Bug 149652 - CVE-2005-2496 improper group set when running ntpd
CVE-2005-2496 improper group set when running ntpd
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ntp (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Miroslav Lichvar
Brian Brock
: Security
Depends On:
Blocks: 181409
  Show dependency treegraph
Reported: 2005-02-24 15:48 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2006-0393
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-10 14:24:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
ntp-4.2.0.a.20050816-10.1.src.rpm (2.40 MB, application/x-rpm)
2006-01-03 07:07 EST, Petr Raszyk
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0393 normal SHIPPED_LIVE Low: ntp security update 2006-08-10 00:00:00 EDT

  None (edit)
Description Josh Bressers 2005-02-24 15:48:06 EST
+++ This bug was initially created as a clone of Bug #147743 +++

When starting xntpd with the -u option and specifying the group
by using a string not a numeric gid the daemon uses the gid of
the user not the group.

        # rcxntpd start
        # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
        verify given and real IDs

The fix for this is in attachment 110943 [details].
Comment 2 Josh Bressers 2005-08-25 11:31:11 EDT
Lifting embargo
Comment 3 Petr Raszyk 2005-10-26 10:43:13 EDT
Fixed (by jryska@redhat.com)  on Thu Apr 14 2005 
with help (bressers@redhat.com) in:
devel, FC-4, FC-3, RHEL-4.

Patch (RHEL-4):  ntp-stable-4.2.0a-20040617-ntpd_guid.patch
Applying this patch -> ntpd/ntp.c (line 889):

                        } else {
                                if ((gr = getgrnam(group)) != NULL) {
                                        sw_gid = gr->gr_gid;
                                } else {
                                        errno = 0;
                                        msyslog(LOG_ERR, "Cannot find group
`%s'", group);
                                        exit (-1);
Comment 4 Gianluca Cecchi 2006-01-03 06:06:57 EST
any source rpm updates on this?
On CentOS4 (but it is the same for RH EL 4, no updates advisories posted on rhn)
I have:
[root@centos4 i386]# rpm -q ntp
 [root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15683     1  0 12:04 ?        00:00:00 ntpd -u ntp
[root@centos4 i386]# cat /proc/15683/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    0       0       0       0
May I assume -u ntp:ntp as a workaround?
[root@centos4 i386]# ntpd -u ntp:ntp
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15693     1  0 12:06 ?        00:00:00 ntpd -u ntp:ntp
[root@centos4 i386]# cat /proc/15693/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    38      38      38      38

Thanks in advance,
Comment 5 Mark J. Cox 2006-01-03 06:22:48 EST
(This issue was rated as low security severity, therefore it will not trigger
the creation of a security advisory by itself.  A fix has been committed to CVS,
so the fix will be part of any future ntp update)
Comment 6 Petr Raszyk 2006-01-03 07:07:01 EST
Created attachment 122708 [details]

There is the latest *.src.rpm
Comment 8 Jindrich Novy 2006-04-06 09:45:45 EDT
devel ack for U4.
Comment 13 Red Hat Bugzilla 2006-08-10 14:24:54 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.