PLSA-2009-55 Ntp: Buffer Overflow - Pardus Security Information

[PLSA 2009-55] Ntp: Buffer Overflow

Severity: 2
Type: Remote
Release Date: 2009-04-12

Summary

Apple discovered a stack-based buffer overflow in the ntpq program.

Description

When the ntpq program is used to request peer information from a remote time server, a maliciously crafted response may lead to an unexpected application termination or arbitrary code execution.

The buffer overflow is limited to two bytes, so a code execution impact is unlikely, but this is dependent on the stack layout generated by cc.

Packages

Pardus 2008

ntp-client, all before 4.2.4_p6-10-4
ntp-server, all before 4.2.4_p6-10-4

Resolution

There are update(s) for ntp-client, ntp-server. You can update them via Package Manager or with a single command from console:

Pardus 2008

pisi up ntp-client ntp-server

References

http://bugs.pardus.org.tr/show_bug.cgi?id=9532
https://support.ntp.org/bugs/show_bug.cgi?id=1144