svn commit: r187194 - head/contrib/ntp/ntpd releng/6.3
releng/6.3/contrib/bind9/lib/dns releng/6.3/contrib/ntp/ntpd
releng/6.3/sys/conf releng/6.4
releng/6.4/contrib/bind9/lib/dns releng/6.4/contri...
Simon L. Nielsen
simon at FreeBSD.org
Tue Jan 13 13:19:29 PST 2009
Author: simon
Date: Tue Jan 13 21:19:27 2009
New Revision: 187194
URL: http://svn.freebsd.org/changeset/base/187194
Log:
Correct ntpd(8) cryptographic signature bypass [SA-09:04].
Correct BIND DNSSEC incorrect checks for malformed signatures
[SA-09:04].
Security: FreeBSD-SA-09:03.ntpd
Security: FreeBSD-SA-09:04.bind
Obtained from: ISC [SA-09:04]
Approved by: so (simon)
Modified:
stable/7/contrib/ntp/ntpd/ntp_crypto.c
Changes in other areas also in this revision:
Modified:
head/contrib/ntp/ntpd/ntp_crypto.c
releng/6.3/UPDATING
releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c
releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c
releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
releng/6.3/sys/conf/newvers.sh
releng/6.4/UPDATING
releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c
releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c
releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
releng/6.4/sys/conf/newvers.sh
releng/7.0/UPDATING
releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c
releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c
releng/7.0/contrib/ntp/ntpd/ntp_crypto.c
releng/7.0/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c
releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c
releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
releng/7.1/sys/conf/newvers.sh
stable/6/contrib/ntp/ntpd/ntp_crypto.c
Modified: stable/7/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- stable/7/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:02 2009 (r187193)
+++ stable/7/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:27 2009 (r187194)
@@ -1612,7 +1612,7 @@ crypto_verify(
*/
EVP_VerifyInit(&ctx, peer->digest);
EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
- if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey))
+ if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
return (XEVNT_SIG);
if (peer->crypto & CRYPTO_FLAG_VRFY) {
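Review bot: On the changed EVP_VerifyFinal line, a short comment should say why the test is `<= 0` rather than `!`. The call returns 1 for a valid signature, 0 for an invalid one and a negative value on an internal error, and the old `!` test let the negative case fall through as verified. Without that comment the comparison is easy to "simplify" back in a later cleanup. The EVP_VerifyInit and EVP_VerifyUpdate calls in the context lines just above still have their results ignored. Checking them as well, and returning XEVNT_SIG on failure, would make the whole verification sequence fail closed.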