import CS net-snmp-5.8-30.el8

2024-05-22 10:45:17 +00:00 · 2024-05-22 10:45:17 +00:00 · b8ced33253
parent e3bf1b1cee
commit b8ced33253
5 changed files with 418 additions and 1 deletions
--- a/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch
+++ b/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch
@ -0,0 +1,163 @@
+From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Tue, 24 Aug 2021 07:55:00 -0700
+Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+
+When a SET request includes a mix of delegated and
+non-delegated requests (e.g., objects handled by master
+agent and agentx sub-agent), the status can get lost while
+waiting for the reply from the sub-agent.  Recover the status
+into the session from the requests even if it has already
+been processed.
+---
+ agent/snmp_agent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 84fbb42b47..095ee70985 100644
+--- a/agent/snmp_agent.c
+++ b/agent/snmp_agent.c
+@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
+         if (requests->status != SNMP_ERR_NOERROR &&
+             (!look_for_specific || requests->status == look_for_specific)
+             && (look_for_specific || asp->index == 0
+-                || requests->index < asp->index)) {
+                || requests->index <= asp->index)) {
+             asp->index = requests->index;
+             asp->status = requests->status;
+         }
+From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Wed, 30 Jun 2021 14:00:28 -0700
+Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB,
+ NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+---
+ agent/mibgroup/agent/nsLogging.c         |  6 ++++++
+ agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++--
+ agent/mibgroup/mibII/vacm_vars.c         |  3 +++
+ agent/mibgroup/snmpv3/usmUser.c          |  2 --
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c
+index 9abdeb5bb7..7f4290490a 100644
+--- a/agent/mibgroup/agent/nsLogging.c
+++ b/agent/mibgroup/agent/nsLogging.c
+@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+                 continue;
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+             }
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                 netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+                 continue;
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                 netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c
+index cc61fce7e6..6c43210074 100644
+--- a/agent/mibgroup/agent/nsVacmAccessTable.c
+++ b/agent/mibgroup/agent/nsVacmAccessTable.c
+@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+             entry = (struct vacm_accessEntry *)
+                 netsnmp_extract_iterator_context(request);
+             table_info = netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
+ 
+             /* Extract the authType token from the list of indexes */
+             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+            if (idx->val_len >= sizeof(atype))
+                continue;
+             memset(atype, 0, sizeof(atype));
+             memcpy(atype, (char *)idx->val.string, idx->val_len);
+             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+             entry = (struct vacm_accessEntry *)
+                 netsnmp_extract_iterator_context(request);
+             table_info = netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
+             ret = SNMP_ERR_NOERROR;
+ 
+             switch (table_info->colnum) {
+@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+                  * Extract the authType token from the list of indexes
+                  */
+                 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+                if (idx->val_len >= sizeof(atype))
+                    continue;
+                 memset(atype, 0, sizeof(atype));
+                 memcpy(atype, (char *)idx->val.string, idx->val_len);
+                 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+                          idx = idx->next_variable;  model = *idx->val.integer;
+                          idx = idx->next_variable;  level = *idx->val.integer;
+                          entry = vacm_createAccessEntry( gName, cPrefix, model, level );
+-                         entry->storageType = ST_NONVOLATILE;
+-                         netsnmp_insert_iterator_context(request, (void*)entry);
+                         if (entry) {
+                             entry->storageType = ST_NONVOLATILE;
+                             netsnmp_insert_iterator_context(request, (void*)entry);
+                         }
+                     }
+                 }
+             }
+@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ 
+             /* Extract the authType token from the list of indexes */
+             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+            if (idx->val_len >= sizeof(atype))
+                continue;
+             memset(atype, 0, sizeof(atype));
+             memcpy(atype, (char *)idx->val.string, idx->val_len);
+             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c
+index 469a1eba59..62c9a3d051 100644
+--- a/agent/mibgroup/mibII/vacm_vars.c
+++ b/agent/mibgroup/mibII/vacm_vars.c
+@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
+         return 1;
+     }
+     groupNameL = oidIndex[0];
+    if ((groupNameL + 1) > (int) oidLen) {
+        return 1;
+    }
+     contextPrefixL = oidIndex[groupNameL + 1];  /* the initial name length */
+     if ((int) oidLen != groupNameL + contextPrefixL + 4) {
+         return 1;
+diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c
+index 0f52aaba49..0edea53cfb 100644
+--- a/agent/mibgroup/snmpv3/usmUser.c
+++ b/agent/mibgroup/snmpv3/usmUser.c
+@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action,
+                 if (usmStatusCheck(uptr)) {
+                     uptr->userStatus = RS_ACTIVE;
+                 } else {
+-                    SNMP_FREE(engineID);
+-                    SNMP_FREE(newName);
+                     return SNMP_ERR_INCONSISTENTVALUE;
+                 }
+             } else if (long_ret == RS_CREATEANDWAIT) {
+
--- a/SOURCES/net-snmp-5.8-memavailable.patch
+++ b/SOURCES/net-snmp-5.8-memavailable.patch
@ -0,0 +1,143 @@
+From 5b8bf5d4130761c3374f9ad618e8a76bb75eb634 Mon Sep 17 00:00:00 2001
+From: Yuwei Ba <i@xiaoba.me>
+Date: Fri, 21 Aug 2020 15:06:10 +0800
+Subject: [PATCH] snmpd: support MemAvailable on Linux
+
+See also https://github.com/net-snmp/net-snmp/pull/167 .
