[Bug 1812458] Re: Sync ntpsec 1.1.3+dfsg1-1 (universe) from Debian sid (main)

Richard Laager rlaager at wiktel.com
Sat Jan 19 02:27:20 UTC 2019 

I've attached debdiffs for Bionic and Cosmic. This involved adding the
three patches from upstream and running `quilt refresh` on each to get
rid of the offset/fuzz.

I successfully built this in a PPA:
https://launchpad.net/~rlaager/+archive/ubuntu/ntpsec/+packages

I installed the Bionic version from that PPA and it works.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1812458

Title:
  Sync ntpsec 1.1.3+dfsg1-1 (universe) from Debian sid (main)

Status in ntpsec package in Ubuntu:
  Confirmed

Bug description:
  For the sync request:

  I believe disco currently has 1.1.2+dfsg1-6. (packages.ubuntu.com is
  broken, so it's harder than normal for me to tell.) There are no
  Ubuntu changes for ntpsec in disco. 1.1.3+dfsg1-1 is the immediate
  next release in Debian.

  ntpsec (1.1.3+dfsg1-1) unstable; urgency=high

    * New upstream version (Closes: 919513)
      - Lots of typo fixes, documentation cleanups, test targets.
      - CVE-2019-6442: "An authenticated attacker can write one byte out of
        bounds in ntpd via a malformed config request, related to
        config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
        yyerror in ntp_parser.y."
      - CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
        buffer over-read in read_sysvars in ntp_control.c in ntpd.
      - CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
        buffer over-read because attacker-controlled data is dereferenced by
        ntohl() in ntpd."
      - CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
        dereference and ntpd crash in ntp_control.c, related to ctl_getitem."
    * Drop debian/patches/fix-ntploggps.patch (merged upstream)
    * Refresh patches
    * Revert "Use python3-gps"
      At this time, python3-gps is only available in experimental.
    * Disable the waf PYTHON_GPS check
    * Update debian/copyright
    * Fix ntpdate.8 documentation of -B
    * Changes as of ntp_4.2.8p12+dfsg-3 have been merged as appropriate:
      - Update ntpdate.8 from ntpdate.html
        Thanks to Bernhard Schmidt <berni at debian.org>
      - Update ntpdate.README.Debian
        Thanks to Bernhard Schmidt <berni at debian.org>
      - As a notable exception, while the ntp package has removed the ntpdate
        hooks, I have not (yet?) done so in ntpsec.
    * Set Rules-Requires-Root: no
    * Sort debian/ntpsec.maintscript

   -- Richard Laager <rlaager at wiktel.com>  Thu, 17 Jan 2019 04:17:46
  -0600

  ----

  NTPsec < 1.1.3 has the following CVEs:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6442
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6444
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6445

  I am the maintainer of ntpsec in Debian. Debian has 1.1.3.

  Ubuntu needs the following:
  - disco needs a sync from Debian.
  - cosmic needs the patches backported.
  - bionic needs the patches backported.

  I'm happy to do the work.

  BTW, these issues may impact the ntp package too, but I'm not sure
  that anyone (the original report, ntp upstream, or ntp in Debian) has
  evaluated that.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntpsec/+bug/1812458/+subscriptions

More information about the Ubuntu-sponsors mailing list