Bug 1435565 (CVE-2017-6459) - CVE-2017-6459 ntp: Data Structure terminated insufficiently
Summary: CVE-2017-6459 ntp: Data Structure terminated insufficiently
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-6459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-24 09:02 UTC by Andrej Nemec
Modified: 2021-02-17 02:25 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-03-24 09:05:52 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-03-24 09:02:36 UTC 
The Windows installer for NTP calls strcpy() with an argument that specifically contains multiple null bytes. strcpy() only copies a single terminating null character into the target buffer instead of copying the required double null bytes in the addKeysToRegistry() function. As a consequence, a garbage registry entry can be created. The additional arsize parameter is erroneously set to contain two null bytes and the following call to RegSetValueEx() claims to be passing in a multi-string value, though this may not be true.

Upstream bug:

http://support.ntp.org/bin/view/Main/NtpBug3382

References:

http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
Comment 1 Andrej Nemec 2017-03-24 09:04:52 UTC 
Acknowledgments:

Name: the NTP project
Upstream: Cure53
Comment 2 Andrej Nemec 2017-03-24 09:05:52 UTC 
Statement:

This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux.
Note You need to log in before you can comment on or make changes to this bug.