From d64778d13978fcb03845ec040d47941ec9887f56 Mon Sep 17 00:00:00 2001 From: Fredrik Rinnestam Date: Sat, 10 Mar 2018 16:59:13 +0100 Subject: [PATCH] [notify] net-snmp: fix for CVE-2018-1000116. Closes FS#1611 --- net-snmp/.md5sum | 1 + net-snmp/.signature | 5 +- net-snmp/CVE-2018-1000116.patch | 117 ++++++++++++++++++++++++++++++++ net-snmp/Pkgfile | 8 ++- 4 files changed, 127 insertions(+), 4 deletions(-) create mode 100644 net-snmp/CVE-2018-1000116.patch diff --git a/net-snmp/.md5sum b/net-snmp/.md5sum index dcb6da710..7b67e526a 100644 --- a/net-snmp/.md5sum +++ b/net-snmp/.md5sum @@ -1,5 +1,6 @@ aea518953798008a1db91951eefd8da8 0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch ebbb1fa141e14932882f6c747f3fe4b4 0001-Remove-U64-typedef.patch +fcbab0e8e6c5cc76da637d1d71aaec3b CVE-2018-1000116.patch d4a3459e1577d0efa8d96ca70a885e53 net-snmp-5.7.3.tar.gz 0ac35ebc69c521313cf0c24b9afb3b22 snmpd e75939cb0b4648856d07b9c04610af5d snmpd.conf diff --git a/net-snmp/.signature b/net-snmp/.signature index 5c2ddb246..de275c015 100644 --- a/net-snmp/.signature +++ b/net-snmp/.signature 
@@ -1,9 +1,10 @@ untrusted comment: verify with /etc/ports/contrib.pub -RWSagIOpLGJF32Zho/UyinbScWY8yuoUMXGJXBPFiQYJSByEeJFvk8IaMq6t7CGAVP3/sP7tEb2udJe3cjfDtjEKaSQlmlDPGAA= -SHA256 (Pkgfile) = ecf9b8008b80c92e2b3fae29d7f54690b19dc454e988b33408d39d819549afc8 +RWSagIOpLGJF35iPFRGPHBp052IZ8HEewZKWqzRTFdF4mLoiWkKVqpMKnfTviYE9OnUgfC4vx26RSXVcn5fB4ZCbzb+kAt+IqAg= +SHA256 (Pkgfile) = 6597db3298de9e37c021ee96851f67e9a349758a8505b536927e6c3beac2644a SHA256 (.footprint) = 2d2151d495c0cefd7ba68f015153e8e75fba53dd10165903220b0fe2c68e27c3 SHA256 (net-snmp-5.7.3.tar.gz) = 12ef89613c7707dc96d13335f153c1921efc9d61d3708ef09f3fc4a7014fb4f0 SHA256 (snmpd) = 2f8945dd66668cccd4ad884bbc1f425dfb5ace1261a5c410182222c928f54a34 SHA256 (snmpd.conf) = fc23c35aa4e275456cb9e7e1a4c2af06a9ec089126932a98aef39093a3c33e3e SHA256 (0001-Remove-U64-typedef.patch) = 5ba67c44ec792c6509e9f91bc2561b7c74231c7123b67e4f45b997ea6b3fa4ec SHA256 (0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch) = 77b9bf66b7f4ee6be486c945602fcbcf37d48a7b2514f3c9ba1e49550f4cab96 +SHA256 (CVE-2018-1000116.patch) = 49b1c3509d53b1346c10282c29ac8e2020d40921f7287017ce4f24e06c0a301d diff --git a/net-snmp/CVE-2018-1000116.patch b/net-snmp/CVE-2018-1000116.patch new file mode 100644 index 000000000..f33b075b5 --- /dev/null +++ b/net-snmp/CVE-2018-1000116.patch 
@@ -0,0 +1,117 @@
+--- a/snmplib/snmp_api.c
++++ b/snmplib/snmp_api.c
+@@ -4350,10 +4350,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ u_char type;
+ u_char msg_type;
+ u_char *var_val;
+- int badtype = 0;
+ size_t len;
+ size_t four;
+- netsnmp_variable_list *vp = NULL;
++ netsnmp_variable_list *vp = NULL, *vplast = NULL;
+ oid objid[MAX_OID_LEN];
+ u_char *p;
+
+@@ -4493,38 +4492,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+ "varbinds");
+ if (data == NULL)
+- return -1;
++ goto fail;
+
+ /*
+ * get each varBind sequence
+ */
+ while ((int) *length > 0) {
+- netsnmp_variable_list *vptemp;
+- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+- if (NULL == vptemp) {
+- return -1;
+- }
+- if (NULL == vp) {
+- pdu->variables = vptemp;
+- } else {
+- vp->next_variable = vptemp;
+- }
+- vp = vptemp;
++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++ if (NULL == vp)
++ goto fail;
+
+- vp->next_variable = NULL;
+- vp->val.string = NULL;
+ vp->name_length = MAX_OID_LEN;
+- vp->name = NULL;
+- vp->index = 0;
+- vp->data = NULL;
+- vp->dataFreeHook = NULL;
+ DEBUGDUMPSECTION("recv", "VarBind");
+ data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+ &vp->val_len, &var_val, length);
+ if (data == NULL)
+- return -1;
++ goto fail;
+ if (snmp_set_var_objid(vp, objid, vp->name_length))
+- return -1;
++ goto fail;
+
+ len = MAX_PACKET_LENGTH;
+ DEBUGDUMPHEADER("recv", "Value");
+@@ -4604,7 +4589,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ vp->val.string = (u_char *) malloc(vp->val_len);
+ }
+ if (vp->val.string == NULL) {
+- return -1;
++ goto fail;
+ }
+ p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+ &vp->val_len);
+@@ -4619,7 +4604,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ vp->val_len *= sizeof(oid);
+ vp->val.objid = (oid *) malloc(vp->val_len);
+ if (vp->val.objid == NULL) {
+- return -1;
++ goto fail;
+ }
+ memmove(vp->val.objid, objid, vp->val_len);
+ break;
+@@ -4631,7 +4616,7
@@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ case ASN_BIT_STR:
+ vp->val.bitstring = (u_char *) malloc(vp->val_len);
+ if (vp->val.bitstring == NULL) {
+- return -1;
++ goto fail;
+ }
+ p = asn_parse_bitstring(var_val, &len, &vp->type,
+ vp->val.bitstring, &vp->val_len);
+@@ -4640,12 +4625,28 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ break;
+ default:
+ snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+- badtype = -1;
++ goto fail;
+ break;
+ }
+ DEBUGINDENTADD(-4);
++
++ if (NULL == vplast) {
++ pdu->variables = vp;
++ } else {
++ vplast->next_variable = vp;
++ }
++ vplast = vp;
++ vp = NULL;
+ }
+- return badtype;
++ return 0;
++
++ fail:
++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++ /** if we were parsing a var, remove it from the pdu and free it */
++ if (vp)
++ snmp_free_var(vp);
++
++ return -1;
+ }
+
+ /*
diff --git a/net-snmp/Pkgfile b/net-snmp/Pkgfile
index 96809a39d..1f67347a2 100644
--- a/net-snmp/Pkgfile
+++ b/net-snmp/Pkgfile
@@ -5,16 +5,20 @@ name=net-snmp version=5.7.3 -release=4 +release=5 source=(http://download.sourceforge.net/$name/$name-$version.tar.gz \ snmpd snmpd.conf \ 0001-Remove-U64-typedef.patch \ - 0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch) + 0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch \ + CVE-2018-1000116.patch) build() { cd $name-$version + patch -p1 -i $SRC/0001-Remove-U64-typedef.patch patch -p1 -i $SRC/0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch + patch -p1 -i $SRC/CVE-2018-1000116.patch + export NETSNMP_DONT_CHECK_VERSION=1 ./configure --prefix=/usr \ --sysconfdir=/etc \
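Review bot: In the embedded snmp_api.c patch, a varbind is now linked into `pdu->variables` only at the bottom of the `while` loop, so any exit from the loop body that bypasses `fail:` leaks `vp` and any value buffer malloc'd for it. The visible inner hunks convert the allocation-failure returns, but `p = asn_parse_string(...)` and `p = asn_parse_bitstring(...)` are assigned with no check shown, and the lines between the inner hunks are outside this diff. If the 5.7.3 source still has a `return -1` after any `asn_parse_*` call in that loop, a malformed packet would leak one varbind per request, so each should read `if (!p) goto fail;`. The comment at `fail:` is also stale, since `vp` has not been attached to the pdu at that point; `/* free the varbind being parsed; it is not yet linked into the pdu */` describes the cleanup accurately. The `break;` after `goto fail;` in the `default:` case is unreachable and can be dropped.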