Description of problem: Issue 1: Buffer overflow in ntpdate.c ntpdate.c includes the following code (lines 613-619): if (!authistrusted(sys_authkey)) { char buf[10]; (void) sprintf(buf, "%lu", (unsigned long)sys_authkey); msyslog(LOG_ERR, "authentication key %s unknown", buf); exit(1); } Assumping a 32 bit system, the number of bytes required for buf is 1+(floor(32*ln(2)/ln(10)) = 10. Adding one byte for the NULL, the declaration should 'char buf[11]'. Issue 2: ntpd can write to ntpdate's configuration file. It's a bad idea for programs to be able to write to their own configuration files - this can expose quite subtle privilege escalation attacks. A more secure filesystem layout would be: drwxr-xr-x root root /etc/ntp -rw-r--r-- root root /etc/ntp/ntp.conf -rw-r--r-- root root /etc/ntp/step-tickers -rw-r----- root ntp /etc/ntp/keys drwxr-xr-x root ntp /etc/ntp/data -rw-r--r-- ntp ntp /etc/ntp/data/drift Version-Release number of selected component (if applicable): 4.1.1a-9
ntp needs to write /etc/ntp/drift.TEMP, so this layout does not completly work..
In my layout should be writing to /etc/ntp/data/drift.TEMP. Did you remember to update the driftfile setting in ntp.conf? I just found another couple of bugs: When the temporary driftfile is written (ntp_util.c:232-238), it ignores the value of ferror and the return value from fclose so it won't notice any write errors. Then it renames stats_temp_file stats_drift_file and ignores the status from that too.
this should be reported on http://bugzilla.ntp.org/
and you are right.. sorry, just overflew this entry..
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2003-254.html