From owner-freebsd-security@freebsd.org Mon Oct 26 12:37:10 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5FE718188 for ; Mon, 26 Oct 2015 12:37:10 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "cell.glebius.int.ru", Issuer "cell.glebius.int.ru" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EC6DF1829; Mon, 26 Oct 2015 12:37:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from think.nginx.com (think.glebius.int.ru [81.19.69.13]) by cell.glebius.int.ru (8.15.2/8.15.2) with ESMTPS id t9QCb17G032482 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 26 Oct 2015 15:37:01 +0300 (MSK) (envelope-from security-advisories@freebsd.org) Received: from think.nginx.com (localhost [127.0.0.1]) by think.nginx.com (8.15.2/8.15.2) with ESMTPS id t9QCa252044236 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 26 Oct 2015 15:36:02 +0300 (MSK) (envelope-from security-advisories@freebsd.org) Received: (from glebius@localhost) by think.nginx.com (8.15.2/8.15.2/Submit) id t9QCa2xj044234; Mon, 26 Oct 2015 12:36:02 GMT (envelope-from security-advisories@freebsd.org) Date: Mon, 26 Oct 2015 12:36:02 GMT Message-Id: <201510261236.t9QCa2xj044234@think.nginx.com> X-Authentication-Warning: think.nginx.com: glebius set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Reply-To: freebsd-security@freebsd.org Precedence: bulk X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 12:37:10 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-15:25.ntp Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities of ntp Category: contrib Module: ntp Announced: 2015-10-26 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6) 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23) 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE) 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29) CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/. I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and 10.1 are not affected. If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition. [CVE-2015-7855] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to crash, with the hypothetical possibility of a small code injection. [CVE-2015-7854] A negative value for the datalen parameter will overflow a data buffer. NTF's ntpd(8) driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this) then ntpd would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd the attacker could effect a code injection attack. [CVE-2015-7853] If an attacker can figure out the precise moment that ntpq(8) is listening for data and the port number it is listening on or if the attacker can provide a malicious instance ntpd(8) that victims will connect to then an attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected thru the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848]. The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets. If ntpd(8) is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory. [CVE-2015-7701]. The default configuration of ntpd(8) within FreeBSD does not use autokey. If ntpd(8) is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it's possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files. [CVE-2015-5196]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration An ntpd(8) client that honors Kiss-of-Death responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. [CVE-2015-7704] The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. [CVE-2015-7702]. The default configuration of ntpd(8) within FreeBSD does not use autokey. III. Impact An attacker which can send NTP packets to ntpd(8), which uses cryptographic authentication of NTP data, may be able to inject malicious time data causing the system clock to be set incorrectly. [CVE-2015-7871] An attacker which can send NTP packets to ntpd(8), can block the communication of the daemon with time servers, causing the system clock not being synchronized. [CVE-2015-7704] An attacker which can send NTP packets to ntpd(8), can remotely crash the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] An attacker which can send NTP packets to ntpd(8), can remotely trigger the daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce risk associated with the attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 # bunzip2 ntp-102.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc # gpg --verify ntp-102.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2 # bunzip2 ntp-101.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc # gpg --verify ntp-101.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2 # bunzip2 ntp-93.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc # gpg --verify ntp-93.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # find contrib/ntp -type f -empty -delete c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html. d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and with help of the etcupdate(8) tool on 10.1-RELEASE. Restart the ntpd(8) daemon, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r289998 releng/9.3/ r290001 stable/10/ r289997 releng/10.1/ r290000 releng/10.2/ r289999 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN VII. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871 The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/ RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM 7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15 rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6 JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB 8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk EUlBT3ViDhHNrI7PTaiI =djPm -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Mon Oct 26 15:59:17 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 974CD8821 for ; Mon, 26 Oct 2015 15:59:17 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from mail.in-addr.com (mail.in-addr.com [IPv6:2a01:4f8:191:61e8::2525:2525]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 406001096; Mon, 26 Oct 2015 15:59:17 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from gjp by mail.in-addr.com with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1ZqkB1-000IGe-4Q; Mon, 26 Oct 2015 15:59:15 +0000 Date: Mon, 26 Oct 2015 15:59:15 +0000 From: Gary Palmer To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Message-ID: <20151026155915.GA39073@in-addr.com> References: <201510261236.t9QCa2cm044240@think.nginx.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <201510261236.t9QCa2cm044240@think.nginx.com> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: gpalmer@freebsd.org X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 15:59:17 -0000 Hi, Anyone else done the update on FreeBSD 9.3? After rebuilding the world I'm getting an error when running ntpdc or ntpq % ntpdc -np /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed Abort Thanks, Gary On Mon, Oct 26, 2015 at 12:36:02PM +0000, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-15:25.ntp Security Advisory > The FreeBSD Project > > Topic: Multiple vulnerabilities of ntp > > Category: contrib > Module: ntp > Announced: 2015-10-26 > Credits: Network Time Foundation > Affects: All supported versions of FreeBSD. > Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) > 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6) > 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23) > 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE) > 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29) > CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, > CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, > CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, > CVE-2015-7871 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit https://security.FreeBSD.org/. > > I. Background > > The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) > used to synchronize the time of a computer system to a reference time > source. > > II. Problem Description > > Crypto-NAK packets can be used to cause ntpd(8) to accept time from an > unauthenticated ephemeral symmetric peer by bypassing the authentication > required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and > 10.1 are not affected. > > If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusual > long data value where a network address is expected, the decodenetnum() > function will abort with an assertion failure instead of simply returning > a failure condition. [CVE-2015-7855] > > If ntpd(8) is configured to allow remote configuration, and if the > (possibly spoofed) source IP address is allowed to send remote > configuration requests, and if the attacker knows the remote > configuration password or if ntpd(8) was configured to disable > authentication, then an attacker can send a set of packets to ntpd(8) that > may cause it to crash, with the hypothetical possibility of a small code > injection. [CVE-2015-7854] > > A negative value for the datalen parameter will overflow a data buffer. > NTF's ntpd(8) driver implementations always set this value to 0 and are > therefore not vulnerable to this weakness. If you are running a custom > refclock driver in ntpd(8) and that driver supplies a negative value for > datalen (no custom driver of even minimal competence would do this) > then ntpd would overflow a data buffer. It is even hypothetically > possible in this case that instead of simply crashing ntpd the > attacker could effect a code injection attack. [CVE-2015-7853] > > If an attacker can figure out the precise moment that ntpq(8) is listening > for data and the port number it is listening on or if the attacker can > provide a malicious instance ntpd(8) that victims will connect to then an > attacker can send a set of crafted mode 6 response packets that, if > received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] > > If ntpd(8) is configured to allow remote configuration, and if the > (possibly spoofed) IP address is allowed to send remote configuration > requests, and if the attacker knows the remote configuration password > or if ntpd(8) was configured to disable authentication, then an attacker > can send a set of packets to ntpd that may cause ntpd(8) to overwrite > files. [CVE-2015-7851]. The default configuration of ntpd(8) within > FreeBSD does not allow remote configuration. > > If ntpd(8) is configured to allow remote configuration, and if the > (possibly spoofed) source IP address is allowed to send remote > configuration requests, and if the attacker knows the remote > configuration password or if ntpd(8) was configured to disable > authentication, then an attacker can send a set of packets to ntpd > that will cause it to crash and/or create a potentially huge log > file. Specifically, the attacker could enable extended logging, > point the key file at the log file, and cause what amounts to an > infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8) > within FreeBSD does not allow remote configuration. > > If ntpd(8) is configured to allow remote configuration, and if the > (possibly spoofed) source IP address is allowed to send remote > configuration requests, and if the attacker knows the remote > configuration password or if ntpd was configured to disable > authentication, then an attacker can send a set of packets to > ntpd that may cause a crash or theoretically perform a code > injection attack. [CVE-2015-7849]. The default configuration of ntpd(8) > within FreeBSD does not allow remote configuration. > > If ntpd(8) is configured to enable mode 7 packets, and if the use > of mode 7 packets is not properly protected thru the use of the > available mode 7 authentication and restriction mechanisms, and > if the (possibly spoofed) source IP address is allowed to send > mode 7 queries, then an attacker can send a crafted packet to > ntpd that will cause it to crash. [CVE-2015-7848]. The default > configuration of ntpd(8) within FreeBSD does not allow mode 7 > packets. > > If ntpd(8) is configured to use autokey, then an attacker can send > packets to ntpd that will, after several days of ongoing attack, > cause it to run out of memory. [CVE-2015-7701]. The default > configuration of ntpd(8) within FreeBSD does not use autokey. > > If ntpd(8) is configured to allow for remote configuration, and if > the (possibly spoofed) source IP address is allowed to send > remote configuration requests, and if the attacker knows the > remote configuration password, it's possible for an attacker > to use the "pidfile" or "driftfile" directives to potentially > overwrite other files. [CVE-2015-5196]. The default configuration > of ntpd(8) within FreeBSD does not allow remote configuration > > An ntpd(8) client that honors Kiss-of-Death responses will honor > KoD messages that have been forged by an attacker, causing it > to delay or stop querying its servers for time updates. Also, > an attacker can forge packets that claim to be from the target > and send them to servers often enough that a server that > implements KoD rate limiting will send the target machine a > KoD response to attempt to reduce the rate of incoming packets, > or it may also trigger a firewall block at the server for > packets from the target machine. For either of these attacks > to succeed, the attacker must know what servers the target > is communicating with. An attacker can be anywhere on the > Internet and can frequently learn the identity of the target's > time source by sending the target a time query. [CVE-2015-7704] > > The fix for CVE-2014-9750 was incomplete in that there were > certain code paths where a packet with particular autokey > operations that contained malicious data was not always being > completely validated. Receipt of these packets can cause ntpd > to crash. [CVE-2015-7702]. The default configuration of ntpd(8) > within FreeBSD does not use autokey. > > III. Impact > > An attacker which can send NTP packets to ntpd(8), which uses cryptographic > authentication of NTP data, may be able to inject malicious time data > causing the system clock to be set incorrectly. [CVE-2015-7871] > > An attacker which can send NTP packets to ntpd(8), can block the > communication of the daemon with time servers, causing the system > clock not being synchronized. [CVE-2015-7704] > > An attacker which can send NTP packets to ntpd(8), can remotely crash > the daemon, sending malicious data packet. [CVE-2015-7855] [CVE-2015-7854] > [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] > > An attacker which can send NTP packets to ntpd(8), can remotely > trigger the daemon to overwrite its configuration files. [CVE-2015-7851] > [CVE-2015-5196] > > IV. Workaround > > No workaround is available, but systems not running ntpd(8) are not > affected. Network administrators are advised to implement BCP-38, > which helps to reduce risk associated with the attacks. