On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote: > > Your bug-2899.patch patch looks a little different. You have: > > @@ -2207,8 +2221,8 @@ crypto_bob( > > vp->sig = emalloc(sign_siglen); > > EVP_SignInit(&ctx, sign_digest); > > EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); > > - EVP_SignUpdate(&ctx, vp->ptr, vallen); > > - if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) > > + EVP_SignUpdate(&ctx, vp->ptr, len); > > + if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) > > vp->siglen = htonl(sign_siglen); > > return (XEVNT_OK); > > } > > > > The patch from upstream and the one from redhat has: > > @@ -2214,9 +2228,9 @@ crypto_bob( > > vp->sig = emalloc(sign_siglen); > > EVP_SignInit(&ctx, sign_digest); > > EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); > > - EVP_SignUpdate(&ctx, vp->ptr, vallen); > > - if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey)) > > - vp->siglen = htonl(sign_siglen); > > + EVP_SignUpdate(&ctx, vp->ptr, len); > > + if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) > > + vp->siglen = htonl(len); > > return (XEVNT_OK); > > } > > > > > > As in, the htonl() call changes sign_siglen to len. > > No, it changes vallen to len. But in 4.2.6 vallen is ignored and the > previously calculated sign_siglen is assumed to be correct. I didn't > want to change that.
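Review bot: in the first hunk (@@ -2207,8 +2221,8 @@), EVP_SignFinal() writes the length of the signature it produced into len, but the following line still sets vp->siglen = htonl(sign_siglen), so the returned length is never used. Either assign htonl(len) as the second hunk does, or add a short comment next to the assignment saying that the precomputed sign_siglen is relied on deliberately, so the difference from the other version of the patch is not mistaken for an oversight.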
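Review bot: in the second hunk (@@ -2214,9 +2228,9 @@), the if around EVP_SignFinal() has no failure branch: when signing fails, vp->siglen is not set, the buffer from vp->sig = emalloc(sign_siglen) stays allocated, and control still reaches return (XEVNT_OK). Consider handling that path explicitly (free vp->sig and return an error event) so a failed signature is not reported as success.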
Will take a look at this.

> > While I have additional patches for:
> > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > seems)
>
> Which is split from CVE-2014-9297.

From what I understand CVE-2014-9297 was changed to CVE-2014-9750 and
CVE-2014-9298 to CVE-2014-9751 because someone mixed them up. There is
nothing split. In any case, there is a patch missing.

> > ntp-4.2.6p5-cve-2015-5219.patch
> > ntp-4.2.6p5-cve-2015-5195.patch
> > ntp-4.2.6p5-cve-2015-5194.patch
> > ntp-4.2.6p5-cve-2015-5146.patch
>
> These were already marked as no-DSA-required in the security tracker.

I don't see why we shouldn't fix them.

> > CVE-2015-7705.patch
>
> Where does this come from?

That's a good question. It just seems to be about logging, so that
seems to be wrong.

> > CVE-2015-7851.patch
>
> VMS only, so I didn't bother.
>
> > CVE-2015-7853.patch
>
> This really isn't needed because 4.2.6 doesn't have the incorrect cast
> from size_t to int. Please revert your change in the security tracker.

You're right, I somehow missed the casts.

Kurt