+
+[bvanassche: modified the behavior of this patch]
+---
+ agent/mibgroup/hardware/memory/memory_linux.c | 20 ++++++++++++++++++-
+ agent/mibgroup/ucd-snmp/memory.c              | 12 ++++++++++-
+ agent/mibgroup/ucd-snmp/memory.h              |  1 +
+ include/net-snmp/agent/hardware/memory.h      |  1 +
+ mibs/UCD-SNMP-MIB.txt                         | 16 +++++++++++++++
+ 5 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c
+index 6d5e86cde4..4ae235c2d0 100644
+--- a/agent/mibgroup/hardware/memory/memory_linux.c
+++ b/agent/mibgroup/hardware/memory/memory_linux.c
+@@ -24,7 +24,8 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
+     static int   first = 1;
+     ssize_t      bytes_read;
+     char        *b;
+-    unsigned long memtotal = 0,  memfree = 0, memshared = 0,
+    int          have_memavail = 0;
+    unsigned long memtotal = 0,  memavail = 0, memfree = 0, memshared = 0,
+                   buffers = 0,   cached = 0, sreclaimable = 0,
+                   swaptotal = 0, swapfree = 0;
+ 
+@@ -81,6 +82,11 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
+         if (first)
+             snmp_log(LOG_ERR, "No MemTotal line in /proc/meminfo\n");
+     }
+    b = strstr(buff, "MemAvailable: ");
+    if (b) {
+        have_memavail = 1;
+        sscanf(b, "MemAvailable: %lu", &memavail);
+    }
+     b = strstr(buff, "MemFree: ");
+     if (b) 
+         sscanf(b, "MemFree: %lu", &memfree);
+@@ -151,6 +157,18 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) {
+         mem->other = -1;
+     }
+ 
+    if (have_memavail) {
+        mem = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 1);
+        if (mem) {
+            if (!mem->descr)
+                mem->descr = strdup("Available memory");
+            mem->units = 1024;
+            mem->size  = memavail;
+            mem->free  = memavail;
+            mem->other = -1;
+        }
+    }
+
+     mem = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_VIRTMEM, 1 );
+     if (!mem) {
+         snmp_log_perror("No Virtual Memory info entry");
+diff --git a/agent/mibgroup/ucd-snmp/memory.c b/agent/mibgroup/ucd-snmp/memory.c
+index 371a77e9a5..158b28e67b 100644
+--- a/agent/mibgroup/ucd-snmp/memory.c
+++ b/agent/mibgroup/ucd-snmp/memory.c
+@@ -26,7 +26,7 @@ init_memory(void)
+         netsnmp_create_handler_registration("memory", handle_memory,
+                                  memory_oid, OID_LENGTH(memory_oid),
+                                              HANDLER_CAN_RONLY),
+-                                 1, 26);
+                                 1, 27);
+     netsnmp_register_scalar(
+         netsnmp_create_handler_registration("memSwapError", handle_memory,
+                            memSwapError_oid, OID_LENGTH(memSwapError_oid),
+@@ -272,6 +272,16 @@ handle_memory(netsnmp_mib_handler *handler,
+ 	    c64.low = val & 0xFFFFFFFF;
+ 	    c64.high = val >>32;
+             break;
+        case MEMORY_SYS_AVAIL:
+	    type = ASN_COUNTER64;
+            mem_info = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 0);
+            if (!mem_info)
+                goto NOSUCH;
+            val = mem_info->size;       /* memavail */
+            val *= (mem_info->units/1024);
+	    c64.low = val & 0xFFFFFFFF;
+	    c64.high = val >> 32;
+            break;
+         case MEMORY_SWAP_ERROR:
+             mem_info = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_SWAP, 0 );
+             if (!mem_info)
+diff --git a/agent/mibgroup/ucd-snmp/memory.h b/agent/mibgroup/ucd-snmp/memory.h
+index ded2140227..54a56a2fdb 100644
+--- a/agent/mibgroup/ucd-snmp/memory.h
+++ b/agent/mibgroup/ucd-snmp/memory.h
+@@ -41,6 +41,7 @@ Netsnmp_Node_Handler handle_memory;
+ #define MEMORY_SHARED_X     24
+ #define MEMORY_BUFFER_X     25
+ #define MEMORY_CACHED_X     26
+#define MEMORY_SYS_AVAIL    27
+ #define MEMORY_SWAP_ERROR  100
