From 2489d1deb424f4ba73f8e3250b407189d98edaf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20=C5=98=C3=ADdk=C3=BD?= <jridky@redhat.com>
Date: Tue, 9 Apr 2024 11:03:34 +0200
Subject: [PATCH] Resolves: RHEL-26649 - fix various CVEs

---
 net-snmp-5.9-CVE-2022-24805-24810.patch | 163 ++++++++++++++++++++++++
 net-snmp.spec                           |   8 +-
 2 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 net-snmp-5.9-CVE-2022-24805-24810.patch

diff --git a/net-snmp-5.9-CVE-2022-24805-24810.patch b/net-snmp-5.9-CVE-2022-24805-24810.patch
new file mode 100644
index 0000000..87efe17
--- /dev/null
+++ b/net-snmp-5.9-CVE-2022-24805-24810.patch
@@ -0,0 +1,163 @@
+From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Tue, 24 Aug 2021 07:55:00 -0700
+Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+
+When a SET request includes a mix of delegated and
+non-delegated requests (e.g., objects handled by master
+agent and agentx sub-agent), the status can get lost while
+waiting for the reply from the sub-agent.  Recover the status
+into the session from the requests even if it has already
+been processed.
+---
+ agent/snmp_agent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 84fbb42b47..095ee70985 100644
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
+         if (requests->status != SNMP_ERR_NOERROR &&
+             (!look_for_specific || requests->status == look_for_specific)
+             && (look_for_specific || asp->index == 0
+-                || requests->index < asp->index)) {
++                || requests->index <= asp->index)) {
+             asp->index = requests->index;
+             asp->status = requests->status;
+         }
+From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Wed, 30 Jun 2021 14:00:28 -0700
+Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB,
+ NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+---
+ agent/mibgroup/agent/nsLogging.c         |  6 ++++++
+ agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++--
+ agent/mibgroup/mibII/vacm_vars.c         |  3 +++
+ agent/mibgroup/snmpv3/usmUser.c          |  2 --
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c
+index 9abdeb5bb7..7f4290490a 100644
+--- a/agent/mibgroup/agent/nsLogging.c
++++ b/agent/mibgroup/agent/nsLogging.c
+@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+                 continue;
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+             }
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                 netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+                 continue;
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                 netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c
+index cc61fce7e6..6c43210074 100644
+--- a/agent/mibgroup/agent/nsVacmAccessTable.c
++++ b/agent/mibgroup/agent/nsVacmAccessTable.c
+@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+             entry = (struct vacm_accessEntry *)
+                 netsnmp_extract_iterator_context(request);
+             table_info = netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             /* Extract the authType token from the list of indexes */
+             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++            if (idx->val_len >= sizeof(atype))
++                continue;
+             memset(atype, 0, sizeof(atype));
+             memcpy(atype, (char *)idx->val.string, idx->val_len);
+             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+             entry = (struct vacm_accessEntry *)
+                 netsnmp_extract_iterator_context(request);
+             table_info = netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+             ret = SNMP_ERR_NOERROR;
+ 
+             switch (table_info->colnum) {
+@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+                  * Extract the authType token from the list of indexes
+                  */
+                 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++                if (idx->val_len >= sizeof(atype))
++                    continue;
+                 memset(atype, 0, sizeof(atype));
+                 memcpy(atype, (char *)idx->val.string, idx->val_len);
+                 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+                          idx = idx->next_variable;  model = *idx->val.integer;
+                          idx = idx->next_variable;  level = *idx->val.integer;
+                          entry = vacm_createAccessEntry( gName, cPrefix, model, level );
+-                         entry->storageType = ST_NONVOLATILE;
+-                         netsnmp_insert_iterator_context(request, (void*)entry);
++                         if (entry) {
++                             entry->storageType = ST_NONVOLATILE;
++                             netsnmp_insert_iterator_context(request, (void*)entry);
++                         }
+                     }
+                 }
+             }
+@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ 
+             /* Extract the authType token from the list of indexes */
+             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++            if (idx->val_len >= sizeof(atype))
++                continue;
+             memset(atype, 0, sizeof(atype));
+             memcpy(atype, (char *)idx->val.string, idx->val_len);
+             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c
+index 469a1eba59..62c9a3d051 100644
+--- a/agent/mibgroup/mibII/vacm_vars.c
++++ b/agent/mibgroup/mibII/vacm_vars.c
+@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
+         return 1;
+     }
+     groupNameL = oidIndex[0];
++    if ((groupNameL + 1) > (int) oidLen) {
++        return 1;
++    }
+     contextPrefixL = oidIndex[groupNameL + 1];  /* the initial name length */
+     if ((int) oidLen != groupNameL + contextPrefixL + 4) {
+         return 1;
+diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c
+index 0f52aaba49..0edea53cfb 100644
+--- a/agent/mibgroup/snmpv3/usmUser.c
++++ b/agent/mibgroup/snmpv3/usmUser.c
+@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action,
+                 if (usmStatusCheck(uptr)) {
+                     uptr->userStatus = RS_ACTIVE;
+                 } else {
+-                    SNMP_FREE(engineID);
+-                    SNMP_FREE(newName);
+                     return SNMP_ERR_INCONSISTENTVALUE;
+                 }
+             } else if (long_ret == RS_CREATEANDWAIT) {
+
diff --git a/net-snmp.spec b/net-snmp.spec
index 3aba2de..191a870 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.9.1
-Release:    13%{?dist}
+Release:    14%{?dist}
 Epoch:      1
 
 License:    BSD
@@ -57,6 +57,7 @@ Patch27:    net-snmp-5.9-ipv6-disable-leak.patch
 Patch28:    net-snmp-5.9-sendmsg-error-code.patch
 Patch29:    net-snmp-5.9-message-severity.patch
 Patch30:    net-snmp-5.9-rpmdb.patch
+Patch31:    net-snmp-5.9-CVE-2022-24805-24810.patch
 
 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@@ -239,6 +240,7 @@ cp %{SOURCE10} .
 %patch28 -p1 -b .sendmsg-error-code
 %patch29 -p1 -b .message-severity
 %patch30 -p1 -b .rpmdb
+%patch31 -p1 -b .CVE-2022-24805-24810
 
 %patch101 -p1 -b .modern-rpm-api
 %patch102 -p1
@@ -508,6 +510,10 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*
 
 %changelog
+* Tue Apr 09 Josef Ridky <jridky@redhat.com> - 1:5.9.1-14
+- fix CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
+  CVE-2022-24809 and CVE-2022-24810 (RHEL-26649)
+
 * Thu Oct 19 2023 Josef Ridky <jridky@redhat.com> - 1:5.9.1-13
 - add support for SQLite db background of rpm (RHEL-6854)