busybox: Security fix CVE-2016-6301
ntpd: NTP server denial of service flaw

CVE: CVE-2016-6301

(From OE-Core rev: 301dc9df16cce1f4649f90af47159bc21be0de59)

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
parent 74d7d12b37
commit 36b2865318
@ -0,0 +1,37 @@
busybox1.24.1: Fix CVE-2016-6301
[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1363710
ntpd: NTP server denial of service flaw
The busybox NTP implementation doesn't check the NTP mode of packets
received on the server port and responds to any packet with the right
size. This includes responses from another NTP server. An attacker can
send a packet with a spoofed source address in order to create an
infinite loop of responses between two busybox NTP servers. Adding
more packets to the loop increases the traffic between the servers
until one of them has a fully loaded CPU and/or network.
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=150dc7a2b483b8338a3e185c478b4b23ee884e71]
CVE: CVE-2016-6301
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
diff --git a/networking/ntpd.c b/networking/ntpd.c
index 9732c9b..0f6a55f 100644
--- a/networking/ntpd.c
+++ b/networking/ntpd.c
@@ -1985,6 +1985,13 @@ recv_and_process_client_pkt(void /*int fd*/)
goto bail;
}
+ /* Respond only to client and symmetric active packets */
+ if ((msg.m_status & MODE_MASK) != MODE_CLIENT
+ && (msg.m_status & MODE_MASK) != MODE_SYM_ACT
+ ) {
+ goto bail;
+ }
+
query_status = msg.m_status;
query_xmttime = msg.m_xmttime;
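Review bot: In the mode check added to recv_and_process_client_pkt(), the comment says which modes get a reply but not why the others are dropped. A short mention that answering server-mode packets lets two servers echo each other indefinitely (CVE-2016-6301) would keep a later cleanup from relaxing the test. The condition also evaluates msg.m_status & MODE_MASK twice; reading it once into a local would make the two comparisons easier to audit. Packets rejected here leave through goto bail with no trace, so consider a verbose-level message or a counter if operators should be able to notice a reflection attempt.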
@ -47,6 +47,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://CVE-2016-2148.patch \
file://CVE-2016-2148.patch \
file://CVE-2016-2147.patch \
file://CVE-2016-2147.patch \
file://CVE-2016-2147_2.patch \
file://CVE-2016-2147_2.patch \
file://CVE-2016-6301.patch \
file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \
file://ip_fix_problem_on_mips64_n64_big_endian_musl_systems.patch \
file://makefile-fix-backport.patch \
file://makefile-fix-backport.patch \
file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \
file://0001-sed-fix-sed-n-flushes-pattern-space-terminates-early.patch \
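Review bot: The new SRC_URI entry file://CVE-2016-6301.patch carries a patch whose header names busybox 1.24.1, while the tarball URL in the same variable is built from ${PV}. It is worth confirming the recipe is pinned to that version, and noting that the entry has to be dropped once ${PV} moves to a release that already contains upstream commit 150dc7a2b483b8338a3e185c478b4b23ee884e71. Placing it after the CVE-2016-2147 patches keeps the CVE fixes grouped, which is fine.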