CVE-2018-12327 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Arbitrary code execution
Description	Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-723	ntp	4.2.8.p11-2	4.2.8.p12-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
01 Oct 2018	ASA-201810-2	AVG-723	ntp	Medium	arbitrary code execution

References
https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5b3ba863G-42Ac2TFzCy-PZ8vqNfVA

Notes
NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. Reproducer: /usr/bin/ntpdc -4 \[`python2 -c 'print "A" * 300'`\] Note that ntpdc aborts due to stack smashing being detected.

Notes

NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.

Reproducer:
/usr/bin/ntpdc -4 \[`python2 -c 'print "A" * 300'`\]

Note that ntpdc aborts due to stack smashing being detected.