[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
This bug was fixed in the package net-snmp - 5.9+dfsg-3ubuntu1.21.04.1 --- net-snmp (5.9+dfsg-3ubuntu1.21.04.1) hirsute; urgency=medium * Fix segmentation fault when certificate contains extension longer than 512 bytes (LP: #1912389) - d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch: Skip certificate if loading fails. - d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch: Make sure enough space is allocated for extensions longer than 512 bytes. -- Sergio Durigan Junior Tue, 25 May 2021 19:09:11 -0400 ** Changed in: net-snmp (Ubuntu Hirsute) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Performing the verification for Hirsute:
First, reproducing the bug with the version currently available:
# apt policy snmpd
snmpd:
Installed: 5.9+dfsg-3ubuntu1
Candidate: 5.9+dfsg-3ubuntu1
Version table:
*** 5.9+dfsg-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
100 /var/lib/dpkg/status
# snmpd -DALL
...
9:cert:dump: 5: authorityKeyIdentifier =
keyid:AC:D0:13:2A:98:58:02:02:D2:BA:E9:8A:0B:F3:5A:B8:BD:6C:BB:64
not enough space or error in allocation for extenstion
Segmentation fault (core dumped)
Now, updating the package to the version available in -proposed and making sure
that the bug is fixed:
# apt policy snmpd
snmpd:
Installed: 5.9+dfsg-3ubuntu1.21.04.1
Candidate: 5.9+dfsg-3ubuntu1.21.04.1
Version table:
*** 5.9+dfsg-3ubuntu1.21.04.1 500
500 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64
Packages
100 /var/lib/dpkg/status
5.9+dfsg-3ubuntu1 500
500 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
# snmpd -DALL
trace: netsnmp_getaddrinfo(): system.c, 851:
dns:getaddrinfo: looking up "127.0.0.1" with hint ({ ... })
trace: netsnmp_sockaddr_in6_3(): transports/snmpIPv6BaseDomain.c, 314:
netsnmp_sockaddr_in6: failed to parse 127.0.0.1
Error opening specified endpoint "127.0.0.1"
Server Exiting with code 1
#
As can be seen, the segmentation fault doesn't happen anymore. Therefore, the
bug has been fixed and the verification is complete.
** Tags removed: verification-needed verification-needed-hirsute
** Tags added: verification-done-hirsute
** Description changed:
[ Impact ]
Users can experience a segmentation fault on snmpd (part of net-snmp)
when using a certificate that contains an extension longer than 512
bytes and debug output (-D) is enabled. Although this only happens when
debugging, it seems to be pretty common to find certificates whose
extensions are larger than 512 bytes.
[ Test Case ]
Below you can find a step-by-step procedure to reproduce the bug. Bear
in mind that the "sed" command may be mangled due to Launchpad's text
renderization.
$ lxc launch images:ubuntu/hirsute net-snmp-bug1912389
$ lxc shell net-snmp-bug1912389
- # apt update && apt install net-snmp -y
+ # apt update && apt install snmpd -y
# sed -i "s@^#\s*nsCertType.*@nsCertType = client,email,objsign@;
s@^#\s*nsCaRevocationUrl.*@nsCaRevocationUrl = http://www.myverylongurl$(printf
'%*s' 512 | tr ' ' 'a').com/ca-crl.pem@;
s@^#\s*extendedKeyUsage.*@extendedKeyUsage =
critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection@;
s@^#\s*keyUsage.*@keyUsage = nonRepudiation,digitalSignature,keyEncipherment@"
/etc/ssl/openssl.cnf
# openssl req -x509 -out localhost.crt -keyout localhost.key-newkey
rsa:2048 -nodes -sha256 -extensions usr_cert -subj '/CN=localhost' -config
/etc/ssl/openssl.cnf
# mkdir -p $HOME/.snmp/tls/certs
# cp localhost.crt $HOME/.snmp/tls/certs
# systemctl stop snmpd.service
# snmpd -DALL
...
not enough space or error in allocation for extenstion
Segmentation fault (core dumped)
#
[ Where problems could occur ]
The backported patches are very straightforward and only impact code
that is run when debug (-D) is active. There is not much room for
regression here, especially considering that this is a very recent
version of the package that will very likely not be affected by newer
rebuilds.
