Bug 149652

Summary: CVE-2005-2496 improper group set when running ntpd
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: ntp
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: low
Priority: medium
Version: 4.0
CC: jnovy, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,reported=20050210,public=20050825,source=vendorsec
Fixed In Version: RHSA-2006-0393
Doc Type: Bug Fix
Last Closed: 2006-08-10 18:24:54 UTC
Bug Blocks: 181409    
Attachments:
ntp-4.2.0.a.20050816-10.1.src.rpm (Flags: none)

Description Josh Bressers 2005-02-24 20:48:06 UTC
+++ This bug was initially created as a clone of Bug #147743 +++

When starting xntpd with the -u option and specifying the group
by using a string, not a numeric gid, the daemon uses the gid of
the user, not the group.

reproduce:
        # rcxntpd start
        # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
        verify given and real IDs


The fix for this is in attachment 110943 [details].

Comment 2 Josh Bressers 2005-08-25 15:31:11 UTC
Lifting embargo

Comment 3 Petr Raszyk 2005-10-26 14:43:13 UTC
Fixed (by jryska)  on Thu Apr 14 2005 
with help (bressers) in:
devel, FC-4, FC-3, RHEL-4.

Patch (RHEL-4):  ntp-stable-4.2.0a-20040617-ntpd_guid.patch
Applying this patch -> ntpd/ntp.c (line 889):
----------------------------------------------------------------------

                        } else {
getgroup:
                                if ((gr = getgrnam(group)) != NULL) {
                                        sw_gid = gr->gr_gid;
                                } else {
                                        errno = 0;
                                        msyslog(LOG_ERR, "Cannot find group `%s'", group);
                                        exit (-1);
                                }
                        }
--------------------------------------------------------------------------

Comment 4 Gianluca Cecchi 2006-01-03 11:06:57 UTC
Any source rpm updates on this?
On CentOS4 (but it is the same for RH EL 4, no updates advisories posted on rhn)
I have:
[root@centos4 i386]# rpm -q ntp
ntp-4.2.0.a.20040617-4
 [root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15683     1  0 12:04 ?        00:00:00 ntpd -u ntp
[root@centos4 i386]# cat /proc/15683/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    0       0       0       0
May I assume -u ntp:ntp as a workaround?
In fact
[root@centos4 i386]# ntpd -u ntp:ntp
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15693     1  0 12:06 ?        00:00:00 ntpd -u ntp:ntp
[root@centos4 i386]# cat /proc/15693/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    38      38      38      38

HIH,
Thanks in advance,
Gianluca
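
The manual check in Comment 4 (compare the Uid: and Gid: lines of /proc/<pid>/status after the daemon has switched user) can be automated. The following is an added example, not part of the original report or of the ntp sources; the function names are hypothetical and the sample status text is constructed from the values shown in Comment 4.

```c
#include <stdio.h>
#include <string.h>

/* Real, effective, saved and filesystem IDs, in the order
 * /proc/<pid>/status prints them on its Uid: and Gid: lines. */
struct ids { unsigned long v[4]; };

/* Find the line starting with `key` (e.g. "Gid:") and read its four IDs.
 * Returns 0 on success, -1 if the line is missing or malformed. */
static int read_ids(const char *status, const char *key, struct ids *out)
{
    size_t klen = strlen(key);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, klen) == 0)
            return sscanf(p + klen, "%lu %lu %lu %lu", &out->v[0],
                          &out->v[1], &out->v[2], &out->v[3]) == 4 ? 0 : -1;
        p = strchr(p, '\n');
        if (p) p++;                 /* step to the start of the next line */
    }
    return -1;
}

/*  1: every UID field is non-root but a GID field is still 0 (this bug),
 *  0: no root GID left behind, or the process still holds UID 0,
 * -1: the status text could not be parsed. */
int gid_not_dropped(const char *status)
{
    struct ids uid, gid;
    if (read_ids(status, "Uid:", &uid) || read_ids(status, "Gid:", &gid))
        return -1;
    for (int i = 0; i < 4; i++)
        if (uid.v[i] == 0)
            return 0;               /* still root: no drop to evaluate */
    for (int i = 0; i < 4; i++)
        if (gid.v[i] == 0)
            return 1;               /* user switched, root group kept */
    return 0;
}

/* Constructed samples using the ID values shown in Comment 4. */
static const char SAMPLE_U_NTP[] = "Name:\tntpd\nUid:\t38\t38\t38\t38\nGid:\t0\t0\t0\t0\n";
static const char SAMPLE_U_NTP_NTP[] = "Name:\tntpd\nUid:\t38\t38\t38\t38\nGid:\t38\t38\t38\t38\n";

int main(void)
{
    printf("ntpd -u ntp     -> %d\n", gid_not_dropped(SAMPLE_U_NTP));
    printf("ntpd -u ntp:ntp -> %d\n", gid_not_dropped(SAMPLE_U_NTP_NTP));
    return 0;
}
```

On a live system the same function can be fed the contents of /proc/<pid>/status for each running daemon; it does not inspect supplementary groups.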

Comment 5 Mark J. Cox 2006-01-03 11:22:48 UTC
(This issue was rated as low security severity, therefore it will not trigger
the creation of a security advisory by itself.  A fix has been committed to CVS,
so the fix will be part of any future ntp update)

Comment 6 Petr Raszyk 2006-01-03 12:07:01 UTC
Created attachment 122708 [details]
ntp-4.2.0.a.20050816-10.1.src.rpm

There is the latest *.src.rpm

Comment 8 Jindrich Novy 2006-04-06 13:45:45 UTC
devel ack for U4.

Comment 13 Red Hat Bugzilla 2006-08-10 18:24:54 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0393.html