From b8ced33253a5a24f9dde4fe210885765006cfbad Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 22 May 2024 10:45:17 +0000 Subject: [PATCH] import CS net-snmp-5.8-30.el8 --- .../net-snmp-5.8-CVE-2022-24805-24810.patch | 163 ++++++++++++++++++ SOURCES/net-snmp-5.8-memavailable.patch | 143 +++++++++++++++ SOURCES/net-snmp-5.8-proxy.patch | 46 +++++ .../net-snmp-5.8-truncating-log-once.patch | 48 ++++++ SPECS/net-snmp.spec | 19 +- 5 files changed, 418 insertions(+), 1 deletion(-) create mode 100644 SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch create mode 100644 SOURCES/net-snmp-5.8-memavailable.patch create mode 100644 SOURCES/net-snmp-5.8-proxy.patch create mode 100644 SOURCES/net-snmp-5.8-truncating-log-once.patch diff --git a/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch b/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch new file mode 100644 index 0000000..87efe17 --- /dev/null +++ b/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch @@ -0,0 +1,163 @@ +From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Tue, 24 Aug 2021 07:55:00 -0700 +Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request + +Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE +Fixes by: Arista Networks + +When a SET request includes a mix of delegated and +non-delegated requests (e.g., objects handled by master +agent and agentx sub-agent), the status can get lost while +waiting for the reply from the sub-agent. Recover the status +into the session from the requests even if it has already +been processed. +--- + agent/snmp_agent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 84fbb42b47..095ee70985 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp, + if (requests->status != SNMP_ERR_NOERROR && + (!look_for_specific || requests->status == look_for_specific) + && (look_for_specific || asp->index == 0 +- || requests->index < asp->index)) { ++ || requests->index <= asp->index)) { + asp->index = requests->index; + asp->status = requests->status; + } +From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Wed, 30 Jun 2021 14:00:28 -0700 +Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, + NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB + +Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE +Fixes by: Arista Networks +--- + agent/mibgroup/agent/nsLogging.c | 6 ++++++ + agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++-- + agent/mibgroup/mibII/vacm_vars.c | 3 +++ + agent/mibgroup/snmpv3/usmUser.c | 2 -- + 4 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c +index 9abdeb5bb7..7f4290490a 100644 +--- a/agent/mibgroup/agent/nsLogging.c ++++ b/agent/mibgroup/agent/nsLogging.c +@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler, + continue; + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler, + } + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler, + continue; + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c +index cc61fce7e6..6c43210074 100644 +--- a/agent/mibgroup/agent/nsVacmAccessTable.c ++++ b/agent/mibgroup/agent/nsVacmAccessTable.c +@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + entry = (struct vacm_accessEntry *) + netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + /* Extract the authType token from the list of indexes */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++ if (idx->val_len >= sizeof(atype)) ++ continue; + memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + entry = (struct vacm_accessEntry *) + netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + ret = SNMP_ERR_NOERROR; + + switch (table_info->colnum) { +@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + * Extract the authType token from the list of indexes + */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++ if (idx->val_len >= sizeof(atype)) ++ continue; + memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + idx = idx->next_variable; model = *idx->val.integer; + idx = idx->next_variable; level = *idx->val.integer; + entry = vacm_createAccessEntry( gName, cPrefix, model, level ); +- entry->storageType = ST_NONVOLATILE; +- netsnmp_insert_iterator_context(request, (void*)entry); ++ if (entry) { ++ entry->storageType = ST_NONVOLATILE; ++ netsnmp_insert_iterator_context(request, (void*)entry); ++ } + } + } + } +@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + + /* Extract the authType token from the list of indexes */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++ if (idx->val_len >= sizeof(atype)) ++ continue; + memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c +index 469a1eba59..62c9a3d051 100644 +--- a/agent/mibgroup/mibII/vacm_vars.c ++++ b/agent/mibgroup/mibII/vacm_vars.c +@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen, + return 1; + } + groupNameL = oidIndex[0]; ++ if ((groupNameL + 1) > (int) oidLen) { ++ return 1; ++ } + contextPrefixL = oidIndex[groupNameL + 1]; /* the initial name length */ + if ((int) oidLen != groupNameL + contextPrefixL + 4) { + return 1; +diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c +index 0f52aaba49..0edea53cfb 100644 +--- a/agent/mibgroup/snmpv3/usmUser.c ++++ b/agent/mibgroup/snmpv3/usmUser.c +@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action, + if (usmStatusCheck(uptr)) { + uptr->userStatus = RS_ACTIVE; + } else { +- SNMP_FREE(engineID); +- SNMP_FREE(newName); + return SNMP_ERR_INCONSISTENTVALUE; + } + } else if (long_ret == RS_CREATEANDWAIT) { + diff --git a/SOURCES/net-snmp-5.8-memavailable.patch b/SOURCES/net-snmp-5.8-memavailable.patch new file mode 100644 index 0000000..e740695 --- /dev/null +++ b/SOURCES/net-snmp-5.8-memavailable.patch @@ -0,0 +1,143 @@ +From 5b8bf5d4130761c3374f9ad618e8a76bb75eb634 Mon Sep 17 00:00:00 2001 +From: Yuwei Ba +Date: Fri, 21 Aug 2020 15:06:10 +0800 +Subject: [PATCH] snmpd: support MemAvailable on Linux + +See also https://github.com/net-snmp/net-snmp/pull/167 . + +[bvanassche: modified the behavior of this patch] +--- + agent/mibgroup/hardware/memory/memory_linux.c | 20 ++++++++++++++++++- + agent/mibgroup/ucd-snmp/memory.c | 12 ++++++++++- + agent/mibgroup/ucd-snmp/memory.h | 1 + + include/net-snmp/agent/hardware/memory.h | 1 + + mibs/UCD-SNMP-MIB.txt | 16 +++++++++++++++ + 5 files changed, 48 insertions(+), 2 deletions(-) + +diff --git a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c +index 6d5e86cde4..4ae235c2d0 100644 +--- a/agent/mibgroup/hardware/memory/memory_linux.c ++++ b/agent/mibgroup/hardware/memory/memory_linux.c +@@ -24,7 +24,8 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) { + static int first = 1; + ssize_t bytes_read; + char *b; +- unsigned long memtotal = 0, memfree = 0, memshared = 0, ++ int have_memavail = 0; ++ unsigned long memtotal = 0, memavail = 0, memfree = 0, memshared = 0, + buffers = 0, cached = 0, sreclaimable = 0, + swaptotal = 0, swapfree = 0; + +@@ -81,6 +82,11 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) { + if (first) + snmp_log(LOG_ERR, "No MemTotal line in /proc/meminfo\n"); + } ++ b = strstr(buff, "MemAvailable: "); ++ if (b) { ++ have_memavail = 1; ++ sscanf(b, "MemAvailable: %lu", &memavail); ++ } + b = strstr(buff, "MemFree: "); + if (b) + sscanf(b, "MemFree: %lu", &memfree); +@@ -151,6 +157,18 @@ int netsnmp_mem_arch_load( netsnmp_cache *cache, void *magic ) { + mem->other = -1; + } + ++ if (have_memavail) { ++ mem = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 1); ++ if (mem) { ++ if (!mem->descr) ++ mem->descr = strdup("Available memory"); ++ mem->units = 1024; ++ mem->size = memavail; ++ mem->free = memavail; ++ mem->other = -1; ++ } ++ } ++ + mem = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_VIRTMEM, 1 ); + if (!mem) { + snmp_log_perror("No Virtual Memory info entry"); +diff --git a/agent/mibgroup/ucd-snmp/memory.c b/agent/mibgroup/ucd-snmp/memory.c +index 371a77e9a5..158b28e67b 