mlichvar pushed to ntp (f20). "reject packets without MAC when authentication is enabled (CVE-2015-1798)"

notifications at fedoraproject.org notifications at fedoraproject.org
Wed Apr 8 12:01:22 UTC 2015


>From 30d6f937e8c8e3aa86ff128783f65dd9d49d98e3 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar at redhat.com>
Date: Wed, 8 Apr 2015 12:58:02 +0200
Subject: reject packets without MAC when authentication is enabled
 (CVE-2015-1798)


diff --git a/ntp-4.2.6p5-cve-2015-1798.patch b/ntp-4.2.6p5-cve-2015-1798.patch
new file mode 100644
index 0000000..413573d
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2015-1798.patch
@@ -0,0 +1,28 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-1798 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-1798	2015-04-08 12:50:57.997021032 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-04-08 12:50:58.005021047 +0200
+@@ -1130,18 +1130,20 @@ receive(
+ 		return;
+ 
+ 	/* 
+-	 * If the digest fails, the client cannot authenticate a server
++	 * If the digest fails or it's missing for authenticated
++	 * associations, the client cannot authenticate a server
+ 	 * reply to a client packet previously sent. The loopback check
+ 	 * is designed to avoid a bait-and-switch attack, which was
+ 	 * possible in past versions. If symmetric modes, return a
+ 	 * crypto-NAK. The peer should restart the protocol.
+ 	 */
+-	} else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST),
+-	    is_authentic)) {
++	} else if (!AUTH(peer->keyid || has_mac ||
++			 (restrict_mask & RES_DONTTRUST), is_authentic)) {
+ 		report_event(PEVNT_AUTH, peer, "digest");
+ 		peer->flash |= TEST5;		/* bad auth */
+ 		peer->badauth++;
+-		if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
++		if (has_mac &&
++		    (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
+ 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
+ 		if (peer->flags & FLAG_PREEMPT) {
+ 			unpeer(peer);
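Review bot: The comment above the rewritten `else if` still says a crypto-NAK is returned in symmetric modes, but the new `has_mac &&` guard on the `fast_xmit()` call makes that true only for packets that carried a MAC; the comment should say so, e.g. `If symmetric modes and the packet carried a MAC, return a crypto-NAK; a packet with no MAC gets no reply.` The visible lines also show that a MAC-less packet on a keyed association still raises the `PEVNT_AUTH` event, sets `TEST5`, increments `peer->badauth` and reaches `unpeer(peer)` when `FLAG_PREEMPT` is set, so it is worth confirming that an unauthenticated packet is meant to be able to demobilize a preemptible association. `peer->keyid` is used as a truth value inside `AUTH()`; writing `peer->keyid != 0` would make the "association is configured with a key" intent explicit. `receive()` begins and ends outside the hunk, so the remainder of this branch cannot be checked from here.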
diff --git a/ntp.spec b/ntp.spec
index f3b2391..7079a45 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -101,6 +101,8 @@ Patch27: ntp-4.2.6p5-cve-2014-9296.patch
 Patch28: ntp-4.2.6p5-cve-2014-9297.patch
 # ntpbz #2672
 Patch29: ntp-4.2.6p5-cve-2014-9298.patch
+# ntpbz #2779
+Patch36: ntp-4.2.6p5-cve-2015-1798.patch
 
 # handle unknown clock types
 Patch50: ntpstat-0.2-clksrc.patch
@@ -215,6 +217,7 @@ This package contains NTP documentation in HTML format.
 %patch27 -p1 -b .cve-2014-9296
 %patch28 -p1 -b .cve-2014-9297
 %patch29 -p1 -b .cve-2014-9298
+%patch36 -p1 -b .cve-2015-1798
 
 # ntpstat patches
 %patch50 -p1 -b .clksrc
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/ntp.git/commit/?h=f20&id=30d6f937e8c8e3aa86ff128783f65dd9d49d98e3

