It was found that ntpq did not implement a proper length check when calling nextvar(), which executes a memcpy() on the name buffer. A remote attacker could potentially use this flaw to crash an ntpq client instance.

Upstream patch: https://github.com/ntp-project/ntp/commit/12f1323d18c8d74eb14fb5ac5574183d779794c5
External References:
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0072/
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1300277]
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the affected code, which was introduced in version 4.2.8 of NTP.
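
Added illustration, not ntpq's code and not the upstream patch: a name copy from a comma-separated name=value list that checks the length before calling memcpy(), which is the kind of check the description says was missing. The helper names, the 16-byte NAME_SZ and the sample string are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SZ 16 /* assumed size for this example, not ntpq's real limit */
enum { VAR_END = 0, VAR_OK = 1, VAR_BAD = -1 };

/* Hypothetical helper: read the next "name[=value]" item from [*cur, end).
 * The name is copied only after its length is checked against name_sz. */
static int next_var_checked(const char **cur, const char *end, char *name,
                            size_t name_sz, const char **val, size_t *val_len)
{
    const char *p = *cur, *start;
    size_t len;
    while (p < end && (*p == ',' || *p == ' ')) p++;   /* skip separators */
    if (p >= end) { *cur = end; return VAR_END; }
    start = p;
    while (p < end && *p != '=' && *p != ',') p++;     /* end of the name */
    len = (size_t)(p - start);
    if (len == 0 || len >= name_sz) {      /* length is chosen by the peer */
        while (p < end && *p != ',') p++;  /* drop the whole item */
        *cur = p;
        return VAR_BAD;
    }
    memcpy(name, start, len);              /* bounded: len < name_sz */
    name[len] = '\0';
    *val = NULL; *val_len = 0;
    if (p < end && *p == '=') {
        *val = ++p;
        while (p < end && *p != ',') p++;
        *val_len = (size_t)(p - *val);
    }
    *cur = p;
    return VAR_OK;
}

/* Walk a buffer: returns accepted items, counts rejected ones in *rejected.
 * last must hold NAME_SZ bytes; it ends up with the last accepted name. */
static int scan_vars(const char *buf, size_t n, int *rejected, char *last)
{
    const char *cur = buf, *val; size_t vlen; int rc, ok = 0;
    for (*rejected = 0; (rc = next_var_checked(&cur, buf + n, last, NAME_SZ, &val, &vlen)) != VAR_END; )
        if (rc == VAR_OK) ok++; else (*rejected)++;
    return ok;
}

int main(void)
{
    /* Constructed sample: the third item's name does not fit in NAME_SZ. */
    const char *s = "stratum=2, leap=0, AAAAAAAAAAAAAAAAAAAAAAAA=1, offset=0.5";
    char last[NAME_SZ]; int bad, ok = scan_vars(s, strlen(s), &bad, last);
    printf("accepted=%d rejected=%d last=%s\n", ok, bad, last);
    return 0;
}
```

The oversized item is skipped as a unit, so parsing resumes at the next comma rather than truncating the name and accepting it.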