[ Original Description ]
When net-snmp is given a certificate with an extension that is longer
than 512 characters, snmp crashes on startup.
Steps to Reproduce:
1. Configure net-snmp using an EV certificate from a CA (in this case
Globalsign).
2. Start snmpd.
3.
Actual results:
[root@localhost tls]# systemctl status snmpd.service
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor
preset: disabled)
Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST;
16min ago
Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped,
signal=SEGV)
Main PID: 53269 (code=dumped, signal=SEGV)
Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management
Protocol (SNMP) Daemon
Dec 16 21:21:58 localhost snmpd[53269]: refusing to read world readable or
writable key /etc/snmp/tls/certs/snmpd.crt
Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in
allocation for extenstion
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited,
code=dumped, status=11/SEGV
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result
'core-dump'.
Dec 16 21:21:59 localhost systemd[1]: Failed to start Simple Network
Management Protocol (SNMP) Daemon..
Expected results:
Deamon starts without a crash.
Additional info:
Fix available here:
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** No longer affects: net-snmp (Ubuntu Focal) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Hello Graham, or anyone else affected, Accepted net-snmp into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/net-snmp/5.9+dfsg- 3ubuntu1.21.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: net-snmp (Ubuntu Hirsute) Status: Triaged => Fix Committed ** Tags added: verification-needed verification-needed-hirsute -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
This bug was fixed in the package net-snmp - 5.9+dfsg-3ubuntu2 --- net-snmp (5.9+dfsg-3ubuntu2) impish; urgency=medium * Fix segmentation fault when certificate contains extension longer than 512 bytes (LP: #1912389) - d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch: Skip certificate if loading fails. - d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch: Make sure enough space is allocated for extensions longer than 512 bytes. -- Sergio Durigan Junior Tue, 25 May 2021 19:03:31 -0400 ** Changed in: net-snmp (Ubuntu Impish) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Still waiting on the SRU team to address this. I will ping them today. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Same bug at RHEL is here: https://bugzilla.redhat.com/show_bug.cgi?id=1908718 ** Bug watch added: Red Hat Bugzilla #1908718 https://bugzilla.redhat.com/show_bug.cgi?id=1908718 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** Merge proposal linked: https://code.launchpad.net/~sergiodj/ubuntu/+source/net-snmp/+git/net-snmp/+merge/403298 ** Merge proposal linked: https://code.launchpad.net/~sergiodj/ubuntu/+source/net-snmp/+git/net-snmp/+merge/403299 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** Description changed: + [ Impact ] + + Users can experience a segmentation fault on snmpd (part of net-snmp) + when using a certificate that contains an extension longer than 512 + bytes and debug output (-D) is enabled. Although this only happens when + debugging, it seems to be pretty common to find certificates whose + extensions are larger than 512 bytes. + + [ Test Case ] + + Below you can find a step-by-step procedure to reproduce the bug. Bear + in mind that the "sed" command may be mangled due to Launchpad's text + renderization. + + $ lxc launch images:ubuntu/hirsute net-snmp-bug1912389 + $ lxc shell net-snmp-bug1912389 + # apt update && apt install net-snmp -y + # sed -i "s@^#\s*nsCertType.*@nsCertType = client,email,objsign@; s@^#\s*nsCaRevocationUrl.*@nsCaRevocationUrl = http://www.myverylongurl$(printf '%*s' 512 | tr ' ' 'a').com/ca-crl.pem@; s@^#\s*extendedKeyUsage.*@extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection@; s@^#\s*keyUsage.*@keyUsage = nonRepudiation,digitalSignature,keyEncipherment@" /etc/ssl/openssl.cnf + # openssl req -x509 -out localhost.crt -keyout localhost.key-newkey rsa:2048 -nodes -sha256 -extensions usr_cert -subj '/CN=localhost' -config /etc/ssl/openssl.cnf + # mkdir -p $HOME/.snmp/tls/certs + # cp localhost.crt $HOME/.snmp/tls/certs + # systemctl stop snmpd.service + # snmpd -DALL + ... + not enough space or error in allocation for extenstion + Segmentation fault (core dumped) + # + + [ Where problems could occur ] + + The backported patches are very straightforward and only impact code + that is run when debug (-D) is active. There is not much room for + regression here, especially considering that this is a very recent + version of the package that will very likely not be affected by newer + rebuilds. + + [ Original Description ] + When net-snmp is given a certificate with an extension that is longer than 512 characters, snmp crashes on startup. Steps to Reproduce: 1. Configure net-snmp using an EV certificate from a CA (in this case Globalsign). 