Bug 149652 - CVE-2005-2496 improper group set when running ntpd
Summary: CVE-2005-2496 improper group set when running ntpd
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ntp
Version: 4.0
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Brian Brock
URL:
Whiteboard: impact=low,reported=20050210,public=2...
Keywords: Security
Depends On:
Blocks: 181409
 
Reported: 2005-02-24 20:48 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
Clone Of:
Last Closed: 2006-08-10 18:24:54 UTC


Attachments
ntp-4.2.0.a.20050816-10.1.src.rpm (2.40 MB, application/x-rpm)
2006-01-03 12:07 UTC, Petr Raszyk


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0393 normal SHIPPED_LIVE Low: ntp security update 2006-08-10 04:00:00 UTC

Description Josh Bressers 2005-02-24 20:48:06 UTC
+++ This bug was initially created as a clone of Bug #147743 +++

When starting xntpd with the -u option and specifying the group
by using a string not a numeric gid the daemon uses the gid of
the user not the group.

reproduce:
        # rcxntpd start
        # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
        verify given and real IDs


The fix for this is in attachment 110943.

Comment 2 Josh Bressers 2005-08-25 15:31:11 UTC
Lifting embargo

Comment 3 Petr Raszyk 2005-10-26 14:43:13 UTC
Fixed (by jryska@redhat.com)  on Thu Apr 14 2005 
with help (bressers@redhat.com) in:
devel, FC-4, FC-3, RHEL-4.

Patch (RHEL-4):  ntp-stable-4.2.0a-20040617-ntpd_guid.patch
Applying this patch -> ntpd/ntp.c (line 889):
----------------------------------------------------------------------

                        } else {
getgroup:
                                if ((gr = getgrnam(group)) != NULL) {
                                        sw_gid = gr->gr_gid;
                                } else {
                                        errno = 0;
                                        msyslog(LOG_ERR, "Cannot find group `%s'", group);
                                        exit (-1);
                                }
                        }
--------------------------------------------------------------------------

Comment 4 Gianluca Cecchi 2006-01-03 11:06:57 UTC
Any source rpm updates on this?
On CentOS4 (but it is the same for RH EL 4, no updates advisories posted on rhn)
I have:
[root@centos4 i386]# rpm -q ntp
ntp-4.2.0.a.20040617-4
 [root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15683     1  0 12:04 ?        00:00:00 ntpd -u ntp
[root@centos4 i386]# cat /proc/15683/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    0       0       0       0
May I assume -u ntp:ntp as a workaround?
In fact
[root@centos4 i386]# ntpd -u ntp:ntp
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15693     1  0 12:06 ?        00:00:00 ntpd -u ntp:ntp
[root@centos4 i386]# cat /proc/15693/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    38      38      38      38

HIH,
Thanks in advance,
Gianluca
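
A check for the condition shown in Comment 4, as an added example that is not part of the bug report or of ntp: it reads `/proc/<pid>/status` text and reports any real, effective, saved or filesystem ID that differs from the expected one. The names `check_creds`, `sample_u_ntp` and `sample_u_ntp_ntp` are hypothetical; the sample values are the `Uid:`/`Gid:` lines from Comment 4.

```shell
#!/bin/sh
# Added example: verify that a daemon's IDs match the account and group it was told to use.

# check_creds WANT_UID WANT_GID
# Reads /proc/<pid>/status text on stdin. The Uid: and Gid: lines each carry
# four values: real, effective, saved and filesystem ID.
# Prints "ok", "mismatch: ..." or "unparsed".
check_creds() {
    awk -v want_uid="$1" -v want_gid="$2" '
        function differs(want,    i) {
            for (i = 2; i <= 5; i++)
                if ($i != want) return 1
            return 0
        }
        function ids() { return $2 "/" $3 "/" $4 "/" $5 }
        $1 == "Uid:" { seen_uid = 1; if (differs(want_uid)) bad = bad " uid=" ids() }
        $1 == "Gid:" { seen_gid = 1; if (differs(want_gid)) bad = bad " gid=" ids() }
        END {
            if (!seen_uid || !seen_gid) print "unparsed"
            else if (bad != "")         print "mismatch:" bad
            else                        print "ok"
        }'
}

# Sample input: status lines as posted in Comment 4 for "ntpd -u ntp".
sample_u_ntp() {
    cat <<'EOF'
Name:   ntpd
Uid:    38      38      38      38
Gid:    0       0       0       0
EOF
}

# Sample input: status lines as posted in Comment 4 for "ntpd -u ntp:ntp".
sample_u_ntp_ntp() {
    cat <<'EOF'
Name:   ntpd
Uid:    38      38      38      38
Gid:    38      38      38      38
EOF
}

printf 'ntpd -u ntp     -> %s\n' "$(sample_u_ntp | check_creds 38 38)"
printf 'ntpd -u ntp:ntp -> %s\n' "$(sample_u_ntp_ntp | check_creds 38 38)"

# On a live host (assumes the account and the group are both named ntp):
#   check_creds "$(id -u ntp)" "$(getent group ntp | cut -d: -f3)" \
#       < "/proc/$(pidof ntpd)/status"
```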

Comment 5 Mark J. Cox 2006-01-03 11:22:48 UTC
(This issue was rated as low security severity, therefore it will not trigger
the creation of a security advisory by itself.  A fix has been committed to CVS,
so the fix will be part of any future ntp update)

Comment 6 Petr Raszyk 2006-01-03 12:07:01 UTC
Created attachment 122708
ntp-4.2.0.a.20050816-10.1.src.rpm

There is the latest *.src.rpm

Comment 8 Jindrich Novy 2006-04-06 13:45:45 UTC
devel ack for U4.

Comment 13 Red Hat Bugzilla 2006-08-10 18:24:54 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0393.html


