[ntp:security] [Bug 2671] vallen is not validated, leading to potential info leak

bugzilla-daemon at ntp.org
Sat Jan 3 11:25:40 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2671

--- Comment #3 from Harlan Stenn <stenn at ntp.org> 2015-01-03 11:25:40 UTC ---
Stephen,

I'll email you separately with the location of a tarball that has the patches
described below.

The reported problem at line 571 is now at line 601, and I believe the check at
line 529 handles this case.  Do you agree?

The CERT|RESP case that was at 1162 is now near line 1209, and I believe I have
fixed that around line 1198.

The reported problem in crypto_verify() that was at 1461 in the old code is at
(I believe) line 1561 in the current code.  I believe the check at line 1502
handles this case already.  Do you agree?

The reported problem in crypto_encrypt() that was at line 1559 in the original
code is now at line 1599 in the new code.  I think I have this fixed with the
new test at line 1350.  Do you agree?

The reported problem that was at line 2117 of crypto_bob() in the old code is
now around line 2187 of the new code.  I think I have fixed this with the new
test at line 2189.  Do you agree?

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

