NTP : Use-after-free in routing socket code after dropping root

Bug #1481388 reported by Eric Desrochers on 2015-08-04
24
This bug affects 3 people
Affects Status Importance Assigned to Milestone
NTP
Fix Released
High
ntp (Debian)
Fix Released
Unknown
ntp (Ubuntu)
Medium
Eric Desrochers
Precise
Medium
Eric Desrochers
Trusty
Medium
Eric Desrochers
Vivid
Medium
Eric Desrochers
Wily
Medium
Eric Desrochers

Bug Description

[Impact]

 * User experienced repeated segfaults at the same instruction pointer

i/o error on routing socket No buffer space available - disabling
segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]

The remove_ and delete_ functions remove the current element from the asyncio_reader_list, and free it, respectively.

We then return back to the loop at the top, wherein the asyncio_reader variable still points at the now-freed element, whose contents are (in theory) now scrambled
by having link pointers, etc, from internal malloc state overlaying the data.

[Test Case]

You can easily reproduce the bug by :

- Lowering the sysctl value net.core.rmem_max

$ sysctl -w net.core.wmem_max=<LOWER_VALUE>
This sets the max OS send buffer size for all types of connections.

- Adding multiple network interfaces and static routes.

[Regression Potential]

None expected since the fix is already available upstream (https://github.com/ntp-project/ntp.git) and Debian package.

If after installing the patch, user are receiving this kind of message in /var/log/syslog : "routing socket reports: No buffer space available".
The next step, would be to increase the "net.core.rmem_max" and "net.core.wmem_max" values equally until the "routing socket reports: No buffer space available" message no longer showed up.

[Other Info]

NTP upstream (https://github.com/ntp-project/ntp.git)
[Bug 2224] Use-after-free in routing socket code after dropping root. - Commit: d6df9d3
[Bug 2890] Ignore ENOBUFS on routing netlink socket. - Commit: db47bd4

The use-after-free bug has been fix in Debian release (closes: #795315)
Will submit the ignore-ENOBUFS-on-routing-netlink-socket in Debian in the next days.

[Original Description]

We have 1 server (among hundreds) that its ntp service is crashing.

A few minute/seconds after a start attempts we can see the following in syslog:
ntpd[2729]: peers refreshed
ntpd[2729]: Listening on routing socket on fd #49 for interface updates
ntpd[2729]: i/o error on routing socket No buffer space available - disabling
kernel: [157516.495224] ntpd[2729]: segfault at 31 ip 0000000000000031 sp 00007ffff9f11788 error 14 in libpthread-2.15.so[7f967a5d9000+18000]

OS: Ubuntu 12.04.4 LTS
Kernel: 3.11.0-19-generic

I tried to compare it to other servers, and the only thing I could find that is different is that while it's up (before it crashes) I can see the following when running "lsof | grep ntp":
ntpd 2729 ntp 49u sock 0,7 0t0 2473952565 can't identify protocol.

Hello everyone, I want to file a bug.

Run command: ntpd --user=ntpd:ntpd --logfile=/var/log/ntpd.log

It runs for some seconds and then is segfaults.
Happens only when I use both the --user and --logfile parameters.
Happens only when I have configured it with --enable-clockctl alone.
If configured with both --enable-clockctl and --enable-linuxcaps it works OK.

/var/log/ntpd.log: -rw-r--r-- 1 ntpd ntpd 21957 Jun 11 14:49 /var/log/ntpd.log
/etc/passwd: ntpd:x:10:17:ntpd:/dev/null:/bin/false
/etc/group: ntpd:x:1008:
/etc/ntpd.conf is empty.

Strace gives in the end: http://pastebin.com/Bujn2MNn
With more advanced debugging I got: http://pastebin.com/YNWBrRJG
When runs in normal manner, strace gives: http://pastebin.com/2JpzK4jh

In my humble opinion, the error occurs when ntpd tries to do something with the network interfaces.

My machine is a kernel 2.6.35.14 with glibc 2.14.1.
ntpd - NTP daemon program - Ver. 4.2.6p5

Greetings.

