Fedora has issued an advisory on August 30: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/437XM4CMBCMPK7D2RSEUZIRLFZD5ZNRD/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some who worked on ntp before.
Assignee: bugsquad => pkg-bugsSource RPM: (none) => ntpCC: (none) => guichard.adrien, guillomovitch, lists.jjorge, marja11
Suggested advisory: ======================== The updated packages fix a security vulnerability: Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. (CVE-2018-12327) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327 ======================== Updated packages in core/updates_testing: ======================== ntp-4.2.8p12-1.mga6 ntp-perl-4.2.8p12-1.mga6 ntpdate-4.2.8p12-1.mga6 sntp-4.2.8p12-1.mga6 ntp-doc-4.2.8p12-1.mga6 from SRPMS: ntp-4.2.8p12-1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDCC: (none) => nicolas.salgueroWhiteboard: MGA6TOO => (none)Version: Cauldron => 6Source RPM: ntp => ntp-4.2.8p11-1.1.mga6.src.rpm
CVE: (none) => CVE-2018-12327
CC: (none) => tmbKeywords: (none) => advisory
In VirtualBox, M6, Mate, 64-bit Test procedure per: https://bugs.mageia.org/show_bug.cgi?id=22978#c9 Package(s) under test: ntp ntpdata default install of ntp & ntpdate [root@localhost wilcal]# urpmi ntp Package ntp-4.2.8p11-1.1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi ntpdate Package ntpdate-4.2.8p11-1.1.mga6.x86_64 is already installed [root@localhost wilcal]# systemctl stop ntpd [root@localhost wilcal]# systemctl start ntpdate [root@localhost wilcal]# systemctl status ntpdate ● ntpdate.service - Set time via NTP Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled) Active: active (exited) since Thu 2018-09-06 09:43:33 PDT; 23s ago Process: 3859 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS) Main PID: 3859 (code=exited, status=0/SUCCESS) Sep 06 09:43:30 localhost systemd[1]: Starting Set time via NTP... Sep 06 09:43:33 localhost systemd[1]: Started Set time via NTP. Packages work, time from network updated install ntp & ntpdate from updates_testing [root@localhost wilcal]# urpmi ntp Package ntp-4.2.8p12-1.mga6.x86_64 is already installed [root@localhost wilcal]# urpmi ntpdate Package ntpdate-4.2.8p12-1.mga6.x86_64 is already installed reboot system [root@localhost wilcal]# systemctl stop ntpd [root@localhost wilcal]# systemctl start ntpdate [root@localhost wilcal]# systemctl status ntpdate ● ntpdate.service - Set time via NTP Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled) Active: active (exited) since Thu 2018-09-06 09:51:56 PDT; 8s ago Process: 2912 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS) Main PID: 2912 (code=exited, status=0/SUCCESS) Sep 06 09:51:53 localhost systemd[1]: Starting Set time via NTP... Sep 06 09:51:56 localhost systemd[1]: Started Set time via NTP. Packages work, time from network updated
Whiteboard: (none) => MGA6-64-OKCC: (none) => wilcal.int
In VirtualBox, M6, Mate, 32-bit Test procedure per: https://bugs.mageia.org/show_bug.cgi?id=22978#c9 Package(s) under test: ntp ntpdata default install of ntp & ntpdate [root@localhost wilcal]# urpmi ntp Package ntp-4.2.8p11-1.1.mga6.i586 is already installed [root@localhost wilcal]# urpmi ntpdate Package ntpdate-4.2.8p11-1.1.mga6.i586 is already installed [root@localhost wilcal]# systemctl stop ntpd [root@localhost wilcal]# systemctl start ntpdate [root@localhost wilcal]# systemctl status ntpdate Job for ntpdate.service failed because the control process exited with error code. See "systemctl status ntpdate.service" and "journalctl -xe" for details. [root@localhost wilcal]# systemctl status ntpdate ● ntpdate.service - Set time via NTP Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled) Active: failed (Result: exit-code) since Thu 2018-09-06 10:26:56 PDT; 31s ago Process: 4614 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=6) Main PID: 4614 (code=exited, status=6)........ Looks like I have a fail to start on this. The "journalctl -xe" listing is attached as "ntpdate fail systemctl code"
Created attachment 10357 [details] ntpdate fail systemctl code
Make sure chronyd is stopped before starting ntpdate.