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. > > 2) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > > The ntpd service has to be restarted after the update. A reboot is > recommended but not required. > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 10.2] > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 > # bunzip2 ntp-102.patch.bz2 > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc > # gpg --verify ntp-102.patch.asc > > [FreeBSD 10.1] > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2 > # bunzip2 ntp-101.patch.bz2 > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc > # gpg --verify ntp-101.patch.asc > > [FreeBSD 9.3] > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2 > # bunzip2 ntp-93.patch.bz2 > # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc > # gpg --verify ntp-93.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # find contrib/ntp -type f -empty -delete > > c) Recompile the operating system using buildworld and installworld as > described in https://www.FreeBSD.org/handbook/makeworld.html. > > d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, > which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and > with help of the etcupdate(8) tool on 10.1-RELEASE. > > Restart the ntpd(8) daemon, or reboot the system. > > VI. Correction details > > The following list contains the correction revision numbers for each > affected branch. > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/9/ r289998 > releng/9.3/ r290001 > stable/10/ r289997 > releng/10.1/ r290000 > releng/10.2/ r289999 > - ------------------------------------------------------------------------- > > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: > > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base > > Or visit the following URL, replacing NNNNNN with the revision number: > > https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN > > VII. References > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871 > > The latest revision of this advisory is available at > https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D > sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/ > RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA > RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM > 7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq > mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv > q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15 > rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6 > JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ > qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB > 8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk > EUlBT3ViDhHNrI7PTaiI > =djPm > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org" > From owner-freebsd-security@freebsd.org Mon Oct 26 16:14:00 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7DE0D8C17 for ; Mon, 26 Oct 2015 16:14:00 +0000 (UTC) (envelope-from dereks@lifeofadishwasher.com) Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2AD39190C for ; Mon, 26 Oct 2015 16:14:00 +0000 (UTC) (envelope-from dereks@lifeofadishwasher.com) Received: by qgem9 with SMTP id m9so123241202qge.1 for ; Mon, 26 Oct 2015 09:13:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifeofadishwasher.com; s=google; h=date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=0CJc0KsPeZFAmMrmVxoEnwIW5InCs0oF/sIMBpkSYbU=; b=GDBODjpUK4zk2IFlzbhTxDryL/TILPqY8hpvztYfsnDWZ1ctWschbLl9dNKU+OT3bo ynkLmnB4W65tnGclYtTGaMaG0G+eFyIyGa97WK9IdSzWl6TXD7+AYIwXMAnvZBeTIttg Bv8crdqIOJesTGoIvGPT7vv/KunLx9F7hhX6E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=0CJc0KsPeZFAmMrmVxoEnwIW5InCs0oF/sIMBpkSYbU=; b=M0969ZRUbBgWYjHhxVtfd3hN/rRbtx1gO2XbXKgpH72cg3Opu4S0shf8PC+3QrFbJ6 fTZeD5Rrb/m4OR38HDukjanZUCAKMScctuZl2L7vPAcBMp31noKnfxLPK5NY8v5dKlkM aRkJtHmDtAwL99KlTYGlm63SmuUsxBMmlDXxncFJnVUy0BSoKAU23+xnkmoCGH/CmBKN fLpjhoCig1y30OhcWEc4IXLfUU3BZcgEP7ICLuhO21889vcn7EWxEG4Y0O8ujcRmyuYK l9fUaz8+lZrvZqcEbn2Qu0cg7b6maGQpihGWAnOCEahqYvAUuUsrBTkueZGl8cNfuKJn Gf7w== X-Gm-Message-State: ALoCoQn/VT9AQrRdHczyW29fKKLekyNnIUJlq7PXYmJGXw/iEuEloYjw0OvTfDPZ9LjimNzySmlt X-Received: by 10.140.156.18 with SMTP id c18mr9316572qhc.85.1445876039126; Mon, 26 Oct 2015 09:13:59 -0700 (PDT) Received: from lifeofadishwasher.com (c-71-206-246-125.hsd1.pa.comcast.net. [71.206.246.125]) by smtp.gmail.com with ESMTPSA id m73sm13353443qkl.6.2015.10.26.09.13.57 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Oct 2015 09:13:58 -0700 (PDT) Received: by lifeofadishwasher.com (sSMTP sendmail emulation); Mon, 26 Oct 2015 12:13:56 -0400 Date: Mon, 26 Oct 2015 12:13:56 -0400 From: Derek Schrock To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Message-ID: <20151026161356.GA1264@ircbsd> References: <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151026155915.GA39073@in-addr.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 16:14:00 -0000 On Mon, Oct 26, 2015 at 11:59:15AM EDT, Gary Palmer wrote: > > Hi, > > Anyone else done the update on FreeBSD 9.3? After rebuilding the world > I'm getting an error when running ntpdc or ntpq > > % ntpdc -np > /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed > Abort > Yes From owner-freebsd-security@freebsd.org Mon Oct 26 17:23:36 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A115EA1EC27 for ; Mon, 26 Oct 2015 17:23:36 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2D1BC1D16 for ; Mon, 26 Oct 2015 17:23:36 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from zero-gravitas.local (no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged)) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.2/8.15.2) with ESMTPSA id t9QHNJf7025068 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Mon, 26 Oct 2015 17:23:25 GMT (envelope-from matthew@FreeBSD.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org DKIM-Filter: OpenDKIM Filter v2.10.3 smtp.infracaninophile.co.uk t9QHNJf7025068 Authentication-Results: smtp.infracaninophile.co.uk/t9QHNJf7025068; dkim=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged) claimed to be zero-gravitas.local Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp To: freebsd-security@freebsd.org References: <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> <20151026161356.GA1264@ircbsd> From: Matthew Seaman X-Enigmail-Draft-Status: N1110 Message-ID: <562E6180.5060104@FreeBSD.org> Date: Mon, 26 Oct 2015 17:23:12 +0000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <20151026161356.GA1264@ircbsd> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="M1rhegWLFwXiX1B25wJ1FbhroUgrOLsUu" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-Mailman-Approved-At: Mon, 26 Oct 2015 17:35:06 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 17:23:36 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --M1rhegWLFwXiX1B25wJ1FbhroUgrOLsUu Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 2015/10/26 16:13, Derek Schrock wrote: > On Mon, Oct 26, 2015 at 11:59:15AM EDT, Gary Palmer wrote: >> >> Hi, >> >> Anyone else done the update on FreeBSD 9.3? After rebuilding the worl= d >> I'm getting an error when running ntpdc or ntpq >> >> % ntpdc -np >> /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:2= 21: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action= )) =3D=3D 0) ? 0 : 34) =3D=3D 0) failed >> Abort >> >=20 > Yes I'm seeing a SEGV on startup of ntpd on 10.2-RELEASE-p6: Oct 26 17:14:33 vhost-2 kernel: pid 35200 (ntpd), uid 0: exited on signal 11 (core dumped) This is from freebsd-update(8). I've a core dump available, but it's not very illuminating without any debug symbols. Cheers, Matthew --M1rhegWLFwXiX1B25wJ1FbhroUgrOLsUu Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQJ8BAEBCgBmBQJWLmGHXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTn25MP/3JlfX158TJJHOKkArMrtkd0 1JzH/KmIyBgWRQxicoN88HEek3dxw+CL8+TvIHXv5EWk4vygdrhQAKkOFPv2xHVG ZuRP7JadJYaWjiHv+3EAZ7FntKCtiAKfCekFCtpfqlhD4jlZleUFR29WDFYYkYmJ z5VgKYYq/bKL5lDl02+McuGtdEdqALwV/i7sEaq9cPfkn5utdCF8DUmufBFxhhA+ thyGTQ9BurhvX3UT+jchVTJKGZdExZ/1UHGuMHGUmlxmR5sGkgokyFw8znaXUNzA pkyxa8w652e83V9eqWz8lyBoUwoREpdb68Ku+PvUm3UT0Cg81yzZZSyKRVS28psl ffnmBOusL/D2oKBY/DMBpGjgXyKwrAUA2RcZ8ru0WcLnZT7r9YYkE1/m4Tp/GZ++ ErFq/ii5utaFkHtWeXGrxoHXWlAigYb2wzs9V5sXlxcA355UBaViR4wgayp/Go01 rVfUpy73SKV5hJk07bo04i0HD7CRzfDpXqncavPmBYEBEmmKtBMQizWRfCUZc12T Il33T6E0hspxJnBWS76k+Oc6D5uFA0xMjNKTLU1nPC91B1uxmPAChtwaxSBMg9xi 1Tv8Tmr8PmCJWPYvW2U8sXqiwuzF9P5Ro6qTxvalo+A+zGSnoQ2t/rIpjxmUr6GM nyJjF5QLeIUEUOjs/dcz =74X6 -----END PGP SIGNATURE----- --M1rhegWLFwXiX1B25wJ1FbhroUgrOLsUu-- From owner-freebsd-security@freebsd.org Mon Oct 26 17:54:08 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9F0AF82F0 for ; Mon, 26 Oct 2015 17:54:08 +0000 (UTC) (envelope-from SRS0+BfSK=K6=schulte.org=christopher@briareus.schulte.org) Received: from briareus.schulte.org (briareus.schulte.org [198.204.225.190]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6D24D120B; Mon, 26 Oct 2015 17:54:08 +0000 (UTC) (envelope-from SRS0+BfSK=K6=schulte.org=christopher@briareus.schulte.org) Received: from briareus.schulte.org (localhost [127.0.0.1]) by briareus.schulte.org (Postfix) with ESMTP id 95359277B4; Mon, 26 Oct 2015 12:52:14 -0500 (CDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=schulte.org; h=from:to :cc:subject:date:message-id:references:in-reply-to:content-type :mime-version; s=20130123; i=christopher@schulte.org; bh=wcABAJP 5jDW+lFiJTp2hpHBXFZ2ErPhwHn5y81lE4Iw=; b=GJg9lRHdOLz2sVusgm0awbx LYpur8f0kjgi1awEf9I1bblbDGqQ9hqp6Kqog4ymXygT7w/FankTnCG5gzzKLtp1 byszRaZYtolyY5dyK5pnKlf0hAUYACE/+elyfvgPikbP3xMY6bmZSdvPViV9kNM8 GXkoBStYGCQ58YM2va8E= x-schulte-info1: relayed through postfix client submission Received: from exchange2013.windows2012r2.schulte.org (10.200.1.188) by exchange2013.windows2012r2.schulte.org (10.200.1.188) with Microsoft SMTP Server (TLS) id 15.0.847.32; Mon, 26 Oct 2015 12:52:12 -0500 Received: from exchange2013.windows2012r2.schulte.org ([fe80::695c:2eae:3d60:8cd7]) by exchange2013.windows2012r2.schulte.org ([fe80::695c:2eae:3d60:8cd7%16]) with mapi id 15.00.0847.040; Mon, 26 Oct 2015 12:52:12 -0500 From: Christopher Schulte To: "freebsd-security@freebsd.org" CC: Matthew Seaman Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Thread-Topic: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Thread-Index: AQHREAdD/aQo17ha00uiNs0MwD8nIp5+RmMAgAATWwCAAAgaAA== Date: Mon, 26 Oct 2015 17:52:12 +0000 Message-ID: <1277A6B4-29F6-44B5-9342-4B2BDC9F7CFB@schulte.org> References: <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> <20151026161356.GA1264@ircbsd> <562E6180.5060104@FreeBSD.org> In-Reply-To: <562E6180.5060104@FreeBSD.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-schulteexchange-note1: origination IP removed Content-Type: multipart/signed; boundary="Apple-Mail=_38199BAD-5092-438B-96AC-B4AA72718EA0"; protocol="application/pkcs7-signature"; micalg=sha1 MIME-Version: 1.0 X-Virus-Scanned: ClamAV using ClamSMTP X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 17:54:08 -0000 --Apple-Mail=_38199BAD-5092-438B-96AC-B4AA72718EA0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 > On Oct 26, 2015, at 12:23 PM, Matthew Seaman = wrote: >=20 > I'm seeing a SEGV on startup of ntpd on 10.2-RELEASE-p6: >=20 > Oct 26 17:14:33 vhost-2 kernel: pid 35200 (ntpd), uid 0: exited on > signal 11 (core dumped) >=20 > This is from freebsd-update(8). I've a core dump available, but it's > not very illuminating without any debug symbols. >=20 > Cheers, >=20 > Matthew I was seeing the same thing on multiple systems, after running = freebsd-update and then bouncing ntpd. I rebooted one of the = problematic boxes; ntpd then started cleanly. I haven=92t tested this = across the board yet, though. Config: # freebsd-version -uk 10.2-RELEASE 10.2-RELEASE-p6 # uname -a FreeBSD mybox 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 = 15:26:37 UTC 2015 = root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64= --Apple-Mail=_38199BAD-5092-438B-96AC-B4AA72718EA0 Content-Disposition: attachment; filename="smime.p7s" Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIMvzCCBjQw ggQcoAMCAQICASAwDQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0 Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAn BgNVBAMTIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA3MTAyNDIxMDI1NVoX DTE3MTAyNDIxMDI1NVowgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSsw KQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFy dENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAMsohUWcASz7GfKrpTOMKqANy9BV7V0igWdGxA8IU77L3aTxErQ+ fcxtDYZ36Z6GH0YFn7fq5RADteP0AYzrCA+EQTfi8q1+kA3m0nwtwXG94M5sIqsvs7lRP1aycBke /s5g9hJHryZ2acScnzczjBCAo7X1v5G3yw8MDP2m2RCye0KfgZ4nODerZJVzhAlOD9YejvAXZqHk sw56HzElVIoYSZ3q4+RJuPXXfIoyby+Y2m1E+YzX5iCZXBx05gk6MKAW1vaw4/v2OOLy6FZH3XHH tOkzUreG//CsFnB9+uaYSlR65cdGzTsmoIK8WH1ygoXhRBm98SD7Hf/r3FELNvUCAwEAAaOCAa0w ggGpMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSuVYNv7DHKufcd +q9rMfPIHeOsuzAfBgNVHSMEGDAWgBROC+8apEBbpRdphzDKNGhD0EGu8jBmBggrBgEFBQcBAQRa MFgwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbS9jYTAtBggrBgEFBQcwAoYh aHR0cDovL3d3dy5zdGFydHNzbC5jb20vc2ZzY2EuY3J0MFsGA1UdHwRUMFIwJ6AloCOGIWh0dHA6 Ly93d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNybDAnoCWgI4YhaHR0cDovL2NybC5zdGFydHNzbC5j b20vc2ZzY2EuY3JsMIGABgNVHSAEeTB3MHUGCysGAQQBgbU3AQIBMGYwLgYIKwYBBQUHAgEWImh0 dHA6Ly93d3cuc3RhcnRzc2wuY29tL3BvbGljeS5wZGYwNAYIKwYBBQUHAgEWKGh0dHA6Ly93d3cu c3RhcnRzc2wuY29tL2ludGVybWVkaWF0ZS5wZGYwDQYJKoZIhvcNAQEFBQADggIBADqpJw3I07QW ke9plNBpxUxcffc7nUrIQpJHDci91DFG7fVhHRkMZ1J+BKg5UNUxIFJ2Z9B90Micc/NXcs7kPBRd n6XGO/vPc87Y6R+cWS9Nc9+fp3Enmsm94OxOwI9wn8qnr/6o3mD4noP9JphwUPTXwHovjavRnhUQ HLfo/i2NG0XXgTHXS2Xm0kVUozXqpYpAdumMiB/vezj1QHQJDmUdPYMcp+reg9901zkyT3fDW/iv JVv6pWtkh6Pw2ytZT7mvg7YhX3V50Nv860cV11mocUVcqBLv0gcT+HBDYtbuvexNftwNQKD5193A 7zN4vG7CTYkXxytSjKuXrpEatEiFPxWgb84nVj25SU5q/r1Xhwby6mLhkbaXslkVtwEWT3Van49r KjlK4XrUKYYWtnfzq6aSak5u0Vpxd1rY79tWhD3EdCvOhNz/QplNa+VkIsrcp7+8ZhP1l1b2U6Ma xIVteuVMD3X0vziIwr7jxYae9FZjbxlpUemqXjcC0QaFfN7qI0JsQMALL7iGRBg7K0CoOBzECdD3 fuZil5kU/LP9cr1BK31U0Uy651bFnAMMMkqhAChIbn0ei72VnbpSsrrSdF0BAGYQ8vyHae5aCg+H 75dVCV33K6FuxZrf09yTz+Vx/PkdRUYkXmZz/OTfyJXsUOUXrym6KvI2rYpccSk5MIIGgzCCBWug AwIBAgICP3swDQYJKoZIhvcNAQEFBQAwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENv bSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYD VQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQTAeFw0x MzEyMDEwMDI3MTRaFw0xNTEyMDIxNzE0MjBaMIGaMRkwFwYDVQQNExBUVDlHZDlCNEYyMWg4dlND MQswCQYDVQQGEwJVUzESMBAGA1UECBMJTWlubmVzb3RhMRYwFAYDVQQHEw1Ccm9va2x5biBQYXJr MRwwGgYDVQQDExNDaHJpc3RvcGhlciBTY2h1bHRlMSYwJAYJKoZIhvcNAQkBFhdjaHJpc3RvcGhl ckBzY2h1bHRlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALKPhuNOCZK0CMSh zn06teQRGkHFnQQ20fIYoX7SpBH2UBMbB9IgqIv1aS87ECnmvZXZM9zEiHyRoOZHJBbX8G/4JBau Cku8AtAfxT+uW3XCqS2gXOsfB8ZNuzAoaDtShdTzEeKuReE6kj0BhsI3oaKXgRcLcOGoelcDZ2wf RZGEpsuW8yiidrhaL815p9Z8+rclqf6WuM/tpKhEs0bUq1PGqQwnW8Pl7ZdpoEGTl4vAHYQRq9rU o6loVnmZ0h3x5equPYQCSz1YMpmqcortPYHKHm1Y42YhV8qtMf7n2C+Q80r83UCMjbtwZY5JuV+u lvpk7dmOmiYuEieJs38X8xECAwEAAaOCAt0wggLZMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0G A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQUdfOQwtBhqAgHKEOKbClY6XXY 898wHwYDVR0jBBgwFoAUrlWDb+wxyrn3HfqvazHzyB3jrLswIgYDVR0RBBswGYEXY2hyaXN0b3Bo ZXJAc2NodWx0ZS5vcmcwggFMBgNVHSAEggFDMIIBPzCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggr BgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUHAgIw geowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqBvlRoaXMgY2VydGlm aWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENsYXNzIDIgVmFsaWRhdGlvbiByZXF1 aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhl IGludGVuZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxp Z2F0aW9ucy4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0dTIt Y3JsLmNybDCBjgYIKwYBBQUHAQEEgYEwfzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRz c2wuY29tL3N1Yi9jbGFzczIvY2xpZW50L2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0 c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MyLmNsaWVudC5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0cDov L3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQA5BXUGkSf2khynbNShAG6MVxva 0/GnPhantmNe/Z0YmkEn2nSTYJVuapWpGiJul70rgbe/Y0cx0cF6XaQqlZ4YOPeWIU3CI03vMafp A+8lBF86dXspPTlNmn/XSIqpYv2crkOWIZFKW/GqeSiHwoajiNtvdvvLC0ZFuL7hcMHQD/ahZ8vf a+c8O64WF9VsqhDMSLu0EPvI1pLKWVyj6JPFl4YD57JcXzWU3swJMxL5pPkzwjGU9EFUMdnRmNXD oWEmxVUgmku0cb4yUHynkHG4BBCg+LVnz3GHY5scB9bemvqdfpVH2BCbrclBm2Rzrw9XCdWEx9cU fwNo4w6agw0LMYIDbDCCA2gCAQEwgZMwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENv bSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYD VQQDEy9TdGFydENvbSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQQICP3sw CQYFKw4DAhoFAKCCAa0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN MTUxMDI2MTc1MjEyWjAjBgkqhkiG9w0BCQQxFgQUv7ZppXwnAGaPrsp1ot1D14kqOTgwgaQGCSsG AQQBgjcQBDGBljCBkzCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0 Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENBAgI/ezCBpgYLKoZIhvcN AQkQAgsxgZaggZMwgYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYD VQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENv bSBDbGFzcyAyIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQQICP3swDQYJKoZIhvcNAQEB BQAEggEAdP8RxZ9FbYpc11jNOWyz1vdGBRYyq+vRc9jjkvaUA8F/y4oCv7moIq2it+PvnB13HaPJ l03I+Pb60JODAMuR+gHJvXgwR6D++kmrGXEL2TtxDG7mMxPDd3t7uvpmdCNf6/Ii6Sncc00bx2dw 9b1V2MwN5QSqvV9xtTcJuHh27coFuZ+GgedNunGxLSzS6lxH1vYc9iq6TTD3SyUml4pwaFcZ8UvO cNAtr3ubz3oAYMBoYOkXwGL9FfWlK1dAVQTGur9nKcLjOr/lnot2H3sWKDNmbVLN9QEgQwqick+I eJJN99R9qZjUMNwcyLdFH5kEExickuquwHzcMp8INJ674wAAAAAAAA== --Apple-Mail=_38199BAD-5092-438B-96AC-B4AA72718EA0-- From owner-freebsd-security@freebsd.org Mon Oct 26 18:11:06 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3622186DB for ; Mon, 26 Oct 2015 18:11:06 +0000 (UTC) (envelope-from dereks@lifeofadishwasher.com) Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E15041B34 for ; Mon, 26 Oct 2015 18:11:05 +0000 (UTC) (envelope-from dereks@lifeofadishwasher.com) Received: by qgad10 with SMTP id d10so126384729qga.3 for ; Mon, 26 Oct 2015 11:11:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifeofadishwasher.com; s=google; h=date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=Y+hP0gPlfBYkjf2Rls11QrjpPW4jWu8NhBoe7jJMENE=; b=cvUZuCOuJtNmqlWLm7D/+y0Iy1cuJiedeRys5Cs98tNC/oY/uIAEBu+7XBsbHKXZy0 /4l+yYwVyz1xyQq+tdmj2xvxuqzCsWPwheh7/B3phgeDDMloEstuFdayURbU78sQD+bJ SywhKQDX+lWWXuM4hodL0x7b/BKx9SbCBDvbM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-type:content-disposition :content-transfer-encoding:in-reply-to:user-agent; bh=Y+hP0gPlfBYkjf2Rls11QrjpPW4jWu8NhBoe7jJMENE=; b=gaH59ManFsS62i1vJ1pgaiiWh8lIQ7DYqoJ7FwuLRRBN8mCCA6CM9arGF3AUknE2uK 6ExnFrSru/NniiFUEnwDlkqHe9F+6f2Ph4R4hKZ1fuVb8y1AsE4L8y/aLMsLuy3skaWx SVbeK5kOMLTC/GxGT7Jlzo32L4w7Cl8zhu+0hdQTLSCxEYqmGs+RLT3AAt6tO6hTheTl PZ2bPMnefTgmRfAcAgalj56PTFyMfOyV08XdOFaRqE2M8zUkKbOfIy/6USmJ1eU7T1f/ Sz7hV3Hv2Evuc6GpHeN6LXIMtQ6WuX6uBNQQ7jLQVWZ79JUBp8uDFmHujFE9KCebZ/7Q O0HQ== X-Gm-Message-State: ALoCoQnXOLL+G6EYCHi7TKVrk27kjDCFMXXtxFYsg5LHVzovFu9E3GxKIB5OUWRoSqo7CwehJu+F X-Received: by 10.140.31.199 with SMTP id f65mr44036954qgf.22.1445883065051; Mon, 26 Oct 2015 11:11:05 -0700 (PDT) Received: from lifeofadishwasher.com (c-71-206-246-125.hsd1.pa.comcast.net. [71.206.246.125]) by smtp.gmail.com with ESMTPSA id v10sm13506453qgv.32.2015.10.26.11.11.03 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Oct 2015 11:11:04 -0700 (PDT) Received: by lifeofadishwasher.com (sSMTP sendmail emulation); Mon, 26 Oct 2015 14:11:02 -0400 Date: Mon, 26 Oct 2015 14:11:02 -0400 From: Derek Schrock To: "freebsd-security@freebsd.org" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Message-ID: <20151026181102.GA1889@ircbsd> References: <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> <20151026161356.GA1264@ircbsd> <562E6180.5060104@FreeBSD.org> <1277A6B4-29F6-44B5-9342-4B2BDC9F7CFB@schulte.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1277A6B4-29F6-44B5-9342-4B2BDC9F7CFB@schulte.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 18:11:06 -0000 On Mon, Oct 26, 2015 at 01:52:12PM EDT, Christopher Schulte wrote: > > On Oct 26, 2015, at 12:23 PM, Matthew Seaman wrote: > > > > I'm seeing a SEGV on startup of ntpd on 10.2-RELEASE-p6: > > > > Oct 26 17:14:33 vhost-2 kernel: pid 35200 (ntpd), uid 0: exited on > > signal 11 (core dumped) > > > > This is from freebsd-update(8). I've a core dump available, but it's > > not very illuminating without any debug symbols. > > > > Cheers, > > > > Matthew > > I was seeing the same thing on multiple systems, after running freebsd-update and then bouncing ntpd. I rebooted one of the problematic boxes; ntpd then started cleanly. I haven’t tested this across the board yet, though. > > Config: > > # freebsd-version -uk > 10.2-RELEASE > 10.2-RELEASE-p6 > > # uname -a > FreeBSD mybox 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 I'm not having any issues with ntpd on either 10.2 and 9.3 however on 9.3 the ntp query utilities (ntpdc and ntpq) both crash with sig 6: ... Oct 26 11:37:48 host ntpd[49294]: ntpd 4.2.8p4-a (1): Starting ... However 9.3 ntpq and ntpdc: # ntpq /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed Abort trap (core dumped) # ntpdc /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed Abort trap (core dumped) # I don't know how much value you can get out of a stripped bt for ntpq: #0 0x000000080115004c in kill () from /lib/libc.so.7 #1 0x000000080114ec7b in abort () from /lib/libc.so.7 #2 0x0000000000418ad7 in ?? () #3 0x0000000000418b2f in ?? () #4 0x0000000000413039 in ?? () #5 0x0000000000411e43 in ?? () #6 0x000000000040767b in ?? () #7 0x0000000000403a61 in ?? () #8 0x0000000800658000 in ?? () #9 0x0000000000000000 in ?? () and ntpdc: #0 0x000000080139904c in kill () from /lib/libc.so.7 #1 0x0000000801397c7b in abort () from /lib/libc.so.7 #2 0x0000000000415f27 in ?? () #3 0x0000000000415f7f in ?? () #4 0x0000000000410489 in ?? () #5 0x000000000040f293 in ?? () #6 0x0000000000405f86 in ?? () #7 0x0000000000403991 in ?? () #8 0x0000000800653000 in ?? () #9 0x0000000000000000 in ?? () From owner-freebsd-security@freebsd.org Mon Oct 26 20:46:46 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DBEB7A1ED10 for ; Mon, 26 Oct 2015 20:46:46 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from mail.in-addr.com (mail.in-addr.com [IPv6:2a01:4f8:191:61e8::2525:2525]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A13A21872 for ; Mon, 26 Oct 2015 20:46:46 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from gjp by mail.in-addr.com with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1ZqofD-000B8r-3w for freebsd-security@freebsd.org; Mon, 26 Oct 2015 20:46:43 +0000 Date: Mon, 26 Oct 2015 20:46:42 +0000 From: Gary Palmer To: "freebsd-security@freebsd.org" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Message-ID: <20151026204642.GB39073@in-addr.com> References: <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> <20151026161356.GA1264@ircbsd> <562E6180.5060104@FreeBSD.org> <1277A6B4-29F6-44B5-9342-4B2BDC9F7CFB@schulte.org> <20151026181102.GA1889@ircbsd> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151026181102.GA1889@ircbsd> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: gpalmer@freebsd.org X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 20:46:47 -0000 On Mon, Oct 26, 2015 at 02:11:02PM -0400, Derek Schrock wrote: > On Mon, Oct 26, 2015 at 01:52:12PM EDT, Christopher Schulte wrote: > > > On Oct 26, 2015, at 12:23 PM, Matthew Seaman wrote: > > > > > > I'm seeing a SEGV on startup of ntpd on 10.2-RELEASE-p6: > > > > > > Oct 26 17:14:33 vhost-2 kernel: pid 35200 (ntpd), uid 0: exited on > > > signal 11 (core dumped) > > > > > > This is from freebsd-update(8). I've a core dump available, but it's > > > not very illuminating without any debug symbols. > > > > > > Cheers, > > > > > > Matthew > > > > I was seeing the same thing on multiple systems, after running freebsd-update and then bouncing ntpd. I rebooted one of the problematic boxes; ntpd then started cleanly. I haven???t tested this across the board yet, though. > > > > Config: > > > > # freebsd-version -uk > > 10.2-RELEASE > > 10.2-RELEASE-p6 > > > > # uname -a > > FreeBSD mybox 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 15:26:37 UTC 2015 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 > > I'm not having any issues with ntpd on either 10.2 and 9.3 however on > 9.3 the ntp query utilities (ntpdc and ntpq) both crash with sig 6: > > ... > Oct 26 11:37:48 host ntpd[49294]: ntpd 4.2.8p4-a (1): Starting > ... > > > However 9.3 ntpq and ntpdc: > > # ntpq > /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed > Abort trap (core dumped) > # ntpdc > /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/lib/isc/unix/net.c:221: fatal error: RUNTIME_CHECK(((pthread_once((&once), (initialize_action)) == 0) ? 0 : 34) == 0) failed > Abort trap (core dumped) > # > > I don't know how much value you can get out of a stripped bt for ntpq: > > #0 0x000000080115004c in kill () from /lib/libc.so.7 > #1 0x000000080114ec7b in abort () from /lib/libc.so.7 > #2 0x0000000000418ad7 in ?? () > #3 0x0000000000418b2f in ?? () > #4 0x0000000000413039 in ?? () > #5 0x0000000000411e43 in ?? () > #6 0x000000000040767b in ?? () > #7 0x0000000000403a61 in ?? () > #8 0x0000000800658000 in ?? () > #9 0x0000000000000000 in ?? () > > and ntpdc: > #0 0x000000080139904c in kill () from /lib/libc.so.7 > #1 0x0000000801397c7b in abort () from /lib/libc.so.7 > #2 0x0000000000415f27 in ?? () > #3 0x0000000000415f7f in ?? () > #4 0x0000000000410489 in ?? () > #5 0x000000000040f293 in ?? () > #6 0x0000000000405f86 in ?? () > #7 0x0000000000403991 in ?? () > #8 0x0000000800653000 in ?? () > #9 0x0000000000000000 in ?? () Here's my backtrace from 9.3 ntpq on amd64 % gdb /usr/obj/usr/src/usr.sbin/ntp/ntpq/ntpq ntpq.core GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)... Core was generated by `ntpq'. Program terminated with signal 6, Aborted. Reading symbols from /lib/libedit.so.7...(no debugging symbols found)...done. Loaded symbols for /lib/libedit.so.7 Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done. Loaded symbols for /lib/libm.so.5 Reading symbols from /lib/libcrypto.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/libcrypto.so.6 Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done. Loaded symbols for /lib/libc.so.7 Reading symbols from /lib/libncurses.so.8...