From 7d730d5ced775f0c2ce33d121aa136232a96f56d Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Mon, 19 Jan 2026 06:58:50 +0000
Subject: [PATCH] import UBI net-snmp-5.8-33.el8_10

---
 ...snmp-5.8-perl-modern-auth-enablement.patch | 108 ++++++++++++++++++
 SOURCES/net-snmp-5.9.4-oob-access.patch       |  54 +++++++++
 SPECS/net-snmp.spec                           |  10 +-
 3 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/net-snmp-5.8-perl-modern-auth-enablement.patch
 create mode 100644 SOURCES/net-snmp-5.9.4-oob-access.patch

diff --git a/SOURCES/net-snmp-5.8-perl-modern-auth-enablement.patch b/SOURCES/net-snmp-5.8-perl-modern-auth-enablement.patch
new file mode 100644
index 0000000..c71b081
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-perl-modern-auth-enablement.patch
@@ -0,0 +1,108 @@
+diff -up net-snmp-5.8/include/net-snmp/library/scapi.h.rhcase04340580 net-snmp-5.8/include/net-snmp/library/scapi.h
+--- net-snmp-5.8/include/net-snmp/library/scapi.h.rhcase04340580	2026-01-07 09:24:59.756322331 +0100
++++ net-snmp-5.8/include/net-snmp/library/scapi.h	2026-01-07 09:25:38.665568566 +0100
+@@ -87,9 +87,9 @@ typedef struct netsnmp_priv_alg_info_s {
+     NETSNMP_IMPORT
+     oid *           sc_get_auth_oid(int auth_type, size_t *oid_len);
+     NETSNMP_IMPORT
+-    netsnmp_auth_alg_info * sc_get_auth_alg_byoid(const oid *oid, u_int len);
++    netsnmp_auth_alg_info * sc_find_auth_alg_byoid(const oid *oid, u_int len);
+     NETSNMP_IMPORT
+-    netsnmp_auth_alg_info * sc_get_auth_alg_bytype(u_int type);
++    netsnmp_auth_alg_info * sc_find_auth_alg_bytype(u_int type);
+     NETSNMP_IMPORT
+     netsnmp_auth_alg_info * sc_get_auth_alg_byindex(u_int index);
+ 
+diff -up net-snmp-5.8/perl/SNMP/SNMP.xs.rhcase04340580 net-snmp-5.8/perl/SNMP/SNMP.xs
+--- net-snmp-5.8/perl/SNMP/SNMP.xs.rhcase04340580	2026-01-05 11:30:22.717000136 +0100
++++ net-snmp-5.8/perl/SNMP/SNMP.xs	2026-01-05 11:44:27.466329639 +0100
+@@ -2633,6 +2633,7 @@ snmp_new_v3_session(version, peer, retri
+ 	   SnmpSession session = {0};
+ 	   SnmpSession *ss = NULL;
+            int verbose = SvIV(perl_get_sv("SNMP::verbose", 0x01 | 0x04));
++           int auth_type, priv_type;
+ 
+            snmp_sess_init(&session);
+ 
+@@ -2664,25 +2665,25 @@ snmp_new_v3_session(version, peer, retri
+                              (char **) &session.contextEngineID);
+            session.engineBoots = eng_boots;
+            session.engineTime = eng_time;
+-#ifndef NETSNMP_DISABLE_MD5
+-           if (!strcmp(auth_proto, "MD5")) {
+-               session.securityAuthProto = 
+-                  snmp_duplicate_objid(usmHMACMD5AuthProtocol,
+-                                          OID_LENGTH(usmHMACMD5AuthProtocol));
+-              session.securityAuthProtoLen = OID_LENGTH(usmHMACMD5AuthProtocol);
+-           } else
+-#endif
+-               if (!strcmp(auth_proto, "SHA")) {
+-               session.securityAuthProto = 
+-                   snmp_duplicate_objid(usmHMACSHA1AuthProtocol,
+-                                        OID_LENGTH(usmHMACSHA1AuthProtocol));
+-              session.securityAuthProtoLen = OID_LENGTH(usmHMACSHA1AuthProtocol);
+-           } else if (!strcmp(auth_proto, "DEFAULT")) {
++           /* NETSNMP_USMAUTH_* */
++           auth_type = usm_lookup_auth_type(auth_proto);
++           if (auth_type >= 0) {
++               const netsnmp_auth_alg_info *auth_alg_info =
++                   sc_find_auth_alg_bytype(auth_type);
++               if (auth_alg_info) {
++                   session.securityAuthProto =
++                       snmp_duplicate_objid(auth_alg_info->alg_oid,
++                                            auth_alg_info->oid_len);
++                   session.securityAuthProtoLen = auth_alg_info->oid_len;
++               }
++           }
++           if (strcmp(auth_proto, "DEFAULT") == 0) {
+                const oid *theoid =
+                    get_default_authtype(&session.securityAuthProtoLen);
+                session.securityAuthProto = 
+                    snmp_duplicate_objid(theoid, session.securityAuthProtoLen);
+-           } else {
++           }
++           if (session.securityAuthProto == NULL) {
+               if (verbose)
+                  warn("error:snmp_new_v3_session:Unsupported authentication protocol(%s)\n", auth_proto);
+               goto end;
+@@ -2714,25 +2715,24 @@ snmp_new_v3_session(version, peer, retri
