From 8f6b9939023c82abfaa430eec4c02a5b78b89130 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C5=A0afr=C3=A1nek?=
Date: Tue, 10 Jun 2008 06:02:57 +0000
Subject: [PATCH] fix various flaws (CVE-2008-2292 CVE-2008-0960)
---
net-snmp-5.4.1-hmac-check.patch | 18 +++++
net-snmp-5.4.1-perl-snprintf.patch | 106 +++++++++++++++++++++++++++++
net-snmp.spec | 9 ++-
3 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 net-snmp-5.4.1-hmac-check.patch
create mode 100644 net-snmp-5.4.1-perl-snprintf.patch
diff --git a/net-snmp-5.4.1-hmac-check.patch b/net-snmp-5.4.1-hmac-check.patch
new file mode 100644
index 0000000..630573b
--- /dev/null
+++ b/net-snmp-5.4.1-hmac-check.patch
@@ -0,0 +1,18 @@
+447974: CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044)
+
+Source: upstream, https://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
+Reviewed-by: Jan Safranek
+
+diff -up net-snmp-5.0.9/snmplib/scapi.c.orig net-snmp-5.0.9/snmplib/scapi.c
+--- net-snmp-5.0.9/snmplib/scapi.c.orig 2008-06-04 10:19:26.000000000 +0200
++++ net-snmp-5.0.9/snmplib/scapi.c 2008-06-04 10:20:45.000000000 +0200
+@@ -460,6 +460,9 @@ sc_check_keyed_hash(const oid * authtype
+ QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+ }
+
++ if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
++ QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
++ }
+
+ /*
+ * Generate a full hash of the message, then compare
diff --git a/net-snmp-5.4.1-perl-snprintf.patch b/net-snmp-5.4.1-perl-snprintf.patch
new file mode 100644
index 0000000..438694c
--- /dev/null
+++ b/net-snmp-5.4.1-perl-snprintf.patch
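Review bot: The added `maclen != USM_MD5_AND_SHA_AUTH_LEN` guard in sc_check_keyed_hash has no comment saying why a short MAC must be rejected, so a later cleanup could mistake it for a redundant sanity check. I would put `/* Reject any MAC that is not the full truncated-HMAC length: a shorter caller-supplied maclen would let the compare below match on a prefix only (CVE-2008-0960). */` directly above the `if`. The comparison itself lies outside the hunk, so this wording assumes it is bounded by maclen; if it turns out to be a plain memcmp, it is worth confirming separately whether a constant-time compare is wanted there. The function starts and ends outside the hunk.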
@@ -0,0 +1,106 @@
+447262: CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value()
+
+Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&sortby=date&revision=16770
+Reviewed-By: Jan Safranek
+
+--- branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/21 23:19:29 16769
++++ branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/22 19:22:44 16770
+@@ -470,14 +470,16 @@
+ if (flag == USE_ENUMS) {
+ for(ep = tp->enums; ep; ep = ep->next) {
+ if (ep->value == *var->val.integer) {
+- strcpy(buf, ep->label);
++ strncpy(buf, ep->label, buf_len);
++ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ break;
+ }
+ }
+ }
+ if (!len) {
+- sprintf(buf,"%ld", *var->val.integer);
++ snprintf(buf, buf_len, "%ld", *var->val.integer);
++ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ }
+ break;
+@@ -486,21 +488,25 @@
+ case ASN_COUNTER:
+ case ASN_TIMETICKS:
+ case ASN_UINTEGER:
+- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
++ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ break;
+
+ case ASN_OCTET_STR:
+ case ASN_OPAQUE:
+- memcpy(buf, (char*)var->val.string, var->val_len);
+ len = var->val_len;
++ if ( len > buf_len )
++ len = buf_len;
++ memcpy(buf, (char*)var->val.string, len);
+ break;
+
+ case ASN_IPADDRESS:
+- ip = (u_char*)var->val.string;
+- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+- len = strlen(buf);
+- break;
++ ip = (u_char*)var->val.string;
++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++ buf[buf_len-1] = '\0';
++ len = strlen(buf);
++ break;
+
+ case ASN_NULL:
+ break;
+@@ -512,14 +518,14 @@
+ break;
+
+ case SNMP_ENDOFMIBVIEW:
+- sprintf(buf,"%s", "ENDOFMIBVIEW");
+- break;
++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
++ break;
+ case SNMP_NOSUCHOBJECT:
+- sprintf(buf,"%s", "NOSUCHOBJECT");
+- break;
++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
++ break;
+ case SNMP_NOSUCHINSTANCE:
+- sprintf(buf,"%s", "NOSUCHINSTANCE"); +- break; ++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE"); ++ break; + + case ASN_COUNTER64: + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES +@@ -538,19 +544,19 @@ + #endif + + case ASN_BIT_STR: +- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL); ++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL); + len = strlen(buf); + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: +- if (var->val.floatVal) +- sprintf(buf,"%f", *var->val.floatVal); +- break; ++ if (var->val.floatVal) ++ snprintf(buf, buf_len, "%f", *var->val.floatVal); ++ break; + + case ASN_OPAQUE_DOUBLE: +- if (var->val.doubleVal) +- sprintf(buf,"%f", *var->val.doubleVal); +- break; ++ if (var->val.doubleVal) ++ snprintf(buf, buf_len, "%f", *var->val.doubleVal); ++ break; + #endif + + case ASN_NSAP: diff --git a/net-snmp.spec b/net-snmp.spec index 32423e1..795e364 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -7,7 +7,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: %{major_ver} -Release: 18%{?dist} +Release: 19%{?dist} Epoch: 1 License: BSD and MIT @@ -39,6 +39,8 @@ Patch13: net-snmp-5.4.1-shared-ip.patch Patch14: net-snmp-5.4-exec-crash.patch Patch15: net-snmp-5.4.1-sensors3.patch Patch16: net-snmp-5.4.1-xen-crash.patch +Patch17: net-snmp-5.4.1-hmac-check.patch +Patch18: net-snmp-5.4.1-perl-snprintf.patch Requires(pre): chkconfig Requires(post): chkconfig @@ -169,6 +171,8 @@ and applications. %patch14 -p1 -b .exec %patch15 -p0 -b .sensors %patch16 -p0 -b .xen-crash +%patch17 -p1 -b .hmac-check +%patch18 -p3 -b .perl-snprintf # Do this patch with a perl hack... perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh @@ -385,6 +389,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_libdir}/lib*.so.* %changelog +* Tue Jun 10 2008 Jan Safranek 5.4.1-19 +- fix various flaws (CVE-2008-2292 CVE-2008-0960) + * Sat May 31 2008 Dennis Gilmore 5.4.1-18 - fix sparc handling in /usr/bin/net-snmp-config
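Review bot: In the ASN_IPADDRESS case the new code still reads `ip[0]` through `ip[3]` without consulting `var->val_len`, so a value shorter than four bytes is read past its end even though the write into `buf` is now bounded. A guard such as `if (var->val_len < 4) break;` ahead of the `snprintf` would close that, assuming no length check exists earlier in `__snprint_value()`, whose body starts and ends outside the hunk. Separately, the repeated `buf[buf_len-1] = '\0';` after each `snprintf` is redundant for any non-zero size and writes before the buffer if `buf_len` is ever 0, so it would be safer to reject `buf_len == 0` once at the top and drop those lines. The ASN_OCTET_STR clamp also truncates silently and leaves `buf` unterminated when `len == buf_len`; a one-line comment stating that callers must rely on the returned length rather than a terminator would help.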