Bug 1331469 (CVE-2016-2519) - CVE-2016-2519 ntp: ctl_getitem() return value not always checked
Summary: CVE-2016-2519 ntp: ctl_getitem() return value not always checked
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-2519
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1331437
TreeView+ depends on / blocked
 
Reported: 2016-04-28 14:53 UTC by Martin Prpič
Modified: 2021-02-17 03:57 UTC (History)
3 users (show)

Fixed In Version: ntp 4.2.8p7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-02 11:49:36 UTC
Embargoed:

Attachments (Terms of Use)

Description Martin Prpič 2016-04-28 14:53:57 UTC 
The following flaw was found in ntpd:

ntpq and ntpdc can be used to store and retrieve information in ntpd. It is possible to store a data value that is larger than the size of the buffer that the ctl_getitem() function of ntpd uses to report the return value. If the length of the requested data value returned by ctl_getitem() is too large, the value NULL is returned instead. There are 2 cases where the return value from ctl_getitem() was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in ntpd that would exceed this buffer length. But if one has permission to store values and one stores a value that is "too large", then ntpd will abort if an attempt is made to read that oversized value. 

Upstream bugs:

http://support.ntp.org/bin/view/Main/NtpBug3008

External References:

http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
Note You need to log in before you can comment on or make changes to this bug.