NTP BUG 3376: Makefile does not enforce Security Flags

Last update: June 27, 2022 20:45 UTC (51d68a4aa)


Summary

Resolved 4.2.8p10 21 Mar 2017
References Bug 3376
Affects All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. Resolved in 4.2.8p10.
CVSS2 Score N/A
CVSS3 Score N/A

Description

The build process for NTP has not, by default, provided compile or link flags to offer “hardened” security options. Package maintainers have always been able to provide hardening security flags for their builds. As of ntp-4.2.8p10, the NTP build system has a way to provide OS-specific hardening flags. Please note that this is still not a really great solution because it is specific to NTP builds. It’s inefficient to have every package supply, track and maintain this information for every target build. It would be much better if there was a common way for OSes to provide this information in a way that arbitrary packages could benefit from it.


Mitigation


Credit

This weakness was discovered by Cure53.


Timeline