Bug 1435564 (CVE-2017-6452) - CVE-2017-6452 ntp: Stack Buffer Overflow from Command Line
Summary: CVE-2017-6452 ntp: Stack Buffer Overflow from Command Line
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-6452
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-24 09:01 UTC by Andrej Nemec
Modified: 2021-02-17 02:25 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-24 09:05:47 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-03-24 09:01:15 UTC 
The Windows installer for NTP calls strcat(), blindly appending the string passed to the stack buffer in the addSourceToRegistry() function. The stack buffer is 70 bytes smaller than the buffer in the calling main() function. Together with the initially copied Registry path, the combination causes a stack buffer overflow and effectively overwrites the stack frame. The passed application path is actually limited to 256 bytes by the operating system, but this is not sufficient to assure that the affected stack buffer is consistently protected against overflowing at all times. 

Upstream bug:

http://support.ntp.org/bin/view/Main/NtpBug3383

References:

http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
Comment 1 Andrej Nemec 2017-03-24 09:04:49 UTC 
Acknowledgments:

Name: the NTP project
Upstream: Cure53
Comment 2 Andrej Nemec 2017-03-24 09:05:47 UTC 
Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux.
Note You need to log in before you can comment on or make changes to this bug.