fix various flaws (CVE-2008-2292 CVE-2008-0960)

net-snmp-5.4.1-hmac-check.patch

@@ -0,0 +1,18 @@
+447974: CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044)
+
+Source: upstream, https://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
+Reviewed-by: Jan Safranek <jsafrane@redhat.com>
+
+diff -up net-snmp-5.0.9/snmplib/scapi.c.orig net-snmp-5.0.9/snmplib/scapi.c
+--- net-snmp-5.0.9/snmplib/scapi.c.orig	2008-06-04 10:19:26.000000000 +0200
++++ net-snmp-5.0.9/snmplib/scapi.c	2008-06-04 10:20:45.000000000 +0200
+@@ -460,6 +460,9 @@ sc_check_keyed_hash(const oid * authtype
+         QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+     }
+ 
++    if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
++        QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
++    }
+ 
+     /*
+      * Generate a full hash of the message, then compare

net-snmp-5.4.1-perl-snprintf.patch

@@ -0,0 +1,106 @@
+447262: CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value()
+
+Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&sortby=date&revision=16770
+Reviewed-By: Jan Safranek <jsafrane@redhat.com>
+
+--- branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs	2007/12/21 23:19:29	16769
++++ branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs	2007/12/22 19:22:44	16770
+@@ -470,14 +470,16 @@
+            if (flag == USE_ENUMS) {
+               for(ep = tp->enums; ep; ep = ep->next) {
+                  if (ep->value == *var->val.integer) {
+-                    strcpy(buf, ep->label);
++                    strncpy(buf, ep->label, buf_len);
++                    buf[buf_len-1] = '\0';
+                     len = strlen(buf);
+                     break;
+                  }
+               }
+            }
+            if (!len) {
+-              sprintf(buf,"%ld", *var->val.integer);
++              snprintf(buf, buf_len, "%ld", *var->val.integer);
++              buf[buf_len-1] = '\0';
+               len = strlen(buf);
+            }
+            break;
+@@ -486,21 +488,25 @@
+         case ASN_COUNTER:
+         case ASN_TIMETICKS:
+         case ASN_UINTEGER:
+-           sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++           snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
++           buf[buf_len-1] = '\0';
+            len = strlen(buf);
+            break;
+ 
+         case ASN_OCTET_STR:
+         case ASN_OPAQUE:
+-           memcpy(buf, (char*)var->val.string, var->val_len);
+            len = var->val_len;
++           if ( len > buf_len )
++               len = buf_len;
++           memcpy(buf, (char*)var->val.string, len);
+            break;
+ 
+         case ASN_IPADDRESS:
+-          ip = (u_char*)var->val.string;
+-          sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+-          len = strlen(buf);
+-          break;
++           ip = (u_char*)var->val.string;
++           snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++           buf[buf_len-1] = '\0';
++           len = strlen(buf);
++           break;
+ 
+         case ASN_NULL:
+            break;
+@@ -512,14 +518,14 @@
+           break;
+ 
+ 	case SNMP_ENDOFMIBVIEW:
+-          sprintf(buf,"%s", "ENDOFMIBVIEW");
+-	  break;
++           snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
++	   break;
+ 	case SNMP_NOSUCHOBJECT:
+-	  sprintf(buf,"%s", "NOSUCHOBJECT");
+-	  break;
++	   snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
++	   break;
+ 	case SNMP_NOSUCHINSTANCE:
+-	  sprintf(buf,"%s", "NOSUCHINSTANCE");
+-	  break;
++	   snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
++	   break;
+ 
+         case ASN_COUNTER64:
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+@@ -538,19 +544,19 @@
+ #endif
+ 
+         case ASN_BIT_STR:
+-            snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
++            snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
+             len = strlen(buf);
+             break;
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+         case ASN_OPAQUE_FLOAT:
+-	  if (var->val.floatVal)
+-	    sprintf(buf,"%f", *var->val.floatVal);
+-         break;
++           if (var->val.floatVal)
++              snprintf(buf, buf_len, "%f", *var->val.floatVal);
++           break;
+          
+         case ASN_OPAQUE_DOUBLE:
+-	  if (var->val.doubleVal)
+-	    sprintf(buf,"%f", *var->val.doubleVal);
+-         break;
++           if (var->val.doubleVal)
++              snprintf(buf, buf_len, "%f", *var->val.doubleVal);
++           break;
+ #endif
+          
+         case ASN_NSAP:

net-snmp.spec

@@ -7,7 +7,7 @@
 Summary: A collection of SNMP protocol tools and libraries
 Name: net-snmp
 Version: %{major_ver}
-Release: 18%{?dist}
+Release: 19%{?dist}
 Epoch: 1
 
 License: BSD and MIT
@@ -39,6 +39,8 @@ Patch13: net-snmp-5.4.1-shared-ip.patch
 Patch14: net-snmp-5.4-exec-crash.patch
 Patch15: net-snmp-5.4.1-sensors3.patch
 Patch16: net-snmp-5.4.1-xen-crash.patch
+Patch17: net-snmp-5.4.1-hmac-check.patch
+Patch18: net-snmp-5.4.1-perl-snprintf.patch
 
 Requires(pre): chkconfig
 Requires(post): chkconfig
@@ -169,6 +171,8 @@ and applications.
 %patch14 -p1 -b .exec
 %patch15 -p0 -b .sensors
 %patch16 -p0 -b .xen-crash
+%patch17 -p1 -b .hmac-check
+%patch18 -p3 -b .perl-snprintf
 
 # Do this patch with a perl hack...
 perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@@ -385,6 +389,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/lib*.so.*
 
 %changelog
+* Tue Jun 10 2008 Jan Safranek <jsafranek@redhat.com> 5.4.1-19
+- fix various flaws (CVE-2008-2292 CVE-2008-0960)
+
 * Sat May 31 2008 Dennis Gilmore <dennis@ausil.us> 5.4.1-18
 - fix sparc handling in /usr/bin/net-snmp-config