This version of ntp fixes several vulnerabilities.
CVE-2016-9311
CVE-2016-9310
CVE-2016-7427
CVE-2016-7428
CVE-2016-9312
CVE-2016-7431
CVE-2016-7434
CVE-2016-7429
CVE-2016-7426
CVE-2016-7433
http://www.kb.cert.org/vuls/id/633847
In addition, libssl_compat.h is now included in many files, which
references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h.
Even if a you pass --disable-ssl as a configuration option, these
files are now required.
As such, I have also added openssl as a dependency, and it is now
automatically selected when you select ntp.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ntpq and ntpdc may depends on libedit and libcap.
$ arm-linux-readelf -d ./usr/bin/ntpdc | grep NEEDED
0x00000001 (NEEDED) Shared library: [libcap.so.2]
0x00000001 (NEEDED) Shared library: [libm.so.6]
0x00000001 (NEEDED) Shared library: [libedit.so.0]
0x00000001 (NEEDED) Shared library: [libncursesw.so.6]
0x00000001 (NEEDED) Shared library: [libssl.so.1.0.0]
0x00000001 (NEEDED) Shared library: [libcrypto.so.1.0.0]
0x00000001 (NEEDED) Shared library: [libpthread.so.0]
0x00000001 (NEEDED) Shared library: [libc.so.6]
However, build order with these libraries is not defined.
In order to keep things simple, we enforce build order even if ntpq/ntpdc are
not selected.
Signed-off-by: Jérôme Pouiller <jezz@sysmic.org>
[Thomas: use --without-lineeditlibs.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
When running ntp it randomly aborts at ntp-4.2.8p8/libntp/recvbuff.c:326
which seems to be a debugging feature. This patch just disables
debugging, it does not fix the root cause of the problem.
Signed-off-by: Vicente Bergas <vicencb@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In order for gpsd to work with the new version of ntpd, an enable
option must be added to the configure step of ntp that allows for
support of SHM clocks to be attached through shared memory.
Signed-off-by: Yugendra Sai Babu Nadupuru <yugendra.sai.babu.nadupuru@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-5300 - MITM attacker can force ntpd to make a step larger than
the panic threshold.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Allow the `ntptime` utility to be included on a target.
[Peter: add comment why AUTORECONF is needed]
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
'echo -n' is not a POSIX construct (no flag support), we shoud use
'printf', especially in init script.
This patch was generated by the following command line:
git grep -l 'echo -n' -- `git ls-files | grep -v 'patch'` | xargs sed -i 's/echo -n/printf/'
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To protect agains 1 falsticker NTP server, the client needs to connect
to at least 4 servers.
Source:
http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers
5.3.3. Upstream Time Server Quantity
Signed-off-by: Gergely Imreh <imrehg@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
refclock_pcf.c contains code using the tm_gmtoff member of struct tm, which
is only available on uClibc if it is built with __UCLIBC_HAS_TM_EXTENSIONS__.
This change date back to:
commit 7129da009c
Author: Eric Andersen <andersen@codepoet.org>
Date: Sat Jan 18 21:27:22 2003 +0000
Merge a bunch of stuff over from the tuxscreen buildroot, with
many updates to make things be more consistant.
-Erik
But nowadays our uClibc configs DO enable __UCLIBC_HAS_TM_EXTENSIONS__, so
it is no longer needed and can be dropped.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop sed line which no longer changes anything as upstream has changed to
use strrchr. Worse, it bumps each ntpd/*.c file's modification time, which
sometimes triggers a strange dependency path causing the makefile to attempt
to run the ntpd keyword-gen app, which fails, because it's been
cross-compiled.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Make sure that ntp installs after busybox so that it overrides the busybox
provided ntpd applet.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that IPv6 is mandatory remove package dependencies and conditionals
for it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit doesn't touch infra packages.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2014-9297 - vallen is not validated in several places in ntp_crypto.c,
leading to a potential information leak or possibly a crash
CVE-2014-9298 - ::1 can be spoofed on some OSes (including "some versions" of
Linux), so ACLs based on IPv6 ::1 addresses can be bypassed
Drop a patch applied upstream, along with its accompanied AUTORECONF.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a space between the hash and filename so the hash can be used.
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use proper status messages, make spacing standard instead of a mix of
spacing/tabbing, drop boringly obvious comment from the header.
Also make reload = restart since ntpd doesn't handle reloading resulting
in the old reload being 'stop'.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Drop redundant IP version and double default restrict.
Tweak KoD and other defaults for properness.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2014-9293 - ntpd generated a weak key for its internal use, with
full administrative privileges. Attackers could use this key to
reconfigure ntpd (or to exploit other vulnerabilities).
CVE-2014-9294 - The ntp-keygen utility generated weak MD5 keys with
insufficient entropy.
CVE-2014-9295 - ntpd had several buffer overflows (both on the stack and
in the data section), allowing remote authenticated attackers to crash
ntpd or potentially execute arbitrary code.
CVE-2014-9296 - The general packet processing function in ntpd did not
handle an error case correctly.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Added an option for the ntpd application to support pps inputs.
Signed-off-by: Bryan Brinsko <bryan.brinsko@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The variable "$SCRIPTNAME" is undefined; replace with "$0".
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
BR2_PACKAGE_NTP_SNMPD was pushing netsnmp into dependencies but was
never selected, and since netsnmp requires fork it wasn't filtered out
for nommu. Fixes:
http://autobuild.buildroot.net/results/776/7769afe0da09e3f4f96d9a0f4c0febb0c72cc34f/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
With the recent change to the init script the default /etc/default/ntpd file
doesn't do anything, so don't install it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add ntp.conf file to make ntpd syncing.
Starting ntpd daemon with -g to sync time also with big offsets.
Removes the use of deprecated ntpdate command for initial time sync.
[Peter: drop unused NTPDATE_BIN variable]
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Reviewed-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thanks to the pkgparentdir and pkgname functions, we can rewrite the
AUTOTARGETS macro in a way that avoids the need for each package to
repeat its name and the directory in which it is present.
[Peter: pkgdir->pkgparentdir]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>