import net-snmp-5.8-18.el8_3.1

2020-12-15 10:59:37 -05:00 · 2020-12-15 10:59:37 -05:00 · d21b2d74cd
parent 102cd86e60
commit d21b2d74cd
3 changed files with 136 additions and 4 deletions
--- a/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch
+++ b/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch
@ -0,0 +1,70 @@
+diff -urNp old/agent/mibgroup/agent/extend.c new/agent/mibgroup/agent/extend.c
+--- old/agent/mibgroup/agent/extend.c	2020-11-11 12:41:46.377115142 +0100
+++ new/agent/mibgroup/agent/extend.c	2020-11-11 12:50:28.047142105 +0100
+@@ -16,6 +16,12 @@
+ #define SHELLCOMMAND 3
+ #endif
+ 
+/*  This mib is potentially dangerous to turn on by default, since it
+ *  allows arbitrary commands to be set by anyone with SNMP WRITE
+ *  access to the MIB table.  If all of your users are "root" level
+ *  users, then it may be safe to turn on. */
+#define ENABLE_EXTEND_WRITE_ACCESS 0
+
+ netsnmp_feature_require(extract_table_row_data)
+ netsnmp_feature_require(table_data_delete_table)
+ #ifndef NETSNMP_NO_WRITE_SUPPORT
+@@ -723,7 +729,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+          *
+          **********/
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
+#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+         case MODE_SET_RESERVE1:
+             /*
+              * Validate the new assignments
+@@ -1049,7 +1055,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+                 }
+             }
+             break;
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */ 
+#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */
+ 
+         default:
+             netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);
+@@ -1057,7 +1063,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+         }
+     }
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
+#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+     /*
+      * If we're marking a given row as active,
+      *  then we need to check that it's ready.
+@@ -1082,7 +1088,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+             }
+         }
+     }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
+#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+     
+     return SNMP_ERR_NOERROR;
+ }
+@@ -1571,7 +1577,7 @@ fixExec2Error(int action,
+     idx = name[name_len-1] -1;
+     exten = &compatability_entries[ idx ];
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
+#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+     switch (action) {
+     case MODE_SET_RESERVE1:
+         if (var_val_type != ASN_INTEGER) {
+@@ -1592,7 +1598,7 @@ fixExec2Error(int action,
+     case MODE_SET_COMMIT:
+         netsnmp_cache_check_and_reload( exten->efix_entry->cache );
+     }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
+#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+     return SNMP_ERR_NOERROR;
+ }
+ #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */
--- a/SOURCES/net-snmp-5.8-bulk.patch
+++ b/SOURCES/net-snmp-5.8-bulk.patch
@ -0,0 +1,51 @@
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c	2020-09-29 14:08:09.821479662 +0200
+++ b/snmplib/snmp_api.c	2020-10-01 10:15:46.607374362 +0200
+@@ -769,7 +769,7 @@ snmp_sess_init(netsnmp_session * session
+     session->retries = SNMP_DEFAULT_RETRIES;
+     session->version = SNMP_DEFAULT_VERSION;
+     session->securityModel = SNMP_DEFAULT_SECMODEL;
+-    session->rcvMsgMaxSize = SNMP_MAX_MSG_SIZE;
+    session->rcvMsgMaxSize = netsnmp_max_send_msg_size();
+     session->sndMsgMaxSize = netsnmp_max_send_msg_size();
+     session->flags |= SNMP_FLAGS_DONT_PROBE;
+ }
+@@ -2731,7 +2731,7 @@ snmpv3_packet_build(netsnmp_session * se
+     /*
+      * build a scopedPDU structure into spdu_buf
+      */
+-    spdu_buf_len = SNMP_MAX_MSG_SIZE;
+    spdu_buf_len = sizeof(spdu_buf);
+     DEBUGDUMPSECTION("send", "ScopedPdu");
+     cp = snmpv3_scopedPDU_header_build(pdu, spdu_buf, &spdu_buf_len,
+                                        &spdu_hdr_e);
+@@ -2743,6 +2743,11 @@ snmpv3_packet_build(netsnmp_session * se
+      */
+     DEBUGPRINTPDUTYPE("send", ((pdu_data) ? *pdu_data : 0x00));
+     if (pdu_data) {
+        if (cp + pdu_data_len > spdu_buf + sizeof(spdu_buf)) {
+            snmp_log(LOG_ERR, "%s: PDU too big (%" NETSNMP_PRIz "d > %" NETSNMP_PRIz "d)\n",
+                     __func__, pdu_data_len, sizeof(spdu_buf));
+            return -1;
+        }
+         memcpy(cp, pdu_data, pdu_data_len);
+         cp += pdu_data_len;
+     } else {
+@@ -2756,7 +2761,7 @@ snmpv3_packet_build(netsnmp_session * se
+      * re-encode the actual ASN.1 length of the scopedPdu
+      */
+     spdu_len = cp - spdu_hdr_e; /* length of scopedPdu minus ASN.1 headers */
+-    spdu_buf_len = SNMP_MAX_MSG_SIZE;
+    spdu_buf_len = sizeof(spdu_buf);
+     if (asn_build_sequence(spdu_buf, &spdu_buf_len,
+                            (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+                            spdu_len) == NULL)
+@@ -2769,7 +2774,7 @@ snmpv3_packet_build(netsnmp_session * se
+      * message - the entire message to transmitted on the wire is returned
+      */
+     cp = NULL;
+-    *out_length = SNMP_MAX_MSG_SIZE;
+    *out_length = sizeof(spdu_buf);
+     DEBUGDUMPSECTION("send", "SM msgSecurityParameters");
+     sptr = find_sec_mod(pdu->securityModel);
+     if (sptr && sptr->encode_forward) {
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.8
-Release:    17%{?dist}
+Release:    18%{?dist}.1
 Epoch:      1

