[ntp:security] Re: Concerning a possible bug in the 'ntp' package

Danny Mayer mayer at ntp.isc.org
Sat Sep 3 01:00:37 UTC 2005

David Wagner wrote:
> I just tried it on ntp-dev-4.2.0b-20050827, and MOPS reports no
> warnings.  I'm still investigating whether that is because the latest
> version is free of vulnerabilities, or because MOPS missed a real bug.

There may well be a problem with MOPS since the bug you reported is
still there. The issue that I raised previously, that ntp_config.c is
part of ntpd and not part of ntp-keygen, may be indicative of the issue.
Without reading the code, something is not right, since, if it concludes 
that msktemp() is dangerous then it should have hooked it into ntpd as a 
possible problem.

> One more note: MOPS works by instrumenting the calls to gcc that occur
> during the build process, after preprocessing.  Thus, it will only
> check the code that is compiled for the platform that you build it on;
> everything else that has been #ifdef'd away is ignored by MOPS.

You may want to have the code look at the Makefile to figure out what a 
source file is consumed by. ntp-keygen was not one of them, hence my 
initial reaction.

I'm in the process of cleaning up other issues before I take another 
look at this.


