Bug 1274264 - (CVE-2015-7855) CVE-2015-7855 ntp: ASSERT in decodenetnum() on invalid values
CVE-2015-7855 ntp: ASSERT in decodenetnum() on invalid values
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20151021,reported=2...
: Security
Depends On: 1296162
Blocks: 1260670
  Show dependency treegraph
 
Reported: 2015-10-22 07:32 EDT by Martin Prpič
Modified: 2016-05-09 21:53 EDT (History)
7 users (show)

See Also:
Fixed In Version: ntp 4.2.8p4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-07 08:22:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2024443 None None None Never

  None (edit)
Description Martin Prpič 2015-10-22 07:32:33 EDT
It was found that NTP's decodenetnum() would abort with an assertion failure when processing a mode 6 or mode 7 packet containing an unusually long data value where a network address was expected. This could allow an authenticated attacker to crash ntpd.

External References:

https://github.com/ntp-project/ntp/blob/stable/NEWS#L295
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Comment 5 Martin Prpič 2016-01-06 08:54:04 EST
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1296162]
Comment 7 Martin Prpič 2016-01-07 08:22:05 EST
Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include support for the mrulist feature, which exposes the decodenetnum() function.

Note You need to log in before you can comment on or make changes to this bug.