From owner-freebsd-security@freebsd.org Sun Nov 1 01:15:09 2015
From: Derek Schrock
To: freebsd-security@freebsd.org
Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE
Date: Sat, 31 Oct 2015 21:15:05 -0400

On Sat, Oct 31, 2015 at 07:12:58PM EDT, Dag-Erling Smørgrav wrote:
> Dag-Erling Smørgrav writes:
> > Please try these patches instead:
> >
> > https://people.freebsd.org/~des/SA-15:25/
>
> Some people have had issues with these patches due to mismatched
> $FreeBSD$ tags. I have uploaded a new set which should work for
> everyone. I have tested them on releng/* from right before SA-15:25 and
> on release/* with the previous NTP advisories (14:31 and 15:07) applied.

403 on all those files (patch/asc)

From owner-freebsd-security@freebsd.org Sun Nov 1 03:56:17 2015
From: Dag-Erling Smørgrav
To: freebsd-security@freebsd.org
Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE
Date: Sun, 01 Nov 2015 04:56:08 +0100

Derek Schrock writes:
> 403 on all those files (patch/asc)

Damnit! The price of paranoia (umask 027 instead of the default 022).
Fixed, thanks.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Sun Nov 1 20:35:08 2015
From: Christian Weisgerber
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
Date: Sun, 1 Nov 2015 20:34:55 +0000 (UTC)

>=============================================================================
> FreeBSD-SA-15:25.ntp                                        Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Multiple vulnerabilities of ntp
>
> Category:       contrib
> Module:         ntp
> Announced:      2015-10-26
> Credits:        Network Time Foundation
> Affects:        All supported versions of FreeBSD.
> Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
>                 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
>                 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)

Unfortunately, this update has now lost support for RAWDCF refclocks
in 10.1.

> # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2

It's right there in /usr.sbin/ntp/config.h:

 /* DCF77 raw time code */
-#define CLOCK_RAWDCF 1
+/* #undef CLOCK_RAWDCF */

I have opened bug #204203 about this.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204203

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de

From owner-freebsd-security@freebsd.org Mon Nov 2 08:47:32 2015
From: Gleb Smirnoff
To: Christian Weisgerber
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
Date: Mon, 2 Nov 2015 11:47:22 +0300

On Sun, Nov 01, 2015 at 08:34:55PM +0000, Christian Weisgerber wrote:
C> >=============================================================================
C> > FreeBSD-SA-15:25.ntp                                        Security Advisory
C> >                                                           The FreeBSD Project
C> >
C> > Topic:          Multiple vulnerabilities of ntp
C> >
C> > Category:       contrib
C> > Module:         ntp
C> > Announced:      2015-10-26
C> > Credits:        Network Time Foundation
C> > Affects:        All supported versions of FreeBSD.
C> > Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
C> >                 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
C> >                 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
C>
C> Unfortunately, this update has now lost support for RAWDCF refclocks
C> in 10.1.
C>
C> > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
C>
C> It's right there in /usr.sbin/ntp/config.h:
C>
C>  /* DCF77 raw time code */
C> -#define CLOCK_RAWDCF 1
C> +/* #undef CLOCK_RAWDCF */
C>
C> I have opened bug #204203 about this.
C> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204203

That actually was broken at import of 4.2.8p3. Looks like we
need yet another Errata :(

-- 
Totus tuus, Glebius.
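
Review bot: `+/* #undef CLOCK_RAWDCF */` in config.h looks like an unintended feature removal riding along with a security fix: nothing in the quoted lines ties turning off the DCF77 raw refclock to any of the ntp vulnerabilities. Restore `#define CLOCK_RAWDCF 1`, or, if dropping the driver is deliberate, say so next to the `/* DCF77 raw time code */` comment and in the advisory so RAWDCF users know before they apply the patch.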

From owner-freebsd-security@freebsd.org Mon Nov 2 08:53:08 2015
From: Gleb Smirnoff
To: Christian Weisgerber
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp
Date: Mon, 2 Nov 2015 11:53:05 +0300

On Mon, Nov 02, 2015 at 11:47:22AM +0300, Gleb Smirnoff wrote:
T> C> Unfortunately, this update has now lost support for RAWDCF refclocks
T> C> in 10.1.
T> C>
T> C> > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
T> C>
T> C> It's right there in /usr.sbin/ntp/config.h:
T> C>
T> C>  /* DCF77 raw time code */
T> C> -#define CLOCK_RAWDCF 1
T> C> +/* #undef CLOCK_RAWDCF */
T> C>
T> C> I have opened bug #204203 about this.
T> C> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204203
T>
T> That actually was broken at import of 4.2.8p3.

Not really. Somehow I screwed things up undefining it only in
releng/ branches.

-- 
Totus tuus, Glebius.

From owner-freebsd-security@freebsd.org Mon Nov 2 11:50:06 2015
From: Matthew Seaman
To: freebsd-security@freebsd.org
Subject: Re: segfault in ntpd
Date: Mon, 2 Nov 2015 11:49:59 +0000

On 10/30/15 17:21, Matthew Seaman wrote:
> On 2015/10/30 10:32, Dag-Erling Smørgrav wrote:
>> Can those of you who are experiencing this bug on 10 please try to build
>> and run a kernel from head@287591 or newer (with your 10 userland) and
>> report back?
>>
>> # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head
>> # cd /tmp/head
>> # make buildkernel KERNCONF=GENERIC
>> # make installkernel KERNCONF=GENERIC KODIR=/boot/head
>> # nextboot -k head
>> # shutdown -r now
>>
>> DES
>>
>
> Hi, Dag-Erling,
>
> I'm not able to reboot machines where I've seen this crash right now,
> but I can report:
>
>   * Can't reproduce the problem in a VirtualBox VM running
>     10.2-RELEASE-p6 amd64.
>
>   * But I can get a back trace after compiling the 10.2-RELEASE-p6
> sources and a core dump from one of the machines where the problem happens:
>
> (gdb) bt full
> #0  mutex_lock_common (m=0x801c33100, abstime=0x0, cvattach=0) at
> atomic.h:143
> No locals.
> #1  0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:148
>     n =
>     fp =
>     g =
> #2  0x00000008012470ab in _BIG5_mbrtowc (pwc=,
>     s=, n=Cannot access memory at address 0x1
> ) at /usr/src/lib/libc/locale/big5.c:113
>     wc =
> #3  0x0000000801211cc0 in serv_unmarshal_func (buffer=0x801c33100 "",
>     buffer_size=0, retval=0x8014c6130, ap=0x18b95,
>     cache_mdata=)
>     at /usr/src/lib/libc/net/getservent.c:1071
>     serv = (struct servent *) 0x0
>     orig_buf = 0x802031040 "0aL\001\b"
>     orig_buf_size =
>     ret_errno =
>     p =
>     alias =
> #4  0x0000000801234cff in _nsdispatch (retval=0x7fffdfdfca70,
>     disp_tab=0x801498680, database=0x80126de7c "\"%s\", \"%s\")...\n",
>     method_name=0x80126de24 ".conf", defaults=0x2)
>     at /usr/src/lib/libc/net/nsdispatch.c:541
>     ap = {{gp_offset = 48, fp_offset = 48,
>     overflow_arg_area = 0x7fffdfdfca38, reg_save_area = 0x7fffdfdfc870}}
>     mdata = (void *) 0x80126ddfc
>     cache_data = {key = 0x17d0,
>     key_size = 34369025376, info = 0x7fffdfdfc9e0}
>     isthreaded = 1
>     serrno = 22
>     result =
>     st =
>     fb_method =
>     srclist =
>     srclistsize =
>     cache_flag =
>     method =
>     saved_depth =
> #5  0x0000000801213121 in nis_setservent (result=0x801c33100,
>     mdata=, ap=0x0)
>     at /usr/src/lib/libc/net/getservent.c:812
>     st = (struct nis_state *) 0x0
>     st = (struct nis_state *) 0x0
>     st = (struct nis_state *) 0x0
>     st = (struct nis_state *) 0x0
>     rv =
> #6  0x0000000801213029 in files_setservent (retval=0x801c33100,
>     mdata=, ap=)
>     at /usr/src/lib/libc/net/getservent.c:451
>     st = (struct files_state *) 0x1
>     st = (struct files_state *) 0x1
>     st = (struct files_state *) 0x1
>     st = (struct files_state *) 0x1
>     st = (struct files_state *) 0x1
>     st = (struct files_state *) 0x1
>     st = (struct files_state *) 0x1
>     rv =
>     f = 0
> #7  0x000000080120f373 in _dns_getaddrinfo (rv=,
> ---Type to continue, or q to quit---
>     cb_data=, ap=)
>     at /usr/src/lib/libc/net/getaddrinfo.c:2266
>     sentinel = {ai_flags = 3, ai_family = 0, ai_socktype = 21716848,
>     ai_protocol = 8, ai_addrlen = 21795400, ai_canonname = 0x8014c6130 "",
>     ai_addr = 0x802031040, ai_next = 0x2}
>     q = {next = 0x7fffdfdfc690, name = 0x800b11e08 "E\211.1??P1?\2135yj!",
>     qclass = -538982744, qtype = 32767, answer = 0x801c06c00 "\225\213\001",
>     anslen = 11616604, n = 8}
>     q2 = {next = 0x8014b5f80,
>     name = 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass =
> -538982832,
>     qtype = 32767, answer = 0x800b12a85 "\203??", anslen = 101269, n = 0}
>     cur = (struct addrinfo *) 0x3
>     pai =
>     hostname =
>     res =
>     ai =
> #8  0x000000080120ca61 in strcspn (s=0x801c33100 "",
>     charset=) at /usr/src/lib/libc/string/strcspn.c:59
>     tbl = {34393355264, 34389385984, 34389386167, 34389386056}
>     bit =
>     s1 =
> #9  0x0000000000478a86 in blocking_getaddrinfo (c=0x801c66700,
>     req=0x801c46300)
>     at
> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352
>     ai_res = (struct addrinfo *) 0x0
>     node = 0x7fffdfdfcbe8 "\002"
>     service = 0xc
>     worker_ctx = (dnsworker_ctx *) 0x80200e060
>     resp_octets = Cannot access memory at address 0x600
> (gdb)
>
> Cheers,
>
> Matthew
>
>

Thanks to Andre Albsmeier a work-around seems to be turning off memlock
in ntp.conf:

> I have just posted my observations to the freebsd-stable list:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2015-November/083574.html
>
> What happens if you add "rlimit memlock -1" to ntp.conf?

Cheers,

Matthew

From owner-freebsd-security@freebsd.org Mon Nov 2 10:44:24 2015
From: Christian Brueffer
To: trustedbsd-announce@freebsd.org, trustedbsd-audit@freebsd.org, freebsd-security@freebsd.org
Subject: OpenBSM 1.2 alpha 4 released
Date: Mon, 2 Nov 2015 11:24:13 +0100

After almost three years since the last OpenBSM test release I'm pleased
to announce the availability of OpenBSM 1.2 alpha 4.

This release contains the following changes:

- Fix praudit to emit correct XML.
- Fix auditdistd bugs related to IPv6 support, locking, and a
  kqueue-related descriptor leak.
- Add audit event definitions for Capsicum-related syscalls, as well as
  AUE_BINDAT and AUE_CONNECTAT.
- Manpage symlinks for all libbsm functions are installed again after
  the move to autotools in OpenBSM 1.0 Alpha 5.
- A variety of minor documentation cleanups.

You can download OpenBSM releases and snapshots from the following places:

The OpenBSM project web page
    http://www.OpenBSM.org/

The OpenBSM GitHub repository
    https://github.com/openbsm/openbsm

This test release is known to build and run (to varying degrees) on
FreeBSD 9.x, 10.x, 11.x, Mac OS X Mountain Lion and Mavericks, and Ubuntu
Linux 14.04 LTS. Especially testing on newer Mac OS X releases (Mavericks,
Yosemite, El Capitan) would be greatly appreciated. If you encounter a
problem, please open an issue report on GitHub.

Christian Brueffer

From owner-freebsd-security@freebsd.org Mon Nov 2 18:40:58 2015
From: Dag-Erling Smørgrav
To: freebsd-security@freebsd.org
Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE
Date: Mon, 02 Nov 2015 19:40:43 +0100

Dag-Erling Smørgrav writes:
> Please try these patches instead:
> https://people.freebsd.org/~des/SA-15:25/

New patches out with RAWDCF re-enabled.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Nov 4 13:14:49 2015
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED]
Date: Wed, 4 Nov 2015 13:14:49 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:25.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp [REVISED]

Category:       contrib
Module:         ntp
Announced:      2015-10-26, revised on 2015-11-04
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) 2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7) 2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24) 2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE) 2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30) CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/. 0. Revision history. v1.0 2015-10-26 Initial release. v1.1 2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8) utilities and lack of RAWDCF reference clock support in ntpd(8). I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and 10.1 are not affected. If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition. [CVE-2015-7855] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to crash, with the hypothetical possibility of a small code injection. 
[CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer. The NTF ntpd(8) driver implementation always sets this value to 0 and is therefore not vulnerable to this weakness. If the system runs a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this), then ntpd(8) would overflow the data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd(8), the attacker could effect a code injection attack. [CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is listening for data and the port number on which it is listening, or if the attacker can provide a malicious instance of ntpd(8) that victims will connect to, then an attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop.
[CVE-2015-7850] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected through the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848] The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets.

If ntpd(8) is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory. [CVE-2015-7701] The default configuration of ntpd(8) within FreeBSD does not use autokey.

If ntpd(8) is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it is possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files. [CVE-2015-5196] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

An ntpd(8) client that honors Kiss-of-Death responses will honor Kiss-of-Death messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates.
Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements Kiss-of-Death rate limiting will send the target machine a Kiss-of-Death response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the time source of a target by sending the target a time query. [CVE-2015-7704]

The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. [CVE-2015-7702] The default configuration of ntpd(8) within FreeBSD does not use autokey.

III. Impact

An attacker which can send NTP packets to ntpd(8) which uses cryptographic authentication of NTP data, may be able to inject malicious time data causing the system clock to be set incorrectly. [CVE-2015-7871]

An attacker which can send NTP packets to ntpd(8) can block the communication of the daemon with time servers, causing the system clock not to be synchronized. [CVE-2015-7704]

An attacker which can send NTP packets to ntpd(8) can remotely crash the daemon by sending a malicious data packet. [CVE-2015-7855] [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]

An attacker which can send NTP packets to ntpd(8) can remotely trigger the daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce risk associated with the attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[*** v1.1 NOTE ***] If your sources are not yet patched using initial advisory patches, then you need to apply full patches named ntp-NNN.patch, where NNN stands for the release version. If your sources are already updated, or patched with patches from initial advisory, then you need to apply incremental patches, named ntp-NNN-inc.patch, where NNN stands for the release version.
[FreeBSD 10.2-RELEASE-p5, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.xz
# unxz ntp-102.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
# gpg --verify ntp-102.patch.asc

[FreeBSD 10.1-RELEASE-p22, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.xz
# unxz ntp-101.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
# gpg --verify ntp-101.patch.asc

[FreeBSD 9.3-RELEASE-p28, not patched with initial SA-15:25 patch]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.xz
# unxz ntp-93.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
# gpg --verify ntp-93.patch.asc

[FreeBSD 10.2-RELEASE-p6, initial SA-15:25 patch applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102-inc.patch.asc
# gpg --verify ntp-102-inc.patch.asc

[FreeBSD 10.1-RELEASE-p23, initial SA-15:25 patch applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101-inc.patch.asc
# gpg --verify ntp-101-inc.patch.asc

[FreeBSD 9.3-RELEASE-p29, initial SA-15:25 patch applied]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93-inc.patch.asc
# gpg --verify ntp-93-inc.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -p0 < /path/to/patch
# find contrib/ntp -type f -empty -delete

c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html.
d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and with help of the etcupdate(8) tool on 10.1-RELEASE.

Restart the ntpd(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r290269
releng/9.3/                                                       r290363
stable/10/                                                        r289997
releng/10.1/                                                      r290362
releng/10.2/                                                      r290361
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

From owner-freebsd-security@freebsd.org Wed Nov 4 17:38:40 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED]
To: freebsd-security@freebsd.org
References: <20151104131449.2777E1ACB@freefall.freebsd.org>
From: Dan Lukes
Message-ID: <563A429C.406@obluda.cz>
Date: Wed, 4 Nov 2015 18:38:36 +0100
In-Reply-To: <20151104131449.2777E1ACB@freefall.freebsd.org>

Even after latest patch the NTP code still doesn't compile cleanly.
> ===> usr.sbin/ntp/libntp (all)
> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/authreadkeys.c:252:4: warning: format specifies type 'unsigned int' but the argument has type 'size_t'
> (aka 'unsigned long') [-Wformat]
> nerr);
> ^~~~
> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/authreadkeys.c:257:4: warning: format specifies type 'unsigned int' but the argument has type 'unsigned long' [-Wformat]
> nerr - nerr_loglimit);
> ^~~~~~~~~~~~~~~~~~~~

Fortunately, it seems not to cause severe security issue.

Dan

From owner-freebsd-security@freebsd.org Thu Nov 5 08:19:48 2015
From: Dag-Erling Smørgrav
To: Dan Lukes
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED]
References: <20151104131449.2777E1ACB@freefall.freebsd.org> <563A429C.406@obluda.cz>
Date: Thu, 05 Nov 2015 09:19:34 +0100
In-Reply-To: <563A429C.406@obluda.cz> (Dan Lukes's message of "Wed, 4 Nov 2015 18:38:36 +0100")
Message-ID: <86mvusx3hl.fsf@desk.des.no>

Dan Lukes writes:
> Even after latest patch the NTP code still doesn't compile cleanly.
>
> > /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/authreadkeys.c:252:4: warning: format specifies type 'unsigned int' but the argument has type 'size_t' (aka 'unsigned long') [-Wformat]
>
> > /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/authreadkeys.c:257:4: warning: format specifies type 'unsigned int' but the argument has type 'unsigned long' [-Wformat]

Feel free to submit a patch upstream.

DES
-- 
Dag-Erling Smørgrav - des@des.no