(no debugging symbols found)...done. Loaded symbols for /lib/libncurses.so.8 Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done. Loaded symbols for /libexec/ld-elf.so.1 #0 0x0000000801147f1c in kill () from /lib/libc.so.7 (gdb) bt #0 0x0000000801147f1c in kill () from /lib/libc.so.7 #1 0x0000000801146b4b in abort () from /lib/libc.so.7 #2 0x0000000000418ad7 in isc_error_fatal () #3 0x0000000000418b2f in isc_error_runtimecheck () #4 0x0000000000413039 in isc_net_probeipv4 () #5 0x0000000000411e43 in init_lib () #6 0x000000000040767b in ntpqmain () #7 0x0000000000403a61 in _start () #8 0x0000000800658000 in ?? () #9 0x0000000000000000 in ?? () (gdb) ntpd is starting OK on the same box, but I have to use a pre-update copy of ntpq to make sure it's synchronised OK. For some reason, a pre-update copy of ntpdc doesn't work, just times out. Regards, Gary From owner-freebsd-security@freebsd.org Mon Oct 26 22:30:51 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5DD208745 for ; Mon, 26 Oct 2015 22:30:51 +0000 (UTC) (envelope-from dereks@lifeofadishwasher.com) Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 182AA1DE6 for ; Mon, 26 Oct 2015 22:30:50 +0000 (UTC) (envelope-from dereks@lifeofadishwasher.com) Received: by qgbb65 with SMTP id b65so132304412qgb.2 for ; Mon, 26 Oct 2015 15:30:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifeofadishwasher.com; s=google; h=date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=PvTgq2GqXh13c0heoVh9YXH7IO440C+IiLsQ2XAheEE=; b=b1gWW8WKIQ+XV6syLTiYAI9CywjjtxJcHK/9VgPBWz/xkiAB6op2W4azHNwW+DWeZm jjiG7BdxPV4fAEHupIdCjj8ba65nS49TfDoJbovpQUOMORgoy7yn+jw5vxiK0h4afoOv 24LVzdm8WPDnPx9JD5/ej+ZXKc6uk1rmkmOZs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=PvTgq2GqXh13c0heoVh9YXH7IO440C+IiLsQ2XAheEE=; b=ZAEGwFdEBNeBOnQs44YXP8lEz8Oa7iLLG9wSNJG1re7IJI82Pdk4yUtANbSBWLJNoM krhAuyoRUa+oz5RdfupBbf4B53mFY8fuwfStkVS3LAuWLEtuQnXw0yvkbVKvaROUJSih UBMO5/uYHkAnc2VZEVbYana/VnwuFle3zuIArIV1VO3kM7BkVCYjHYUN09CwepmkTPwE YOlFNdVCZjFcm7/363twrl0VWaLb+2hdAO+T7UhYYM0Ks4Vk2gbVXzqpEddpehvRjgaZ d91J1l+QieRJNHhDKcNdWpYI4BzvfDvbQyiFXY9C9ryO/I3hpdElLXNhfj973P9TO7YS 2CWg== X-Gm-Message-State: ALoCoQleO0YhHsBB4BAD4+ZI5kFMjHrBnUuFfpmjUusS76NRybo6TM1ztxxFm7s3VPiPM9qA/IFJ X-Received: by 10.140.134.211 with SMTP id 202mr49688002qhg.51.1445898649983; Mon, 26 Oct 2015 15:30:49 -0700 (PDT) Received: from lifeofadishwasher.com (c-71-206-246-125.hsd1.pa.comcast.net. [71.206.246.125]) by smtp.gmail.com with ESMTPSA id h198sm13822928qhc.47.2015.10.26.15.30.48 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Oct 2015 15:30:49 -0700 (PDT) Received: by lifeofadishwasher.com (sSMTP sendmail emulation); Mon, 26 Oct 2015 18:30:47 -0400 Date: Mon, 26 Oct 2015 18:30:47 -0400 From: Derek Schrock To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Message-ID: <20151026223047.GA5688@ircbsd> References: <201510261236.t9QCa2cm044240@think.nginx.com> <20151026155915.GA39073@in-addr.com> <20151026161356.GA1264@ircbsd> <562E6180.5060104@FreeBSD.org> <1277A6B4-29F6-44B5-9342-4B2BDC9F7CFB@schulte.org> <20151026181102.GA1889@ircbsd> <20151026204642.GB39073@in-addr.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151026204642.GB39073@in-addr.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Oct 2015 22:30:51 -0000 On Mon, Oct 26, 2015 at 04:46:42PM EDT, Gary Palmer wrote: > > > Here's my backtrace from 9.3 ntpq on amd64 > > % gdb /usr/obj/usr/src/usr.sbin/ntp/ntpq/ntpq ntpq.core > GNU gdb 6.1.1 [FreeBSD] > Copyright 2004 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and you are > welcome to change it and/or distribute copies of it under certain conditions. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. Type "show warranty" for details. > This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)... > Core was generated by `ntpq'. > Program terminated with signal 6, Aborted. > Reading symbols from /lib/libedit.so.7...(no debugging symbols found)...done. > Loaded symbols for /lib/libedit.so.7 > Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done. > Loaded symbols for /lib/libm.so.5 > Reading symbols from /lib/libcrypto.so.6...(no debugging symbols found)...done. > Loaded symbols for /lib/libcrypto.so.6 > Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done. > Loaded symbols for /lib/libc.so.7 > Reading symbols from /lib/libncurses.so.8...(no debugging symbols found)...done. > Loaded symbols for /lib/libncurses.so.8 > Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done. > Loaded symbols for /libexec/ld-elf.so.1 > #0 0x0000000801147f1c in kill () from /lib/libc.so.7 > (gdb) bt > #0 0x0000000801147f1c in kill () from /lib/libc.so.7 > #1 0x0000000801146b4b in abort () from /lib/libc.so.7 > #2 0x0000000000418ad7 in isc_error_fatal () > #3 0x0000000000418b2f in isc_error_runtimecheck () > #4 0x0000000000413039 in isc_net_probeipv4 () > #5 0x0000000000411e43 in init_lib () > #6 0x000000000040767b in ntpqmain () > #7 0x0000000000403a61 in _start () > #8 0x0000000800658000 in ?? () > #9 0x0000000000000000 in ?? () > (gdb) > > ntpd is starting OK on the same box, but I have to use a pre-update > copy of ntpq to make sure it's synchronised OK. For some reason, > a pre-update copy of ntpdc doesn't work, just times out. FYI: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204046 From owner-freebsd-security@freebsd.org Tue Oct 27 10:48:30 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 93FA5A1ED9E for ; Tue, 27 Oct 2015 10:48:30 +0000 (UTC) (envelope-from freebsd-security@iaelu.net) Received: from mail.iaelu.net (mail.iaelu.net [IPv6:2001:bc8:3b71:ff01::146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.iaelu.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 2D5B01811 for ; Tue, 27 Oct 2015 10:48:29 +0000 (UTC) (envelope-from freebsd-security@iaelu.net) Received: from [172.16.68.12] (societe.hq.reagi.net [195.110.13.68]) (authenticated bits=0) by mail.iaelu.net (8.15.2/8.15.2) with ESMTPSA id t9RAmPg5002830 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 27 Oct 2015 11:48:25 +0100 (CET) (envelope-from freebsd-security@iaelu.net) Authentication-Results: mail.iaelu.net; dmarc=none header.from=iaelu.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iaelu.net; s=eienni; t=1445942905; bh=aaQ1fPMN67ls4BFQxv5JHIEKpU9S4seLWlMMRFo2q6I=; h=From:Date:Subject:To; b=fapF3o8FgGWRqH9yP1O7a3IPV2kP2NFvYJpUfw4hkLXcr1AkhaB3l/pjeqcgAxCCL 5sl+LOb3UUDUk8W70ENA3ow04jI/K78CTsx9BVM6LDw5l9P44Fxhyh7RIatJwXP1mz VWxUkiJ4xmEuOH8qHW0M9vEWB5Mi/7bV/uGl2BBiaaG9FEijTT7Fu63vI6qtBCVHXS 18yFGgF6go4Ch8nAo82HUSfQIdwyxIgzYgC+hlul8igvTz6rAliku7281b/bOnuj0B 2Ovx1hlVQKb9D7bkKNqtdF/GTnYMYsT45pigDWqS3X3JP2Dwj3kqCsP8MCr8yb9CFb IRO08kKcIi1Hg== From: Guillaume Bibaut Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Tue, 27 Oct 2015 11:48:24 +0100 Subject: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE To: freebsd-security@freebsd.org Message-Id: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\)) X-Mailer: Apple Mail (2.3096.5) X-Virus-Scanned: clamav-milter 0.98.7 at mail.iaelu.net X-Virus-Status: Clean X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 10:48:30 -0000 Hello, I=E2=80=99ve been applying NTP patches successfully recently, but when I = try to compile once patches applied, the make fails badly on ntp = folders. I=E2=80=99ve tried to download FreeBSD 10.2-RELEASE sources, and to = reapply patches since that release to be up to date, but the compilation = fails in the same folder: # make -j 10 buildworld [=E2=80=A6] --- depend_subdir_ntp --- = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/rc_cmdlength.c:2:10: = fatal error: 'rc_cmdlength.h' file not found #include ^ 1 error generated. [=E2=80=A6] when I get in this folder: /usr/src/usr.sbin/ntp/ntpd, then type 'make = depend' or 'make' # make clean rm -f .version version.c ntpd cmd_args.o ntp_config.o ntp_control.o = ntp_crypto.o ntp_filegen.o ntp_io.o ntp_leapsec.o ntp_loopfilter.o = ntp_monitor.o ntp_parser.o ntp_peer.o ntp_proto.o ntp_refclock.o = ntp_request.o ntp_restrict.o ntp_scanner.o ntp_signd.o ntp_timer.o = ntp_util.o ntpd-opts.o ntpd.o rc_cmdlength.o refclock_acts.o = refclock_arbiter.o refclock_arc.o refclock_as2201.o refclock_atom.o = refclock_bancomm.o refclock_chronolog.o refclock_chu.o refclock_conf.o = refclock_datum.o refclock_dumbclock.o refclock_fg.o refclock_gpsdjson.o = refclock_gpsvme.o refclock_heath.o refclock_hopfpci.o refclock_hopfser.o = refclock_hpgps.o refclock_irig.o refclock_jjy.o refclock_jupiter.o = refclock_leitch.o refclock_local.o refclock_nmea.o refclock_neoclock4x.o = refclock_oncore.o refclock_palisade.o refclock_parse.o refclock_pcf.o = refclock_pst.o refclock_ripencc.o refclock_shm.o refclock_tpro.o = refclock_true.o refclock_tsyncpci.o refclock_tt560.o refclock_ulink.o = refclock_wwv.o refclock_wwvb.o refclock_zyfer.o version.o # make depend sh -e /usr/src/usr.sbin/ntp/ntpd/../scripts/mkver ntpd Version rm -f .depend mkdep -f .depend -a = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/pthreads/include= -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/unix/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/sntp/libopts = -I/usr/src/usr.sbin/ntp/ntpd/../ -I/usr/src/usr.sbin/ntp/ntpd = -DSYS_FREEBSD -DPARSE -DHAVE_CONFIG_H -DOPENSSL = -DUSE_OPENSSL_CRYPTO_RAND -DAUTOKEY -std=3Dgnu99 = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/cmd_args.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_config.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_control.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_crypto.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_filegen.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_io.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_leapsec.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_loopfilter.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_monitor.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_parser.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_peer.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_proto.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_refclock.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_request.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_restrict.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_scanner.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_signd.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_timer.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_util.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntpd-opts.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntpd.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/rc_cmdlength.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_acts.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_arbiter.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_arc.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_as2201.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_atom.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_bancomm.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_chronolog.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_chu.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_conf.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_datum.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_dumbclock.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_fg.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_gpsdjson.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_gpsvme.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_heath.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_hopfpci.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_hopfser.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_hpgps.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_irig.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_jjy.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_jupiter.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_leitch.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_local.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_nmea.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_neoclock4x.c= /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_oncore.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_palisade.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_parse.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_pcf.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_pst.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_ripencc.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_shm.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_tpro.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_true.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_tsyncpci.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_tt560.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_ulink.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_wwv.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_wwvb.