[ntp:security] [oCERT-2008-016 draft] OpenSSL incorrect checks for malformed signatures

Andrea Barisani lcars at ocert.org
Mon Jan 5 11:45:26 UTC 2009


On Mon, Jan 05, 2009 at 10:47:31AM +0000, Harlan Stenn wrote:
> Hi Andrea,
>

Hi,

> I'm planning to install the "obvious" patch to both ntp-stable
> (which will be released as ntp-4.2.4p6) and ntp-dev (which might be
> 4.2.5p152 or it could be p153).  (Dave, this will include updating the
> year in the copyright file.)
> 

Thanks, I will include this info in our advisory.

Can you send us the "obvious" patch so that we can relay an official one to
some vendors beforehand?

> I believe there will be Windows installer releases of the patched NTP
> code available as well.
> 
> At what time (GMT) is it OK for me to release these patches?  I have to
> get the code into our repositories and then notify our Windows packaging
> folks so they can begin to build the windows versions.
> 

OpenSSL did not specify a specific time I'm afraid, I will ask them but I'm
not sure if they will reply in time.

> As soon as I put these patches into our repositories they will, in
> effect, "go public".
> 
> It's very late for me - I hope I covered all the points and did not miss
> anything.
> 

Thanks!

> H
> --
> > On Tue, Dec 16, 2008 at 08:46:00PM +0000, Harlan Stenn wrote:
> > > Andrea,
> > > 
> > > Thanks for the heads-up.
> > > 
> > > Dave, the code is in one place in ntp_crypto.c .  Do you agree with the
> > > patch?  If so, I would prefer to make the fix myself as on January 7th I
> > > would make the fix in ntp-stable and then "pull it forward" to ntp-dev,
> > > but it's no big deal to me either way.
> > > 
> > > As I read the notice from ocert.org, they do not want fixes for this bug
> > > to be published before 7 Jan.
> > >
> > 
> > Heya,
> > 
> > If you can send us the patch beforehand we would pre-notify it to affected
> > vendors if you like, so that they can promptly release patched packages at
> > embargo time.
> > 
> > Also if you can tell me the NTP version which will fix this issue that is
> > going to be released on January 7th I can reference it in the advisory
> > (unless you plan to commit it only in your repository and not make a release,
> > in which case I'll reference it as "fixed in CVS|SVN" or something).
> > 
> > Thanks!
> > 
> > > H
> > > 
> > > 
> > > 
> > 
> > -- 
> > Andrea Barisani |                Founder & Project Coordinator
> >           oCERT | Open Source Computer Emergency Response Team
> > 
> > <lcars at ocert.org>                         http://www.ocert.org
> >  0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
> >         "Pluralitas non est ponenda sine necessitate"

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars at ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"