100644 +--- a/agent/mibgroup/ucd-snmp/memory.c ++++ b/agent/mibgroup/ucd-snmp/memory.c +@@ -26,7 +26,7 @@ init_memory(void) + netsnmp_create_handler_registration("memory", handle_memory, + memory_oid, OID_LENGTH(memory_oid), + HANDLER_CAN_RONLY), +- 1, 26); ++ 1, 27); + netsnmp_register_scalar( + netsnmp_create_handler_registration("memSwapError", handle_memory, + memSwapError_oid, OID_LENGTH(memSwapError_oid), +@@ -272,6 +272,16 @@ handle_memory(netsnmp_mib_handler *handler, + c64.low = val & 0xFFFFFFFF; + c64.high = val >>32; + break; ++ case MEMORY_SYS_AVAIL: ++ type = ASN_COUNTER64; ++ mem_info = netsnmp_memory_get_byIdx(NETSNMP_MEM_TYPE_AVAILMEM, 0); ++ if (!mem_info) ++ goto NOSUCH; ++ val = mem_info->size; /* memavail */ ++ val *= (mem_info->units/1024); ++ c64.low = val & 0xFFFFFFFF; ++ c64.high = val >> 32; ++ break; + case MEMORY_SWAP_ERROR: + mem_info = netsnmp_memory_get_byIdx( NETSNMP_MEM_TYPE_SWAP, 0 ); + if (!mem_info) +diff --git a/agent/mibgroup/ucd-snmp/memory.h b/agent/mibgroup/ucd-snmp/memory.h +index ded2140227..54a56a2fdb 100644 +--- a/agent/mibgroup/ucd-snmp/memory.h ++++ b/agent/mibgroup/ucd-snmp/memory.h +@@ -41,6 +41,7 @@ Netsnmp_Node_Handler handle_memory; + #define MEMORY_SHARED_X 24 + #define MEMORY_BUFFER_X 25 + #define MEMORY_CACHED_X 26 ++#define MEMORY_SYS_AVAIL 27 + #define MEMORY_SWAP_ERROR 100 + #define MEMORY_SWAP_ERRMSG 101 + #endif /* MEMORY_H */ +diff --git a/include/net-snmp/agent/hardware/memory.h b/include/net-snmp/agent/hardware/memory.h +index 54265cf22a..aca3a4d00d 100644 +--- a/include/net-snmp/agent/hardware/memory.h ++++ b/include/net-snmp/agent/hardware/memory.h +@@ -10,6 +10,7 @@ typedef struct netsnmp_memory_info_s netsnmp_memory_info; + #define NETSNMP_MEM_TYPE_SHARED 8 + #define NETSNMP_MEM_TYPE_SHARED2 9 + #define NETSNMP_MEM_TYPE_SWAP 10 ++#define NETSNMP_MEM_TYPE_AVAILMEM 11 + /* Leave space for individual swap devices */ + #define NETSNMP_MEM_TYPE_MAX 30 + +diff --git a/mibs/UCD-SNMP-MIB.txt b/mibs/UCD-SNMP-MIB.txt +index cde67feb50..d360bad025 100644 +--- a/mibs/UCD-SNMP-MIB.txt ++++ b/mibs/UCD-SNMP-MIB.txt +@@ -746,6 +746,22 @@ memCachedX OBJECT-TYPE + memory as specifically reserved for this purpose." + ::= { memory 26 } + ++memSysAvail OBJECT-TYPE ++ SYNTAX CounterBasedGauge64 ++ UNITS "kB" ++ MAX-ACCESS read-only ++ STATUS current ++ DESCRIPTION ++ "The total amount of available memory, which is an estimate ++ of how much memory is available for starting new applications, ++ without swapping. ++ ++ This object will not be implemented on hosts where the ++ underlying operating system does not explicitly identify ++ memory as specifically reserved for this purpose." ++ ::= { memory 27 } ++ ++ + memSwapError OBJECT-TYPE + SYNTAX UCDErrorFlag + MAX-ACCESS read-only + diff --git a/SOURCES/net-snmp-5.8-proxy.patch b/SOURCES/net-snmp-5.8-proxy.patch new file mode 100644 index 0000000..3e80acd --- /dev/null +++ b/SOURCES/net-snmp-5.8-proxy.patch @@ -0,0 +1,46 @@ +From b67afb81eb0f7ad89496cd3e672654bfd8c55d0e Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Sat, 21 Mar 2020 20:03:13 -0700 +Subject: [PATCH] snmpd: UCD-SNMP proxy: Fix a crash triggered by a wrong + passphrase + +See also https://github.com/net-snmp/net-snmp/issues/82 . +--- + agent/mibgroup/ucd-snmp/proxy.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c +index f4eb03ef6f..548ae7588f 100644 +--- a/agent/mibgroup/ucd-snmp/proxy.c ++++ b/agent/mibgroup/ucd-snmp/proxy.c +@@ -698,8 +698,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid, + "proxy OID return length too long.\n"); + netsnmp_set_request_error(cache->reqinfo, requests, + SNMP_ERR_GENERR); +- if (pdu) +- snmp_free_pdu(pdu); + netsnmp_free_delegated_cache(cache); + return 1; + } +@@ -723,8 +721,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid, + * ack, this is bad. The # of varbinds don't match and + * there is no way to fix the problem + */ +- if (pdu) +- snmp_free_pdu(pdu); + snmp_log(LOG_ERR, + "response to proxy request illegal. We're screwed.