CVE-2019-8936

Bug #1891953 reported by Brian Morton
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ntp (Debian)
Fix Released
Unknown
ntp (Ubuntu)
Medium
Brian Morton
Bionic
Medium
Brian Morton
Focal
Medium
Brian Morton
Groovy
Medium
Brian Morton

Bug Description

It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer
dereference into NTP. An attacker could use this vulnerability to cause a
denial of service (crash).

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8936.html

CVE References

Revision history for this message
Brian Morton (rokclimb15) wrote :

Requires security backport for Bionic only.

Changed in ntp (Ubuntu):
assignee: nobody → Brian Morton (rokclimb15)
status: New → In Progress
information type: Public → Public Security
Revision history for this message
Brian Morton (rokclimb15) wrote :
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for the debdiff - I am happy to sponsor this for you - one quick thing, there is no need to reference the debian bug report in the changelog so I have cleaned it up to look like the following:

ntp (1:4.2.8p10+dfsg-5ubuntu7.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936

 -- Brian Morton <email address hidden> Mon, 17 Aug 2020 21:58:51 -0400

I also notice this CVE is also unresolved in focal and groovy - would you be interested in preparing debdiff's against ntp in those releases as well?

Revision history for this message
Brian Morton (rokclimb15) wrote :

Hi Alex, thanks very much for fixing that loose end in the changelog and for sponsoring this fix. I can produce them for the other releases as well.

Mathew Hodson (mhodson)
Changed in ntp (Ubuntu):
importance: Undecided → Medium
Changed in ntp (Debian):
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu7.3

---------------
ntp (1:4.2.8p10+dfsg-5ubuntu7.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936

 -- Brian Morton <email address hidden> Mon, 17 Aug 2020 21:58:51 -0400

Changed in ntp (Ubuntu):
status: In Progress → Fix Released
Changed in ntp (Ubuntu Bionic):
importance: Undecided → Medium
Changed in ntp (Ubuntu Focal):
importance: Undecided → Medium
assignee: nobody → Brian Morton (rokclimb15)
Changed in ntp (Ubuntu Bionic):
assignee: nobody → Brian Morton (rokclimb15)
status: New → Confirmed
Changed in ntp (Ubuntu Focal):
status: New → Confirmed
Changed in ntp (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in ntp (Ubuntu Groovy):
status: Fix Released → Confirmed
Revision history for this message
Alex Murray (alexmurray) wrote :

@rokclimb15 - are you still looking at producing debdiff's for focal + groovy as well?

Revision history for this message
Brian Morton (rokclimb15) wrote :

@alexmurray - Yes, I'll work on it this week.

Revision history for this message
Alex Murray (alexmurray) wrote :

Excellent - thank you :)

Revision history for this message
Brian Morton (rokclimb15) wrote :

Patch for Focal

Revision history for this message
Brian Morton (rokclimb15) wrote :

@alexmurray - The debdiff for Groovy is identical to the one from Focal (same source package version). Let me know if you need a distinct debdiff with the release pocket (groovy-security) identified.

Revision history for this message
Avital Ostromich (avital) wrote :

Apologies for the delay on this, it fell off our radar but we're working on the Focal+ updates now. And no need for the separate Groovy debdiff, thanks Brian!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p12+dfsg-3ubuntu4.20.10.1

---------------
ntp (1:4.2.8p12+dfsg-3ubuntu4.20.10.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936
  * Fix FTBFS with GCC-10
    - debian/rules: add -fcommon flag to CFLAGS

 -- Brian Morton <email address hidden> Fri, 27 Nov 2020 16:10:51 -0500

Changed in ntp (Ubuntu Groovy):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ntp - 1:4.2.8p12+dfsg-3ubuntu4.20.04.1

---------------
ntp (1:4.2.8p12+dfsg-3ubuntu4.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953)
    - debian/patches/CVE-2019-8936.patch: Guard against operations
      on NULL pointer in ntpd/ntp_control.c.
    - CVE-2019-8936

 -- Brian Morton <email address hidden> Fri, 27 Nov 2020 16:10:51 -0500

Changed in ntp (Ubuntu Focal):
status: Confirmed → Fix Released
Changed in ntp (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.