Bug 19128 - busybox, openntpd new security issue CVE-2016-6301
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/696815/
Whiteboard: advisory
Keywords: validated_update
Depends on:
Blocks: 17071
Reported: 2016-08-04 14:21 CEST by David Walser
Modified: 2016-08-11 22:53 CEST

See Also:
Source RPM: busybox-1.22.1-5.mga5.src.rpm, openntpd-3.9p1-11.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-08-04 14:21:50 CEST
A security issue affecting busybox's ntpd implementation was announced:
https://bugzilla.redhat.com/show_bug.cgi?id=1363710

Apparently the code came from openntpd, which fixed the issue in 2009, but the fix never made it into busybox until recently.  It also never made it into our openntpd package, because apparently it's an old version and an unmaintained package.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated busybox and openntpd packages fix security vulnerability:

The busybox NTP implementation doesn't check the NTP mode of packets received
on the server port and responds to any packet with the right size. This
includes responses from another NTP server. An attacker can send a packet with
a spoofed source address in order to create an infinite loop of responses
between two busybox NTP servers. Adding more packets to the loop increases the
traffic between the servers until one of them has a fully loaded CPU and/or
network (CVE-2016-6301).

The affected code originated from openntpd, which had fixed it upstream, but
the fix had not made it into Mageia's openntpd package.  It has also been
patched with the fix in this update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301
https://bugzilla.redhat.com/show_bug.cgi?id=1363710
========================

Updated packages in core/updates_testing:
========================
busybox-1.22.1-5.3.mga5
busybox-static-1.22.1-5.3.mga5
openntpd-3.9p1-11.1.mga5

from SRPMS:
busybox-1.22.1-5.3.mga5.src.rpm
openntpd-3.9p1-11.1.mga5.src.rpm
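
The missing mode check described in the advisory, modelled as an added example (this is not the busybox or openntpd patch). All function and macro names are hypothetical, the packet is a constructed sample, and every reply is assumed to be a mode 4 (server) packet delivered to the other server.

```c
#include <stddef.h>
#include <stdint.h>

#define NTP_LEN_NOAUTH  48   /* bare NTP header */
#define NTP_LEN_AUTH    68   /* header + key id + 16-byte digest */
#define NTP_MODE_MASK   0x07 /* first byte is LI:2 | VN:3 | Mode:3 */
#define NTP_MODE_CLIENT 3
#define NTP_MODE_SERVER 4

typedef int (*reply_policy)(const uint8_t *pkt, size_t len);

static int size_ok(size_t len)
{
    return len == NTP_LEN_NOAUTH || len == NTP_LEN_AUTH;
}

/* Behaviour the advisory describes: any packet of the right size is answered. */
int size_only_policy(const uint8_t *pkt, size_t len)
{
    (void)pkt;
    return size_ok(len);
}

/* Hardened check: answer only client requests, never another server's reply. */
int mode_checked_policy(const uint8_t *pkt, size_t len)
{
    return size_ok(len) && (pkt[0] & NTP_MODE_MASK) == NTP_MODE_CLIENT;
}

/* Model two servers sharing one policy: count replies triggered by a single
 * incoming packet of mode first_mode, capped so the simulation terminates. */
int count_replies(reply_policy should_reply, uint8_t first_mode, int cap)
{
    uint8_t pkt[NTP_LEN_NOAUTH] = {0};   /* constructed sample packet */
    int replies = 0;

    pkt[0] = (uint8_t)((4u << 3) | (first_mode & NTP_MODE_MASK)); /* VN=4 */
    while (replies < cap && should_reply(pkt, sizeof pkt)) {
        /* The reply is a mode 4 packet, delivered to the other server. */
        pkt[0] = (uint8_t)((4u << 3) | NTP_MODE_SERVER);
        replies++;
    }
    return replies;
}
```

With the size-only policy the reply count always reaches the cap; with the mode check a client request gets exactly one reply and a server-mode packet gets none.
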
Comment 1 Dave Hodgins 2016-08-08 12:57:38 CEST
Tested busybox using "busybox ntpd -d -q -p pool.ntp.org", but openntpd
hangs on start with
PID file /var/run/ntpd.pid not readable (yet?) after start.

The /etc/rc.d/init.d/ntpd script has
# pidfile: /var/run/ntpd.pid

No ntpd.pid file is created in /var/run/

Removing the pidfile line from the chkconfig settings in the start script
fixes the problem.

I haven't checked to see if this is a regression.

CC: (none) => davidwhodgins
Whiteboard: (none) => feedback

Comment 2 David Walser 2016-08-08 15:42:47 CEST
Let's just pass this along.  openntpd has never been maintained since it was imported into Mageia and probably has other bugs too.  I added it to task-obsolete in Cauldron SVN.

Whiteboard: feedback => (none)

Dave Hodgins 2016-08-09 05:07:09 CEST

Keywords: (none) => validated_update
Whiteboard: (none) => advisory
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2016-08-09 10:59:23 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0277.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-08-09 20:11:56 CEST

URL: (none) => http://lwn.net/Vulnerabilities/696815/

Comment 4 David Walser 2016-08-11 22:53:54 CEST
Oops, forgot to note that this update also fixed Bug 17071 for busybox.

Blocks: (none) => 17071
