Bug 149652 - CVE-2005-2496 improper group set when running ntpd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ntp
4.0
All Linux
medium Severity low
Assigned To: Miroslav Lichvar
Brian Brock
impact=low,reported=20050210,public=2...
: Security
Blocks: 181409
Reported: 2005-02-24 15:48 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST

Fixed In Version: RHSA-2006-0393
Doc Type: Bug Fix
Last Closed: 2006-08-10 14:24:54 EDT


Attachments
ntp-4.2.0.a.20050816-10.1.src.rpm (2.40 MB, application/x-rpm)
2006-01-03 07:07 EST, Petr Raszyk

Description Josh Bressers 2005-02-24 15:48:06 EST
+++ This bug was initially created as a clone of Bug #147743 +++

When starting xntpd with the -u option and specifying the group
by using a string not a numeric gid the daemon uses the gid of
the user not the group.

reproduce:
        # rcxntpd start
        # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
        verify given and real IDs


The fix for this is in attachment 110943.
Comment 2 Josh Bressers 2005-08-25 11:31:11 EDT
Lifting embargo
Comment 3 Petr Raszyk 2005-10-26 10:43:13 EDT
Fixed (by jryska@redhat.com)  on Thu Apr 14 2005 
with help (bressers@redhat.com) in:
devel, FC-4, FC-3, RHEL-4.

Patch (RHEL-4):  ntp-stable-4.2.0a-20040617-ntpd_guid.patch
Applying this patch -> ntpd/ntp.c (line 889):
----------------------------------------------------------------------

                        } else {
getgroup:
                                if ((gr = getgrnam(group)) != NULL) {
                                        sw_gid = gr->gr_gid;
                                } else {
                                        errno = 0;
                                        msyslog(LOG_ERR, "Cannot find group `%s'", group);
                                        exit (-1);
                                }
                        }
--------------------------------------------------------------------------
Comment 4 Gianluca Cecchi 2006-01-03 06:06:57 EST
any source rpm updates on this?
On CentOS4 (but it is the same for RH EL 4, no updates advisories posted on rhn)
I have:
[root@centos4 i386]# rpm -q ntp
ntp-4.2.0.a.20040617-4
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15683     1  0 12:04 ?        00:00:00 ntpd -u ntp
[root@centos4 i386]# cat /proc/15683/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    0       0       0       0
May I assume -u ntp:ntp as a workaround?
In fact
[root@centos4 i386]# ntpd -u ntp:ntp
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15693     1  0 12:06 ?        00:00:00 ntpd -u ntp:ntp
[root@centos4 i386]# cat /proc/15693/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    38      38      38      38

HIH,
Thanks in advance,
Gianluca
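
Added example, not code from ntpd or from this bug report: a C function that resolves a `-u user[:group]` argument so that an explicit group name is looked up and honoured, and an unknown group is an error, as in the snippet in Comment 3. The names `parse_id` and `resolve_ids` are hypothetical, and treating an omitted group as the user's primary group is an assumption chosen to match the `-u ntp:ntp` result shown in Comment 4.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Parse a decimal id; returns 0 on success, -1 if s is not purely numeric. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (*s < '0' || *s > '9' || errno || *end) ? -1 : 0;
}

/* Resolve "user[:group]" (names or numeric ids). An explicit group always
 * wins; the user's primary gid is used only when no group is given, and a
 * failed lookup is an error, never a silent fallback to some other gid.
 * Outputs are written only on success. Hypothetical helper, not ntpd code. */
int resolve_ids(const char *spec, uid_t *uid, gid_t *gid)
{
    char buf[256], *group;
    unsigned long n;
    uid_t u;
    gid_t g;
    struct passwd *pw = NULL;
    struct group *gr;

    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((group = strchr(buf, ':')) != NULL) *group++ = '\0';

    if (parse_id(buf, &n) == 0) u = (uid_t)n;
    else if ((pw = getpwnam(buf)) != NULL) u = pw->pw_uid;
    else return -1;

    if (group && *group) {
        if (parse_id(group, &n) == 0) g = (gid_t)n;
        else if ((gr = getgrnam(group)) != NULL) g = gr->gr_gid;
        else return -1;   /* unknown group: refuse, do not guess a gid */
    } else {
        if (!pw && (pw = getpwuid(u)) == NULL) return -1;
        g = pw->pw_gid;   /* assumption: no group given means primary group */
    }
    *uid = u;
    *gid = g;
    return 0;
}
```

A caller would pass the resolved ids to its privilege drop and then confirm the result the way Comment 4 does, by reading the `Uid:` and `Gid:` lines of `/proc/<pid>/status`.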
Comment 5 Mark J. Cox (Product Security) 2006-01-03 06:22:48 EST
(This issue was rated as low security severity, therefore it will not trigger
the creation of a security advisory by itself.  A fix has been committed to CVS,
so the fix will be part of any future ntp update)
Comment 6 Petr Raszyk 2006-01-03 07:07:01 EST
Created attachment 122708
ntp-4.2.0.a.20050816-10.1.src.rpm

There is the latest *.src.rpm
Comment 8 Jindrich Novy 2006-04-06 09:45:45 EDT
devel ack for U4.
Comment 13 Red Hat Bugzilla 2006-08-10 14:24:54 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0393.html
