Hi,
I intend to upload a 0-day NMU to fix this bug.
Attached is a debdiff for the fix which also includes a fix 
for the same issue in the python module.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/net-snmp-5.4.1~dfsg-1_5.4.1~dfsg-7.1.patch

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u net-snmp-5.4.1~dfsg/debian/changelog net-snmp-5.4.1~dfsg/debian/changelog
--- net-snmp-5.4.1~dfsg/debian/changelog
+++ net-snmp-5.4.1~dfsg/debian/changelog
@@ -1,3 +1,13 @@
+net-snmp (5.4.1~dfsg-7.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix buffer overflow in the python and perl module (__snprint_value
+    function)that can be exploited via large OCTETSTRING in an
+    attribute value pair (AVP) leading to arbitrary code
+    execution (CVE-2008-2292; Closes: #482333).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Sat, 24 May 2008 13:12:16 +0200
+
 net-snmp (5.4.1~dfsg-7) unstable; urgency=low
 
   * Add some more Conflicts: and Replaces: magic to allow moving
only in patch2:
unchanged:
--- net-snmp-5.4.1~dfsg.orig/debian/patches/48-CVE-2008-2292.patch
+++ net-snmp-5.4.1~dfsg/debian/patches/48-CVE-2008-2292.patch
@@ -0,0 +1,170 @@
+diff -Nurad net-snmp-5.4.1~dfsg.orig/perl/SNMP/SNMP.xs net-snmp-5.4.1~dfsg/perl/SNMP/SNMP.xs
+--- net-snmp-5.4.1~dfsg.orig/perl/SNMP/SNMP.xs	2008-05-24 11:53:07.000000000 +0200
++++ net-snmp-5.4.1~dfsg/perl/SNMP/SNMP.xs	2008-05-24 12:48:16.000000000 +0200
+@@ -470,14 +470,15 @@
+            if (flag == USE_ENUMS) {
+               for(ep = tp->enums; ep; ep = ep->next) {
+                  if (ep->value == *var->val.integer) {
+-                    strcpy(buf, ep->label);
++                    strncpy(buf, ep->label, buf_len);
++                    buf[buf_len -1] = 0;
+                     len = strlen(buf);
+                     break;
+                  }
+               }
+            }
+            if (!len) {
+-              sprintf(buf,"%ld", *var->val.integer);
++              snprintf(buf, buf_len, "%ld", *var->val.integer);
+               len = strlen(buf);
+            }
+            break;
+@@ -486,19 +487,21 @@
+         case ASN_COUNTER:
+         case ASN_TIMETICKS:
+         case ASN_UINTEGER:
+-           sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++           snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+            len = strlen(buf);
+            break;
+ 
+         case ASN_OCTET_STR:
+         case ASN_OPAQUE:
+-           memcpy(buf, (char*)var->val.string, var->val_len);
++           if (len > buf_len)
++               len = buf_len;
++           memcpy(buf, (char*)var->val.string, len);
+            len = var->val_len;
+            break;
+ 
+         case ASN_IPADDRESS:
+           ip = (u_char*)var->val.string;
+-          sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++          snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+           len = strlen(buf);
+           break;
+ 
+@@ -512,13 +515,13 @@
+           break;
+ 
+ 	case SNMP_ENDOFMIBVIEW:
+-          sprintf(buf,"%s", "ENDOFMIBVIEW");
++          snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+ 	  break;
+ 	case SNMP_NOSUCHOBJECT:
+-	  sprintf(buf,"%s", "NOSUCHOBJECT");
++	  snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+ 	  break;
+ 	case SNMP_NOSUCHINSTANCE:
+-	  sprintf(buf,"%s", "NOSUCHINSTANCE");
++	  snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+ 	  break;
+ 
+         case ASN_COUNTER64:
+@@ -538,18 +541,18 @@
+ #endif
+ 
+         case ASN_BIT_STR:
+-            snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
++            snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
+             len = strlen(buf);
+             break;
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+         case ASN_OPAQUE_FLOAT:
+ 	  if (var->val.floatVal)
+-	    sprintf(buf,"%f", *var->val.floatVal);
++	    snprintf(buf, buf_len, "%f", *var->val.floatVal);
+          break;
+          
+         case ASN_OPAQUE_DOUBLE:
+ 	  if (var->val.doubleVal)
+-	    sprintf(buf,"%f", *var->val.doubleVal);
++	    snprintf(buf, buf_len, "%f", *var->val.doubleVal);
+          break;
+ #endif
+          
+diff -Nurad net-snmp-5.4.1~dfsg.orig/python/netsnmp/client_intf.c net-snmp-5.4.1~dfsg/python/netsnmp/client_intf.c
+--- net-snmp-5.4.1~dfsg.orig/python/netsnmp/client_intf.c	2008-05-24 11:53:07.000000000 +0200
++++ net-snmp-5.4.1~dfsg/python/netsnmp/client_intf.c	2008-05-24 12:30:51.000000000 +0200
+@@ -330,14 +330,15 @@
+            if (flag == USE_ENUMS) {
+               for(ep = tp->enums; ep; ep = ep->next) {
+                  if (ep->value == *var->val.integer) {
+-                    strcpy(buf, ep->label);
++                    strncpy(buf, ep->label, buf_len);
++                    buf[buf_len -1] = 0;
+                     len = STRLEN(buf);
+                     break;
+                  }
+               }
+            }
+            if (!len) {
+-              sprintf(buf,"%ld", *var->val.integer);
++              snprintf(buf, buf_len, "%ld", *var->val.integer);
+               len = STRLEN(buf);
+            }
+            break;
+@@ -346,19 +347,21 @@
+         case ASN_COUNTER:
+         case ASN_TIMETICKS:
+         case ASN_UINTEGER:
+-           sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++           snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+            len = STRLEN(buf);
+            break;
+ 
+         case ASN_OCTET_STR:
+         case ASN_OPAQUE:
+-           memcpy(buf, (char*)var->val.string, var->val_len);
++           if(len > buf_len)
++               len = buf_len;
++           memcpy(buf, (char*)var->val.string, len);
+            len = var->val_len;
+            break;
+ 
+         case ASN_IPADDRESS:
+           ip = (u_char*)var->val.string;
+-          sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++          snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+           len = STRLEN(buf);
+           break;
+ 
+@@ -372,13 +375,13 @@
+           break;
+ 
+ 	case SNMP_ENDOFMIBVIEW:
+-          sprintf(buf,"%s", "ENDOFMIBVIEW");
++          snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+ 	  break;
+ 	case SNMP_NOSUCHOBJECT:
+-	  sprintf(buf,"%s", "NOSUCHOBJECT");
++	  snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+ 	  break;
+ 	case SNMP_NOSUCHINSTANCE:
+-	  sprintf(buf,"%s", "NOSUCHINSTANCE");
++	  snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+ 	  break;
+ 
+         case ASN_COUNTER64:
+@@ -398,18 +401,18 @@
+ #endif
+ 
+         case ASN_BIT_STR:
+-            snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
++            snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
+             len = STRLEN(buf);
+             break;
+ #ifdef OPAQUE_SPECIAL_TYPES
+         case ASN_OPAQUE_FLOAT:
+ 	  if (var->val.floatVal)
+-	    sprintf(buf,"%f", *var->val.floatVal);
++	    snprintf(buf, buf_len, "%f", *var->val.floatVal);
+          break;
+          
+         case ASN_OPAQUE_DOUBLE:
+ 	  if (var->val.doubleVal)
+-	    sprintf(buf,"%f", *var->val.doubleVal);
++	    snprintf(buf, buf_len, "%f", *var->val.doubleVal);
+          break;
+ #endif
+          
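Review bot: In the ASN_OCTET_STR/ASN_OPAQUE case of both the SNMP.xs and client_intf.c hunks, the new bounds check compares and copies `len` before `len` is assigned from `var->val_len` (that assignment is only made on the line after the memcpy), so the memcpy copies whatever `len` held on entry rather than the octet string, and the caller is then handed the full, unclamped `val_len`, which can exceed `buf_len` and lets the caller read past the end of `buf`. The three lines should read `len = var->val_len;`, `if (len > buf_len) len = buf_len;`, `memcpy(buf, (char*)var->val.string, len);` with the trailing `len = var->val_len;` dropped, in both files. Clamping silently truncates over-long values, so a comment such as `/* value longer than buf_len is truncated; caller sees the clamped len */` should make that visible. The initial value of `len` and the enclosing `__snprint_value` definitions lie outside these hunks, so whether the copy is zero-length on entry cannot be confirmed from here. Separately, the `strncpy` plus `buf[buf_len -1] = 0` pair in the USE_ENUMS branch could simply be `snprintf(buf, buf_len, "%s", ep->label);`, matching the other branches of the same patch.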

Attachment: pgp80hyeKB1qA.pgp
Description: PGP signature
