!72 update to ntp-4.2.8p17

From: @chengyechun 
Reviewed-by: @kircher 
Signed-off-by: @kircher
openeuler-ci-bot 2023-07-24 11:40:28 +00:00 committed by Gitee
commit b8f396ef22
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
9 changed files with 12 additions and 491 deletions

@ -1,31 +0,0 @@
From 082a504cfcc046c3d8adaae1164268bc94e5108a Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sat, 31 Jul 2021 10:51:41 -0700
Subject: [PATCH] libntp: Do not use PTHREAD_STACK_MIN on glibc
In glibc 2.34+ PTHREAD_STACK_MIN is not a compile-time constant which
could mean different stack sizes at runtime on different architectures
and it also causes compile failure. Default glibc thread stack size
or 64Kb set by ntp should be good in glibc these days.
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libntp/work_thread.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libntp/work_thread.c b/libntp/work_thread.c
index 03a5647..3ddd751 100644
--- a/libntp/work_thread.c
+++ b/libntp/work_thread.c
@@ -41,7 +41,7 @@
#ifndef THREAD_MINSTACKSIZE
# define THREAD_MINSTACKSIZE (64U * 1024)
#endif
-#ifndef __sun
+#if !defined(__sun) && !defined(__GLIBC__)
#if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN
# undef THREAD_MINSTACKSIZE
# define THREAD_MINSTACKSIZE PTHREAD_STACK_MIN
--
2.32.0

@ -1,167 +0,0 @@
From ebd64fcbd4f3858b6986ff1a048e3467d96841ab Mon Sep 17 00:00:00 2001
From: Harlen Stenn <stenn@ntp.org>
Date: Sat, 13 May 2023 05:23:33 UTC
Subject: [PATCH] mstolfp:make sure the buffer has enough room for the input extra characters
Conflict:NA
Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
CVE-2023-26552, CVE-2023-26553, and CVE-2023-26554 are marked identical to CVE-2023-26551
https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1
---
include/ntp_fp.h | 4 +-
libntp/mstolfp.c | 109 +++++++++++++++-------------------------
2 files changed, 42 insertions(+), 71 deletions(-)
diff --git a/include/ntp_fp.h b/include/ntp_fp.h
index afd1f82..fe6e390 100644
--- a/include/ntp_fp.h
+++ b/include/ntp_fp.h
@@ -195,9 +195,9 @@ typedef u_int32 u_fp;
do { \
int32 add_f = (int32)(f); \
if (add_f >= 0) \
- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \
+ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \
else \
- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \
+ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \
} while(0)
#define M_ISNEG(v_i) /* v < 0 */ \
diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c
index 3dfc4ef..a428d17 100644
--- a/libntp/mstolfp.c
+++ b/libntp/mstolfp.c
@@ -14,86 +14,57 @@ mstolfp(
l_fp *lfp
)
{
- register const char *cp;
- register char *bp;
- register const char *cpdec;
- char buf[100];
+ int ch, neg = 0;
+ u_int32 q, r;
/*
* We understand numbers of the form:
*
* [spaces][-|+][digits][.][digits][spaces|\n|\0]
*
- * This is one enormous hack. Since I didn't feel like
- * rewriting the decoding routine for milliseconds, what
- * is essentially done here is to make a copy of the string
- * with the decimal moved over three places so the seconds
- * decoding routine can be used.
+ * This is kinda hack. We use 'atolfp' to do the basic parsing
+ * (after some initial checks) and then divide the result by
+ * 1000. The original implementation avoided that by
+ * hacking up the input string to move the decimal point, but
+ * that needed string manipulations prone to buffer overruns.
+ * To avoid that trouble we do the conversion first and adjust
+ * the result.
*/
- bp = buf;
- cp = str;
- while (isspace((unsigned char)*cp))
- cp++;
-
- if (*cp == '-' || *cp == '+') {
- *bp++ = *cp++;
- }
-
- if (*cp != '.' && !isdigit((unsigned char)*cp))
- return 0;
-
-
- /*
- * Search forward for the decimal point or the end of the string.
- */
- cpdec = cp;
- while (isdigit((unsigned char)*cpdec))
- cpdec++;
- /*
- * Found something. If we have more than three digits copy the
- * excess over, else insert a leading 0.
- */
- if ((cpdec - cp) > 3) {
- do {
- *bp++ = (char)*cp++;
- } while ((cpdec - cp) > 3);
- } else {
- *bp++ = '0';
+ while (isspace(ch = *(const unsigned char*)str))
+ ++str;
+ switch (ch) {
+ case '-': neg = TRUE;
+ case '+': ++str;
+ default : break;
}
- /*
- * Stick the decimal in. If we've got less than three digits in
- * front of the millisecond decimal we insert the appropriate number
- * of zeros.
- */
- *bp++ = '.';
- if ((cpdec - cp) < 3) {
- size_t i = 3 - (cpdec - cp);
- do {
- *bp++ = '0';
- } while (--i > 0);
- }
+ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.'))
+ return 0;
+ if (!atolfp(str, lfp))
+ return 0;
- /*
- * Copy the remainder up to the millisecond decimal. If cpdec
- * is pointing at a decimal point, copy in the trailing number too.
+ /* now do a chained/overlapping division by 1000 to get from
+ * seconds to msec. 1000 is small enough to go with temporary
+ * 32bit accus for Q and R.
*/
- while (cp < cpdec)
- *bp++ = (char)*cp++;
-
- if (*cp == '.') {
- cp++;
- while (isdigit((unsigned char)*cp))
- *bp++ = (char)*cp++;
- }
- *bp = '\0';
+ q = lfp->l_ui / 1000u;
+ r = lfp->l_ui - (q * 1000u);
+ lfp->l_ui = q;
- /*
- * Check to make sure the string is properly terminated. If
- * so, give the buffer to the decoding routine.
- */
- if (*cp != '\0' && !isspace((unsigned char)*cp))
- return 0;
- return atolfp(buf, lfp);
+ r = (r << 16) | (lfp->l_uf >> 16);
+ q = r / 1000u;
+ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu);
+ lfp->l_uf = q << 16;
+ q = r / 1000;
+ lfp->l_uf |= q;
+ r -= q * 1000u;
+
+ /* fix sign */
+ if (neg)
+ L_NEG(lfp);
+ /* round */
+ if (r >= 500)
+ L_ADDF(lfp, (neg ? -1 : 1));
+ return 1;
}
--
2.33.0

@ -1,102 +0,0 @@
From 1e6893546c526c0961930b6b60a6aba42692dba9 Mon Sep 17 00:00:00 2001
From: Harlan Stenn <stenn@ntp.org>
Date: Sat, 13 May 2023 05:23:33 UTC
Subject: [PATCH] refclock_palisade:fix an out-of-bounds write in praecis_parse
Conflict:NA
Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
---
ntpd/refclock_palisade.c | 50 ++++++++++++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 7 deletions(-)
diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c
index cb68255..66bfbc8 100644
--- a/ntpd/refclock_palisade.c
+++ b/ntpd/refclock_palisade.c
@@ -1225,9 +1225,9 @@ palisade_poll (
return; /* using synchronous packet input */
if(up->type == CLK_PRAECIS) {
- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0)
+ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) {
msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit);
- else {
+ } else {
praecis_msg = 1;
return;
}
@@ -1249,20 +1249,53 @@ praecis_parse (
pp = peer->procptr;
- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length);
+ if (p + rbufp->recv_length >= sizeof buf) {
+ struct palisade_unit *up;
+ up = pp->unitptr;
+
+ /*
+ * We COULD see if there is a \r\n in the incoming
+ * buffer before it overflows, and then process the
+ * current line.
+ *
+ * Similarly, if we already have a hunk of data that
+ * we're now flushing, that will cause the line of
+ * data we're in the process of collecting to be garbage.
+ *
+ * Since we now check for this overflow and log when it
+ * happens, we're now in a better place to easily see
+ * what's going on and perhaps better choices can be made.
+ */
+
+ /* Do we need to log the size of the overflow? */
+ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow",
+ up->unit);
+
+ p = 0;
+ praecis_msg = 0;
+
+ refclock_report(peer, CEVNT_BADREPLY);
+
+ return;
+ }
+
+ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length);
p += rbufp->recv_length;
- if(buf[p-2] == '\r' && buf[p-1] == '\n') {
+ if ( p >= 2
+ && buf[p-2] == '\r'
+ && buf[p-1] == '\n') {
buf[p-2] = '\0';
record_clock_stats(&peer->srcadr, buf);
p = 0;
praecis_msg = 0;
- if (HW_poll(pp) < 0)
+ if (HW_poll(pp) < 0) {
refclock_report(peer, CEVNT_FAULT);
-
+ }
}
+ return;
}
static void
@@ -1407,7 +1440,10 @@ HW_poll (
/* Edge trigger */
if (up->type == CLK_ACUTIME)
- write (pp->io.fd, "", 1);
+ if (write (pp->io.fd, "", 1) != 1)
+ msyslog(LOG_WARNING,
+ "Palisade(%d) HW_poll: failed to send trigger: %m",
+ up->unit);
if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) {
#ifdef DEBUG
--
2.33.0

@ -1,5 +1,5 @@
--- ntp-4.2.6p5/lib/isc/unix/interfaceiter.c.orig 2018-10-15 15:16:00.414796346 +0800 --- a/libntp/lib/isc/unix/interfaceiter.c 2018-10-15 15:16:00.414796346 +0800
+++ ntp-4.2.6p5/lib/isc/unix/interfaceiter.c 2018-10-15 15:16:26.605794341 +0800 +++ a/libntp/lib/isc/unix/interfaceiter.c 2018-10-15 15:16:26.605794341 +0800
@@ -151,7 +151,7 @@ get_addr(unsigned int family, isc_netadd @@ -151,7 +151,7 @@ get_addr(unsigned int family, isc_netadd
#ifdef __linux #ifdef __linux

@ -1,155 +0,0 @@
From bac29f25f063d3a2a87f2b824179df6fbd54334f Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Fri, 30 Jul 2021 22:26:26 +0800
Subject: [PATCH] Fix multiple defination with gcc 10
---
sntp/tests/run-crypto.c | 2 +-
sntp/tests/run-keyFile.c | 2 +-
sntp/tests/run-kodDatabase.c | 2 +-
sntp/tests/run-kodFile.c | 2 +-
sntp/tests/run-networking.c | 2 +-
sntp/tests/run-packetHandling.c | 2 +-
sntp/tests/run-packetProcessing.c | 2 +-
sntp/tests/run-t-log.c | 2 +-
sntp/tests/run-utilities.c | 2 +-
tests/libntp/test-libntp.h | 5 ++++-
10 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/sntp/tests/run-crypto.c b/sntp/tests/run-crypto.c
index a486f86..5d7d02e 100644
--- a/sntp/tests/run-crypto.c
+++ b/sntp/tests/run-crypto.c
@@ -57,7 +57,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-keyFile.c b/sntp/tests/run-keyFile.c
index 5b25519..4321002 100644
--- a/sntp/tests/run-keyFile.c
+++ b/sntp/tests/run-keyFile.c
@@ -55,7 +55,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-kodDatabase.c b/sntp/tests/run-kodDatabase.c
index 67b7fc2..b591a0b 100644
--- a/sntp/tests/run-kodDatabase.c
+++ b/sntp/tests/run-kodDatabase.c
@@ -58,7 +58,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-kodFile.c b/sntp/tests/run-kodFile.c
index a3af218..96d0075 100644
--- a/sntp/tests/run-kodFile.c
+++ b/sntp/tests/run-kodFile.c
@@ -56,7 +56,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-networking.c b/sntp/tests/run-networking.c
index 1c1364f..3e1b4cd 100644
--- a/sntp/tests/run-networking.c
+++ b/sntp/tests/run-networking.c
@@ -48,7 +48,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-packetHandling.c b/sntp/tests/run-packetHandling.c
index 7790b20..c58380c 100644
--- a/sntp/tests/run-packetHandling.c
+++ b/sntp/tests/run-packetHandling.c
@@ -64,7 +64,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-packetProcessing.c b/sntp/tests/run-packetProcessing.c
index c91a6d3..221c88c 100644
--- a/sntp/tests/run-packetProcessing.c
+++ b/sntp/tests/run-packetProcessing.c
@@ -68,7 +68,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-t-log.c b/sntp/tests/run-t-log.c
index 268bf41..cd835bc 100644
--- a/sntp/tests/run-t-log.c
+++ b/sntp/tests/run-t-log.c
@@ -50,7 +50,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/sntp/tests/run-utilities.c b/sntp/tests/run-utilities.c
index f717882..98d9bf1 100644
--- a/sntp/tests/run-utilities.c
+++ b/sntp/tests/run-utilities.c
@@ -58,7 +58,7 @@ void resetTest(void)
setUp();
}
-char const *progname;
+extern char const *progname;
//=======MAIN=====
diff --git a/tests/libntp/test-libntp.h b/tests/libntp/test-libntp.h
index 93050b3..2f386f6 100644
--- a/tests/libntp/test-libntp.h
+++ b/tests/libntp/test-libntp.h
@@ -1,3 +1,5 @@
+#ifndef TEST_LIBNTP_H
+#define TEST_LIBNTP_H
#include "config.h"
#include "ntp_stdlib.h"
@@ -5,4 +7,5 @@
time_t timefunc(time_t *ptr);
void settime(int y, int m, int d, int H, int M, int S);
-time_t nowtime;
+extern time_t nowtime;
+#endif
--
1.8.3.1

@ -1,25 +0,0 @@
From 0494312d943d70f45e45e8e41f659318e88c8e52 Mon Sep 17 00:00:00 2001
From: chengyechun <chengyechun1@huawei.com>
Date: Tue, 14 Mar 2023 15:16:47 +0800
Subject: [PATCH] modify DSA key generation parameters base on openssl3
---
util/ntp-keygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/ntp-keygen.c b/util/ntp-keygen.c
index eb2cb34..732c073 100644
--- a/util/ntp-keygen.c
+++ b/util/ntp-keygen.c
@@ -121,7 +121,7 @@
#define MD5SIZE 20 /* maximum key size */
#ifdef AUTOKEY
#define PLEN 512 /* default prime modulus size (bits) */
-#define ILEN 256 /* default identity modulus size (bits) */
+#define ILEN 512 /* default identity modulus size (bits) */
#define MVMAX 100 /* max MV parameters */
/*
--
2.27.0

Binary file not shown.

BIN
ntp-4.2.8p17.tar.gz Normal file

Binary file not shown.

@ -1,8 +1,8 @@
%global _hardened_build 1 %global _hardened_build 1
Name: ntp Name: ntp
Version: 4.2.8p15 Version: 4.2.8p17
Release: 11 Release: 1
Summary: A protocol designed to synchronize the clocks of computers over a network Summary: A protocol designed to synchronize the clocks of computers over a network
License: MIT and BSD and BSD with advertising License: MIT and BSD and BSD with advertising
URL: https://www.ntp.org/ URL: https://www.ntp.org/
@ -23,13 +23,8 @@ Source16: sntp.sysconfig
Patch1: ntp-ssl-libs.patch Patch1: ntp-ssl-libs.patch
Patch2: bugfix-fix-bind-port-in-debug-mode.patch Patch2: bugfix-fix-bind-port-in-debug-mode.patch
Patch3: bugfix-fix-ifindex-length.patch Patch3: bugfix-fix-ifindex-length.patch
Patch4: fix-multiple-defination-with-gcc-10.patch Patch4: fix-MD5-manpage.patch
Patch5: Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch Patch5: backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
Patch6: fix-MD5-manpage.patch
Patch7: modify-DSA-key-generation-parameters-base-on-openssl3.patch
Patch8: backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
Patch9: backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
Patch10: backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
@ -212,6 +207,12 @@ make check
%{_mandir}/man8/*.8* %{_mandir}/man8/*.8*
%changelog %changelog
* Fri Jul 21 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p17-1
- Type:enhancement
- ID:
- SUG:NA
- DESC:update to 4.2.8p17
* Wed Jun 21 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-11 * Wed Jun 21 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-11
- Type:bugfix - Type:bugfix
- ID: - ID:
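Review bot: The new patch list drops the two CVE backports (old Patch8 for CVE-2023-26551..26554 and Patch9 for CVE-2023-26555) together with the gcc 10, PTHREAD_STACK_MIN and OpenSSL 3 DSA patches, but the added changelog entry says only `- DESC:update to 4.2.8p17`, so nothing records that each fix was confirmed to be present in the new tarball. Presumably upstream carries the mstolfp and praecis_parse fixes, since the removed patches cite upstream's 3806-3807 patch, but the page does not show the new sources. The `ILEN 512` change in util/ntp-keygen.c and the `!defined(__GLIBC__)` guard in libntp/work_thread.c came from local or upstream-pending patches, so they are the ones most worth checking against the 4.2.8p17 tree. I would extend the entry to something like `- DESC:update to 4.2.8p17, drop backported CVE-2023-26551..26555 fixes and build patches merged upstream`, and keep any patch that turns out not to be upstream.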