From a99b865945555ce6ebd876fdbe0e3802e4fe07e7 Mon Sep 17 00:00:00 2001 From: Josef Ridky Date: Thu, 8 Mar 2018 09:59:42 +0100 Subject: [PATCH] Resolves: #1552844 - CVE-2018-1000116 Heap corruption in snmp_pdu_parse --- net-snmp-5.7.3-CVE-2018-1000116.patch | 200 ++++++++++++++++++++++++++ net-snmp.spec | 9 +- 2 files changed, 206 insertions(+), 3 deletions(-) create mode 100644 net-snmp-5.7.3-CVE-2018-1000116.patch diff --git a/net-snmp-5.7.3-CVE-2018-1000116.patch b/net-snmp-5.7.3-CVE-2018-1000116.patch new file mode 100644 index 0000000..e7adffd --- /dev/null +++ b/net-snmp-5.7.3-CVE-2018-1000116.patch @@ -0,0 +1,200 @@ +diff -urNp old/snmplib/snmp_api.c new/snmplib/snmp_api.c +--- old/snmplib/snmp_api.c 2018-03-08 09:08:50.675762351 +0100 ++++ new/snmplib/snmp_api.c 2018-03-08 09:27:13.289076553 +0100 +@@ -4350,12 +4350,10 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + u_char type; + u_char msg_type; + u_char *var_val; +- int badtype = 0; + size_t len; + size_t four; +- netsnmp_variable_list *vp = NULL; ++ netsnmp_variable_list *vp = NULL, *vplast = NULL; + oid objid[MAX_OID_LEN]; +- u_char *p; + + /* + * Get the PDU type +@@ -4493,38 +4491,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + (ASN_SEQUENCE | ASN_CONSTRUCTOR), + "varbinds"); + if (data == NULL) +- return -1; ++ goto fail; + + /* + * get each varBind sequence + */ + while ((int) *length > 0) { +- netsnmp_variable_list *vptemp; +- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); +- if (NULL == vptemp) { +- return -1; +- } +- if (NULL == vp) { +- pdu->variables = vptemp; +- } else { +- vp->next_variable = vptemp; +- } +- vp = vptemp; ++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list); ++ if (NULL == vp) ++ goto fail; + +- vp->next_variable = NULL; +- vp->val.string = NULL; + vp->name_length = MAX_OID_LEN; +- vp->name = NULL; +- vp->index = 0; +- vp->data = NULL; +- vp->dataFreeHook = NULL; + DEBUGDUMPSECTION("recv", "VarBind"); + data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, + &vp->val_len, &var_val, length); + if (data == NULL) +- return -1; ++ goto fail; + if (snmp_set_var_objid(vp, objid, vp->name_length)) +- return -1; ++ goto fail; + + len = MAX_PACKET_LENGTH; + DEBUGDUMPHEADER("recv", "Value"); +@@ -4532,11 +4516,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_INTEGER: + vp->val.integer = (long *) vp->buf; + vp->val_len = sizeof(long); +- p = asn_parse_int(var_val, &len, &vp->type, ++ asn_parse_int(var_val, &len, &vp->type, + (long *) vp->val.integer, + sizeof(*vp->val.integer)); +- if (!p) +- return -1; + break; + case ASN_COUNTER: + case ASN_GAUGE: +@@ -4544,11 +4526,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_UINTEGER: + vp->val.integer = (long *) vp->buf; + vp->val_len = sizeof(u_long); +- p = asn_parse_unsigned_int(var_val, &len, &vp->type, ++ asn_parse_unsigned_int(var_val, &len, &vp->type, + (u_long *) vp->val.integer, + vp->val_len); +- if (!p) +- return -1; + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_COUNTER64: +@@ -4557,38 +4537,30 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_COUNTER64: + vp->val.counter64 = (struct counter64 *) vp->buf; + vp->val_len = sizeof(struct counter64); +- p = asn_parse_unsigned_int64(var_val, &len, &vp->type, ++ asn_parse_unsigned_int64(var_val, &len, &vp->type, + (struct counter64 *) vp->val. + counter64, vp->val_len); +- if (!p) +- return -1; + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: + vp->val.floatVal = (float *) vp->buf; + vp->val_len = sizeof(float); +- p = asn_parse_float(var_val, &len, &vp->type, ++ asn_parse_float(var_val, &len, &vp->type, + vp->val.floatVal, vp->val_len); +- if (!p) +- return -1; + break; + case ASN_OPAQUE_DOUBLE: + vp->val.doubleVal = (double *) vp->buf; + vp->val_len = sizeof(double); +- p = asn_parse_double(var_val, &len, &vp->type, ++ asn_parse_double(var_val, &len, &vp->type, + vp->val.doubleVal, vp->val_len); +- if (!p) +- return -1; + break; + case ASN_OPAQUE_I64: + vp->val.counter64 = (struct counter64 *) vp->buf; + vp->val_len = sizeof(struct counter64); +- p = asn_parse_signed_int64(var_val, &len, &vp->type, ++ asn_parse_signed_int64(var_val, &len, &vp->type, + (struct counter64 *) vp->val.counter64, + sizeof(*vp->val.counter64)); + +- if (!p) +- return -1; + break; + #endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */ + case ASN_IPADDRESS: +@@ -4604,22 +4576,18 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + vp->val.string = (u_char *) malloc(vp->val_len); + } + if (vp->val.string == NULL) { +- return -1; ++ goto fail; + } +- p = asn_parse_string(var_val, &len, &vp->type, vp->val.string, ++ asn_parse_string(var_val, &len, &vp->type, vp->val.string, + &vp->val_len); +- if (!p) +- return -1; + break; + case ASN_OBJECT_ID: + vp->val_len = MAX_OID_LEN; +- p = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len); +- if (!p) +- return -1; ++ asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len); + vp->val_len *= sizeof(oid); + vp->val.objid = (oid *) malloc(vp->val_len); + if (vp->val.objid == NULL) { +- return -1; ++ goto fail; + } + memmove(vp->val.objid, objid, vp->val_len); + break; +@@ -4631,21 +4599,34 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_BIT_STR: + vp->val.bitstring = (u_char *) malloc(vp->val_len); + if (vp->val.bitstring == NULL) { +- return -1; ++ goto fail; + } +- p = asn_parse_bitstring(var_val, &len, &vp->type, ++ asn_parse_bitstring(var_val, &len, &vp->type, + vp->val.bitstring, &vp->val_len); +- if (!p) +- return -1; + break; + default: + snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type); +- badtype = -1; ++ goto fail; + break; + } + DEBUGINDENTADD(-4); +- } +- return badtype; ++ if (NULL == vplast) { ++ pdu->variables = vp; ++ } else { ++ vplast->next_variable = vp; ++ } ++ vplast = vp; ++ vp = NULL; ++ } ++ return 0; ++ ++ fail: ++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n")); ++ /** if we were parsing a var, remove it from the pdu and free it */ ++ if (vp) ++ snmp_free_var(vp); ++ ++ return -1; + } + + /* diff --git a/net-snmp.spec b/net-snmp.spec index 1591da6..45ccfa2 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -1,15 +1,13 @@ # use nestnmp_check 0 to speed up packaging by disabling 'make test' %{!?netsnmp_check: %global netsnmp_check 1} -# allow compilation on Fedora 11 and older -%{!?python3_sitearch: %global python3_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} # Arches on which we need to prevent arch conflicts on net-snmp-config.h %global multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x x86_64 sparc sparcv9 sparc64 aarch64 Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.7.3 -Release: 35%{?dist} +Release: 36%{?dist} Epoch: 1 License: BSD @@ -62,6 +60,7 @@ Patch19: net-snmp-5.7.3-mariadb-connector-c.patch Patch20: net-snmp-5.7.3-strstr.patch Patch21: net-snmp-5.7.3-iterator-fix.patch Patch22: net-snmp-5.7.3-autofs.patch +Patch23: net-snmp-5.7.3-CVE-2018-1000116.patch # This patch fix issue with new OpenSLL library in rawhide (f26+) # !!!WARNING!!! DO NOT USE IT FOR OLDER FEDORA RELEASES (>f26) @@ -227,6 +226,7 @@ cp %{SOURCE10} . %patch20 -p1 -b .strstr %patch21 -p1 -b .iterator-fix %patch22 -p1 -b .autofs-skip +%patch23 -p1 -b .CVE-2018-1000116 %patch100 -p1 -b .openssl %patch101 -p1 -b .modern-rpm-api %patch102 -p1 @@ -494,6 +494,9 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.* %changelog +* Thu Mar 08 2018 Josef Ridky - 1:5.7.3-36 +- CVE-2018-1000116 Heap corruption in snmp_pdu_parse (#1552844) + * Tue Feb 27 2018 Josef Ridky - 1:5.7.3-35 - compile against Python3 - add gcc requirement