Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package net-snmp for openSUSE:Factory
checked in at 2023-01-07 17:16:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/net-snmp (Old)
and /work/SRC/openSUSE:Factory/.net-snmp.new.1563 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "net-snmp"
Sat Jan 7 17:16:23 2023 rev:107 rq:1056420 version:5.9.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/net-snmp/net-snmp.changes 2022-10-10
18:44:29.142858733 +0200
+++ /work/SRC/openSUSE:Factory/.net-snmp.new.1563/net-snmp.changes
2023-01-07 17:16:54.761153092 +0100
@@ -1,0 +2,11 @@
+Thu Jan 5 11:49:22 UTC 2023 - Alexander Bergmann <abergm...@suse.com>
+
+- Fixed NULL pointer exception issue when handling ipDefaultTTL or
+ pv6IpForwarding (bsc#1205148, CVE-2022-44793, bsc#1205150, CVE-2022-44792).
+ add:
+ * net-snmp-5.9.3-disallow_SET_requests_with_NULL_varbind.patch
+- Enable AES-192 and AES-256 privacy protocol (bsc#1206828).
+- Use new MFD rewrites of mib modules, where available.
+- Disable legacy DES encryption and MD5 authentication protocols.
+
+-------------------------------------------------------------------
New:
----
net-snmp-5.9.3-disallow_SET_requests_with_NULL_varbind.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ net-snmp.spec ++++++
--- /var/tmp/diff_new_pack.uv1mrz/_old 2023-01-07 17:16:55.573157936 +0100
+++ /var/tmp/diff_new_pack.uv1mrz/_new 2023-01-07 17:16:55.581157984 +0100
@@ -1,7 +1,7 @@
#
# spec file for package net-snmp
#
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -65,6 +65,7 @@
Patch15: net-snmp-5.9.1-subagent-set-response.patch
Patch16: net-snmp-5.9.3-fixed-python2-bindings.patch
Patch17: net-snmp-5.9.3-grep.patch
+Patch18: net-snmp-5.9.3-disallow_SET_requests_with_NULL_varbind.patch
BuildRequires: %{python_module devel}
BuildRequires: %{python_module setuptools}
BuildRequires: autoconf
@@ -264,6 +265,8 @@
--with-libwrap="%{_prefix}" \
--with-perl-modules="INSTALLDIRS=vendor" \
--with-defaults \
+ --with-pic \
+ --sysconfdir=%{_sysconfdir} \
--enable-shared \
--disable-static \
--enable-as-needed \
@@ -271,9 +274,14 @@
--enable-local-smux \
--enable-ipv6 \
--enable-ucd-snmp-compatibility \
+ --enable-mfd-rewrites \
--with-security-modules=tsm,usm \
--with-transports=TLSTCP,DTLSUDP \
- --with-systemd
+ --with-systemd \
+ --with-openssl \
+ --enable-blumenthal-aes \
+ --disable-des \
+ --disable-md5
# Parallel build deps not properly stated
%make_build -j1
++++++ net-snmp-5.9.3-disallow_SET_requests_with_NULL_varbind.patch ++++++
diff -Nurp net-snmp-5.9.3-orig/agent/snmp_agent.c
net-snmp-5.9.3/agent/snmp_agent.c
--- net-snmp-5.9.3-orig/agent/snmp_agent.c 2022-07-13 23:14:14.000000000
+0200
+++ net-snmp-5.9.3/agent/snmp_agent.c 2023-01-05 12:44:03.533604744 +0100
@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_ses
return 1;
}
+static int
+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
+{
+ int i;
+ netsnmp_variable_list *v = NULL;
+
+ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable)
{
+ if (v->type == ASN_NULL) {
+ /*
+ * Protect SET implementations that do not protect themselves
+ * against wrong type.
+ */
+ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for
varbind %d\n", i));
+ asp->index = i;
+ return SNMP_ERR_WRONGTYPE;
+ }
+ }
+ return SNMP_ERR_NOERROR;
+}
+
int
handle_pdu(netsnmp_agent_session *asp)
{
int status, inclusives = 0;
netsnmp_variable_list *v = NULL;
+#ifndef NETSNMP_NO_WRITE_SUPPORT
+ /*
+ * Check for ASN_NULL in SET request
+ */
+ if (asp->pdu->command == SNMP_MSG_SET) {
+ status = check_set_pdu_for_null_varbind(asp);
+ if (status != SNMP_ERR_NOERROR) {
+ return status;
+ }
+ }
+#endif /* NETSNMP_NO_WRITE_SUPPORT */
+
/*
* for illegal requests, mark all nodes as ASN_NULL
*/
diff -Nurp net-snmp-5.9.3-orig/apps/snmpset.c net-snmp-5.9.3/apps/snmpset.c
--- net-snmp-5.9.3-orig/apps/snmpset.c 2022-07-13 23:14:14.000000000 +0200
+++ net-snmp-5.9.3/apps/snmpset.c 2023-01-05 12:44:06.377533268 +0100
@@ -182,6 +182,7 @@ main(int argc, char *argv[])
case 'x':
case 'd':
case 'b':
+ case 'n': /* undocumented */
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
case 'I':
case 'U':
diff -Nurp
net-snmp-5.9.3-orig/testing/fulltests/default/T0142snmpv2csetnull_simple
net-snmp-5.9.3/testing/fulltests/default/T0142snmpv2csetnull_simple
--- net-snmp-5.9.3-orig/testing/fulltests/default/T0142snmpv2csetnull_simple
1970-01-01 01:00:00.000000000 +0100
+++ net-snmp-5.9.3/testing/fulltests/default/T0142snmpv2csetnull_simple
2023-01-05 12:44:08.701474860 +0100
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+. ../support/simple_eval_tools.sh
+
+HEADER SNMPv2c set of system.sysContact.0 with NULL varbind
+
+SKIPIF NETSNMP_DISABLE_SET_SUPPORT
+SKIPIF NETSNMP_NO_WRITE_SUPPORT
+SKIPIF NETSNMP_DISABLE_SNMPV2C
+SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE
+
+#
+# Begin test
+#
+
+# standard V2C configuration: testcomunnity
+snmp_write_access='all'
+. ./Sv2cconfig
+STARTAGENT
+
+CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c
$SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
+
+CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
+
+CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c
$SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
+
+CHECK "Reason: wrongType"
+
+STOPAGENT
+
+FINISHED
