fixed CVE-2012-2141: Array index error, leading to out-of heap-based buffer read

Resolves: #816549

.gitignore

@@ -2,3 +2,4 @@ net-snmp-5.5.tar.gz
 /net-snmp-5.6.tar.gz
 /net-snmp-5.6.1.tar.gz
 /net-snmp-5.7.tar.gz
+/net-snmp-5.7.1.tar.gz

net-snmp-5.7-CVE-2012-2141.patch

@@ -0,0 +1,21 @@
+commit 4c5633f1603e4bd03ed05c37d782ec8911759c47
+Author: Robert Story <rstory@freesnmp.com>
+Date:   Mon May 14 11:40:06 2012 -0400
+
+    NEWS: snmp: BUG: 3526549: CVE-2012-2141 Array index error leading to crash
+
+diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c
+index d00475f..1f8586a 100644
+--- a/agent/mibgroup/agent/extend.c
++++ b/agent/mibgroup/agent/extend.c
+@@ -1299,6 +1299,10 @@ handle_nsExtendOutput2Table(netsnmp_mib_handler          *handler,
+                  * Determine which line we've been asked for....
+                  */
+                 line_idx = *table_info->indexes->next_variable->val.integer;
++                if (line_idx < 1 || line_idx > extension->numlines) {
++                    netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE);
++                    continue;
++                }
+                 cp  = extension->lines[line_idx-1];
+ 
+                 /* 

net-snmp-5.7-hrStorage-units.patch

@@ -0,0 +1,51 @@
+Bug 789441 - net-snmp reports incorrect used disk space for large filesystems
+
+From upstream git:
+
+commit 76ff25d9bf97579e7213102065fd5096f049a4c5
+Author: Bart Van Assche <bvanassche@acm.org>
+Date:   Fri Oct 7 14:13:18 2011 +0200
+
+    CHANGES: snmpd: HOST-RESOURCES-MIB::hrStorageTable: fix bug in handling large filesystems, where large means above 8 TB (= 2**31 * 4096 bytes).
+    
+    This patch fixes a bug introduced in commit
+    71d8293f387a6cd66bb0dbb13c0f50174d2e678b.
+    For the original bug report, see also
+    https://sourceforge.net/tracker/?func=detail&atid=112694&aid=3419825&group_id=12694.
+
+diff --git a/agent/mibgroup/hardware/fsys/hw_fsys.c b/agent/mibgroup/hardware/fsys/hw_fsys.c
+index c96284e..be698b2 100644
+--- a/agent/mibgroup/hardware/fsys/hw_fsys.c
++++ b/agent/mibgroup/hardware/fsys/hw_fsys.c
+@@ -321,19 +321,23 @@ netsnmp_fsys_avail( netsnmp_fsys_info *f) {
+ 
+ /* recalculate f->size_32, used_32, avail_32 and units_32 from f->size & comp.*/
+ void
+-netsnmp_fsys_calculate32( netsnmp_fsys_info *f)
++netsnmp_fsys_calculate32(netsnmp_fsys_info *f)
+ {
+     unsigned long long s = f->size;
+-    unsigned long long u = f->units;
+-    int factor = 0;
++    unsigned shift = 0;
++
+     while (s > INT32_MAX) {
+         s = s >> 1;
+-        u = u << 1;
+-        factor++;
++        shift++;
+     }
+ 
+     f->size_32 = s;
+-    f->units_32 = u;
+-    f->avail_32 = f->avail << factor;
+-    f->used_32 = f->used << factor;
++    f->units_32 = f->units << shift;
++    f->avail_32 = f->avail >> shift;
++    f->used_32 = f->used >> shift;
++
++    DEBUGMSGTL(("fsys", "Results of 32-bit conversion: size %llu -> %lu;"
++		" units %llu -> %lu; avail %llu -> %lu; used %llu -> %lu\n",
++		f->size, f->size_32, f->units, f->units_32,
++		f->avail, f->avail_32, f->used, f->used_32));
+ }

net-snmp-5.7-libtool.patch

@@ -0,0 +1,14 @@
+Fix a typo in libtool, seems to be related to bug #742678
+
+diff -up net-snmp-5.7.1/ltmain.sh.orig net-snmp-5.7.1/ltmain.sh
+--- net-snmp-5.7.1/ltmain.sh.orig	2011-09-28 06:53:47.000000000 +0200
++++ net-snmp-5.7.1/ltmain.sh	2011-10-04 09:48:11.022131513 +0200
+@@ -8051,7 +8051,7 @@ EOF
+ 	    elif test -n "$runpath_var"; then
+ 	      case "$perm_rpath " in
+ 	      *" $libdir "*) ;;
+-	      *) func_apped perm_rpath " $libdir" ;;
++	      *) func_append perm_rpath " $libdir" ;;
+ 	      esac
+ 	    fi
+ 	  done