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/refclock_zyfer.c = version.c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_control.c:31:10: = fatal error: 'rc_cmdlength.h' file not found #include ^ 1 error generated. = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/rc_cmdlength.c:2:10: = fatal error: 'rc_cmdlength.h' file not found #include ^ 1 error generated. mkdep: compile failed *** Error code 1 Stop. make: stopped in /usr/src/usr.sbin/ntp/ntpd # make cc -O2 -pipe -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/pthreads/include= -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/unix/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/sntp/libopts = -I/usr/src/usr.sbin/ntp/ntpd/../ -I/usr/src/usr.sbin/ntp/ntpd = -DSYS_FREEBSD -DPARSE -DHAVE_CONFIG_H -DOPENSSL = -DUSE_OPENSSL_CRYPTO_RAND -DAUTOKEY -std=3Dgnu99 -Qunused-arguments = -fstack-protector -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int = -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value = -Wno-parentheses-equality -Wno-unused-function -Wno-enum-conversion = -Wno-switch -Wno-switch-enum -Wno-knr-promoted-parameter = -Wno-parentheses -c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/cmd_args.c -o = cmd_args.o cc -O2 -pipe -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/pthreads/include= -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/unix/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/sntp/libopts = -I/usr/src/usr.sbin/ntp/ntpd/../ -I/usr/src/usr.sbin/ntp/ntpd = -DSYS_FREEBSD -DPARSE -DHAVE_CONFIG_H -DOPENSSL = -DUSE_OPENSSL_CRYPTO_RAND -DAUTOKEY -std=3Dgnu99 -Qunused-arguments = -fstack-protector -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int = -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value = -Wno-parentheses-equality -Wno-unused-function -Wno-enum-conversion = -Wno-switch -Wno-switch-enum -Wno-knr-promoted-parameter = -Wno-parentheses -c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_config.c -o = ntp_config.o cc -O2 -pipe -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/pthreads/include= -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/lib/isc/unix/include = -I/usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/sntp/libopts = -I/usr/src/usr.sbin/ntp/ntpd/../ -I/usr/src/usr.sbin/ntp/ntpd = -DSYS_FREEBSD -DPARSE -DHAVE_CONFIG_H -DOPENSSL = -DUSE_OPENSSL_CRYPTO_RAND -DAUTOKEY -std=3Dgnu99 -Qunused-arguments = -fstack-protector -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int = -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value = -Wno-parentheses-equality -Wno-unused-function -Wno-enum-conversion = -Wno-switch -Wno-switch-enum -Wno-knr-promoted-parameter = -Wno-parentheses -c = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_control.c -o = ntp_control.o = /usr/src/usr.sbin/ntp/ntpd/../../../contrib/ntp/ntpd/ntp_control.c:31:10: = fatal error: 'rc_cmdlength.h' file not found #include ^ 1 error generated. *** Error code 1 Stop. make: stopped in /usr/src/usr.sbin/ntp/ntpd Did I miss anything ? Accordingly, Guillaume BIBAUT= From owner-freebsd-security@freebsd.org Tue Oct 27 11:46:45 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1F147A1F919 for ; Tue, 27 Oct 2015 11:46:45 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (oslo.ath.cx [IPv6:2a01:4f8:200:42e4::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D976F1175 for ; Tue, 27 Oct 2015 11:46:44 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (localhost [IPv6:::1]) by oslo.ath.cx (Postfix) with ESMTP id 8E7A413D8; Tue, 27 Oct 2015 12:46:42 +0100 (CET) Date: Tue, 27 Oct 2015 12:46:42 +0100 From: "Herbert J. Skuhra" To: Guillaume Bibaut Cc: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151027114642.GA7848@oslo.ath.cx> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> User-Agent: Mutt/1.5.24+24 (41af5a753d6f) (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 11:46:45 -0000 On Tue, Oct 27, 2015 at 11:48:24AM +0100, Guillaume Bibaut wrote: > Hello, > > I’ve been applying NTP patches successfully recently, but when I try > to compile once patches applied, the make fails badly on ntp folders. > I’ve tried to download FreeBSD 10.2-RELEASE sources, and to reapply > patches since that release to be up to date, but the compilation fails > in the same folder: > > # make -j 10 buildworld > […] Did the patch apply cleanly? Or do you have some *.rej files in the source tree? Somehow I don't manage to do this. Does the build complete if you do: # svnlite co https://svn.freebsd.org/base/releng/10.2/ src # cd src # make -j 10 buildworld -- Herbert From owner-freebsd-security@freebsd.org Tue Oct 27 12:36:01 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4A4418E94 for ; Tue, 27 Oct 2015 12:36:01 +0000 (UTC) (envelope-from freebsd-security@iaelu.net) Received: from mail.iaelu.net (mail.iaelu.net [IPv6:2001:bc8:3b71:ff01::146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.iaelu.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id F05821FBF for ; Tue, 27 Oct 2015 12:36:00 +0000 (UTC) (envelope-from freebsd-security@iaelu.net) Received: from [172.16.68.12] (societe.hq.reagi.net [195.110.13.68]) (authenticated bits=0) by mail.iaelu.net (8.15.2/8.15.2) with ESMTPSA id t9RCZv15007792 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 27 Oct 2015 13:35:57 +0100 (CET) (envelope-from freebsd-security@iaelu.net) Authentication-Results: mail.iaelu.net; dmarc=none header.from=iaelu.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iaelu.net; s=eienni; t=1445949357; bh=8Vydltm+Aaw8KA0bQgZOvgd8is0/AGbnljJ75BY/CdA=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=d+J0N5TrJDceIV3dGb4ifH2IbS2p3pzWEx3JFygl8OeZvi5whRnK9JVbPnOzbiccm 9tiO1JknrQ5JbvNZGWbHgwVc6uoLAm5WLhNJg5nWzI0hnDi0nkjdOUHFu38MEoItJy DR2Cp7g4PR0CFgGKjIEuv1xAH1XD6cSEMVnr0WnKHpFiJ2/K11Aw8U4SyyOaoZUMjm 2l2xCLYUYGZkDZttbyWG2lGrCT4YOYn3wO4Z/92ck82jV9JKca0LUc6YalIh4GbJlh UsGldramos8HXqrb24pRhCRjsxVxPWhAsNA6ombwiwxUzGDhtFf3MYAh0sdwy2qj2r ZvJuPwsLC5Ktg== Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\)) Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE From: Guillaume Bibaut In-Reply-To: <20151027114642.GA7848@oslo.ath.cx> Date: Tue, 27 Oct 2015 13:35:56 +0100 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> To: "Herbert J. Skuhra" X-Mailer: Apple Mail (2.3096.5) X-Virus-Scanned: clamav-milter 0.98.7 at mail.iaelu.net X-Virus-Status: Clean X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 12:36:01 -0000 > Le 27 oct. 2015 =C3=A0 12:46, Herbert J. Skuhra = a =C3=A9crit : >=20 > On Tue, Oct 27, 2015 at 11:48:24AM +0100, Guillaume Bibaut wrote: >> Hello, >>=20 >> I=E2=80=99ve been applying NTP patches successfully recently, but = when I try >> to compile once patches applied, the make fails badly on ntp folders. >> I=E2=80=99ve tried to download FreeBSD 10.2-RELEASE sources, and to = reapply >> patches since that release to be up to date, but the compilation = fails >> in the same folder: >>=20 >> # make -j 10 buildworld >> [=E2=80=A6] >=20 > Did the patch apply cleanly? Or do you have some *.rej files in the > source tree? Somehow I don't manage to do this. >=20 > Does the build complete if you do: >=20 > # svnlite co https://svn.freebsd.org/base/releng/10.2/ src > # cd src > # make -j 10 buildworld >=20 > --=20 > Herbert > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" >=20 Here is what I=E2=80=99ve done: cd /usr mv src src-bak mkdir src cd # src.txz is the tarball for FreeBSD 10.2-RELEASE sources tar =E2=80=94unlink -xvpJf src.txz -C / cd /usr/src # for all patches since 10.2-RELEASE (taking shortcuts here because I = don=E2=80=99t want to spam) patch Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1BDAEA1E77C for ; Tue, 27 Oct 2015 12:59:24 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (oslo.ath.cx [IPv6:2a01:4f8:200:42e4::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D7B621F2A for ; Tue, 27 Oct 2015 12:59:23 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (localhost [IPv6:::1]) by oslo.ath.cx (Postfix) with ESMTP id CB86D144D; Tue, 27 Oct 2015 13:59:13 +0100 (CET) Date: Tue, 27 Oct 2015 13:59:13 +0100 From: "Herbert J. Skuhra" To: Guillaume Bibaut Cc: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151027125913.GB7848@oslo.ath.cx> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> User-Agent: Mutt/1.5.24+24 (41af5a753d6f) (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 12:59:24 -0000 On Tue, Oct 27, 2015 at 01:35:56PM +0100, Guillaume Bibaut wrote: > > > Le 27 oct. 2015 à 12:46, Herbert J. Skuhra a écrit : > > > > On Tue, Oct 27, 2015 at 11:48:24AM +0100, Guillaume Bibaut wrote: > >> Hello, > >> > >> I’ve been applying NTP patches successfully recently, but when I try > >> to compile once patches applied, the make fails badly on ntp folders. > >> I’ve tried to download FreeBSD 10.2-RELEASE sources, and to reapply > >> patches since that release to be up to date, but the compilation fails > >> in the same folder: > >> > >> # make -j 10 buildworld > >> […] > > > > Did the patch apply cleanly? Or do you have some *.rej files in the > > source tree? Somehow I don't manage to do this. > > > > Does the build complete if you do: > > > > # svnlite co https://svn.freebsd.org/base/releng/10.2/ src > > # cd src > > # make -j 10 buildworld > > > > -- > > Herbert > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > > > Here is what I’ve done: > cd /usr > mv src src-bak > mkdir src > cd > # src.txz is the tarball for FreeBSD 10.2-RELEASE sources > tar —unlink -xvpJf src.txz -C / > cd /usr/src > # for all patches since 10.2-RELEASE (taking shortcuts here because I don’t want to spam) > patch patch > For this last patch, I’m getting some question from the patch command about 2 files that are in some test folder, telling they are reversed or something like that, assumes yes per default. > After the patch, here is what looks like my /usr/src folder: > > # ls -al > total 1167 > [...] > > > So there are 2 files marked .rej, but I think it’s the ones from the reversed messages during the patch command, and there are also quite a few files that get into the /usr/src folder, I just do not understand why. > I’ve only applied patches just like it’s adviced in the security advisories. I had the same issue. > I guess that checking out releng/10.2 and compiling it would succeed, because it’s a clean pull, but I’m not sure that releng/10.2 and applying patches to 10.2-RELEASE is the same. Check https://www.freebsd.org/releng/ : releng/10.2 | Frozen | security-officer@ | FreeBSD 10.2 supported errata fix branch. So I would say it's the same: release + security fixes. -- Herbert From owner-freebsd-security@freebsd.org Tue Oct 27 13:15:20 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2F562A1ECA7 for ; Tue, 27 Oct 2015 13:15:20 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (oslo.ath.cx [IPv6:2a01:4f8:200:42e4::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EB3201AA0 for ; Tue, 27 Oct 2015 13:15:19 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (localhost [IPv6:::1]) by oslo.ath.cx (Postfix) with ESMTP id 93BE6145E; Tue, 27 Oct 2015 14:15:17 +0100 (CET) Date: Tue, 27 Oct 2015 14:15:17 +0100 From: "Herbert J. Skuhra" To: Guillaume Bibaut Cc: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151027131517.GC7848@oslo.ath.cx> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20151027125913.GB7848@oslo.ath.cx> User-Agent: Mutt/1.5.24+24 (41af5a753d6f) (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 13:15:20 -0000 On Tue, Oct 27, 2015 at 01:59:13PM +0100, Herbert J. Skuhra wrote: > >> I guess that checking out releng/10.2 and compiling it would >> succeed, because it’s a clean pull, but I’m not sure that releng/10.2 >> and applying patches to 10.2-RELEASE is the same > > Check https://www.freebsd.org/releng/ : > > releng/10.2 | Frozen | security-officer@ | FreeBSD 10.2 supported errata fix branch. > > So I would say it's the same: release + security fixes. Sorry, I am wrong. ENs are also included in releng. -- Herbert From owner-freebsd-security@freebsd.org Tue Oct 27 15:01:51 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CD544A1FB3F for ; Tue, 27 Oct 2015 15:01:51 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (oslo.ath.cx [144.76.166.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8FEAC1395 for ; Tue, 27 Oct 2015 15:01:51 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (localhost [IPv6:::1]) by oslo.ath.cx (Postfix) with ESMTP id 773881530 for ; Tue, 27 Oct 2015 16:01:44 +0100 (CET) Date: Tue, 27 Oct 2015 16:01:44 +0100 From: "Herbert J. Skuhra" To: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151027150144.GD7848@oslo.ath.cx> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20151027125913.GB7848@oslo.ath.cx> User-Agent: Mutt/1.5.24+24 (41af5a753d6f) (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 15:01:51 -0000 On Tue, Oct 27, 2015 at 01:59:13PM +0100, Herbert J. Skuhra wrote: > On Tue, Oct 27, 2015 at 01:35:56PM +0100, Guillaume Bibaut wrote: > > > > > Le 27 oct. 2015 à 12:46, Herbert J. Skuhra a écrit : > > > > > > On Tue, Oct 27, 2015 at 11:48:24AM +0100, Guillaume Bibaut wrote: > > >> Hello, > > >> > > >> I’ve been applying NTP patches successfully recently, but when I try > > >> to compile once patches applied, the make fails badly on ntp folders. > > >> I’ve tried to download FreeBSD 10.2-RELEASE sources, and to reapply > > >> patches since that release to be up to date, but the compilation fails > > >> in the same folder: > > >> > > >> # make -j 10 buildworld > > >> […] > > > > > > Did the patch apply cleanly? Or do you have some *.rej files in the > > > source tree? Somehow I don't manage to do this. > > > > > > Does the build complete if you do: > > > > > > # svnlite co https://svn.freebsd.org/base/releng/10.2/ src > > > # cd src > > > # make -j 10 buildworld > > > > > > -- > > > Herbert > > > _______________________________________________ > > > freebsd-security@freebsd.org mailing list > > > https://lists.freebsd.org/mailman/listinfo/freebsd-security > > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > > > > > > Here is what I’ve done: > > cd /usr > > mv src src-bak > > mkdir src > > cd > > # src.txz is the tarball for FreeBSD 10.2-RELEASE sources > > tar —unlink -xvpJf src.txz -C / > > cd /usr/src > > # for all patches since 10.2-RELEASE (taking shortcuts here because I don’t want to spam) > > patch > patch Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C2E5CA1F122 for ; Tue, 27 Oct 2015 15:21:20 +0000 (UTC) (envelope-from freebsd-security@iaelu.net) Received: from mail.iaelu.net (mail.iaelu.net [IPv6:2001:bc8:3b71:ff01::146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.iaelu.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 58B661E90 for ; Tue, 27 Oct 2015 15:21:20 +0000 (UTC) (envelope-from freebsd-security@iaelu.net) Received: from [172.16.68.12] (societe.hq.reagi.net [195.110.13.68]) (authenticated bits=0) by mail.iaelu.net (8.15.2/8.15.2) with ESMTPSA id t9RFLH6r005382 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 27 Oct 2015 16:21:17 +0100 (CET) (envelope-from freebsd-security@iaelu.net) Authentication-Results: mail.iaelu.net; dmarc=none header.from=iaelu.