1300267 – (CVE-2015-7975) CVE-2015-7975 ntp: nextvar() missing length check in ntpq

Bug 1300267 (CVE-2015-7975) - CVE-2015-7975 ntp: nextvar() missing length check in ntpq

Summary: CVE-2015-7975 ntp: nextvar() missing length check in ntpq

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-7975
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1300277
Blocks:	1297474
TreeView+	depends on / blocked

Reported:	2016-01-20 11:41 UTC by Martin Prpič
Modified:	2021-02-17 04:29 UTC (History)
CC List:	1 user (show)
Fixed In Version:	ntp 4.2.8p6
Clone Of:
Environment:
Last Closed:	2016-01-20 14:34:17 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2016-01-20 11:41:42 UTC

It was found that ntpq did not implement a proper lenght check when calling nextvar(), which executes a memcpy(), on the name buffer.

A remote attacker could potentially use this flaw to crash an ntpq client instance.

Upstream patch:

https://github.com/ntp-project/ntp/commit/12f1323d18c8d74eb14fb5ac5574183d779794c5

Comment 1 Martin Prpič 2016-01-20 11:50:49 UTC

External References:

http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0072/

Comment 2 Martin Prpič 2016-01-20 12:01:48 UTC

Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1300277]

Comment 3 Martin Prpič 2016-01-20 14:34:17 UTC

Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include the affected code, which was introduced in version 4.2.8 of NTP.

Note You need to log in before you can comment on or make changes to this bug.