rpms/net-snmp/F-9 net-snmp-5.4.1-hmac-check.patch, NONE, 1.1 net-snmp-5.4.1-perl-snprintf.patch, NONE, 1.1 net-snmp.spec, 1.149, 1.150

Jan Šafránek (jsafrane) fedora-extras-commits at redhat.com
Tue Jun 10 06:04:22 UTC 2008


Author: jsafrane

Update of /cvs/pkgs/rpms/net-snmp/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9084

Modified Files:
	net-snmp.spec 
Added Files:
	net-snmp-5.4.1-hmac-check.patch 
	net-snmp-5.4.1-perl-snprintf.patch 
Log Message:
fix various flaws (CVE-2008-2292 CVE-2008-0960)

net-snmp-5.4.1-hmac-check.patch:

--- NEW FILE net-snmp-5.4.1-hmac-check.patch ---
447974: CVE-2008-0960 net-snmp SNMPv3 authentication bypass (VU#877044)

Source: upstream, https://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380
Reviewed-by: Jan Safranek <jsafrane at redhat.com>

diff -up net-snmp-5.0.9/snmplib/scapi.c.orig net-snmp-5.0.9/snmplib/scapi.c
--- net-snmp-5.0.9/snmplib/scapi.c.orig	2008-06-04 10:19:26.000000000 +0200
+++ net-snmp-5.0.9/snmplib/scapi.c	2008-06-04 10:20:45.000000000 +0200
@@ -460,6 +460,9 @@ sc_check_keyed_hash(const oid * authtype
         QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
     }
 
+    if (maclen != USM_MD5_AND_SHA_AUTH_LEN) {
+        QUITFUN(SNMPERR_GENERR, sc_check_keyed_hash_quit);
+    }
 
     /*
      * Generate a full hash of the message, then compare
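Review bot: The new guard `if (maclen != USM_MD5_AND_SHA_AUTH_LEN)` carries no comment explaining why a short MAC has to be rejected, so a later cleanup could mistake it for a redundant length check. I would put `/* Reject truncated MACs: only a full-length MAC may be compared against the computed hash (CVE-2008-0960). */` directly above it. The hunk also leaves two consecutive blank lines after the closing brace. The comparison itself lies outside this hunk, as do the start and end of sc_check_keyed_hash, so whether the compare is constant-time cannot be judged from here and is worth confirming separately.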

net-snmp-5.4.1-perl-snprintf.patch:

--- NEW FILE net-snmp-5.4.1-perl-snprintf.patch ---
447262: CVE-2008-2292 net-snmp: buffer overflow in the Perl module's __snprint_value()

Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&sortby=date&revision=16770
Reviewed-By: Jan Safranek <jsafrane at redhat.com>

--- branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs	2007/12/21 23:19:29	16769
+++ branches/V5-4-patches/net-snmp/perl/SNMP/SNMP.xs	2007/12/22 19:22:44	16770
@@ -470,14 +470,16 @@
            if (flag == USE_ENUMS) {
               for(ep = tp->enums; ep; ep = ep->next) {
                  if (ep->value == *var->val.integer) {
-                    strcpy(buf, ep->label);
+                    strncpy(buf, ep->label, buf_len);
+                    buf[buf_len-1] = '\0';
                     len = strlen(buf);
                     break;
                  }
               }
            }
            if (!len) {
-              sprintf(buf,"%ld", *var->val.integer);
+              snprintf(buf, buf_len, "%ld", *var->val.integer);
+              buf[buf_len-1] = '\0';
               len = strlen(buf);
            }
            break;
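Review bot: `buf[buf_len-1] = '\0';` after the strncpy and again after the snprintf indexes outside the buffer when `buf_len` is 0, and nothing visible in the hunk rules that value out. After snprintf the extra terminator is redundant, since snprintf already terminates whenever the size is non-zero. The strncpy pair can become `snprintf(buf, buf_len, "%s", ep->label);`, which also avoids strncpy's zero-padding, and a single `buf_len == 0` guard at the top of the function (outside this hunk) would cover every branch. The same terminator line recurs in the ASN_UINTEGER and ASN_IPADDRESS branches of the next hunk.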
@@ -486,21 +488,25 @@
         case ASN_COUNTER:
         case ASN_TIMETICKS:
         case ASN_UINTEGER:
-           sprintf(buf,"%lu", (unsigned long) *var->val.integer);
+           snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+           buf[buf_len-1] = '\0';
            len = strlen(buf);
            break;
 
         case ASN_OCTET_STR:
         case ASN_OPAQUE:
-           memcpy(buf, (char*)var->val.string, var->val_len);
            len = var->val_len;
+           if ( len > buf_len )
+               len = buf_len;
+           memcpy(buf, (char*)var->val.string, len);
            break;
 
         case ASN_IPADDRESS:
-          ip = (u_char*)var->val.string;
-          sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
-          len = strlen(buf);
-          break;
+           ip = (u_char*)var->val.string;
+           snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+           buf[buf_len-1] = '\0';
+           len = strlen(buf);
+           break;
 
         case ASN_NULL:
            break;
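Review bot: The ASN_IPADDRESS branch reads `ip[0]` through `ip[3]` without checking that `var->val_len` is at least 4, so a short value would be read past its end. A guard such as `if (var->val.string == NULL || var->val_len < 4) break;` before the snprintf would close that, unless the length is validated before the switch, which is not visible here. In the ASN_OCTET_STR/ASN_OPAQUE branch the new clamp truncates silently, and a comment like `/* value longer than buf: copied bytes are capped at buf_len and not NUL-terminated */` would tell the next reader what the caller receives. The declarations of `len` and `buf_len` are outside the hunk; if `len` is a signed type, `len > buf_len` is evaluated after conversion and would be clearer with a size_t local.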
@@ -512,14 +518,14 @@
           break;
 
 	case SNMP_ENDOFMIBVIEW:
-          sprintf(buf,"%s", "ENDOFMIBVIEW");
-	  break;
+           snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+	   break;
 	case SNMP_NOSUCHOBJECT:
-	  sprintf(buf,"%s", "NOSUCHOBJECT");
-	  break;
+	   snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+	   break;
 	case SNMP_NOSUCHINSTANCE:
-	  sprintf(buf,"%s", "NOSUCHINSTANCE");
-	  break;
+	   snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+	   break;
 
         case ASN_COUNTER64:
 #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
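Review bot: The SNMP_ENDOFMIBVIEW, SNMP_NOSUCHOBJECT and SNMP_NOSUCHINSTANCE branches write `buf` but never set `len`, unlike the numeric branches of the same switch, which follow each write with `len = strlen(buf);`. If the function reports `len` to its caller (the return is outside this hunk), these three values would come back with length 0. Adding `len = strlen(buf);` before each `break;` would make them consistent, or a comment should say that the zero length is intended. The ASN_OPAQUE_FLOAT and ASN_OPAQUE_DOUBLE branches in the following hunk have the same gap. The re-indented lines also mix a tab with spaces, which is worth normalising while they are being touched.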
@@ -538,19 +544,19 @@
 #endif
 
         case ASN_BIT_STR:
-            snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
+            snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
             len = strlen(buf);
             break;
 #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
         case ASN_OPAQUE_FLOAT:
-	  if (var->val.floatVal)
-	    sprintf(buf,"%f", *var->val.floatVal);
-         break;
+           if (var->val.floatVal)
+              snprintf(buf, buf_len, "%f", *var->val.floatVal);
+           break;
          
         case ASN_OPAQUE_DOUBLE:
-	  if (var->val.doubleVal)
-	    sprintf(buf,"%f", *var->val.doubleVal);
-         break;
+           if (var->val.doubleVal)
+              snprintf(buf, buf_len, "%f", *var->val.doubleVal);
+           break;
 #endif
          
         case ASN_NSAP:
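Review bot: The result of `snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL)` is discarded and `len = strlen(buf);` runs unconditionally, so if the call can fail without terminating `buf`, the strlen walks stale or unterminated data. I would check the result and set `len = 0` on failure, for example `if (snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL) < 0) break;`. The exact failure convention has to be confirmed against the function's declaration, which is not on this page. The ASN_OPAQUE_FLOAT and ASN_OPAQUE_DOUBLE branches also leave `buf` untouched when the value pointer is NULL, so the caller sees whatever `buf` held before unless it was cleared earlier in the function, outside this hunk.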


Index: net-snmp.spec
===================================================================
RCS file: /cvs/pkgs/rpms/net-snmp/F-9/net-snmp.spec,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -r1.149 -r1.150
--- net-snmp.spec	31 May 2008 05:34:16 -0000	1.149
+++ net-snmp.spec	10 Jun 2008 06:03:37 -0000	1.150
@@ -7,7 +7,7 @@
 Summary: A collection of SNMP protocol tools and libraries
 Name: net-snmp
 Version: %{major_ver}
-Release: 17%{?dist}
+Release: 18%{?dist}
 Epoch: 1
 
 License: BSD and MIT
@@ -40,6 +40,8 @@
 Patch15: net-snmp-5.1.2-snmpconf-selinux.patch
 Patch16: net-snmp-5.4.1-sensors3.patch
 Patch17: net-snmp-5.4.1-xen-crash.patch
+Patch18: net-snmp-5.4.1-hmac-check.patch
+Patch19: net-snmp-5.4.1-perl-snprintf.patch
 
 Requires(pre): chkconfig
 Requires(post): chkconfig
@@ -171,6 +173,8 @@
 %patch15 -p1 -b .selinux
 %patch16 -p0 -b .sensors
 %patch17 -p0 -b .xen-crash
+%patch18 -p1 -b .hmac-check
+%patch19 -p3 -b .perl-snprintf
 
 # Do this patch with a perl hack...
 perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@@ -387,6 +391,10 @@
 %{_libdir}/lib*.so.*
 
 %changelog
+* Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-18
+- explicitly require lm_sensor > 3 for build (#442718)
+- fix various flaws (CVE-2008-2292 CVE-2008-0960)
+
 * Sat May 31 2008 Dennis Gilmore <dennis at ausil.us> 5.4.1-17
 - fix sparc handling in /usr/bin/net-snmp-config
 



