[ntp:security] [FICORA #829967] ntpd control message crash

Harlan Stenn stenn at nwtime.org
Sun Jun 21 06:14:42 UTC 2015

Hi folks,

Who do we "credit" for finding this problem?  Pasi and Aleksis?

When we publish, what URL do we use for FICORA #829967 ?

By my calculations, the CVSS score for this issue is between 1.4 (or
less) and 4.9 (at likely worst).  Do you agree?

While we have not yet duplicated the issue, I'm confident I know how to
fix it.  I'd like that fix to be part of the upcoming 4.2.8p3 release,
before the leap second.  Probably later this week, most likely on the 25th.

Do you see any need to delay the publication or release of this issue?



On 6/18/15 6:43 AM, Pasi Korhonen wrote:
> On 18/06/15 04:10, Harlan Stenn wrote:
>> Aleksis and Pasi,
>> Thanks for the report.
>> Do you folks have PGP/GPG keys?
>     hi Harlan,
> in general, we don't have PGP keys in use, but use another comms
> strategy: we just invited you to our wiki-based collaboration
> environment (accessed over TLS/SSL), the same that we use to forward
> found issues to NCSC-FI. I hope this will be sufficient for our
> communication needs.
> You can found our findings there, add your commentary to the wiki page,
> upload files if necessary, and we can even do an XMPP chat inside the
> collab, if there's any need for realtime discussion.
> You should already have received credentials in a separate email, please
> try out the collab and ask for additional help if needed.
> ---
> If you'd like to discuss the mechanics or reproduction of the issue at
> hand, our developer Aleksis Kauppinen is the right contact person, he
> can answer to your questions about the reported issue.
> Personally, I'll be on vacation for the next 4 weeks, starting now, as
> midsummer is upon us. While I'm out of office, feel free to engage into
> a conversation with Aleksis in order to proceed with the issue.
> Please let us know what you would need from our direction, and we'll
> work along from that?
>     best regards,
>     Pasi Korhonen
>     Codenomicon
>> Thanks!
>> H
>> On 6/16/15 2:21 AM, NCSC-FI Vulnerability Co-ordination wrote:
>>> Hello,
>>> There seems to be a problem with ntpd 4.2.8 crashing with specific
>>> control message input. Please see the attached html file for a
>>> description of the problem, more information is included in the pcap
>>> and zip files. If you have any questions, don't hesitate to contact
>>> us, thanks.
>>>    Tapio
>>> _______________________________________________
>>> security mailing list
>>> security at lists.ntp.org
>>> http://lists.ntp.org/listinfo/security

Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!

More information about the security mailing list