Thanks for the report. The additional debugging paste is short enough to include directly in the comments:

==24767== Invalid read of size 8
==24767== at 0x411048: input_handler (ntp_io.c:3621)
==24767== by 0x414B84: ntpdmain (ntpd.c:1078)
==24767== by 0x406448: main (ntpd.c:356)
==24767== Address 0x5e897f0 is 0 bytes inside a block of size 32 free'd
==24767== at 0x4C26649: free (in /lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24767== by 0x411072: input_handler (ntp_io.c:3619)
==24767== by 0x414B84: ntpdmain (ntpd.c:1078)
==24767== by 0x406448: main (ntpd.c:356)

The code in question is:

#ifdef HAS_ROUTING_SOCKET
 /*
  * scan list of asyncio readers - currently only used for routing sockets
  */
 asyncio_reader = asyncio_reader_list;

 while (asyncio_reader != NULL) {
  if (FD_ISSET(asyncio_reader->fd, &fds)) {
   ++select_count;
   (asyncio_reader->receiver)(asyncio_reader); /*3619 */
  }
  asyncio_reader = asyncio_reader->link; /* 3621 */
 }
#endif /* HAS_ROUTING_SOCKET */

line 3619 is calling process_routing_msgs() which, after root is dropped, is noticing a failed read or other error and removing the entry from asyncio_reader_list and free()ing it, triggering the valgrind catch.

I bet can be worked around by adding -U 0 to the command line to disable dynamic interface updates, I suspect (I could be wrong, too). To patch it, we need to add a "next_asyncio_reader" local variable of the same type as asyncio_reader, and assign to it asyncio_reader->link before if (FD_ISSET(..., and change the asyncio_reader assignment to use the saved next_asyncio_reader. I will get that ready for ntp-dev, and am requesting 4.2.6 blocking in case we do another release of that stable version.

Ready in:

~hart/ntp-dev-2224

(In reply to comment #2)
> Ready in:
>
> ~hart/ntp-dev-2224

How can I see the code difference?

Created attachment 883
pending patch for Bug 2224

With a bit of luck it'll be in 4.2.7p280 before too long.

(In reply to comment #4)
> Created attachment 883 [details]
> pending patch for Bug 2224
>
> With a bit of luck it'll be in 4.2.7p280 before too long.

We consider 4.2.7p XXX stable revisions ?

(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 883 [details]
> > pending patch for Bug 2224
> >
> > With a bit of luck it'll be in 4.2.7p280 before too long.
>
> We consider 4.2.7p XXX stable revisions ?

Some of we do. I've always preferred ntp-dev snapshots to -stable releases as the -stable releases are years apart and a lot of interesting changes happen in between.

Speaking of which, it's been 2.5 years since 4.2.7 forked from 4.2.6. I'm anxious, as are others, to get 4.2.8 out as the next stable release, rather than spend more time patching 4.2.6. Given the relatively small impact of this bug, I'm still inclined to prefer avoiding another 4.2.6 release.

In , Stenn (stenn) wrote :

nosebleed,

Thanks for the report. Please check 4.2.7p280 and mark this bug as VERIFIED or REOPENED, as appropriate.

If there is another 4.2.6pX release this patch will be backported.

Dave, thanks for your work on this.

Eric Desrochers (slashd) on 2015-08-04
Changed in ntp (Ubuntu):
assignee: nobody → eric.desrochers (eric-desrochers-z)
summary: - Use-after-free in routing socket code after dropping root
+ NTP : Use-after-free in routing socket code after dropping root
Eric Desrochers (slashd) on 2015-08-04
Changed in ntp (Ubuntu):
importance: Undecided → Low
milestone: none → ubuntu-12.04.5
Eric Desrochers (slashd) wrote :

The remove_ and delete_ functions remove the current element from the asyncio_reader_list, and free it, respectively.

We then return back to the loop at the top, wherein the asyncio_reader variable still points at the now-freed element,
whose contents are now scrambled by having link pointers, etc, from internal malloc state overlaying the data.

