On Sun, Oct 25, 2015 at 11:51:24AM +0100, Kurt Roeckx wrote: > On Sun, Oct 25, 2015 at 11:19:03AM +0100, Kurt Roeckx wrote: > > On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote: > > > I've looked through the upstream repository for the patches that fix he > > > recently announced issues. Quite a few of them turned out not to apply > > > to squeeze, or the newer stable releases, and I've updated the security > > > tracker accordingly. > > > > > > I backported the remaining fixes as best I can, and uploaded the source > > > package to: > > > https://people.debian.org/~benh/packages/squeeze-lts/ > > > > > > Would you be willing to review this package? > > > > > > I noticed that you entirely reverted the upstream patch that was > > > supposed to fix CVE-2015-7704 and -7705, and then applied a different > > > fix for -7704. I think this means -7705 isn't fixed in sid, though the > > > security tracker currently says it is. Who's right? > > > > I can't seem to ge getting much information out of anything from > > upstream. Lots of things don't seem to be affecting the 4.2.6 > > version. > > > > From what I currently understand the following don't apply to the > > 4.2.6 versions: > > CVE-2015-5196 > > So it seems they renamed CVE-2015-5196 to CVE-2015-7703. Your > patch probably makes sense and I should get that fixed in jessie > and wheezy too.
I actually got that fixed, the patch is just named ntp-4.2.6p5-cve-2015-5196.patch and note -7703. > I'm just wondering why you didn't move the T_Pidfile like upstream > did, that part seems to apply. > > (I have to go now, will look at it later again.) Your bug-2899.patch patch looks a little different. You have: @@ -2207,8 +2221,8 @@ crypto_bob( vp->sig = emalloc(sign_siglen); EVP_SignInit(&ctx, sign_digest); EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); - EVP_SignUpdate(&ctx, vp->ptr, vallen); - if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) + EVP_SignUpdate(&ctx, vp->ptr, len); + if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) vp->siglen = htonl(sign_siglen); return (XEVNT_OK); } The patch from upstream and the one from redhat has: @@ -2214,9 +2228,9 @@ crypto_bob( vp->sig = emalloc(sign_siglen); EVP_SignInit(&ctx, sign_digest); EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); - EVP_SignUpdate(&ctx, vp->ptr, vallen); - if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) - vp->siglen = htonl(sign_siglen); + EVP_SignUpdate(&ctx, vp->ptr, len); + if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) + vp->siglen = htonl(len); return (XEVNT_OK); } As in, the htonl() call changes sign_siglen to len. Your CVE-2015-7850 patch, in mvsyslog() calls vsnprintf() while mine calls mvsnprintf(). You somehow seems to have the patches applied, you have a .pc directory in it ... So you applied the following patches: CVE-2015-5300.patch bug-2899.patch (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) CVE-2015-7701.patch CVE-2015-7703.patch CVE-2015-7704.patch CVE-2015-7850.patch CVE-2015-7852.patch CVE-2015-7855.patch CVE-2015-7871.patch While I have addiotional patches for: CVE-2014-9750.patch (it was missing 1 patch while it was fixed it seems) ntp-4.2.6p5-cve-2015-5219.patch ntp-4.2.6p5-cve-2015-5195.patch ntp-4.2.6p5-cve-2015-5194.patch ntp-4.2.6p5-cve-2015-5146.patch CVE-2015-7705.patch CVE-2015-7851.patch CVE-2015-7853.patch Which leaves, which I think really don't affect 4.2.6: CVE-2015-7848 CVE-2015-7849 CVE-2015-7854 Should I just upload my patches? Kurt