From 401c2d01c1ea76d0a2b986e99a88bde11daaf468 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 18 May 2021 02:37:46 -0400
Subject: [PATCH] import net-snmp-5.8-20.el8

---
 SOURCES/net-snmp-5.8-asn-parse-nlength.patch  | 86 +++++++++++++++++++
 ...et-snmp-5.8-clientaddr-error-message.patch | 35 ++++++++
 SOURCES/net-snmp-5.8-empty-passphrase.patch   | 30 +++++++
 SOURCES/net-snmp-5.8-ipv6-disabled.patch      | 31 +++++++
 SPECS/net-snmp.spec                           | 26 ++++--
 5 files changed, 203 insertions(+), 5 deletions(-)
 create mode 100644 SOURCES/net-snmp-5.8-asn-parse-nlength.patch
 create mode 100644 SOURCES/net-snmp-5.8-clientaddr-error-message.patch
 create mode 100644 SOURCES/net-snmp-5.8-empty-passphrase.patch
 create mode 100644 SOURCES/net-snmp-5.8-ipv6-disabled.patch

diff --git a/SOURCES/net-snmp-5.8-asn-parse-nlength.patch b/SOURCES/net-snmp-5.8-asn-parse-nlength.patch
new file mode 100644
index 0000000..23823f5
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-asn-parse-nlength.patch
@@ -0,0 +1,86 @@
+From 92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 4 Jan 2021 12:21:59 -0800
+Subject: [PATCH] libsnmp: Fix asn_parse_nlength()
+
+Handle length zero correctly.
+
+Fixes: https://github.com/net-snmp/net-snmp/issues/253
+Fixes: a9850f4445cf ("asn parse: add NULL checks, check length lengths")
+---
+ snmplib/asn1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/snmplib/asn1.c b/snmplib/asn1.c
+index e983500e7..33c272768 100644
+--- a/snmplib/asn1.c
++++ b/snmplib/asn1.c
+@@ -345,7 +345,7 @@ asn_parse_nlength(u_char *pkt, size_t pkt_len, u_long *data_len)
+          * long length; first byte is length of length (after masking high bit)
+          */
+         len_len = (int) ((*pkt & ~0x80) + 1);
+-        if ((int) pkt_len <= len_len )
++        if (pkt_len < len_len)
+             return NULL;           /* still too short for length and data */
+ 
+         /* now we know we have enough data to parse length */
+From baef04f9c6fe0eb3ac74dd4d26a19264eeaf7fa1 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 4 Jan 2021 10:00:33 -0800
+Subject: [PATCH] testing/fulltests/unit-tests/T105trap_parse_clib: Add this
+ test
+
+Add a reproducer for the bug fixed by the previous patch.
+---
+ .../unit-tests/T105trap_parse_clib.c          | 41 +++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+ create mode 100644 testing/fulltests/unit-tests/T105trap_parse_clib.c
+
+diff --git a/testing/fulltests/unit-tests/T105trap_parse_clib.c b/testing/fulltests/unit-tests/T105trap_parse_clib.c
+new file mode 100644
+index 000000000..5c21ccdc7
+--- /dev/null
++++ b/testing/fulltests/unit-tests/T105trap_parse_clib.c
+@@ -0,0 +1,41 @@
++/* HEADER Parsing of an SNMP trap with no varbinds */
++netsnmp_pdu pdu;
++int rc;
++static u_char trap_pdu[] = {
++    /* Sequence with length of 0x2d = 45 bytes. */
++    [ 0] = 0x30, [ 1] = 0x82, [ 2] = 0x00, [ 3] = 0x2d,
++    /* version = INTEGER 0 */
++    [ 4] = 0x02, [ 5] = 0x01, [ 6] = 0x00,
++    /* community = public (OCTET STRING 0x70 0x75 0x62 0x6c 0x69 0x63) */
++    [ 7] = 0x04, [ 8] = 0x06, [ 9] = 0x70, [10] = 0x75,
++    [11] = 0x62, [12] = 0x6c, [13] = 0x69, [14] = 0x63,
++    /* SNMP_MSG_TRAP; 32 bytes. */
++    [15] = 0xa4, [16] = 0x20,
++    /* enterprise = OBJECT IDENTIFIER .1.3.6.1.6.3.1.1.5 = snmpTraps */
++    [17] = 0x06, [18] = 0x08,
++    [19] = 0x2b, [20] = 0x06, [21] = 0x01, [22] = 0x06,
++    [23] = 0x03, [24] = 0x01, [25] = 0x01, [26] = 0x05,
++    /* agent-addr = ASN_IPADDRESS 192.168.1.34 */
++    [27] = 0x40, [28] = 0x04, [29] = 0xc0, [30] = 0xa8,
++    [31] = 0x01, [32] = 0x22,
++    /* generic-trap = INTEGER 0 */
++    [33] = 0x02, [34] = 0x01, [35] = 0x00,
++    /* specific-trap = INTEGER 0 */
++    [36] = 0x02, [37] = 0x01, [38] = 0x00,
++    /* ASN_TIMETICKS 0x117f243a */
++    [39] = 0x43, [40] = 0x04, [41] = 0x11, [42] = 0x7f,
++    [43] = 0x24, [44] = 0x3a,
++    /* varbind list */
++    [45] = 0x30, [46] = 0x82, [47] = 0x00, [48] = 0x00,
++};
++static size_t trap_pdu_length = sizeof(trap_pdu);
++netsnmp_session session;
++
++snmp_set_do_debugging(TRUE);
++debug_register_tokens("dumpv_recv,dumpv_send,asn,recv");
++memset(&session, 0, sizeof(session));
++snmp_sess_init(&session);
++memset(&pdu, 0, sizeof(pdu));
++rc = snmp_parse(NULL, &session, &pdu, trap_pdu, trap_pdu_length);
++
++OKF((rc == 0), ("Parsing of a trap PDU"));
+
diff --git a/SOURCES/net-snmp-5.8-clientaddr-error-message.patch b/SOURCES/net-snmp-5.8-clientaddr-error-message.patch
new file mode 100644
index 0000000..c423f21
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-clientaddr-error-message.patch
