Bug 149652 - CVE-2005-2496 improper group set when running ntpd
Summary: CVE-2005-2496 improper group set when running ntpd
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ntp
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Brian Brock
Whiteboard: impact=low,reported=20050210,public=2...
Keywords: Security
Depends On:
Blocks: 181409
Reported: 2005-02-24 20:48 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC

Clone Of:
Last Closed: 2006-08-10 18:24:54 UTC

Attachments
ntp-4.2.0.a.20050816-10.1.src.rpm (2.40 MB, application/x-rpm)
2006-01-03 12:07 UTC, Petr Raszyk

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0393 normal SHIPPED_LIVE Low: ntp security update 2006-08-10 04:00:00 UTC

Description Josh Bressers 2005-02-24 20:48:06 UTC
+++ This bug was initially created as a clone of Bug #147743 +++

When starting xntpd with the -u option and specifying the group
by using a string, not a numeric gid, the daemon uses the gid of
the user, not the group.

        # rcxntpd start
        # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup
        verify given and real IDs

The fix for this is in attachment 110943.

Comment 2 Josh Bressers 2005-08-25 15:31:11 UTC
Lifting embargo

Comment 3 Petr Raszyk 2005-10-26 14:43:13 UTC
Fixed (by jryska@redhat.com)  on Thu Apr 14 2005 
with help (bressers@redhat.com) in:
devel, FC-4, FC-3, RHEL-4.

Patch (RHEL-4):  ntp-stable-4.2.0a-20040617-ntpd_guid.patch
Applying this patch -> ntpd/ntp.c (line 889):

                        } else {
                                /* resolve the group name to its numeric gid */
                                if ((gr = getgrnam(group)) != NULL) {
                                        sw_gid = gr->gr_gid;
                                } else {
                                        errno = 0;
                                        msyslog(LOG_ERR, "Cannot find group `%s'", group);
                                        exit (-1);

Comment 4 Gianluca Cecchi 2006-01-03 11:06:57 UTC
Any source rpm updates on this?
On CentOS4 (but it is the same for RH EL 4, no update advisories posted on RHN)
I have:
[root@centos4 i386]# rpm -q ntp
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15683     1  0 12:04 ?        00:00:00 ntpd -u ntp
[root@centos4 i386]# cat /proc/15683/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    0       0       0       0
May I assume -u ntp:ntp as a workaround?
[root@centos4 i386]# ntpd -u ntp:ntp
[root@centos4 i386]# ps -ef|grep ntp | grep -v grep
ntp      15693     1  0 12:06 ?        00:00:00 ntpd -u ntp:ntp
[root@centos4 i386]# cat /proc/15693/status
Name:   ntpd

Uid:    38      38      38      38
Gid:    38      38      38      38

Thanks in advance,
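
A check for the condition shown in comment 4, as an added example that is not part of the original bug report or the ntp package: it parses the Uid:/Gid: lines of /proc/<pid>/status and reports every ID slot (real, effective, saved, filesystem) that differs from the expected account. The function names are assumptions, and the sample text is constructed from the status output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the IDs a daemon really runs with.

# Constructed samples, modelled on the /proc/<pid>/status lines in comment 4.
SAMPLE_U_NTP='Name:   ntpd
Uid:    38      38      38      38
Gid:    0       0       0       0'
SAMPLE_U_NTP_NTP='Name:   ntpd
Uid:    38      38      38      38
Gid:    38      38      38      38'

# check_ids STATUS_TEXT WANT_UID WANT_GID
# Prints one line per ID slot that differs from the expected value.
# Returns 0 = all slots match, 1 = mismatch, 2 = Uid:/Gid: line missing.
check_ids() {
    printf '%s\n' "$1" | awk -v wu="$2" -v wg="$3" '
        BEGIN { split("real effective saved fs", slot, " ") }
        $1 == "Uid:" || $1 == "Gid:" {
            seen[$1] = 1
            want = ($1 == "Uid:") ? wu : wg
            if (NF != 5) { printf "%s malformed\n", $1; bad = 1; next }
            for (i = 2; i <= 5; i++)
                if ($i != want) {
                    printf "%s %s=%s want=%s\n", $1, slot[i - 1], $i, want
                    bad = 1
                }
        }
        END {
            if (!seen["Uid:"] || !seen["Gid:"]) exit 2
            exit (bad ? 1 : 0)
        }'
}

# check_pid PID USER GROUP (hypothetical helper): audit a live process.
# Assumes Linux /proc and getent(1) for the group lookup.
check_pid() {
    want_uid=$(id -u "$2") || return 2
    want_gid=$(getent group "$3" | cut -d: -f3)
    [ -n "$want_gid" ] || return 2
    check_ids "$(cat "/proc/$1/status")" "$want_uid" "$want_gid"
}

# Demo on the constructed samples: the first reports four Gid slots left at 0.
check_ids "$SAMPLE_U_NTP" 38 38 || echo "ntpd -u ntp: group not dropped"
check_ids "$SAMPLE_U_NTP_NTP" 38 38 && echo "ntpd -u ntp:ntp: IDs as expected"
```

On a live system, `check_pid <pid> ntp ntp` applies the same comparison to a running ntpd.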

Comment 5 Mark J. Cox 2006-01-03 11:22:48 UTC
(This issue was rated as low security severity, therefore it will not trigger
the creation of a security advisory by itself.  A fix has been committed to CVS,
so the fix will be part of any future ntp update)

Comment 6 Petr Raszyk 2006-01-03 12:07:01 UTC
Created attachment 122708

There is the latest *.src.rpm

Comment 8 Jindrich Novy 2006-04-06 13:45:45 UTC
devel ack for U4.

Comment 13 Red Hat Bugzilla 2006-08-10 18:24:54 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