\n"); + netsnmp_set_request_error(cache->reqinfo, requests, +@@ -735,11 +731,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid, + if (cache->reqinfo->mode == MODE_GETBULK) + netsnmp_bulk_to_next_fix_requests(requests); + +- /* +- * free the response +- */ +- if (pdu && 0) +- snmp_free_pdu(pdu); + break; + + default: + diff --git a/SOURCES/net-snmp-5.8-truncating-log-once.patch b/SOURCES/net-snmp-5.8-truncating-log-once.patch new file mode 100644 index 0000000..02bbf54 --- /dev/null +++ b/SOURCES/net-snmp-5.8-truncating-log-once.patch @@ -0,0 +1,48 @@ +From 7330e3e3e08d9baff23332e764f9a53561939fff Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 2 Sep 2021 21:06:54 -0700 +Subject: [PATCH] libsnmp: Log "Truncating integer value >32 bits" once + +Log this message once instead of every time sysUpTime and/or +hrSystemUptime are accessed after snmpd is running for more than 497 days. + +Fixes: https://github.com/net-snmp/net-snmp/issues/144 +--- + snmplib/snmp_client.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/snmplib/snmp_client.c b/snmplib/snmp_client.c +index 0f539c63fe..b00670d973 100644 +--- a/snmplib/snmp_client.c ++++ b/snmplib/snmp_client.c +@@ -853,7 +853,8 @@ snmp_set_var_value(netsnmp_variable_list * vars, + = (const u_long *) value; + *(vars->val.integer) = *val_ulong; + if (*(vars->val.integer) > 0xffffffff) { +- snmp_log(LOG_ERR,"truncating integer value > 32 bits\n"); ++ NETSNMP_LOGONCE((LOG_INFO, ++ "truncating integer value > 32 bits\n")); + *(vars->val.integer) &= 0xffffffff; + } + } +@@ -865,7 +866,8 @@ snmp_set_var_value(netsnmp_variable_list * vars, + = (const unsigned long long *) value; + *(vars->val.integer) = (long) *val_ullong; + if (*(vars->val.integer) > 0xffffffff) { +- snmp_log(LOG_ERR,"truncating integer value > 32 bits\n"); ++ NETSNMP_LOGONCE((LOG_INFO, ++ "truncating integer value > 32 bits\n")); + *(vars->val.integer) &= 0xffffffff; + } + } +@@ -877,7 +879,8 @@ snmp_set_var_value(netsnmp_variable_list * vars, + = (const uintmax_t *) value; + *(vars->val.integer) = (long) *val_uintmax_t; + if (*(vars->val.integer) > 0xffffffff) { +- snmp_log(LOG_ERR,"truncating integer value > 32 bits\n"); ++ NETSNMP_LOGONCE((LOG_INFO, ++ "truncating integer value > 32 bits\n")); + *(vars->val.integer) &= 0xffffffff; + } + } + diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec index 0d221a2..514feed 100644 --- a/SPECS/net-snmp.spec +++ b/SPECS/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.8 -Release: 28%{?dist} +Release: 30%{?dist} Epoch: 1 License: BSD @@ -77,6 +77,10 @@ Patch48: net-snmp-5.8-CVE-2022-44792-44793.patch Patch49: net-snmp-5.8-ipv6-disable-leak.patch Patch50: net-snmp-5.8-proxy-time-out.patch Patch51: net-snmp-5.8-sendmsg-error-code.patch +Patch52: net-snmp-5.8-memavailable.patch +Patch53: net-snmp-5.8-proxy.patch +Patch54: net-snmp-5.8-truncating-log-once.patch +Patch55: net-snmp-5.8-CVE-2022-24805-24810.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch @@ -253,6 +257,10 @@ rm -r python %patch49 -p1 -b .ipv6-disable-leak %patch50 -p1 -b .proxy-time-out %patch51 -p1 -b .sendmsg-error-code +%patch52 -p1 -b .memavailable +%patch53 -p1 -b .proxy +%patch54 -p1 -b .truncating-log-once +%patch55 -p1 -b .CVE-2022-24805-24810 %patch101 -p1 -b .modern-rpm-api @@ -507,6 +515,15 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Mon Mar 04 2024 Josef Ridky - 1:5.8-30 +- fix crash when configured as proxy - issue 82 (RHEL-14454) +- log once truncating issue (RHEL-13597) +- fix CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, + CVE-2022-24809 and CVE-2022-24810 (RHEL-26650) + +* Tue Jan 23 2024 Josef Ridky - 1:5.8-29 +- backport MemAvailable report from upstream (RHEL-21780) + * Wed Aug 02 2023 Josef Ridky - 1:5.8-28 - fix sendmsg error code for new kernel (#2185787)