2. Start snmpd. 3. Actual results: [root@localhost tls]# systemctl status snmpd.service ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon. -Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled) -Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 16min ago - Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped, signal=SEGV) - Main PID: 53269 (code=dumped, signal=SEGV) + Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled) + Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 16min ago + Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped, signal=SEGV) + Main PID: 53269 (code=dumped, signal=SEGV) Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon Dec 16 21:21:58 localhost snmpd[53269]: refusing to read world readable or writable key /etc/snmp/tls/certs/snmpd.crt Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in allocation for extenstion Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited, code=dumped, status=11/SEGV Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result 'core-dump'. Dec 16 21:21:59 localhost systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon.. Expected results: Deamon starts without a crash. Additional info: Fix available here: https://github.com/net-snmp/net-snmp/pull/234 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
OK, finally I was able to trigger the bug locally using a self-signed cert. I am going to start writing the SRU template for it. Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Thanks, Graham. This issue impacts Hirsute and Impish. For Impish, the best course of action here would be to wait for Debian to pick up this fix, which would then mean that Ubuntu would automatically pick it up as well. Given that Debian is in freeze right now, I don't know if the net-snmp maintainers there are planning to work on it anytime soon. For Hirsute, we'd need to go through the SRU process. The first step here would be to come up with a reliable set of steps to reproduce this issue, which I haven't been able to do so far (I confess I haven't had the time to test your Let's Encrypt suggestion, though). I will see if I can reproduce it locally and then start the SRU process. If you already have a detailed set of steps to reproduce the bug, please let me know. Thanks. ** Also affects: net-snmp (Ubuntu Impish) Importance: Medium Assignee: Sergio Durigan Junior (sergiodj) Status: Triaged ** Also affects: net-snmp (Ubuntu Hirsute) Importance: Undecided Status: New ** Changed in: net-snmp (Ubuntu Hirsute) Assignee: (unassigned) => Sergio Durigan Junior (sergiodj) ** Changed in: net-snmp (Ubuntu Hirsute) Status: New => Triaged ** Changed in: net-snmp (Ubuntu Hirsute) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** Changed in: net-snmp (Ubuntu) Assignee: (unassigned) => Sergio Durigan Junior (sergiodj) ** Changed in: net-snmp (Ubuntu) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Thanks for the heads-up Graham. Our team will be taking a look at it. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Quick ping on this one. Latest net-snmp with this fixed is https://github.com/net-snmp/net- snmp/releases/tag/v5.9.1.rc1. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
In theory, any Let's Encrypt certificate should cause this crash. The serialised certificate transparency of the certificate at redwax.eu is 1577 bytes, three times higher than the 512 byte limit that triggers the crash. CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1(0) Log ID: 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10: 37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA Timestamp : Jan 11 03:13:53.345 2021 GMT Extensions: none Signature : ecdsa-with-SHA256 30:46:02:21:00:E3:F3:7C:A3:71:D1:57:DD:76:1E:01: AA:61:7D:E2:39:6B:0F:2B:93:B3:3A:B2:90:8F:EE:D5: 04:92:12:BD:8B:02:21:00:D0:8C:15:42:F5:E7:6C:D0: FC:B4:25:E2:57:5E:C1:EB:F8:7A:4A:06:5B:AD:4C:6E: B0:25:96:45:DF:A9:97:41 Signed Certificate Timestamp: Version : v1(0) Log ID: F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E: E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3 Timestamp : Jan 11 03:13:53.322 2021 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:3E:CC:F8:39:7E:27:5F:20:D7:77:DC:75: 9D:D2:F2:C8:09:F4:86:1C:26:FF:76:DF:21:A0:BD:90: 8A:26:FA:59:02:20:75:69:90:93:B2:F4:76:BC:1A:D3: 63:B7:1C:D0:72:56:13:97:7D:37:B3:8B:E2:6E:8C:71: 1A:72:4D:7E:86:F4 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Hi Paride, Thanks for further investigating. I assumed that the crash was indeed reproducible by hacking the package, but I think it's important to get a reproducer that doesn't involve rebuilding anything if we're thinking about an SRU (for Groovy, for example). In any case, I think it's possible to proceed with the upstream fix. I'll see if I have time later to look into this. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** Changed in: netsnmp Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Hi Sergio, I did manage to reproduce the crash by lowering SNMP_MAXBUF_SMALL and rebuilding the package, as Graham suggested. I couldn't generate a certificate crashing snmpd with the default value of 512, but most likely I didn't manage to add a very long extension to the certs I generated. In my previous comment I mentioned Focal. I think this is an Invalid bug in Focal, as Focal's snmp doesn't support TLS at all, see LP: 1880724. I'm going to change this bug tasks according to this. Paride ** Also affects: net-snmp (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: net-snmp (Ubuntu Focal) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** Changed in: netsnmp Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index e0e6615f0..dd202f440 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -499,6 +499,8 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
extension_name = OBJ_nid2sn(nid);
buf_len = sizeof(buf);
str = _cert_get_extension_str_at(ocert, i, _ptr, _len, 0);
+if (!str)
+continue;
lf = strchr(str, '\n'); /* look for multiline strings */
if (NULL != lf)
*lf = '\0'; /* only log first line of multiline here */
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index 01d72afb2..e0e6615f0 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -300,7 +300,7 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int
*len, int flags)
if (!buf_ptr) {
snmp_log(LOG_ERR,
- "not enough space or error in allocation for extenstion\n");
+ "not enough space or error in allocation for extension\n");
BIO_vfree(bio);
return NULL;
}
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index dd202f440..7d6db6ae6 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -290,8 +290,11 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int
*len, int flags)
space = BIO_get_mem_data(bio, );
if (buf && *buf) {
-if (*len < space)
-buf_ptr = NULL;
+if (*len < space + 1) {
+snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
+BIO_vfree(bio);
+return NULL;
+}
else
buf_ptr = *buf;
}
@@ -299,8 +302,7 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int
*len, int flags)
buf_ptr = calloc(1,space + 1);
if (!buf_ptr) {
-snmp_log(LOG_ERR,
- "not enough space or error in allocation for extension\n");
+snmp_log(LOG_ERR, "error in allocation for extension\n");
BIO_vfree(bio);
return NULL;
}
@@ -479,7 +481,7 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
{
X509_EXTENSION *extension;
const char *extension_name;
-char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
+char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
int i, num_extensions, buf_len, nid;
if (NULL == ocert)
@@ -499,8 +501,11 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
extension_name = OBJ_nid2sn(nid);
buf_len = sizeof(buf);
str = _cert_get_extension_str_at(ocert, i, _ptr, _len, 0);
-if (!str)
+if (!str) {
+DEBUGMSGT(("9:cert:dump", "%2d: %s\n", i,
+extension_name));
continue;
+}
lf = strchr(str, '\n'); /* look for multiline strings */
if (NULL != lf)
*lf = '\0'; /* only log first line of multiline here */
diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
index 7d6db6ae6..c092a007a 100644
--- a/snmplib/snmp_openssl.c
+++ b/snmplib/snmp_openssl.c
@@ -284,33 +284,30 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf,
int *len, int flags)
}
if (X509V3_EXT_print(bio, oext, 0, 0) != 1) {
snmp_log(LOG_ERR, "could not print extension!\n");
-BIO_vfree(bio);
-return NULL;
+goto out;
}
space = BIO_get_mem_data(bio, );
if (buf && *buf) {
if (*len < space + 1) {
snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
-BIO_vfree(bio);
-return NULL;
+goto out;
}
-else
-buf_ptr = *buf;
+buf_ptr = *buf;
+} else {
+buf_ptr = calloc(1, space + 1);
}
-else
-buf_ptr = calloc(1,space + 1);
if (!buf_ptr) {
snmp_log(LOG_ERR, "error in allocation for extension\n");
-BIO_vfree(bio);
-return NULL;
+goto out;
}
memcpy(buf_ptr, data, space);
buf_ptr[space] = 0;
