diff --git a/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch b/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch
new file mode 100644
index 0000000..394c714
--- /dev/null
+++ b/SOURCES/net-snmp-5.7.2-CVE-2020-15862.patch
@@ -0,0 +1,70 @@
+diff -urNp old/agent/mibgroup/agent/extend.c new/agent/mibgroup/agent/extend.c
+--- old/agent/mibgroup/agent/extend.c 2020-11-11 12:41:46.377115142 +0100
++++ new/agent/mibgroup/agent/extend.c 2020-11-11 12:50:28.047142105 +0100
+@@ -16,6 +16,12 @@
+ #define SHELLCOMMAND 3
+ #endif
+
++/* This mib is potentially dangerous to turn on by default, since it
++ * allows arbitrary commands to be set by anyone with SNMP WRITE
++ * access to the MIB table. If all of your users are "root" level
++ * users, then it may be safe to turn on. */
++#define ENABLE_EXTEND_WRITE_ACCESS 0
++
+ netsnmp_feature_require(extract_table_row_data)
+ netsnmp_feature_require(table_data_delete_table)
+ #ifndef NETSNMP_NO_WRITE_SUPPORT
+@@ -723,7 +729,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ *
+ **********/
+
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ case MODE_SET_RESERVE1:
+ /*
+ * Validate the new assignments
+@@ -1049,7 +1055,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ break;
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT and ENABLE_EXTEND_WRITE_ACCESS */
+
+ default:
+ netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);
+@@ -1057,7 +1063,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ /*
+ * If we're marking a given row as active,
+ * then we need to check that it's ready.
+@@ -1082,7 +1088,7 @@ handle_nsExtendConfigTable(netsnmp_mib_h
+ }
+ }
+ }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+
+ return SNMP_ERR_NOERROR;
+ }
+@@ -1571,7 +1577,7 @@ fixExec2Error(int action,
+ idx = name[name_len-1] -1;
+ exten = &compatability_entries[ idx ];
+
+-#ifndef NETSNMP_NO_WRITE_SUPPORT
++#if !defined(NETSNMP_NO_WRITE_SUPPORT) && ENABLE_EXTEND_WRITE_ACCESS
+ switch (action) {
+ case MODE_SET_RESERVE1:
+ if (var_val_type != ASN_INTEGER) {
+@@ -1592,7 +1598,7 @@ fixExec2Error(int action,
+ case MODE_SET_COMMIT:
+ netsnmp_cache_check_and_reload( exten->efix_entry->cache );
+ }
+-#endif /* !NETSNMP_NO_WRITE_SUPPORT */
++#endif /* !NETSNMP_NO_WRITE_SUPPORT && ENABLE_EXTEND_WRITE_ACCESS */
+ return SNMP_ERR_NOERROR;
+ }
+ #endif /* USING_UCD_SNMP_EXTENSIBLE_MODULE */
diff --git a/SOURCES/net-snmp-5.8-bulk.patch b/SOURCES/net-snmp-5.8-bulk.patch
new file mode 100644
index 0000000..6e0a563
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-bulk.patch
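Review bot: With `ENABLE_EXTEND_WRITE_ACCESS` fixed at 0 in net-snmp-5.7.2-CVE-2020-15862.patch, the whole `switch (action)` in fixExec2Error is compiled out and the function falls straight through to `return SNMP_ERR_NOERROR;`, so a SET that reaches this handler would be answered as successful although nothing was done. An `#else` branch holding `return SNMP_ERR_NOTWRITABLE;` before the `#endif` would make the refusal explicit to the manager and easier to spot in monitoring; whether the handler is still registered for writes in this configuration is not visible here. In handle_nsExtendConfigTable the SET modes now land in the `default:` case and get `SNMP_ERR_GENERR`, where a not-writable error would describe the situation more precisely. Both functions begin and end outside the hunks shown.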
@@ -0,0 +1,51 @@
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-09-29 14:08:09.821479662 +0200
++++ b/snmplib/snmp_api.c 2020-10-01 10:15:46.607374362 +0200
+@@ -769,7 +769,7 @@ snmp_sess_init(netsnmp_session * session
+ session->retries = SNMP_DEFAULT_RETRIES;
+ session->version = SNMP_DEFAULT_VERSION;
+ session->securityModel = SNMP_DEFAULT_SECMODEL;
+- session->rcvMsgMaxSize = SNMP_MAX_MSG_SIZE;
++ session->rcvMsgMaxSize = netsnmp_max_send_msg_size();
+ session->sndMsgMaxSize = netsnmp_max_send_msg_size();
+ session->flags |= SNMP_FLAGS_DONT_PROBE;
+ }
+@@ -2731,7 +2731,7 @@ snmpv3_packet_build(netsnmp_session * se
+ /*
+ * build a scopedPDU structure into spdu_buf
+ */
+- spdu_buf_len = SNMP_MAX_MSG_SIZE;
++ spdu_buf_len = sizeof(spdu_buf);
+ DEBUGDUMPSECTION("send", "ScopedPdu");
+ cp = snmpv3_scopedPDU_header_build(pdu, spdu_buf, &spdu_buf_len,
+ &spdu_hdr_e);
+@@ -2743,6 +2743,11 @@ snmpv3_packet_build(netsnmp_session * se
+ */
+ DEBUGPRINTPDUTYPE("send", ((pdu_data) ? *pdu_data : 0x00));
+ if (pdu_data) {
++ if (cp + pdu_data_len > spdu_buf + sizeof(spdu_buf)) {
++ snmp_log(LOG_ERR, "%s: PDU too big (%" NETSNMP_PRIz "d > %" NETSNMP_PRIz "d)\n",
++ __func__, pdu_data_len, sizeof(spdu_buf));
++ return -1;
++ }
+ memcpy(cp, pdu_data, pdu_data_len);
+ cp += pdu_data_len;
+ } else {
+@@ -2756,7 +2761,7 @@ snmpv3_packet_build(netsnmp_session * se
+ * re-encode the actual ASN.1 length of the scopedPdu
+ */
+ spdu_len = cp - spdu_hdr_e; /* length of scopedPdu minus ASN.1 headers */
+- spdu_buf_len = SNMP_MAX_MSG_SIZE;
++ spdu_buf_len = sizeof(spdu_buf);
+ if (asn_build_sequence(spdu_buf, &spdu_buf_len,
+ (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+ spdu_len) == NULL)
+@@ -2769,7 +2774,7 @@ snmpv3_packet_build(netsnmp_session * se
+ * message - the entire message to transmitted on the wire is returned
+ */
+ cp = NULL;
+- *out_length = SNMP_MAX_MSG_SIZE;
++ *out_length = sizeof(spdu_buf);
+ DEBUGDUMPSECTION("send", "SM msgSecurityParameters");
+ sptr = find_sec_mod(pdu->securityModel);
+ if (sptr && sptr->encode_forward) {
diff --git a/SOURCES/net-snmp-5.8-clientaddr-error-message.patch b/SOURCES/net-snmp-5.8-clientaddr-error-message.patch
new file mode 100644
index 0000000..d90ff9e
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-clientaddr-error-message.patch
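Review bot: The new bounds check in snmpv3_packet_build (net-snmp-5.8-bulk.patch) is written as `cp + pdu_data_len > spdu_buf + sizeof(spdu_buf)`, which forms a pointer beyond the end of the buffer exactly in the case it is meant to catch; that is undefined behaviour and may wrap for very large lengths, in which case the `memcpy` below would still run. Comparing lengths avoids the problem: `if (pdu_data_len > (size_t)(spdu_buf + sizeof(spdu_buf) - cp)) {`, assuming cp always points inside spdu_buf after the header build, which is not visible here. The log call prints what appear to be size_t values with `NETSNMP_PRIz "d"`; `NETSNMP_PRIz "u"` would match the unsigned type. The function body continues outside the hunks.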
@@ -0,0 +1,23 @@
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-11-26 11:05:51.084788775 +0100
++++ b/snmplib/snmp_api.c 2020-11-26 11:08:27.850751397 +0100
+@@ -235,7 +235,7 @@ static const char *api_errors[-SNMPERR_M
+ "No error", /* SNMPERR_SUCCESS */
+ "Generic error", /* SNMPERR_GENERR */
+ "Invalid local port", /* SNMPERR_BAD_LOCPORT */
+- "Unknown host", /* SNMPERR_BAD_ADDRESS */
++ "Invalid address", /* SNMPERR_BAD_ADDRESS */
+ "Unknown session", /* SNMPERR_BAD_SESSION */
+ "Too long", /* SNMPERR_TOO_LONG */
+ "No socket", /* SNMPERR_NO_SOCKET */
+@@ -1662,7 +1662,9 @@ _sess_open(netsnmp_session * in_session)
+ DEBUGMSGTL(("_sess_open", "couldn't interpret peername\n"));
+ in_session->s_snmp_errno = SNMPERR_BAD_ADDRESS;
+ in_session->s_errno = errno;
+- snmp_set_detail(in_session->peername);
++ if (!netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
++ NETSNMP_DS_LIB_CLIENT_ADDR))
++ snmp_set_detail(in_session->peername);
+ return NULL;
+ }
+
diff --git a/SOURCES/net-snmp-5.8-empty-passphrase.patch b/SOURCES/net-snmp-5.8-empty-passphrase.patch
new file mode 100644
index 0000000..deb0388
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-empty-passphrase.patch
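Review bot: In _sess_open (net-snmp-5.8-clientaddr-error-message.patch) the detail string is now skipped whenever NETSNMP_DS_LIB_CLIENT_ADDR is set, even when the failure was really caused by the peername, so the caller may be left with "Invalid address" and no hint which address was rejected. If the transport code does not set its own detail for a bad client address (not visible in this hunk), reporting the configured client address here would keep the message actionable. The multi-line `if` would also be safer with braces, so that a later edit cannot detach `snmp_set_detail(in_session->peername);` from its condition. The function continues outside the hunk.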
@@ -0,0 +1,30 @@
+From 09a0c9005fb72102bf4f4499b28282f823e3e526 Mon Sep 17 00:00:00 2001
+From: Josef Ridky
+Date: Wed, 18 Nov 2020 20:54:34 -0800
+Subject: [PATCH] net-snmp-create-v3-user: Handle empty passphrases correctly
+
+See also https://github.com/net-snmp/net-snmp/issues/86.
+
+Fixes: e5ad10de8e17 ("Quote provided encryption key in createUser line")
+Reported-by: Chris Cheney
+---
+ net-snmp-create-v3-user.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
+index 452c2699d..31b4c58c1 100644
+--- a/net-snmp-create-v3-user.in
++++ b/net-snmp-create-v3-user.in
+@@ -120,7 +120,11 @@ fi
+ fi
+ outdir="@PERSISTENT_DIRECTORY@"
+ outfile="$outdir/snmpd.conf"
+-line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
++if test "x$xpassphrase" = "x" ; then
++ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm"
++else
++ line="createUser $user $Aalgorithm \"$apassphrase\" $Xalgorithm \"$xpassphrase\""
++fi
+ echo "adding the following line to $outfile:"
+ echo " " $line
+ # in case it hasn't ever been started yet, start it.
diff --git a/SOURCES/net-snmp-5.8-ipv6-disabled.patch b/SOURCES/net-snmp-5.8-ipv6-disabled.patch
new file mode 100644
index 0000000..824c09c
--- /dev/null
+++ b/SOURCES/net-snmp-5.8-ipv6-disabled.patch
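Review bot: Both branches of the new `if` in net-snmp-create-v3-user.in still place `$apassphrase` and `$xpassphrase` between escaped double quotes without checking their content, so a passphrase that itself contains `"` would close the quoted field early and change how the createUser line written to `$outfile` is parsed. Rejecting such input before `line=` is built keeps the generated configuration well-formed, for example `case "$apassphrase$xpassphrase" in *\"*) echo "passphrase must not contain a double quote" >&2; exit 1;; esac`. How snmpd treats backslashes inside quoted tokens is not visible here and may need the same treatment. The rest of the script lies outside the hunk, so an earlier validation step may already exist.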
@@ -0,0 +1,31 @@
+diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
+--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2020-09-29 14:08:09.742478965 +0200
++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2020-10-01 14:20:25.575174851 +0200
+@@ -19,6 +19,7 @@
+
+ #include
+ #include
++#include
+
+ netsnmp_feature_require(prefix_info)
+ netsnmp_feature_require(find_prefix_info)
+@@ -234,7 +235,18 @@ _load_v6(netsnmp_container *container, i
+
+ #define PROCFILE "/proc/net/if_inet6"
+ if (!(in = fopen(PROCFILE, "r"))) {
+- NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));
++
++ /*
++ * If PROCFILE exists, but isn't readable, file ERROR message.
++ * Otherwise log nothing, due of IPv6 support on this machine is
++ * intentionaly disabled/unavailable.
++ */
++
++ struct stat filestat;
++
++ if(stat(PROCFILE, &filestat) == 0){
++ NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));
++ }
+ return -2;
+ }
+
diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec
index f85bdff..01e46f7 100644
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@@ -10,7 +10,7 @@
 Summary: A collection of SNMP protocol tools and libraries
 Name: net-snmp
 Version: 5.8
-Release: 17%{?dist}
+Release: 19%{?dist}
 Epoch: 1
 License: BSD
@@ -56,6 +56,11 @@ Patch27: net-snmp-5.8-ipAddress-faster-load.patch
 Patch28: net-snmp-5.8-rpm-memory-leak.patch
 Patch29: net-snmp-5.8-sec-memory-leak.patch
 Patch30: net-snmp-5.8-aes-config.patch
+Patch31: net-snmp-5.7.2-CVE-2020-15862.patch
+Patch32: net-snmp-5.8-bulk.patch
+Patch33: net-snmp-5.8-clientaddr-error-message.patch
+Patch34: net-snmp-5.8-ipv6-disabled.patch
+Patch35: net-snmp-5.8-empty-passphrase.patch
 # Modern RPM API means at least EL6
 Patch101: net-snmp-5.8-modern-rpm-api.patch
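Review bot: In _load_v6 (net-snmp-5.8-ipv6-disabled.patch) the added `stat(PROCFILE, &filestat)` takes a second look at the filesystem after `fopen()` has already failed, so the decision to log is based on a later state, and nothing is logged when stat itself fails for a reason other than the file being absent, such as a permission error on the path. Testing the error of the failed open is shorter and exact: `if (errno != ENOENT) NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));`, which also makes the `filestat` local and the extra include unnecessary. This assumes errno.h is already in scope in the file; the include names are cut off on this page and the function body continues outside the hunk.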
@@ -211,6 +216,11 @@ rm -r python
 %patch28 -p1 -b .rpm-memory-leak
 %patch29 -p1 -b .sec-memory-leak
 %patch30 -p1 -b .aes-config
+%patch31 -p1 -b .CVE-2020-15862
+%patch32 -p1 -b .bulk
+%patch33 -p1 -b .clientaddr-error-message
+%patch34 -p1 -b .ipv6-disabled
+%patch35 -p1 -b .empty-passphrase
 %patch101 -p1 -b .modern-rpm-api
@@ -389,8 +399,8 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %doc README.thread AGENT.txt PORTING local/README.mib2c
 %doc IETF-MIB-LICENSE.txt
 %dir %{_sysconfdir}/snmp
-%config(noreplace) %attr(0650,root,root) %{_sysconfdir}/snmp/snmpd.conf
-%config(noreplace) %attr(0650,root,root) %{_sysconfdir}/snmp/snmptrapd.conf
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmpd.conf
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/snmp/snmptrapd.conf
 %{_bindir}/snmpconf
 %{_bindir}/net-snmp-create-v3-user
 %{_sbindir}/*
@@ -465,6 +475,17 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_libdir}/libnetsnmptrapd*.so.%{soname}*
 %changelog
+* Tue Dec 01 2020 Josef Ridky - 1:5.8-19
+- revert permission of config files to 600 (#1601060)
+- fix error message when the address specified by clientaddr option
+ is wrong or cannot be bound (#1877375)
+- log error with /proc/net/if_inet6 only when IPv6 is enabled (#1824367)
+- fix issue with quoting empty passphrase (#1817225)
+
+* Wed Nov 11 2020 Josef Ridky - 1:5.8-18
+- fix CVE-2020-15862 (#1875497)
+- fix bulk responses for invalid PID (#1817190)
+
 * Tue Aug 11 2020 Josef Ridky - 1:5.8-17
 - add math library in LDFLAGS (#1846252)
@@ -524,7 +545,7 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 * Mon Aug 13 2018 Josef Ridky - 1:5.8-2
 - fix default configuration file (#1589480 and #1594147)
-- modify permissions for /var/log files (#1601060)
+- modify permissions for config files (#1601060)
 * Thu Aug 09 2018 Josef Ridky - 1:5.8-1
 - remove python package and update to the last upstream version (#1584510)