File ntp-CVE-2014-9298.patch of Package ntp.500

--- ntpd/ntp_io.c
+++ ntpd/ntp_io.c
@@ -3472,6 +3472,30 @@ read_network_packet(
 	DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
 		    fd, buflen, stoa(&rb->recv_srcadr)));
 
+
+	/*
+	 ** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
+	 */
+
+	if (AF_INET6 == itf->family) {
+		DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
+		        stoa(&rb->recv_srcadr),
+		        IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)),
+		        stoa(&itf->sin),
+		        !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
+		        ));
+
+		if (   IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
+		    && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
+		   ) {
+			packets_dropped++;
+			DPRINTF(2, ("DROPPING that packet\n"));
+			freerecvbuf(rb);
+			return buflen;
+		}
+		DPRINTF(2, ("processing that packet\n"));
+	}
+
 	/*
 	 * Got one.  Mark how and when it got here,
 	 * put it on the full list and do bookkeeping.
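Review bot: The drop branch at `packets_dropped++` reports the spoofed packet only through `DPRINTF`, which is presumably a debug-build facility, so in a production build a forged ::1 source would show up only as an unattributed increment of the generic drop counter. Since this is the check the patch adds for CVE-2014-9298, a dedicated counter or a rate-limited log line naming `stoa(&itf->sin)` would let operators detect spoofing attempts; any such log must be rate-limited because the sender controls how often this branch runs. The first `DPRINTF` also prints the destination flag negated (`!IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))`) while the source flag is printed as-is, so the two `(%d)` fields mean opposite things; printing both un-negated would be clearer. The header comment would be easier to maintain if it stated the rule, for example `/* Bug 2672: a ::1 source arriving on a non-loopback interface is spoofed; drop it, since some OSes (MacOSX and Linux) do not filter it. */`. read_network_packet's body starts and ends outside the hunk.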