if (len)
*len = space;
+out:
BIO_vfree(bio);
return buf_ptr;
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912389
Title:
[Patch] SIGSEGV: crash when certificate contains extension longer
than 512 bytes
To manage notifications about this bug go to:
https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Thanks, Paride. I had also found the same bug yesterday, but I decided not to mark the bug as Triaged because I still cannot reproduce it. As noted previously, I would like to be able to reproduce the issue before moving forward. This will prove useful if we have to SRU the patch. I still could not successfully generate a TLS cert with an extension bigger than 512 bytes, but I haven't tried again after Graham's last comment. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
I found the upstream bug for this issue: https://github.com/net-snmp/net-snmp/issues/233 The fix landed in the upstream master and V5-9-patches branches [1], but the issue is still open lacking verification. The patch doesn't apply cleanly on version 5.8, the version currently in Focal, Groovy and Hirsute, so this is not a SRU "patch on a plate" scenario, at least not for the moment. For Hirsute: I had a look at the past upstream release history and I think it's unlikely that we'll get 5.9.1 released in time. However we do have a patch ready for the version in Hirsute, so this should be an easy fix. Before proceeding I'd wait for the upstream issue to be closed as fixed, confirming that the patch works as expected. I poked the issue on GitHub. [1] https://github.com/net-snmp/net- snmp/commit/bb30f8ee0075750fd3648a6bf3fab543f46152ed ** Changed in: net-snmp (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
** Bug watch added: github.com/net-snmp/net-snmp/issues #233 https://github.com/net-snmp/net-snmp/issues/233 ** Also affects: netsnmp via https://github.com/net-snmp/net-snmp/issues/233 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/netsnmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Launchpad always seems to get the package wrong, it's odd. To make net-snmp crash: - Turn debugging on (the crashing happens when dumping the certificate as part of debug logging). - Include a cert with an extension that, when printed, is longer than 512 bytes. - The cert I was using is an EV certificate issued by Globalsign, the certificate transparency section is really large. I think (need to check) that nsComment isn't technically an extension, and so won't be printed by net-snmp's certificate dump code. Another way to force the bug is reduce SNMP_MAXBUF_SMALL to something tiny, like 1 byte. It will crash on any extension. https://github.com/net-snmp/net- snmp/blob/V5-7-patches/snmplib/snmp_openssl.c#L482 This is the crash in an old branch that is unpatched: https://github.com/net-snmp/net- snmp/blob/V5-7-patches/snmplib/snmp_openssl.c#L502 If the extension is too long, the _cert_get_extension_str_at() function returns NULL. This NULL is fed into strchr(), and boom. The fix is in two parts - first, use a proper sized buffer that an extension can fit in, and if that's not enough, check str for NULL before trying to strchr() on it. There were two attempts at a fix, one to stop the crash, and the second to fix the buffer length and stop the crash while also printing the name of the extension (but not value). Could potentially be confusing. Two fixes were developed at the same time. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1912389] Re: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Thanks for the bug report. This should have been opened against net-snmp, and not nagios-plugins, right? I'm reassigning it to the proper package. It seems to me that it's a valid bug, but it would be great to have a more detailed reproducer. I tried editing /etc/ssl/openssl.cnf and extend the "usr_cert" extension's "nsComment" field to a string that is really long. Then, I generated a self-signed x509 certificate using the "usr_cert" extension: # openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -extensions usr_cert Then I edited /etc/snmp/snmpd.conf and included a "localCert" parameter there: [snmp] localCert /usr/local/share/ca-certificates/cert.crt Finally, restarting the snmpd.service doesn't seem to trigger the bug. I wonder what I'm doing wrong here... Pointers and advices are appreciated. Thanks. ** Package changed: nagios-plugins (Ubuntu) => net-snmp (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912389 Title: [Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1912389/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
