Bug #1891953 “CVE-2019-8936” : Bugs : ntp package : Ubuntu

Revision history for this message

Brian Morton (rokclimb15) wrote on 2020-08-18:

#1

Requires security backport for Bionic only.

Changed in ntp (Ubuntu):
assignee:	nobody → Brian Morton (rokclimb15)
status:	New → In Progress

Brian Morton (rokclimb15) on 2020-08-18

information type:

Public → Public Security

Revision history for this message

Brian Morton (rokclimb15) wrote on 2020-08-18:

#2

Debdiff for Bionic Edit (2.7 KiB, text/plain)

Revision history for this message

Alex Murray (alexmurray) wrote on 2020-09-21:

#3

Thanks for the debdiff - I am happy to sponsor this for you - one quick thing, there is no need to reference the debian bug report in the changelog so I have cleaned it up to look like the following:

ntp (1:4.2.8p10+dfsg-5ubuntu7.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936

-- Brian Morton <email address hidden> Mon, 17 Aug 2020 21:58:51 -0400

I also notice this CVE is also unresolved in focal and groovy - would you be interested in preparing debdiff's against ntp in those releases as well?

Revision history for this message

Brian Morton (rokclimb15) wrote on 2020-09-21:

#4

Hi Alex, thanks very much for fixing that loose end in the changelog and for sponsoring this fix. I can produce them for the other releases as well.

Mathew Hodson (mhodson) on 2020-09-25

Changed in ntp (Ubuntu):
importance:	Undecided → Medium

Bug Watch Updater (bug-watch-updater) on 2020-09-25

Changed in ntp (Debian):
status:	Unknown → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-10-01:

#5

This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu7.3

---------------
ntp (1:4.2.8p10+dfsg-5ubuntu7.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936

-- Brian Morton <email address hidden> Mon, 17 Aug 2020 21:58:51 -0400

Changed in ntp (Ubuntu):
status:	In Progress → Fix Released

Emilia Torino (emitorino) on 2020-10-02

Changed in ntp (Ubuntu Bionic):
importance:	Undecided → Medium
Changed in ntp (Ubuntu Focal):
importance:	Undecided → Medium
assignee:	nobody → Brian Morton (rokclimb15)
Changed in ntp (Ubuntu Bionic):
assignee:	nobody → Brian Morton (rokclimb15)
status:	New → Confirmed
Changed in ntp (Ubuntu Focal):
status:	New → Confirmed
Changed in ntp (Ubuntu Bionic):
status:	Confirmed → Fix Released
Changed in ntp (Ubuntu Groovy):
status:	Fix Released → Confirmed

Revision history for this message

Alex Murray (alexmurray) wrote on 2020-11-17:

#6

@rokclimb15 - are you still looking at producing debdiff's for focal + groovy as well?

Revision history for this message

Brian Morton (rokclimb15) wrote on 2020-11-17:

#7

@alexmurray - Yes, I'll work on it this week.

Revision history for this message

Alex Murray (alexmurray) wrote on 2020-11-17:

#8

Excellent - thank you :)

Revision history for this message

Brian Morton (rokclimb15) wrote on 2020-11-27:

#9

Patch for Focal Edit (3.0 KiB, text/plain)

Patch for Focal

Revision history for this message

Brian Morton (rokclimb15) wrote on 2020-11-27:

#10

@alexmurray - The debdiff for Groovy is identical to the one from Focal (same source package version). Let me know if you need a distinct debdiff with the release pocket (groovy-security) identified.

Revision history for this message

Avital Ostromich (avital) wrote on 2021-03-11:

#11

Apologies for the delay on this, it fell off our radar but we're working on the Focal+ updates now. And no need for the separate Groovy debdiff, thanks Brian!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-04-20:

#12

This bug was fixed in the package ntp - 1:4.2.8p12+dfsg-3ubuntu4.20.10.1

---------------
ntp (1:4.2.8p12+dfsg-3ubuntu4.20.10.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936
  * Fix FTBFS with GCC-10
    - debian/rules: add -fcommon flag to CFLAGS

-- Brian Morton <email address hidden> Fri, 27 Nov 2020 16:10:51 -0500

Changed in ntp (Ubuntu Groovy):
status:	Confirmed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-04-20:

#13

This bug was fixed in the package ntp - 1:4.2.8p12+dfsg-3ubuntu4.20.04.1

---------------
ntp (1:4.2.8p12+dfsg-3ubuntu4.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936

-- Brian Morton <email address hidden> Fri, 27 Nov 2020 16:10:51 -0500

Changed in ntp (Ubuntu Focal):
status:	Confirmed → Fix Released

Eduardo Barretto (ebarretto) on 2021-04-28

Changed in ntp (Ubuntu):
status:	Confirmed → Fix Released

Ubuntu
ntp package

CVE-2019-8936

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to
ntp (Debian)	Fix Released	Unknown	debbugs #924228
ntp (Ubuntu)	Fix Released	Medium	Brian Morton
Bionic	Fix Released	Medium	Brian Morton
Focal	Fix Released	Medium	Brian Morton
Groovy	Fix Released	Medium	Brian Morton

Ubuntuntp package

CVE-2019-8936

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
ntp package