Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 22 Apr 2015 14:55:16 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security\@lists.openwall.com" <oss-security@...ts.openwall.com>
CC: "CVE Assignments MITRE" <cve-assign@...re.org>
Subject: Re: CVE request: ntp-keygen may generate non-random symmetric keys on big-endian systems

Hi, this still has no CVE assigned. Thanks!

Martin Prpic writes:

> Hi, the recent NTP update (ntp-4.2.8p2) contains a fix for the following
> issue:
>
> * [Bug 2797] ntp-keygen trapped in endless loop for MD5 keys on big-endian machines.
> https://bugs.ntp.org/show_bug.cgi?id=2797
>
> Patch: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
>
> While the endless loop is not a security flaw per se, the fact that
> ntp-keygen generates non-random keys is. If the lowest byte of the temp
> variable happens to be between 0x20 and 0x7f and not #, the generated
> MD5 key will consist of 20 identical characters, meaning only 93
> possible keys can be generated.
>
> Can a CVE be please assigned for this issue?
>
> Thank you!

-- 
Martin Prpič / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.