rpms/ntp/F-10 ntp-4.2.4p7-mode7dos.patch, NONE, 1.1 ntp.spec, 1.85, 1.86
Miroslav Lichvar
mlichvar at fedoraproject.org
Wed Dec 9 11:55:19 UTC 2009
Author: mlichvar
Update of /cvs/pkgs/rpms/ntp/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv32428
Modified Files:
ntp.spec
Added Files:
ntp-4.2.4p7-mode7dos.patch
Log Message:
- fix DoS with mode 7 packets (#545557, CVE-2009-3563)
ntp-4.2.4p7-mode7dos.patch:
ntp_request.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- NEW FILE ntp-4.2.4p7-mode7dos.patch ---
# This is a BitKeeper generated diff -Nru style patch.
#
# ntpd/ntp_request.c
# 2009/10/07 01:33:21+00:00 davehart at shiny.ad.hartbrothers.com +9 -2
# [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
#
diff -Nrpu a/ntpd/ntp_request.c b/ntpd/ntp_request.c
--- a/ntpd/ntp_request.c 2009-10-14 19:52:16 +00:00
+++ b/ntpd/ntp_request.c 2009-10-14 19:52:16 +00:00
@@ -409,6 +409,7 @@ process_private(
int mod_okay
)
{
+ static u_long quiet_until;
struct req_pkt *inpkt;
struct req_pkt_tail *tailinpkt;
struct sockaddr_storage *srcadr;
@@ -444,8 +445,14 @@ process_private(
|| (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
|| (++ec, rbufp->recv_length < REQ_LEN_HDR)
) {
- msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d failed, pkt from %s", ec, stoa(srcadr));
- req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ NLOG(NLOG_SYSEVENT)
+ if (current_time >= quiet_until) {
+ msyslog(LOG_ERR,
+ "process_private: drop test %d"
+ " failed, pkt from %s",
+ ec, stoa(srcadr));
+ quiet_until = current_time + 60;
+ }
return;
}
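Review bot: The throttle in this hunk uses one process-wide `quiet_until`, so after a single drop is logged, every further malformed mode 7 packet in the next 60 seconds goes unrecorded, whatever its source. An operator reading syslog then cannot tell one stray packet from a sustained flood, and the only address logged is the first one seen in each window. I would count the suppressed drops and report the count with the next message, and give the bare `60` a name. `NLOG` appears to be a macro that expands to an `if`, so bracing its body would keep the later `return;` visibly outside it. The body of process_private continues outside this hunk, and the new counter would sit beside `quiet_until` in the first hunk.
```c
/* … beside quiet_until in the declarations at the top of process_private … */
static u_long quiet_drops;	/* drops not logged since the last message */

/* … unchanged: the format tests in the if condition … */
NLOG(NLOG_SYSEVENT) {
	if (current_time >= quiet_until) {
		msyslog(LOG_ERR,
			"process_private: drop test %d"
			" failed, pkt from %s"
			" (%lu earlier drops not logged)",
			ec, stoa(srcadr), quiet_drops);
		quiet_until = current_time + 60;
		quiet_drops = 0;
	} else {
		quiet_drops++;
	}
}
```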
Index: ntp.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ntp/F-10/ntp.spec,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -p -r1.85 -r1.86
--- ntp.spec 19 May 2009 15:43:28 -0000 1.85
+++ ntp.spec 9 Dec 2009 11:55:19 -0000 1.86
@@ -1,7 +1,7 @@
Summary: The NTP daemon and utilities
Name: ntp
Version: 4.2.4p7
-Release: 1%{?dist}
+Release: 2%{?dist}
# primary license (COPYRIGHT) : MIT
# ElectricFence/ (not used) : GPLv2
# kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -91,6 +91,8 @@ Patch25: ntp-4.2.4p5-rtnetlink.patch
Patch26: ntp-4.2.4p7-stamode.patch
# ntpbz #808
Patch27: ntp-4.2.4p5-driftonexit.patch
+# fix DoS with mode 7 packets
+Patch31: ntp-4.2.4p7-mode7dos.patch
URL: http://www.ntp.org
Requires(post): /sbin/chkconfig
@@ -157,6 +159,7 @@ NTP servers.
%patch25 -p1 -b .rtnetlink
%patch26 -p1 -b .stamode
%patch27 -p1 -b .driftonexit
+%patch31 -p1 -b .mode7dos
# clock_gettime needs -lrt
sed -i.gettime 's|^LIBS = @LIBS@|& -lrt|' ntp{d,q,dc,date}/Makefile.in
@@ -323,6 +326,9 @@ fi
%{_mandir}/man8/ntpdate.8*
%changelog
+* Wed Dec 09 2009 Miroslav Lichvar <mlichvar at redhat.com> 4.2.4p7-2
+- fix DoS with mode 7 packets (#545557, CVE-2009-3563)
+
* Tue May 19 2009 Miroslav Lichvar <mlichvar at redhat.com> 4.2.4p7-1
- update to 4.2.4p7 (CVE-2009-1252, CVE-2009-0159)
- don't log STA_MODE changes