Bug 1274263 (CVE-2015-7854)
| Summary: | CVE-2015-7854 ntp: password length memory corruption vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jrusnack, mlichvar, sardella |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ntp 4.2.8p4 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-10-23 07:53:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1260670 | ||
|
Description
Martin Prpič
2015-10-22 11:32:09 UTC
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7. In version 4.2.6 and earlier of NTP (shipped with RHEL 5, 6, 7), the key size is written in an array rather than dynamically allocated memory (as happens in 4.2.8). The following code handles the size allocation and is not vulnerable to the reported buffer overflow: sk->keylen = min(len, sizeof(sk->k.MD5_key)); memcpy(sk->k.MD5_key, key, sk->keylen); |