diff --git a/SOURCES/net-snmp-5.8-CVE-2022-44792-44793.patch b/SOURCES/net-snmp-5.8-CVE-2022-44792-44793.patch new file mode 100644 index 0000000..4b48b14 --- /dev/null +++ b/SOURCES/net-snmp-5.8-CVE-2022-44792-44793.patch @@ -0,0 +1,129 @@ +From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Fri, 25 Nov 2022 08:41:24 -0800 +Subject: [PATCH 1/3] snmp_agent: disallow SET with NULL varbind + +--- + agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 867d0c166f..3f678fe2df 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status) + return 1; + } + ++static int ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp) ++{ ++ int i; ++ netsnmp_variable_list *v = NULL; ++ ++ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) { ++ if (v->type == ASN_NULL) { ++ /* ++ * Protect SET implementations that do not protect themselves ++ * against wrong type. ++ */ ++ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i)); ++ asp->index = i; ++ return SNMP_ERR_WRONGTYPE; ++ } ++ } ++ return SNMP_ERR_NOERROR; ++} ++ + int + handle_pdu(netsnmp_agent_session *asp) + { + int status, inclusives = 0; + netsnmp_variable_list *v = NULL; + ++#ifndef NETSNMP_NO_WRITE_SUPPORT ++ /* ++ * Check for ASN_NULL in SET request ++ */ ++ if (asp->pdu->command == SNMP_MSG_SET) { ++ status = check_set_pdu_for_null_varbind(asp); ++ if (status != SNMP_ERR_NOERROR) { ++ return status; ++ } ++ } ++#endif /* NETSNMP_NO_WRITE_SUPPORT */ ++ + /* + * for illegal requests, mark all nodes as ASN_NULL + */ + +From 7f4ac4051cc7fec6a5944661923acb95cec359c7 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Fri, 25 Nov 2022 08:41:46 -0800 +Subject: [PATCH 2/3] apps: snmpset: allow SET with NULL varbind for testing + +--- + apps/snmpset.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/apps/snmpset.c b/apps/snmpset.c +index 48e14bd513..d542713e1b 100644 +--- a/apps/snmpset.c ++++ b/apps/snmpset.c +@@ -182,6 +182,7 @@ main(int argc, char *argv[]) + case 'x': + case 'd': + case 'b': ++ case 'n': /* undocumented */ + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case 'I': + case 'U': + +From 15f9d7f7e5b90c9b419832ed8e6413feb6570d83 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Fri, 25 Nov 2022 10:23:32 -0800 +Subject: [PATCH 3/3] Add test for NULL varbind set + +--- + .../default/T0142snmpv2csetnull_simple | 31 +++++++++++++++++++ + 1 file changed, 31 insertions(+) + create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple + +diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple +new file mode 100644 +index 0000000000..0f1b8f386b +--- /dev/null ++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple +@@ -0,0 +1,31 @@ ++#!/bin/sh ++ ++. ../support/simple_eval_tools.sh ++ ++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind ++ ++SKIPIF NETSNMP_DISABLE_SET_SUPPORT ++SKIPIF NETSNMP_NO_WRITE_SUPPORT ++SKIPIF NETSNMP_DISABLE_SNMPV2C ++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE ++ ++# ++# Begin test ++# ++ ++# standard V2C configuration: testcomunnity ++snmp_write_access='all' ++. ./Sv2cconfig ++STARTAGENT ++ ++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0" ++ ++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:" ++ ++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x" ++ ++CHECK "Reason: wrongType" ++ ++STOPAGENT ++ ++FINISHED + diff --git a/SOURCES/net-snmp-5.8-dev-mem-leak.patch