Bug#1016139: For Review: Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
On Wed, Aug 10, 2022 at 05:05:12PM +1000, Craig Small wrote:
> > Do you have capacity to prepare updates for bullseye?
> >
> Yes, see attached debdiff for review. It's just those two patches.

Looks good, thanks! Please upload to security-master.

Cheers,
Moritz
Bug#1016139: For Review: Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
On Sun, 7 Aug 2022 at 23:29, Salvatore Bonaccorso wrote:
> Did you get confirmation from upstream back if those are the only two
> needed ones?
>
I got no message at all. However, these are the only two that mention the people that found the bug and fixed it (two sets of people).

> Do you have capacity to prepare updates for bullseye?
>
Yes, see attached debdiff for review. It's just those two patches.

 - Craig

diff -Nru net-snmp-5.9+dfsg/debian/changelog net-snmp-5.9+dfsg/debian/changelog --- net-snmp-5.9+dfsg/debian/changelog 2020-09-25 09:10:00.0 +1000 +++ net-snmp-5.9+dfsg/debian/changelog 2022-08-10 16:16:59.0 +1000 @@ -1,3 +1,12 @@ +net-snmp (5.9+dfsg-4+deb11u1) bullseye-security; urgency=high + + * Backport upstream security patches from v5.9.3 Closes: #1016139 + * snmpd_fix_bounds_checking: CVE-2022-24805, CVE-2022-24809 + * snmpd_recover_set_status: CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, +CVE-2022-24810 + + -- Craig Small Wed, 10 Aug 2022 16:16:59 +1000 + net-snmp (5.9+dfsg-3) unstable; urgency=medium * Source only upload - no changes Closes: #970798 diff -Nru net-snmp-5.9+dfsg/debian/patches/series net-snmp-5.9+dfsg/debian/patches/series --- net-snmp-5.9+dfsg/debian/patches/series 2020-09-25 09:10:00.0 +1000 +++ net-snmp-5.9+dfsg/debian/patches/series 2022-08-10 16:16:59.0 +1000 @@ -37,3 +37,5 @@ Link-libnetsnmptrapd-against-MYSQL_LIBS.patch pkgconfig_install_mode perl_makefile_man3pods +snmpd_fix_bounds_checking +snmpd_recover_set_status diff -Nru net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking --- net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking 1970-01-01 10:00:00.0 +1000 +++ net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking 2022-08-10 16:16:59.0 +1000 
@@ -0,0 +1,123 @@ +Description: snmpd: fix bounds checking in MIBS + Fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB, + SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB + + Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE + Fixes by: Arista Networks + + References: CVE-2022-24805, CVE-2022-24809 +Author: Bill Fenner +Origin: upstream, https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937` +Bug-Debian: https://bugs.debian.org/1016139 +Reviewed-by: Craig Small +Last-Update: 2022-08-10 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c +@@ -147,6 +147,8 @@ + continue; + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info =netsnmp_extract_table_info(request); ++if (!table_info || !table_info->indexes) ++continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +@@ -201,6 +203,8 @@ + } + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++if (!table_info || !table_info->indexes) ++continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +@@ -394,6 +398,8 @@ + continue; + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++if (!table_info || !table_info->indexes) ++continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +--- a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c +@@ -170,9 +170,13 @@ + entry = (struct vacm_accessEntry *) + netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++if (!table_info || !table_info->indexes) ++continue; + + /* Extract the authType token from the list of indexes */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++if (idx->val_len >= sizeof(atype)) ++continue; + 
memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +@@ -212,6 +216,8 @@ + entry = (struct vacm_accessEntry *) + netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++if (!table_info || !table_info->indexes) ++continue; + ret = SNMP_ERR_NOERROR; + + switch (table_info->colnum) { +@@ -247,6 +253,8 @@ + * Extract the authType token from the list of indexes + */ +
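Review bot: the Origin field of the snmpd_fix_bounds_checking DEP-3 header ends with a stray backtick after the commit hash (`...67ebb43e9038b2dae6e74ae8838b36fcc10fc937``); drop it so the URL in the header is usable as written and matches the commit cited in the thread.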
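Review bot: in the nsVacmAccessTable.c hunk at @@ -170 the new `if (idx->val_len >= sizeof(atype)) continue;` is right to use `>=` rather than `>`: the following `memset(atype, 0, sizeof(atype))` and `memcpy(atype, ..., idx->val_len)` only leave a NUL terminator for `se_find_value_in_slist` if at least one byte of `atype` stays untouched, so a `>` check would allow an unterminated buffer. One remaining observation on the same hunk: `idx` is reached through four `->next_variable` hops that are not individually NULL-checked, and the new `!table_info->indexes` guard covers only the head of the index list; this mirrors the upstream commit named in the Origin field, so it is noted rather than blocking.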
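Review bot: the three nsLogging.c hunks (@@ -147, @@ -201, @@ -394) and the nsVacmAccessTable.c hunk at @@ -212 all skip the request with a bare `continue` when `table_info` or `table_info->indexes` is NULL, without setting an error status on the request, so a malformed varbind is silently ignored rather than answered with an error. That is the upstream behaviour being backported and is acceptable for a security update; a one-line mention in the patch Description that malformed index requests are now dropped silently would help the next person reading the series.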
Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
Hi Craig,

On Fri, Jul 29, 2022 at 04:36:56PM +0200, Moritz Mühlenhoff wrote:
> On Thu, Jul 28, 2022 at 09:25:44PM +1000, Craig Small wrote:
> > I said:
> >
> > > I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> > > changelog.
> > > I'm trying to find where they've made the changes to see if it is possible
> > > to get at least bullseye fixed.
> > >
> > I've had a look and believe these two commits are the fixes:
> >
> > snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
> > SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
> > https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937
> >
> > snmpd: recover SET status from delegated request
> > https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341
> >
> > Both sets of commits look pretty clear and simple to implement. I've asked
> > upstream to confirm these are the only two patches.

Did you get confirmation from upstream back if those are the only two
needed ones?

Do you have capacity to prepare updates for bullseye?

Regards,
Salvatore
Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
On Thu, Jul 28, 2022 at 09:25:44PM +1000, Craig Small wrote:
> I said:
>
> > I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> > changelog.
> > I'm trying to find where they've made the changes to see if it is possible
> > to get at least bullseye fixed.
> >
> I've had a look and believe these two commits are the fixes:
>
> snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
> SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
> https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937
>
> snmpd: recover SET status from delegated request
> https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341
>
> Both sets of commits look pretty clear and simple to implement. I've asked
> upstream to confirm these are the only two patches.

Ack, thanks!

Cheers,
Moritz
Bug#1016139: (net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805)
I said:

> I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> changelog.
> I'm trying to find where they've made the changes to see if it is possible
> to get at least bullseye fixed.
>
I've had a look and believe these two commits are the fixes:

snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937

snmpd: recover SET status from delegated request
https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341

Both sets of commits look pretty clear and simple to implement. I've asked
upstream to confirm these are the only two patches.

 - Craig
Bug#1016139: net-snmp: CVE-2022-24810 CVE-2022-24809 CVE-2022-24808 CVE-2022-24807 CVE-2022-24806 CVE-2022-24805
Source: net-snmp
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for net-snmp.

5.9.3 fixes the following issues:

- These two CVEs can be exploited by a user with read-only credentials:
  - CVE-2022-24805 A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
  - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
  - CVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously
  - CVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
  - CVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
  - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them. If you must use SNMPv1 or SNMPv2c, use a complex community string and enhance the protection by restricting access to a given IP address range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for reporting the following CVEs that have been fixed in this release, and to Arista Networks for providing fixes.

Please adjust the affected versions in the BTS as needed.
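An snmpd.conf fragment that puts the mitigation advice above into practice, added here as an example and not part of the bug report or the Debian package: the weak default-style settings are shown commented out beside a restricted SNMPv2c community and an SNMPv3 authPriv user. The listen address, management subnet, community string and passphrases are placeholders.

```conf
# Added example, not from the bug report or the net-snmp package.
# Weak configuration (kept commented out): well-known community strings,
# reachable from any source address, exposing the whole MIB tree.
#rocommunity public
#rwcommunity private

# Listen only where management traffic actually arrives (addresses are placeholders).
agentAddress udp:127.0.0.1:161,udp:10.0.0.5:161

# A restricted view: system and host-resources subtrees only.
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1

# If SNMPv2c is unavoidable: long random community string, limited to the
# management subnet (placeholder) and to the restricted view; no rwcommunity at all.
rocommunity REPLACE_WITH_LONG_RANDOM_STRING 10.0.0.0/24 -V systemonly

# Preferred: SNMPv3 with authentication and privacy (passphrases are placeholders).
# createUser is usually kept in the persistent config (/var/lib/snmp/snmpd.conf on
# Debian) so snmpd can rewrite the cleartext passphrases into localized keys.
createUser monitor SHA "REPLACE_AUTH_PASSPHRASE" AES "REPLACE_PRIV_PASSPHRASE"
rouser monitor priv -V systemonly
```

This only narrows who can reach the agent; the two read-only CVEs remain reachable by anyone holding the restricted credentials, so the patched package is the actual fix.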