[ntp:security] Re: Concerning a possible bug in the 'ntp' package
Danny Mayer
mayer at ntp.isc.org
Sat Sep 3 01:00:37 UTC 2005

David Wagner wrote:
> I just tried it on ntp-dev-4.2.0b-20050827, and MOPS reports no
> warnings. I'm still investigating whether that is because the latest
> version is free of vulnerabilities, or because MOPS missed a real bug.

There may well be a problem with MOPS since the bug you reported is
still there. The issue that I raised previously, that ntp_config.c is
part of ntpd and not part of ntp-keygen, may be indicative of the issue.
Without reading the code, something is not right, since, if it concludes
that msktemp() is dangerous then it should have hooked it into ntpd as a
possible problem.

> One more note: MOPS works by instrumenting the calls to gcc that occur
> during the build process, after preprocessing. Thus, it will only
> check the code that is compiled for the platform that you build it on;
> everything else that has been #ifdef'd away is ignored by MOPS.

You may want to have the code look at the Makefile to figure out what a
source file is consumed by. ntp-keygen was not one of them, hence my
initial reaction.

I'm in the process of cleaning up other issues before I take another
look at this.

Danny
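
Added example, not part of the original message and not code from MOPS or the ntp project: one way to answer the question raised above, which programs consume a given source file, by reading an automake-style Makefile.am. The Makefile fragment is constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed Makefile.am fragment (not the real ntp build files); it mirrors
# the situation in the thread: ntp_config.c is built into ntpd only.
SAMPLE_MAKEFILE_AM = r"""
bin_PROGRAMS = ntpd ntp-keygen
COMMON = ntp_util.c \
         ntp_io.c
ntpd_SOURCES = ntpd.c ntp_config.c $(COMMON)
ntp_keygen_SOURCES = ntp-keygen.c
ntp_keygen_SOURCES += $(COMMON)
"""

def parse_vars(text):
    """Return {name: [words]} for automake-style assignments, honouring
    backslash continuations, '+=' and references to earlier $(VAR)s."""
    text = re.sub(r"\\\n", " ", text)  # join continued lines
    variables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"([A-Za-z0-9_]+)\s*(\+?=)\s*(.*)$", line)
        if not m:
            continue
        name, op, value = m.groups()
        words = []
        for word in value.split():
            ref = re.fullmatch(r"\$[({]([A-Za-z0-9_]+)[)}]", word)
            words.extend(variables.get(ref.group(1), []) if ref else [word])
        variables[name] = (variables.get(name, []) if op == "+=" else []) + words
    return variables

def consumers(makefile_text, source):
    """Return the sorted list of programs whose _SOURCES include `source`."""
    variables = parse_vars(makefile_text)
    programs = [p for k, v in variables.items() if k.endswith("_PROGRAMS") for p in v]
    hits = set()
    for prog in programs:
        # automake canonicalises names: ntp-keygen -> ntp_keygen_SOURCES
        canon = re.sub(r"[^A-Za-z0-9_@]", "_", prog)
        # without an explicit _SOURCES, automake defaults to <prog>.c
        sources = variables.get(canon + "_SOURCES", [prog + ".c"])
        if source in sources:
            hits.add(prog)
    return sorted(hits)

if __name__ == "__main__":
    for src in ("ntp_config.c", "ntp_io.c"):
        print(src, "->", consumers(SAMPLE_MAKEFILE_AM, src))
```

A warning attributed to a source file can then be checked against every binary that links it, rather than only the one whose build happened to be instrumented.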