From 91f3ae6c9e6f41c2fdd8fb95450a6165db51c4a9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 09 2023 05:33:45 +0000 Subject: import net-snmp-5.9.1-9.el9 --- diff --git a/SOURCES/net-snmp-5.9-CVE-2022-44792-44793.patch b/SOURCES/net-snmp-5.9-CVE-2022-44792-44793.patch new file mode 100644 index 0000000..4b48b14 --- /dev/null +++ b/SOURCES/net-snmp-5.9-CVE-2022-44792-44793.patch @@ -0,0 +1,129 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH 1/3] snmp_agent: disallow SET with NULL varbind + +--- + agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 867d0c166f..3f678fe2df 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. ++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ + +From 7f4ac4051cc7fec6a5944661923acb95cec359c7 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Fri, 25 Nov 2022 08:41:46 -0800 +Subject: [PATCH 2/3] apps: snmpset: allow SET with NULL varbind for testing + +--- + apps/snmpset.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/apps/snmpset.c b/apps/snmpset.c +index 48e14bd513..d542713e1b 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': + +From 15f9d7f7e5b90c9b419832ed8e6413feb6570d83 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Fri, 25 Nov 2022 10:23:32 -0800 +Subject: [PATCH 3/3] Add test for NULL varbind set + +--- + .../default/T0142snmpv2csetnull_simple | 31 +++++++++++++++++++ + 1 file changed, 31 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000000..0f1b8f386b +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. ./Sv2cconfig ++STARTAGENT ++ ++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0" ++ ++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:" ++ ++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x" ++ ++CHECK "Reason: wrongType" ++ ++STOPAGENT ++ ++FINISHED + diff --git a/SOURCES/net-snmp-5.9-ipv6-disable-leak.patch b/SOURCES/net-snmp-5.9-ipv6-disable-leak.patch new file mode 100644 index 0000000..f8c20fd --- /dev/null +++ b/SOURCES/net-snmp-5.9-ipv6-disable-leak.patch @@ -0,0 +1,12 @@ +diff -urNp a/snmplib/snmp_logging.c b/snmplib/snmp_logging.c +--- a/snmplib/snmp_logging.c 2023-02-15 10:19:15.691827254 +0100 ++++ b/snmplib/snmp_logging.c 2023-02-15 10:24:41.006642974 +0100 +@@ -490,7 +490,7 @@ snmp_log_options(char *optarg, int argc, + char * + snmp_log_syslogname(const char *pstr) + { +- if (pstr) ++ if (pstr && (pstr != syslogname)) + strlcpy (syslogname, pstr, sizeof(syslogname)); + + return syslogname; diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec index 09566af..d7b1491 100644 --- a/SPECS/net-snmp.spec +++ b/SPECS/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.9.1 -Release: 7%{?dist}.1 +Release: 9%{?dist} Epoch: 1 License: BSD @@ -52,6 +52,8 @@ Patch22: net-snmp-5.9-ECC-cert.patch Patch23: net-snmp-5.9-intermediate-certs.patch Patch24: net-snmp-5.9-twice-IP-parsing.patch Patch25: net-snmp-5.9-openssl-3.0.patch +Patch26: net-snmp-5.9-CVE-2022-44792-44793.patch +Patch27: net-snmp-5.9-ipv6-disable-leak.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch @@ -229,6 +231,8 @@ cp %{SOURCE10} . %patch23 -p1 -b .intermediate-certs %patch24 -p1 -b .twice-IP-parsing %patch25 -p1 -b .openssl-3-0 +%patch26 -p1 +%patch27 -p1 -b .ipv6-disable-leak %patch101 -p1 -b .modern-rpm-api %patch102 -p1 @@ -498,8 +502,12 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog -* Tue Apr 19 2022 Josef Ridky - 1:5.9.1-7.1 -- fix default snmpd.conf file content (#2075537) +* Wed Feb 15 2023 Josef Ridky - 1:5.9.1-9 +- fix CVE-2022-44792 and CVE-2022-44793 (#2141902) and (#2141906) +- fix memory leak when ipv6 disable set to 1 (#2151540) + +* Thu Apr 07 2022 Josef Ridky - 1:5.9.1-8 +- fix default snmpd.conf file content (#2067954) * Wed Oct 13 2021 Josef Ridky - 1:5.9.1-7 - fix FTBFS due of OpenSSL update (#2001430)