ntpsec security fixes for bionic & cosmic

I've attached debdiffs for Bionic and Cosmic. This involved adding the three patches from upstream and running `quilt refresh` on each to get rid of the offset/fuzz.

I successfully built this in a PPA: https://launchpad.net/~rlaager/+archive/ubuntu/ntpsec/+packages

I installed the Bionic version from that PPA and it works.

Since this is a security bug and you've provided targeted fixes, I'm subscribing ubuntu-security-sponsors instead of ubuntu-sponsors. You might want to update the series in your patches from bionic-security to cosmic-security.

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors

Because the Ubuntu package did not have any changes compared to Debian and because we are in Debian Import Freeze, the version from unstable automatically synced so I removed that request from the bug description so it's easier to read here.

Thanks for the correction. Targeting -security makes obvious sense in hindsight, but I'm new to this. I've attached new debdiffs (bionic-security.debdiff and cosmic-security.debdiff) targeting the correct series.

ACK on the debdiffs in #5 and #6. I will build them as security updates and will release them tomorrow. Thanks!

This bug was fixed in the package ntpsec - 1.1.0+dfsg1-1ubuntu0.2

---------------
ntpsec (1.1.0+dfsg1-1ubuntu0.2) bionic-security; urgency=medium

  * Backport three commits from 1.1.3 to fix (LP: #1812458)
    - CVE-2019-6442: "An authenticated attacker can write one byte out of
      bounds in ntpd via a malformed config request, related to
      config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
      yyerror in ntp_parser.y."
    - CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
      buffer over-read in read_sysvars in ntp_control.c in ntpd.
    - CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
      buffer over-read because attacker-controlled data is dereferenced by
      ntohl() in ntpd."
    - CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
      dereference and ntpd crash in ntp_control.c, related to ctl_getitem."

 -- Richard Laager <email address hidden> Fri, 18 Jan 2019 20:07:06 -0600

This bug was fixed in the package ntpsec - 1.1.1+dfsg1-2ubuntu0.1

---------------
ntpsec (1.1.1+dfsg1-2ubuntu0.1) cosmic-security; urgency=medium

  * Backport three commits from 1.1.3 to fix (LP: #1812458)
    - CVE-2019-6442: "An authenticated attacker can write one byte out of
      bounds in ntpd via a malformed config request, related to
      config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
      yyerror in ntp_parser.y."
    - CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
      buffer over-read in read_sysvars in ntp_control.c in ntpd.
    - CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
      buffer over-read because attacker-controlled data is dereferenced by
      ntohl() in ntpd."
    - CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
      dereference and ntpd crash in ntp_control.c, related to ctl_getitem."

 -- Richard Laager <email address hidden> Fri, 18 Jan 2019 19:59:19 -0600