NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 1144 - limited buffer overflow in ntpq. CVE-2009-0159
Summary: limited buffer overflow in ntpq. CVE-2009-0159
Status: VERIFIED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpq
Version: 4.2.4
Hardware: All All
Importance: P3 normal
Assignee: Harlan Stenn
URL:
Depends on:
Blocks:
 
Reported: 2009-03-30 22:15 UTC by Harlan Stenn
Modified: 2009-10-15 20:29 UTC
CC List: 1 user

See Also:
stenn: blocking4.2.4+


Description Harlan Stenn 2009-03-30 22:15:06 UTC
Impact: Requesting peer information from a malicious remote time server may lead to an unexpected application termination or arbitrary code execution.

Description: A stack buffer overflow exists in the ntpq program. When the ntpq program is used to request peer information from a remote time server, a maliciously crafted response may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

Credit: Apple.

Embargo date: 7 April 2009

Proposed patch:

--- ntpq/ntpq.c~        2006-06-06 13:17:02.000000000 -0700
+++ ntpq/ntpq.c 2008-02-06 12:12:22.000000000 -0800
@@ -3140,9 +3140,9 @@ cookedprint(
                                if (!decodeuint(value, &uval))
                                    output_raw = '?';
                                else {
-                                       char b[10];
+                                       char b[12];

-                                       (void) sprintf(b, "%03lo", uval);
+                                       (void) snprintf(b, sizeof(b), "%03lo",
uval);
                                        output(fp, name, b);
                                }
                                break;
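Review bot: the snprintf bound is what actually removes the overflow; the new size of 12 is still smaller than the longest string "%03lo" can produce for an unsigned long (22 octal digits plus the NUL on a 64-bit build), so a large uval is now silently truncated instead of overflowing, and output() then prints a wrong value. Suggest sizing b for the worst case, e.g. `char b[sizeof(uval) * 3 + 2];`, or checking the snprintf return value against sizeof(b) and falling back to `output_raw = '?';` the way the decodeuint failure path a few lines above already does.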
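The bug description and patch above turn on one question: how many bytes can "%03lo" write for an unsigned long, and is the fixed-size stack buffer big enough? The following is an added C example written for this page, not code from ntpq or the NTP project; the function names (octal_needed, fits_in_original_buffer, format_octal) and the OCTAL_BUF_LEN bound are this example's own. It measures the formatted length without writing anywhere unsafe, shows which values would have exceeded the original 10-byte b[], and demonstrates the hardened pattern from the patch with truncation detection added on top.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on the text "%03lo" can produce for an unsigned long:
   at most 3 octal digits per byte, plus one partial digit, plus the NUL.
   (This bound is an assumption of the example, not a value from the
   ntpq source.) */
#define OCTAL_BUF_LEN (sizeof(unsigned long) * 3 + 2)

/* Bytes, including the terminating NUL, that "%03lo" needs for uval.
   snprintf with a NULL buffer and size 0 only measures; nothing is written. */
size_t octal_needed(unsigned long uval)
{
    return (size_t)snprintf(NULL, 0, "%03lo", uval) + 1;
}

/* 1 if the value would have fit the original 10-byte stack buffer, else 0.
   Anything larger ran past the end of b[] with the unbounded sprintf. */
int fits_in_original_buffer(unsigned long uval)
{
    return octal_needed(uval) <= 10;
}

/* Hardened formatting with truncation detection, the pattern the patch
   introduces (bounded write via snprintf) plus a check of the return value.
   The write is limited to buflen bytes, as sizeof(b) limits it in the patch.
   Returns the formatted string on success, NULL if the output did not fit,
   so the caller can emit '?' or an error instead of a wrong value. */
const char *format_octal(unsigned long uval, size_t buflen)
{
    static char b[OCTAL_BUF_LEN];   /* static: simple to demo, not thread-safe */
    int n;

    if (buflen == 0 || buflen > sizeof(b))
        buflen = sizeof(b);
    n = snprintf(b, buflen, "%03lo", uval);
    if (n < 0 || (size_t)n >= buflen)
        return NULL;                /* would have overflowed / was truncated */
    return b;
}

int main(void)
{
    /* Constructed sample values: small, mid-range, and the largest possible. */
    unsigned long samples[] = { 0, 0777, 0777777777UL, ULONG_MAX };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *s = format_octal(samples[i], 10);   /* original b[10] size */
        printf("%lu needs %zu bytes: %s\n", samples[i],
               octal_needed(samples[i]),
               s ? s : "does not fit in char b[10]");
    }
    return 0;
}
```

Running it shows that values up to nine octal digits fit the original buffer while ULONG_MAX does not, on either 32- or 64-bit builds. The design point is that a bounded write (snprintf with sizeof) stops the memory corruption, but only checking the return value turns a silently truncated number into a detectable error.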
Comment 1 Harlan Stenn 2009-04-09 09:04:22 UTC
The patch for this issue is in 4.2.4p7-RC2.
Comment 2 Steve Kostecke 2009-10-15 16:17:00 UTC
Please mark this bug as VERIFIED if you agree that it is fixed.

Or reopen it if further work is required.