Bug 15214

Summary: ntp new security issues CVE-2014-9297 and CVE-2014-9298 (aka CVE-2014-9750 and CVE-2014-9751)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/632252/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: ntp-4.2.6p5-15.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-02-06 14:21:54 CET 
Debian has issued an advisory on February 5:
https://www.debian.org/security/2015/dsa-3154

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE
Security Team and Harlan Stenn of Network Time Foundation discovered that the
length value in extension fields is not properly validated in several code
paths in ntp_crypto.c, which could lead to information leakage or denial of
service (CVE-2014-9297).

Stephen Roettger of the Google Security Team reported that ACLs based on IPv6
::1 (localhost) addresses can be bypassed (CVE-2014-9298).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
https://www.debian.org/security/2015/dsa-3154
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-15.3.mga4
ntp-client-4.2.6p5-15.3.mga4
ntp-doc-4.2.6p5-15.3.mga4

from ntp-4.2.6p5-15.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-02-06 17:25:06 CET

URL: (none) => http://lwn.net/Vulnerabilities/632252/

Comment 1 olivier charles 2015-02-07 11:36:37 CET 
Testing on Mageia 4x64 real hardware

From current packages :
---------------------
ntp-4.2.6p5-15.2.mga4
ntp-client-4.2.6p5-15.2.mga4

Stopped ntpd service, changed time, restarted ntpd and verified it corrected wrong time set.

To updated packages :
-------------------
ntp-4.2.6p5-15.3.mga4
ntp-client-4.2.6p5-15.3.mga4

Restarted ntpd service, verified its status, stopped ntpd, set wrong time, restarted ntpd, verified it set time correctly.

OK on Mageia4x64.

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

claire robinson 2015-02-09 20:00:05 CET

Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK

Comment 2 David Walser 2015-02-10 15:21:37 CET 
Updated packages running on our main server here.  Once installed (which restarts the service), waited a while and checked with ntpq -p to verify that it found remote servers and was synchronizing with them (* before one of them).

Note that I had to add this to ntp.conf for ntpq to work:
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1


I've added that in SVN and it will be included in the next update.  I should have added this in the CVE-2013-5211 update and didn't at the time unfortunately.


Testing complete Mageia 4 i586.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 3 claire robinson 2015-02-11 12:53:54 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-02-11 21:48:48 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0063.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2015-11-04 23:00:25 CET 
These CVEs have been replaced with CVE-2014-9750 and CVE-2014-9751 for some reason:
https://bugzilla.redhat.com/show_bug.cgi?id=1184573#c22
https://bugzilla.redhat.com/show_bug.cgi?id=1184572#c12

LWN reference for CVE-2014-9750:
http://lwn.net/Vulnerabilities/663111/

Summary: ntp new security issues CVE-2014-9297 and CVE-2014-9298 => ntp new security issues CVE-2014-9297 and CVE-2014-9298 (aka CVE-2014-9750 and CVE-2014-9751)

Comment 6 David Walser 2015-11-20 18:36:00 CET 
LWN reference for CVE-2014-9751:
http://lwn.net/Vulnerabilities/665250/