First Last Prev Next    This bug is not in your last search results.
Bug 96927 - Buffer overflow in ntpdate.c
Buffer overflow in ntpdate.c
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: ntp (Show other bugs)
8.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Harald Hoyer
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-06-06 12:19 EDT by Peter Benie
Modified: 2007-04-18 12:54 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-10-08 08:04:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Peter Benie 2003-06-06 12:19:58 EDT 
Description of problem:

Issue 1: Buffer overflow in ntpdate.c

ntpdate.c includes the following code (lines 613-619):
		if (!authistrusted(sys_authkey)) {
			char buf[10];

			(void) sprintf(buf, "%lu", (unsigned long)sys_authkey);
			msyslog(LOG_ERR, "authentication key %s unknown", buf);
			exit(1);
		}

Assumping a 32 bit system, the number of bytes required for buf is
1+(floor(32*ln(2)/ln(10)) = 10.
Adding one byte for the NULL, the declaration should 'char buf[11]'.

Issue 2: ntpd can write to ntpdate's configuration file.

It's a bad idea for programs to be able to write to their own configuration
files - this can expose quite subtle privilege escalation attacks. A more secure
filesystem layout would be:

drwxr-xr-x   root     root  /etc/ntp
-rw-r--r--   root     root  /etc/ntp/ntp.conf
-rw-r--r--   root     root  /etc/ntp/step-tickers
-rw-r-----   root     ntp   /etc/ntp/keys
drwxr-xr-x   root     ntp   /etc/ntp/data
-rw-r--r--   ntp      ntp   /etc/ntp/data/drift

Version-Release number of selected component (if applicable): 4.1.1a-9
Comment 1 Harald Hoyer 2003-06-27 07:07:07 EDT 
ntp needs to write /etc/ntp/drift.TEMP, so this layout does not completly work..
Comment 2 Peter Benie 2003-06-27 08:20:16 EDT 
In my layout should be writing to /etc/ntp/data/drift.TEMP.
Did you remember to update the driftfile setting in ntp.conf?

I just found another couple of bugs:
When the temporary driftfile is written (ntp_util.c:232-238), it ignores the
value of ferror and the return value from fclose so it won't notice any write
errors. Then it renames stats_temp_file stats_drift_file and ignores the status
from that too.
Comment 3 Harald Hoyer 2003-06-27 08:25:27 EDT 
this should be reported on http://bugzilla.ntp.org/
Comment 4 Harald Hoyer 2003-06-27 08:26:15 EDT 
and you are right.. sorry, just overflew this entry..
Comment 5 John Flanagan 2003-12-19 09:49:59 EST 
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2003-254.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.