+ #define MEMORY_SWAP_ERRMSG 101
+ #endif                          /* MEMORY_H */
+diff --git a/include/net-snmp/agent/hardware/memory.h b/include/net-snmp/agent/hardware/memory.h
+index 54265cf22a..aca3a4d00d 100644
+--- a/include/net-snmp/agent/hardware/memory.h
+++ b/include/net-snmp/agent/hardware/memory.h
+@@ -10,6 +10,7 @@ typedef struct netsnmp_memory_info_s netsnmp_memory_info;
+ #define NETSNMP_MEM_TYPE_SHARED   8
+ #define NETSNMP_MEM_TYPE_SHARED2  9
+ #define NETSNMP_MEM_TYPE_SWAP    10
+#define NETSNMP_MEM_TYPE_AVAILMEM 11
+     /* Leave space for individual swap devices */
+ #define NETSNMP_MEM_TYPE_MAX     30
+ 
+diff --git a/mibs/UCD-SNMP-MIB.txt b/mibs/UCD-SNMP-MIB.txt
+index cde67feb50..d360bad025 100644
+--- a/mibs/UCD-SNMP-MIB.txt
+++ b/mibs/UCD-SNMP-MIB.txt
+@@ -746,6 +746,22 @@ memCachedX OBJECT-TYPE
+          memory as specifically reserved for this purpose."
+     ::= { memory 26 }
+ 
+memSysAvail OBJECT-TYPE
+    SYNTAX	CounterBasedGauge64
+    UNITS       "kB"
+    MAX-ACCESS	read-only
+    STATUS	current
+    DESCRIPTION
+        "The total amount of available memory, which is an estimate
+         of how much memory is available for starting new applications,
+         without swapping.
+
+         This object will not be implemented on hosts where the
+         underlying operating system does not explicitly identify
+         memory as specifically reserved for this purpose."
+    ::= { memory 27 }
+
+
+ memSwapError OBJECT-TYPE
+     SYNTAX	UCDErrorFlag
+     MAX-ACCESS	read-only
+
--- a/SOURCES/net-snmp-5.8-proxy.patch
+++ b/SOURCES/net-snmp-5.8-proxy.patch
@ -0,0 +1,46 @@
+From b67afb81eb0f7ad89496cd3e672654bfd8c55d0e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sat, 21 Mar 2020 20:03:13 -0700
+Subject: [PATCH] snmpd: UCD-SNMP proxy: Fix a crash triggered by a wrong
+ passphrase
+
+See also https://github.com/net-snmp/net-snmp/issues/82 .
+---
+ agent/mibgroup/ucd-snmp/proxy.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c
+index f4eb03ef6f..548ae7588f 100644
+--- a/agent/mibgroup/ucd-snmp/proxy.c
+++ b/agent/mibgroup/ucd-snmp/proxy.c
+@@ -698,8 +698,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid,
+                                  "proxy OID return length too long.\n");
+                         netsnmp_set_request_error(cache->reqinfo, requests,
+                                                   SNMP_ERR_GENERR);
+-                        if (pdu)
+-                            snmp_free_pdu(pdu);
+                         netsnmp_free_delegated_cache(cache);
+                         return 1;
+                     }
+@@ -723,8 +721,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid,
+              * ack, this is bad.  The # of varbinds don't match and
+              * there is no way to fix the problem 
+              */
+-            if (pdu)
+-                snmp_free_pdu(pdu);
+             snmp_log(LOG_ERR,
+                      "response to proxy request illegal.  We're screwed.\n");
+             netsnmp_set_request_error(cache->reqinfo, requests,
+@@ -735,11 +731,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid,
+         if (cache->reqinfo->mode == MODE_GETBULK)
+             netsnmp_bulk_to_next_fix_requests(requests);
+         
+-        /*
+-         * free the response 
+-         */
+-        if (pdu && 0)
+-            snmp_free_pdu(pdu);
+ 	break;
+ 
+     default:
+
--- a/SOURCES/net-snmp-5.8-truncating-log-once.patch
+++ b/SOURCES/net-snmp-5.8-truncating-log-once.patch
@ -0,0 +1,48 @@
+From 7330e3e3e08d9baff23332e764f9a53561939fff Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 2 Sep 2021 21:06:54 -0700
+Subject: [PATCH] libsnmp: Log "Truncating integer value >32 bits" once
+
+Log this message once instead of every time sysUpTime and/or
+hrSystemUptime are accessed after snmpd is running for more than 497 days.
