From 050f6a442d3c820eb42080f96e3725ec1a220b40 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Jan 02 2024 13:24:25 +0000
Subject: drop patch for detecting weak keys generated by 1.2.0

Many Fedora releases passed since the vulnerable ntp-keygen.
---
diff --git a/ntpsec-weakkeys.patch b/ntpsec-weakkeys.patch
deleted file mode 100644
index 7d63b2f..0000000
--- a/ntpsec-weakkeys.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -up ntpsec-1.2.1/libntp/authreadkeys.c.weakkeys ntpsec-1.2.1/libntp/authreadkeys.c
---- ntpsec-1.2.1/libntp/authreadkeys.c.weakkeys 2021-06-07 06:03:11.000000000 +0200
-+++ ntpsec-1.2.1/libntp/authreadkeys.c 2021-06-17 12:19:41.555693047 +0200
-@@ -249,6 +249,7 @@ authreadkeys(
- char namebuf[NAMEBUFSIZE];
- size_t len;
- int keys = 0;
-+ char * hashchr = NULL;
-
- /*
- * Open file. Complain and return if it can't be opened.
-@@ -348,7 +349,7 @@ msyslog(LOG_ERR, "AUTH: authreadkeys: re
- continue;
- }
-
--
-+ hashchr = strchr(line, '#');
-
- /*
- * Finally, get key and insert it.
-@@ -364,6 +365,15 @@ msyslog(LOG_ERR, "AUTH: authreadkeys: re
- }
- len = strlen(token);
- if (len <= 20) { /* Bug 2537 */
-+ /* Detect weak keys generated by ntpkeygen
-+ (CVE-2021-22212). False positives are possible. */
-+ if (token + len == hashchr) {
-+ msyslog(LOG_ERR,
-+ "AUTH: authreadkeys: key %u is followed by '#' (CVE-2021-22212)",
-+ keyno);
-+ exit(1);
-+ }
-+
- len = check_key_length(keyno, type, name, upcased, len);
- check_mac_length(keyno, type, name, upcased);
- auth_setkey(keyno, type, name, (uint8_t *)token, len);
diff --git a/ntpsec.spec b/ntpsec.spec
index c074e2a..300a24f 100644
--- a/ntpsec.spec
+++ b/ntpsec.spec
@@ -10,9 +10,6 @@ Source1: https://ftp.ntpsec.org/pub/releases/ntpsec-%{version}.tar.gz.asc
 Source2: https://ftp.ntpsec.org/pub/releases/ntpsec.gpg.pub.asc
 Source3: ntp.conf
-# Detect weak keys generated by ntpkeygen (CVE-2021-22212)
-Patch1: ntpsec-weakkeys.patch
-
 BuildRequires: bison
 BuildRequires: gcc
 BuildRequires: gnupg2