CVEs were reported against NTP package version 4.2.8p10.
Hence ntp is upgraded to 4.2.8p11.
Fixes CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185.
Change-Id: I747d7ce0682804d4301d9295d3b76a4204564f28
Signed-off-by: srinidhira0 <srinidhir@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5413
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: Anish Swaminathan <anishs@vmware.com>
| ... | ... |
@@ -1,27 +1,26 @@ |
| 1 | 1 |
Summary: Network Time Protocol reference implementation |
| 2 | 2 |
Name: ntp |
| 3 |
-Version: 4.2.8p10 |
|
| 4 |
-Release: 4%{?dist}
|
|
| 3 |
+Version: 4.2.8p11 |
|
| 4 |
+Release: 1%{?dist}
|
|
| 5 | 5 |
License: NTP |
| 6 | 6 |
URL: http://www.ntp.org/ |
| 7 | 7 |
Group: System Environment/NetworkingPrograms |
| 8 | 8 |
Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/%{name}-%{version}.tar.gz
|
| 11 |
-%define sha1 ntp=503d68cfd3e6a9354e0e28dd38b39d850b1228b2 |
|
| 11 |
+%define sha1 ntp=b20352bb76963a0ef5ec07ba99c2bb97ec6b6aeb |
|
| 12 | 12 |
|
| 13 | 13 |
#https://github.com/darkhelmet/ntpstat |
| 14 | 14 |
Source1: ntpstat-master.zip |
| 15 | 15 |
%define sha1 ntpstat=729cf2c9f10da43554f26875e91e1973d4498761 |
| 16 | 16 |
Source2: ntp.sysconfig |
| 17 |
-Patch0: ntpq-remove-list-digest-call.patch |
|
| 18 | 17 |
BuildRequires: which |
| 19 | 18 |
BuildRequires: libcap-devel |
| 20 | 19 |
BuildRequires: unzip |
| 21 | 20 |
BuildRequires: systemd |
| 22 | 21 |
BuildRequires: openssl-devel |
| 23 | 22 |
Requires: systemd |
| 24 |
-Requires: shadow |
|
| 23 |
+Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd |
|
| 25 | 24 |
Requires: openssl |
| 26 | 25 |
Requires: libcap >= 2.24 |
| 27 | 26 |
%description |
| ... | ... |
@@ -39,7 +38,6 @@ state of the NTP daemon running on the local machine. |
| 39 | 39 |
|
| 40 | 40 |
%prep |
| 41 | 41 |
%setup -q -a 1 |
| 42 |
-%patch0 -p1 |
|
| 43 | 42 |
|
| 44 | 43 |
%build |
| 45 | 44 |
./configure \ |
| ... | ... |
@@ -140,6 +138,9 @@ rm -rf %{buildroot}/*
|
| 140 | 140 |
%{_mandir}/man8/ntpstat.8*
|
| 141 | 141 |
|
| 142 | 142 |
%changelog |
| 143 |
+* Thu Jun 28 2018 Srinidhi Rao <srinidhir@vmware.com> 4.2.8p11-1 |
|
| 144 |
+- Upgrade version to 4.2.8p11. |
|
| 145 |
+- Remove shadow from requires and use explicit tools for post actions. |
|
| 143 | 146 |
* Wed Sep 27 2017 Anish Swaminathan <anishs@vmware.com> 4.2.8p10-4 |
| 144 | 147 |
- Add patch to remove call to OpenSSL's list digest method in ntpq |
| 145 | 148 |
* Thu Jul 27 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.2.8p10-3 |
| 146 | 149 |
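Review bot: The removal of `Patch0: ntpq-remove-list-digest-call.patch` and its `%patch0 -p1` step is neither recorded nor justified in the new `%changelog` entry, so a later reader cannot tell whether 4.2.8p11 makes the ntpq workaround unnecessary or whether it was dropped by accident. Please confirm this against the p11 sources and add a line such as `- Remove ntpq-remove-list-digest-call.patch (state the reason here).` Because this is a security update, the entry should also name what it fixes, e.g. `- Upgrade version to 4.2.8p11 to fix CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185.`, so the fixes can be traced from the package changelog as well as the commit message. The entry also speaks of "post actions" while the tag added in the first hunk is `Requires(pre):`. The scriptlets are outside the visible hunks, so check which scriptlet actually calls useradd/groupadd and make the tag and the wording agree.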
deleted file mode 100644 |
| ... | ... |
@@ -1,199 +0,0 @@ |
| 1 |
-diff -rup ntp-4.2.8p10/ntpq/ntpq.c ntp-4.2.8p10-new/ntpq/ntpq.c |
|
| 2 |
-+++ ntp-4.2.8p10-new/ntpq/ntpq.c 2017-09-28 14:50:29.501452148 -0700 |
|
| 3 |
-@@ -33,7 +33,6 @@ |
|
| 4 |
- #ifdef OPENSSL |
|
| 5 |
- #include "openssl/evp.h" |
|
| 6 |
- #include "openssl/objects.h" |
|
| 7 |
--#include "openssl/err.h" |
|
| 8 |
- #include "libssl_compat.h" |
|
| 9 |
- #endif |
|
| 10 |
- #include <ssl_applink.c> |
|
| 11 |
-@@ -227,13 +226,6 @@ static void on_ctrlc (void); |
|
| 12 |
- static int my_easprintf (char**, const char *, ...) NTP_PRINTF(2, 3); |
|
| 13 |
- void ntpq_custom_opt_handler (tOptions *, tOptDesc *); |
|
| 14 |
- |
|
| 15 |
--#ifdef OPENSSL |
|
| 16 |
--# ifdef HAVE_EVP_MD_DO_ALL_SORTED |
|
| 17 |
--static void list_md_fn(const EVP_MD *m, const char *from, |
|
| 18 |
-- const char *to, void *arg ); |
|
| 19 |
--# endif |
|
| 20 |
--#endif |
|
| 21 |
--static char *list_digest_names(void); |
|
| 22 |
- |
|
| 23 |
- /* |
|
| 24 |
- * Built-in commands we understand |
|
| 25 |
-@@ -294,8 +286,8 @@ struct xcmd builtins[] = {
|
|
| 26 |
- { "version number", "", "", "" },
|
|
| 27 |
- "set the NTP version number to use for requests" }, |
|
| 28 |
- { "keytype", keytype, { OPT|NTP_STR, NO, NO, NO },
|
|
| 29 |
-- { "key type %s", "", "", "" },
|
|
| 30 |
-- NULL }, |
|
| 31 |
-+ { "key type (md5|des)", "", "", "" },
|
|
| 32 |
-+ "set key type to use for authenticated requests (des|md5)" }, |
|
| 33 |
- { 0, 0, { NO, NO, NO, NO },
|
|
| 34 |
- { "", "", "", "" }, "" }
|
|
| 35 |
- }; |
|
| 36 |
-@@ -477,37 +469,6 @@ ntpqmain( |
|
| 37 |
- if (!ipv6_works) |
|
| 38 |
- ai_fam_default = AF_INET; |
|
| 39 |
- |
|
| 40 |
-- /* Fixup keytype's help based on available digest names */ |
|
| 41 |
-- |
|
| 42 |
-- {
|
|
| 43 |
-- char *list; |
|
| 44 |
-- char *msg; |
|
| 45 |
-- |
|
| 46 |
-- list = list_digest_names(); |
|
| 47 |
-- for (icmd = 0; icmd < sizeof(builtins)/sizeof(builtins[0]); icmd++) {
|
|
| 48 |
-- if (strcmp("keytype", builtins[icmd].keyword) == 0)
|
|
| 49 |
-- break; |
|
| 50 |
-- } |
|
| 51 |
-- |
|
| 52 |
-- /* CID: 1295478 */ |
|
| 53 |
-- /* This should only "trip" if "keytype" is removed from builtins */ |
|
| 54 |
-- INSIST(icmd < sizeof(builtins)/sizeof(builtins[0])); |
|
| 55 |
-- |
|
| 56 |
--#ifdef OPENSSL |
|
| 57 |
-- builtins[icmd].desc[0] = "digest-name"; |
|
| 58 |
-- my_easprintf(&msg, |
|
| 59 |
-- "set key type to use for authenticated requests, one of:%s", |
|
| 60 |
-- list); |
|
| 61 |
--#else |
|
| 62 |
-- builtins[icmd].desc[0] = "md5"; |
|
| 63 |
-- my_easprintf(&msg, |
|
| 64 |
-- "set key type to use for authenticated requests (%s)", |
|
| 65 |
-- list); |
|
| 66 |
--#endif |
|
| 67 |
-- builtins[icmd].comment = msg; |
|
| 68 |
-- free(list); |
|
| 69 |
-- } |
|
| 70 |
-- |
|
| 71 |
- progname = argv[0]; |
|
| 72 |
- |
|
| 73 |
- {
|
|
| 74 |
-@@ -2558,11 +2519,11 @@ keytype( |
|
| 75 |
- key_type = keytype_from_text(digest_name, &digest_len); |
|
| 76 |
- |
|
| 77 |
- if (!key_type) {
|
|
| 78 |
-- fprintf(fp, "keytype is not valid. " |
|
| 79 |
-+ fprintf(fp, "keytype must be 'md5'%s\n", |
|
| 80 |
- #ifdef OPENSSL |
|
| 81 |
-- "Type \"help keytype\" for the available digest types.\n"); |
|
| 82 |
-+ " or a digest type provided by OpenSSL"); |
|
| 83 |
- #else |
|
| 84 |
-- "Only \"md5\" is available.\n"); |
|
| 85 |
-+ ""); |
|
| 86 |
- #endif |
|
| 87 |
- return; |
|
| 88 |
- } |
|
| 89 |
-@@ -3580,109 +3541,6 @@ ntpq_custom_opt_handler( |
|
| 90 |
- break; |
|
| 91 |
- } |
|
| 92 |
- } |
|
| 93 |
--/* |
|
| 94 |
-- * Obtain list of digest names |
|
| 95 |
-- */ |
|
| 96 |
-- |
|
| 97 |
--#ifdef OPENSSL |
|
| 98 |
--# ifdef HAVE_EVP_MD_DO_ALL_SORTED |
|
| 99 |
--struct hstate {
|
|
| 100 |
-- char *list; |
|
| 101 |
-- const char **seen; |
|
| 102 |
-- int idx; |
|
| 103 |
--}; |
|
| 104 |
--#define K_PER_LINE 8 |
|
| 105 |
--#define K_NL_PFX_STR "\n " |
|
| 106 |
--#define K_DELIM_STR ", " |
|
| 107 |
--static void list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg ) |
|
| 108 |
--{
|
|
| 109 |
-- size_t len, n; |
|
| 110 |
-- const char *name, *cp, **seen; |
|
| 111 |
-- struct hstate *hstate = arg; |
|
| 112 |
-- EVP_MD_CTX *ctx; |
|
| 113 |
-- u_int digest_len; |
|
| 114 |
-- u_char digest[EVP_MAX_MD_SIZE]; |
|
| 115 |
-- |
|
| 116 |
-- if (!m) |
|
| 117 |
-- return; /* Ignore aliases */ |
|
| 118 |
-- |
|
| 119 |
-- name = EVP_MD_name(m); |
|
| 120 |
-- |
|
| 121 |
-- /* Lowercase names aren't accepted by keytype_from_text in ssl_init.c */ |
|
| 122 |
-- |
|
| 123 |
-- for( cp = name; *cp; cp++ ) {
|
|
| 124 |
-- if( islower((unsigned char)*cp) ) |
|
| 125 |
-- return; |
|
| 126 |
-- } |
|
| 127 |
-- len = (cp - name) + 1; |
|
| 128 |
-- |
|
| 129 |
-- /* There are duplicates. Discard if name has been seen. */ |
|
| 130 |
-- |
|
| 131 |
-- for (seen = hstate->seen; *seen; seen++) |
|
| 132 |
-- if (!strcmp(*seen, name)) |
|
| 133 |
-- return; |
|
| 134 |
-- n = (seen - hstate->seen) + 2; |
|
| 135 |
-- hstate->seen = erealloc(hstate->seen, n * sizeof(*seen)); |
|
| 136 |
-- hstate->seen[n-2] = name; |
|
| 137 |
-- hstate->seen[n-1] = NULL; |
|
| 138 |
-- |
|
| 139 |
-- /* Discard MACs that NTP won't accept. |
|
| 140 |
-- * Keep this consistent with keytype_from_text() in ssl_init.c. |
|
| 141 |
-- */ |
|
| 142 |
-- |
|
| 143 |
-- ctx = EVP_MD_CTX_new(); |
|
| 144 |
-- EVP_DigestInit(ctx, EVP_get_digestbyname(name)); |
|
| 145 |
-- EVP_DigestFinal(ctx, digest, &digest_len); |
|
| 146 |
-- EVP_MD_CTX_free(ctx); |
|
| 147 |
-- if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t))) |
|
| 148 |
-- return; |
|
| 149 |
-- |
|
| 150 |
-- if (hstate->list != NULL) |
|
| 151 |
-- len += strlen(hstate->list); |
|
| 152 |
-- len += (hstate->idx >= K_PER_LINE)? strlen(K_NL_PFX_STR): strlen(K_DELIM_STR); |
|
| 153 |
-- |
|
| 154 |
-- if (hstate->list == NULL) {
|
|
| 155 |
-- hstate->list = (char *)emalloc(len); |
|
| 156 |
-- hstate->list[0] = '\0'; |
|
| 157 |
-- } else |
|
| 158 |
-- hstate->list = (char *)erealloc(hstate->list, len); |
|
| 159 |
-- |
|
| 160 |
-- sprintf(hstate->list + strlen(hstate->list), "%s%s", |
|
| 161 |
-- ((hstate->idx >= K_PER_LINE)? K_NL_PFX_STR : K_DELIM_STR), |
|
| 162 |
-- name); |
|
| 163 |
-- if (hstate->idx >= K_PER_LINE) |
|
| 164 |
-- hstate->idx = 1; |
|
| 165 |
-- else |
|
| 166 |
-- hstate->idx++; |
|
| 167 |
--} |
|
| 168 |
--# endif |
|
| 169 |
--#endif |
|
| 170 |
-- |
|
| 171 |
--static char *list_digest_names(void) |
|
| 172 |
--{
|
|
| 173 |
-- char *list = NULL; |
|
| 174 |
-- |
|
| 175 |
--#ifdef OPENSSL |
|
| 176 |
--# ifdef HAVE_EVP_MD_DO_ALL_SORTED |
|
| 177 |
-- struct hstate hstate = { NULL, NULL, K_PER_LINE+1 };
|
|
| 178 |
-- |
|
| 179 |
-- hstate.seen = (const char **) emalloc_zero(1*sizeof( const char * )); // replaces -> calloc(1, sizeof( const char * )); |
|
| 180 |
-- |
|
| 181 |
-- INIT_SSL(); |
|
| 182 |
-- EVP_MD_do_all_sorted(list_md_fn, &hstate); |
|
| 183 |
-- list = hstate.list; |
|
| 184 |
-- free(hstate.seen); |
|
| 185 |
--# else |
|
| 186 |
-- list = (char *)emalloc(sizeof("md5, others (upgrade to OpenSSL-1.0 for full list)"));
|
|
| 187 |
-- strcpy(list, "md5, others (upgrade to OpenSSL-1.0 for full list)"); |
|
| 188 |
--# endif |
|
| 189 |
--#else |
|
| 190 |
-- list = (char *)emalloc(sizeof("md5"));
|
|
| 191 |
-- strcpy(list, "md5"); |
|
| 192 |
--#endif |
|
| 193 |
-- |
|
| 194 |
-- return list; |
|
| 195 |
--} |
|
| 196 |
- |
|
| 197 |
- #define CTRLC_STACK_MAX 4 |
|
| 198 |
- static volatile size_t ctrlc_stack_len = 0; |