rpms/net-snmp/F-8 net-snmp-5.4.1-getbulk-crash.patch, NONE, 1.1 net-snmp.spec, 1.137, 1.138
Jan Šafránek
jsafrane at fedoraproject.org
Mon Nov 3 08:54:20 UTC 2008
- Previous message (by thread): rpms/net-snmp/F-9 net-snmp-5.4.1-getbulk-crash.patch, NONE, 1.1 net-snmp.spec, 1.152, 1.153
- Next message (by thread): rpms/net-snmp/devel .cvsignore, 1.24, 1.25 net-snmp.spec, 1.162, 1.163 sources, 1.24, 1.25
Author: jsafrane
Update of /cvs/pkgs/rpms/net-snmp/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16040
Modified Files:
net-snmp.spec
Added Files:
net-snmp-5.4.1-getbulk-crash.patch
Log Message:
fix CVE-2008-4309
Resolves: CVE-2008-4309
net-snmp-5.4.1-getbulk-crash.patch:
--- NEW FILE net-snmp-5.4.1-getbulk-crash.patch ---
CVE-2008-4309: net-snmp: numresponses calculation integer overflow in snmp_agent.c
Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17272
Index: clean/agent/snmp_agent.c
===================================================================
--- clean.orig/agent/snmp_agent.c 2008-10-28 23:12:10.000000000 +0100
+++ clean/agent/snmp_agent.c 2008-10-28 23:15:11.000000000 +0100
@@ -2234,7 +2234,6 @@
r = 0;
asp->bulkcache = NULL;
} else {
- int numresponses;
int maxbulk =
netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
@@ -2245,28 +2244,31 @@
if (maxresponses == 0)
maxresponses = 100; /* more than reasonable default */
- if (maxbulk == 0)
- maxbulk = -1;
+ /* ensure that the total number of responses fits in a mallocable
+ * result vector
+ */
+ if (maxresponses < 0 ||
+ maxresponses > INT_MAX / sizeof(struct varbind_list *))
+ maxresponses = INT_MAX / sizeof(struct varbind_list *);
+
+ /* ensure that the maximum number of repetitions will fit in the
+ * result vector
+ */
+ if (maxbulk <= 0 || maxbulk > maxresponses / r)
+ maxbulk = maxresponses / r;
/* limit getbulk number of repeats to a configured size */
- if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+ if (asp->pdu->errindex > maxbulk) {
asp->pdu->errindex = maxbulk;
- }
-
- numresponses = asp->pdu->errindex * r;
-
- /* limit getbulk number of getbulk responses to a configured size */
- if (maxresponses != -1 && numresponses > maxresponses) {
- /* attempt to truncate this */
- asp->pdu->errindex = maxresponses/r;
- numresponses = asp->pdu->errindex * r;
- DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+ DEBUGMSGTL(("snmp_agent",
+ "truncating number of getbulk repeats to %d\n",
+ asp->pdu->errindex));
}
asp->bulkcache =
- (netsnmp_variable_list **) malloc(numresponses *
- sizeof(struct
- varbind_list *));
+ (netsnmp_variable_list **) malloc(
+ asp->pdu->errindex * r * sizeof(struct varbind_list *));
+
if (!asp->bulkcache) {
DEBUGMSGTL(("snmp_agent", "Bulkcache malloc failed\n"));
return SNMP_ERR_GENERR;
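Review bot: The overflow bound on the malloc argument rests on two preconditions that this hunk does not establish: r must be nonzero for `maxresponses / r`, and asp->pdu->errindex must be non-negative, because `asp->pdu->errindex > maxbulk` only clamps from above and a negative value would still reach `asp->pdu->errindex * r * sizeof(struct varbind_list *)`. Please confirm both are guaranteed earlier in the function, or add explicit checks next to the clamp. Also, when r exceeds maxresponses the new maxbulk is 0, so errindex is clamped to 0 and malloc(0) is called; on platforms where that returns NULL the request ends in "Bulkcache malloc failed" and SNMP_ERR_GENERR, so that case deserves its own branch. INT_MAX is introduced here with no matching #include <limits.h> anywhere in the patch, so check that the file already pulls it in.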
Index: net-snmp.spec
===================================================================
RCS file: /cvs/pkgs/rpms/net-snmp/F-8/net-snmp.spec,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- net-snmp.spec 3 Nov 2008 08:32:56 -0000 1.137
+++ net-snmp.spec 3 Nov 2008 08:53:50 -0000 1.138
@@ -40,7 +40,7 @@
Patch16: net-snmp-5.4.1-xen-crash.patch
Patch17: net-snmp-5.4.1-hmac-check.patch
Patch18: net-snmp-5.4.1-perl-snprintf.patch
-
+Patch19: net-snmp-5.4.1-getbulk-crash.patch
Requires(pre): /sbin/chkconfig
Requires(post): /sbin/chkconfig
@@ -157,6 +157,7 @@
%patch16 -p0 -b .xen-crash
%patch17 -p1 -b .hmac-check
%patch18 -p3 -b .perl-snprintf
+%patch19 -p1 -b .getbulk-crash
# Do this patch with a perl hack...
perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@@ -369,6 +370,7 @@
* Mon Jun 23 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-8
- explicitly require the right version and release of net-snmp and
net-snmp-libs (#451225)
+- fix CVE-2008-4309
* Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-7
- fix various flaws (CVE-2008-2292 CVE-2008-0960)
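Review bot: The added `- fix CVE-2008-4309` line is appended to the existing Mon Jun 23 2008 5.4.1-8 changelog entry, and none of the hunks in this spec diff touches the Release tag. A security fix should get its own changelog entry with the current date and a bumped release, so the fixed build can be told apart from the unfixed 5.4.1-8 and is offered as an update; please verify the release was bumped in the preceding revision or add it here.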
More information about the fedora-extras-commits mailing list