diff --git a/net-snmp-5.7.3-CVE-2018-1000116.patch b/net-snmp-5.7.3-CVE-2018-1000116.patch new file mode 100644 index 0000000..e7adffd --- /dev/null +++ b/net-snmp-5.7.3-CVE-2018-1000116.patch @@ -0,0 +1,200 @@ +diff -urNp old/snmplib/snmp_api.c new/snmplib/snmp_api.c +--- old/snmplib/snmp_api.c 2018-03-08 09:08:50.675762351 +0100 ++++ new/snmplib/snmp_api.c 2018-03-08 09:27:13.289076553 +0100 +@@ -4350,12 +4350,10 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + u_char type; + u_char msg_type; + u_char *var_val; +- int badtype = 0; + size_t len; + size_t four; +- netsnmp_variable_list *vp = NULL; ++ netsnmp_variable_list *vp = NULL, *vplast = NULL; + oid objid[MAX_OID_LEN]; +- u_char *p; + + /* + * Get the PDU type +@@ -4493,38 +4491,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + (ASN_SEQUENCE | ASN_CONSTRUCTOR), + "varbinds"); + if (data == NULL) +- return -1; ++ goto fail; + + /* + * get each varBind sequence + */ + while ((int) *length > 0) { +- netsnmp_variable_list *vptemp; +- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); +- if (NULL == vptemp) { +- return -1; +- } +- if (NULL == vp) { +- pdu->variables = vptemp; +- } else { +- vp->next_variable = vptemp; +- } +- vp = vptemp; ++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list); ++ if (NULL == vp) ++ goto fail; + +- vp->next_variable = NULL; +- vp->val.string = NULL; + vp->name_length = MAX_OID_LEN; +- vp->name = NULL; +- vp->index = 0; +- vp->data = NULL; +- vp->dataFreeHook = NULL; + DEBUGDUMPSECTION("recv", "VarBind"); + data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, + &vp->val_len, &var_val, length); + if (data == NULL) +- return -1; ++ goto fail; + if (snmp_set_var_objid(vp, objid, vp->name_length)) +- return -1; ++ goto fail; + + len = MAX_PACKET_LENGTH; + DEBUGDUMPHEADER("recv", "Value"); +@@ -4532,11 +4516,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_INTEGER: + vp->val.integer = (long *) vp->buf; + vp->val_len = sizeof(long); +- p = asn_parse_int(var_val, &len, &vp->type, ++ asn_parse_int(var_val, &len, &vp->type, + (long *) vp->val.integer, + sizeof(*vp->val.integer)); +- if (!p) +- return -1; + break; + case ASN_COUNTER: + case ASN_GAUGE: +@@ -4544,11 +4526,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_UINTEGER: + vp->val.integer = (long *) vp->buf; + vp->val_len = sizeof(u_long); +- p = asn_parse_unsigned_int(var_val, &len, &vp->type, ++ asn_parse_unsigned_int(var_val, &len, &vp->type, + (u_long *) vp->val.integer, + vp->val_len); +- if (!p) +- return -1; + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_COUNTER64: +@@ -4557,38 +4537,30 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_COUNTER64: + vp->val.counter64 = (struct counter64 *) vp->buf; + vp->val_len = sizeof(struct counter64); +- p = asn_parse_unsigned_int64(var_val, &len, &vp->type, ++ asn_parse_unsigned_int64(var_val, &len, &vp->type, + (struct counter64 *) vp->val. + counter64, vp->val_len); +- if (!p) +- return -1; + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: + vp->val.floatVal = (float *) vp->buf; + vp->val_len = sizeof(float); +- p = asn_parse_float(var_val, &len, &vp->type, ++ asn_parse_float(var_val, &len, &vp->type, + vp->val.floatVal, vp->val_len); +- if (!p) +- return -1; + break; + case ASN_OPAQUE_DOUBLE: + vp->val.doubleVal = (double *) vp->buf; + vp->val_len = sizeof(double); +- p = asn_parse_double(var_val, &len, &vp->type, ++ asn_parse_double(var_val, &len, &vp->type, + vp->val.doubleVal, vp->val_len); +- if (!p) +- return -1; + break; + case ASN_OPAQUE_I64: + vp->val.counter64 = (struct counter64 *) vp->buf; + vp->val_len = sizeof(struct counter64); +- p = asn_parse_signed_int64(var_val, &len, &vp->type, ++ asn_parse_signed_int64(var_val, &len, &vp->type, + (struct counter64 *) vp->val.counter64, + sizeof(*vp->val.counter64)); + +- if (!p) +- return -1; + break; + #endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */ + case ASN_IPADDRESS: +@@ -4604,22 +4576,18 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + vp->val.string = (u_char *) malloc(vp->val_len); + } + if (vp->val.string == NULL) { +- return -1; ++ goto fail; + } +- p = asn_parse_string(var_val, &len, &vp->type, vp->val.string, ++ asn_parse_string(var_val, &len, &vp->type, vp->val.string, + &vp->val_len); +- if (!p) +- return -1; + break; + case ASN_OBJECT_ID: + vp->val_len = MAX_OID_LEN; +- p = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len); +- if (!p) +- return -1; ++ asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len); + vp->val_len *= sizeof(oid); + vp->val.objid = (oid *) malloc(vp->val_len); + if (vp->val.objid == NULL) { +- return -1; ++ goto fail; + } + memmove(vp->val.objid, objid, vp->val_len); + break; +@@ -4631,21 +4599,34 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_BIT_STR: + vp->val.bitstring = (u_char *) malloc(vp->val_len); + if (vp->val.bitstring == NULL) { +- return -1; ++ goto fail; + } +- p = asn_parse_bitstring(var_val, &len, &vp->type, ++ asn_parse_bitstring(var_val, &len, &vp->type, + vp->val.bitstring, &vp->val_len); +- if (!p) +- return -1; + break; + default: + snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type); +- badtype = -1; ++ goto fail; + break; + } + DEBUGINDENTADD(-4); +- } +- return badtype; ++ if (NULL == vplast) { ++ pdu->variables = vp; ++ } else { ++ vplast->next_variable = vp; ++ } ++ vplast = vp; ++ vp = NULL; ++ } ++ return 0; ++ ++ fail: ++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n")); ++ /** if we were parsing a var, remove it from the pdu and free it */ ++ if (vp) ++ snmp_free_var(vp); ++ ++ return -1; + } + + /* diff --git a/net-snmp.spec b/net-snmp.spec index 590d778..118895f 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -11,7 +11,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.7.3 -Release: 26%{?dist} +Release: 27%{?dist} Epoch: 1 License: BSD @@ -62,7 +62,7 @@ Patch17: net-snmp-5.7.3-mariadb102.patch # https://sourceforge.net/p/net-snmp/bugs/2792/attachment/0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch # (rebased on 5.7.3) Patch18: 0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch - +Patch19: net-snmp-5.7.3-CVE-2018-1000116.patch # This patch fix issue with new OpenSLL library in rawhide (f26+) # !!!WARNING!!! DO NOT USE IT FOR OLDER FEDORA RELEASES (>f26) Patch100: net-snmp-5.7.3-openssl.patch @@ -244,6 +244,7 @@ cp %{SOURCE12} . %patch16 -p1 -b .strtok-r %patch17 -p1 -b .mariadb102 %patch18 -p1 -b .perlfix +%patch19 -p1 -b .CVE-2018-1000116 %patch100 -p1 -b .openssl %patch101 -p1 -b .modern-rpm-api @@ -553,6 +554,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Thu Mar 08 2018 Josef Ridky - 1:5.7.3-27 +- CVE-2018-1000116 Heap corruption in snmp_pdu_parse (#1552844) + * Fri Feb 16 2018 Josef Ridky - 1:5.7.3-26 - Fix issue in systemd patch (#1545946)