This loop should probably extract the ->link pointer prior to calling ->receiver(), as that function can free the asyncio_reader object in question. (LP: #1481388)

Eric Desrochers (slashd) on 2015-08-05
Changed in ntp (Ubuntu):
milestone: ubuntu-12.04.5 → trusty-updates
milestone: trusty-updates → none
information type: Public → Private
Eric Desrochers (slashd) on 2015-08-06
description: updated
information type: Private → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ntp (Ubuntu Trusty):
status: New → Confirmed
Changed in ntp (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd) on 2015-08-08
Changed in ntp (Ubuntu Trusty):
assignee: nobody → eric.desrochers (eric-desrochers-z)
Eric Desrochers (slashd) wrote :

Unfortunately, I can't reproduce the behaviour on my side.
I'm providing a hotfix[1] based on the upstream commit[2] that addressed the issue.

If you can reproduce the problem, please test the hotfix and provide feedbacks.

[1] https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1481388/+packages
[2] d6df9d3 [Bug 2224] Use-after-free in routing socket code after dropping root

Thanks !

Eric Desrochers (slashd) wrote :

I was able to reproduce the problem on PRECISE (12.04) by lowering the kernel parameter value "net.core.rmem_max".

And then test my .deb build on my PPA[1] with the following upstream commits :

- d6df9d3 [Bug 2224] Use-after-free in routing socket code after dropping root.
- db47bd4 [Bug 2890] Ignore ENOBUFS on routing netlink socket.

What the patch does ?
===
The program first "read" from the fd. On success, the number of bytes written into buf is
returned. On error, the call returns −1 and sets errno

If the call returns -1, then there is a verification to validate if the errno == ENOBUFS

and then send to syslog the following message : "routing socket reports: No buffer space available"

Otherwise, if errno is NOT ENOBUFS, then it close the socket (remove_asyncio_reader(reader);) and free the memory space (delete_asyncio_reader(reader);)

And send to syslog the following message : i/o error on routing socket No buffer space available - disabling

Before this patch, no matter what was the errno, it was automatically close() and free() without validation if ENOBUFS or not.

To summarize, the patch allow the program to not close() and free() the socket when the a errno == ENOBUFS occur, but still send a message in syslog to notify the administrator.
===

If after installing the patch, you are receiving this kind of message in /var/log/syslog : "routing socket reports: No buffer space available" The next step, would be to increase the "net.core.rmem_max" and "net.core.wmem_max"values equally until the "routing socket reports: No buffer space available" message no longer showed up.

[1] 1:4.2.6.p3+dfsg-1ubuntu3.4+20150820lp1481388~2
https://launchpad.net/~eric-desrochers-z/+archive/ubuntu/lp1481388

Eric Desrochers (slashd) on 2015-08-26
Changed in ntp (Ubuntu Precise):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Changed in ntp (Ubuntu Vivid):
assignee: nobody → Eric Desrochers (eric-desrochers-z)
Changed in ntp (Ubuntu Precise):
status: New → Confirmed
Eric Desrochers (slashd) on 2015-08-26
Changed in ntp (Ubuntu Precise):
importance: Undecided → Medium
Changed in ntp (Ubuntu Vivid):
status: New → Confirmed
Eric Desrochers (slashd) on 2015-08-26
description: updated
tags: added: verification-done
Changed in ntp (Ubuntu Precise):
status: Confirmed → In Progress

The attachment "debdiff for precise" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Eric Desrochers (slashd) wrote :

I also noticed the situation can be reproduced at boot if the value of "net.core.rmem_default" is too low.

I reproduced it by only lowering the "net.core.rmem_default = 2000" value with 6 network interface at boot.

ntpd[851]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
ntpd[851]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
ntpd[851]: Listen and drop on 1 v6wildcard :: UDP 123
ntpd[851]: Listen normally on 2 eth1 192.168.1.10 UDP 123
ntpd[851]: Listen normally on 3 eth2 192.168.2.10 UDP 123
ntpd[851]: Listen normally on 4 eth3 192.168.3.10 UDP 123
ntpd[851]: Listen normally on 5 eth4 192.168.4.10 UDP 123
ntpd[851]: Listen normally on 6 eth5 192.168.5.10 UDP 123
ntpd[851]: Listen normally on 7 eth6 192.168.6.10 UDP 123
ntpd[851]: peers refreshed
ntpd[851]: Listening on routing socket on fd #24 for interface updates
ntpd[851]: Deferring DNS for 0.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for 1.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for 2.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for 3.ubuntu.pool.ntp.org 1
ntpd[851]: Deferring DNS for ntp.ubuntu.com 1
ntpd[864]: signal_no_reset: signal 17 had flags 4000000
===> ntpd[851]: i/o error on routing socket No buffer space available - disabling <===

