[ntp:security] Re: Concerning a possible bug in the 'ntp' package

Danny Mayer mayer at ntp.isc.net
Tue Aug 30 13:37:36 UTC 2005


David A Wagner wrote:
> 
> ------------------------------------------------------------------------
> 
> Subject:
> Concerning a possible bug in the 'ntp' package
> From:
> Ben Schwarz <bschwarz at EECS.berkeley.EDU>
> Date:
> Mon, 29 Aug 2005 15:07:27 -0700 (PDT)
> To:
> bugs at ntp.org
> 
> To:
> bugs at ntp.org
> CC:
> David A Wagner <daw at EECS.berkeley.EDU>
> 
> ----------------------------
> 
> URL with program traces for this package:
> https://taverner.cs.berkeley.edu/traces/tmpfile/ntp-4.1.2-0.rc1.2/HTMLtrace/ 
> 
> 
> Programs with bugs:
> ntp-genkeys (ntp_config.c line 2088)
> 
> We believe this program re-uses the template from mkstemp(),
> and suspect there may be a race condition with another system call.
> 

I reviewed this report. The are a large number of erroneous assumptions
made in this report. I will enumerate the obvious ones:

1) ntp 4.1.2 is ancient and hasn't been shipped by the NTP project for
years.

2) Never use a release candidate (rc1.2) for testing. That's not what
gets shipped.

3) The NTP project has no control over what Redhat ships. All such
problem reports should go first to the vendor.

4) There is no program named ntp-genkeys in ntp. There IS a program
named ntp-keygen but this is a command-line-only app that generates keys
and is never used as a server app.

5) ntp_config.c is not used by ntp-keygen, but is a part of ntpd which
is a server app.

6) automatic generation of a bug report should be followed by a manual
analysis of the problem to ensure that it's accurate. The results above
show that it was wildly off and raises questions of the methodology used
to analyze the code.

7) You finding of mkstemp() is not followed up by an analysis of how and
why it is used. Just because it's being used does not indicate a
problem. Please send an analysis of why it is incorrect to use this
function in the context of the application and function calling it.

Danny
NTP Public Services Project



More information about the security mailing list