From b112298fad07a91d0ef17e1a1dc294f35d22453f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C5=A0afr=C3=A1nek?=
Date: Mon, 16 Feb 2009 13:27:40 +0000
Subject: [PATCH] fix tcp_wrappers integration
Resolves: CVE-2008-6123
---
 net-snmp-5.4.1-libwrap.patch | 25 +++++++++++++++++++++++++
 net-snmp.spec | 7 ++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 net-snmp-5.4.1-libwrap.patch
diff --git a/net-snmp-5.4.1-libwrap.patch b/net-snmp-5.4.1-libwrap.patch
new file mode 100644
index 0000000..a754571
--- /dev/null
+++ b/net-snmp-5.4.1-libwrap.patch
@@ -0,0 +1,25 @@
+CVE-2008-6123: snmp queries allowed from each remote host regardless of
+/etc/hosts.allow configuration
+
+Source: upstream, SVN rev. 17367
+
+diff -up net-snmp-5.4.2.1/snmplib/snmpUDPDomain.c.libwrap net-snmp-5.4.2.1/snmplib/snmpUDPDomain.c
+--- net-snmp-5.4.2.1/snmplib/snmpUDPDomain.c.libwrap 2007-10-11 22:46:30.000000000 +0200
++++ net-snmp-5.4.2.1/snmplib/snmpUDPDomain.c 2009-02-16 11:57:19.000000000 +0100
+@@ -104,12 +104,12 @@ netsnmp_udp_fmtaddr(netsnmp_transport *t
+ char tmp[64];
+ to = (struct sockaddr_in *) &(addr_pair->remote_addr);
+ if (to == NULL) {
+- sprintf(tmp, "UDP: [%s]->unknown",
++ sprintf(tmp, "UDP: unknown->[%s]",
+ inet_ntoa(addr_pair->local_addr));
+ } else {
+- sprintf(tmp, "UDP: [%s]->", inet_ntoa(addr_pair->local_addr));
+- sprintf(tmp + strlen(tmp), "[%s]:%hd",
+- inet_ntoa(to->sin_addr), ntohs(to->sin_port));
++ sprintf(tmp, "UDP: [%s]:%hu->",
++ inet_ntoa(to->sin_addr), ntohs(to->sin_port));
++ sprintf(tmp + strlen(tmp), "[%s]", inet_ntoa(addr_pair->local_addr));
+ }
+ return strdup(tmp);
+ }
diff --git a/net-snmp.spec b/net-snmp.spec
index dd2f351..7433681 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -8,7 +8,7 @@ Summary: A collection of SNMP protocol tools and libraries
 Name: net-snmp
 Version: %{major_ver}
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 1
 License: BSD and MIT
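Review bot: Nothing in the patched `netsnmp_udp_fmtaddr` body (the nested snmpUDPDomain.c hunk carried by net-snmp-5.4.1-libwrap.patch) records that the order of the two addresses is now security-relevant, so a later cosmetic change to the format string could silently undo the CVE-2008-6123 fix. Judging from the patch description, the tcp_wrappers check appears to derive the peer address from this formatted string (the consumer is not in the hunk), so I would add a comment above the `else` branch such as `/* remote peer first: the libwrap (hosts.allow) check takes the peer address from this string */`. The 64-byte `tmp` holds the worst-case output of the new format, but `snprintf(tmp, sizeof(tmp), ...)` in place of the bare `sprintf` calls would keep that true if the format is touched again. The function starts outside the hunk, so whether `addr_pair` is validated before `&(addr_pair->remote_addr)` is taken cannot be seen here; as written the `to == NULL` test looks unreachable for any valid `addr_pair`, which means the "unknown" branch is probably never exercised.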
@@ -34,6 +34,7 @@ Patch9: net-snmp-5.4.1-strange_libpath.patch
 Patch10: net-snmp-5.4.1-shared-ip.patch
 Patch11: net-snmp-5.4.1-sensors3.patch
 Patch12: net-snmp-5.4.1-xen-crash.patch
+Patch13: net-snmp-5.4.1-libwrap.patch
 Requires(pre): chkconfig
 Requires(post): chkconfig
@@ -171,6 +172,7 @@ Net-SNMP toolkit library.
 #%patch10 -p1 -b .shared-ip
 %patch11 -p1 -b .sensors
 %patch12 -p1 -b .xen-crash
+%patch13 -p1 -b .libwrap
 # Do this patch with a perl hack...
 perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@@ -419,6 +421,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_datadir}/snmp/mibs
 %changelog
+* Mon Feb 16 2009 Jan Safranek 5.4.2.1-8
+- fix tcp_wrappers integration (CVE-2008-6123)
+
 * Fri Jan 30 2009 Karsten Hopp 5.4.2.1-7
 - fix build on s390x which has no libsensors