net-snmp-5.7-mibs-perl-linking.patch

@@ -0,0 +1,16 @@
+742678: libnetsnmpmibs.so.30 is linked against libperl.so
+
+add perl rpath to libnetsnmpmibs.so
+
+diff -up net-snmp-5.7.1/agent/Makefile.in.orig net-snmp-5.7.1/agent/Makefile.in
+--- net-snmp-5.7.1/agent/Makefile.in.orig	2011-10-04 09:49:26.762027506 +0200
++++ net-snmp-5.7.1/agent/Makefile.in	2011-10-04 10:31:48.092899541 +0200
+@@ -302,7 +302,7 @@ libnetsnmpagent.$(LIB_EXTENSION)$(LIB_VE
+ 	$(RANLIB) $(AGENTLIB)
+ 
+ libnetsnmpmibs.$(LIB_EXTENSION)$(LIB_VERSION): ${LMIBOBJS} $(AGENTLIB) $(USELIBS)
+-	$(LIB_LD_CMD) $(MIBLIB) ${LMIBOBJS} $(AGENTLIB) $(USELIBS) @LD_NO_UNDEFINED@ $(LDFLAGS) ${LMIBLIBS} $(LIB_LD_LIBS) @AGENTLIBS@
++	$(LIB_LD_CMD) $(MIBLIB) ${LMIBOBJS} $(AGENTLIB) $(USELIBS) @LD_NO_UNDEFINED@ $(LDFLAGS) ${LMIBLIBS} $(PERLLDOPTS_FOR_LIBS) $(LIB_LD_LIBS) @AGENTLIBS@
+ 	$(RANLIB) $(MIBLIB)
+ 
+ agentlib: $(AGENTLIB)

net-snmp.spec

@@ -10,8 +10,8 @@
 
 Summary: A collection of SNMP protocol tools and libraries
 Name: net-snmp
-Version: 5.7
-Release: 4%{?dist}
+Version: 5.7.1
+Release: 3%{?dist}
 Epoch: 1
 
 License: BSD
@@ -27,6 +27,8 @@ Source6: net-snmp-trapd.redhat.conf
 Source7: net-snmpd.sysconfig
 Source8: net-snmptrapd.sysconfig
 Source9: net-snmp-tmpfs.conf
+Source10: snmpd.service
+Source11: snmptrapd.service
 Patch1: net-snmp-5.6-pie.patch
 Patch2: net-snmp-5.5-dir-fix.patch
 Patch3: net-snmp-5.6-multilib.patch
@@ -35,6 +37,11 @@ Patch5: net-snmp-5.5-apsl-copying.patch
 Patch6: net-snmp-5.5-perl-linking.patch
 Patch7: net-snmp-5.6-test-debug.patch
 Patch8: net-snmp-5.6.1-mysql.patch
+Patch9: net-snmp-5.7.1-systemd.patch
+Patch10: net-snmp-5.7-libtool.patch
+Patch11: net-snmp-5.7-mibs-perl-linking.patch
+Patch12: net-snmp-5.7-hrStorage-units.patch
+Patch13: net-snmp-5.7-CVE-2012-2141.patch
 
 Requires(post): chkconfig
 Requires(preun): chkconfig
@@ -44,6 +51,11 @@ Requires(preun): initscripts
 Requires(preun): coreutils
 Requires: %{name}-libs = %{epoch}:%{version}-%{release}
 Requires: mysql-libs
+# This is actually needed for the %triggerun script but Requires(triggerun)
+# is not valid.  We can use %post because this particular %triggerun script
+# should fire just after this package is installed.
+Requires(post): systemd-sysv
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: openssl-devel, bzip2-devel, elfutils-devel
 BuildRequires: libselinux-devel, elfutils-libelf-devel, rpm-devel
@@ -55,6 +67,7 @@ BuildRequires: mysql-devel
 BuildRequires: net-tools
 # for make test
 BuildRequires: perl(TAP::Harness)
+BuildRequires: systemd-units
 %ifnarch s390 s390x
 BuildRequires: lm_sensors-devel >= 3
 %endif
@@ -137,17 +150,25 @@ Install the net-snmp-gui package, if you want to use this interactive utility.
 
