[patch] ntpd rejects source UDP ports less than 123 as bogus

Bug #1479652 reported by Richard Laager
This bug affects 2 people
Affects            Status         Importance   Assigned to       Milestone
NTP                Fix Released   High
ntp (Debian)       Fix Released   Unknown
ntp (Ubuntu)       Fix Released   Medium       Kick In
  Precise          Fix Released   Medium       Eric Desrochers
  Trusty           Fix Released   Medium       Eric Desrochers
  Wily             Fix Released   Medium       Eric Desrochers
  Xenial           Fix Released   Medium       Kick In

Bug Description

[Impact]

If an NTP client sends a request with a source port less than 123, the packet is silently ignored by ntpd. This is occurring in our environment due to NAT.

[Development Fix]

Fixed by merge of NTP of newer upstream release that includes the fix. Stuck in dep-wait in xenial-proposed due to an unrelated issue (pps-tools MIR or other resolution).

[Test Case]

The problem can easily be reproduced by having an iptables POSTROUTING NAT rule on the client forcing the source port to be under 123.

Setup:
 ==> NTP server = y.y.y.y
 ntp.conf configured to be a server.

 ==> NTP client = x.x.x.x
 "ntpdate" used to submit requests

 # iptables setup to force src port to be lower than 123
 iptables -t nat -A POSTROUTING -p UDP --dport 123 -j SNAT --to-source x.x.x.x:100-122

## On the client, set to force src port < 123 (without patch)

$ ntpdate y.y.y.y
ntpdate[<PID>]: no server suitable for synchronization found

## On the client, set to force src port < 123 (with patch)

$ ntpdate y.y.y.y
ntpdate[<PID>]: adjust time server y.y.y.y offset -0.028483 sec

[Regression Potential]

The patch comes from upstream: http://bugs.ntp.org/show_bug.cgi?id=2174

A testfix[1] package has been provided to the community before the SRU process to bring more confidence in the patch. Positive feedback has been given by the community confirming that the patch addressed the bug [comment #7].

[1]- https://launchpad.net/~slashd/+archive/ubuntu/bug1479652

[Original description]

[Title copied from Debian bug, which was not filed by me. Description below is mine.]

If an NTP client sends a request with a source port less than 123, the packet is silently ignored by ntpd. This is occurring in our environment due to NAT.

Attached is the patch already accepted upstream which fixes the issue. I've verified it fixes the problem. Debian has been ignoring this patch for almost 3 years. Can we get this in Ubuntu please?
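As an added triage helper that is not part of this bug report or of the ntp package: the server-side tcpdump check described in the verification comments (the "tcpdump on the server side confirmed that the source port was under 123" step), turned into a small POSIX shell script. It reads tcpdump output for UDP/123 and lists the client requests whose source port is below 123, which is exactly the set a pre-fix ntpd silently drops as bogus, so a non-empty list on the server explains "no server suitable for synchronization found" on a NAT'd client. The capture lines, addresses and ports are constructed sample data, and the function names would_be_dropped, low_port_requests and count_low_port_requests are my own.

```shell
#!/bin/sh
# Added triage helper (not part of the bug report or the ntp package).
# Usage on a server: tcpdump -n -l udp port 123 | low_port_requests

# Constructed sample of tcpdump -n lines in the shape
#   HH:MM:SS.usec IP SRC.PORT > DST.PORT: NTPv4, Client, length 48
# Ports 100 and 122 model a NAT that rewrites source ports into 100-122.
SAMPLE_CAPTURE='16:15:36.100001 IP 10.10.10.5.100 > 10.10.10.107.123: NTPv4, Client, length 48
16:15:36.100002 IP 10.10.10.5.122 > 10.10.10.107.123: NTPv4, Client, length 48
16:15:36.100003 IP 10.10.10.6.123 > 10.10.10.107.123: NTPv4, Client, length 48
16:15:36.100004 IP 10.10.10.7.51234 > 10.10.10.107.123: NTPv4, Client, length 48
16:15:36.100005 IP 10.10.10.107.123 > 10.10.10.7.51234: NTPv4, Server, length 48'

# Pre-fix ntpd rule as described in the report: a UDP source port below 123
# is treated as bogus and the request is discarded without any reply.
# Prints "drop" or "accept" for the given source port.
would_be_dropped() {
    if [ "$1" -lt 123 ]; then
        echo drop
    else
        echo accept
    fi
}

# Reads tcpdump lines on stdin and prints "srcip srcport" for every NTP
# client request whose source port a pre-fix ntpd would reject.
# Only "Client" packets are considered; server replies are ignored.
low_port_requests() {
    awk '
        $2 == "IP" && $4 == ">" && $0 ~ /NTPv[0-9]+, Client/ {
            src = $3                      # e.g. 10.10.10.5.100
            n = split(src, parts, ".")
            port = parts[n]               # last dotted component is the port
            ip = src
            sub(/\.[0-9]+$/, "", ip)      # strip the port to get the address
            if (port + 0 < 123) print ip, port
        }'
}

# Counts the affected requests in the constructed sample capture.
count_low_port_requests() {
    printf '%s\n' "$SAMPLE_CAPTURE" | low_port_requests | wc -l | tr -d ' '
}
```

Run against the constructed sample, low_port_requests reports the two requests from 10.10.10.5 (ports 100 and 122) and skips the one from port 123 and the ephemeral-port request, which matches the verified behaviour: only the requests that NAT pushed below 123 go unanswered by an unpatched server.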

In , Jason-bugzilla (jason-bugzilla) wrote :

Per Dave Hart, I'm filing this bug report to track an issue where NTP client packets on the inside of a Cisco IOS NAT box are dropped by ntpd on the outside of the Cisco IOS NAT box. This is due to IOS NAT using a low UDP source port ntp_proto.c tests against and blocks.

This was worked around per David's suggestion in the thread below, but it would be great if this would make it into mainline code.

http://groups.google.com/group/comp.protocols.time.ntp/msg/3024d073b914b278

In , Dave Hart (hart-ntp) wrote :

Ready in ~hart/ntp-dev-2174

In , Stenn (stenn) wrote :

Jason,

Thanks for the report. Please check ntp-4.2.7p274 and mark this bug as VERIFIED or REOPENED, as appropriate.

Dave, thanks for your work on this.

Richard Laager (rlaager) wrote :
description: updated
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch from upstream, made suitable for debian/patches" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in ntp:
importance: Unknown → High
status: Unknown → Fix Released
Changed in ntp (Debian):
status: Unknown → New
Robie Basak (racb) wrote :

According to the Debian bug, this was fixed upstream in 4.2.8p1 and Debian sid is now on 1:4.2.8p4+dfsg-3 so I think that means this is fixed in Debian. Ubuntu will pick it up on the next merge which I am expecting to be done this cycle.

Eric Desrochers (slashd)
Changed in ntp (Ubuntu Precise):
importance: Undecided → Medium
Changed in ntp (Ubuntu Trusty):
importance: Undecided → Medium
Changed in ntp (Ubuntu Wily):
importance: Undecided → Medium
Changed in ntp (Ubuntu Xenial):
importance: Undecided → Medium
Changed in ntp (Ubuntu Precise):
assignee: nobody → Eric Desrochers (slashd)
Changed in ntp (Ubuntu Trusty):
assignee: nobody → Eric Desrochers (slashd)
Changed in ntp (Ubuntu Wily):
assignee: nobody → Eric Desrochers (slashd)
Changed in ntp (Ubuntu Xenial):
assignee: nobody → Kick In (kick-d)
Eric Desrochers (slashd)
Changed in ntp (Ubuntu Xenial):
status: New → In Progress
Changed in ntp (Ubuntu Wily):
status: New → In Progress
Changed in ntp (Ubuntu Precise):
status: New → In Progress
Changed in ntp (Ubuntu Trusty):
status: New → In Progress
Eric Desrochers (slashd) wrote :

I have built a test package for the community to validate that it solves the bug before starting the SRU process [1].
The goal of this testfix is only to confirm that it solves the bug; it is not a final solution.

Here's what has been brought to my attention about the test package I have provided.

---
I confirm that the proposed testfix package resolved the issue.

The tests were made on test machines where the client had an iptables POSTROUTING NAT rule forcing the source port to be under 123.
- ntpdate command performed on the client machine was successful
- tcpdump on the server side confirmed that the source port was under 123.

Please advise for the next steps

Thank you
---

[1] - https://launchpad.net/~slashd/+archive/ubuntu/bug1479652

Eric Desrochers (slashd)
description: updated
description: updated
description: updated
description: updated
Eric Desrochers (slashd)
tags: added: sts
Eric Desrochers (slashd) wrote :

Patch
--
Distribution : Trusty (14.04)
Package version : ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.8
--

Note: kick-d is currently working on a merge for Xenial, including this patch.
I'm including the .debdiffs for the other distributions (W/T/P) for once the merge for Xenial is completed.

Eric Desrochers (slashd) wrote :

Patch
--
Distribution : Wily (15.10)
Package version : 4.2.6.p5+dfsg-3ubuntu8.2
--

Eric Desrochers (slashd) wrote :

Patch
--
Distribution : Precise (12.04)
Package version : 4.2.6.p3+dfsg-1ubuntu3.9
--

Eric Desrochers (slashd)
description: updated
description: updated
Eric Desrochers (slashd)
description: updated
description: updated
Robie Basak (racb) wrote :

Thanks Eric, the debdiffs look good to me. I added Origin and Bug-Ubuntu dep3 headers as discussed on IRC. Apart from that I've uploaded all three unmodified. Now awaiting SRU team review.

description: updated
Changed in ntp (Ubuntu Xenial):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Richard, or anyone else affected,

Accepted ntp into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu8.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Wily):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ntp (Ubuntu Trusty):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Richard, or anyone else affected,

Accepted ntp into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Precise):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Richard, or anyone else affected,

Accepted ntp into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p3+dfsg-1ubuntu3.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Eric Desrochers (slashd) wrote :

It has been brought to my attention ...

--
I confirm that the proposed testfix package resolved the issue on Trusty.

The tests were made on test machines where the client had an iptables POSTROUTING NAT rule forcing the source port to be under 123.
- ntpdate command performed on the client machine was successful
- tcpdump on the server side confirmed that the source port was under 123.
--

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-trusty
removed: verification-done
tags: added: verification-done
removed: verification-done-trusty
Eric Desrochers (slashd)
tags: added: verification-done-trusty
removed: verification-done
Eric Desrochers (slashd) wrote :

I confirmed the package "4.2.6.p3+dfsg-1ubuntu3.9" solved the problem in Ubuntu Precise.

NTP Version : 1:4.2.6.p3+dfsg-1ubuntu3.1

With no IPTABLES rule ==> Working
$ ntpdate x.x.x.x
11 Feb 16:15:19 ntpdate[1243]: adjust time server x.x.x.x offset 0.190571 sec

With IPTABLES rule ==> Not working
$ iptables -t nat -A POSTROUTING -p UDP --dport 123 -j SNAT --to-source y.y.y.y:100-122

$ ntpdate x.x.x.x
11 Feb 16:15:36 ntpdate[1253]: no server suitable for synchronization found

With ntp (precise-proposed) + IPTABLE rules ==> Now working

NTP version: 1:4.2.6.p3+dfsg-1ubuntu3.9

$ iptables -t nat -A POSTROUTING -p UDP --dport 123 -j SNAT --to-source y.y.y.y:100-122

$ ntpdate x.x.x.x
11 Feb 16:21:26 ntpdate[1986]: adjust time server x.x.x.x offset 0.005394 sec

Eric

tags: added: verification-done-precise
Eric Desrochers (slashd) wrote :

I confirmed the package "4.2.6.p5+dfsg-3ubuntu8.2" solves the bug in Ubuntu Wily.

# With port <123 using ntpdate (without patch)
11 Feb 20:30:09 ntpdate[2348]: no server suitable for synchronization found

# With port <123 using ntpdate (including patch)
11 Feb 20:32:18 ntpdate[3243]: adjust time server 10.10.10.107 offset 0.002017 sec

Eric

tags: added: verification-done-wily
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu2.14.04.8

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.8) trusty; urgency=medium

  * ntpd rejects source UDP ports less than 123 as bogus (closes: #691412)
    - d/p/reject-UDP-ports-less-than-123-as-bogus.patch (LP: #1479652)

 -- Eric Desrochers <email address hidden> Mon, 25 Jan 2016 11:39:44 -0500

Changed in ntp (Ubuntu Trusty):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for ntp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu8.2

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu8.2) wily; urgency=medium

  * ntpd rejects source UDP ports less than 123 as bogus (closes: #691412)
    - d/p/reject-UDP-ports-less-than-123-as-bogus.patch (LP: #1479652)

 -- Eric Desrochers <email address hidden> Mon, 25 Jan 2016 12:05:25 -0500

Changed in ntp (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu1

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu1) xenial; urgency=medium

  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Ask debian to add this.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + Add enforcing AppArmor profile:
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
        false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
      running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode,
      don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
      get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to
      ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
  * Includes fix for requests with source ports < 123, fixed upstream in
    4.2.8p1 (LP: #1479652).
  * Add PPS support (LP: #1512980):
    + debian/README.Debian: Add a PPS section to the README.Debian,
      removed all PPSkit one.
    + debian/ntp.conf: Add some configuration examples from the offical
      documentation.
    + debian/control: Add Build-Depends on pps-tools
  * Drop Changes:
    + debian/rules: Update config.{guess,sub} for AArch64, because upstream use
      dh_autoreconf now.
    + debian/{control,rules}: Add and enable hardened build for PIE.
      Upstream use fPIC. Options -fPIC and -fPIE are uncompatible, thus this is
      never applied, (cf. dpkg-buildflags manual), checked with Marc
      Deslauriers on freenode #ubuntu-hardened, 2016-01-20~13:11 UTC.
    + debian/rules: Remove update-rcd-params in dh_installinit command. When
      setting up ntp package, the following message is presented to the user
      due to deprecated use:
      "update-rc.d: warning: start and stop actions are no longer
      supported; falling back to defaults". The defaults are taken from the
      init.d script LSB comment header, which contain what we need anyway.
    + debian/rules: Remove ntp/ntp_parser.{c,h} or they don't get properly
      regenerated for some reason. Seems to have been due to ntpd/ntp_parser.y
      patches from CVE-2015-5194 and CVE-2015-5196, already upstreamed.
    + debian/ntpdate.if-up: Drop lockfile mechanism as upstream is using flock
      now.
    + Remove natty timeframe old deltas (transitional code not needed since
      Trusty): Those patches were for an incorrect behaviour of
      system-tools-backend, around natty time
      (https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/83604/comments/23)
      - debi...


Changed in ntp (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p3+dfsg-1ubuntu3.9

---------------
ntp (1:4.2.6.p3+dfsg-1ubuntu3.9) precise; urgency=medium

  * ntpd rejects source UDP ports less than 123 as bogus (closes: #691412)
    - d/p/reject-UDP-ports-less-than-123-as-bogus.patch (LP: #1479652)

 -- Eric Desrochers <email address hidden> Mon, 25 Jan 2016 12:28:25 -0500

Changed in ntp (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in ntp (Debian):
status: New → Fix Released