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iaelu.net; s=eienni; t=1445959278; bh=FcHc5OcnMDm6mgHoyaG3HzLV33arxTeCj/vT3HUsJbk=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=Vtz6lAVlyqtqCViITngBgoWPL+KY4tvXgcNPkoRk2q3n3QcMDApLTmTcdrOWl6gth /Q05HmOI/EpdiGjOyeZTS23oze3eTv6TLpzb1RV57q4m2eQ7pUUKQ9ipAa3As4P1ft z+ZK6XsFftQD1zExypqz35MflG/3TAM1hoMJcd9qhXaETBOZcY/KEB+Ws+xaiLmGtj tKijUv+cNS2sAqxvWG4jvQhu6/NJ5G8oy6VtFeJJtYs2E22aJW72N8S9kqEouqRwPg RNARWYUd9qkq0JM2jGD0WJ3XEKX4aHNQxlZFg62ILP06F3lWmQw3CRHsw+QXaKe8/D GnX/XD+MKPpBg== Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\)) Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE From: Guillaume Bibaut In-Reply-To: <20151027150144.GD7848@oslo.ath.cx> Date: Tue, 27 Oct 2015 16:21:16 +0100 Cc: freebsd-security@freebsd.org Message-Id: References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> To: "Herbert J. Skuhra" X-Mailer: Apple Mail (2.3096.5) X-Virus-Scanned: clamav-milter 0.98.7 at mail.iaelu.net X-Virus-Status: Clean Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 15:21:20 -0000 Ok thank you for that. As far as I know, the SA does not mention 'patch -p0'. Shouldn=E2=80=99t = this be mentioned? Or does it mean every SA or EN have to be applied this way ? I=E2=80=99m just wondering so that I can do it right next time. -- Guillaume > Le 27 oct. 2015 =C3=A0 16:01, Herbert J. Skuhra = a =C3=A9crit : >=20 > On Tue, Oct 27, 2015 at 01:59:13PM +0100, Herbert J. Skuhra wrote: >> On Tue, Oct 27, 2015 at 01:35:56PM +0100, Guillaume Bibaut wrote: >>>=20 >>>> Le 27 oct. 2015 =C3=A0 12:46, Herbert J. Skuhra = a =C3=A9crit : >>>>=20 >>>> On Tue, Oct 27, 2015 at 11:48:24AM +0100, Guillaume Bibaut wrote: >>>>> Hello, >>>>>=20 >>>>> I=E2=80=99ve been applying NTP patches successfully recently, but = when I try >>>>> to compile once patches applied, the make fails badly on ntp = folders. >>>>> I=E2=80=99ve tried to download FreeBSD 10.2-RELEASE sources, and = to reapply >>>>> patches since that release to be up to date, but the compilation = fails >>>>> in the same folder: >>>>>=20 >>>>> # make -j 10 buildworld >>>>> [=E2=80=A6] >>>>=20 >>>> Did the patch apply cleanly? Or do you have some *.rej files in the >>>> source tree? Somehow I don't manage to do this. >>>>=20 >>>> Does the build complete if you do: >>>>=20 >>>> # svnlite co https://svn.freebsd.org/base/releng/10.2/ src >>>> # cd src >>>> # make -j 10 buildworld >>>>=20 >>>> --=20 >>>> Herbert >>>> _______________________________________________ >>>> freebsd-security@freebsd.org mailing list >>>> https://lists.freebsd.org/mailman/listinfo/freebsd-security >>>> To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" >>>>=20 >>>=20 >>> Here is what I=E2=80=99ve done: >>> cd /usr >>> mv src src-bak >>> mkdir src >>> cd >>> # src.txz is the tarball for FreeBSD 10.2-RELEASE sources >>> tar =E2=80=94unlink -xvpJf src.txz -C / >>> cd /usr/src >>> # for all patches since 10.2-RELEASE (taking shortcuts here because = I don=E2=80=99t want to spam) >>> patch >> patch =20 > OK, with 'patch -p0 < /path/to/ntp-102.patch' I get only >=20 > ./usr.sbin/ntp/doc/ntp.conf.5.rej > ./usr.sbin/ntp/doc/sntp.8.rej > ./usr.sbin/ntp/doc/ntpd.8.rej > ./usr.sbin/ntp/doc/ntpq.8.rej > ./usr.sbin/ntp/doc/ntpdc.8.rej > ./usr.sbin/ntp/doc/ntp-keygen.8.rej > ./usr.sbin/ntp/doc/ntp.keys.5.rej >=20 > and buildworld completes. >=20 > --=20 > Herbert > _______________________________________________ > freebsd-security@freebsd.org = mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security = > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org = " From owner-freebsd-security@freebsd.org Tue Oct 27 23:01:13 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2D7AFA1FA7A for ; Tue, 27 Oct 2015 23:01:13 +0000 (UTC) (envelope-from robtsgt@sgt.com) Received: from diablo.sgt.com (diablo.SGT.COM [204.107.130.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "diablo.sgt.com", Issuer "SGT Certificate Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id CDDBF123A; Tue, 27 Oct 2015 23:01:12 +0000 (UTC) (envelope-from robtsgt@sgt.com) Received: from w245.sgt.com (w245.sgt.com [192.168.1.245]) by diablo.sgt.com (8.15.2/8.15.2) with ESMTPS id t9RMpAP6080322 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 27 Oct 2015 22:51:13 GMT (envelope-from robtsgt@sgt.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sgt.com; s=tyiovccnntkuduv0ufufynlc0uskpdsgt; t=1445986273; bh=S3C4SbyeHm5eD8qIAXb8V8FNh0NaEQgnyzfYq42PDXQ=; h=Subject:Mime-Version:Content-Type:From:In-Reply-To:Date: Content-Transfer-Encoding:References:To; b=qRL4Ogyg0aRFsubauojVlCDr4Hvv1roPhXcphpUBvJRl5trIq8LLaJtKiWhwwoy9x 06VG2NP1jVdnJB8XPoqVPsfZ75BP06L+TEqvR3ILz/DTOGE4UoSG1fdCKXvNfT9aEA tYA7vnIyPmGP9X3qXYRG4O8MqbLM7ZJg2z/dUl00= Message-Id: <201510272251.t9RMpAP6080322@sgt.com> Received: from sgtlaptop1-en1.sgt.com (sgtlaptop1-en1.sgt.com [192.168.1.42]) (authenticated bits=0) by w245.sgt.com (8.15.2/8.15.2) with ESMTPSA id t9RMpAZQ040738 (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO); Tue, 27 Oct 2015 22:51:10 GMT (envelope-from robtsgt@sgt.com) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp Mime-Version: 1.0 (Apple Message framework v1085) Content-Type: text/plain; charset=us-ascii From: Robert Sargent In-Reply-To: <201510261236.t9QCa2cm044240@think.nginx.com> Date: Tue, 27 Oct 2015 18:51:09 -0400 Cc: FreeBSD Security Advisories , cy@FreeBSD.org Content-Transfer-Encoding: quoted-printable References: <201510261236.t9QCa2cm044240@think.nginx.com> To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.1085) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (diablo.sgt.com [192.168.1.202]); Tue, 27 Oct 2015 22:51:13 +0000 (UTC) X-Virus-Scanned: clamav-milter 0.98.7 at diablo.sgt.com X-Virus-Status: Clean X-Mailman-Approved-At: Tue, 27 Oct 2015 23:36:33 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Oct 2015 23:01:13 -0000 there is a simple workaround if you don't want to or can't reboot your = machines: install the ntp pkg=20 pkg install ntp and add the following line to /etc/rc.conf =20 ntpd_program=3D"/usr/local/sbin/ntpd" then kill the original /usr/sbin/ntpd process and run this command: /etc/rc.d/ntpd start Rob -- Robert Sargent "We must be willing to get rid of the life we've planned, so as to have = the life that is waiting for us." Joseph Campbell On Oct 26, 2015, at 8:36 AM, FreeBSD Security Advisories wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D FreeBSD-SA-15:25.ntp Security = Advisory The FreeBSD = Project Topic: Multiple vulnerabilities of ntp Category: contrib Module: ntp Announced: 2015-10-26 Credits: Network Time Foundation Affects: All supported versions of FreeBSD. Corrected: 2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE) 2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6) 2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23) 2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE) 2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29) CVE Name: CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, = CVE-2015-7704, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, = CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, = CVE-2015-7855, CVE-2015-7871 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/. I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol = (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and 10.1 are not affected. If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an = unusual long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply = returning a failure condition. [CVE-2015-7855] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) = that may cause it to crash, with the hypothetical possibility of a small code injection. [CVE-2015-7854] A negative value for the datalen parameter will overflow a data buffer. NTF's ntpd(8) driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this) then ntpd would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd the attacker could effect a code injection attack. [CVE-2015-7853] If an attacker can figure out the precise moment that ntpq(8) is = listening for data and the port number it is listening on or if the attacker can provide a malicious instance ntpd(8) that victims will connect to then = an attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852] If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop. [CVE-2015-7850]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration. If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected thru the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848]. The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets. If ntpd(8) is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory. [CVE-2015-7701]. The default configuration of ntpd(8) within FreeBSD does not use autokey. If ntpd(8) is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it's possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files. [CVE-2015-5196]. The default configuration of ntpd(8) within FreeBSD does not allow remote configuration An ntpd(8) client that honors Kiss-of-Death responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. [CVE-2015-7704] The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. [CVE-2015-7702]. The default configuration of ntpd(8) within FreeBSD does not use autokey. III. Impact An attacker which can send NTP packets to ntpd(8), which uses = cryptographic authentication of NTP data, may be able to inject malicious time data causing the system clock to be set incorrectly. [CVE-2015-7871] An attacker which can send NTP packets to ntpd(8), can block the communication of the daemon with time servers, causing the system clock not being synchronized. [CVE-2015-7704] An attacker which can send NTP packets to ntpd(8), can remotely crash the daemon, sending malicious data packet. [CVE-2015-7855] = [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848] An attacker which can send NTP packets to ntpd(8), can remotely trigger the daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196] IV. Workaround No workaround is available, but systems not running ntpd(8) are not affected. Network administrators are advised to implement BCP-38, which helps to reduce risk associated with the attacks. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. The ntpd service has to be restarted after the update. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install The ntpd service has to be restarted after the update. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.2] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 # bunzip2 ntp-102.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc # gpg --verify ntp-102.patch.asc [FreeBSD 10.1] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2 # bunzip2 ntp-101.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc # gpg --verify ntp-101.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2 # bunzip2 ntp-93.patch.bz2 # fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc # gpg --verify ntp-93.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # find contrib/ntp -type f -empty -delete c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html. d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is = recommended, which can be done with help of the mergemaster(8) tool on 9.3-RELEASE = and with help of the etcupdate(8) tool on 10.1-RELEASE. Restart the ntpd(8) daemon, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path = Revision - = ------------------------------------------------------------------------- stable/9/ = r289998 releng/9.3/ = r290001 stable/10/ = r289997 releng/10.1/ = r290000 releng/10.2/ = r289999 - = ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: https://svnweb.freebsd.org/base?view=3Drevision&revision=3DNNNNNN VII. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7701 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7702 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7703 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7848 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7849 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7850 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7851 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7852 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7853 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7854 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7855 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-7871 The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWLhOJAAoJEO1n7NZdz2rn91wP/2GwEt1boNQq2a7nYzv/mS5D sYKkIi7o+2yr2BLXvtc3O7c9QC3/YeGsza9DTRqndcY572SWvRgtkFstMTTm8IV/ RVlIE40gVR3tex0zo7BiD7uKUrxWxWcpwMbE5dzlE+vSybyyj0dSSkwUHJjrbJoA RmyNuEEUhQn5sRCg6qJv/PLp2G7BcYAasKScukjm7QnLP2kq/tvM9mcqwfh2tadM 7kbf8uq+ykvsRzctaDnxQaB5+zJxBQYJjBelxQfIkNek0XGfdj3sRwISeFznbllq mOLTIBaFiuEtHtusO7MKKavMgS5CQJOvuuvd/l3NY1MnxC6X/1SWig9KIKDIn/hv q8dsnq7LLx+tO6Cv4Dub7EbC2ZP3xXGOC4Ie02z8bTZnbX7iwyPUidQQqtU9ra15 rxzFcZnBxu+yyMNJVsV2qVV/r9OycgKxWlEELC1wYrK9fKfvLdA5aEGjDeU1Z+s6 JS2zKr0t4F2bMrCsjYP1lQD8sHkCVjwJk+IJU/slcwSajDjBNlMH0yBxGYE1ETIZ qMF7/PAkLe8V78pdYmXw9pcaPyhI+ihPLnNrdhX8AI2RX5jDK7IuUNJeUM04UrVB 8N+mMwgamcuCPWNNyXaL0bz21fexZOuhHmU+B8Yn3SFX5O5b/r9gGvrjo8ei8jOk EUlBT3ViDhHNrI7PTaiI =3DdjPm -----END PGP SIGNATURE----- _______________________________________________ freebsd-security-notifications@freebsd.org mailing list = https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications To unsubscribe, send any mail to = "freebsd-security-notifications-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Wed Oct 28 11:39:22 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E465AA1F94F for ; Wed, 28 Oct 2015 11:39:21 +0000 (UTC) (envelope-from matthew@freebsd.