 %package libs
 Group: Development/Libraries
-Summary: The NET-SNMP runtime libraries
+Summary: The NET-SNMP runtime client libraries
+
+%description libs
+The net-snmp-libs package contains the runtime client libraries for shared
+binaries and applications.
+
+%package agent-libs
+Group: Development/Libraries
+Summary: The NET-SNMP runtime agent libraries
 # the libs link against libperl.so:
 Requires:  perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 
-%description libs
-The net-snmp-libs package contains the runtime libraries for shared binaries
-and applications.
+%description agent-libs
+The net-snmp-agent-libs package contains the runtime agent libraries for shared
+binaries and applications.
 
 %package python
 Group: Development/Libraries
-Summary: The Python 'netsnmp' module for the NET-SNMP
+Summary: The Python 'netsnmp' module for the Net-SNMP
 Requires: %{name}-libs = %{epoch}:%{version}-%{release}
 
 %description python
@@ -155,6 +176,13 @@ The 'netsnmp' module provides a full featured, tri-lingual SNMP (SNMPv3,
 SNMPv2c, SNMPv1) client API. The 'netsnmp' module internals rely on the
 Net-SNMP toolkit library.
 
+%package sysvinit
+Group: System Environment/Daemons
+Summary: Legacy SysV init scripts for Net-SNMP daemons
+Requires: %{name} = %{epoch}:%{version}-%{release}
+
+%description sysvinit
+The net-snmp-sysvinit package provides SysV init scripts for Net-SNMP daemons.
 
 %prep
 %setup -q
@@ -174,8 +202,13 @@ Net-SNMP toolkit library.
 #%patch6 -p1 -b .perl-linking
 %patch7 -p1
 %patch8 -p1 -b .mysql
+%patch9 -p1 -b .systemd
+%patch10 -p1 -b .libtool
+%patch11 -p1 -b .mibs-perl
+%patch12 -p1 -b .hrStorage-units
+%patch13 -p1 -b .CVE-2012-2141
 
-%ifarch sparc64
+%ifarch sparc64 s390 s390x
 # disable failing test - see https://bugzilla.redhat.com/show_bug.cgi?id=680697
 rm testing/fulltests/default/T200*
 %endif
@@ -218,6 +251,7 @@ MIBS="$MIBS ucd-snmp/lmsensorsMib"
     --with-transports="DTLSUDP TLSTCP" \
     --with-security-modules=tsm  \
     --with-mysql \
+    --with-systemd \
     --with-sys-contact="root@localhost" <<EOF
 EOF
 
@@ -283,6 +317,8 @@ rm -f ${RPM_BUILD_ROOT}/%{_bindir}/fixproc
 rm -f ${RPM_BUILD_ROOT}/%{_mandir}/man1/fixproc*
 rm -f ${RPM_BUILD_ROOT}/%{_bindir}/ipf-mod.pl
 rm -f ${RPM_BUILD_ROOT}/%{_libdir}/*.la
+rm -f ${RPM_BUILD_ROOT}/%{_libdir}/libsnmp*
+
 # remove special perl files
 find $RPM_BUILD_ROOT -name perllocal.pod \
     -o -name .packlist \
@@ -318,8 +354,11 @@ chmod 644 local/passtest local/ipf-mod.pl
 install -m 755 -d $RPM_BUILD_ROOT/usr/include/net-snmp/agent/util_funcs
 install -m 644  agent/mibgroup/util_funcs/*.h $RPM_BUILD_ROOT/usr/include/net-snmp/agent/util_funcs
 
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/
+# systemd stuff
+install -m 755 -d $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/
 install -m 644 %SOURCE9 $RPM_BUILD_ROOT/%{_sysconfdir}/tmpfiles.d/net-snmp.conf
+install -m 755 -d $RPM_BUILD_ROOT/%{_unitdir}
+install -m 644 %SOURCE10 %SOURCE11 $RPM_BUILD_ROOT/%{_unitdir}/
 
 %check
 %if %{netsnmp_check}
@@ -330,33 +369,53 @@ LD_LIBRARY_PATH=${RPM_BUILD_ROOT}/%{_libdir} make test
 
