Bug 19128

Summary: busybox, openntpd new security issue CVE-2016-6301
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/696815/
Whiteboard: advisory
Source RPM: busybox-1.22.1-5.mga5.src.rpm, openntpd-3.9p1-11.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 17071    

Description David Walser 2016-08-04 14:21:50 CEST 
A security issue affecting busybox's ntpd implementation was announced:
https://bugzilla.redhat.com/show_bug.cgi?id=1363710

Apparently the code came from openntpd, which fixed the issue in 2009, but the fix never made it into busybox until recently.  It also never made it into our openntpd package, because apparently it's an old version and an unmaintained package.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated busybox and openntpd packages fix security vulnerability:

The busybox NTP implementation doesn't check the NTP mode of packets received
on the server port and responds to any packet with the right size. This
includes responses from another NTP server. An attacker can send a packet with
a spoofed source address in order to create an infinite loop of responses
between two busybox NTP servers. Adding more packets to the loop increases the
traffic between the servers until one of them has a fully loaded CPU and/or
network (CVE-2016-6301).

The affected code originated from openntpd, which had fixed it upstream, but
the fix had not made it into Mageia's openntpd package.  It has also been
patched with the fix in this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301
https://bugzilla.redhat.com/show_bug.cgi?id=1363710
========================

Updated packages in core/updates_testing:
========================
busybox-1.22.1-5.3.mga5
busybox-static-1.22.1-5.3.mga5
openntpd-3.9p1-11.1.mga5

from SRPMS:
busybox-1.22.1-5.3.mga5.src.rpm
openntpd-3.9p1-11.1.mga5.src.rpm
Comment 1 Dave Hodgins 2016-08-08 12:57:38 CEST 
Tested busybox using "busybox ntpd -d -q -p pool.ntp.org", but openntpd
hangs on start with
PID file /var/run/ntpd.pid not readable (yet?) after start.

The /etc/rc.d/init.d/ntpd script has
# pidfile: /var/run/ntpd.pid

No ntpd.pid file is created in /var/run/

Removing the pidfile line from the chkconfig settings in the start script
fixes the problem.

I haven't checked to see if this is a regression.

CC: (none) => davidwhodgins
Whiteboard: (none) => feedback

Comment 2 David Walser 2016-08-08 15:42:47 CEST 
Let's just pass this along.  openntpd has never been maintained since it was imported into Mageia and probably has other bugs too.  I added it to task-obsolete in Cauldron SVN.

Whiteboard: feedback => (none)

Dave Hodgins 2016-08-09 05:07:09 CEST

Keywords: (none) => validated_update
Whiteboard: (none) => advisory
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2016-08-09 10:59:23 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0277.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-08-09 20:11:56 CEST

URL: (none) => http://lwn.net/Vulnerabilities/696815/

Comment 4 David Walser 2016-08-11 22:53:54 CEST 
Oops, forgot to note that this update also fixed Bug 17071 for busybox.

Blocks: (none) => 17071