On Sun, 7 Aug 2022 at 23:29, Salvatore Bonaccorso <car...@debian.org> wrote:
> Did you got confirmation from upstream back if those are the only two > needed ones? > I got no message at all. However, these are the only two that mention the people that found the bug and fixed it (two sets of people). > Do you have capacity to prepare updates for bullseye? > Yes, see attached debdiff for review. It's just those two patches. - Craig
diff -Nru net-snmp-5.9+dfsg/debian/changelog net-snmp-5.9+dfsg/debian/changelog
--- net-snmp-5.9+dfsg/debian/changelog 2020-09-25 09:10:00.000000000 +1000
+++ net-snmp-5.9+dfsg/debian/changelog 2022-08-10 16:16:59.000000000 +1000
@@ -1,3 +1,12 @@
+net-snmp (5.9+dfsg-4+deb11u1) bullseye-security; urgency=high
+
+ * Backport upstream security patches from v5.9.3 Closes: #1016139
+ * snmpd_fix_bounds_checking: CVE-2022-24805, CVE-2022-24809
+ * snmpd_recover_set_status: CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
+ CVE-2022-24810
+
+ -- Craig Small <csm...@debian.org> Wed, 10 Aug 2022 16:16:59 +1000
+
 net-snmp (5.9+dfsg-3) unstable; urgency=medium
 
 * Source only upload - no changes Closes: #970798
diff -Nru net-snmp-5.9+dfsg/debian/patches/series net-snmp-5.9+dfsg/debian/patches/series
--- net-snmp-5.9+dfsg/debian/patches/series 2020-09-25 09:10:00.000000000 +1000
+++ net-snmp-5.9+dfsg/debian/patches/series 2022-08-10 16:16:59.000000000 +1000
@@ -37,3 +37,5 @@
 Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
 pkgconfig_install_mode
 perl_makefile_man3pods
+snmpd_fix_bounds_checking
+snmpd_recover_set_status
diff -Nru net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking
--- net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking 1970-01-01 10:00:00.000000000 +1000
+++ net-snmp-5.9+dfsg/debian/patches/snmpd_fix_bounds_checking 2022-08-10 16:16:59.000000000 +1000
@@ -0,0 +1,123 @@
+Description: snmpd: fix bounds checking in MIBS
+ Fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB,
+ SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
+
+ Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+ Fixes by: Arista Networks
+
+ References: CVE-2022-24805, CVE-2022-24809
+Author: Bill Fenner <fen...@gmail.com>
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937`
+Bug-Debian: https://bugs.debian.org/1016139
+Reviewed-by: Craig Small <csm...@debian.org>
+Last-Update: 2022-08-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/agent/mibgroup/agent/nsLogging.c
++++ b/agent/mibgroup/agent/nsLogging.c
+@@ -147,6 +147,8 @@
+ continue;
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+@@ -201,6 +203,8 @@
+ }
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+@@ -394,6 +398,8 @@
+ continue;
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+--- a/agent/mibgroup/agent/nsVacmAccessTable.c
++++ b/agent/mibgroup/agent/nsVacmAccessTable.c
+@@ -170,9 +170,13 @@
+ entry = (struct vacm_accessEntry *)
+ netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ /* Extract the authType token from the list of indexes */
+ idx = 
table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++ if (idx->val_len >= sizeof(atype))
++ continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -212,6 +216,8 @@
+ entry = (struct vacm_accessEntry *)
+ netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+ ret = SNMP_ERR_NOERROR;
+
+ switch (table_info->colnum) {
+@@ -247,6 +253,8 @@
+ * Extract the authType token from the list of indexes
+ */
+ idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++ if (idx->val_len >= sizeof(atype))
++ continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -294,8 +302,10 @@
+ idx = idx->next_variable; model = *idx->val.integer;
+ idx = idx->next_variable; level = *idx->val.integer;
+ entry = vacm_createAccessEntry( gName, cPrefix, model, level );
+- entry->storageType = ST_NONVOLATILE;
+- netsnmp_insert_iterator_context(request, (void*)entry);
++ if (entry) {
++ entry->storageType = ST_NONVOLATILE;
++ netsnmp_insert_iterator_context(request, (void*)entry);
++ }
+ }
+ }
+ }
+@@ -321,6 +331,8 @@
+
+ /* Extract the authType token from the list of indexes */
+ idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++ if (idx->val_len >= sizeof(atype))
++ continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+--- a/agent/mibgroup/mibII/vacm_vars.c
++++ b/agent/mibgroup/mibII/vacm_vars.c
+@@ -997,6 +997,9 @@
+ return 1;
+ }
+ groupNameL = oidIndex[0];
++ if ((groupNameL + 1) > (int) oidLen) {
++ return 1;
++ }
+ contextPrefixL = oidIndex[groupNameL + 1]; /* 
the initial name length */
+ if ((int) oidLen != groupNameL + contextPrefixL + 4) {
+ return 1;
+--- a/agent/mibgroup/snmpv3/usmUser.c
++++ b/agent/mibgroup/snmpv3/usmUser.c
+@@ -1505,8 +1505,6 @@
+ if (usmStatusCheck(uptr)) {
+ uptr->userStatus = RS_ACTIVE;
+ } else {
+- SNMP_FREE(engineID);
+- SNMP_FREE(newName);
+ return SNMP_ERR_INCONSISTENTVALUE;
+ }
+ } else if (long_ret == RS_CREATEANDWAIT) {
diff -Nru net-snmp-5.9+dfsg/debian/patches/snmpd_recover_set_status net-snmp-5.9+dfsg/debian/patches/snmpd_recover_set_status
--- net-snmp-5.9+dfsg/debian/patches/snmpd_recover_set_status 1970-01-01 10:00:00.000000000 +1000
+++ net-snmp-5.9+dfsg/debian/patches/snmpd_recover_set_status 2022-08-10 16:16:59.000000000 +1000
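Review bot: In the vacm_vars.c hunk the new guard `if ((groupNameL + 1) > (int) oidLen)` still lets `groupNameL + 1 == oidLen` through, so the following `oidIndex[groupNameL + 1]` reads one element past the end if oidLen is the element count of oidIndex (the declarations are outside the hunk). It also has no lower bound: groupNameL is assigned from `oidIndex[0]`, presumably part of the request OID, so a value that converts to a negative int would pass the check too. A tighter form would be `if (groupNameL < 0 || groupNameL >= (int) oidLen - 1) {`. In the nsVacmAccessTable.c hunks the added check covers only `table_info->indexes`, while the four chained `->next_variable` dereferences and `idx->val_len` that follow stay unchecked; whether the table helper guarantees a complete index list is not visible here. The `Origin:` URL in the patch header also ends with a stray backtick.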
@@ -0,0 +1,31 @@
+Description: snmpd: recover SET status from delegated request
+ Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+ Fixes by: Arista Networks
+ .
+ When a SET request includes a mix of delegated and
+ non-delegated requests (e.g., objects handled by master
+ agent and agentx sub-agent), the status can get lost while
+ waiting for the reply from the sub-agent. Recover the status
+ into the session from the requests even if it has already
+ been processed.
+ .
+ CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24810
+Author: Bill Fenner <fen...@gmail.com>
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341
+Bug-Debian: https://bugs.debian.org/1016139
+Applied-Upstream: 5.9.3
+Reviewed-by: Craig Small <csm...@debian.org>
+Last-Update: 2022-08-10 <YYYY-MM-DD, last update of the meta-information, optional>
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -2965,7 +2965,7 @@
+ if (requests->status != SNMP_ERR_NOERROR &&
+ (!look_for_specific || requests->status == look_for_specific)
+ && (look_for_specific || asp->index == 0
+- || requests->index < asp->index)) {
++ || requests->index <= asp->index)) {
+ asp->index = requests->index;
+ asp->status = requests->status;
+ }
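Review bot: The one-character change from `<` to `<=` in the snmp_agent.c hunk carries the whole fix but has no comment in the code, so the reason equality must be accepted lives only in the DEP-3 description. A short comment above the condition would keep it from being simplified back later, for example `/* <=: re-read the status for an index already recorded, so an error from a delegated (AgentX) request is not lost */`. The enclosing function starts and ends outside the hunk, so it cannot be checked from here whether two requests can carry the same index with different error statuses, in which case the later one now wins. Separately, the `Last-Update:` header still carries the template text `<YYYY-MM-DD, last update of the meta-information, optional>`.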