 
 %post
-/sbin/chkconfig --add snmpd
-/sbin/chkconfig --add snmptrapd
-
-# move local state files from /var/net-snmp to new location when updating the package
-# (Fedora 11: /var/net-snmp, Fedora 12: /var/lib/net-snmp)
-/bin/mv %{_localstatedir}/net-snmp/* %{_localstatedir}/lib/net-snmp/ &>/dev/null || :
-
+if [ $1 -eq 1 ] ; then 
+    # Initial installation 
+    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+fi
 
 %preun
 if [ $1 = 0 ]; then
-    service snmpd stop >/dev/null 2>&1
-    /sbin/chkconfig --del snmpd
-    service snmptrapd stop >/dev/null 2>&1
-    /sbin/chkconfig --del snmptrapd
+    /bin/systemctl --no-reload disable snmpd.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable snmptrapd.service > /dev/null 2>&1 || :
+    /bin/systemctl stop snmpd.service > /dev/null 2>&1 || :
+    /bin/systemctl stop snmptrapd.service > /dev/null 2>&1 || :
 fi
 
 
 %postun
 if [ "$1" -ge "1" ]; then
-    service snmpd condrestart >/dev/null 2>&1 || :
-    service snmptrapd condrestart >/dev/null 2>&1 || :
+    /bin/systemctl try-restart snmpd.service >/dev/null 2>&1 || :
+    /bin/systemctl try-restart snmptrapd.service >/dev/null 2>&1 || :
 fi
 
+
+%triggerun -- net-snmp < 1:5.7-5
+# Convert SysV -> systemd.
+# Save the current service runlevel info,
+# User must manually run systemd-sysv-convert --apply snmpd
+# to migrate them to systemd targets
+echo "hello world" >> /tmp/snmp
+echo date >>/tmp/snmp
+/usr/bin/systemd-sysv-convert --save snmpd >/dev/null 2>&1 ||:
+/usr/bin/systemd-sysv-convert --save snmptrapd >/dev/null 2>&1 ||:
+/sbin/chkconfig --del snmpd >/dev/null 2>&1 || :
+/sbin/chkconfig --del snmptrapd >/dev/null 2>&1 || :
+/bin/systemctl try-restart snmpd.service >/dev/null 2>&1 || :
+/bin/systemctl try-restart snmptrapd.service >/dev/null 2>&1 || :
+
+%triggerpostun -n net-snmp-sysvinit -- net-snmp < 1:5.7-5
+/sbin/chkconfig --add snmpd >/dev/null 2>&1 || :
+/sbin/chkconfig --add snmptrapd >/dev/null 2>&1 || :
+
 %post libs -p /sbin/ldconfig
 
 %postun libs -p /sbin/ldconfig
 
+%post agent-libs -p /sbin/ldconfig
+
+%postun agent-libs -p /sbin/ldconfig
+
 %clean
 rm -rf ${RPM_BUILD_ROOT}
 
@@ -365,15 +424,12 @@ rm -rf ${RPM_BUILD_ROOT}
 %doc COPYING ChangeLog.trimmed EXAMPLE.conf FAQ NEWS TODO
 %doc README README.agent-mibs README.agentx README.krb5 README.snmpv3
 %doc local/passtest local/ipf-mod.pl
-%doc README.thread AGENT.txt PORTING local/README.mib2c
-%{_initrddir}/snmpd
-%{_initrddir}/snmptrapd
-%config(noreplace,missingok) %{_sysconfdir}/sysconfig/snmpd
-%config(noreplace,missingok) %{_sysconfdir}/sysconfig/snmptrapd
+%doc README.thread AGENT.txt PORTING local/README.mib2c README.systemd
 %dir %{_sysconfdir}/snmp
 %config(noreplace,missingok) %{_sysconfdir}/snmp/snmpd.conf
 %config(noreplace,missingok) %{_sysconfdir}/snmp/snmptrapd.conf
 %{_bindir}/snmpconf
+%{_bindir}/agentxtrap
 %{_bindir}/net-snmp-create-v3-user
 %{_sbindir}/*
 %attr(0644,root,root) %{_mandir}/man[58]/snmp*d*
@@ -386,11 +442,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{_localstatedir}/lib/net-snmp
 %dir %{_localstatedir}/run/net-snmp
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/net-snmp.conf
+%{_unitdir}/snmp*
 