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 89DC115F7 for ; Wed, 28 Oct 2015 11:39:21 +0000 (UTC) (envelope-from matthew@freebsd.org) Received: from ox-dell39.ox.adestra.com (no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged)) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.2/8.15.2) with ESMTPSA id t9SBcshj025782 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Wed, 28 Oct 2015 11:39:11 GMT (envelope-from matthew@freebsd.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=freebsd.org DKIM-Filter: OpenDKIM Filter v2.10.3 smtp.infracaninophile.co.uk t9SBcshj025782 Authentication-Results: smtp.infracaninophile.co.uk/t9SBcshj025782; dkim=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged) claimed to be ox-dell39.ox.adestra.com Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp To: freebsd-security@freebsd.org References: <201510261236.t9QCa2cm044240@think.nginx.com> <201510272251.t9RMpAP6080322@sgt.com> From: Matthew Seaman X-Enigmail-Draft-Status: N1110 Message-ID: <5630B3CC.2060505@freebsd.org> Date: Wed, 28 Oct 2015 11:38:52 +0000 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <201510272251.t9RMpAP6080322@sgt.com> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="NjTDsHeA1gXcMEHGXJdtMwJsW7lHvnw0q" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.5 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-Mailman-Approved-At: Wed, 28 Oct 2015 12:06:55 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Oct 2015 11:39:22 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --NjTDsHeA1gXcMEHGXJdtMwJsW7lHvnw0q Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 10/27/15 22:51, Robert Sargent via freebsd-security wrote: > there is a simple workaround if you don't want to or can't reboot your = machines: install the ntp pkg=20 >=20 > pkg install ntp >=20 > and add the following line to /etc/rc.conf =20 >=20 > ntpd_program=3D"/usr/local/sbin/ntpd" >=20 > then kill the original /usr/sbin/ntpd process and run this command: >=20 > /etc/rc.d/ntpd start This is very frustrating. Installing the ntp package as above will give you a working ntpd the first time you start it. But attempting to restart ntpd after that will result in the same sort of SEGV as seen with the ntpd from freebsd-update. So far I've found that ntp-4.2.8p3 or above -- whether installed via freebsd-updates or via package -- installed on 10.1-RELEASE-p14 or 10.2-RELEASE-p{3,4,5} will startup and run at most one time (presumably, that's one time between successive system reboots, but I haven't tested that.) Worse: it seems you get at most one successful startup out of both of those variants together. Exactly the same ntp package installed on 10.2-STABLE built yesterday will run perfectly well, and restart just fine. Similarly the base ntpd in 10.2-STABLE runs and restarts just fine. Cheers, Matthew --NjTDsHeA1gXcMEHGXJdtMwJsW7lHvnw0q Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWMLPMAAoJEABRPxDgqeTnhWkP/1f4uAOpu56EeK+Q/D9MY3ya BX5JfgMdZRo2GWfU1jE7r2LM8YsVTAPcBPCQk0UehvqJ55i5YUAsFWbbQws0niLv MjsVupNsmfr8LtY0tWn5jdzLlynPeLFx6OQRIufTRcmPIPuBxYiAyZtJNP/lGBif SUDMu3dh/Z32WtSmODJsHXM195njcrSt40H4sCaxABKHzvi9JLAnSQOD/Th7l+y2 4Zffg7hpCdqRItr0k+XH+wMvjobFxISY+pKHptjqv8y+YkzntWkwGwAuMNsG2YpA vCLbAES0JbP7n+y+/ecrB35L7E/oJeoxRSg+9Tov040Bdr+epYU2hlPSMoIVU6vl yHFtZ8m2s+4dJxCrXXXkqIZLje04KIx3EbI5O8FBWZVsppgc4MV9ito+yKNJZu/h 9mGtXGkUx9JoijmArVeSQ/pMOvWQy9U0wV6wUu0LzEfqkh+SRTGDX43Cz8VIXmt/ Fe7p1cshmz5NyA29MUfpHlSbhLH5im0yqdnCbUnduQVJ5Ygp0owRb9KwMRuFizYO 7/HtxmnH2bLSX1Fj3+aqweYw2RS7UaKhPM4grHRPKpALdasCjNURU874tHy3QMoi 4D4j53sBJmxQBr/+nWrUz3c1VB7HpSjQ/ey8ZUjjFT37MdCFW33qDRFO2b+2TeKd LXzTB9GzkD7ddfRWa5/Y =9BZX -----END PGP SIGNATURE----- --NjTDsHeA1gXcMEHGXJdtMwJsW7lHvnw0q-- From owner-freebsd-security@freebsd.org Fri Oct 30 08:24:15 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B4199A2074E for ; Fri, 30 Oct 2015 08:24:15 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 78A2C1508 for ; Fri, 30 Oct 2015 08:24:15 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id B9EA32A47; Fri, 30 Oct 2015 08:24:07 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 95CF8A660; Fri, 30 Oct 2015 09:24:03 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Guillaume Bibaut Cc: "Herbert J. Skuhra" , freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> Date: Fri, 30 Oct 2015 09:24:03 +0100 In-Reply-To: (Guillaume Bibaut's message of "Tue, 27 Oct 2015 16:21:16 +0100") Message-ID: <86wpu4bw7w.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 08:24:15 -0000 Guillaume Bibaut writes: > Herbert J. Skuhra writes: > > OK, with 'patch -p0 < /path/to/ntp-102.patch' I get only [...] > As far as I know, the SA does not mention 'patch -p0'. Shouldn=E2=80=99t = this > be mentioned? BSD patch(1) assumes -p0. GNU patch(1) does not. I assume Herbert is used to GNU patch(1) and used -p0 out of habit. It is harmless, but not necessary. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Fri Oct 30 10:18:19 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 95155A207DD for ; Fri, 30 Oct 2015 10:18:19 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (oslo.ath.cx [144.76.166.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5BD7F1934 for ; Fri, 30 Oct 2015 10:18:19 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (localhost [IPv6:::1]) by oslo.ath.cx (Postfix) with ESMTP id 6EECF142A; Fri, 30 Oct 2015 11:18:11 +0100 (CET) Date: Fri, 30 Oct 2015 11:18:11 +0100 From: "Herbert J. Skuhra" To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= Cc: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151030101811.GA27206@oslo.ath.cx> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> <86wpu4bw7w.fsf@desk.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <86wpu4bw7w.fsf@desk.des.no> User-Agent: Mutt/1.5.24+24 (41af5a753d6f) (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 10:18:19 -0000 On Fri, Oct 30, 2015 at 09:24:03AM +0100, Dag-Erling Smørgrav wrote: > Guillaume Bibaut writes: > > Herbert J. Skuhra writes: > > > OK, with 'patch -p0 < /path/to/ntp-102.patch' I get only [...] > > As far as I know, the SA does not mention 'patch -p0'. Shouldn’t this > > be mentioned? > > BSD patch(1) assumes -p0. GNU patch(1) does not. I assume Herbert is > used to GNU patch(1) and used -p0 out of habit. It is harmless, but not > necessary. I simply tried '-p0' because the instructions in the SA didn't work at all! With '-p0' I end up with a src tree that builds at least (only a few man pages failed to patch). Tested on stable/10 and head. % fetch ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.2-RELEASE/src.txz % fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 % tar xfJ src.txz % bunzip2 ntp-102.patch.bz2 % cd usr/src Apply the patches from the other SAs (doesn't make any difference). They apply cleanly. % patch < ../../ntp-102.patch A lot of *.c, *.h and *.orig files are created in the wrong place! So can anyone confirm that the ntp patches in the SA are correct and we are just too stupid to use patch? Thanks. -- Herbert From owner-freebsd-security@freebsd.org Fri Oct 30 10:28:09 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E7CC9A20AD4 for ; Fri, 30 Oct 2015 10:28:09 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from host64.kissl.de (host64.kissl.de [213.239.241.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "*.shmhost.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A74CD1DBD for ; Fri, 30 Oct 2015 10:28:09 +0000 (UTC) (envelope-from franco@lastsummer.de) Received: from localhost (localhost.localdomain [127.0.0.1]) by host64.kissl.de (Postfix) with ESMTP id B86D5B07E85; Fri, 30 Oct 2015 11:28:06 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at host64.kissl.de Received: from host64.kissl.de ([127.0.0.1]) by localhost (host64.kissl.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id InKtjcKB_7Hu; Fri, 30 Oct 2015 11:28:06 +0100 (CET) Received: from [10.0.100.2] (ip5f5ad30f.dynamic.kabel-deutschland.de [95.90.211.15]) (Authenticated sender: web104p1) by host64.kissl.de (Postfix) with ESMTPSA id 94150B07E84; Fri, 30 Oct 2015 11:28:06 +0100 (CET) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE From: Franco Fichtner In-Reply-To: <20151030101811.GA27206@oslo.ath.cx> Date: Fri, 30 Oct 2015 11:28:05 +0100 Cc: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= , freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <2B49DF34-2500-48FA-83F8-0D81EB5A0A84@lastsummer.de> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> <86wpu4bw7w.fsf@desk.des.no> <20151030101811.GA27206@oslo.ath.cx> To: "Herbert J. Skuhra" X-Mailer: Apple Mail (2.2104) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 10:28:10 -0000 I had a similar issue with git-format-patch and git-am (on 10.1) where the generated patch output was mangled or could not be imported = correctly. I ended up omitting the actual text patch extraction by going directly = to the git objects with git-cherry-pick. No idea how to fix this though, sorry. > On 30 Oct 2015, at 11:18 am, Herbert J. Skuhra = wrote: >=20 > On Fri, Oct 30, 2015 at 09:24:03AM +0100, Dag-Erling Sm=C3=B8rgrav = wrote: >> Guillaume Bibaut writes: >>> Herbert J. Skuhra writes: >>>> OK, with 'patch -p0 < /path/to/ntp-102.patch' I get only [...] >>> As far as I know, the SA does not mention 'patch -p0'. Shouldn=E2=80=99= t this >>> be mentioned? >>=20 >> BSD patch(1) assumes -p0. GNU patch(1) does not. I assume Herbert = is >> used to GNU patch(1) and used -p0 out of habit. It is harmless, but = not >> necessary. >=20 > I simply tried '-p0' because the instructions in the SA didn't work at > all! With '-p0' I end up with a src tree that builds at least (only a > few man pages failed to patch). Tested on stable/10 and head. >=20 > % fetch = ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.2-RELEASE/src.txz > % fetch = https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 > % tar xfJ src.txz > % bunzip2 ntp-102.patch.bz2 > % cd usr/src >=20 > Apply the patches from the other SAs (doesn't make any difference). = They > apply cleanly. >=20 > % patch < ../../ntp-102.patch >=20 > A lot of *.c, *.h and *.orig files are created in the wrong place! >=20 > So can anyone confirm that the ntp patches in the SA are correct and = we > are just too stupid to use patch? >=20 > Thanks. >=20 > --=20 > Herbert > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@freebsd.org Fri Oct 30 10:29:10 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C3B8A20B87 for ; Fri, 30 Oct 2015 10:29:10 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from cell.glebius.int.ru (glebius.int.ru [81.19.69.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "cell.glebius.int.ru", Issuer "cell.glebius.int.ru" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id A86EE1EBE for ; Fri, 30 Oct 2015 10:29:08 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from cell.glebius.int.ru (localhost [127.0.0.1]) by cell.glebius.int.ru (8.15.2/8.15.2) with ESMTPS id t9UAT4O9062419 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 30 Oct 2015 13:29:04 +0300 (MSK) (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by cell.glebius.int.ru (8.15.2/8.15.2/Submit) id t9UAT4Oh062418; Fri, 30 Oct 2015 13:29:04 +0300 (MSK) (envelope-from glebius@FreeBSD.org) X-Authentication-Warning: cell.glebius.int.ru: glebius set sender to glebius@FreeBSD.org using -f Date: Fri, 30 Oct 2015 13:29:03 +0300 From: Gleb Smirnoff To: "Herbert J. Skuhra" Cc: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151030102903.GT97830@glebius.int.ru> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> <86wpu4bw7w.fsf@desk.des.no> <20151030101811.GA27206@oslo.ath.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20151030101811.GA27206@oslo.ath.cx> User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 10:29:10 -0000 Herbert, On Fri, Oct 30, 2015 at 11:18:11AM +0100, Herbert J. Skuhra wrote: H> On Fri, Oct 30, 2015 at 09:24:03AM +0100, Dag-Erling Smørgrav wrote: H> > Guillaume Bibaut writes: H> > > Herbert J. Skuhra writes: H> > > > OK, with 'patch -p0 < /path/to/ntp-102.patch' I get only [...] H> > > As far as I know, the SA does not mention 'patch -p0'. Shouldn’t this H> > > be mentioned? H> > H> > BSD patch(1) assumes -p0. GNU patch(1) does not. I assume Herbert is H> > used to GNU patch(1) and used -p0 out of habit. It is harmless, but not H> > necessary. H> H> I simply tried '-p0' because the instructions in the SA didn't work at H> all! With '-p0' I end up with a src tree that builds at least (only a H> few man pages failed to patch). Tested on stable/10 and head. H> H> % fetch ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.2-RELEASE/src.txz H> % fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 H> % tar xfJ src.txz H> % bunzip2 ntp-102.patch.bz2 H> % cd usr/src H> H> Apply the patches from the other SAs (doesn't make any difference). They H> apply cleanly. H> H> % patch < ../../ntp-102.patch H> H> A lot of *.c, *.h and *.orig files are created in the wrong place! H> H> So can anyone confirm that the ntp patches in the SA are correct and we H> are just too stupid to use patch? What does patch -v say for you? -- Totus tuus, Glebius. From owner-freebsd-security@freebsd.org Fri Oct 30 10:32:23 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 414FEA20DD6 for ; Fri, 30 Oct 2015 10:32:23 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 0CA8F118A for ; Fri, 30 Oct 2015 10:32:22 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id D636A2C12 for ; Fri, 30 Oct 2015 10:32:21 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id BE3AFA673; Fri, 30 Oct 2015 11:32:17 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: freebsd-security@freebsd.org Subject: segfault in ntpd Date: Fri, 30 Oct 2015 11:32:17 +0100 Message-ID: <86bnbgbqa6.