NTP BUG 2937: nextvar() missing length check in ntpq
Last update: June 28, 2022 20:06 UTC (57417e17c)
ntpq may call
nextvar() which executes a
memcpy() into the name buffer without a proper length check against its maximum length of 256 bytes. Note well that we’re taking about
ntpq here. The usual worst-case effect of this vulnerability is that the specific instance of
ntpq will crash and the person or process that did this will have stopped themselves.
- Upgrade to 4.2.8p6 or later.](/downloads/)
- If you are unable to upgrade:
- If you have scripts that feed input to
ntpq make sure there are some sanity checks on the input received from the “outside”.
- This is potentially more dangerous if
ntpq is run as root.
This weakness was discovered by Jonathan Gardner of Cisco ASIG.