4 changed files with 1 additions and 270 deletions
--- a/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch
+++ b/SOURCES/net-snmp-5.8-CVE-2022-24805-24810.patch
@ -1,163 +0,0 @@
 From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001
 From: Bill Fenner <fenner@gmail.com>
 Date: Tue, 24 Aug 2021 07:55:00 -0700
 Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request
 Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
 Fixes by: Arista Networks
 When a SET request includes a mix of delegated and
 non-delegated requests (e.g., objects handled by master
 agent and agentx sub-agent), the status can get lost while
 waiting for the reply from the sub-agent.  Recover the status
 into the session from the requests even if it has already
 been processed.
 ---
 agent/snmp_agent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
 index 84fbb42b47..095ee70985 100644
 --- a/agent/snmp_agent.c
 +++ b/agent/snmp_agent.c
@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
         if (requests->status != SNMP_ERR_NOERROR &&
             (!look_for_specific || requests->status == look_for_specific)
             && (look_for_specific || asp->index == 0
 -                || requests->index < asp->index)) {
 +                || requests->index <= asp->index)) {
             asp->index = requests->index;
             asp->status = requests->status;
         }
 From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001
 From: Bill Fenner <fenner@gmail.com>
 Date: Wed, 30 Jun 2021 14:00:28 -0700
 Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB,
 NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
 Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
 Fixes by: Arista Networks
 ---
 agent/mibgroup/agent/nsLogging.c         |  6 ++++++
 agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++--
 agent/mibgroup/mibII/vacm_vars.c         |  3 +++
 agent/mibgroup/snmpv3/usmUser.c          |  2 --
 4 files changed, 23 insertions(+), 4 deletions(-)
 diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c
 index 9abdeb5bb7..7f4290490a 100644
 --- a/agent/mibgroup/agent/nsLogging.c
 +++ b/agent/mibgroup/agent/nsLogging.c
@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
                 continue;
             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
             table_info  =                netsnmp_extract_table_info(request);
 +            if (!table_info || !table_info->indexes)
 +                continue;
             switch (table_info->colnum) {
             case NSLOGGING_TYPE:
@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
             }
             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
             table_info  =                 netsnmp_extract_table_info(request);
 +            if (!table_info || !table_info->indexes)
 +                continue;
             switch (table_info->colnum) {
             case NSLOGGING_TYPE:
@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
                 continue;
             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
             table_info  =                 netsnmp_extract_table_info(request);
 +            if (!table_info || !table_info->indexes)
 +                continue;
             switch (table_info->colnum) {
             case NSLOGGING_TYPE:
 diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c
 index cc61fce7e6..6c43210074 100644
 --- a/agent/mibgroup/agent/nsVacmAccessTable.c
 +++ b/agent/mibgroup/agent/nsVacmAccessTable.c
@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
             entry = (struct vacm_accessEntry *)
                 netsnmp_extract_iterator_context(request);
             table_info = netsnmp_extract_table_info(request);
 +            if (!table_info || !table_info->indexes)
 +                continue;
             /* Extract the authType token from the list of indexes */
             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
 +            if (idx->val_len >= sizeof(atype))
 +                continue;
             memset(atype, 0, sizeof(atype));
             memcpy(atype, (char *)idx->val.string, idx->val_len);
             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
             entry = (struct vacm_accessEntry *)
                 netsnmp_extract_iterator_context(request);
             table_info = netsnmp_extract_table_info(request);
 +            if (!table_info || !table_info->indexes)
 +                continue;
             ret = SNMP_ERR_NOERROR;
             switch (table_info->colnum) {
@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
                  * Extract the authType token from the list of indexes
                  */
                 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
 +                if (idx->val_len >= sizeof(atype))
 +                    continue;