b/SOURCES/net-snmp-5.8-dev-mem-leak.patch new file mode 100644 index 0000000..9833f9c --- /dev/null +++ b/SOURCES/net-snmp-5.8-dev-mem-leak.patch @@ -0,0 +1,35 @@ +From 8bb544fbd2d6986a9b73d3fab49235a4baa96c23 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Sat, 31 Jul 2021 16:21:16 -0700 +Subject: [PATCH] Linux: IF-MIB: Fix a memory leak + +The Linux kernel regenerates proc files in their entirety every time a 4 KiB +boundary is crossed. This can result in reading the same network interface +twice if network information changes while it is being read. Fix a memory +leak that can be triggered if /proc/net/dev changes while being read. +--- + agent/mibgroup/if-mib/data_access/interface_linux.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c +index e99360a216..215b30e806 100644 +--- a/agent/mibgroup/if-mib/data_access/interface_linux.c ++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c +@@ -921,7 +921,15 @@ netsnmp_arch_interface_container_load(netsnmp_container* container, + /* + * add to container + */ +- CONTAINER_INSERT(container, entry); ++ if (CONTAINER_INSERT(container, entry) != 0) { ++ netsnmp_interface_entry *existing = ++ CONTAINER_FIND(container, entry); ++ NETSNMP_LOGONCE((LOG_WARNING, ++ "Encountered interface with index %" NETSNMP_PRIz "u twice: %s <> %s", ++ entry->index, existing ? existing->name : "(?)", ++ entry->name)); ++ netsnmp_access_interface_entry_free(entry); ++ } + } + #ifdef NETSNMP_ENABLE_IPV6 + netsnmp_access_ipaddress_container_free(addr_container, 0); + diff --git a/SOURCES/net-snmp-5.8-ipv6-disable-leak.patch b/SOURCES/net-snmp-5.8-ipv6-disable-leak.patch new file mode 100644 index 0000000..aa9718f --- /dev/null +++ b/SOURCES/net-snmp-5.8-ipv6-disable-leak.patch @@ -0,0 +1,38 @@ +diff -up net-snmp-5.7.2/agent/mibgroup/ip-mib/data_access/systemstats_linux.c.rhbz2134359 net-snmp-5.7.2/agent/mibgroup/ip-mib/data_access/systemstats_linux.c +--- net-snmp-5.7.2/agent/mibgroup/ip-mib/data_access/systemstats_linux.c.rhbz2134359 2022-10-13 11:10:12.206072210 +0200 ++++ net-snmp-5.7.2/agent/mibgroup/ip-mib/data_access/systemstats_linux.c 2022-10-13 11:10:40.893111569 +0200 +@@ -566,6 +566,7 @@ _systemstats_v6_load_systemstats(netsnmp + DEBUGMSGTL(("access:systemstats", + "Failed to load Systemstats Table (linux1), cannot open %s\n", + filename)); ++ netsnmp_access_systemstats_entry_free(entry); + return 0; + } + +diff --git a/agent/mibgroup/ucd-snmp/lmsensorsMib.c b/agent/mibgroup/ucd-snmp/lmsensorsMib.c +index f709812fdc..ef93eeedc9 100644 +--- a/agent/mibgroup/ucd-snmp/lmsensorsMib.c ++++ b/agent/mibgroup/ucd-snmp/lmsensorsMib.c +@@ -94,7 +94,9 @@ initialize_lmSensorsTable(const char *tableName, const oid *tableOID, + netsnmp_table_helper_add_indexes(table_info, ASN_INTEGER, 0); + table_info->min_column = COLUMN_LMSENSORS_INDEX; + table_info->max_column = COLUMN_LMSENSORS_VALUE; +- netsnmp_container_table_register( reg, table_info, container, 0 ); ++ if (netsnmp_container_table_register(reg, table_info, container, 0) != ++ SNMPERR_SUCCESS) ++ return; + + /* + * If the HAL sensors module was configured as an on-demand caching +diff -up net-snmp-5.7.2/snmplib/snmp_logging.c.rhbz2134359 net-snmp-5.7.2/snmplib/snmp_logging.c +--- net-snmp-5.7.2/snmplib/snmp_logging.c.rhbz2134359 2022-10-13 11:11:25.599172905 +0200 ++++ net-snmp-5.7.2/snmplib/snmp_logging.c 2022-10-13 11:12:26.986257126 +0200 +@@ -534,7 +534,7 @@ snmp_log_options(char *optarg, int argc, + char * + snmp_log_syslogname(const char *pstr) + { +- if (pstr) ++ if (pstr && (pstr != syslogname)) + strlcpy (syslogname, pstr, sizeof(syslogname)); + + return syslogname; diff --git a/SOURCES/net-snmp-5.8-memleak-backport.patch b/SOURCES/net-snmp-5.8-memleak-backport.patch new file mode 100644 index 0000000..90b6835 --- /dev/null +++ b/SOURCES/net-snmp-5.8-memleak-backport.patch @@ -0,0 +1,92 @@ +From c6facf2f080c9e1ea803e4884dc92889ec83d990 Mon Sep 17 00:00:00 2001 +From: Drew A Roedersheimer +Date: Wed, 10 Oct 2018 21:42:35 -0700 +Subject: [PATCH] snmplib/keytools: Fix a memory leak + +Avoid that Valgrind reports the following memory leak: + +17,328 bytes in 361 blocks are definitely lost in loss record 696 of 704 + at 0x4C29BE3: malloc (vg_replace_malloc.c:299) + by 0x52223B7: CRYPTO_malloc (in /usr/lib64/libcrypto.so.1.0.2k) + by 0x52DDB06: EVP_MD_CTX_create (in /usr/lib64/libcrypto.so.1.0.2k) + by 0x4E9885D: generate_Ku (keytools.c:186) + by 0x40171F: asynchronous (leaktest.c:276) + by 0x400FE7: main (leaktest.c:356) +--- + snmplib/keytools.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/snmplib/keytools.c b/snmplib/keytools.c +index 2cf0240abf..dcdae044ac 100644 +--- a/snmplib/keytools.c ++++ b/snmplib/keytools.c +@@ -186,11 +186,15 @@ generate_Ku(const oid * hashtype, u_int hashtype_len, + ctx = EVP_MD_CTX_create(); + #else + ctx = malloc(sizeof(*ctx)); +- if (!EVP_MD_CTX_init(ctx)) +- return SNMPERR_GENERR; ++ if (!EVP_MD_CTX_init(ctx)) { ++ rval = SNMPERR_GENERR; ++ goto generate_Ku_quit; ++ } + #endif +- if (!EVP_DigestInit(ctx, hashfn)) +- return SNMPERR_GENERR; ++ if (!EVP_DigestInit(ctx, hashfn)) { ++ rval = SNMPERR_GENERR; ++ goto generate_Ku_quit; ++ } + + #elif NETSNMP_USE_INTERNAL_CRYPTO + #ifndef NETSNMP_DISABLE_MD5 +From 67726f2a74007b5b4117fe49ca1e02c86110b624 Mon Sep 17 00:00:00 2001 +From: Drew A Roedersheimer +Date: Tue, 9 Oct 2018 23:28:25 +0000 +Subject: [PATCH] snmplib: Fix a memory leak in scapi.c + +This patch avoids that Valgrind reports the following leak: + +==1069== 3,456 bytes in 72 blocks are definitely lost in loss record 1,568 of 1,616 +==1069== at 0x4C29BE3: malloc (vg_replace_malloc.c:299) +==1069== by 0x70A63B7: CRYPTO_malloc (in /usr/lib64/libcrypto.so.1.0.2k) +==1069== by 0x7161B06: EVP_MD_CTX_create (in /usr/lib64/libcrypto.so.1.0.2k) +==1069== by 0x4EA3017: sc_hash (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EA1CD8: hash_engineID (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EA1DEC: search_enginetime_list (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EA2256: set_enginetime (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EC495E: usm_process_in_msg (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4EC58CA: usm_secmod_process_in_msg (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4E7B91D: snmpv3_parse (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4E7C1F6: ??? (in /usr/lib64/libnetsnmp.so.31.0.2) +==1069== by 0x4E7CE94: ??? (in /usr/lib64/libnetsnmp.so.31.0.2) + +[ bvanassche: minimized diffs / edited commit message ] +--- + snmplib/scapi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/snmplib/scapi.c b/snmplib/scapi.c +index 8ad1d70d90..54310099d8 100644 +--- a/snmplib/scapi.c ++++ b/snmplib/scapi.c +@@ -967,7 +967,8 @@ sc_hash_type(int