From: Gustavo Zacarias Date: Mon, 22 Dec 2014 14:26:59 +0000 (-0300) Subject: ntp: security bump to version 4.2.8 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=5d5c9a8;p=buildroot.git ntp: security bump to version 4.2.8 Fixes: CVE-2014-9293 - ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities). CVE-2014-9294 - The ntp-keygen utility generated weak MD5 keys with insufficient entropy. CVE-2014-9295 - ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code. CVE-2014-9296 - The general packet processing function in ntpd did not handle an error case correctly. Signed-off-by: Gustavo Zacarias Signed-off-by: Thomas Petazzoni --- diff --git a/package/ntp/0001-fix-ntp-keygen-without-openssl.patch b/package/ntp/0001-fix-ntp-keygen-without-openssl.patch new file mode 100644 index 0000000000..b9883be1ee --- /dev/null +++ b/package/ntp/0001-fix-ntp-keygen-without-openssl.patch 
@@ -0,0 +1,153 @@ +Fix build breakage without openssl. +From upstream: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg + +Signed-off-by: Gustavo Zacarias + +diff -Nura ntp-4.2.8.orig/configure.ac ntp-4.2.8/configure.ac +--- ntp-4.2.8.orig/configure.ac 2014-12-22 10:16:10.449311393 -0300 ++++ ntp-4.2.8/configure.ac 2014-12-22 10:17:30.757215905 -0300 +@@ -102,7 +102,7 @@ + enable_nls=no + LIBOPTS_CHECK_NOBUILD([sntp/libopts]) + +-NTP_ENABLE_LOCAL_LIBEVENT ++NTP_LIBEVENT_CHECK_NOBUILD([2], [sntp/libevent]) + + NTP_LIBNTP + +@@ -771,6 +771,10 @@ + + #### + ++AC_CHECK_FUNCS([arc4random_buf]) ++ ++#### ++ + saved_LIBS="$LIBS" + LIBS="$LIBS $LDADD_LIBNTP" + AC_CHECK_FUNCS([daemon]) +diff -Nura ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c ntp-4.2.8/libntp/ntp_crypto_rnd.c +--- ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c 2014-12-22 10:16:10.430301237 -0300 ++++ ntp-4.2.8/libntp/ntp_crypto_rnd.c 2014-12-22 10:18:04.921468163 -0300 +@@ -24,6 +24,21 @@ + int crypto_rand_init = 0; + #endif + ++#ifndef HAVE_ARC4RANDOM_BUF ++static void ++arc4random_buf(void *buf, size_t nbytes); ++ ++void ++evutil_secure_rng_get_bytes(void *buf, size_t nbytes); ++ ++static void ++arc4random_buf(void *buf, size_t nbytes) ++{ ++ evutil_secure_rng_get_bytes(buf, nbytes); ++ return; ++} ++#endif ++ + /* + * As of late 2014, here's how we plan to provide cryptographic-quality + * random numbers: +diff -Nura ntp-4.2.8.orig/Makefile.am ntp-4.2.8/Makefile.am +--- ntp-4.2.8.orig/Makefile.am 2014-12-22 10:16:10.441307117 -0300 ++++ ntp-4.2.8/Makefile.am 2014-12-22 10:16:49.403122474 -0300 +@@ -3,6 +3,7 @@ + NULL = + + SUBDIRS = \ ++ sntp \ + scripts \ + include \ + libntp \ +@@ -17,7 +18,6 @@ + clockstuff \ + kernel \ + util \ +- sntp \ + tests \ + $(NULL) + +@@ -64,7 +64,6 @@ + .gcc-warning \ + libtool \ + html/.datecheck \ +- sntp/built-sources-only \ + $(srcdir)/COPYRIGHT \ + $(srcdir)/.checkChangeLog \ + $(NULL) +diff -Nura ntp-4.2.8.orig/sntp/configure.ac 
ntp-4.2.8/sntp/configure.ac +--- ntp-4.2.8.orig/sntp/configure.ac 2014-12-22 10:16:10.428300168 -0300 ++++ ntp-4.2.8/sntp/configure.ac 2014-12-22 10:24:11.238172928 -0300 +@@ -97,11 +97,14 @@ + enable_nls=no + LIBOPTS_CHECK + +-AM_COND_IF( +- [BUILD_SNTP], +- [NTP_LIBEVENT_CHECK], +- [NTP_LIBEVENT_CHECK_NOBUILD] +-) ++# From when we only used libevent for sntp: ++#AM_COND_IF( ++# [BUILD_SNTP], ++# [NTP_LIBEVENT_CHECK], ++# [NTP_LIBEVENT_CHECK_NOBUILD] ++#) ++ ++NTP_LIBEVENT_CHECK([2]) + + # Checks for libraries. + +diff -Nura ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4 ntp-4.2.8/sntp/m4/ntp_libevent.m4 +--- ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4 2014-12-22 10:16:10.417294288 -0300 ++++ ntp-4.2.8/sntp/m4/ntp_libevent.m4 2014-12-22 10:20:31.757915561 -0300 +@@ -1,4 +1,25 @@ +-dnl NTP_ENABLE_LOCAL_LIBEVENT -*- Autoconf -*- ++# SYNOPSIS -*- Autoconf -*- ++# ++# NTP_ENABLE_LOCAL_LIBEVENT ++# NTP_LIBEVENT_CHECK([MINVERSION [, DIR]]) ++# NTP_LIBEVENT_CHECK_NOBUILD([MINVERSION [, DIR]]) ++# ++# DESCRIPTION ++# ++# AUTHOR ++# ++# Harlan Stenn ++# ++# LICENSE ++# ++# This file is Copyright (c) 2014 Network Time Foundation ++# ++# Copying and distribution of this file, with or without modification, are ++# permitted in any medium without royalty provided the copyright notice, ++# author attribution and this notice are preserved. This file is offered ++# as-is, without any warranty. ++ ++dnl NTP_ENABLE_LOCAL_LIBEVENT + dnl + dnl Provide only the --enable-local-libevent command-line option. + dnl +@@ -29,7 +50,7 @@ + dnl but DO NOT invoke DIR/configure if we are going to use our bundled + dnl version. This may be the case for nested packages. + dnl +-dnl provide --enable-local-libevent . ++dnl provides --enable-local-libevent . 
+ dnl + dnl Examples: + dnl +diff -Nura ntp-4.2.8.orig/util/Makefile.am ntp-4.2.8/util/Makefile.am +--- ntp-4.2.8.orig/util/Makefile.am 2014-12-22 10:16:10.435303910 -0300 ++++ ntp-4.2.8/util/Makefile.am 2014-12-22 10:21:02.500339706 -0300 +@@ -19,6 +19,7 @@ + LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS) + tg2_LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) + ntp_keygen_LDADD = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a ++ntp_keygen_LDADD += $(LDADD_LIBEVENT) + ntp_keygen_LDADD += $(LDADD_LIBNTP) $(PTHREAD_LIBS) $(LDADD_NTP) $(LIBM) + ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h + diff --git a/package/ntp/0002-nano.patch b/package/ntp/0002-nano.patch new file mode 100644 index 0000000000..d16046cb03 --- /dev/null +++ b/package/ntp/0002-nano.patch @@ -0,0 +1,23 @@ +Fixes issues with glibc header files, see +http://bugs.gentoo.org/show_bug.cgi?id=270483 + +Signed-off-by: Gustavo Zacarias + +diff -Nura ntp-4.2.6p2.orig/include/ntp_syscall.h ntp-4.2.6p2/include/ntp_syscall.h +--- ntp-4.2.6p2.orig/include/ntp_syscall.h 2009-12-09 04:36:37.000000000 -0300 ++++ ntp-4.2.6p2/include/ntp_syscall.h 2011-01-27 13:09:05.072336628 -0300 +@@ -14,6 +14,14 @@ + # include + #endif + ++#if defined(ADJ_NANO) && !defined(MOD_NANO) ++#define MOD_NANO ADJ_NANO ++#endif ++ ++#if defined(ADJ_TAI) && !defined(MOD_TAI) ++#define MOD_TAI ADJ_TAI ++#endif ++ + #ifndef NTP_SYSCALLS_LIBC + #ifdef NTP_SYSCALLS_STD + # define ntp_adjtime(t) syscall(SYS_ntp_adjtime, (t)) diff --git a/package/ntp/Config.in b/package/ntp/Config.in index c92ae93e1d..d4caddfd0a 100644 --- a/package/ntp/Config.in +++ b/package/ntp/Config.in @@ -1,5 +1,6 @@ config BR2_PACKAGE_NTP bool "ntp" + select BR2_PACKAGE_LIBEVENT help Network Time Protocol suite/programs. Provides things like ntpd, ntpdate, ntpq, etc... diff --git a/package/ntp/ntp-001-adjtimex.patch b/package/ntp/ntp-001-adjtimex.patch deleted file mode 100644 index 40625fa18f..0000000000 
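Review bot: The `arc4random_buf` fallback that the new patch adds in `libntp/ntp_crypto_rnd.c` cannot report failure: it wraps `evutil_secure_rng_get_bytes`, declared here as returning `void`, and this is the path that feeds the key material the bump exists to strengthen (CVE-2014-9293/9294) whenever the build has no OpenSSL and the C library lacks `arc4random_buf` — exactly the typical Buildroot target. As far as I can tell libevent's generator does not abort when it cannot seed itself (e.g. no usable `/dev/urandom` in a minimal or chrooted root), so a seeding failure would silently yield weak keys again; I would have the consumers seed explicitly and fail hard, e.g. `if (evutil_secure_rng_init() != 0) { msyslog(LOG_ERR, "secure RNG unavailable"); exit(1); }` before any key generation, and note the reason above the wrapper with `/* libevent RNG has no error path; callers must check evutil_secure_rng_init() first */`. Separately, the prototype of `evutil_secure_rng_get_bytes` is written by hand instead of pulling in `<event2/util.h>`, so a signature mismatch with the installed libevent would go unnoticed at compile time; including the header is safer and the rest of the patch already makes libevent a hard dependency.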
--- a/package/ntp/ntp-001-adjtimex.patch +++ /dev/null @@ -1,33 +0,0 @@ -https://support.ntp.org/bugs/show_bug.cgi?id=769 -http://bugs.gentoo.org/254030 - ---- ntp/util/tickadj.c -+++ ntp/util/tickadj.c -@@ -21,7 +21,8 @@ - # include - #endif /* HAVE_UNISTD_H */ - --#ifdef HAVE___ADJTIMEX /* Linux */ -+/* proper handling here has been moved to upstream ntp bugzilla */ -+#ifdef linux - - #include - struct timex txc; -@@ -91,7 +92,7 @@ - } - - if (!errflg) { -- if (__adjtimex(&txc) < 0) -+ if (adjtimex(&txc) < 0) - perror("adjtimex"); - else if (!quiet) - printf("tick = %ld\ntick_adj = %d\n", -@@ -146,7 +147,7 @@ - #endif - } - -- if (__adjtimex(&txc) < 0) -+ if (adjtimex(&txc) < 0) - { - perror("adjtimex"); - } diff --git a/package/ntp/ntp-002-nano.patch b/package/ntp/ntp-002-nano.patch deleted file mode 100644 index d16046cb03..0000000000 --- a/package/ntp/ntp-002-nano.patch +++ /dev/null @@ -1,23 +0,0 @@ -Fixes issues with glibc header files, see -http://bugs.gentoo.org/show_bug.cgi?id=270483 - -Signed-off-by: Gustavo Zacarias - -diff -Nura ntp-4.2.6p2.orig/include/ntp_syscall.h ntp-4.2.6p2/include/ntp_syscall.h ---- ntp-4.2.6p2.orig/include/ntp_syscall.h 2009-12-09 04:36:37.000000000 -0300 -+++ ntp-4.2.6p2/include/ntp_syscall.h 2011-01-27 13:09:05.072336628 -0300 -@@ -14,6 +14,14 @@ - # include - #endif - -+#if defined(ADJ_NANO) && !defined(MOD_NANO) -+#define MOD_NANO ADJ_NANO -+#endif -+ -+#if defined(ADJ_TAI) && !defined(MOD_TAI) -+#define MOD_TAI ADJ_TAI -+#endif -+ - #ifndef NTP_SYSCALLS_LIBC - #ifdef NTP_SYSCALLS_STD - # define ntp_adjtime(t) syscall(SYS_ntp_adjtime, (t)) diff --git a/package/ntp/ntp.hash b/package/ntp/ntp.hash new file mode 100644 index 0000000000..2ff6449815 --- /dev/null +++ b/package/ntp/ntp.hash @@ -0,0 +1,2 @@ +# From http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8.tar.gz.md5 +md5 6972a626be6150db8cfbd0b63d8719e7ntp-4.2.8.tar.gz diff --git a/package/ntp/ntp.mk b/package/ntp/ntp.mk index bb950a1c6a..1708978f32 100644 
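Review bot: The integrity check added in `ntp.hash` is an MD5 copied from the `.md5` file served next to the tarball on the same plain-HTTP host (`NTP_SITE` is `http://www.eecis.udel.edu/...`), so anyone able to substitute the tarball on the download path or on that server can substitute the digest too; it only catches truncated or corrupted downloads, not tampering, which is a thin guarantee for a security bump. I would record a sha256 computed locally from a tarball whose authenticity was checked against upstream's signature or release announcement, e.g. `sha256 <locally computed digest>  ntp-4.2.8.tar.gz`, keeping or replacing the md5 line, and have the comment say it was locally computed and how the tarball was verified rather than pointing at the co-located `.md5` file. Buildroot's hash checker accepts sha256 lines, so this should need no other change.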
--- a/package/ntp/ntp.mk +++ b/package/ntp/ntp.mk @@ -5,25 +5,29 @@ ################################################################################ NTP_VERSION_MAJOR = 4.2 -NTP_VERSION = $(NTP_VERSION_MAJOR).6p5 +NTP_VERSION = $(NTP_VERSION_MAJOR).8 NTP_SITE = http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-$(NTP_VERSION_MAJOR) +NTP_DEPENDENCIES = host-pkgconf libevent +# For 0001-fix-ntp-keygen-without-openssl.patch +NTP_AUTORECONF = YES NTP_LICENSE = ntp license NTP_LICENSE_FILES = COPYRIGHT NTP_CONF_ENV = ac_cv_lib_md5_MD5Init=no +NTP_CONF_OPTS = --with-shared \ + --program-transform-name=s,,, \ + --disable-tickadj \ + --with-yielding-select=yes \ + --disable-local-libevent ifneq ($(BR2_INET_IPV6),y) NTP_CONF_ENV += isc_cv_have_in6addr_any=no endif -NTP_CONF_OPTS = --with-shared \ - --program-transform-name=s,,, \ - --disable-tickadj - ifeq ($(BR2_PACKAGE_OPENSSL),y) NTP_CONF_OPTS += --with-crypto NTP_DEPENDENCIES += openssl else - NTP_CONF_OPTS += --without-crypto + NTP_CONF_OPTS += --without-crypto --disable-openssl-random endif ifeq ($(BR2_PACKAGE_NTP_NTPSNMPD),y)