                 memset(atype, 0, sizeof(atype));
                 memcpy(atype, (char *)idx->val.string, idx->val_len);
                 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
                          idx = idx->next_variable;  model = *idx->val.integer;
                          idx = idx->next_variable;  level = *idx->val.integer;
                          entry = vacm_createAccessEntry( gName, cPrefix, model, level );
 -                         entry->storageType = ST_NONVOLATILE;
 -                         netsnmp_insert_iterator_context(request, (void*)entry);
 +                         if (entry) {
 +                             entry->storageType = ST_NONVOLATILE;
 +                             netsnmp_insert_iterator_context(request, (void*)entry);
 +                         }
                     }
                 }
             }
@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
             /* Extract the authType token from the list of indexes */
             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
 +            if (idx->val_len >= sizeof(atype))
 +                continue;
             memset(atype, 0, sizeof(atype));
             memcpy(atype, (char *)idx->val.string, idx->val_len);
             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
 diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c
 index 469a1eba59..62c9a3d051 100644
 --- a/agent/mibgroup/mibII/vacm_vars.c
 +++ b/agent/mibgroup/mibII/vacm_vars.c
@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
         return 1;
     }
     groupNameL = oidIndex[0];
 +    if ((groupNameL + 1) > (int) oidLen) {
 +        return 1;
 +    }
     contextPrefixL = oidIndex[groupNameL + 1];  /* the initial name length */
     if ((int) oidLen != groupNameL + contextPrefixL + 4) {
         return 1;
 diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c
 index 0f52aaba49..0edea53cfb 100644
 --- a/agent/mibgroup/snmpv3/usmUser.c
 +++ b/agent/mibgroup/snmpv3/usmUser.c
@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action,
                 if (usmStatusCheck(uptr)) {
                     uptr->userStatus = RS_ACTIVE;
                 } else {
 -                    SNMP_FREE(engineID);
 -                    SNMP_FREE(newName);
                     return SNMP_ERR_INCONSISTENTVALUE;
                 }
             } else if (long_ret == RS_CREATEANDWAIT) {
--- a/SOURCES/net-snmp-5.8-proxy.patch
+++ b/SOURCES/net-snmp-5.8-proxy.patch
@ -1,46 +0,0 @@
 From b67afb81eb0f7ad89496cd3e672654bfd8c55d0e Mon Sep 17 00:00:00 2001
 From: Bart Van Assche <bvanassche@acm.org>
 Date: Sat, 21 Mar 2020 20:03:13 -0700
 Subject: [PATCH] snmpd: UCD-SNMP proxy: Fix a crash triggered by a wrong
 passphrase
 See also https://github.com/net-snmp/net-snmp/issues/82 .
 ---
 agent/mibgroup/ucd-snmp/proxy.c | 9 ---------
 1 file changed, 9 deletions(-)
 diff --git a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c
 index f4eb03ef6f..548ae7588f 100644
 --- a/agent/mibgroup/ucd-snmp/proxy.c
 +++ b/agent/mibgroup/ucd-snmp/proxy.c
@@ -698,8 +698,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid,
                                  "proxy OID return length too long.\n");
                         netsnmp_set_request_error(cache->reqinfo, requests,
                                                   SNMP_ERR_GENERR);
 -                        if (pdu)
 -                            snmp_free_pdu(pdu);
                         netsnmp_free_delegated_cache(cache);
                         return 1;
                     }
@@ -723,8 +721,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid,
              * ack, this is bad.  The # of varbinds don't match and
              * there is no way to fix the problem 
              */
 -            if (pdu)
 -                snmp_free_pdu(pdu);
             snmp_log(LOG_ERR,
                      "response to proxy request illegal.  We're screwed.\n");
             netsnmp_set_request_error(cache->reqinfo, requests,
@@ -735,11 +731,6 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid,
         if (cache->reqinfo->mode == MODE_GETBULK)
             netsnmp_bulk_to_next_fix_requests(requests);
 -        /*
 -         * free the response 
 -         */
 -        if (pdu && 0)
 -            snmp_free_pdu(pdu);
 	break;
     default:
--- a/SOURCES/net-snmp-5.8-truncating-log-once.patch
+++ b/SOURCES/net-snmp-5.8-truncating-log-once.patch
@ -1,48 +0,0 @@
 From 7330e3e3e08d9baff23332e764f9a53561939fff Mon Sep 17 00:00:00 2001
 From: Bart Van Assche <bvanassche@acm.org>
 Date: Thu, 2 Sep 2021 21:06:54 -0700
 Subject: [PATCH] libsnmp: Log "Truncating integer value >32 bits" once
 Log this message once instead of every time sysUpTime and/or
 hrSystemUptime are accessed after snmpd is running for more than 497 days.
