Advisories » MGASA-2015-0348

Updated ntp packages fix security vulnerabilities

Publication date: 08 Sep 2015
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196, CVE-2015-5219

Description

Updated ntp packages fix security vulnerabilities:

A flaw was found in the way ntpd processed certain remote configuration
packets. An attacker could use a specially crafted packet to cause ntpd to
crash if the attacker had authenticated access to remote ntpd configuration
(CVE-2015-5146).

It was found that ntpd could crash due to an uninitialized variable when
processing malformed logconfig configuration commands, for example,
ntpq -c ":config logconfig a" (CVE-2015-5194).

It was found that ntpd exits with a segmentation fault when a statistics
type that was not enabled during compilation (e.g. timingstats) is
referenced by the statistics or filegen configuration command, for example,
ntpq -c ':config statistics timingstats'
ntpq -c ':config filegen timingstats' (CVE-2015-5195).

It was found that the :config command can be used to set the pidfile and
driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). For example,
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift' (CVE-2015-5196).

It was discovered that sntp would hang in an infinite loop when a
crafted NTP packet was received, related to the conversion of the
precision value in the packet to double (CVE-2015-5219).
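
As an added example (not part of the advisory or of the ntp project), the
following Python sketch classifies :config directives that a site has recorded
and reports which of the CVEs above each one matches. The logconfig keyword
grammar and the set of statistics types treated as not compiled in are
assumptions to adjust for the local build, and the sample directives are
constructed.

```python
import re

# Statistics types assumed NOT compiled into the local ntpd build. The advisory
# names timingstats as one example; extend this set as needed (assumption).
UNBUILT_STATS = {"timingstats"}

# logconfig keyword grammar as assumed here from the ntp.conf documentation:
# optional +, - or =, then "all" or <prefix><event class>.
LOGCONFIG_RE = re.compile(
    r"^[+\-=]?(all|(all|clock|peer|sys|sync)(info|events|statistics|status|all))$"
)


def classify(directive):
    """Return the CVE ids from this advisory that a :config directive matches."""
    words = directive.split()
    if words and words[0] == ":config":      # accept the ntpq form used above
        words = words[1:]
    if not words:
        return []
    cmd, args = words[0].lower(), words[1:]
    hits = []
    # Malformed logconfig keyword, e.g. "logconfig a"
    if cmd == "logconfig" and any(not LOGCONFIG_RE.match(a) for a in args):
        hits.append("CVE-2015-5194")
    # statistics takes a list of type names; filegen takes one name first
    names = args if cmd == "statistics" else args[:1] if cmd == "filegen" else []
    if any(n in UNBUILT_STATS for n in names):
        hits.append("CVE-2015-5195")
    # Any remote change of pidfile or driftfile redirects a file write
    if cmd in ("pidfile", "driftfile"):
        hits.append("CVE-2015-5196")
    return hits


def audit(directives):
    """Return (directive, cve_list) pairs for the directives that match."""
    return [(d, classify(d)) for d in directives if classify(d)]


if __name__ == "__main__":
    # Constructed sample input
    sample = [
        ":config logconfig =syncall +clockall",
        ":config logconfig a",
        ":config statistics loopstats timingstats",
        ":config driftfile /tmp/ntp.drift",
    ]
    for directive, cves in audit(sample):
        print(directive, "->", ", ".join(cves))
```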
                
