Backport a patch from OpenLDAP to fix the configure errors with clang-22 -std=gnu23
Fix another issue by dropping C89 signatures in favor of C99 function prototypes
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Set UPSTREAM_CHECK_REGEX to skip RC/beta version.
Before the fix:
$ devtool latest-version ntp
INFO: Current version: 4.2.8p18
INFO: Latest version: 4.2.8p18-RC1
After the fix:
$ devtool latest-version ntp
INFO: Current version: 4.2.8p18
INFO: Latest version: 4.2.8p18
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Recent changes to the autotools class in core mean that it no longer
sets CONFIG_SITE for compile tasks. However, ntp decides to reconfigure
itself mid-build, so the CONFIG_SITE values are lost.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The "status" function called by this script calls "pidof" to get the process id. "pidof" does not expect or operate with a full path.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Some perl modules are required by ntptrace:
$ ntptrace
Can't locate lib.pm in @INC (you may need to install the lib module)
(@INC contains: /usr/lib/perl5/site_perl/5.36.0/x86_64-linux
/usr/lib/perl5/site_perl/5.36.0
/usr/lib/perl5/vendor_perl/5.36.0/x86_64-linux
/usr/lib/perl5/vendor_perl/5.36.0 /usr/lib/perl5/5.36.0/x86_64-linux
/usr/lib/perl5/5.36.0) at /usr/sbin/ntptrace line 10.
BEGIN failed--compilation aborted at /usr/sbin/ntptrace line 10.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Type=forking means systemd waits until the main process, /usr/sbin/ntpd
in this case, has exited. However, the ntpd daemon does not seem to call
fork() or vfork() and runs endlessly until killed. Eventually, this
causes systemd to trigger a timeout, and the ntpd service is killed. All
the while, "systemctl status ntpd" shows "activating (start)" instead of
"active (running)". This is fixed by switching Type=forking to
Type=simple.
Reading ntpd(8) shows that the "-n" option requests ntpd not to fork, so
also use that to be safe.
Finally, there is no need anymore to keep a pidfile around.
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
0001-test-Fix-build-with-new-compiler-defaults-to-fno-com.patch
refreshed for new version.
Changelog
=========
- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The combination of ntpd and sntp now implements the functions of
ntpdate, which has been deprecated.
Now we don't need ntpdate anymore, and we can use the following
command 'ntpd -q -g -x' instead.
So drop the related section of ntpdate now.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This runtime dependency was already added for ntpd but not yet for the
sntp binary. This will result in an error when pthread_exit() is called:
"libgcc_s.so.1 must be installed for pthread_cancel to work"
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
cve-check is not able to correctly identify many of the patched
CVEs because of the non standard version number. All the ignored
CVEs were manually checked with the NVD database and deemed not
applicable to the current version.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
When using systemd, ntpdate-sync script will start in background
triggering the start of ntpd without actually exiting.
This results in a bind error in ntpd startup.
Add wait at the end of ntpdate script to ensure that when the ntpdate.service
is marked as finished the oneshot script ntpdate-sync has finished and unbound the
ntp port.
Fixes #386
Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License has been changed due to date time, no new stuff added.
delete source patch reproducibility-respect-source-date-epoch.patch
for new version source tree contains it.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current NTP server responds to mode 6 queries from any clients.
Devices that respond to these queries have the potential to be used in
NTP amplification attacks. An unauthenticated, remote attacker could
potentially exploit this, via a specially crafted mode 6 query, to cause
a reflected denial of service condition.
See: https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/
Update ntp.conf to restrict NTP mode 6 queries.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
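A check for the mode 6 restriction described in the commit message above, added here as an example; it is not the recipe's ntp.conf or a script from the layer. The function name check_mode6 and both sample configurations are constructed for illustration, and the check looks only at the "restrict default" entries.

```shell
# Added example, not the recipe's ntp.conf or any project script.
# check_mode6 reads an ntp.conf (file argument or stdin) and prints
# "restricted" only if every "restrict default" line has noquery or ignore.
# ntpd applies no restrictions without a default line, so that is "exposed".
check_mode6() {
    awk '
        /^[ \t]*#/ { next }                   # skip comment lines
        $1 == "restrict" {
            i = 2
            if ($i == "-4" || $i == "-6") i++ # optional address-family flag
            if ($i != "default") next
            seen = 1
            ok = 0
            for (j = i + 1; j <= NF; j++) {
                if ($j ~ /^#/) break          # trailing comment
                if ($j == "noquery" || $j == "ignore") ok = 1
            }
            if (!ok) bad = 1
        }
        END {
            result = (seen && !bad) ? "restricted" : "exposed"
            print result
        }
    ' "$@"
}

# Constructed sample: default entry that still answers ntpq/ntpdc queries.
weak_conf() {
    cat <<'EOF'
server 127.127.1.0
restrict default nomodify notrap
EOF
}

# Constructed sample: queries denied by default, allowed from localhost only.
hardened_conf() {
    cat <<'EOF'
server 127.127.1.0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
}

weak_conf | check_mode6       # exposed
hardened_conf | check_mode6   # restricted
```

A more specific restrict line without noquery re-opens queries for that address range, so review those entries separately.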
ntpdc is a special NTP query program. It shouldn't be part of ntp-utils,
which depends on perl.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* when usrmerge is enabled, ${libdir} is /usr/lib, and
${systemd_unitdir} is /usr/lib/systemd, since PACKAGE
ntpdate is after ntp in variable PACKAGES, so file
${systemd_unitdir}/system/ntpdate.service will be populated
into PACKAGE ntp, but actually we have added it into FILES_ntpdate
when usrmerge is disabled, ${libdir} is empty, and usrmerge is
enabled, files under ${libdir} have been covered by other FILES
config, so fix by removing ${libdir}
* libexecdir is empty, so remove it from FILES_${PN}
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ntpq is the standard query program for ntp,
but ntp-utils depends on perl.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
At configure time, the ntp build goes looking on the build machine for a posix
shell, using `which` to find it. Under OE, it settles on hosttools/bash,
resulting in this build host path being written into several binaries.
This did not affect the Debian reproducibility project, presumably because it
consistently found bash at /bin/bash.
Don't go looking, just use a fixed path to /bin/sh instead.
Upstream-Status: Submitted http://bugs.ntp.org/show_bug.cgi?id=3551
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If a SOURCE_DATE_EPOCH is set in the environment, use that date in the build
version string, otherwise use the current build date.
See https://reproducible-builds.org/docs/source-date-epoch/
Should GNU date options fail, try BSD date options as a fall-back.
This patch can potentially be pushed upstream for use on Mac OSX or OpenBSD,
though it has not been tested on OSX or any BSD platform.
Upstream-Status: Submitted http://bugs.ntp.org/show_bug.cgi?id=3550
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
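The date selection described in the commit message above, written out as an added example; it is not the patch submitted to ntp. The function name build_date, the output format and the integer check on SOURCE_DATE_EPOCH are assumptions made for illustration.

```shell
# Added example, not ntp's own build script. Prints the timestamp to embed
# in a version string: SOURCE_DATE_EPOCH when set, else the current time.
build_date() {
    fmt='+%Y-%m-%d %H:%M:%S UTC'
    epoch="${SOURCE_DATE_EPOCH:-}"
    if [ -z "$epoch" ]; then
        date -u "$fmt"            # not a reproducible build: use "now"
        return
    fi
    # Reject anything that is not a plain non-negative integer before it
    # reaches the date command line.
    case "$epoch" in
        *[!0-9]*)
            echo "SOURCE_DATE_EPOCH is not an integer: $epoch" >&2
            return 1
            ;;
    esac
    # GNU date takes "-d @SECONDS"; BSD date takes "-r SECONDS".
    date -u -d "@$epoch" "$fmt" 2>/dev/null || date -u -r "$epoch" "$fmt"
}

# Constructed input: a fixed epoch gives the same string on every build.
( SOURCE_DATE_EPOCH=1700000000; build_date )   # 2023-11-14 22:13:20 UTC
```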
1. Upgrade ntp to 4.2.8p12
2. Disable sntp service by default.
Default NTPSERVER in config sntp is "ntpserver.example.org",
just an example, not a valid address. If the sntp service is enabled
by default, it will fail to start during boot. It should be
enabled after the user sets the correct config for sntp according
to the current config of ntpd.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
WARNING: ntp-4.2.8p10-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.html
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch ntp-4.2.4_p6-nano.patch
patching file include/ntp_syscall.h
Hunk #1 succeeded at 10 with fuzz 2 (offset -4 lines).
Now at patch ntp-4.2.4_p6-nano.patch
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
libgcc is required by ntpd for execution, so add it as runtime dependency.
ntpd execution ref. log.
~# /etc/init.d/ntpd start
Starting ntpd: libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted
done
~#
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Depending on the configuration used to build ntp it is possible to
have an empty libexecdir. This can cause QA issues. Add a test at the
end of install() to remove libexecdir if it is empty, thus avoiding
the possibility of QA issues, regardless of configuration.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
QA error fix:
ERROR: QA Issue: ntp: Files/directories were installed but not shipped in any package:
/usr/libexec
CVEs addressed:
Bug 2948 / CVE-2015-8158
Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass
Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference
Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
Bug 2937 / CVE-2015-7975: nextvar() missing length check
Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers
Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks
Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin
NTP-4.2.8p5
NtpBug2956: Small-step/Big-step CVE-2015-5300
Bug #2829 Clean up pipe_fds in ntpd.c
Bug #2887 stratum -1 config results as showing value 99.
Bug #2932 Update leapsecond file info in miscopt.html.
Bug #2934 tests/ntpd/t-ntp_scanner.c has a magic constant wired in.
Bug #2944 errno is not preserved properly in ntpdate after sendto call.
Bug #2952 peer associations were broken by the fix for NtpBug2901 CVE-2015-7704
Bug #2954 Version 4.2.8p4 crashes on startup on some OSes.
Bug #2957 'unsigned int' vs 'size_t' format clash.
Bug #2958 ntpq: fatal error messages need a final newline.
Bug #2962 truncation of size_t/ptrdiff_t on 64bit targets.
Bug #2965 Local clock didn't work since 4.2.8p4.
Bug #2967 ntpdate command suffers an assertion failure
Bug #2969 Seg fault from ntpq/mrulist when looking at server with lots of clients.
Bug #2971 ntpq bails on ^C: select fails: Interrupted system call
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>