Hi,

Thanks for the review. I think I addressed your comments.
I'm attaching the updated debdiff.

Regards.

On 31/5/26 at 13:03, Jonathan Wiltshire wrote:
Control: tag -1 moreinfo

Hi,

Please detail the actual changes in the changelog (preferably the patch header as well). A bare CVE ID is insufficient.

Thanks,
diff -Nru lwip-2.2.1+dfsg1/debian/changelog lwip-2.2.1+dfsg1/debian/changelog --- lwip-2.2.1+dfsg1/debian/changelog 2025-03-01 19:47:48.000000000 +0100 +++ lwip-2.2.1+dfsg1/debian/changelog 2026-05-29 15:18:47.000000000 +0200 @@ -1,3 +1,17 @@ +lwip (2.2.1+dfsg1-1+deb13u1) trixie; urgency=medium + + * Fix CVE-2026-8836: snmpv3: fix handling packets with invalid + msgAuthenticationParameters length + * A remote attacker can send a crafted msgAuthenticationParameters field + to overflow a stack buffer in snmp_parse_inbound_frame(). + * Re-enables the bounds check on msgAuthenticationParameters length in + snmp_parse_inbound_frame() and clamps the copy length to + SNMP_V3_MAX_AUTH_PARAM_LENGTH instead of using the attacker-controlled + TLV value length + * https://savannah.nongnu.org/bugs/?68194 + + -- Joan Lledó <[email protected]> Fri, 29 May 2026 15:18:47 +0200 + lwip (2.2.1+dfsg1-1) unstable; urgency=medium * New upstream release diff -Nru lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 --- lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 1970-01-01 01:00:00.000000000 +0100 +++ lwip-2.2.1+dfsg1/debian/patches/CVE_2026_8836 2026-05-29 15:18:47.000000000 +0200 
@@ -0,0 +1,28 @@ +Description: Fix CVE-2026-8836 +Forwarded: https://savannah.nongnu.org/bugs/?68194 +Author: 0rbitingZer0 <[email protected]> +Last-Update: 2026-05-26 + +--- + src/apps/snmp/snmp_msg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/apps/snmp/snmp_msg.c b/src/apps/snmp/snmp_msg.c +index f8c75bb7..156b36e3 100644 +--- a/src/apps/snmp/snmp_msg.c ++++ b/src/apps/snmp/snmp_msg.c +@@ -946,9 +946,9 @@ snmp_parse_inbound_frame(struct snmp_request *request) + inbound_msgAuthenticationParameters_offset = pbuf_stream.offset; + LWIP_UNUSED_ARG(inbound_msgAuthenticationParameters_offset); + /* Read auth parameters */ +- /* IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); */ ++ IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); + IF_PARSE_EXEC(snmp_asn1_dec_raw(&pbuf_stream, tlv.value_len, request->msg_authentication_parameters, +- &u16_value, tlv.value_len)); ++ &u16_value, SNMP_V3_MAX_AUTH_PARAM_LENGTH)); + request->msg_authentication_parameters_len = (u8_t)u16_value; + + /* msgPrivacyParameters */ +-- +cgit v1.2.3 + diff -Nru lwip-2.2.1+dfsg1/debian/patches/series lwip-2.2.1+dfsg1/debian/patches/series --- lwip-2.2.1+dfsg1/debian/patches/series 2025-02-08 12:32:42.000000000 +0100 +++ lwip-2.2.1+dfsg1/debian/patches/series 2026-05-29 15:18:47.000000000 +0200 @@ -2,3 +2,4 @@ empty_block_last max_sockets doxygen +CVE_2026_8836
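Review bot: The Description field in the header of debian/patches/CVE_2026_8836 is still only "Fix CVE-2026-8836", while the request was to detail the actual changes in the patch header as well as in the changelog. Suggest carrying the changelog wording over as the long description: the bounds check on the msgAuthenticationParameters length in snmp_parse_inbound_frame() is re-enabled and the buffer limit passed to the copy becomes SNMP_V3_MAX_AUTH_PARAM_LENGTH. The trailing "cgit v1.2.3" signature at the end of the patch file can be dropped as well.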
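Review bot: In the snmp_msg.c hunk, the last argument to snmp_asn1_dec_raw() is now the constant SNMP_V3_MAX_AUTH_PARAM_LENGTH, which is only a correct bound if request->msg_authentication_parameters is declared with at least that many bytes, and that declaration is not visible in this patch. If the member is an array, passing sizeof(request->msg_authentication_parameters) would tie the limit to the destination itself; otherwise the patch description should say where the buffer is sized. Also worth a line in the description: the (u8_t) cast of u16_value on the following line is lossless only while SNMP_V3_MAX_AUTH_PARAM_LENGTH fits in 8 bits, which the re-enabled IF_PARSE_ASSERT now makes the governing limit.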