 %files utils
 %defattr(-,root,root,-)
 %{_bindir}/encode_keychange
-%{_bindir}/agentxtrap
 %{_bindir}/snmp[^c-]*
 %attr(0644,root,root) %{_mandir}/man1/snmp[^-]*.1*
 %attr(0644,root,root) %{_mandir}/man1/encode_keychange*.1*
@@ -398,7 +454,6 @@ rm -rf ${RPM_BUILD_ROOT}
 %attr(0644,root,root) %{_mandir}/man5/snmp.conf.5.gz
 %attr(0644,root,root) %{_mandir}/man5/variables.5.gz
 
-
 %files devel
 %defattr(0644,root,root,0755)
 %{_libdir}/lib*.so
@@ -438,12 +493,54 @@ rm -rf ${RPM_BUILD_ROOT}
 %files libs
 %defattr(-,root,root)
 %doc COPYING README ChangeLog.trimmed FAQ NEWS TODO
-%{_libdir}/lib*.so.*
+%{_libdir}/libnetsnmp.so.*
 %dir %{_datadir}/snmp
 %dir %{_datadir}/snmp/mibs
 %{_datadir}/snmp/mibs/*
 
+%files agent-libs
+%defattr(-,root,root)
+%{_libdir}/libnetsnmpagent*.so.*
+%{_libdir}/libnetsnmphelpers*.so.*
+%{_libdir}/libnetsnmpmibs*.so.*
+%{_libdir}/libnetsnmptrapd*.so.*
+
+%files sysvinit
+%defattr(-,root,root)
+%{_initrddir}/snmpd
+%{_initrddir}/snmptrapd
+%config(noreplace,missingok) %{_sysconfdir}/sysconfig/snmpd
+%config(noreplace,missingok) %{_sysconfdir}/sysconfig/snmptrapd
+
 %changelog
+* Mon Oct 22 2012 Jan Safranek <jsafrane@redhat.com> - 1:5.7.1-3
+- fixed units in hrStorageTable and hrFSTable (#789441)
+- fixed CVE-2012-2141: Array index error, leading to out-of heap-based
+  buffer read
+
+* Wed Oct  5 2011 Jan Safranek <jsafrane@redhat.com> - 1:5.7.1-2
+- fixed perl linking (#742678)
+
+* Tue Oct  4 2011 Jan Safranek <jsafrane@redhat.com> - 1:5.7.1-1
+- updated to 5.7.1:
+  - Fixed the mib-parsing-bug introduced shortly before 5.7
+  - fixed rounding errors for disk percentage calculations
+  - Many other miscellaneous minor bug fixes
+
+* Tue Sep 06 2011 Dan Horák <dan[at]danny.cz> - 1:5.7-7
+- disable failing test on s390(x) (#680697)
+
+* Thu Aug 11 2011 Jan Safranek <jsafrane@redhat.com> - 1:5.7-6
+- added new net-snmp-agent-libs subpackage with agent libraries
+  -> net-snmp-libs do not need perl and lm_sensors libs
+- removed libsnmp.so, it's not used in Fedora (#729811)
+- added README.systemd
+- added new net-snmp-sysvinit subpackage with legacy init scripts
+  (#718183)
+
+* Tue Aug  9 2011 Jan Safranek <jsafrane@redhat.com> - 1:5.7-5
+- integrated with systemd (#718183)
+
 * Thu Jul 21 2011 Petr Sabata <contyk@redhat.com> - 1:5.7-4
 - Perl mass rebuild
 

net-snmpd.sysconfig

@@ -1,2 +1,6 @@
+# WARNING:
+# This file is only for compatibility with SysV init scripts if someone uses
+# them! systemd does not use this file when starting snmpd!
+#
 # snmpd command line options
 # OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"

net-snmptrapd.sysconfig

@@ -1,2 +1,6 @@
+# WARNING:
+# This file is only for compatibility with SysV init scripts if someone uses
+# them! systemd does not use this file when starting snmpd!
+#
 # snmptrapd command line options
 # OPTIONS="-Lsd -p /var/run/snmptrapd.pid"

snmpd.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Daemon.
+After=syslog.target network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/snmpd -LS0-6d -f
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

snmptrapd.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Simple Network Management Protocol (SNMP) Trap Daemon.
+After=syslog.target network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/snmptrapd -Lsd -f
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

sources

@@ -1 +1 @@
-1038e960d6d616c64c0979180daf0e19  net-snmp-5.7.tar.gz
+c95d08fd5d93df0c11a2e1bdf0e01e0b  net-snmp-5.7.1.tar.gz