+
+Fixes: https://github.com/net-snmp/net-snmp/issues/144
+---
+ snmplib/snmp_client.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/snmplib/snmp_client.c b/snmplib/snmp_client.c
+index 0f539c63fe..b00670d973 100644
+--- a/snmplib/snmp_client.c
+++ b/snmplib/snmp_client.c
+@@ -853,7 +853,8 @@ snmp_set_var_value(netsnmp_variable_list * vars,
+                 = (const u_long *) value;
+             *(vars->val.integer) = *val_ulong;
+             if (*(vars->val.integer) > 0xffffffff) {
+-                snmp_log(LOG_ERR,"truncating integer value > 32 bits\n");
+                NETSNMP_LOGONCE((LOG_INFO,
+                                 "truncating integer value > 32 bits\n"));
+                 *(vars->val.integer) &= 0xffffffff;
+             }
+         }
+@@ -865,7 +866,8 @@ snmp_set_var_value(netsnmp_variable_list * vars,
+                 = (const unsigned long long *) value;
+             *(vars->val.integer) = (long) *val_ullong;
+             if (*(vars->val.integer) > 0xffffffff) {
+-                snmp_log(LOG_ERR,"truncating integer value > 32 bits\n");
+                NETSNMP_LOGONCE((LOG_INFO,
+                                 "truncating integer value > 32 bits\n"));
+                 *(vars->val.integer) &= 0xffffffff;
+             }
+         }
+@@ -877,7 +879,8 @@ snmp_set_var_value(netsnmp_variable_list * vars,
+                 = (const uintmax_t *) value;
+             *(vars->val.integer) = (long) *val_uintmax_t;
+             if (*(vars->val.integer) > 0xffffffff) {
+-                snmp_log(LOG_ERR,"truncating integer value > 32 bits\n");
+                NETSNMP_LOGONCE((LOG_INFO,
+                                 "truncating integer value > 32 bits\n"));
+                 *(vars->val.integer) &= 0xffffffff;
+             }
+         }
+
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.8
-Release:    28%{?dist}
+Release:    30%{?dist}
 Epoch:      1

 License:    BSD
@ -77,6 +77,10 @@ Patch48:    net-snmp-5.8-CVE-2022-44792-44793.patch
 Patch49:    net-snmp-5.8-ipv6-disable-leak.patch
 Patch50:    net-snmp-5.8-proxy-time-out.patch
 Patch51:    net-snmp-5.8-sendmsg-error-code.patch
+Patch52:    net-snmp-5.8-memavailable.patch
+Patch53:    net-snmp-5.8-proxy.patch
+Patch54:    net-snmp-5.8-truncating-log-once.patch
+Patch55:    net-snmp-5.8-CVE-2022-24805-24810.patch

 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@ -253,6 +257,10 @@ rm -r python
 %patch49 -p1 -b .ipv6-disable-leak
 %patch50 -p1 -b .proxy-time-out
 %patch51 -p1 -b .sendmsg-error-code
+%patch52 -p1 -b .memavailable
+%patch53 -p1 -b .proxy
+%patch54 -p1 -b .truncating-log-once
+%patch55 -p1 -b .CVE-2022-24805-24810

 %patch101 -p1 -b .modern-rpm-api

@ -507,6 +515,15 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*

 %changelog
+* Mon Mar 04 2024 Josef Ridky <jridky@redhat.com> - 1:5.8-30
+- fix crash when configured as proxy - issue 82 (RHEL-14454)
+- log once truncating issue (RHEL-13597)
+- fix CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
+  CVE-2022-24809 and CVE-2022-24810 (RHEL-26650)
+
+* Tue Jan 23 2024 Josef Ridky <jridky@redhat.com> - 1:5.8-29
+- backport MemAvailable report from upstream (RHEL-21780)
+
 * Wed Aug 02 2023 Josef Ridky <jridky@redhat.com> - 1:5.8-28
 - fix sendmsg error code for new kernel (#2185787)