Red Hat Bugzilla – Bug 1274263
CVE-2015-7854 ntp: password length memory corruption vulnerability
Last modified: 2015-10-30 08:42:43 EDT
The following flaw was found in ntpd:
A potential buffer overflow vulnerability exists in the password management functionality of ntp. A specially crafted key file could cause a buffer overflow potentially resulting in memory being modified. An attacker could provide a malicious password to trigger this vulnerability.
This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7.
In NTP 4.2.6 and earlier (the versions shipped with RHEL 5, 6, and 7), the key is stored in a fixed-size array rather than in dynamically allocated memory (as happens in 4.2.8). The following code clamps the copied length to the size of that array and is therefore not vulnerable to the reported buffer overflow:
sk->keylen = min(len, sizeof(sk->k.MD5_key));
memcpy(sk->k.MD5_key, key, sk->keylen);
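As an added illustration (not code from this bug report or from ntpd), the same clamping pattern applied to a small parser for a constructed key-file line; the 32-byte array size, the "keyno M password" line layout and the sentinel field are assumptions made for the example:

```c
/* Added example, not ntpd code: store an MD5 key from a key-file line into a
 * fixed-size array, clamping the length exactly as the 4.2.6 snippet does so
 * that an over-long password cannot write past the array. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MD5_KEY_LEN 32          /* assumed array size, like sk->k.MD5_key */
#define SENTINEL 0xCAFEBABEu    /* canary placed right after the key array */

struct savekey {
    int keyid;
    size_t keylen;
    unsigned char MD5_key[MD5_KEY_LEN];
    unsigned int sentinel;      /* must survive the copy untouched */
};

/* Copy at most sizeof(MD5_key) bytes of the password; returns the stored length. */
size_t store_md5_key(struct savekey *sk, const char *key, size_t len)
{
    size_t n = len < sizeof(sk->MD5_key) ? len : sizeof(sk->MD5_key);
    sk->keylen = n;
    memcpy(sk->MD5_key, key, n);
    return n;
}

/* Parse one constructed "keyno M password" line (assumed format).
 * Returns 0 on success, -1 on a malformed line or unsupported key type. */
int parse_key_line(const char *line, struct savekey *sk)
{
    char type[8];
    char pw[256];

    memset(sk, 0, sizeof(*sk));
    sk->sentinel = SENTINEL;
    if (sscanf(line, "%d %7s %255s", &sk->keyid, type, pw) != 3)
        return -1;
    if (strcmp(type, "M") != 0 && strcmp(type, "MD5") != 0)
        return -1;
    store_md5_key(sk, pw, strlen(pw));
    return 0;
}
```

A 40-character password is truncated to 32 bytes and the sentinel after the array is left intact, which is the property the clamp guarantees.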