 Fixes: https://github.com/net-snmp/net-snmp/issues/144
 ---
 snmplib/snmp_client.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/snmplib/snmp_client.c b/snmplib/snmp_client.c
 index 0f539c63fe..b00670d973 100644
 --- a/snmplib/snmp_client.c
 +++ b/snmplib/snmp_client.c
@@ -853,7 +853,8 @@ snmp_set_var_value(netsnmp_variable_list * vars,
                 = (const u_long *) value;
             *(vars->val.integer) = *val_ulong;
             if (*(vars->val.integer) > 0xffffffff) {
 -                snmp_log(LOG_ERR,"truncating integer value > 32 bits\n");
 +                NETSNMP_LOGONCE((LOG_INFO,
 +                                 "truncating integer value > 32 bits\n"));
                 *(vars->val.integer) &= 0xffffffff;
             }
         }
@@ -865,7 +866,8 @@ snmp_set_var_value(netsnmp_variable_list * vars,
                 = (const unsigned long long *) value;
             *(vars->val.integer) = (long) *val_ullong;
             if (*(vars->val.integer) > 0xffffffff) {
 -                snmp_log(LOG_ERR,"truncating integer value > 32 bits\n");
 +                NETSNMP_LOGONCE((LOG_INFO,
 +                                 "truncating integer value > 32 bits\n"));
                 *(vars->val.integer) &= 0xffffffff;
             }
         }
@@ -877,7 +879,8 @@ snmp_set_var_value(netsnmp_variable_list * vars,
                 = (const uintmax_t *) value;
             *(vars->val.integer) = (long) *val_uintmax_t;
             if (*(vars->val.integer) > 0xffffffff) {
 -                snmp_log(LOG_ERR,"truncating integer value > 32 bits\n");
 +                NETSNMP_LOGONCE((LOG_INFO,
 +                                 "truncating integer value > 32 bits\n"));
                 *(vars->val.integer) &= 0xffffffff;
             }
         }
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@ -10,7 +10,7 @@
 Summary:    A collection of SNMP protocol tools and libraries
 Name:       net-snmp
 Version:    5.8
-Release:    30%{?dist}
+Release:    29%{?dist}
 Epoch:      1
 License:    BSD
@ -78,9 +78,6 @@ Patch49:    net-snmp-5.8-ipv6-disable-leak.patch
 Patch50:    net-snmp-5.8-proxy-time-out.patch
 Patch51:    net-snmp-5.8-sendmsg-error-code.patch
 Patch52:    net-snmp-5.8-memavailable.patch
 Patch53:    net-snmp-5.8-proxy.patch
 Patch54:    net-snmp-5.8-truncating-log-once.patch
 Patch55:    net-snmp-5.8-CVE-2022-24805-24810.patch
 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@ -258,9 +255,6 @@ rm -r python
 %patch50 -p1 -b .proxy-time-out
 %patch51 -p1 -b .sendmsg-error-code
 %patch52 -p1 -b .memavailable
 %patch53 -p1 -b .proxy
 %patch54 -p1 -b .truncating-log-once
 %patch55 -p1 -b .CVE-2022-24805-24810
 %patch101 -p1 -b .modern-rpm-api
@ -515,12 +509,6 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*
 %changelog
 * Mon Mar 04 2024 Josef Ridky <jridky@redhat.com> - 1:5.8-30
 - fix crash when configured as proxy - issue 82 (RHEL-14454)
 - log once truncating issue (RHEL-13597)
 - fix CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
  CVE-2022-24809 and CVE-2022-24810 (RHEL-26650)
 * Tue Jan 23 2024 Josef Ridky <jridky@redhat.com> - 1:5.8-29
 - backport MemAvailable report from upstream (RHEL-21780)