(In reply to David Walser from comment #6) > Make sure chronyd is stopped before starting ntpdate. [root@localhost wilcal]# systemctl stop chronyd [root@localhost wilcal]# systemctl stop ntpd [root@localhost wilcal]# systemctl start ntpdate Job for ntpdate.service failed because the control process exited with error code. See "systemctl status ntpdate.service" and "journalctl -xe" for details. [root@localhost wilcal]# systemctl status ntpdate ● ntpdate.service - Set time via NTP Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; disabled; vendor preset: enabled) Active: failed (Result: exit-code) since Thu 2018-09-06 16:12:34 PDT; 1min 6s ago Process: 6495 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=6) Main PID: 6495 (code=exited, status=6) Sep 06 16:12:34 localhost systemd[1]: Starting Set time via NTP... Sep 06 16:12:34 localhost ntpdate-wrapper[6495]: NTP server not specified in /etc/ntp/step-tickers or /etc/ntp.conf Sep 06 16:12:34 localhost systemd[1]: ntpdate.service: Main process exited, code=exited, status=6/NOTCONFIGURED Sep 06 16:12:34 localhost systemd[1]: Failed to start Set time via NTP. Sep 06 16:12:34 localhost systemd[1]: ntpdate.service: Unit entered failed state. Sep 06 16:12:34 localhost systemd[1]: ntpdate.service: Failed with result 'exit-code'.
It tells you the problem right there in the output. You forgot to configure it.
(In reply to David Walser from comment #8) > It tells you the problem right there in the output. You forgot to configure > it. Why does the 64-bit run without being configured while the32-bit fails.
I also have no idea how to configure this.
This is what happens with the POC: CVE-2018-12327 https://www.exploit-db.com/exploits/44909/ Before: # ntpq -4 [`python -c 'print "A" * 300’`] bash: command substitution: line 1: unexpected EOF while looking for matching `'' bash: command substitution: line 2: syntax error: unexpected end of file Name or service not known ntpq> quit # ntpdc -4 [`python -c 'print "A" * 300'`] Name or service not known *** stack smashing detected ***: ntpdc terminated [...] 7ffebd5f9000-7ffebd5fc000 r--p 00000000 00:00 0 [vvar] 7ffebd5fc000-7ffebd5fe000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Aborted (core dumped) Afterwards: # ntpq -4 [`python -c 'print "A" * 300’`] Same result as before. # ntpdc -4 [`python -c 'print "A" * 300'`] ntpdc: bad hostname/address: Invalid argument ntpdc> quit The second test dealt with the exploit cleanly.
CC: (none) => tarazed25
@wilcal re comment 10. Just tried the 64-bit after update and ntpdate did not start. The journal indicated that there was a problem in /etc/ntp/step-tickers. That file was empty but there was step-tickers.rpmnew so tried copying that. # cp step-tickers.rpmnew step-tickers # systemctl start ntpdate [root@difda ntp]# systemctl status ntpdate ● ntpdate.service - Set time via NTP Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; enabled; vendor preset: enabled) Active: active (exited) since Fri 2018-09-07 01:26:36 BST; 8s ago Process: 20940 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS) Main PID: 20940 (code=exited, status=0/SUCCESS) Sep 07 01:26:33 difda systemd[1]: Starting Set time via NTP... Sep 07 01:26:36 difda systemd[1]: Started Set time via NTP. So try that.
Where do we stand on this?
Whiteboard: MGA6-64-OK => (none)
It works just fine if you configure it correctly. /etc/ntp.conf and /etc/ntp/step-tickers are the config files. I think our drak tools can even still configure it if chrony isn't installed. I don't understand what your difficulty is. ntpd hasn't changed in forever.
Whiteboard: (none) => MGA6-64-OK
+1. Just go ahead an OK it wilcal.
It's outta here. Thanks guys
CC: (none) => sysadmin-bugsWhiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OKKeywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0371.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED