# NTP: Please advice to locate NTP missing security patches: Sec 2671, Sec 2672 in FreeBSD repository



## JGhosh (Oct 28, 2015)

Hi FreeBSD Team,

Myself JGhosh, an open source developer, working on NTP cherry pick integration
from specific CERT: VU#852879 into a FreeBSD stable/10 private view.

Myself facing one NTP to FreeBSD patch integration issue as two (2671 and 2672) out of eight CERT bugs are still missing integration across all FreeBSD branches, however these two issues are already reportedly fixed and closed in the NTP GitHub/BugZilla (Sec 2671, Sec 2672) as per their commit log and NEWS revision.


Would you please kindly advise me how we can get the missing revisions from NTP bug patches repo into FreeBSD head repository.

Missing NTP to FreeBSD bugs, not found across all the FreeBSD repository:
1. Sec 2671 / CVE-2014-9297 / VU#852879
2. Sec 2672 / CVE-2014-9298 / VU#852879


These above missing bugs as already fixed in NTP original base: GitHub / BugZilla (Sec 2671, Sec 2672) :

Git Logs:

```
1.1. Sec 2671:
$ git log --grep="Sec 2671"
commit 5e08c9af76a5e4214bc8369ddf01ee0e86747b3a
Author:  <stenn@psp-deb1.ntp.org>
Date:   Tue Jan 6 10:01:10 2015 +0000
    [Sec 2671] vallen in extension fields are not validated

commit 158d5aa33f5ce3c10f99cdef364ce8e2cb05c4c5
Author:  <stenn@psp-deb1.ntp.org>
Date:   Sat Jan 3 10:33:57 2015 +0000
    [Sec 2671] vallen in extension fields are not validated

commit 348fc9fa390c7894f589104fbca4d635868b7a45
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 13:14:59 2014 +0000
    [Sec 2671] vallen in extension fields are not validated


1.2. Sec 2672:
$ git log --grep="Sec 2672"
commit e3b048acc50689de3069ff09c272108902d82566
Author:  <stenn@psp-fb1.ntp.org>
Date:   Fri Jan 23 10:29:31 2015 +0000
    [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...

commit 2fb392987ee930becfec6d8843ce96ba9b465dec
Author:  <stenn@psp-deb1.ntp.org>
Date:   Sun Dec 21 01:24:15 2014 +0000
    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs

commit 9ebcc199749f89056cf0c5acb82bc5256395102c
Author:  <stenn@deacon.udel.edu>
Date:   Fri Dec 19 04:43:15 2014 -0500
    Disable Sec 2672 interim fix for now

commit 96e106df5925c7d4c51b73b2f03ac403e8e1beb2
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 13:11:35 2014 +0000
    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs: debug output tweaking

commit 96c37aa51d3033a4b552de3c31d0fc1cc66d1f9b
Author:  <stenn@psp-deb1.ntp.org>
Date:   Thu Dec 18 01:18:29 2014 +0000
    [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs




Resolved and Identified bugfixes as in svn.freebsd.org/base/head branch :
$ svn log -v -r r276071
------------------------------------------------------------------------
r276071 | delphij | 2014-12-22 10:54:55 -0800 (Pr, 22 Dec 2014) | 9 lines
Changed paths:
   M /head/contrib/ntp/ntpd/ntp_config.c
   M /head/contrib/ntp/ntpd/ntp_control.c
   M /head/contrib/ntp/ntpd/ntp_crypto.c
   M /head/contrib/ntp/ntpd/ntp_proto.c
   M /head/contrib/ntp/util/ntp-keygen.c

Fix multiple ntp vulnerabilities.

Reviewed by:    roberto (earlier revision), philip
Security:    CVE-2014-9293, CVE-2014-9294
Security:    CVE-2014-9295, CVE-2014-9296
Security:    FreeBSD-SA-14:31.ntp

Differential Revision: [URL]https://reviews.freebsd.org/D1343[/URL]
```

References:
1. http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
2. http://bugs.ntp.org/show_bug.cgi?id=2671#c8
3. http://bugs.ntp.org/show_bug.cgi?id=2672#c6


----------



## SirDice (Oct 28, 2015)

https://www.freebsd.org/security/

I haven't looked at the exact details but most, if not all, is already fixed: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:25.ntp.asc

If you feel there's something missing I suggest you contact the security officer.


----------



## JGhosh (Oct 28, 2015)

Hi SirDice,

Thank you for sharing the useful links, just verified that CVE-2014-9297 is enlisted in https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc however CVE-2014-9298 still missing in the entire https://www.freebsd.org/security/advisories/*

DO I need to go through entire https://www.freebsd.org/security/patches/* logs ?

Also, now as I identified https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc is useful for CVE-2014-9297, how we can apply that patch in FreeBSD 10.1 release system. Do we have any reference documents of the same ?

Thank you in advance.
JGhosh


----------



## SirDice (Oct 28, 2015)

Not everything may apply, as I recall we have our "own" implementation of NTP. So it's possible some of the security advisories don't apply. 



JGhosh said:


> Also, now as I identified https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc is useful for CVE-2014-9297, how we can apply that patch in FreeBSD 10.1 release system. Do we have any reference documents of the same ?


It's in the same document.


```
V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.
```


----------



## JGhosh (Oct 29, 2015)

Hi SirDice,

Thank you very much for detailed advisory and reference, indeed!

Best wishes,
JGhosh


----------

