From e986c97b48f5062013cff175995bca7fb2b4f53d Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Jan 21 2016 15:03:00 +0000
Subject: don't allow spoofed packets to demobilize associations using symmetric key (CVE-2015-7979)
---
diff --git a/ntp-4.2.6p5-cve-2015-7979.patch b/ntp-4.2.6p5-cve-2015-7979.patch
new file mode 100644
index 0000000..ac9c006
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2015-7979.patch
@@ -0,0 +1,23 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7979 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7979 2016-01-21 14:20:45.760431895 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-01-21 14:46:13.027106826 +0100
+@@ -1127,7 +1127,8 @@ receive(
+ report_event(PEVNT_AUTH, peer, "crypto_NAK");
+ peer->flash |= TEST5; /* bad auth */
+ peer->badauth++;
+- if (peer->flags & FLAG_PREEMPT) {
++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST &&
++ !(peer->flash & (TEST2 | TEST3))) {
+ unpeer(peer);
+ return;
+ }
+@@ -1153,7 +1154,8 @@ receive(
+ if (has_mac &&
+ (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
+ fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
+- if (peer->flags & FLAG_PREEMPT) {
++ if (peer->flags & FLAG_PREEMPT && hismode != MODE_BROADCAST &&
++ !(peer->flash & (TEST2 | TEST3))) {
+ unpeer(peer);
+ return;
+ }
diff --git a/ntp.spec b/ntp.spec
index 15ca0b7..b177cc7 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -169,6 +169,8 @@ Patch59: ntp-4.2.6p5-cve-2015-7977_7978.patch
 Patch60: ntp-4.2.6p5-cve-2015-8158.patch
 # ntpbz #2936
 Patch61: ntp-4.2.6p5-cve-2015-7974.patch
+# ntpbz #2942
+Patch62: ntp-4.2.6p5-cve-2015-7979.patch
 
 # handle unknown clock types
 Patch100: ntpstat-0.2-clksrc.patch
@@ -329,6 +331,7 @@ This package contains NTP documentation in HTML format.
 %patch59 -p1 -b .cve-2015-7977_7978
 %patch60 -p1 -b .cve-2015-8158
 %patch61 -p1 -b .cve-2015-7974
+%patch62 -p1 -b .cve-2015-7979
 
 # ntpstat patches
 %patch100 -p1 -b .clksrc
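Review bot: The new three-part guard in front of `unpeer(peer)` appears verbatim in both inner hunks of ntp_proto.c (the crypto_NAK branch at -1127 and the bad-auth branch at -1153) with no comment saying why broadcast-mode packets and packets flagged TEST2/TEST3 must not demobilize the association, although that exclusion is the entire security fix. I would put a comment above each `if`, for example `/* a packet that failed the timestamp tests, or any broadcast packet, may be spoofed: never let it demobilize the association */`, and parenthesize the mask test as `if ((peer->flags & FLAG_PREEMPT) && hismode != MODE_BROADCAST &&` so the `&`/`&&` mix reads unambiguously. The check is only meaningful if `peer->flash` has already been cleared and re-evaluated for the current packet earlier in `receive()`; that code, like the start and end of the function, is outside both hunks, so the ordering should be confirmed against the 4.2.6p5 source. `report_event()`, `peer->badauth++` and, in the second hunk, `fast_xmit()` still run for packets the guard now declines to act on, so any limit on that per-packet work has to come from elsewhere.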