Hi, Update ntp to 4.2.8p10. This fixes: CVE-2016-9042, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
They introduced a bunch of #ifdef OPENSSL_VERSION_NUMBER < 0x10100000L, I have added a defined(LIBRESSL_VERSION_NUMBER) to all of them. One patch is to prevent their regression tests from dumping core, then they pass. ok? bluhm Index: net/ntp/Makefile =================================================================== RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/Makefile,v retrieving revision 1.71 diff -u -p -r1.71 Makefile --- net/ntp/Makefile 14 Dec 2016 20:05:37 -0000 1.71 +++ net/ntp/Makefile 23 Mar 2017 21:56:24 -0000 @@ -6,7 +6,7 @@ COMMENT= Network Time Protocol reference # to confuse with the ports system's 'pN' convention, so convert it to # 'pl' for local use. -VERSION= 4.2.8p9 +VERSION= 4.2.8p10 DISTNAME= ntp-${VERSION} PKGNAME= ntp-${VERSION:S/p/pl/} CATEGORIES= net @@ -43,8 +43,11 @@ post-extract: @touch ${WRKDIR}/timestamp @find ${WRKSRC} -type f -print0 | xargs -0 touch -r ${WRKDIR}/timestamp +# patch-sntp_tests_packetProcessing_c triggers a ruby script to regenerate +# run-packetProcessing.c. Avoid ruby, run file does not change anyway. post-patch: cp ${WRKSRC}/sntp/loc/freebsd ${WRKSRC}/sntp/loc/openbsd + touch ${WRKSRC}/sntp/tests/run-packetProcessing.c post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ntp Index: net/ntp/distinfo =================================================================== RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/distinfo,v retrieving revision 1.23 diff -u -p -r1.23 distinfo --- net/ntp/distinfo 14 Dec 2016 20:05:37 -0000 1.23 +++ net/ntp/distinfo 23 Mar 2017 18:36:52 -0000 
@@ -1,2 +1,2 @@ -SHA256 (ntp-4.2.8p9.tar.gz) = tyQod3jhusYltEcyfJhR7t7wIFF6NUViXp9lKpDzC3I= -SIZE (ntp-4.2.8p9.tar.gz) = 7231884 +SHA256 (ntp-4.2.8p10.tar.gz) = 3dI2bmQhm576D3Q44GgA0Ns5SsXIjhPBe3DQ3N+ZuZ8= +SIZE (ntp-4.2.8p10.tar.gz) = 6998648 Index: net/ntp/patches/patch-include_libssl_compat_h =================================================================== RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/patches/patch-include_libssl_compat_h,v retrieving revision 1.1 diff -u -p -r1.1 patch-include_libssl_compat_h --- net/ntp/patches/patch-include_libssl_compat_h 14 Dec 2016 20:05:37 -0000 1.1 +++ net/ntp/patches/patch-include_libssl_compat_h 23 Mar 2017 20:47:57 -0000 @@ -1,8 +1,8 @@ $OpenBSD: patch-include_libssl_compat_h,v 1.1 2016/12/14 20:05:37 naddy Exp $ ---- include/libssl_compat.h.orig Mon Nov 21 13:28:40 2016 -+++ include/libssl_compat.h Wed Dec 14 00:01:48 2016 -@@ -25,7 +25,7 @@ - #include "openssl/rsa.h" +--- include/libssl_compat.h.orig Thu Mar 23 19:36:53 2017 ++++ include/libssl_compat.h Thu Mar 23 19:58:13 2017 +@@ -37,7 +37,7 @@ + #endif /* ----------------------------------------------------------------- */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L Index: net/ntp/patches/patch-include_ssl_applink_c =================================================================== RCS file: net/ntp/patches/patch-include_ssl_applink_c diff -N net/ntp/patches/patch-include_ssl_applink_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ net/ntp/patches/patch-include_ssl_applink_c 23 Mar 2017 20:55:56 -0000 
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- include/ssl_applink.c.orig Thu Mar 23 21:54:28 2017
++++ include/ssl_applink.c Thu Mar 23 21:55:47 2017
+@@ -14,7 +14,7 @@
+ # include "msvc_ssl_autolib.h"
+ # endif
+ # endif
+-# if OPENSSL_VERSION_NUMBER < 0x10100000L
++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ # include <openssl/applink.c>
+ # endif
+ # ifdef _MSC_VER
+@@ -41,7 +41,7 @@ void ssl_applink(void);
+ void
+ ssl_applink(void)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && ! defined(LIBRESSL_VERSION_NUMBER)
+ # ifdef WRAP_DBG_MALLOC
+ CRYPTO_set_mem_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free_ex);
+ # else
Index: net/ntp/patches/patch-libntp_libssl_compat_c
===================================================================
RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/patches/patch-libntp_libssl_compat_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-libntp_libssl_compat_c
--- net/ntp/patches/patch-libntp_libssl_compat_c 14 Dec 2016 20:05:37 -0000 1.1
+++ net/ntp/patches/patch-libntp_libssl_compat_c 23 Mar 2017 20:48:00 -0000
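Review bot: The LibreSSL guard added in both hunks of include/ssl_applink.c is repeated by hand in every other patch of this update (libssl_compat.c, ssl_init.c, msvc_ssl_autolib.h, regress_ssl.c, ntp-keygen.c), and nothing records that a new bare `OPENSSL_VERSION_NUMBER` comparison in a later upstream release needs the same treatment. A missed site may still compile and simply select the OpenSSL 1.1 code path against LibreSSL. I would add a line to the port Makefile next to the existing post-patch comment, `# On update: grep for new OPENSSL_VERSION_NUMBER checks and add LIBRESSL_VERSION_NUMBER.` Both ssl_applink.c hunks are excerpts; the `#if` arms continue outside them.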
@@ -1,12 +1,12 @@ $OpenBSD: patch-libntp_libssl_compat_c,v 1.1 2016/12/14 20:05:37 naddy Exp $ ---- libntp/libssl_compat.c.orig Mon Nov 21 13:28:40 2016 -+++ libntp/libssl_compat.c Wed Dec 14 00:02:37 2016 -@@ -23,7 +23,7 @@ - #include "ntp_types.h" +--- libntp/libssl_compat.c.orig Thu Mar 23 19:36:53 2017 ++++ libntp/libssl_compat.c Thu Mar 23 21:47:42 2017 +@@ -26,7 +26,7 @@ + /* ----------------------------------------------------------------- */ /* ----------------------------------------------------------------- */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +-#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L ++#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* ----------------------------------------------------------------- */ #include "libssl_compat.h" Index: net/ntp/patches/patch-libntp_ssl_init_c =================================================================== RCS file: net/ntp/patches/patch-libntp_ssl_init_c diff -N net/ntp/patches/patch-libntp_ssl_init_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ net/ntp/patches/patch-libntp_ssl_init_c 23 Mar 2017 20:59:47 -0000 @@ -0,0 +1,12 @@ +$OpenBSD$ +--- libntp/ssl_init.c.orig Thu Mar 23 21:54:28 2017 ++++ libntp/ssl_init.c Thu Mar 23 21:56:59 2017 +@@ -21,7 +21,7 @@ + + int ssl_init_done; + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + + static void + atexit_ssl_cleanup(void) Index: net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h =================================================================== RCS file: net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h diff -N net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h 23 Mar 2017 21:17:34 -0000 
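Review bot: In patch-libntp_libssl_compat_c the new condition mixes `&&` and `||` without parentheses, so it parses as `(defined(OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)` and the LibreSSL arm is no longer gated on `OPENSSL`. That is probably harmless, since LIBRESSL_VERSION_NUMBER should only be defined once the OpenSSL headers have been included, but the intent is clearer as `#if defined(OPENSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))`. The guarded block extends beyond the hunk.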
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- ports/winnt/include/msvc_ssl_autolib.h.orig Thu Mar 23 22:03:03 2017
++++ ports/winnt/include/msvc_ssl_autolib.h Thu Mar 23 22:17:23 2017
+@@ -85,7 +85,7 @@
+ * request in the object file, depending on the SSL version and the
+ * build variant.
+ */
+-# if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# if OPENSSL_VERSION_NUMBER >= 0x10100000L && ! defined(LIBRESSL_VERSION_NUMBER)
+ # pragma comment(lib, "libcrypto" LTAG_SIZE LTAG_RTLIB LTAG_DEBUG ".lib")
+ # else
+ # pragma comment(lib, "libeay32" LTAG_RTLIB LTAG_DEBUG ".lib")
Index: net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c
===================================================================
RCS file: net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c
diff -N net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c 23 Mar 2017 20:59:43 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- sntp/libevent/test/regress_ssl.c.orig Thu Mar 23 21:54:28 2017
++++ sntp/libevent/test/regress_ssl.c Thu Mar 23 21:59:01 2017
+@@ -61,7 +61,7 @@
+
+ #include <string.h>
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define OpenSSL_version_num SSLeay
+ #endif /* OPENSSL_VERSION_NUMBER */
+
+@@ -130,7 +130,7 @@ getcert(void)
+ X509_set_subject_name(x509, name);
+ X509_set_issuer_name(x509, name);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ X509_time_adj(X509_get_notBefore(x509), 0, &now);
+ now += 3600;
+ X509_time_adj(X509_get_notAfter(x509), 0, &now);
Index: net/ntp/patches/patch-sntp_tests_packetProcessing_c
===================================================================
RCS file: net/ntp/patches/patch-sntp_tests_packetProcessing_c
diff -N net/ntp/patches/patch-sntp_tests_packetProcessing_c
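Review bot: patch-ports_winnt_include_msvc_ssl_autolib_h changes a header under ports/winnt whose only visible content is MSVC `#pragma comment(lib, ...)` directives, so it is presumably never compiled by this port. Carrying it adds a patch that must be regenerated on every update without changing the OpenBSD build; I would drop it, or keep it only with a comment line in the patch such as `Windows-only, kept so the diff can go upstream unchanged`. The same applies to the first hunk of patch-include_ssl_applink_c, which sits between the `msvc_ssl_autolib.h` include and the `_MSC_VER` test.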
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ net/ntp/patches/patch-sntp_tests_packetProcessing_c 23 Mar 2017 21:42:26 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- sntp/tests/packetProcessing.c.orig Thu Mar 23 22:30:58 2017
++++ sntp/tests/packetProcessing.c Thu Mar 23 22:42:11 2017
+@@ -76,7 +76,7 @@ PrepareAuthenticationTest(
+ key_ptr->next = NULL;
+ key_ptr->key_id = key_id;
+ key_ptr->key_len = key_len;
+- memcpy(key_ptr->type, "MD5", 3);
++ strlcpy(key_ptr->type, "MD5", sizeof(key_ptr->type));
+
+ TEST_ASSERT_TRUE(key_len < sizeof(key_ptr->key_seq));
+
Index: net/ntp/patches/patch-util_ntp-keygen_c
===================================================================
RCS file: net/ntp/patches/patch-util_ntp-keygen_c
diff -N net/ntp/patches/patch-util_ntp-keygen_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ net/ntp/patches/patch-util_ntp-keygen_c 23 Mar 2017 20:59:45 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- util/ntp-keygen.c.orig Thu Mar 23 21:54:28 2017
++++ util/ntp-keygen.c Thu Mar 23 21:59:33 2017
+@@ -474,7 +474,7 @@ main(
+ /*
+ * Seed random number generator and grow weeds.
+ */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+ #endif /* OPENSSL_VERSION_NUMBER */
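Review bot: patch-sntp_tests_packetProcessing_c carries no explanation under `$OpenBSD$`, and the reason for replacing `memcpy(key_ptr->type, "MD5", 3)` with `strlcpy` is not evident from the hunk alone: the old call copied three bytes and no terminator, so any later string read of `type` depended on what the buffer held before. Whether the buffer is zeroed at allocation is outside the hunk, so this is the likely rather than confirmed cause of the core dump mentioned in the mail. I would add a description line to the patch, e.g. `NUL-terminate key type; memcpy of 3 bytes left it unterminated and the tests crashed`, and mention that `strlcpy` is not available in every libc if the change is sent upstream.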