auth_type, const u_char * buf, size_t buf_len, u_char * MAC, + #endif + if (!EVP_DigestInit(cptr, hashfn)) { + /* requested hash function is not available */ +- return SNMPERR_SC_NOT_CONFIGURED; ++ rval = SNMPERR_SC_NOT_CONFIGURED; ++ goto sc_hash_type_quit; + } + + /** pass the data */ +@@ -976,6 +977,8 @@ sc_hash_type(int auth_type, const u_char * buf, size_t buf_len, u_char * MAC, + /** do the final pass */ + EVP_DigestFinal(cptr, MAC, &tmp_len); + *MAC_len = tmp_len; ++ ++sc_hash_type_quit: + #if defined(HAVE_EVP_MD_CTX_FREE) + EVP_MD_CTX_free(cptr); + #elif defined(HAVE_EVP_MD_CTX_DESTROY) + diff --git a/SOURCES/net-snmp-5.8-proxy-time-out.patch b/SOURCES/net-snmp-5.8-proxy-time-out.patch new file mode 100644 index 0000000..3a9d0f7 --- /dev/null +++ b/SOURCES/net-snmp-5.8-proxy-time-out.patch @@ -0,0 +1,33 @@ +From 6fd7499ccaafdf244a74306972562b2091cb91b1 Mon Sep 17 00:00:00 2001 +From: fisabelle +Date: Thu, 9 Jul 2020 15:49:35 -0400 +Subject: [PATCH] Issue#147: Net-SNMP not responding when proxy requests times + out + +--- + agent/mibgroup/ucd-snmp/proxy.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c +index 24ae9322bd..e0ee96b29a 100644 +--- a/agent/mibgroup/ucd-snmp/proxy.c ++++ b/agent/mibgroup/ucd-snmp/proxy.c +@@ -572,6 +572,17 @@ proxy_got_response(int operation, netsnmp_session * sess, int reqid, + } + + switch (operation) { ++ case NETSNMP_CALLBACK_OP_RESEND: ++ /* ++ * Issue#147: Net-SNMP not responding when proxy requests times out ++ * ++ * When snmp_api issue a resend, the default case was hit and the ++ * delagated cache was freed. ++ * As a result, the NETSNMP_CALLBACK_OP_TIMED_OUT never came in. ++ */ ++ DEBUGMSGTL(("proxy", "pdu has been resent for request = %8p\n", requests)); ++ return SNMP_ERR_NOERROR; ++ + case NETSNMP_CALLBACK_OP_TIMED_OUT: + /* + * WWWXXX: don't leave requests delayed if operation is + diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec index e0dfd5a..9c7f998 100644 --- a/SPECS/net-snmp.spec +++ b/SPECS/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.8 -Release: 25%{?dist} +Release: 27%{?dist} Epoch: 1 License: BSD @@ -71,6 +71,11 @@ Patch42: net-snmp-5.8-engine-id.patch Patch43: net-snmp-5.8-certs.patch Patch44: net-snmp-5.8-util-fix.patch Patch45: net-snmp-5.8-deleted-iface.patch +Patch46: net-snmp-5.8-memleak-backport.patch +Patch47: net-snmp-5.8-dev-mem-leak.patch +Patch48: net-snmp-5.8-CVE-2022-44792-44793.patch +Patch49: net-snmp-5.8-ipv6-disable-leak.patch +Patch50: net-snmp-5.8-proxy-time-out.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch @@ -241,6 +246,11 @@ rm -r python %patch43 -p1 -b .certs %patch44 -p1 -b .utils %patch45 -p1 -b .ifaces +%patch46 -p1 -b .memleak-backport +%patch47 -p1 -b .dev-mem-leak +%patch48 -p1 +%patch49 -p1 -b .ipv6-disable-leak +%patch50 -p1 -b .proxy-time-out %patch101 -p1 -b .modern-rpm-api @@ -495,6 +505,15 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Tue Jan 31 2023 Josef Ridky - 1:5.8-27 +- fix memory leak due of proc file creating (#2105957) +- fix CVE-2022-44792 and CVE-2022-44793 (#2141901) and (#2141905) +- fix memory leak when ipv6 disable set to 1 (#2151537) +- fix proxy timeout issue (#2160723) + +* Mon Oct 17 2022 Josef Ridky - 1:5.8-26 +- backport two memory leaks from upstream (#2134635) + * Mon Feb 21 2022 Josef Ridky - 1:5.8-25 - fix segfault with error on subcontainer (#2051370)