From b19a8db3a6948f79f95bb632b7701b37a9cf9fee Mon Sep 17 00:00:00 2001
From: chengyechun
Date: Wed, 24 May 2023 10:58:41 +0800
Subject: [PATCH] change the patch of CVE-2023-26551

---
 ...-26552-CVE-2023-26553-CVE-2023-26554.patch | 178 +++++++++++++++---
 ...ix-out-write-bounds-in-praecis_parse.patch | 102 ++++++++++
 ntp.spec | 9 +-
 3 files changed, 259 insertions(+), 30 deletions(-)
 create mode 100644 backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch

diff --git a/backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch b/backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
index 10aab4e..7f4f3d7 100644
--- a/backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
+++ b/backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
@@ -1,47 +1,167 @@ -From 562c0cc96b42afce4eeef8da8ac315f03e2e99df Mon Sep 17 00:00:00 2001 -From: Miroslva Lichvar -Date: Thu, 20 Apr 2023 08:27:41 PM GMT+0800 +From ebd64fcbd4f3858b6986ff1a048e3467d96841ab Mon Sep 17 00:00:00 2001 +From: Harlen Stenn +Date: Sat, 13 May 2023 05:23:33 UTC Subject: [PATCH] mstolfp:make sure the buffer has enough room for the input extra characters -Reference:https://build.opensuse.org/package/view_file/openSUSE:Factory/ntp/ntp-CVE-2023-26551.patch?expand=1 Conflict:NA +Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch -CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554 are marked identical to CVE-2023-26551 -https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1507034339 +CVE-2023-26552, CVE-2023-26553, and CVE-2023-26554 are marked identical to CVE-2023-26551 +https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1 --- - libntp/mstolfp.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) + include/ntp_fp.h | 4 +- + libntp/mstolfp.c | 109 +++++++++++++++------------------------- + 2 files changed, 42 insertions(+), 71 deletions(-) +diff --git a/include/ntp_fp.h b/include/ntp_fp.h +index afd1f82..fe6e390 100644 +--- a/include/ntp_fp.h ++++ b/include/ntp_fp.h +@@ -195,9 +195,9 @@ typedef u_int32 u_fp; + do { \ + int32 add_f = (int32)(f); \ + if (add_f >= 0) \ +- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \ ++ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \ + else \ +- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \ ++ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \ + } while(0) + + #define M_ISNEG(v_i) /* v < 0 */ \ diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c -index 3dfc4ef..a8defa2 100644 +index 3dfc4ef..a428d17 100644 --- a/libntp/mstolfp.c 
+++ b/libntp/mstolfp.c -@@ -14,7 +14,7 @@ mstolfp( +@@ -14,86 +14,57 @@ mstolfp( l_fp *lfp ) { - register const char *cp; -+ register const char *cp, *end; - register char *bp; - register const char *cpdec; - char buf[100]; -@@ -42,6 +42,15 @@ mstolfp( - if (*cp != '.' && !isdigit((unsigned char)*cp)) - return 0; - -+ /* -+ * Make sure the buffer has enough room for the input string and the -+ * extra characters, in the worst case replacing "." with "0.000" -+ */ -+ end = cp; -+ while (isdigit((unsigned char)*end) || *end == '.') -+ end++; -+ if (end - cp + 4 >= sizeof (buf) - (bp - buf)) -+ return 0; +- register char *bp; +- register const char *cpdec; +- char buf[100]; ++ int ch, neg = 0; ++ u_int32 q, r; /* - * Search forward for the decimal point or the end of the string. + * We understand numbers of the form: + * + * [spaces][-|+][digits][.][digits][spaces|\n|\0] + * +- * This is one enormous hack. Since I didn't feel like +- * rewriting the decoding routine for milliseconds, what +- * is essentially done here is to make a copy of the string +- * with the decimal moved over three places so the seconds +- * decoding routine can be used. ++ * This is kinda hack. We use 'atolfp' to do the basic parsing ++ * (after some initial checks) and then divide the result by ++ * 1000. The original implementation avoided that by ++ * hacking up the input string to move the decimal point, but ++ * that needed string manipulations prone to buffer overruns. ++ * To avoid that trouble we do the conversion first and adjust ++ * the result. + */ +- bp = buf; +- cp = str; +- while (isspace((unsigned char)*cp)) +- cp++; +- +- if (*cp == '-' || *cp == '+') { +- *bp++ = *cp++; +- } +- +- if (*cp != '.' && !isdigit((unsigned char)*cp)) +- return 0; +- +- +- /* +- * Search forward for the decimal point or the end of the string. +- */ +- cpdec = cp; +- while (isdigit((unsigned char)*cpdec)) +- cpdec++; + +- /* +- * Found something. 
If we have more than three digits copy the +- * excess over, else insert a leading 0. +- */ +- if ((cpdec - cp) > 3) { +- do { +- *bp++ = (char)*cp++; +- } while ((cpdec - cp) > 3); +- } else { +- *bp++ = '0'; ++ while (isspace(ch = *(const unsigned char*)str)) ++ ++str; ++ switch (ch) { ++ case '-': neg = TRUE; ++ case '+': ++str; ++ default : break; + } + +- /* +- * Stick the decimal in. If we've got less than three digits in +- * front of the millisecond decimal we insert the appropriate number +- * of zeros. +- */ +- *bp++ = '.'; +- if ((cpdec - cp) < 3) { +- size_t i = 3 - (cpdec - cp); +- do { +- *bp++ = '0'; +- } while (--i > 0); +- } ++ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.')) ++ return 0; ++ if (!atolfp(str, lfp)) ++ return 0; + +- /* +- * Copy the remainder up to the millisecond decimal. If cpdec +- * is pointing at a decimal point, copy in the trailing number too. ++ /* now do a chained/overlapping division by 1000 to get from ++ * seconds to msec. 1000 is small enough to go with temporary ++ * 32bit accus for Q and R. + */ +- while (cp < cpdec) +- *bp++ = (char)*cp++; +- +- if (*cp == '.') { +- cp++; +- while (isdigit((unsigned char)*cp)) +- *bp++ = (char)*cp++; +- } +- *bp = '\0'; ++ q = lfp->l_ui / 1000u; ++ r = lfp->l_ui - (q * 1000u); ++ lfp->l_ui = q; + +- /* +- * Check to make sure the string is properly terminated. If +- * so, give the buffer to the decoding routine. +- */ +- if (*cp != '\0' && !isspace((unsigned char)*cp)) +- return 0; +- return atolfp(buf, lfp); ++ r = (r << 16) | (lfp->l_uf >> 16); ++ q = r / 1000u; ++ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu); ++ lfp->l_uf = q << 16; ++ q = r / 1000; ++ lfp->l_uf |= q; ++ r -= q * 1000u; ++ ++ /* fix sign */ ++ if (neg) ++ L_NEG(lfp); ++ /* round */ ++ if (r >= 500) ++ L_ADDF(lfp, (neg ? -1 : 1)); ++ return 1; + } -- -2.27.0 +2.33.0 + 
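Review bot: The `case '-': neg = TRUE;` label in the new mstolfp switch falls through into `case '+': ++str;` with no marker, so -Wimplicit-fallthrough will flag it and a later maintainer may read it as a missing break; write it as `case '-': neg = TRUE; /* FALLTHROUGH */` to record that consuming the sign is intended. The chained division also mixes `1000u` and bare `1000` (`r = ((r - q * 1000) << 16) | ...` and `q = r / 1000;`), which is harmless for unsigned `r` but worth unifying to `1000u` for consistency with the neighbouring lines. The trailing-garbage check the old buffer-copy code did (`if (*cp != '\0' && !isspace(...)) return 0;`) is now delegated entirely to atolfp, which is not in the hunk; if atolfp tolerates trailing characters the new code is more permissive than before, so that is worth confirming against its definition. The inner patch's `From: Harlen Stenn` header also disagrees with the sibling patch's `Harlan Stenn`, presumably a typo in one of them. The `mstolfp(` signature precedes the hunk, so the function starts outside it.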
diff --git a/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch b/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
new file mode 100644
index 0000000..b28b09d
--- /dev/null
+++ b/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
@@ -0,0 +1,102 @@ +From 1e6893546c526c0961930b6b60a6aba42692dba9 Mon Sep 17 00:00:00 2001 +From: Harlan Stenn +Date: Sat, 13 May 2023 05:23:33 UTC +Subject: [PATCH] refclock_palisade:fix an out-of-bounds write in praecis_parse + +Conflict:NA +Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch + +--- + ntpd/refclock_palisade.c | 50 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 7 deletions(-) + +diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c +index cb68255..66bfbc8 100644 +--- a/ntpd/refclock_palisade.c ++++ b/ntpd/refclock_palisade.c +@@ -1225,9 +1225,9 @@ palisade_poll ( + return; /* using synchronous packet input */ + + if(up->type == CLK_PRAECIS) { +- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) ++ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) { + msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit); +- else { ++ } else { + praecis_msg = 1; + return; + } +@@ -1249,20 +1249,53 @@ praecis_parse ( + + pp = peer->procptr; + +- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length); ++ if (p + rbufp->recv_length >= sizeof buf) { ++ struct palisade_unit *up; ++ up = pp->unitptr; ++ ++ /* ++ * We COULD see if there is a \r\n in the incoming ++ * buffer before it overflows, and then process the ++ * current line. ++ * ++ * Similarly, if we already have a hunk of data that ++ * we're now flushing, that will cause the line of ++ * data we're in the process of collecting to be garbage. ++ * ++ * Since we now check for this overflow and log when it ++ * happens, we're now in a better place to easily see ++ * what's going on and perhaps better choices can be made. ++ */ ++ ++ /* Do we need to log the size of the overflow? 
*/ ++ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow", ++ up->unit); ++ ++ p = 0; ++ praecis_msg = 0; ++ ++ refclock_report(peer, CEVNT_BADREPLY); ++ ++ return; ++ } ++ ++ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length); + p += rbufp->recv_length; + +- if(buf[p-2] == '\r' && buf[p-1] == '\n') { ++ if ( p >= 2 ++ && buf[p-2] == '\r' ++ && buf[p-1] == '\n') { + buf[p-2] = '\0'; + record_clock_stats(&peer->srcadr, buf); + + p = 0; + praecis_msg = 0; + +- if (HW_poll(pp) < 0) ++ if (HW_poll(pp) < 0) { + refclock_report(peer, CEVNT_FAULT); +- ++ } + } ++ return; + } + + static void +@@ -1407,7 +1440,10 @@ HW_poll ( + + /* Edge trigger */ + if (up->type == CLK_ACUTIME) +- write (pp->io.fd, "", 1); ++ if (write (pp->io.fd, "", 1) != 1) ++ msyslog(LOG_WARNING, ++ "Palisade(%d) HW_poll: failed to send trigger: %m", ++ up->unit); + + if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) { + #ifdef DEBUG +-- +2.33.0 + + diff --git a/ntp.spec b/ntp.spec index 945acd8..d2cac5e 100644 --- a/ntp.spec +++ b/ntp.spec @@ -2,7 +2,7 @@ Name: ntp Version: 4.2.8p14 -Release: 7 +Release: 8 Summary: A protocol designed to synchronize the clocks of computers over a network License: MIT and BSD and BSD with advertising URL: https://www.ntp.org/ @@ -26,6 +26,7 @@ Patch3: bugfix-fix-bind-port-in-debug-mode.patch Patch4: bugfix-fix-ifindex-length.patch Patch5: backport-CVE-2020-15025.patch Patch6: backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch +Patch7: backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser 
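Review bot: The new trigger-write check in HW_poll nests an unbraced `if (write (pp->io.fd, "", 1) != 1)` inside the unbraced `if (up->type == CLK_ACUTIME)`, immediately before the `if (ioctl(pp->io.fd, TIOCMSET, &x) < 0)` that follows; that is the shape that invites a dangling-else mistake on the next edit, so brace the outer condition: `if (up->type == CLK_ACUTIME) {` ... `}`. In praecis_parse, the overflow guard `if (p + rbufp->recv_length >= sizeof buf)` compares an integer sum against a `size_t`; if `p` and `recv_length` are signed ints (their declarations are outside the hunk) the sum is converted to unsigned, which still rejects a negative length but will trip -Wsign-compare, so casting explicitly, `(size_t)p + (size_t)rbufp->recv_length >= sizeof buf`, would make the intent clear. The guard itself is correct and conservative: it refuses the message before the memcpy and resets the accumulator, and the added `p >= 2` check removes the `buf[p-2]` underflow for short inputs. Both praecis_parse and HW_poll begin before their hunks, and HW_poll continues past its hunk.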
@@ -209,6 +210,12 @@ make check %{_mandir}/man8/*.8* %changelog +* Wed May 24 2023 chengyechun - 4.2.8p14-8 +- Type:CVE +- ID:CVE-2023-26551,CVE-2023-26552,CVE-2023-26553,CVE-2023-26554,CVE-2023-26555 +- SUG:NA +- DESC:change the patch of CVE-2023-26551 and fix CVE-2023-26555 + * Fri May 12 2023 chengyechun - 4.2.8p14-7 - Type:bugfix - ID:NA -- Gitee