@@ -0,0 +1,35 @@
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c	2020-11-26 11:05:51.084788775 +0100
++++ b/snmplib/snmp_api.c	2020-11-26 11:08:27.850751397 +0100
+@@ -235,7 +235,7 @@ static const char *api_errors[-SNMPERR_M
+     "No error",                 /* SNMPERR_SUCCESS */
+     "Generic error",            /* SNMPERR_GENERR */
+     "Invalid local port",       /* SNMPERR_BAD_LOCPORT */
+-    "Unknown host",             /* SNMPERR_BAD_ADDRESS */
++    "Invalid address",          /* SNMPERR_BAD_ADDRESS */
+     "Unknown session",          /* SNMPERR_BAD_SESSION */
+     "Too long",                 /* SNMPERR_TOO_LONG */
+     "No socket",                /* SNMPERR_NO_SOCKET */
+@@ -1662,7 +1662,9 @@ _sess_open(netsnmp_session * in_session)
+         DEBUGMSGTL(("_sess_open", "couldn't interpret peername\n"));
+         in_session->s_snmp_errno = SNMPERR_BAD_ADDRESS;
+         in_session->s_errno = errno;
+-        snmp_set_detail(in_session->peername);
++        if (!netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
++                                    NETSNMP_DS_LIB_CLIENT_ADDR))
++            snmp_set_detail(in_session->peername);
+         return NULL;
+     }
+ 
+diff -ruNp a/snmplib/transports/snmpUDPIPv4BaseDomain.c b/snmplib/transports/snmpUDPIPv4BaseDomain.c
+--- a/snmplib/transports/snmpUDPIPv4BaseDomain.c	2021-01-06 12:51:51.948106797 +0100
++++ b/snmplib/transports/snmpUDPIPv4BaseDomain.c	2021-01-06 14:17:31.029745744 +0100
+@@ -209,6 +209,8 @@ netsnmp_udpipv4base_transport_bind(netsn
+         DEBUGMSGTL(("netsnmp_udpbase",
+                     "failed to bind for clientaddr: %d %s\n",
+                     errno, strerror(errno)));
++        NETSNMP_LOGONCE((LOG_ERR, "Cannot bind for clientaddr: %s\n",
++                    strerror(errno)));
+         netsnmp_socketbase_close(t);
+         return 1;
+     }
diff --git a/SOURCES/net-snmp-5.8-empty-passphrase.patch b/SOURCES/net-snmp-5.8-empty-passphrase.patch
new file mode 100644
index 0000000..deb0388
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-empty-passphrase.patch
@@ -0,0 +1,30 @@
+From 09a0c9005fb72102bf4f4499b28282f823e3e526 Mon Sep 17 00:00:00 2001
+From: Josef Ridky <jridky@redhat.com>
+Date: Wed, 18 Nov 2020 20:54:34 -0800
+Subject: [PATCH] net-snmp-create-v3-user: Handle empty passphrases correctly
+
+See also https://github.com/net-snmp/net-snmp/issues/86.
+
+Fixes: e5ad10de8e17 ("Quote provided encryption key in createUser line")
+Reported-by: Chris Cheney
+---
+ net-snmp-create-v3-user.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
+index 452c2699d..31b4c58c1 100644
+--- a/net-snmp-create-v3-user.in
++++ b/net-snmp-create-v3-user.in
+@@ -120,7 +120,11 @@ fi
+ fi
+ outdir="@PERSISTENT_DIRECTORY@"
+ outfile="$outdir/snmpd.conf"
+-line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
++if test "x$xpassphrase" = "x" ; then
++    line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm"
++else
++    line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
++fi
+ echo "adding the following line to $outfile:"
+ echo "  " $line
+ # in case it hasn't ever been started yet, start it.
diff --git a/SOURCES/net-snmp-5.8-ipv6-disabled.patch b/SOURCES/net-snmp-5.8-ipv6-disabled.patch
new file mode 100644
index 0000000..824c09c
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-ipv6-disabled.patch
@@ -0,0 +1,31 @@
+diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
+--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c	2020-09-29 14:08:09.742478965 +0200
++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c	2020-10-01 14:20:25.575174851 +0200
+@@ -19,6 +19,7 @@
+ 
+ #include <errno.h>
+ #include <sys/ioctl.h>
++#include <sys/stat.h>
+ 
+ netsnmp_feature_require(prefix_info)
+ netsnmp_feature_require(find_prefix_info)
+@@ -234,7 +235,18 @@ _load_v6(netsnmp_container *container, i
+ 
+ #define PROCFILE "/proc/net/if_inet6"
+     if (!(in = fopen(PROCFILE, "r"))) {
+-        NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));
++
++        /* 
++         * If PROCFILE exists, but isn't readable, file ERROR message.
++         * Otherwise log nothing, due of IPv6 support on this machine is
++         * intentionaly disabled/unavailable.
++         */
++
++        struct stat filestat;
++
++        if(stat(PROCFILE, &filestat) == 0){
++            NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));
++        }
+         return -2;
+     }
+ 
diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec
index e26f3d5..7fa1420 100644
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.8
-Release:    18%{?dist}.1
+Release:    20%{?dist}
 Epoch:      1
 