Eric Desrochers (slashd) wrote :

debdiff for trusty

Changed in ntp (Ubuntu Trusty):
status: Confirmed → In Progress
importance: Undecided → Medium
Eric Desrochers (slashd) on 2015-09-01
Changed in ntp (Ubuntu Vivid):
status: Confirmed → In Progress
importance: Undecided → Medium
Eric Desrochers (slashd) wrote :

debdiff for vivid

Eric Desrochers (slashd) wrote :

debdiff for wily

Changed in ntp (Ubuntu Wily):
status: Confirmed → In Progress
Eric Desrochers (slashd) on 2015-09-02
Changed in ntp (Ubuntu Wily):
importance: Low → Medium
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, thanks!

I've slightly modified the whitespace in the changelog and have added the bug number, and have uploaded it to wily, and to the other releases for processing by the SRU team.

tags: removed: verification-done
Changed in ntp (Ubuntu Wily):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu7

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu7) wily; urgency=medium

  * Fix use-after-free in routing socket code (LP: #1481388)
    - debian/patches/use-after-free-in-routing-socket.patch
      fix logic in ntpd/ntp_io.c
  * Fix to ignore ENOBUFS on routing netlink socket
    - debian/patches/ignore-ENOBUFS-on-routing-netlink-socket.patch
      fix logic in ntpd/ntp_io.c

 -- Eric Desrochers <email address hidden> Wed, 02 Sep 2015 09:57:16 -0400

Changed in ntp (Ubuntu Wily):
status: Fix Committed → Fix Released
Changed in ntp:
importance: Unknown → High
status: Unknown → Fix Released

Hello Eric, or anyone else affected,

Accepted ntp into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ntp (Ubuntu Precise):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Eric, or anyone else affected,

Accepted ntp into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p3+dfsg-1ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Vivid):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Eric, or anyone else affected,

Accepted ntp into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu6.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Debian):
status: Unknown → Fix Released
Simon Déziel (sdeziel) wrote :

I tried to reproduce the problem by lowering {r,w}mem_max on Precise and Trusty's *unpatched* version to no avail. On the up side, I couldn't find any regression with the update version.

Simon Déziel (sdeziel) wrote :

Err, I meant I couldn't reproduce the issue with and without the patch.

Eric Desrochers (slashd) wrote :

Simon, you may want to add a few ethernet interfaces and static routes.

I was able to reproduce it with ~6 network interface.

Simon Déziel (sdeziel) wrote :

Eric, I don't know if that's a good test case but on my patched Trusty box:

  root@xeon:~# uname -a
  Linux xeon 3.13.0-63-generic #103-Ubuntu SMP Fri Aug 14 21:42:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  root@xeon:~# sysctl net.core.wmem_max=4650
  net.core.wmem_max = 4700
  root@xeon:~# sysctl net.core.rmem_max=2400
  net.core.rmem_max = 2400
  root@xeon:~# (ip -4 ro ; ip -6 ro) | wc -l
  43
  root@xeon:~# (ip -4 a; ip -6 a) | grep -c inet
  34
  root@xeon:~# ip link | grep -c link
  23
  root@xeon:~# dpkg -l | awk '{if ($2 == "ntp") print $3}'
  1:4.2.6.p5+dfsg-3ubuntu2.14.04.4
  root@xeon:~# /etc/init.d/ntp restart
  root@xeon:~# netstat -puant | grep -c ntpd
  36

Then syslog shows nothing abnormal. It says "Listen normally on {2..35}". FYI, many of those interfaces a vnetX interfaces belonging to VMs so I don't know if they really count. Trying to lower {r,w}mem_max even more result in "Invalid argument". Please let me know if I'm doing something wrong.

Simon Déziel (sdeziel) wrote :

Eric, I've been running the proposed version on many systems and haven't found any regression. Do you think this would be ready to move on to -updates now?

Eric Desrochers (slashd) on 2015-10-27
tags: added: verification-done
removed: verification-needed
Chris Halse Rogers (raof) wrote :

Has anyone who was able to reproduce the original crash tested the packages from trusty-proposed (or precise or vivid) to check that the crash is actually fixed?

