On Thu, Mar 23, 2017 at 11:09:37PM +0100, Alexander Bluhm wrote:
> Update ntp to 4.2.8p10.  This fixes:

Anyone?  If no one objects, I will commit this.

bluhm

> CVE-2016-9042, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455,
> CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462,
> CVE-2017-6463, CVE-2017-6464
> 
> They introduced a bunch of #if OPENSSL_VERSION_NUMBER < 0x10100000L checks;
> I have added a defined(LIBRESSL_VERSION_NUMBER) test to each of them.
> 
> One patch is to prevent their regression tests from dumping core,
> then they pass.
> 
> ok?
> 
> bluhm
> 
> Index: net/ntp/Makefile
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/Makefile,v
> retrieving revision 1.71
> diff -u -p -r1.71 Makefile
> --- net/ntp/Makefile  14 Dec 2016 20:05:37 -0000      1.71
> +++ net/ntp/Makefile  23 Mar 2017 21:56:24 -0000
> @@ -6,7 +6,7 @@ COMMENT=      Network Time Protocol reference
>  # to confuse with the ports system's 'pN' convention, so convert it to
>  # 'pl' for local use.
>  
> -VERSION=     4.2.8p9
> +VERSION=     4.2.8p10
>  DISTNAME=    ntp-${VERSION}
>  PKGNAME=     ntp-${VERSION:S/p/pl/}
>  CATEGORIES=  net
> @@ -43,8 +43,11 @@ post-extract:
>       @touch ${WRKDIR}/timestamp
>       @find ${WRKSRC} -type f -print0 | xargs -0 touch -r ${WRKDIR}/timestamp
>  
> +# patch-sntp_tests_packetProcessing_c triggers a ruby script to regenerate
> +# run-packetProcessing.c.  Avoid ruby, run file does not change anyway.
>  post-patch:
>       cp ${WRKSRC}/sntp/loc/freebsd ${WRKSRC}/sntp/loc/openbsd
> +     touch ${WRKSRC}/sntp/tests/run-packetProcessing.c
>  
>  post-install:
>       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/ntp
> Index: net/ntp/distinfo
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/distinfo,v
> retrieving revision 1.23
> diff -u -p -r1.23 distinfo
> --- net/ntp/distinfo  14 Dec 2016 20:05:37 -0000      1.23
> +++ net/ntp/distinfo  23 Mar 2017 18:36:52 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (ntp-4.2.8p9.tar.gz) = tyQod3jhusYltEcyfJhR7t7wIFF6NUViXp9lKpDzC3I=
> -SIZE (ntp-4.2.8p9.tar.gz) = 7231884
> +SHA256 (ntp-4.2.8p10.tar.gz) = 3dI2bmQhm576D3Q44GgA0Ns5SsXIjhPBe3DQ3N+ZuZ8=
> +SIZE (ntp-4.2.8p10.tar.gz) = 6998648
> Index: net/ntp/patches/patch-include_libssl_compat_h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/patches/patch-include_libssl_compat_h,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-include_libssl_compat_h
> --- net/ntp/patches/patch-include_libssl_compat_h     14 Dec 2016 20:05:37 -0000      1.1
> +++ net/ntp/patches/patch-include_libssl_compat_h     23 Mar 2017 20:47:57 -0000
> @@ -1,8 +1,8 @@
>  $OpenBSD: patch-include_libssl_compat_h,v 1.1 2016/12/14 20:05:37 naddy Exp $
> ---- include/libssl_compat.h.orig     Mon Nov 21 13:28:40 2016
> -+++ include/libssl_compat.h  Wed Dec 14 00:01:48 2016
> -@@ -25,7 +25,7 @@
> - #include "openssl/rsa.h"
> +--- include/libssl_compat.h.orig     Thu Mar 23 19:36:53 2017
> ++++ include/libssl_compat.h  Thu Mar 23 19:58:13 2017
> +@@ -37,7 +37,7 @@
> + #endif
>   
>   /* ----------------------------------------------------------------- */
>  -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> Index: net/ntp/patches/patch-include_ssl_applink_c
> ===================================================================
> RCS file: net/ntp/patches/patch-include_ssl_applink_c
> diff -N net/ntp/patches/patch-include_ssl_applink_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ net/ntp/patches/patch-include_ssl_applink_c       23 Mar 2017 20:55:56 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +--- include/ssl_applink.c.orig       Thu Mar 23 21:54:28 2017
> ++++ include/ssl_applink.c    Thu Mar 23 21:55:47 2017
> +@@ -14,7 +14,7 @@
> + #   include "msvc_ssl_autolib.h"
> + #  endif
> + # endif
> +-# if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> + #  include <openssl/applink.c>
> + # endif
> + # ifdef _MSC_VER
> +@@ -41,7 +41,7 @@ void ssl_applink(void);
> + void
> + ssl_applink(void)
> + {
> +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && ! defined(LIBRESSL_VERSION_NUMBER)
> + #   ifdef WRAP_DBG_MALLOC
> +     CRYPTO_set_mem_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free_ex);
> + #   else
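Review bot: The added `defined(LIBRESSL_VERSION_NUMBER)` tests are unconditional, so LibreSSL stays on the pre-1.1 code path even if a later LibreSSL release provides the interfaces these files switch on; the same applies to the guards added in ssl_init.c, msvc_ssl_autolib.h, regress_ssl.c and ntp-keygen.c. LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L, which is why the upstream checks select the wrong branch, and none of the new patch files records that. I would add a one-line comment under `$OpenBSD$` in each patch, e.g. `LibreSSL reports OPENSSL_VERSION_NUMBER 0x20000000L but does not provide the 1.1 API used here`, so the next update can tell when the patch may be dropped. The body of ssl_applink() continues outside the second inner hunk.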
> Index: net/ntp/patches/patch-libntp_libssl_compat_c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/ports/net/ntp/patches/patch-libntp_libssl_compat_c,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-libntp_libssl_compat_c
> --- net/ntp/patches/patch-libntp_libssl_compat_c      14 Dec 2016 20:05:37 -0000      1.1
> +++ net/ntp/patches/patch-libntp_libssl_compat_c      23 Mar 2017 20:48:00 -0000
> @@ -1,12 +1,12 @@
>  $OpenBSD: patch-libntp_libssl_compat_c,v 1.1 2016/12/14 20:05:37 naddy Exp $
> ---- libntp/libssl_compat.c.orig      Mon Nov 21 13:28:40 2016
> -+++ libntp/libssl_compat.c   Wed Dec 14 00:02:37 2016
> -@@ -23,7 +23,7 @@
> - #include "ntp_types.h"
> +--- libntp/libssl_compat.c.orig      Thu Mar 23 19:36:53 2017
> ++++ libntp/libssl_compat.c   Thu Mar 23 21:47:42 2017
> +@@ -26,7 +26,7 @@
> + /* ----------------------------------------------------------------- */
>   
>   /* ----------------------------------------------------------------- */
> --#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> +-#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L
> ++#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>   /* ----------------------------------------------------------------- */
>   
>   #include "libssl_compat.h"
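Review bot: In the new condition `&&` binds tighter than `||`, so it reads `(defined(OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)` and the LibreSSL test is no longer gated by `OPENSSL`. That is probably harmless as long as `LIBRESSL_VERSION_NUMBER` only becomes defined through the OpenSSL headers, whose inclusion is outside this hunk, but explicit grouping states the intent and survives later edits: `#if defined(OPENSSL) && (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER))`.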
> Index: net/ntp/patches/patch-libntp_ssl_init_c
> ===================================================================
> RCS file: net/ntp/patches/patch-libntp_ssl_init_c
> diff -N net/ntp/patches/patch-libntp_ssl_init_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ net/ntp/patches/patch-libntp_ssl_init_c   23 Mar 2017 20:59:47 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- libntp/ssl_init.c.orig   Thu Mar 23 21:54:28 2017
> ++++ libntp/ssl_init.c        Thu Mar 23 21:56:59 2017
> +@@ -21,7 +21,7 @@
> + 
> + int ssl_init_done;
> + 
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> + 
> + static void
> + atexit_ssl_cleanup(void)
> Index: net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h
> ===================================================================
> RCS file: net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h
> diff -N net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ net/ntp/patches/patch-ports_winnt_include_msvc_ssl_autolib_h      23 Mar 2017 21:17:34 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- ports/winnt/include/msvc_ssl_autolib.h.orig      Thu Mar 23 22:03:03 2017
> ++++ ports/winnt/include/msvc_ssl_autolib.h   Thu Mar 23 22:17:23 2017
> +@@ -85,7 +85,7 @@
> +  * request in the object file, depending on the SSL version and the
> +  * build variant.
> +  */
> +-# if OPENSSL_VERSION_NUMBER >= 0x10100000L
> ++# if OPENSSL_VERSION_NUMBER >= 0x10100000L && ! defined(LIBRESSL_VERSION_NUMBER)
> + #  pragma comment(lib, "libcrypto" LTAG_SIZE LTAG_RTLIB LTAG_DEBUG ".lib")
> + # else
> + #  pragma comment(lib, "libeay32" LTAG_RTLIB LTAG_DEBUG ".lib")
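Review bot: This header lives under ports/winnt and the changed branch only selects `#pragma comment(lib, ...)` library names for MSVC, so as far as the hunk shows the guard has no effect on an OpenBSD build. Carrying it means one more patch to regenerate on every ntp update. I would drop it from the port unless the whole LibreSSL set is meant to go upstream unchanged, in which case a comment under `$OpenBSD$` saying so would help.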
> Index: net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c
> ===================================================================
> RCS file: net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c
> diff -N net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ net/ntp/patches/patch-sntp_libevent_test_regress_ssl_c    23 Mar 2017 20:59:43 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +--- sntp/libevent/test/regress_ssl.c.orig    Thu Mar 23 21:54:28 2017
> ++++ sntp/libevent/test/regress_ssl.c Thu Mar 23 21:59:01 2017
> +@@ -61,7 +61,7 @@
> + 
> + #include <string.h>
> + 
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> + #define OpenSSL_version_num SSLeay
> + #endif /* OPENSSL_VERSION_NUMBER */
> + 
> +@@ -130,7 +130,7 @@ getcert(void)
> +     X509_set_subject_name(x509, name);
> +     X509_set_issuer_name(x509, name);
> + 
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> +     X509_time_adj(X509_get_notBefore(x509), 0, &now);
> +     now += 3600;
> +     X509_time_adj(X509_get_notAfter(x509), 0, &now);
> Index: net/ntp/patches/patch-sntp_tests_packetProcessing_c
> ===================================================================
> RCS file: net/ntp/patches/patch-sntp_tests_packetProcessing_c
> diff -N net/ntp/patches/patch-sntp_tests_packetProcessing_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ net/ntp/patches/patch-sntp_tests_packetProcessing_c       23 Mar 2017 21:42:26 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- sntp/tests/packetProcessing.c.orig       Thu Mar 23 22:30:58 2017
> ++++ sntp/tests/packetProcessing.c    Thu Mar 23 22:42:11 2017
> +@@ -76,7 +76,7 @@ PrepareAuthenticationTest(
> +     key_ptr->next = NULL;
> +     key_ptr->key_id = key_id;
> +     key_ptr->key_len = key_len;
> +-    memcpy(key_ptr->type, "MD5", 3);
> ++    strlcpy(key_ptr->type, "MD5", sizeof(key_ptr->type));
> + 
> +     TEST_ASSERT_TRUE(key_len < sizeof(key_ptr->key_seq));
> + 
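Review bot: The patch file does not record why `memcpy` is replaced. The old call copied exactly three bytes and left `key_ptr->type` without a terminating NUL, which is presumably what made the regression test dump core as the description says; a line under `$OpenBSD$` such as `Terminate the key type string, memcpy left it without a NUL` would keep that visible and make the fix easier to send upstream. `sizeof(key_ptr->type)` is only correct if `type` is an array member rather than a pointer; the struct declaration is outside the hunk, so that is worth confirming. PrepareAuthenticationTest starts and ends outside the hunk.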
> Index: net/ntp/patches/patch-util_ntp-keygen_c
> ===================================================================
> RCS file: net/ntp/patches/patch-util_ntp-keygen_c
> diff -N net/ntp/patches/patch-util_ntp-keygen_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ net/ntp/patches/patch-util_ntp-keygen_c   23 Mar 2017 20:59:45 -0000
> @@ -0,0 +1,12 @@
> +$OpenBSD$
> +--- util/ntp-keygen.c.orig   Thu Mar 23 21:54:28 2017
> ++++ util/ntp-keygen.c        Thu Mar 23 21:59:33 2017
> +@@ -474,7 +474,7 @@ main(
> +     /*
> +      * Seed random number generator and grow weeds.
> +      */
> +-#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> +     ERR_load_crypto_strings();
> +     OpenSSL_add_all_algorithms();
> + #endif /* OPENSSL_VERSION_NUMBER */
