On Mon, Oct 26, 2015 at 06:55:06AM +0900, Ben Hutchings wrote:
> On Sun, 2015-10-25 at 22:45 +0100, Kurt Roeckx wrote:
> > On Mon, Oct 26, 2015 at 06:13:07AM +0900, Ben Hutchings wrote:
> [...]
> > > > While I have additional patches for:
> > > > CVE-2014-9750.patch (it was missing 1 patch while it was fixed it
> > > > seems)
> > >
> > > Which is split from CVE-2014-9297.
> >
> > From what I understand CVE-2014-9297 was changed to CVE-2014-9750
> > and CVE-2014-9298 to CVE-2014-9751 because someone mixed them up.
> > There is nothing split.
> >
> > In any case, there is a patch missing.
>
> OK, which one is that? I looked through the upstream commits for bug
> 2671 and they all seemed to have been included in CVE-2014-9297.patch.

*look confused* At some point 348fc9fa390c7894f589104fbca4d635868b7a45 was missing. But redhat has a diff that looks like: --- ntp_crypto.c +++ ntp_crypto.c @@ -1575,6 +1575,7 @@ EVP_MD_CTX ctx; /* signature context */ tstamp_t tstamp; /* NTP timestamp */ u_int32 temp32; + u_char *puch; /* * Extract the public key from the request. @@ -1596,9 +1597,9 @@ vallen = EVP_PKEY_size(pkey); vp->vallen = htonl(vallen); vp->ptr = emalloc(vallen); - ptr = vp->ptr; + puch = vp->ptr; temp32 = htonl(*cookie); - if (RSA_public_encrypt(4, (u_char *)&temp32, ptr, + if (RSA_public_encrypt(4, (u_char *)&temp32, puch, pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) { msyslog(LOG_ERR, "crypto_encrypt: %s", ERR_error_string(ERR_get_error(), NULL)); (Didn't look at what that does yet, looks like part of a change of a much older commit.) Kurt
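Review bot: the declaration `u_char *puch;` added in the first hunk (@@ -1575) is the only local in that block without a trailing comment; its neighbours carry `/* signature context */` and `/* NTP timestamp */`. Add one stating that it is the output buffer passed to `RSA_public_encrypt`, so the reason for a separate `u_char *` next to `ptr` is recorded.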
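Review bot: in the second hunk (@@ -1596), `puch = vp->ptr;` replaces the only visible assignment to `ptr`, so any later code in this function that still reads `ptr` would now see whatever it held before; check the rest of the function for remaining uses. If `puch` exists only to give the third argument of `RSA_public_encrypt` the right pointer type, passing `vp->ptr` with an explicit cast would avoid the extra local. The failure branch that logs `crypto_encrypt: %s` should also be checked for releasing the `emalloc(vallen)` buffer, which these lines do not show.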