Slackware Information for VU#970472

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function

Status

Affected

Vendor Statement

No direct statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Slackware has issued the following advisory regarding this problem:

http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2001&m=slackware-security.384116

An excerpt:

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise.  Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3.  The -current tree has been upgraded to ntp4, which also fixes the
problem.  If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

If you have feedback, comments, or additional information about this vulnerability, please send us email.