+                    }
+                }
+            }
+-#ifndef NETSNMP_DISABLE_DES
+-           if (!strcmp(priv_proto, "DES")) {
+-              session.securityPrivProto =
+-                  snmp_duplicate_objid(usmDESPrivProtocol,
+-                                       OID_LENGTH(usmDESPrivProtocol));
+-              session.securityPrivProtoLen = OID_LENGTH(usmDESPrivProtocol);
+-           } else
+-#endif
+-               if (!strncmp(priv_proto, "AES", 3)) {
+-              session.securityPrivProto =
+-                  snmp_duplicate_objid(usmAESPrivProtocol,
+-                                       OID_LENGTH(usmAESPrivProtocol));
+-              session.securityPrivProtoLen = OID_LENGTH(usmAESPrivProtocol);
+-           } else if (!strcmp(priv_proto, "DEFAULT")) {
++           priv_type = usm_lookup_priv_type(priv_proto);
++           if (priv_type >= 0) {
++               const netsnmp_priv_alg_info *priv_alg_info =
++                   sc_get_priv_alg_bytype(priv_type);
++               if (priv_alg_info) {
++                   session.securityPrivProto =
++                       snmp_duplicate_objid(priv_alg_info->alg_oid,
++                                            priv_alg_info->oid_len);
++                   session.securityPrivProtoLen = priv_alg_info->oid_len;
++               }
++           }
++           if (strcmp(priv_proto, "DEFAULT") == 0) {
+                const oid *theoid =
+                    get_default_privtype(&session.securityPrivProtoLen);
+                session.securityPrivProto = 
+                    snmp_duplicate_objid(theoid, session.securityPrivProtoLen);
+-           } else {
++           }
++           if (session.securityPrivProto == NULL) {
+               if (verbose)
+                  warn("error:snmp_new_v3_session:Unsupported privacy protocol(%s)\n", priv_proto);
+               goto end;
+
diff --git a/SOURCES/net-snmp-5.9.4-oob-access.patch b/SOURCES/net-snmp-5.9.4-oob-access.patch
new file mode 100644
index 0000000..426f8a8
--- /dev/null
+++ b/SOURCES/net-snmp-5.9.4-oob-access.patch
@@ -0,0 +1,54 @@
+From b4e6f826d9ddcc2d72eac432746807e1234266db Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sun, 2 Nov 2025 14:48:55 -0800
+Subject: [PATCH] snmptrapd: Fix out-of-bounds trapOid[] accesses
+
+Fixes: https://issues.oss-fuzz.com/issues/457106694
+Fixes: https://issues.oss-fuzz.com/issues/458668421
+Fixes: https://issues.oss-fuzz.com/issues/458876071
+---
+ apps/snmptrapd_handlers.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/apps/snmptrapd_handlers.c b/apps/snmptrapd_handlers.c
+index 6cd126f266..afd93ed0fb 100644
+--- a/apps/snmptrapd_handlers.c
++++ b/apps/snmptrapd_handlers.c
+@@ -1112,6 +1112,12 @@ snmp_input(int op, netsnmp_session *session,
+ 	     */
+             if (pdu->trap_type == SNMP_TRAP_ENTERPRISESPECIFIC) {
+                 trapOidLen = pdu->enterprise_length;
++                /*
++                 * Drop packets that would trigger an out-of-bounds trapOid[]
++                 * access.
++                 */
++                if (trapOidLen < 1 || trapOidLen > OID_LENGTH(trapOid) - 2)
++                    return 1;
+                 memcpy(trapOid, pdu->enterprise, sizeof(oid) * trapOidLen);
+                 if (trapOid[trapOidLen - 1] != 0) {
+                     trapOid[trapOidLen++] = 0;
+From 35d216b57ea2e9abf1cc42077bcf60a4bae0b29e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sat, 1 Nov 2025 13:47:37 -0700
+Subject: [PATCH] snmptrapd: Do not write outside the bounds of trapOid[]
+
+---
+ apps/snmptrapd_handlers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/snmptrapd_handlers.c b/apps/snmptrapd_handlers.c
+index 0b8038f5d1..6cd126f266 100644
+--- a/apps/snmptrapd_handlers.c
++++ b/apps/snmptrapd_handlers.c
+@@ -1155,8 +1155,8 @@ snmp_input(int op, netsnmp_session *session,
+ 		    return 1;		/* ??? */
+ 		}
+ 	    }
+-            memcpy(trapOid, vars->val.objid, vars->val_len);
+-            trapOidLen = vars->val_len /sizeof(oid);
++            trapOidLen = SNMP_MIN(sizeof(trapOid), vars->val_len) / sizeof(oid);
++            memcpy(trapOid, vars->val.objid, trapOidLen * sizeof(oid));
+             break;
+ 
+         default:
+
diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec
index ff8d454..9a1d6dd 100644
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.8
-Release:    32%{?dist}
+Release:    33%{?dist}
 Epoch:      1
 