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 10:32:23 -0000 Can those of you who are experiencing this bug on 10 please try to build and run a kernel from head@287591 or newer (with your 10 userland) and report back? # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head # cd /tmp/head # make buildkernel KERNCONF=3DGENERIC # make installkernel KERNCONF=3DGENERIC KODIR=3D/boot/head # nextboot -k head # shutdown -r now DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Fri Oct 30 10:39:55 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 56E4BA2104C for ; Fri, 30 Oct 2015 10:39:55 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (oslo.ath.cx [144.76.166.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1C9CF1515; Fri, 30 Oct 2015 10:39:54 +0000 (UTC) (envelope-from herbert@oslo.ath.cx) Received: from oslo.ath.cx (localhost [IPv6:::1]) by oslo.ath.cx (Postfix) with ESMTP id 539BC144F; Fri, 30 Oct 2015 11:39:53 +0100 (CET) Date: Fri, 30 Oct 2015 11:39:53 +0100 From: "Herbert J. Skuhra" To: Gleb Smirnoff Cc: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= , freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE Message-ID: <20151030103953.GB27206@oslo.ath.cx> References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> <86wpu4bw7w.fsf@desk.des.no> <20151030101811.GA27206@oslo.ath.cx> <20151030102903.GT97830@glebius.int.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20151030102903.GT97830@glebius.int.ru> User-Agent: Mutt/1.5.24+24 (41af5a753d6f) (2015-08-30) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 10:39:55 -0000 On Fri, Oct 30, 2015 at 01:29:03PM +0300, Gleb Smirnoff wrote: > Herbert, > > On Fri, Oct 30, 2015 at 11:18:11AM +0100, Herbert J. Skuhra wrote: > H> On Fri, Oct 30, 2015 at 09:24:03AM +0100, Dag-Erling Smørgrav wrote: > H> > Guillaume Bibaut writes: > H> > > Herbert J. Skuhra writes: > H> > > > OK, with 'patch -p0 < /path/to/ntp-102.patch' I get only [...] > H> > > As far as I know, the SA does not mention 'patch -p0'. Shouldn’t this > H> > > be mentioned? > H> > > H> > BSD patch(1) assumes -p0. GNU patch(1) does not. I assume Herbert is > H> > used to GNU patch(1) and used -p0 out of habit. It is harmless, but not > H> > necessary. > H> > H> I simply tried '-p0' because the instructions in the SA didn't work at > H> all! With '-p0' I end up with a src tree that builds at least (only a > H> few man pages failed to patch). Tested on stable/10 and head. > H> > H> % fetch ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.2-RELEASE/src.txz > H> % fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2 > H> % tar xfJ src.txz > H> % bunzip2 ntp-102.patch.bz2 > H> % cd usr/src > H> > H> Apply the patches from the other SAs (doesn't make any difference). They > H> apply cleanly. > H> > H> % patch < ../../ntp-102.patch > H> > H> A lot of *.c, *.h and *.orig files are created in the wrong place! > H> > H> So can anyone confirm that the ntp patches in the SA are correct and we > H> are just too stupid to use patch? > > What does patch -v say for you? stable/10 (r290017): % patch -v patch 2.0-12u10 FreeBSD head (r289783): % patch -v patch 2.0-12u11 FreeBSD -- Herbert From owner-freebsd-security@freebsd.org Fri Oct 30 10:46:57 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 48728A213F0 for ; Fri, 30 Oct 2015 10:46:57 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 0DED21BF0 for ; Fri, 30 Oct 2015 10:46:56 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 9D8C62C48; Fri, 30 Oct 2015 10:46:53 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id AA438A677; Fri, 30 Oct 2015 11:46:51 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: "Herbert J. Skuhra" Cc: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <20151027114642.GA7848@oslo.ath.cx> <4043BA45-F5A5-4218-93F2-C320DE65EB6D@iaelu.net> <20151027125913.GB7848@oslo.ath.cx> <20151027150144.GD7848@oslo.ath.cx> <86wpu4bw7w.fsf@desk.des.no> <20151030101811.GA27206@oslo.ath.cx> Date: Fri, 30 Oct 2015 11:46:51 +0100 In-Reply-To: <20151030101811.GA27206@oslo.ath.cx> (Herbert J. Skuhra's message of "Fri, 30 Oct 2015 11:18:11 +0100") Message-ID: <867fm4bplw.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 10:46:57 -0000 "Herbert J. Skuhra" writes: > So can anyone confirm that the ntp patches in the SA are correct and we > are just too stupid to use patch? I looked at the SA-15:25 patch, and it is incorrect. I will work with the so@ to get correct patches released. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Fri Oct 30 15:40:43 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 190C2A2087A for ; Fri, 30 Oct 2015 15:40:43 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id D4CDA1E63 for ; Fri, 30 Oct 2015 15:40:42 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 050ED2FAE; Fri, 30 Oct 2015 15:40:39 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 1A549A69D; Fri, 30 Oct 2015 16:40:36 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Guillaume Bibaut Cc: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> Date: Fri, 30 Oct 2015 16:40:36 +0100 In-Reply-To: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> (Guillaume Bibaut's message of "Tue, 27 Oct 2015 11:48:24 +0100") Message-ID: <86pozwicuj.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 15:40:43 -0000 Please try these patches instead: https://people.freebsd.org/~des/SA-15:25/ DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Fri Oct 30 17:23:09 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 345A4A22104 for ; Fri, 30 Oct 2015 17:23:09 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3cd3:cd67:fafa:3d78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.infracaninophile.co.uk", Issuer "infracaninophile.co.uk" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C6E56131F for ; Fri, 30 Oct 2015 17:23:08 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from zero-gravitas.local (no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged)) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.15.2/8.15.2) with ESMTPSA id t9UHMvJX094189 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Fri, 30 Oct 2015 17:22:57 GMT (envelope-from matthew@FreeBSD.org) Authentication-Results: smtp.infracaninophile.co.uk; dmarc=none header.from=FreeBSD.org DKIM-Filter: OpenDKIM Filter v2.10.3 smtp.infracaninophile.co.uk t9UHMvJX094189 Authentication-Results: smtp.infracaninophile.co.uk/t9UHMvJX094189; dkim=none; dkim-atps=neutral X-Authentication-Warning: lucid-nonsense.infracaninophile.co.uk: Host no-reverse-dns.metronet-uk.com [85.199.232.226] (may be forged) claimed to be zero-gravitas.local Subject: Re: segfault in ntpd To: freebsd-security@freebsd.org References: <86bnbgbqa6.fsf@desk.des.no> From: Matthew Seaman Message-ID: <5633A728.7000904@FreeBSD.org> Date: Fri, 30 Oct 2015 17:21:44 +0000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <86bnbgbqa6.fsf@desk.des.no> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="3oGN0v363aKSPxEcvxlOPrHfIBrSNQILU" X-Virus-Scanned: clamav-milter 0.98.7 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on lucid-nonsense.infracaninophile.co.uk X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Oct 2015 17:23:09 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --3oGN0v363aKSPxEcvxlOPrHfIBrSNQILU Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 2015/10/30 10:32, Dag-Erling Sm=C3=B8rgrav wrote: > Can those of you who are experiencing this bug on 10 please try to buil= d > and run a kernel from head@287591 or newer (with your 10 userland) and > report back? >=20 > # svnlite co svn://svn.freebsd.org/base/head@287591 /tmp/head > # cd /tmp/head > # make buildkernel KERNCONF=3DGENERIC > # make installkernel KERNCONF=3DGENERIC KODIR=3D/boot/head > # nextboot -k head > # shutdown -r now >=20 > DES >=20 Hi, Dag-Erling, I'm not able to reboot machines where I've seen this crash right now, but I can report: * Can't reproduce the problem in a VirtualBox VM running 10.2-RELEASE-p6 amd64. * But I can get a back trace after compiling the 10.2-RELEASE-p6 sources and a core dump from one of the machines where the problem happen= s: (gdb) bt full #0 mutex_lock_common (m=3D0x801c33100, abstime=3D0x0, cvattach=3D0) at atomic.h:143 No locals. #1 0x0000000801263557 in __sfp () at /usr/src/lib/libc/stdio/findfp.c:14= 8 n =3D fp =3D g =3D #2 0x00000008012470ab in _BIG5_mbrtowc (pwc=3D, s=3D, n=3DCannot access memory at address 0x1 ) at /usr/src/lib/libc/locale/big5.c:113 wc =3D #3 0x0000000801211cc0 in serv_unmarshal_func (buffer=3D0x801c33100 "", buffer_size=3D0, retval=3D0x8014c6130, ap=3D0x18b95, cache_mdata=3D) at /usr/src/lib/libc/net/getservent.c:1071 serv =3D (struct servent *) 0x0 orig_buf =3D 0x802031040 "0aL\001\b" orig_buf_size =3D ret_errno =3D p =3D alias =3D #4 0x0000000801234cff in _nsdispatch (retval=3D0x7fffdfdfca70, disp_tab=3D0x801498680, database=3D0x80126de7c "\"%s\", \"%s\")...\n"= , method_name=3D0x80126de24 ".conf", defaults=3D0x2) at /usr/src/lib/libc/net/nsdispatch.c:541 ap =3D {{gp_offset =3D 48, fp_offset =3D 48, overflow_arg_area =3D 0x7fffdfdfca38, reg_save_area =3D 0x7fffdfdfc87= 0}} mdata =3D (void *) 0x80126ddfc cache_data =3D {key =3D 0x17d0
, key_size =3D 34369025376, info =3D 0x7fffdfdfc9e0} isthreaded =3D 1 serrno =3D 22 result =3D st =3D fb_method =3D srclist =3D srclistsize =3D cache_flag =3D method =3D saved_depth =3D #5 0x0000000801213121 in nis_setservent (result=3D0x801c33100, mdata=3D, ap=3D0x0) at /usr/src/lib/libc/net/getservent.c:812 st =3D (struct nis_state *) 0x0 st =3D (struct nis_state *) 0x0 st =3D (struct nis_state *) 0x0 st =3D (struct nis_state *) 0x0 rv =3D #6 0x0000000801213029 in files_setservent (retval=3D0x801c33100, mdata=3D, ap=3D) at /usr/src/lib/libc/net/getservent.c:451 st =3D (struct files_state *) 0x1 st =3D (struct files_state *) 0x1 st =3D (struct files_state *) 0x1 st =3D (struct files_state *) 0x1 st =3D (struct files_state *) 0x1 st =3D (struct files_state *) 0x1 st =3D (struct files_state *) 0x1 rv =3D f =3D 0 #7 0x000000080120f373 in _dns_getaddrinfo (rv=3D, ---Type to continue, or q to quit--- cb_data=3D, ap=3D) at /usr/src/lib/libc/net/getaddrinfo.c:2266 sentinel =3D {ai_flags =3D 3, ai_family =3D 0, ai_socktype =3D 21716848,= ai_protocol =3D 8, ai_addrlen =3D 21795400, ai_canonname =3D 0x8014c613= 0 "", ai_addr =3D 0x802031040, ai_next =3D 0x2} q =3D {next =3D 0x7fffdfdfc690, name =3D 0x800b11e08 "E\211.1??P1?\2135y= j!", qclass =3D -538982744, qtype =3D 32767, answer =3D 0x801c06c00 "\225\21= 3\001", anslen =3D 11616604, n =3D 8} q2 =3D {next =3D 0x8014b5f80, name =3D 0x801213590 "D$\020L\211D$\bH\211\f$H\2155}S(", qclass =3D -538982832, qtype =3D 32767, answer =3D 0x800b12a85 "\203??", anslen =3D 101269, n = =3D 0} cur =3D (struct addrinfo *) 0x3 pai =3D hostname =3D res =3D ai =3D #8 0x000000080120ca61 in strcspn (s=3D0x801c33100 "", charset=3D) at /usr/src/lib/libc/string/strcspn.= c:59 tbl =3D {34393355264, 34389385984, 34389386167, 34389386056} bit =3D s1 =3D #9 0x0000000000478a86 in blocking_getaddrinfo (c=3D0x801c66700, req=3D0x801c46300) at /usr/src/usr.sbin/ntp/libntp/../../../contrib/ntp/libntp/ntp_intres.c:352= ai_res =3D (struct addrinfo *) 0x0 node =3D 0x7fffdfdfcbe8 "\002" service =3D 0xc
worker_ctx =3D (dnsworker_ctx *) 0x80200e060 resp_octets =3D Cannot access memory at address 0x600 (gdb) Cheers, Matthew --3oGN0v363aKSPxEcvxlOPrHfIBrSNQILU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQJ8BAEBCgBmBQJWM6dwXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxOUYxNTRFQ0JGMTEyRTUwNTQ0RTNGMzAw MDUxM0YxMEUwQTlFNEU3AAoJEABRPxDgqeTnzRcP/i7bptsQ844SBaqjSqbzuh3f jbSm+1C8vRX5yH/UDfTr7q+eFmNxN1+hYBAcDP123OrPTG8ScmMZTM3ZBfau3r2E XtZxxrc0Vw6K4Utlqtf2vQQuDPVrt3RQe2T8Et/U4LrqPU5pxDF/LuOk7KnmiKct NFljZegm2Wng/mU+JGgCmn6Tn2SzG8Zf9LVyOxucQKRIq1g9K/6nagL2TfC3CnsO nBvrw/KMhdsqdyc9o5OUGwc+JldEnVOgvXO4DNOwg2MPgPnZA3vpMOAzvpOYDJZv ++aXz+Cw2XtUQ0NmBJovpk4O5FJPnGcUNS+R4vWumnHONBl9ZrPHDkC9NcApdZSB zjgKFQ5kiTBXhKVcJMZVjAm96dZgMRh2hFx3V29WdcrFwc87sQmI6h7IAqQpMF8G ql0B0oR2T0iBMMmvOFQwCPAYn6EYJfE/84BG66DhnOOdHoCIluJf5Rg0pfk//UZl 1HNl5Lh/d+D2MWp94c5vHDsNCzDFo/pasyVrR8nNNsNviyF1JxFkB6DSOcBRmijg WYyvptjx2Bcqi3LuMBlhU27ZGlz0QnHmZs86KMflLgql9+yD+n+ESuM2Zl7x7qed 44Otlbp75zFmD/DxxpS0LSlVhdiVFnacQAE4+/sHa1JXZWDIiiZYTAfyJhtkbp0J m45s4JzAIUgbFkrCG82R =8ZWf -----END PGP SIGNATURE----- --3oGN0v363aKSPxEcvxlOPrHfIBrSNQILU-- From owner-freebsd-security@freebsd.org Sat Oct 31 23:13:10 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F0DDDA22AC3 for ; Sat, 31 Oct 2015 23:13:10 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id B5D961A82 for ; Sat, 31 Oct 2015 23:13:10 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 8D6992042 for ; Sat, 31 Oct 2015 23:13:00 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 5A67EA7F8; Sun, 1 Nov 2015 00:12:58 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: freebsd-security@freebsd.org Subject: Re: Compilation problem since SA-15:25 for FreeBSD 10.2-RELEASE References: <4D69BAFF-7447-4A1F-ABB8-686CA34090F3@iaelu.net> <86pozwicuj.fsf@desk.des.no> Date: Sun, 01 Nov 2015 00:12:58 +0100 In-Reply-To: <86pozwicuj.fsf@desk.des.no> ("Dag-Erling =?utf-8?Q?Sm=C3=B8r?= =?utf-8?Q?grav=22's?= message of "Fri, 30 Oct 2015 16:40:36 +0100") Message-ID: <86wpu21vk5.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Oct 2015 23:13:11 -0000 Dag-Erling Sm=C3=B8rgrav writes: > Please try these patches instead: > > https://people.freebsd.org/~des/SA-15:25/ Some people have had issues with these patches due to mismatched $FreeBSD$ tags. I have uploaded a new set which should work for everyone. I have tested them on releng/* from right before SA-15:25 and on release/* with the previous NTP advisories (14:31 and 15:07) applied. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no