CVE-2009-1252

Publication date 19 May 2009

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.

Read the notes from the security team

Status

Package Ubuntu Release Status
ntp 9.04 jaunty
Fixed 1:4.2.4p4+dfsg-7ubuntu5.1
8.10 intrepid
Fixed 1:4.2.4p4+dfsg-6ubuntu2.3
8.04 LTS hardy
Fixed 1:4.2.4p4+dfsg-3ubuntu2.2
6.06 LTS dapper
Fixed 1:4.2.0a+stable-8.1ubuntu6.2

Notes

jdstrand

from CERT: If autokey is enabled (the ntp.conf file contains the line "crypto pw whatever" a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow for malicious code to be executed with the privilege level of the ntpd process.

References

Related Ubuntu Security Notices (USN)

Other references