Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package ntp for openSUSE:Factory checked in at 2023-05-06 22:09:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ntp (Old)
 and      /work/SRC/openSUSE:Factory/.ntp.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp" Sat May 6 22:09:41 2023 rev:136 rq:1085150 version:4.2.8p15 Changes: -------- --- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2023-02-11 21:57:41.747761646 +0100 +++ /work/SRC/openSUSE:Factory/.ntp.new.1533/ntp.changes 2023-05-06 22:09:42.756890724 +0200 @@ -1,0 +2,7 @@ +Fri May 5 13:55:24 UTC 2023 - Reinhard Max <m...@suse.com> + +- bsc#1210386: out-of-bounds writes in mstolfp() + * CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554 + * Add ntp-CVE-2023-26551.patch + +------------------------------------------------------------------- New: ---- ntp-CVE-2023-26551.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntp.spec ++++++ --- /var/tmp/diff_new_pack.7QyNDt/_old 2023-05-06 22:09:43.572895266 +0200 +++ /var/tmp/diff_new_pack.7QyNDt/_new 2023-05-06 22:09:43.580895311 +0200 @@ -60,6 +60,7 @@ Patch33: ntp-sntp-libevent.patch Patch34: testdcf-gude.diff Patch35: ntp-clarify-interface.patch +Patch36: ntp-CVE-2023-26551.patch BuildRequires: avahi-compat-mDNSResponder-devel BuildRequires: fdupes @@ -148,6 +149,7 @@ %patch33 %patch34 -p1 %patch35 +%patch36 # fix DOS line breaks sed -i 's/\r//g' html/scripts/{footer.txt,style.css} ++++++ ntp-CVE-2023-26551.patch ++++++ --- libntp/mstolfp.c.orig +++ libntp/mstolfp.c @@ -14,7 +14,7 @@ mstolfp( l_fp *lfp ) { - register const char *cp; + register const char *cp, *end; register char *bp; register const char *cpdec; char buf[100]; @@ -42,6 +42,15 @@ mstolfp( if (*cp != '.' && !isdigit((unsigned char)*cp)) return 0; + /* + * Make sure the buffer has enough room for the input string and the + * extra characters, in the worst case replacing "." with "0.000" + */ + end = cp; + while (isdigit((unsigned char)*end) || *end == '.') + end++; + if (end - cp + 4 >= sizeof (buf) - (bp - buf)) + return 0; /* * Search forward for the decimal point or the end of the string.
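Review bot: in the second ntp.spec hunk, `%patch36` is applied without an explicit strip level, whereas the neighbouring `%patch34 -p1` states one. The new patch's file headers (`--- libntp/mstolfp.c.orig` / `+++ libntp/mstolfp.c`) carry no `a/`/`b/` prefix, so relying on the default like `%patch35` does is consistent, but writing `%patch36 -p0` would make the intended level explicit rather than dependent on the macro default.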
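Review bot: ntp-CVE-2023-26551.patch opens directly at `--- libntp/mstolfp.c.orig` with no description header, although the changelog entry ties it to bsc#1210386 and four identifiers (CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554) while the file name carries only the first. Add a short header naming the bug reference and all four CVEs so the patch is self-describing when it is carried forward. The first hunk itself, which extends `register const char *cp;` to `register const char *cp, *end;`, needs no change.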
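Review bot: in the second mstolfp.c hunk, the new length check is a conservative upper bound rather than an exact one, and that deserves a word in the comment: the `while (isdigit((unsigned char)*end) || *end == '.')` scan advances over any number of `.` characters, so for an input such as `1.2.3` the length `end - cp` covers all three segments even though the conversion below only looks for a single decimal point (per "Search forward for the decimal point or the end of the string"). Over-estimating is the safe direction for a bounds check against `buf[100]`, so the logic is fine; the `+ 4` matches the stated worst case of `.` expanding to `0.000`, and using `>=` rather than `>` keeps one byte free for a terminating NUL. Separately, `end - cp + 4` is a signed `ptrdiff_t` while `sizeof (buf) - (bp - buf)` is `size_t`; both sides are non-negative here since `end >= cp` and `bp >= buf`, so the implicit conversion is harmless, but an explicit `(size_t)` cast on the left would keep the comparison warning-free under `-Wsign-compare`.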