Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Aug 2015 11:24:01 +0200
From: Florian Weimer <>
Subject: Several low impact ntpd issues

Miroslav Lichvár found several low-impact security issues in our ntp
branch, most of which have already been addressed upstream without
noting their security impact.

The first three issues require authentication.  Considering the low
impact and the availability of upstream fixes for most of the issues,
we'd like to make the issues public as soon as possible, unless there
are any objections.

(Impact may be higher if ntpd runs with root privileges.)

* CVE-2015-5194

It was found that ntpd could crash due to an uninitialized variable when
processing malformed logconfig configuration commands, for example:

ntpq -c ":config logconfig a"

Upstream fix:


* CVE-2015-5195

It was found that ntpd exits with a segmentation fault when a statistics
type that was not enabled during compilation (e.g. timingstats) is
referenced by the statistics or filegen configuration command, for example:

ntpq -c ':config statistics timingstats'
ntpq -c ':config filegen timingstats'

Upstream fix:


* CVE-2015-5196

It was found that the :config command can be used to set the pidfile and
driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). For example:

ntpq -c ':config pidfile /tmp/'
ntpq -c ':config driftfile /tmp/ntp.drift'

No upstream fix, but Miroslav wrote the attached patch.

* CVE-2015-5219

It was discovered that sntp would hang in an infinite loop when a
crafted NTP packet was received, related to the conversion of the
precision value in the packet to double.

Upstream fix:

(Reported to the distros list and upstream last week, no request for an
embargo, hence public disclosure.)

Florian Weimer / Red Hat Product Security

View attachment "ntp-remotewrite.patch" of type "text/x-patch" (1727 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.