fix various flaws (CVE-2008-2292 CVE-2008-0960)
parent
7349a8ee47
commit
e882a392e5
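--- /dev/null
+++ b/net-snmp-5.4.1-hmac-check.patch
@@ -0,0 +1,18 @@
+447974: CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044)
+
+Source: upstream, https://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
+Reviewed-by: Jan Safranek <jsafrane@redhat.com>
+
+diff -up net-snmp-5.0.9/snmplib/scapi.c.orig net-snmp-5.0.9/snmplib/scapi.c
+--- net-snmp-5.0.9/snmplib/scapi.c.orig 2008-06-04 10:19:26.000000000 +0200
++++ net-snmp-5.0.9/snmplib/scapi.c 2008-06-04 10:20:45.000000000 +0200
+@@ -460,6 +460,9 @@ sc_check_keyed_hash(const oid * authtype
+QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+}
+
++ if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
++ QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
++ }
+
+/*
+* Generate a full hash of the message, then compare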
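Review bot: The added `if (maclen != USM_MD5_AND_SHA_AUTH_LEN)` guard has no comment saying why a shorter MAC must be rejected, and it exits through the same `QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit)` as the generic failure just above it, so a later cleanup could relax it without realising it is the CVE-2008-0960 fix. I would put `/* Only a full-length MAC is acceptable; a shorter one would weaken the comparison below (CVE-2008-0960). */` directly above the `if`. The patch header names a net-snmp-5.0.9 tree while the spec applies it to the 5.4.1 sources with `-p1`, so it is worth confirming the hunk lands in `sc_check_keyed_hash` without fuzz and ahead of the hash comparison. The function body starts and ends outside the hunk.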
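--- /dev/null
+++ b/net-snmp-5.4.1-perl-snprintf.patch
@@ -0,0 +1,106 @@
+447262: CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value()
+
+Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&sortby=date&revision=16770
+Reviewed-By: Jan Safranek <jsafrane@redhat.com>
+
+--- branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/21 23:19:29 16769
++++ branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs 2007/12/22 19:22:44 16770
+@@ -470,14 +470,16 @@
+if (flag == USE_ENUMS) {
+for(ep = tp->enums; ep; ep = ep->next) {
+if (ep->value == *var->val.integer) {
+- strcpy(buf, ep->label);
++ strncpy(buf, ep->label, buf_len);
++ buf[buf_len-1] = '\0';
+len = strlen(buf);
+break;
+}
+}
+}
+if (!len) {
+- sprintf(buf,"%ld", *var->val.integer);
++ snprintf(buf, buf_len, "%ld", *var->val.integer);
++ buf[buf_len-1] = '\0';
+len = strlen(buf);
+}
+break;
+@@ -486,21 +488,25 @@
+case ASN_COUNTER:
+case ASN_TIMETICKS:
+case ASN_UINTEGER:
+- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
++ buf[buf_len-1] = '\0';
+len = strlen(buf);
+break;
+
+case ASN_OCTET_STR:
+case ASN_OPAQUE:
+- memcpy(buf, (char*)var->val.string, var->val_len);
+len = var->val_len;
++ if ( len > buf_len )
++ len = buf_len;
++ memcpy(buf, (char*)var->val.string, len);
+break;
+
+case ASN_IPADDRESS:
+- ip = (u_char*)var->val.string;
+- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+- len = strlen(buf);
+- break;
++ ip = (u_char*)var->val.string;
++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++ buf[buf_len-1] = '\0';
++ len = strlen(buf);
++ break;
+
+case ASN_NULL:
+break;
+@@ -512,14 +518,14 @@
+break;
+
+case SNMP_ENDOFMIBVIEW:
+- sprintf(buf,"%s", "ENDOFMIBVIEW");
+- break;
++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
++ break;
+case SNMP_NOSUCHOBJECT:
+- sprintf(buf,"%s", "NOSUCHOBJECT");
+- break;
++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
++ break;
+case SNMP_NOSUCHINSTANCE:
+- sprintf(buf,"%s", "NOSUCHINSTANCE");
+- break;
++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
++ break;
+
+case ASN_COUNTER64:
+#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+@@ -538,19 +544,19 @@
+#endif
+
+case ASN_BIT_STR:
+- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
+len = strlen(buf);
+break;
+#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+case ASN_OPAQUE_FLOAT:
+- if (var->val.floatVal)
+- sprintf(buf,"%f", *var->val.floatVal);
+- break;
++ if (var->val.floatVal)
++ snprintf(buf, buf_len, "%f", *var->val.floatVal);
++ break;
+
+case ASN_OPAQUE_DOUBLE:
+- if (var->val.doubleVal)
+- sprintf(buf,"%f", *var->val.doubleVal);
+- break;
++ if (var->val.doubleVal)
++ snprintf(buf, buf_len, "%f", *var->val.doubleVal);
++ break;
+#endif
+
+case ASN_NSAP: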
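Review bot: In the ASN_OCTET_STR/ASN_OPAQUE case the new clamp `if ( len > buf_len ) len = buf_len;` stops the overflow but truncates silently and leaves no room for a terminator, so a caller that treats `buf` as a C string would read past the copied bytes; whether any caller does so is not visible here. The added `buf[buf_len-1] = '\0';` lines in the first two hunks also assume `buf_len` is at least 1, because with `buf_len == 0` the index falls outside the buffer, so a zero length should be rejected on entry to the function. The ASN_IPADDRESS case still reads `ip[0]` through `ip[3]` without checking that `var->val_len` is at least 4; if that is not validated before this switch, a short value would be over-read. The enclosing function starts and ends outside these hunks.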
@ -7,7 +7,7 @@
|
||||
Summary: A collection of SNMP protocol tools and libraries
|
||||
Name: net-snmp
|
||||
Version: %{major_ver}
|
||||
Release: 17%{?dist}
|
||||
Release: 18%{?dist}
|
||||
Epoch: 1
|
||||
|
||||
License: BSD and CMU
|
||||
@ -46,6 +46,8 @@ Patch21: net-snmp-5.4-exec-crash.patch
|
||||
Patch22: net-snmp-5.4-smux-password.patch
|
||||
Patch23: net-snmp-5.4-udp-leak.patch
|
||||
Patch24: net-snmp-5.4-maxreps.patch
|
||||
Patch25: net-snmp-5.4.1-hmac-check.patch
|
||||
Patch26: net-snmp-5.4.1-perl-snprintf.patch
|
||||
|
||||
Requires(pre): /sbin/chkconfig
|
||||
Requires(post): /sbin/chkconfig
|
||||
@ -171,6 +173,8 @@ and applications.
|
||||
%patch22 -p0 -b .smux-password
|
||||
%patch23 -p0 -b .udp-leak
|
||||
%patch24 -p0 -b .maxreps
|
||||
%patch25 -p1 -b .hmac-check
|
||||
%patch26 -p3 -b .perl-snprintf
|
||||
|
||||
# Do this patch with a perl hack...
|
||||
perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
|
||||
@ -375,6 +379,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
%{_libdir}/lib*.so.*
|
||||
|
||||
%changelog
|
||||
* Tue Jun 10 2008 Jan Safranek <jsafranek@redhat.com> 5.4-18
|
||||
- fix various flaws (CVE-2008-2292 CVE-2008-0960)
|
||||
|
||||
* Thu Feb 14 2008 Jan Safranek <jsafranek@redhat.com> 5.4-17
|
||||
- fixing ipNetToMediaNetAddress to show IP address (#432780)
|
||||
|
||||
|