Buffer overrun in mac_authencrypt (from libntp/macencrypt.c)
If you setup a slot in your keys file with a keytype that selects a digest with a hash longer than 20 bytes, the memmove at the end of mac_authencrypt will copy the whole digest into a buffer that only has room for 20 bytes.
See MAX_MAC_LEN. (It includes the 4 byte keyID slot.)
There is a similar problem in mac_authdecrypt, but that's reading off the end of the buffer rather than writing. I don't think we will run into troubles there. It's only a few bytes past the packet.
ntpq may have similar problems.