** Description changed:

+ [ Impact ]
+ 
+ Users can experience a segmentation fault on snmpd (part of net-snmp)
+ when using a certificate that contains an extension longer than 512
+ bytes and debug output (-D) is enabled.  Although this only happens when
+ debugging, it seems to be pretty common to find certificates whose
+ extensions are larger than 512 bytes.
+ 
+ [ Test Case ]
+ 
+ Below you can find a step-by-step procedure to reproduce the bug.  Bear
+ in mind that the "sed" command may be mangled due to Launchpad's text
+ renderization.
+ 
+ $ lxc launch images:ubuntu/hirsute net-snmp-bug1912389
+ $ lxc shell net-snmp-bug1912389
+ # apt update && apt install net-snmp -y
+ # sed -i "s@^#\s*nsCertType.*@nsCertType = client,email,objsign@; 
s@^#\s*nsCaRevocationUrl.*@nsCaRevocationUrl = http://www.myverylongurl$(printf 
'%*s' 512 | tr ' ' 'a').com/ca-crl.pem@; 
s@^#\s*extendedKeyUsage.*@extendedKeyUsage = 
critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection@; 
s@^#\s*keyUsage.*@keyUsage = nonRepudiation,digitalSignature,keyEncipherment@" 
/etc/ssl/openssl.cnf
+ # openssl req -x509 -out localhost.crt -keyout localhost.key    -newkey 
rsa:2048 -nodes -sha256 -extensions usr_cert   -subj '/CN=localhost' -config 
/etc/ssl/openssl.cnf
+ # mkdir -p $HOME/.snmp/tls/certs
+ # cp localhost.crt $HOME/.snmp/tls/certs
+ # systemctl stop snmpd.service
+ # snmpd -DALL
+ ...
+ not enough space or error in allocation for extenstion
+ Segmentation fault (core dumped)
+ #
+ 
+ [ Where problems could occur ]
+ 
+ The backported patches are very straightforward and only impact code
+ that is run when debug (-D) is active.  There is not much room for
+ regression here, especially considering that this is a very recent
+ version of the package that will very likely not be affected by newer
+ rebuilds.
+ 
+ [ Original Description ]
+ 
  When net-snmp is given a certificate with an extension that is longer
  than 512 characters, snmp crashes on startup.
  
  Steps to Reproduce:
  1. Configure net-snmp using an EV certificate from a CA (in this case 
Globalsign).
  2. Start snmpd.
  3.
  
  Actual results:
  
  [root@localhost tls]# systemctl status snmpd.service
  ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
-    Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor 
preset: disabled)
-    Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 
16min ago
-   Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped, 
signal=SEGV)
-  Main PID: 53269 (code=dumped, signal=SEGV)
+    Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor 
preset: disabled)
+    Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 
16min ago
+   Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped, 
signal=SEGV)
+  Main PID: 53269 (code=dumped, signal=SEGV)
  
  Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management 
Protocol (SNMP) Daemon....
  Dec 16 21:21:58 localhost snmpd[53269]: refusing to read world readable or 
writable key /etc/snmp/tls/certs/snmpd.crt
  Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in 
allocation for extenstion
  Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited, 
code=dumped, status=11/SEGV
  Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result 
'core-dump'.
  Dec 16 21:21:59 localhost systemd[1]: Failed to start Simple Network 
Management Protocol (SNMP) Daemon..
  
  Expected results:
  
  Deamon starts without a crash.
  
  Additional info:
  
  Fix available here:
  
  https://github.com/net-snmp/net-snmp/pull/234
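Review bot: The new [ Impact ] and [ Where problems could occur ] sections state that the crash only happens when debug output (-D) is enabled, but the original description kept below them shows the SIGSEGV under the systemd unit started with "ExecStart=/usr/sbin/snmpd $OPTIONS -f", and nothing visible says whether $OPTIONS contained -D. Suggest stating in [ Impact ] whether that original report ran with debugging enabled, so the low-regression-risk argument rests on a confirmed condition. The [ Test Case ] also warns that the "sed" command may be mangled by the renderer; attaching the edited usr_cert settings or a small script to the bug would make the reproduction safe to copy.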

https://bugs.launchpad.net/bugs/1912389

Title:
   [Patch] SIGSEGV: crash when certificate contains extension longer
  than 512 bytes