 License:    BSD
@ -56,6 +56,8 @@ Patch27:    net-snmp-5.8-ipAddress-faster-load.patch
 Patch28:    net-snmp-5.8-rpm-memory-leak.patch
 Patch29:    net-snmp-5.8-sec-memory-leak.patch
 Patch30:    net-snmp-5.8-aes-config.patch
+Patch31:    net-snmp-5.7.2-CVE-2020-15862.patch
+Patch32:    net-snmp-5.8-bulk.patch

 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@ -211,6 +213,8 @@ rm -r python
 %patch28 -p1 -b .rpm-memory-leak
 %patch29 -p1 -b .sec-memory-leak
 %patch30 -p1 -b .aes-config
+%patch31 -p1 -b .CVE-2020-15862
+%patch32 -p1 -b .bulk

 %patch101 -p1 -b .modern-rpm-api

@ -389,8 +393,8 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %doc README.thread AGENT.txt PORTING local/README.mib2c
 %doc IETF-MIB-LICENSE.txt
 %dir %{_sysconfdir}/snmp
-%config(noreplace) %attr(0650,root,root) %{_sysconfdir}/snmp/snmpd.conf
-%config(noreplace) %attr(0650,root,root) %{_sysconfdir}/snmp/snmptrapd.conf
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmpd.conf
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmptrapd.conf
 %{_bindir}/snmpconf
 %{_bindir}/net-snmp-create-v3-user
 %{_sbindir}/*
@ -465,6 +469,13 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*

 %changelog
+* Tue Dec 01 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-18.1
+- revert permission of config files to 600 (#1902662)
+
+* Wed Nov 11 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-18
+- fix CVE-2020-15862 (#1886100)
+- fix bulk responses for invalid PID (#1896760)
+
 * Tue Aug 11 2020 Josef Ridky <jridky@redhat.com> - 1:5.8-17
 - add math library in LDFLAGS (#1846252)

@ -524,7 +535,7 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test

 * Mon Aug 13 2018 Josef Ridky <jridky@redhat.com> - 1:5.8-2
 - fix default configuration file (#1589480 and #1594147)
- modify permissions for /var/log files (#1601060)
+- modify permissions for config files (#1601060)

 * Thu Aug 09 2018 Josef Ridky <jridky@redhat.com> - 1:5.8-1
 - remove python package and update to the last upstream version (#1584510)