ntpd makes use of different wrappers around ctl_putdata() to create name/value ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to send string data (variable names or string data). The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in ntpd (longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer. Mitigation: Implement BCP-38. If you don't want to upgrade, then don't setvar variable names longer than 200-512 bytes in your ntp.conf file. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
Acknowledgments: Name: the NTP project Upstream: Cure53
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1435163]
Statement: The security assessment from cure53 clarifies that this issue (identified as NTP-01-0004) is not a vulnerability per se, but a weakness in ntp's internal coding style that may cause a vulnerability if particularly long variable names are defined at compile time. No such variable names are defined in upstream source code, nor in Fedora or Red Hat Enterprise Linux versions of ntp.