Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
[ Reason ]
The security release in deb10u1 made EXTEND-MIB read-only to close a security hole (CVE-2020-15862/Bug #9651166). However, this meant the cacheTime and execType could not be changed, which caused problems with some SNMP managers or setups.

[ Impact ]
The cacheTime and execType cannot be set anywhere, as these parameters appear in net-snmp 5.8, which is in sid but not buster.

[ Tests ]
Tested with Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980
Upstream have the patch and their tests: https://sourceforge.net/p/net-snmp/patches/1290/

My tests:
Install the candidate snmpd on a Debian 10 VM. Configuration file is:

    rocommunity public default
    extend -cacheTime 10 test /usr/bin/date

Run snmpd using this configuration file. On a different host, run:

    watch -d snmpwalk -v 1 -c public {test_server_ip} .1.3.6.1.4.1.8072.1.3.2.3.1.1.4

Notice the date only changes approximately every 10 seconds as the result is cached.

[ Risks ]
The patch is about 30 additional lines. Most users probably don't use the "extend" option, so won't exercise this or the buggy setup.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
Adds two options to the extend command line parameter.

[ Other info ]
None

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
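As an added example (not code from this report or from the net-snmp project), a stand-alone C parser for the argument list of the `extend` directive used in the test configuration above; `struct extend_cfg`, `next_word` and `parse_extend_args` are assumed names. It goes a little beyond the patched snmpd: it accepts `-cacheTime` and `-execType` in either order and rejects a malformed timeout or an unknown exec type instead of silently falling back to the defaults.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct extend_cfg {
    int  cache_timeout, use_shell;   /* seconds (0 = daemon default); 1 when -execType sh */
    char name[64], prog[256], args[256];
};
/* Cut the next whitespace-delimited word out of *p (stand-in for net-snmp's copy_nword). */
static char *next_word(char **p)
{
    char *s = *p, *start;
    while (*s == ' ' || *s == '\t') s++;
    if (!*s) { *p = s; return NULL; }
    for (start = s; *s && *s != ' ' && *s != '\t'; s++) ;
    if (*s) *s++ = '\0';
    *p = s; return start;
}
/* Parse what follows "extend" in snmpd.conf, e.g. "-cacheTime 10 test /usr/bin/date".
 * Unlike the patch (atoi, fixed option order, silent fallback to exec), options may come in
 * either order and -1 is returned on a non-numeric or negative timeout, an unknown
 * -execType value, an unknown option, or a missing NAME/PROG. */
int parse_extend_args(const char *line, struct extend_cfg *cfg)
{
    char buf[512], *p = buf, *tok;
    memset(cfg, 0, sizeof *cfg);
    if (snprintf(buf, sizeof buf, "%s", line) >= (int)sizeof buf) return -1;  /* too long */
    while ((tok = next_word(&p)) != NULL && tok[0] == '-') {
        char *val = next_word(&p);
        if (!val) return -1;
        if (strcmp(tok, "-cacheTime") == 0) {
            char *end; errno = 0;
            long t = strtol(val, &end, 10);
            if (errno || end == val || *end || t < 0 || t > INT_MAX) return -1;
            cfg->cache_timeout = (int)t;
        } else if (strcmp(tok, "-execType") == 0) {
            if (strcmp(val, "sh") == 0) cfg->use_shell = 1;
            else if (strcmp(val, "exec")) return -1;   /* "shell", "bash", ... are errors */
        } else return -1;                              /* unknown option */
    }
    /* tok is now NAME, or the optional MIBOID root (starts with '.'), which we skip */
    if (!tok || (tok[0] == '.' && !(tok = next_word(&p)))) return -1;
    snprintf(cfg->name, sizeof cfg->name, "%s", tok);
    if (!(tok = next_word(&p))) return -1;
    snprintf(cfg->prog, sizeof cfg->prog, "%s", tok);
    while (*p == ' ' || *p == '\t') p++;
    snprintf(cfg->args, sizeof cfg->args, "%s", p);   /* remainder = PROG's ARGS */
    return 0;
}
```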
diff -Nru net-snmp-5.7.3+dfsg/debian/changelog net-snmp-5.7.3+dfsg/debian/changelog --- net-snmp-5.7.3+dfsg/debian/changelog 2020-07-31 20:53:22.000000000 +1000 +++ net-snmp-5.7.3+dfsg/debian/changelog 2020-09-07 07:16:17.000000000 +1000 @@ -1,3 +1,13 @@ +net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high + + * snmpd: Add cacheTime and execType flags to EXTEND-MIB. + Previous security release made EXTEND-MIB read-only which meant + it was not possible to set the timeout of the cache. This patch + allows administrator to set the value in the snmpd.conf file. + Closes: #969508 + + -- Craig Small <[email protected]> Mon, 07 Sep 2020 07:16:17 +1000 + net-snmp (5.7.3+dfsg-5+deb10u1) buster-security; urgency=high * snmpd: Make EXTEND-MIB readonly access diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series net-snmp-5.7.3+dfsg/debian/patches/series --- net-snmp-5.7.3+dfsg/debian/patches/series 2020-07-31 20:53:22.000000000 +1000 +++ net-snmp-5.7.3+dfsg/debian/patches/series 2020-09-07 07:16:17.000000000 +1000 @@ -44,3 +44,4 @@ snmpd_stop_mib_indexes_files snmp_snmptrapd_disallow_user_change +snmpd_cachetime_exectype diff -Nru net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype --- net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 1970-01-01 10:00:00.000000000 +1000 +++ net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 2020-09-07 07:16:17.000000000 +1000 
@@ -0,0 +1,85 @@ +Description: Add a couple of optional flags to the "extend" config + directive, enabling non-volatile configuration of a couple of aspects that so + far have been configurable only temporarily via SETs: + -cacheTime specifies the cache timeout +Author: Jeff Gehlbach <[email protected]> +Origin: upstream, https://github.com/net-snmp/net-snmp/commit/d8b12900629ed73a78b27535f08c4f0a721a93be +Bug-Debian: https://bugs.debian.org/969508 +Applied-Upstream: 5.8 +Reviewed-by: Craig Small <[email protected]> +Last-Update: 2020-09-05 +--- a/agent/mibgroup/agent/extend.c ++++ b/agent/mibgroup/agent/extend.c +@@ -528,8 +528,27 @@ + size_t oid_len; + extend_registration_block *eptr; + int flags; ++ char cache_timeout_str[STRMAX]; ++ int cache_timeout = 0; ++ char exec_type_str[STRMAX]; ++ int exec_type = NS_EXTEND_ETYPE_EXEC; + + cptr = copy_nword(cptr, exec_name, sizeof(exec_name)); ++ if ( !strcmp( exec_name, "-cacheTime") ) { ++ cptr = copy_nword(cptr, cache_timeout_str, sizeof(cache_timeout_str)); ++ /* If atoi can't do the conversion, it returns 0 */ ++ cache_timeout = atoi(cache_timeout_str); ++ cptr = copy_nword(cptr, exec_name, sizeof(exec_name)); ++ } ++ if ( !strcmp( exec_name, "-execType") ) { ++ cptr = copy_nword(cptr, exec_type_str, sizeof(exec_type_str)); ++ if ( !strcmp( exec_type_str, "sh" ) ) { ++ exec_type = NS_EXTEND_ETYPE_SHELL; ++ } else { ++ exec_type = NS_EXTEND_ETYPE_EXEC; ++ } ++ cptr = copy_nword(cptr, exec_name, sizeof(exec_name)); ++ } + if ( *exec_name == '.' 
) { + oid_len = MAX_OID_LEN - 2; + if (0 == read_objid( exec_name, oid_buf, &oid_len )) { +@@ -551,7 +570,8 @@ + flags = (NS_EXTEND_FLAGS_ACTIVE | NS_EXTEND_FLAGS_CONFIG); + if (!strcmp( token, "sh" ) || + !strcmp( token, "extend-sh" ) || +- !strcmp( token, "sh2" )) ++ !strcmp( token, "sh2" ) || ++ exec_type == NS_EXTEND_ETYPE_SHELL) + flags |= NS_EXTEND_FLAGS_SHELL; + if (!strcmp( token, "execFix" ) || + !strcmp( token, "extendfix" ) || +@@ -572,6 +592,8 @@ + extension->command = strdup( exec_command ); + if (cptr) + extension->args = strdup( cptr ); ++ if (cache_timeout != 0) ++ extension->cache->timeout = cache_timeout; + } else { + snmp_log(LOG_ERR, "Failed to register extend entry '%s' - possibly duplicate name.\n", exec_name ); + return; +--- a/man/snmpd.conf.5.def ++++ b/man/snmpd.conf.5.def +@@ -1284,7 +1284,7 @@ + .PP + \fIexec\fR and \fIsh\fR extensions can only be configured via the + snmpd.conf file. They cannot be set up via SNMP SET requests. +-.IP "extend [MIBOID] NAME PROG ARGS" ++.IP "extend [-cacheTime TIME] [-execType TYPE] [MIBOID] NAME PROG ARGS" + works in a similar manner to the \fIexec\fR directive, but with a number + of improvements. The MIB tables (\fInsExtendConfigTable\fR + etc) are indexed by the NAME token, so are unaffected by the order in +@@ -1294,6 +1294,14 @@ + for each \fIextend\fR entry, and the other (\fInsExtendOutput2Table\fR) + containing the complete output as a series of separate lines. + .IP ++If -cacheTime is specified, then its argument is used as the cache timeout ++(in whole seconds) for this \fIextend\fR entry. This mechanism provides a ++non-volatile way to specify the cache timeout. ++.IP ++If -execType is specified and has a value of \fIsh\fR, then this \fIextend\fR ++entry will be run in a shell. Otherwise it will be run in the default \fIexec\fR ++fashion. This mechanism provides a non-volatile way to specify the exec type. 
++.IP + If MIBOID is specified, then the configuration and result tables will be rooted + at this point in the OID tree, but are otherwise structured in exactly + the same way. This means that several separate \fIextend\fR
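Review bot: the debian/changelog hunk targets `buster-security` with `urgency=high`, yet the request is filed as a pu (proposed-update) with severity normal; a stable update going through the release team should use the `buster` distribution in the changelog entry, so please adjust that line unless the upload is in fact going via the security team.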
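Review bot: the `Description:` header of snmpd_cachetime_exectype lists only `-cacheTime` although the patch also adds `-execType` (the man page hunk documents both flags); add the second bullet so the DEP-3 metadata matches what the patch changes.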
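Review bot: in the `@@ -528` hunk of extend.c, `cache_timeout = atoi(cache_timeout_str)` accepts any string: a typo such as `-cacheTime 1O` yields 0 (later skipped by `if (cache_timeout != 0)`, so the entry silently keeps the default), and a negative value is stored unchanged. Suggest strtol with an end-pointer and range check plus a config_perror() on bad input so the operator sees the mistake at startup. The two `if` blocks also hard-code the option order: `-execType sh -cacheTime 10 test prog` would register an entry named `-cacheTime` with `10` as its program, and any `-execType` value other than `sh` is mapped to exec without a warning; a loop over leading `-` tokens that rejects unknown values would be safer, or the man page should state that the order is fixed.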
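Review bot: in the `@@ -572` hunk, `if (cache_timeout != 0) extension->cache->timeout = cache_timeout;` means `-cacheTime 0` cannot be expressed (it leaves the default), while the snmpd.conf.5 hunk says the argument is used as the cache timeout "in whole seconds" without mentioning that 0 is ignored; either document that 0 means the default or initialise `cache_timeout` to a sentinel such as -1 so a real 0 can be honoured if the cache code supports it.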

