fix various flaws (CVE-2008-2292 CVE-2008-0960)

This commit is contained in:
Jan Šafránek 2008-06-10 06:02:57 +00:00
parent 0b6f258dc7
commit 8f6b993902
3 changed files with 132 additions and 1 deletions

View File

@ -0,0 +1,18 @@
447974: CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044)
Source: upstream, https://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
Reviewed-by: Jan Safranek <jsafrane@redhat.com>
diff -up net-snmp-5.0.9/snmplib/scapi.c.orig net-snmp-5.0.9/snmplib/scapi.c
--- net-snmp-5.0.9/snmplib/scapi.c.orig 2008-06-04 10:19:26.000000000 +0200
+++ net-snmp-5.0.9/snmplib/scapi.c 2008-06-04 10:20:45.000000000 +0200
@@ -460,6 +460,9 @@ sc_check_keyed_hash(const oid * authtype
QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
}
+ if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
+ QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+ }
/*
* Generate a full hash of the message, then compare

View File

@ -0,0 +1,106 @@
447262: CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value()
Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&sortby=date&revision=16770
Reviewed-By: Jan Safranek <jsafrane@redhat.com>
--- branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/21 23:19:29 16769
+++ branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/22 19:22:44 16770
@@ -470,14 +470,16 @@
if (flag == USE_ENUMS) {
for(ep = tp->enums; ep; ep = ep->next) {
if (ep->value == *var->val.integer) {
- strcpy(buf, ep->label);
+ strncpy(buf, ep->label, buf_len);
+ buf[buf_len-1] = '\0';
len = strlen(buf);
break;
}
}
}
if (!len) {
- sprintf(buf,"%ld", *var->val.integer);
+ snprintf(buf, buf_len, "%ld", *var->val.integer);
+ buf[buf_len-1] = '\0';
len = strlen(buf);
}
break;
@@ -486,21 +488,25 @@
case ASN_COUNTER:
case ASN_TIMETICKS:
case ASN_UINTEGER:
- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
+ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+ buf[buf_len-1] = '\0';
len = strlen(buf);
break;
case ASN_OCTET_STR:
case ASN_OPAQUE:
- memcpy(buf, (char*)var->val.string, var->val_len);
len = var->val_len;
+ if ( len > buf_len )
+ len = buf_len;
+ memcpy(buf, (char*)var->val.string, len);
break;
case ASN_IPADDRESS:
- ip = (u_char*)var->val.string;
- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
- len = strlen(buf);
- break;
+ ip = (u_char*)var->val.string;
+ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ break;
case ASN_NULL:
break;
@@ -512,14 +518,14 @@
break;
case SNMP_ENDOFMIBVIEW:
- sprintf(buf,"%s", "ENDOFMIBVIEW");
- break;
+ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+ break;
case SNMP_NOSUCHOBJECT:
- sprintf(buf,"%s", "NOSUCHOBJECT");
- break;
+ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+ break;
case SNMP_NOSUCHINSTANCE:
- sprintf(buf,"%s", "NOSUCHINSTANCE");
- break;
+ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+ break;
case ASN_COUNTER64:
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
@@ -538,19 +544,19 @@
#endif
case ASN_BIT_STR:
- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
+ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
len = strlen(buf);
break;
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
case ASN_OPAQUE_FLOAT:
- if (var->val.floatVal)
- sprintf(buf,"%f", *var->val.floatVal);
- break;
+ if (var->val.floatVal)
+ snprintf(buf, buf_len, "%f", *var->val.floatVal);
+ break;
case ASN_OPAQUE_DOUBLE:
- if (var->val.doubleVal)
- sprintf(buf,"%f", *var->val.doubleVal);
- break;
+ if (var->val.doubleVal)
+ snprintf(buf, buf_len, "%f", *var->val.doubleVal);
+ break;
#endif
case ASN_NSAP:

View File

@ -7,7 +7,7 @@
Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp
Version: %{major_ver}
Release: 18%{?dist}
Release: 19%{?dist}
Epoch: 1
License: BSD and MIT
@ -39,6 +39,8 @@ Patch13: net-snmp-5.4.1-shared-ip.patch
Patch14: net-snmp-5.4-exec-crash.patch
Patch15: net-snmp-5.4.1-sensors3.patch
Patch16: net-snmp-5.4.1-xen-crash.patch
Patch17: net-snmp-5.4.1-hmac-check.patch
Patch18: net-snmp-5.4.1-perl-snprintf.patch
Requires(pre): chkconfig
Requires(post): chkconfig
@ -169,6 +171,8 @@ and applications.
%patch14 -p1 -b .exec
%patch15 -p0 -b .sensors
%patch16 -p0 -b .xen-crash
%patch17 -p1 -b .hmac-check
%patch18 -p3 -b .perl-snprintf
# Do this patch with a perl hack...
perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@ -385,6 +389,9 @@ rm -rf ${RPM_BUILD_ROOT}
%{_libdir}/lib*.so.*
%changelog
* Tue Jun 10 2008 Jan Safranek <jsafranek@redhat.com> 5.4.1-19
- fix various flaws (CVE-2008-2292 CVE-2008-0960)
* Sat May 31 2008 Dennis Gilmore <dennis@ausil.us> 5.4.1-18
- fix sparc handling in /usr/bin/net-snmp-config