 License:    BSD
@@ -83,6 +83,8 @@ Patch54:    net-snmp-5.8-truncating-log-once.patch
 Patch55:    net-snmp-5.8-CVE-2022-24805-24810.patch
 Patch56:    net-snmp-5.8-callback-fix.patch
 Patch57:    net-snmp-5.8-engine-evaluation.patch
+Patch58:    net-snmp-5.9.4-oob-access.patch
+Patch59:    net-snmp-5.8-perl-modern-auth-enablement.patch
 
 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@@ -265,6 +267,8 @@ rm -r python
 %patch55 -p1 -b .CVE-2022-24805-24810
 %patch56 -p1 -b .callback-fix
 %patch57 -p1 -b .engine-evaluation
+%patch58 -p1 -b .oob-access
+%patch59 -p1 -b .perl-auth-enablement
 
 %patch101 -p1 -b .modern-rpm-api
 
@@ -519,6 +523,10 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*
 
 %changelog
+* Wed Jan 14 2026 Josef Ridky <jridky@redhat.com> - 1:5.8-33
+- fix out of bound access (RHEL-137501)
+- perl modern auth enablement (RHEL-137310)
+
 * Wed Oct 29 2025 Josef Ridky <jridky@redhat.com> - 1:5.8-32
 - fix engine order of evaluation (RHEL-116089)