Bug 1300267 (CVE-2015-7975) - CVE-2015-7975 ntp: nextvar() missing length check in ntpq
Summary: CVE-2015-7975 ntp: nextvar() missing length check in ntpq
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-7975
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1300277
Blocks: 1297474
Reported: 2016-01-20 11:41 UTC by Martin Prpič
Modified: 2021-02-17 04:29 UTC

Fixed In Version: ntp 4.2.8p6
Clone Of:
Environment:
Last Closed: 2016-01-20 14:34:17 UTC
Embargoed:



Description Martin Prpič 2016-01-20 11:41:42 UTC
It was found that ntpq did not implement a proper length check when calling nextvar(), which executes a memcpy(), on the name buffer.

A remote attacker could potentially use this flaw to crash an ntpq client instance.

Upstream patch:

https://github.com/ntp-project/ntp/commit/12f1323d18c8d74eb14fb5ac5574183d779794c5
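
The class of check described above, as an added example (not ntpq's code and not the upstream patch): a simplified "name=value" list parser that verifies the name length before the memcpy() into a fixed-size buffer. NAME_BUF, next_name() and count_names() are hypothetical names, and the list format is a simplification assumed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32 /* assumed buffer size, not ntpq's actual constant */

/* Copy the next variable name from a "name=value, name=value" list into
 * name[]. Returns 1 on success, 0 when the data is exhausted, and -1 when
 * the name would not fit (the case a missing length check lets through). */
int next_name(const char **cursor, const char *end, char name[NAME_BUF])
{
    const char *p = *cursor;
    while (p < end && (*p == ',' || *p == ' '))
        p++;                            /* skip separators */
    if (p >= end)
        return 0;
    const char *start = p;
    while (p < end && *p != '=' && *p != ',')
        p++;                            /* find the end of the name */
    size_t n = (size_t)(p - start);
    if (n >= NAME_BUF)                  /* length check BEFORE the copy */
        return -1;
    memcpy(name, start, n);
    name[n] = '\0';
    while (p < end && *p != ',')
        p++;                            /* skip the value, if any */
    *cursor = p;
    return 1;
}

/* Walk a whole response; returns the number of names, or -1 if rejected. */
int count_names(const char *data, size_t len)
{
    char name[NAME_BUF];
    const char *cur = data, *end = data + len;
    int rc, count = 0;
    while ((rc = next_name(&cur, end, name)) == 1)
        count++;
    return rc < 0 ? -1 : count;
}

int main(void)
{
    const char sample[] = "offset=1.5, jitter=0.2"; /* constructed input */
    printf("%d names\n", count_names(sample, sizeof sample - 1));
    return 0;
}
```

The comparison is `n >= NAME_BUF` rather than `n > NAME_BUF` so that the terminating NUL always fits in the buffer.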

Comment 2 Martin Prpič 2016-01-20 12:01:48 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1300277]

Comment 3 Martin Prpič 2016-01-20 14:34:17 UTC
Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the affected code, which was introduced in version 4.2.8 of NTP.

