[ntp:security] [Bug 3379] NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Pentest report 01.2017)
bugzilla-daemon at ntp.org
Wed Mar 22 00:04:12 UTC 2017
http://bugs.ntp.org/show_bug.cgi?id=3379
Harlan Stenn <stenn at ntp.org> changed:
      What|Removed   |Added
----------------------------------------------------------------------------
    Status|STAGED    |RESOLVED
     Group|Security  |
Resolution|          |FIXED
--- Comment #4 from Harlan Stenn <stenn at ntp.org> 2017-03-22 00:04:12 UTC ---
Here's a better summary:
ntpd makes use of different wrappers around ctl_putdata() to create name/value
ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to
send string data (variable names or string data). The formatting code was
missing a length check for variable names. If somebody explicitly created any
unusually long variable names in ntpd (longer than 200-512 bytes, depending on
the type of variable), then if any of these variables are added to the response
list it would overflow a buffer.
Pearly, thanks for your work on this.
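The missing check described in comment #4, shown as an added C example (not ntpd's code and not the actual fix): a hypothetical `put_name_value()` formats a name="value" pair into a fixed buffer and rejects the pair when the name and value together do not fit. `RESP_BUF_SIZE`, both function names and the inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 256   /* assumed size, not ntpd's */

/* Hypothetical helper: write name="value" into out[outsz].
 * Returns the bytes written, or -1 (nothing written) if it does not fit. */
static int put_name_value(char *out, size_t outsz,
                          const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    char *p = out;

    /* Bound the name as well as the value; checking each length first
     * keeps the sum from wrapping. The 4 is '=', two quotes and NUL. */
    if (nlen >= outsz || vlen >= outsz || nlen + vlen + 4 > outsz)
        return -1;

    memcpy(p, name, nlen);  p += nlen;
    *p++ = '='; *p++ = '"';
    memcpy(p, value, vlen); p += vlen;
    *p++ = '"'; *p = '\0';
    return (int)(p - out);
}

/* Constructed input: a name of n 'a' bytes with the value "1".
 * Returns put_name_value()'s result, or -2 if the guard bytes changed. */
static int try_name_len(size_t n)
{
    struct { char buf[RESP_BUF_SIZE]; char guard[8]; } r;
    char name[1024];
    if (n >= sizeof(name))
        return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    memset(r.guard, 0x5a, sizeof(r.guard));
    int rc = put_name_value(r.buf, sizeof(r.buf), name, "1");
    for (size_t i = 0; i < sizeof(r.guard); i++)
        if (r.guard[i] != 0x5a)
            return -2;
    return rc;
}

int main(void)
{
    size_t lens[] = { 10, 251, 252, 512 };
    for (size_t i = 0; i < 4; i++)
        printf("name length %zu -> %d\n", lens[i], try_name_len(lens[i]));
}
```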