 License:    BSD
@@ -58,6 +58,10 @@ Patch29:    net-snmp-5.8-sec-memory-leak.patch
 Patch30:    net-snmp-5.8-aes-config.patch
 Patch31:    net-snmp-5.7.2-CVE-2020-15862.patch
 Patch32:    net-snmp-5.8-bulk.patch
+Patch33:    net-snmp-5.8-clientaddr-error-message.patch
+Patch34:    net-snmp-5.8-ipv6-disabled.patch
+Patch35:    net-snmp-5.8-empty-passphrase.patch
+Patch36:    net-snmp-5.8-asn-parse-nlength.patch
 
 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@@ -215,6 +219,10 @@ rm -r python
 %patch30 -p1 -b .aes-config
 %patch31 -p1 -b .CVE-2020-15862
 %patch32 -p1 -b .bulk
+%patch33 -p1 -b .clientaddr-error-message
+%patch34 -p1 -b .ipv6-disabled
+%patch35 -p1 -b .empty-passphrase
+%patch36 -p1 -b .asn-parse-nlength
 
 %patch101 -p1 -b .modern-rpm-api
 
@@ -469,12 +477,20 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*
 
 %changelog
-* Tue Dec 01 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-18.1
-- revert permission of config files to 600 (#1902662)
+* Tue Jan 05 2021 Josef Ridky <jridky@redhat.com> - 1:5.8-20
+- fix issue with parsing of long traps (#1912242)
+- modify fix for #1877375
+
+* Tue Dec 01 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-19
+- revert permission of config files to 600 (#1601060)
+- fix error message when the address specified by clientaddr option
+  is wrong or cannot be bound (#1877375)
+- log error with /proc/net/if_inet6 only when IPv6 is enabled (#1824367)
+- fix issue with quoting empty passphrase (#1817225)
 
 * Wed Nov 11 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-18
-- fix CVE-2020-15862 (#1886100)
-- fix bulk responses for invalid PID (#1896760)
+- fix CVE-2020-15862 (#1875497)
+- fix bulk responses for invalid PID (#1817190)
 
 * Tue Aug 11 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-17
 - add math library in LDFLAGS (#1846252)