The following flaw was found in ntpd:

A potential buffer overflow vulnerability exists in the password management functionality of ntp. A specially crafted key file could cause a buffer overflow potentially resulting in memory being modified. An attacker could provide a malicious password to trigger this vulnerability.

External References:
http://talosintel.com/reports/TALOS-2015-0065/
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7.
In version 4.2.6 and earlier of NTP (shipped with RHEL 5, 6, 7), the key size is written in an array rather than dynamically allocated memory (as happens in 4.2.8). The following code handles the size allocation and is not vulnerable to the reported buffer overflow:

    sk->keylen = min(len, sizeof(sk->k.MD5_key));
    memcpy(sk->k.MD5_key, key, sk->keylen);
Upstream patch: https://github.com/ntp-project/ntp/commit/9c22e66c8f2be6aa0c846f0d9804db20f93c105d
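
The length clamp quoted above for 4.2.6, as an added example that is not ntp's code: `struct symkey`, `KEY_MAX`, the `guard` canary, `set_key_strict` and `run_case` are hypothetical names, and the input is constructed. It shows that an oversized key cannot reach adjacent memory, and that the clamp truncates silently where a stricter check would reject the key.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX 16 /* assumed size for this example, not ntp's constant */

/* Hypothetical stand-in for the key record; only the field layout matters. */
struct symkey {
    unsigned char MD5_key[KEY_MAX]; /* fixed-size array, as in 4.2.6 */
    unsigned char guard[8];         /* constructed canary for adjacent memory */
    size_t keylen;
};

/* Clamped copy, same shape as the two statements quoted above.
 * Returns 1 when the input had to be truncated, 0 otherwise. */
int set_key_clamped(struct symkey *sk, const unsigned char *key, size_t len)
{
    sk->keylen = len < sizeof(sk->MD5_key) ? len : sizeof(sk->MD5_key);
    memcpy(sk->MD5_key, key, sk->keylen);
    return len > sk->keylen;
}

/* Stricter variant: refuse an oversized key instead of truncating it. */
int set_key_strict(struct symkey *sk, const unsigned char *key, size_t len)
{
    if (len > sizeof(sk->MD5_key))
        return -1;
    memcpy(sk->MD5_key, key, len);
    sk->keylen = len;
    return 0;
}

/* One constructed case: a key of len bytes of 'A' (len <= 64).
 * Returns stored key length, -1 if rejected, -2 if the guard changed. */
int run_case(size_t len, int strict)
{
    unsigned char input[64];
    struct symkey sk;
    int rejected = 0;
    if (len > sizeof(input)) return -1;
    memset(input, 'A', sizeof(input));
    memset(&sk, 0, sizeof(sk));
    memset(sk.guard, 0xA5, sizeof(sk.guard));
    if (strict) rejected = set_key_strict(&sk, input, len) != 0;
    else (void)set_key_clamped(&sk, input, len);
    for (size_t i = 0; i < sizeof(sk.guard); i++)
        if (sk.guard[i] != 0xA5) return -2;
    return rejected ? -1 : (int)sk.keylen;
}
int main(void) { printf("%d %d\n", run_case(40, 0), run_case(40, 1)); return 0; }
```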