From: Armin Kuster <[email protected]> Source: net-snmp.org MR: 104509 Type: Security Fix Disposition: Backport from https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9 ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8 Description:
Fixes CVE-2019-20892 which affect net-snmp <= 5.8pre1 Had to fix up some file do to later code restructioning. "int refcnt;" addition was done in include/net-snmp/library/snmpusm.h Signed-off-by: Armin Kuster <[email protected]> --- .../net-snmp/net-snmp/CVE-2019-20892.patch | 118 ++++++++++++++++++ .../net-snmp/net-snmp_5.8.bb | 1 + 2 files changed, 119 insertions(+) create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch new file mode 100644 index 0000000000..3e2637eaa5 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch @@ -0,0 +1,118 @@ +From 5f881d3bf24599b90d67a45cae7a3eb099cd71c9 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche <[email protected]> +Date: Sat, 27 Jul 2019 19:34:09 -0700 +Subject: [PATCH] libsnmp, USM: Introduce a reference count in struct + usmStateReference + +This patch fixes https://sourceforge.net/p/net-snmp/bugs/2956/. + +Upstream-Status: Backport +[ak: fixup for 5.8 context, changes to library/snmpusm.h] +CVE:CVE-2019-20892 + +Signed-off-by: Armin Kuster <[email protected]> + +--- + snmplib/snmp_client.c | 22 +++---------- + snmplib/snmpusm.c | 73 ++++++++++++++++++++++++++++--------------- + 2 files changed, 53 insertions(+), 42 deletions(-) + +Index: net-snmp-5.8/snmplib/snmpusm.c +=================================================================== +--- net-snmp-5.8.orig/snmplib/snmpusm.c ++++ net-snmp-5.8/snmplib/snmpusm.c +@@ -285,12 +285,35 @@ free_enginetime_on_shutdown(int majorid, + struct usmStateReference * + usm_malloc_usmStateReference(void) + { +- struct usmStateReference *retval = (struct usmStateReference *) +- calloc(1, sizeof(struct usmStateReference)); ++ struct usmStateReference *retval; + ++ retval = calloc(1, sizeof(struct usmStateReference)); ++ if (retval) ++ retval->refcnt = 1; + return retval; + } /* end usm_malloc_usmStateReference() */ + ++static int ++usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu) ++{ ++ struct usmStateReference *ref = pdu->securityStateRef; ++ struct usmStateReference **new_ref = ++ (struct usmStateReference **)&new_pdu->securityStateRef; ++ int ret = 0; ++ ++ if (!ref) ++ return ret; ++ ++ if (pdu->command == SNMP_MSG_TRAP2) { ++ netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL); ++ ret = usm_clone_usmStateReference(ref, new_ref); ++ } else { ++ netsnmp_assert(ref == *new_ref); ++ ref->refcnt++; ++ } ++ ++ return ret; ++} + + void + usm_free_usmStateReference(void *old) +@@ -3345,6 +3368,7 @@ init_usm(void) + def->encode_reverse = usm_secmod_rgenerate_out_msg; + def->encode_forward = usm_secmod_generate_out_msg; + def->decode = usm_secmod_process_in_msg; ++ def->pdu_clone = usm_clone; + def->pdu_free_state_ref = usm_free_usmStateReference; + def->session_setup = usm_session_init; + def->handle_report = usm_handle_report; +Index: net-snmp-5.8/snmplib/snmp_client.c +=================================================================== +--- net-snmp-5.8.orig/snmplib/snmp_client.c ++++ net-snmp-5.8/snmplib/snmp_client.c +@@ -402,27 +402,15 @@ _clone_pdu_header(netsnmp_pdu *pdu) + return NULL; + } + +- if (pdu->securityStateRef && +- pdu->command == SNMP_MSG_TRAP2) { +- +- ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef, +- (struct usmStateReference **) &newpdu->securityStateRef ); +- +- if (ret) +- { ++ sptr = find_sec_mod(newpdu->securityModel); ++ if (sptr && sptr->pdu_clone) { ++ /* call security model if it needs to know about this */ ++ ret = sptr->pdu_clone(pdu, newpdu); ++ if (ret) { + snmp_free_pdu(newpdu); + return NULL; + } + } +- +- if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL && +- sptr->pdu_clone != NULL) { +- /* +- * call security model if it needs to know about this +- */ +- (*sptr->pdu_clone) (pdu, newpdu); +- } +- + return newpdu; + } + +Index: net-snmp-5.8/include/net-snmp/library/snmpusm.h +=================================================================== +--- net-snmp-5.8.orig/include/net-snmp/library/snmpusm.h ++++ net-snmp-5.8/include/net-snmp/library/snmpusm.h +@@ -43,6 +43,7 @@ extern "C" { + * Structures. + */ + struct usmStateReference { ++ int refcnt; + char *usr_name; + size_t usr_name_length; + u_char *usr_engine_id; diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb index 5466649a82..67316db0d2 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb @@ -28,6 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \ file://reproducibility-accept-configure-options-from-env.patch \ file://0001-net-snmp-fix-compile-error-disable-des.patch \ file://0001-Add-pkg-config-support-for-building-applications-and.patch \ + file://CVE-2019-20892.patch \ " SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a" SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf" -- 2.17.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#85403): https://lists.openembedded.org/g/openembedded-devel/message/85403 Mute This Topic: https://lists.openembedded.org/mt/75144272/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
