diff --git a/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch b/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b28b09d4dc2b281fc421e9c3c10c747afa19419e
--- /dev/null
+++ b/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
@@ -0,0 +1,102 @@
+From 1e6893546c526c0961930b6b60a6aba42692dba9 Mon Sep 17 00:00:00 2001
+From: Harlan Stenn
+Date: Sat, 13 May 2023 05:23:33 UTC
+Subject: [PATCH] refclock_palisade:fix an out-of-bounds write in praecis_parse
+
+Conflict:NA
+Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
+
+---
+ ntpd/refclock_palisade.c | 50 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c
+index cb68255..66bfbc8 100644
+--- a/ntpd/refclock_palisade.c
++++ b/ntpd/refclock_palisade.c
+@@ -1225,9 +1225,9 @@ palisade_poll (
+ return; /* using synchronous packet input */
+
+ if(up->type == CLK_PRAECIS) {
+- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0)
++ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) {
+ msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit);
+- else {
++ } else {
+ praecis_msg = 1;
+ return;
+ }
+@@ -1249,20 +1249,53 @@ praecis_parse (
+
+ pp = peer->procptr;
+
+- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length);
++ if (p + rbufp->recv_length >= sizeof buf) {
++ struct palisade_unit *up;
++ up = pp->unitptr;
++
++ /*
++ * We COULD see if there is a \r\n in the incoming
++ * buffer before it overflows, and then process the
++ * current line.
++ *
++ * Similarly, if we already have a hunk of data that
++ * we're now flushing, that will cause the line of
++ * data we're in the process of collecting to be garbage.
++ *
++ * Since we now check for this overflow and log when it
++ * happens, we're now in a better place to easily see
++ * what's going on and perhaps better choices can be made.
++ */
++
++ /* Do we need to log the size of the overflow? 
*/
++ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow",
++ up->unit);
++
++ p = 0;
++ praecis_msg = 0;
++
++ refclock_report(peer, CEVNT_BADREPLY);
++
++ return;
++ }
++
++ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length);
+ p += rbufp->recv_length;
+
+- if(buf[p-2] == '\r' && buf[p-1] == '\n') {
++ if ( p >= 2
++ && buf[p-2] == '\r'
++ && buf[p-1] == '\n') {
+ buf[p-2] = '\0';
+ record_clock_stats(&peer->srcadr, buf);
+
+ p = 0;
+ praecis_msg = 0;
+
+- if (HW_poll(pp) < 0)
++ if (HW_poll(pp) < 0) {
+ refclock_report(peer, CEVNT_FAULT);
+-
++ }
+ }
++ return;
+ }
+
+ static void
+@@ -1407,7 +1440,10 @@ HW_poll (
+
+ /* Edge trigger */
+ if (up->type == CLK_ACUTIME)
+- write (pp->io.fd, "", 1);
++ if (write (pp->io.fd, "", 1) != 1)
++ msyslog(LOG_WARNING,
++ "Palisade(%d) HW_poll: failed to send trigger: %m",
++ up->unit);
+
+ if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) {
+ #ifdef DEBUG
+--
+2.33.0
+
+
diff --git a/ntp.spec b/ntp.spec
index b8f02ea6df02a9c7b1ada26da3786100d701b091..8713d486df005bb9f04ca40d30a3bac2f645a74c 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -2,7 +2,7 @@ Name: ntp
 Version: 4.2.8p15
-Release: 8
+Release: 9
 Summary: A protocol designed to synchronize the clocks of computers over a network
 License: MIT and BSD and BSD with advertising
 URL: https://www.ntp.org/
@@ -28,6 +28,7 @@ Patch5: Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
 Patch6: fix-MD5-manpage.patch
 Patch7: backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
 Patch8: backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
+Patch9: backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
 BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
 BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
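Review bot: The new overflow branch in praecis_parse clears `praecis_msg` and returns without calling `HW_poll(pp)`, whereas the successful `\r\n` branch just below it does call it, so after an oversized SPSTAT reply no time-packet trigger is issued until the next poll cycle and any remaining bytes of that reply are presumably routed to the non-Praecis receive path (the dispatch in palisade_receive is not in this hunk). If that fail-closed behaviour is intended it should be documented, e.g. `/* Drop the partial line; HW_poll() is deliberately skipped -- the next poll re-issues SPSTAT. */` above the `p = 0;` in that branch. The guard `p + rbufp->recv_length >= sizeof buf` appears to compare an int sum with a size_t (the declarations of the static `p`, `buf` and of `recv_length` are outside this hunk); a negative length would convert to a huge unsigned value and be rejected, which is the safe direction, but the fix should not rely on that silently and an explicit `rbufp->recv_length < 0` check would make the intent clear. This msyslog also fires on every oversized chunk from the serial device, so a faulty or hostile line can flood the log; consider rate-limiting it. The head of praecis_parse, with the declarations of `p`, `buf` and `rbufp`, lies before the hunk.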
@@ -211,6 +212,12 @@ make check
 %{_mandir}/man8/*.8*
 
 %changelog
+* Wed Jul 12 2023 chengyechun - 4.2.8p15-9
+- Type:CVE
+- ID:CVE-2023-26555
+- SUG:NA
+- DESC:fix out write bounds in praecis_parse
+
 * Wed Jun 21 2023 liubo - 4.2.8p15-8
 - Type:bugfix
 - ID: