NTP BUG 3808: ntpq will abort with an assertion failure if given a malformed RT-11 date

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p16	30 May 2023
References	Bug 3808
Affects	`ntpq` from ntp-4.2.6 up to, but not including ntp-4.2.8p16.	Resolved in 4.2.8p16.
CVSS3.1 Score:	Unsure - this vulnerability requires conditions that do not seem to exist.

Description

Ancient versions of NTP (pre-dating ntp3, which first came out in June of 1993) used an RT-11 date format for certain limited purposes. This date format hasn’t been used in 30 years' time. If ntpq were to receive an RT-11 date format with out-of-range values (which has never been reported), then ntpq would abort with an assertion failure.

Mitigation

Upgrade to 4.2.8p16, or later, from the NTP Project download site.

Credit

Reported by Miroslav Lichvar.

Timeline

2023 May 30: Public release
2023 May 10: Hotfix release to Advance Security Partners: Premier and Partner Institutional Members
2023 May 10: Notification to Institutional Members
2023 Apr 20: Notification from reporter