It's good that it doesn't seem to regress anything, but we also want to know whether it *fixes* anything :)

Eric Desrochers (slashd) wrote :

Good evening Chris,

This bug has been brought to my attention by someone in the community. Unfortunately, I never had a confirmation from him if the fix solve his issue or not... but as state in comment #5 & #11, I've been able to reproduce the problem and make sure it addressed the situation.

The reproducer is basically to lower down the value of "net.core.[m-r]mem_default" and adding multiples network interface + static route.

FYI, the same fix has been also applied in Debian

ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795315

Let me know if you need anything else.

Thanks !

Mathew Hodson (mathew-hodson) wrote :

This SRU has been shadowed by a security update and needs to be re-merged.

Changed in ntp (Ubuntu Precise):
status: Fix Committed → In Progress
Changed in ntp (Ubuntu Trusty):
status: Fix Committed → In Progress
Changed in ntp (Ubuntu Vivid):
status: Fix Committed → In Progress
Eric Desrochers (slashd) wrote :

Good evening Mathew,

Does it mean I need to re-do the debdiffs ?

Mathew Hodson (mathew-hodson) wrote :

I think it is probably necessary to rebase the debdiffs on the new versions in case there are any confilcts. There were a lot of changes as you can see here http://www.ubuntu.com/usn/usn-2783-1/ .

I don't have direct knowledge of the code though.

Eric Desrochers (slashd) wrote :

Hi Mathew,

I have the knowledge of the code, I will rebase the debdiffs for V/T/P

Note: I checked and Xenial has the patch already.

Eric Desrochers (slashd) wrote :

Here is the rebase debdiff for Trusty

Eric Desrochers (slashd) wrote :

Here is the rebase debdiff for Precise

Eric Desrochers (slashd) wrote :

Here is the rebase debdiff for Vivid

Eric Desrochers (slashd) on 2015-11-05
tags: added: sts
Sebastien Bacher (seb128) wrote :

sponsored to precise/trusty/vivid (though i'm unsure vivid is useful since it's not the current stable)

Chris J Arges (arges) wrote :

Hello Eric, or anyone else affected,

Accepted ntp into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Changed in ntp (Ubuntu Precise):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Eric, or anyone else affected,

Accepted ntp into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p3+dfsg-1ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Chris J Arges (arges) wrote :

Hello Eric, or anyone else affected,

Accepted ntp into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu6.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ntp (Ubuntu Vivid):
status: In Progress → Fix Committed
Simon Déziel (sdeziel) wrote :

I've been using the -proposed package on 15 Trusty machines since it was published. Again, I never was able to reproduce the original problem but I saw no regression either.

Eric Desrochers (slashd) on 2015-11-16
tags: added: verification-done
removed: verification-needed
tags: added: verification-done-trusty verification-needed
removed: verification-done
Eric Desrochers (slashd) on 2015-12-10
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu6.3

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu6.3) vivid; urgency=medium

  * Fix use-after-free in routing socket code (closes: #795315)
    - debian/patches/use-after-free-in-routing-socket.patch:
      fix logic in ntpd/ntp_io.c (LP: #1481388)

 -- Eric Desrochers <email address hidden> Thu, 29 Oct 2015 09:18:12 -0400

Changed in ntp (Ubuntu Vivid):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ntp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p3+dfsg-1ubuntu3.7

---------------
ntp (1:4.2.6.p3+dfsg-1ubuntu3.7) precise; urgency=medium

  * Fix use-after-free in routing socket code (closes: #795315)
    - debian/patches/use-after-free-in-routing-socket.patch:
      fix logic in ntpd/ntp_io.c (LP: #1481388)

 -- Eric Desrochers <email address hidden> Thu, 29 Oct 2015 09:47:20 -0400

Changed in ntp (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.6.p5+dfsg-3ubuntu2.14.04.6

---------------
ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.6) trusty; urgency=medium

  * Fix use-after-free in routing socket code (closes: #795315)
    - debian/patches/use-after-free-in-routing-socket.patch:
      fix logic in ntpd/ntp_io.c (LP: #1481388)

 -- Eric Desrochers <email address hidden> Thu, 29 Oct 2015 09:34:22 -0400

Changed in ntp (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.