Hi, I intend to upload a 0-day NMU to fix this bug. Attached is a debdiff for the fix, which also includes a fix for the same issue in the python module.
It will be also archived on: http://people.debian.org/~nion/nmu-diff/net-snmp-5.4.1~dfsg-1_5.4.1~dfsg-7.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u net-snmp-5.4.1~dfsg/debian/changelog net-snmp-5.4.1~dfsg/debian/changelog
--- net-snmp-5.4.1~dfsg/debian/changelog
+++ net-snmp-5.4.1~dfsg/debian/changelog
@@ -1,3 +1,13 @@
+net-snmp (5.4.1~dfsg-7.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix buffer overflow in the python and perl module (__snprint_value
+ function)that can be exploited via large OCTETSTRING in an
+ attribute value pair (AVP) leading to arbitrary code
+ execution (CVE-2008-2292; Closes: #482333).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 24 May 2008 13:12:16 +0200
+
net-snmp (5.4.1~dfsg-7) unstable; urgency=low
* Add some more Conflicts: and Replaces: magic to allow moving
only in patch2:
unchanged:
--- net-snmp-5.4.1~dfsg.orig/debian/patches/48-CVE-2008-2292.patch
+++ net-snmp-5.4.1~dfsg/debian/patches/48-CVE-2008-2292.patch
@@ -0,0 +1,170 @@
+diff -Nurad net-snmp-5.4.1~dfsg.orig/perl/SNMP/SNMP.xs net-snmp-5.4.1~dfsg/perl/SNMP/SNMP.xs
+--- net-snmp-5.4.1~dfsg.orig/perl/SNMP/SNMP.xs 2008-05-24 11:53:07.000000000 +0200
++++ net-snmp-5.4.1~dfsg/perl/SNMP/SNMP.xs 2008-05-24 12:48:16.000000000 +0200
+@@ -470,14 +470,15 @@
+ if (flag == USE_ENUMS) {
+ for(ep = tp->enums; ep; ep = ep->next) {
+ if (ep->value == *var->val.integer) {
+- strcpy(buf, ep->label);
++ strncpy(buf, ep->label, buf_len);
++ buf[buf_len -1] = 0;
+ len = strlen(buf);
+ break;
+ }
+ }
+ }
+ if (!len) {
+- sprintf(buf,"%ld", *var->val.integer);
++ snprintf(buf, buf_len, "%ld", *var->val.integer);
+ len = strlen(buf);
+ }
+ break;
+@@ -486,19 +487,21 @@
+ case ASN_COUNTER:
+ case ASN_TIMETICKS:
+ case ASN_UINTEGER:
+- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+ len = strlen(buf);
+ break;
+ 
+ case ASN_OCTET_STR:
+ case ASN_OPAQUE:
+- memcpy(buf, (char*)var->val.string, var->val_len);
++ if (len > buf_len)
++ len = buf_len;
++ memcpy(buf, (char*)var->val.string, len);
+ len = var->val_len;
+ break;
+ 
+ case ASN_IPADDRESS:
+ ip = (u_char*)var->val.string;
+- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+ len = strlen(buf);
+ break;
+ 
+@@ -512,13 +515,13 @@
+ break;
+ 
+ case SNMP_ENDOFMIBVIEW:
+- sprintf(buf,"%s", "ENDOFMIBVIEW");
++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+ break;
+ case SNMP_NOSUCHOBJECT:
+- sprintf(buf,"%s", "NOSUCHOBJECT");
++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+ break;
+ case SNMP_NOSUCHINSTANCE:
+- sprintf(buf,"%s", "NOSUCHINSTANCE");
++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+ break;
+ 
+ case ASN_COUNTER64:
+@@ -538,18 +541,18 @@
+ #endif
+ 
+ case ASN_BIT_STR:
+- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
+ len = strlen(buf);
+ break;
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+ case ASN_OPAQUE_FLOAT:
+ if (var->val.floatVal)
+- sprintf(buf,"%f", *var->val.floatVal);
++ snprintf(buf, buf_len, "%f", *var->val.floatVal);
+ break;
+ 
+ case ASN_OPAQUE_DOUBLE:
+ if (var->val.doubleVal)
+- sprintf(buf,"%f", *var->val.doubleVal);
++ snprintf(buf, buf_len, "%f", *var->val.doubleVal);
+ break;
+ #endif
+ 
+diff -Nurad net-snmp-5.4.1~dfsg.orig/python/netsnmp/client_intf.c net-snmp-5.4.1~dfsg/python/netsnmp/client_intf.c
+--- net-snmp-5.4.1~dfsg.orig/python/netsnmp/client_intf.c 2008-05-24 11:53:07.000000000 +0200
++++ net-snmp-5.4.1~dfsg/python/netsnmp/client_intf.c 2008-05-24 12:30:51.000000000 +0200
+@@ -330,14 +330,15 @@
+ if (flag == USE_ENUMS) {
+ for(ep = tp->enums; ep; ep = ep->next) {
+ if (ep->value == *var->val.integer) {
+- strcpy(buf, ep->label);
++ strncpy(buf, ep->label, buf_len);
++ buf[buf_len -1] = 0;
+ len = STRLEN(buf);
+ break;
+ }
+ }
+ }
+ if (!len) {
+- sprintf(buf,"%ld", *var->val.integer);
++ snprintf(buf, buf_len, "%ld", *var->val.integer);
+ len = STRLEN(buf);
+ }
+ break;
+@@ -346,19 +347,21 @@
+ case ASN_COUNTER:
+ case ASN_TIMETICKS:
+ case ASN_UINTEGER:
+- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+ len = STRLEN(buf);
+ break;
+ 
+ case ASN_OCTET_STR:
+ case ASN_OPAQUE:
+- memcpy(buf, (char*)var->val.string, var->val_len);
++ if(len > buf_len)
++ len = buf_len;
++ memcpy(buf, (char*)var->val.string, len);
+ len = var->val_len;
+ break;
+ 
+ case ASN_IPADDRESS:
+ ip = (u_char*)var->val.string;
+- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+ len = STRLEN(buf);
+ break;
+ 
+@@ -372,13 +375,13 @@
+ break;
+ 
+ case SNMP_ENDOFMIBVIEW:
+- sprintf(buf,"%s", "ENDOFMIBVIEW");
++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+ break;
+ case SNMP_NOSUCHOBJECT:
+- sprintf(buf,"%s", "NOSUCHOBJECT");
++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+ break;
+ case SNMP_NOSUCHINSTANCE:
+- sprintf(buf,"%s", "NOSUCHINSTANCE");
++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+ break;
+ 
+ case ASN_COUNTER64:
+@@ -398,18 +401,18 @@
+ #endif
+ 
+ case ASN_BIT_STR:
+- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
+ len = STRLEN(buf);
+ break;
+ #ifdef OPAQUE_SPECIAL_TYPES
+ case ASN_OPAQUE_FLOAT:
+ if (var->val.floatVal)
+- sprintf(buf,"%f", *var->val.floatVal);
++ snprintf(buf, buf_len, "%f", *var->val.floatVal);
+ break;
+ 
+ case ASN_OPAQUE_DOUBLE:
+ if (var->val.doubleVal)
+- sprintf(buf,"%f", *var->val.doubleVal);
++ snprintf(buf, buf_len, "%f", *var->val.doubleVal);
+ break;
+ #endif
+
pgp80hyeKB1qA.pgp
Description: PGP signature