diff --git a/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch b/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch
new file mode 100644
index 0000000..394c714
--- /dev/null
+++ b/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch
@@ -0,0 +1,70 @@
+diff -urNp old/agent/mibgroup/agent/extend.c new/agent/mibgroup/agent/extend.c
+--- old/agent/mibgroup/agent/extend.c 2020-11-11 12:41:46.377115142 +0100
++++ new/agent/mibgroup/agent/extend.c 2020-11-11 12:50:28.047142105 +0100
+@@ -16,6 +16,12 @@
+ #define SHELLCOMMAND 3
+ #endif
+ 
++/* This mib is potentially dangerous to turn on by default, since it
++ * allows arbitrary commands to be set by anyone with SNMP WRITE
++ * access to the MIB table. If all of your users are "root" level
++ * users, then it may be safe to turn on. */
++#define ENABLE_EXTEND_WRITE_ACCESS 0
++
+ netsnmp_feature_require(extract_table_row_data)
+ netsnmp_feature_require(table_data_delete_table)
+ #ifndef NETSNMP_NO_WRITE_SUPPORT
+@@ -723,7 +729,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ *
+ **********/
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ case MODE_SET_RESERVE1:
+ /*
+ * Validate the new assignments
+@@ -1049,7 +1055,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ break;
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */
+ 
+ default:
+ netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);
+@@ -1057,7 +1063,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ /*
+ * If we're marking a given row as active,
+ * then we need to check that it's ready.
+@@ -1082,7 +1088,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+ 
+ return SNMP_ERR_NOERROR;
+ }
+@@ -1571,7 +1577,7 @@ fixExec2Error(int action,
+ idx = name[name_len-1] -1;
+ exten = &compatability_entries[ idx ];
+ 
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ switch (action) {
+ case MODE_SET_RESERVE1:
+ if (var_val_type != ASN_INTEGER) {
+@@ -1592,7 +1598,7 @@ fixExec2Error(int action,
+ case MODE_SET_COMMIT:
+ netsnmp_cache_check_and_reload( exten->efix_entry->cache );
+ }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+ return SNMP_ERR_NOERROR;
+ }
+ #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */
diff --git a/SOURCES/net-snmp-5.8-bulk.patch b/SOURCES/net-snmp-5.8-bulk.patch
new file mode 100644
index 0000000..6e0a563
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-bulk.patch
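Review bot: With `ENABLE_EXTEND_WRITE_ACCESS` at 0, `fixExec2Error` (guards at `@@ -1571` and `@@ -1592`) compiles out its whole `switch (action)` and falls straight to `return SNMP_ERR_NOERROR;`, so a SET that the agent now ignores is still reported to the manager as successful; in `handle_nsExtendConfigTable` the removed SET cases appear to land in `default:` and come back as `SNMP_ERR_GENERR`. An explicit rejection would be clearer for clients and for anyone auditing write attempts, e.g. adding `#else` / `return SNMP_ERR_NOTWRITABLE;` ahead of the `#endif` in `fixExec2Error`. None of the hunks touch the table's handler registration, so it is worth confirming that it is registered read-only (`HANDLER_CAN_RONLY`) when the macro is 0. Both functions start and end outside the quoted context.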
@@ -0,0 +1,51 @@
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-09-29 14:08:09.821479662 +0200
++++ b/snmplib/snmp_api.c 2020-10-01 10:15:46.607374362 +0200
+@@ -769,7 +769,7 @@ snmp_sess_init(netsnmp_session * session
+ session->retries = SNMP_DEFAULT_RETRIES;
+ session->version = SNMP_DEFAULT_VERSION;
+ session->securityModel = SNMP_DEFAULT_SECMODEL;
+- session->rcvMsgMaxSize = SNMP_MAX_MSG_SIZE;
++ session->rcvMsgMaxSize = netsnmp_max_send_msg_size();
+ session->sndMsgMaxSize = netsnmp_max_send_msg_size();
+ session->flags |= SNMP_FLAGS_DONT_PROBE;
+ }
+@@ -2731,7 +2731,7 @@ snmpv3_packet_build(netsnmp_session * se
+ /*
+ * build a scopedPDU structure into spdu_buf
+ */
+- spdu_buf_len = SNMP_MAX_MSG_SIZE;
++ spdu_buf_len = sizeof(spdu_buf);
+ DEBUGDUMPSECTION("send", "ScopedPdu");
+ cp = snmpv3_scopedPDU_header_build(pdu, spdu_buf, &spdu_buf_len,
+ &spdu_hdr_e);
+@@ -2743,6 +2743,11 @@ snmpv3_packet_build(netsnmp_session * se
+ */
+ DEBUGPRINTPDUTYPE("send", ((pdu_data) ? 
*pdu_data : 0x00)); + if (pdu_data) { ++ if (cp + pdu_data_len > spdu_buf + sizeof(spdu_buf)) { ++ snmp_log(LOG_ERR, "%s: PDU too big (%" NETSNMP_PRIz "d > %" NETSNMP_PRIz "d)\n", ++ __func__, pdu_data_len, sizeof(spdu_buf)); ++ return -1; ++ } + memcpy(cp, pdu_data, pdu_data_len); + cp += pdu_data_len; + } else { +@@ -2756,7 +2761,7 @@ snmpv3_packet_build(netsnmp_session * se + * re-encode the actual ASN.1 length of the scopedPdu + */ + spdu_len = cp - spdu_hdr_e; /* length of scopedPdu minus ASN.1 headers */ +- spdu_buf_len = SNMP_MAX_MSG_SIZE; ++ spdu_buf_len = sizeof(spdu_buf); + if (asn_build_sequence(spdu_buf, &spdu_buf_len, + (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR), + spdu_len) == NULL) +@@ -2769,7 +2774,7 @@ snmpv3_packet_build(netsnmp_session * se + * message - the entire message to transmitted on the wire is returned + */ + cp = NULL; +- *out_length = SNMP_MAX_MSG_SIZE; ++ *out_length = sizeof(spdu_buf); + DEBUGDUMPSECTION("send", "SM msgSecurityParameters"); + sptr = find_sec_mod(pdu->securityModel); + if (sptr && sptr->encode_forward) { diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec index f85bdff..e26f3d5 100644 --- a/SPECS/net-snmp.spec +++ b/SPECS/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.8 -Release: 17%{?dist} +Release: 18%{?dist}.1 Epoch: 1 License: BSD @@ -56,6 +56,8 @@ Patch27: net-snmp-5.8-ipAddress-faster-load.patch Patch28: net-snmp-5.8-rpm-memory-leak.patch Patch29: net-snmp-5.8-sec-memory-leak.patch Patch30: net-snmp-5.8-aes-config.patch +Patch31: net-snmp-5.7.2-CVE-2020-15862.patch +Patch32: net-snmp-5.8-bulk.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch @@ -211,6 +213,8 @@ rm -r python %patch28 -p1 -b .rpm-memory-leak %patch29 -p1 -b .sec-memory-leak %patch30 -p1 -b .aes-config +%patch31 -p1 -b .CVE-2020-15862 +%patch32 -p1 -b .bulk %patch101 -p1 -b .modern-rpm-api 
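Review bot: The new bounds check ahead of `memcpy(cp, pdu_data, pdu_data_len)` computes `cp + pdu_data_len` before comparing, and that pointer sum is itself out of range (undefined behaviour, and able to wrap) when `pdu_data_len` is large, which is the very case the check is there to catch. Comparing lengths avoids forming the pointer: `if (pdu_data_len > (size_t)(spdu_buf + sizeof(spdu_buf) - cp)) {`. The log call prints `sizeof(spdu_buf)` and (presumably `size_t`) `pdu_data_len` with `NETSNMP_PRIz "d"`; `NETSNMP_PRIz "u"` matches the unsigned type. All the `sizeof(spdu_buf)` replacements are only correct if `spdu_buf` is an array local to `snmpv3_packet_build`, and `*out_length = sizeof(spdu_buf)` additionally assumes the caller's packet buffer is at least that large; both declarations lie outside the hunks.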
@@ -389,8 +393,8 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %doc README.thread AGENT.txt PORTING local/README.mib2c %doc IETF-MIB-LICENSE.txt %dir %{_sysconfdir}/snmp -%config(noreplace) %attr(0650,root,root) %{_sysconfdir}/snmp/snmpd.conf -%config(noreplace) %attr(0650,root,root) %{_sysconfdir}/snmp/snmptrapd.conf +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmpd.conf +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmptrapd.conf %{_bindir}/snmpconf %{_bindir}/net-snmp-create-v3-user %{_sbindir}/* @@ -465,6 +469,13 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Tue Dec 01 2020 Josef Ridky - 1:5.8-18.1 +- revert permission of config files to 600 (#1902662) + +* Wed Nov 11 2020 Josef Ridky - 1:5.8-18 +- fix CVE-2020-15862 (#1886100) +- fix bulk responses for invalid PID (#1896760) + * Tue Aug 11 2020 Josef Ridky - 1:5.8-17 - add math library in LDFLAGS (#1846252) @@ -524,7 +535,7 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test * Mon Aug 13 2018 Josef Ridky - 1:5.8-2 - fix default configuration file (#1589480 and #1594147) -- modify permissions for /var/log files (#1601060) +- modify permissions for config files (#1601060) * Thu Aug 09 2018 Josef Ridky - 1:5.8-1 - remove python package and update to the last upstream version (#1584510)
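Review bot: The tightened `%attr(0600,root,root)` on snmpd.conf and snmptrapd.conf in the `@@ -389,8 +393,8 @@` hunk sits on `%config(noreplace)` entries, so it is worth verifying on an upgraded host with a locally edited snmpd.conf that the on-disk file really ends up at 0600 rather than keeping the 0650 shipped by the previous release; no scriptlet correcting the mode is visible in this diff. A one-line comment above the two entries recording why group access is withheld, for example `# may hold community strings and SNMPv3 user credentials; keep root-only`, would help stop the mode from being loosened again.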