAP),y)
 NTP_CONF_OPTS += --enable-linuxcaps
 NTP_DEPENDENCIES += libcap
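Review bot: deleting the whole `ifeq ($(BR2_PACKAGE_OPENSSL),y)` block also deletes the `--without-crypto --disable-openssl-random` branch, yet the commit message describes the failure in terms of `--disable-ssl`, which is not an option this file passed. Please confirm the build really fails with the flags from the removed else branch, and add a comment next to `--with-crypto` saying it is forced because of libssl_compat.h, so the conditional can be restored when upstream fixes it. The added empty line after `--with-crypto` can go; the original had none before the `# 0002-ntp-syscalls-fallback.patch` comment.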
-- 
2.9.3


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-02-06 14:12 [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9 Adam Duskett
@ 2017-02-06 14:58 ` Thomas Petazzoni
       [not found]   ` <1486393216.2005.19.camel@codeblue.com>
  2017-02-07 14:29 ` Peter Korsgaard
  2017-11-07 17:26 ` Thomas Petazzoni
  2 siblings, 1 reply; 9+ messages in thread
From: Thomas Petazzoni @ 2017-02-06 14:58 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon,  6 Feb 2017 09:12:25 -0500, Adam Duskett wrote:

> In addition, libssl_compat.h is now included in many files, which
> references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
> Even if you pass --disable-ssl as a configuration option, these
> files are now required.

Is this a bug in 4.2.8p9, or a real decision from upstream that OpenSSL
is now mandatory in ntp?

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
       [not found]   ` <1486393216.2005.19.camel@codeblue.com>
@ 2017-02-06 15:02     ` Thomas Petazzoni
  2017-02-06 15:23       ` Arnout Vandecappelle
  0 siblings, 1 reply; 9+ messages in thread
From: Thomas Petazzoni @ 2017-02-06 15:02 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 6 Feb 2017 15:00:16 +0000, Adam Duskett wrote:

> That's the million dollar question!  As far as I can tell, it's a
> real decision from upstream, as many of the files now include
> libssl_compat.h, however if you want, I can try to play around
> with them and see if they are 100% mandatory or not.

That would be useful, yes.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-02-06 15:02     ` Thomas Petazzoni
@ 2017-02-06 15:23       ` Arnout Vandecappelle
  2017-02-06 21:18         ` Adam Duskett
  0 siblings, 1 reply; 9+ messages in thread
From: Arnout Vandecappelle @ 2017-02-06 15:23 UTC (permalink / raw)
  To: buildroot



On 06-02-17 16:02, Thomas Petazzoni wrote:
> Hello,
> 
> On Mon, 6 Feb 2017 15:00:16 +0000, Adam Duskett wrote:
> 
>> That's the million dollar question!  As far as I can tell, it's a
>> real decision from upstream, as many of the files now include
>> libssl_compat.h, however if you want, I can try to play around
>> with them and see if they are 100% mandatory or not.
> 
> That would be useful, yes.

 It's really weird that they introduce such a dependency in a p8 -> p9 bump...

 Regards,
 Arnout

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-02-06 15:23       ` Arnout Vandecappelle
@ 2017-02-06 21:18         ` Adam Duskett
  2017-02-07 14:28           ` Peter Korsgaard
  0 siblings, 1 reply; 9+ messages in thread
From: Adam Duskett @ 2017-02-06 21:18 UTC (permalink / raw)
  To: buildroot

After doing some digging into the source code, it looks like there
are two new files: include/libssl_compat.h and libssl_compat.c

These files are now referenced in quite a few places, all of which
would take quite a bit of time to unwind.

I would suggest leaving openssl as a dependency unless somebody else
wants to take a crack at cleaning it up.

On Mon, Feb 6, 2017 at 10:23 AM, Arnout Vandecappelle <arnout@mind.be> wrote:
>
>
> On 06-02-17 16:02, Thomas Petazzoni wrote:
>> Hello,
>>
>> On Mon, 6 Feb 2017 15:00:16 +0000, Adam Duskett wrote:
>>
>>> That's the million dollar question!  As far as I can tell, it's a
>>> real decision from upstream, as many of the files now include
>>> libssl_compat.h, however if you want, I can try to play around
>>> with them and see if they are 100% mandatory or not.
>>
>> That would be useful, yes.
>
>  It's really weird that they introduce such a dependency in a p8 -> p9 bump...
>
>  Regards,
>  Arnout
>
Oh I agree! But it looks like that's exactly what has happened, even if
by accident!

> --
> Arnout Vandecappelle                          arnout at mind be
> Senior Embedded Software Architect            +32-16-286500
> Essensium/Mind                                http://www.mind.be
> G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
> LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
> GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

Adam


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-02-06 21:18         ` Adam Duskett
@ 2017-02-07 14:28           ` Peter Korsgaard
  0 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2017-02-07 14:28 UTC (permalink / raw)
  To: buildroot

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > After doing some digging into the source code, it looks like there
 > are two new files: include/libssl_compat.h and libssl_compat.c

 > These files are now referenced in quite a few places, all of which
 > would take quite a bit of time to unwind.

 > I would suggest leaving openssl as a dependency unless somebody else
 > wants to take a crack at cleaning it up.

Yes, I had a look as well. Most can be handled by a #ifdef OPENSSL
around the openssl specific stuff, but a number of places now use more
EVP_MD_CTX_* functions that aren't covered by the emulation functions in
ntp_md5.h.

-- 
Bye, Peter Korsgaard


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-02-06 14:12 [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9 Adam Duskett
  2017-02-06 14:58 ` Thomas Petazzoni
@ 2017-02-07 14:29 ` Peter Korsgaard
  2017-11-07 17:26 ` Thomas Petazzoni
  2 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2017-02-07 14:29 UTC (permalink / raw)
  To: buildroot

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > This version of ntp fixes several vulnerabilities.
 > CVE-2016-9311
 > CVE-2016-9310
 > CVE-2016-7427
 > CVE-2016-7428
 > CVE-2016-9312
 > CVE-2016-7431
 > CVE-2016-7434
 > CVE-2016-7429
 > CVE-2016-7426
 > CVE-2016-7433

 > http://www.kb.cert.org/vuls/id/633847

 > In addition, libssl_compat.h is now included in many files, which
 > references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
 > Even if you pass --disable-ssl as a configuration option, these
 > files are now required.

 > As such, I have also added openssl as a dependency, and it is now
 > automatically selected when you select ntp.

 > Signed-off-by: Adam Duskett <aduskett@codeblue.com>
 > ---
 > v1 -> v2:
 >   - Changed subject to indicate a security bump. (suggested by Baruch)
 >   - Removed check to see if openssl is enabled (suggested by Baruch)
 >   - Added the option --with-crypto to the configuration options by default. 

It's a bit of a pain that openssl no longer is optional, but fixing that
seems to be nontrivial. Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-02-06 14:12 [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9 Adam Duskett
  2017-02-06 14:58 ` Thomas Petazzoni
  2017-02-07 14:29 ` Peter Korsgaard
@ 2017-11-07 17:26 ` Thomas Petazzoni
  2017-11-07 21:15   ` Adam Duskett
  2 siblings, 1 reply; 9+ messages in thread
From: Thomas Petazzoni @ 2017-11-07 17:26 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon,  6 Feb 2017 09:12:25 -0500, Adam Duskett wrote:
> This version of ntp fixes several vulnerabilities.
> 
> CVE-2016-9311
> CVE-2016-9310
> CVE-2016-7427
> CVE-2016-7428
> CVE-2016-9312
> CVE-2016-7431
> CVE-2016-7434
> CVE-2016-7429
> CVE-2016-7426
> CVE-2016-7433
> 
> http://www.kb.cert.org/vuls/id/633847
> 
> In addition, libssl_compat.h is now included in many files, which
> references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
> Even if you pass --disable-ssl as a configuration option, these
> files are now required.
> 
> As such, I have also added openssl as a dependency, and it is now
> automatically selected when you select ntp.
> 
> Signed-off-by: Adam Duskett <aduskett@codeblue.com>

This patch raised a comment on Github:
https://github.com/buildroot/buildroot/commit/ebf6f64b76059e31a85f982cb04f80ad5982dac3#commitcomment-25458671.
Apparently, building without OpenSSL is still possible (perhaps has
been fixed in 4.2.8p10 ?), and some users would like ntp without
OpenSSL support.

Adam, could you have a look into this ?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [V2 1/1] ntp: security bump to version 4.2.8p9
  2017-11-07 17:26 ` Thomas Petazzoni
@ 2017-11-07 21:15   ` Adam Duskett
  0 siblings, 0 replies; 9+ messages in thread
From: Adam Duskett @ 2017-11-07 21:15 UTC (permalink / raw)
  To: buildroot

Thomas;



On Tue, Nov 7, 2017 at 12:26 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Mon,  6 Feb 2017 09:12:25 -0500, Adam Duskett wrote:
>> This version of ntp fixes several vulnerabilities.
>>
>> CVE-2016-9311
>> CVE-2016-9310
>> CVE-2016-7427
>> CVE-2016-7428
>> CVE-2016-9312
>> CVE-2016-7431
>> CVE-2016-7434
>> CVE-2016-7429
>> CVE-2016-7426
>> CVE-2016-7433
>>
>> http://www.kb.cert.org/vuls/id/633847
>>
>> In addition, libssl_compat.h is now included in many files, which
>> references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
>> Even if you pass --disable-ssl as a configuration option, these
>> files are now required.
>>
>> As such, I have also added openssl as a dependency, and it is now
>> automatically selected when you select ntp.
>>
>> Signed-off-by: Adam Duskett <aduskett@codeblue.com>
>
> This patch raised a comment on Github:
> https://github.com/buildroot/buildroot/commit/ebf6f64b76059e31a85f982cb04f80ad5982dac3#commitcomment-25458671.
> Apparently, building without OpenSSL is still possible (perhaps has
> been fixed in 4.2.8p10 ?), and some users would like ntp without
> OpenSSL support.
>
> Adam, could you have a look into this ?
>
Looks like p10 fixed the issue! I will submit a patch to revert the
new dependency.

> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux and Kernel engineering
> http://free-electrons.com
