From e882a392e507d627407c28c6198633a5d883642a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C5=A0afr=C3=A1nek?=
Date: Tue, 10 Jun 2008 06:02:18 +0000
Subject: [PATCH] fix various flaws (CVE-2008-2292 CVE-2008-0960)
---
net-snmp-5.4.1-hmac-check.patch | 18 +++++
net-snmp-5.4.1-perl-snprintf.patch | 106 +++++++++++++++++++++++++++++
net-snmp.spec | 9 ++-
3 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 net-snmp-5.4.1-hmac-check.patch
create mode 100644 net-snmp-5.4.1-perl-snprintf.patch
diff --git a/net-snmp-5.4.1-hmac-check.patch b/net-snmp-5.4.1-hmac-check.patch
new file mode 100644
index 0000000..630573b
--- /dev/null
+++ b/net-snmp-5.4.1-hmac-check.patch
@@ -0,0 +1,18 @@
+447974: CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044)
+
+Source: upstream, https://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
+Reviewed-by: Jan Safranek
+
+diff -up net-snmp-5.0.9/snmplib/scapi.c.orig net-snmp-5.0.9/snmplib/scapi.c
+--- net-snmp-5.0.9/snmplib/scapi.c.orig 2008-06-04 10:19:26.000000000 +0200
++++ net-snmp-5.0.9/snmplib/scapi.c 2008-06-04 10:20:45.000000000 +0200
+@@ -460,6 +460,9 @@ sc_check_keyed_hash(const oid * authtype
+ QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+ }
+
++ if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
++ QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
++ }
+
+ /*
+ * Generate a full hash of the message, then compare
diff --git a/net-snmp-5.4.1-perl-snprintf.patch b/net-snmp-5.4.1-perl-snprintf.patch
new file mode 100644
index 0000000..438694c
--- /dev/null
+++ b/net-snmp-5.4.1-perl-snprintf.patch
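Review bot: The `maclen != USM_MD5_AND_SHA_AUTH_LEN` guard added to sc_check_keyed_hash() in net-snmp-5.4.1-hmac-check.patch has no comment saying why the length must match exactly, so a later cleanup could relax it to `<=` and bring CVE-2008-0960 back. I would put a comment above it such as `/* Reject any MAC that is not exactly the expected length; a shorter one would be compared over only the bytes supplied (CVE-2008-0960). */`. The hash comparison itself lies outside the hunk, so it should be confirmed separately that it compares the full USM_MD5_AND_SHA_AUTH_LEN bytes and, preferably, does so in constant time. The function body starts and ends outside the hunk.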
@@ -0,0 +1,106 @@
+447262: CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value()
+
+Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&sortby=date&revision=16770
+Reviewed-By: Jan Safranek
+
+--- branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/21 23:19:29 16769
++++ branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/22 19:22:44 16770
+@@ -470,14 +470,16 @@
+ if (flag == USE_ENUMS) {
+ for(ep = tp->enums; ep; ep = ep->next) {
+ if (ep->value == *var->val.integer) {
+- strcpy(buf, ep->label);
++ strncpy(buf, ep->label, buf_len);
++ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ break;
+ }
+ }
+ }
+ if (!len) {
+- sprintf(buf,"%ld", *var->val.integer);
++ snprintf(buf, buf_len, "%ld", *var->val.integer);
++ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ }
+ break;
+@@ -486,21 +488,25 @@
+ case ASN_COUNTER:
+ case ASN_TIMETICKS:
+ case ASN_UINTEGER:
+- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
++ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ break;
+
+ case ASN_OCTET_STR:
+ case ASN_OPAQUE:
+- memcpy(buf, (char*)var->val.string, var->val_len);
+ len = var->val_len;
++ if ( len > buf_len )
++ len = buf_len;
++ memcpy(buf, (char*)var->val.string, len);
+ break;
+
+ case ASN_IPADDRESS:
+- ip = (u_char*)var->val.string;
+- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+- len = strlen(buf);
+- break;
++ ip = (u_char*)var->val.string;
++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++ buf[buf_len-1] = '\0';
++ len = strlen(buf);
++ break;
+
+ case ASN_NULL:
+ break;
+@@ -512,14 +518,14 @@
+ break;
+
+ case SNMP_ENDOFMIBVIEW:
+- sprintf(buf,"%s", "ENDOFMIBVIEW");
+- break;
++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
++ break;
+ case SNMP_NOSUCHOBJECT:
+- sprintf(buf,"%s", "NOSUCHOBJECT");
+- break;
++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
++ break;
+ case SNMP_NOSUCHINSTANCE:
+- sprintf(buf,"%s", "NOSUCHINSTANCE"); +- break; ++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE"); ++ break; + + case ASN_COUNTER64: + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES +@@ -538,19 +544,19 @@ + #endif + + case ASN_BIT_STR: +- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL); ++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL); + len = strlen(buf); + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: +- if (var->val.floatVal) +- sprintf(buf,"%f", *var->val.floatVal); +- break; ++ if (var->val.floatVal) ++ snprintf(buf, buf_len, "%f", *var->val.floatVal); ++ break; + + case ASN_OPAQUE_DOUBLE: +- if (var->val.doubleVal) +- sprintf(buf,"%f", *var->val.doubleVal); +- break; ++ if (var->val.doubleVal) ++ snprintf(buf, buf_len, "%f", *var->val.doubleVal); ++ break; + #endif + + case ASN_NSAP: diff --git a/net-snmp.spec b/net-snmp.spec index 92bdf99..f45cfe8 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -7,7 +7,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: %{major_ver} -Release: 17%{?dist} +Release: 18%{?dist} Epoch: 1 License: BSD and CMU @@ -46,6 +46,8 @@ Patch21: net-snmp-5.4-exec-crash.patch Patch22: net-snmp-5.4-smux-password.patch Patch23: net-snmp-5.4-udp-leak.patch Patch24: net-snmp-5.4-maxreps.patch +Patch25: net-snmp-5.4.1-hmac-check.patch +Patch26: net-snmp-5.4.1-perl-snprintf.patch Requires(pre): /sbin/chkconfig Requires(post): /sbin/chkconfig @@ -171,6 +173,8 @@ and applications. %patch22 -p0 -b .smux-password %patch23 -p0 -b .udp-leak %patch24 -p0 -b .maxreps +%patch25 -p1 -b .hmac-check +%patch26 -p3 -b .perl-snprintf # Do this patch with a perl hack... perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh 
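Review bot: In the ASN_IPADDRESS case of net-snmp-5.4.1-perl-snprintf.patch the new `snprintf` still reads `ip[0]` through `ip[3]` without checking that `var->val_len` is at least 4 or that `var->val.string` is non-NULL, so a value shorter than four bytes would be read past its end; a guard such as `if (var->val.string == NULL || var->val_len < 4) break;` before the `snprintf` would close that. The repeated `buf[buf_len-1] = '\0';` lines are redundant after `snprintf`, which already terminates, and they assume `buf_len > 0`; whether a zero length can reach this code cannot be told from here, since the function signature is outside the hunks. In the ASN_OCTET_STR case `len > buf_len` may be a signed/unsigned comparison depending on the declared types, and the truncation is silent, so a comment like `/* value is truncated to buf_len bytes; not NUL-terminated */` would help callers. The enclosing function starts and ends outside these hunks.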
@@ -375,6 +379,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_libdir}/lib*.so.* %changelog +* Tue Jun 10 2008 Jan Safranek 5.4-18 +- fix various flaws (CVE-2008-2292 CVE-2008-0960) + * Thu Feb 14 2008 Jan Safranek 5.4-17 - fixing ipNetToMediaNetAddress to show IP address (#432780)