From 3064522d5513ea7e21a198d4cab335db22d68629 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Sat, 27 Aug 2022 03:55:47 +0000
Subject: [PATCH] fix CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
---
 ...-24805-24806-24807-24808-24809-24810.patch | 131 ++++++++++++++++++
 ...-24805-24806-24807-24808-24809-24810.patch | 31 +++++
 net-snmp.spec | 11 +-
 3 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch
 create mode 100644 backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch
diff --git a/backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch b/backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch
new file mode 100644
index 0000000..8e39f87
--- /dev/null
+++ b/backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch
@@ -0,0 +1,131 @@
+From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001
+From: Bill Fenner
+Date: Wed, 30 Jun 2021 14:00:28 -0700
+Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB,
+ NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+---
+ agent/mibgroup/agent/nsLogging.c | 6 ++++++
+ agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++--
+ agent/mibgroup/mibII/vacm_vars.c | 3 +++
+ agent/mibgroup/snmpv3/usmUser.c | 2 --
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c
+index 9abdeb5bb7..7f4290490a 100644
+--- a/agent/mibgroup/agent/nsLogging.c
++++ b/agent/mibgroup/agent/nsLogging.c
+@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+ continue;
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+ }
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+ continue;
+ logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ switch (table_info->colnum) {
+ case NSLOGGING_TYPE:
+diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c
+index cc61fce7e6..6c43210074 100644
+--- a/agent/mibgroup/agent/nsVacmAccessTable.c
++++ b/agent/mibgroup/agent/nsVacmAccessTable.c
+@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ entry = (struct vacm_accessEntry *)
+ netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+
+ /* Extract the authType token from the list of indexes */
+ idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++ if (idx->val_len >= sizeof(atype))
++ continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ entry = (struct vacm_accessEntry *)
+ netsnmp_extract_iterator_context(request);
+ table_info = netsnmp_extract_table_info(request);
++ if (!table_info || !table_info->indexes)
++ continue;
+ ret = SNMP_ERR_NOERROR;
+
+ switch (table_info->colnum) {
+@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ * Extract the authType token from the list of indexes
+ */
+ idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++ if (idx->val_len >= sizeof(atype))
++ continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ idx = idx->next_variable; model = *idx->val.integer;
+ idx = idx->next_variable; level = *idx->val.integer;
+ entry = vacm_createAccessEntry( gName, cPrefix, model, level );
+- entry->storageType = ST_NONVOLATILE;
+- netsnmp_insert_iterator_context(request, (void*)entry);
++ if (entry) {
++ entry->storageType = ST_NONVOLATILE;
++ netsnmp_insert_iterator_context(request, (void*)entry);
++ }
+ }
+ }
+ }
+@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+
+ /* Extract the authType token from the list of indexes */
+ idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++ if (idx->val_len >= sizeof(atype))
++ continue;
+ memset(atype, 0, sizeof(atype));
+ memcpy(atype, (char *)idx->val.string, idx->val_len);
+ viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c
+index 469a1eba59..62c9a3d051 100644
+--- a/agent/mibgroup/mibII/vacm_vars.c
++++ b/agent/mibgroup/mibII/vacm_vars.c
+@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
+ return 1;
+ }
+ groupNameL = oidIndex[0];
++ if ((groupNameL + 1) > (int) oidLen) {
++ return 1;
++ }
+ contextPrefixL = oidIndex[groupNameL + 1]; /* the initial name length */
+ if ((int) oidLen != groupNameL + contextPrefixL + 4) {
+ return 1;
+diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c
+index 0f52aaba49..0edea53cfb 100644
+--- a/agent/mibgroup/snmpv3/usmUser.c
++++ b/agent/mibgroup/snmpv3/usmUser.c
+@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action,
+ if (usmStatusCheck(uptr)) {
+ uptr->userStatus = RS_ACTIVE;
+ } else {
+- SNMP_FREE(engineID);
+- SNMP_FREE(newName);
+ return SNMP_ERR_INCONSISTENTVALUE;
+ }
+ } else if (long_ret == RS_CREATEANDWAIT) {
diff --git a/backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch b/backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch
new file mode 100644
index 0000000..cf95e48
--- /dev/null
+++ b/backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch
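Review bot: In the nsVacmAccessTable.c hunks at 170, 253 and 331 the new `if (idx->val_len >= sizeof(atype)) continue;` drops the varbind without recording an error, so a SET whose authType index is too long appears to be skipped in RESERVE1, ACTION and COMMIT and still answered as noError; raising the error before leaving, e.g. `netsnmp_set_request_error(reqinfo, request, SNMP_ERR_NOCREATION); continue;` (assuming the request-info parameter carries the usual `reqinfo` name, which is outside the hunk), would make the rejection visible to the manager and keep the later phases from walking the index chain again. The `!table_info || !table_info->indexes` guards at 170 and 216 have the same silent-skip shape. In the vacm_vars.c hunk the added `(groupNameL + 1) > (int) oidLen` test relies on groupNameL being non-negative; its declaration is outside the hunk, and if it is a plain int a large `oidIndex[0]` wraps below zero, passes the test and then reads `oidIndex[groupNameL + 1]` before the start of the array, so `if (groupNameL < 0 || (size_t) groupNameL + 1 > oidLen)` is the safer form. Every function touched in this patch starts and ends outside its hunk.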
@@ -0,0 +1,31 @@
+From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001
+From: Bill Fenner
+Date: Tue, 24 Aug 2021 07:55:00 -0700
+Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+
+When a SET request includes a mix of delegated and
+non-delegated requests (e.g., objects handled by master
+agent and agentx sub-agent), the status can get lost while
+waiting for the reply from the sub-agent. Recover the status
+into the session from the requests even if it has already
+been processed.
+---
+ agent/snmp_agent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 84fbb42b47..095ee70985 100644
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
+ if (requests->status != SNMP_ERR_NOERROR &&
+ (!look_for_specific || requests->status == look_for_specific)
+ && (look_for_specific || asp->index == 0
+- || requests->index < asp->index)) {
++ || requests->index <= asp->index)) {
+ asp->index = requests->index;
+ asp->status = requests->status;
+ }
diff --git a/net-snmp.spec b/net-snmp.spec
index eb9d730..453890e 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -3,7 +3,7 @@
 Name: net-snmp
 Version: 5.9.1
-Release: 3
+Release: 4
 Epoch: 1
 Summary: SNMP Daemon
 License: BSD
@@ -47,6 +47,8 @@ Patch30: backport-libsnmp-Fix-a-memory-leak-in-a-MIB-parser-error-path.p
 Patch31: backport-libsnmp-Fix-the-getoid-error-path.patch
 Patch32: backport-Python-Fix-snmpwalk-with-UseNumeric-1.patch
 Patch33: backport-net-snmp-5.9.1-autoconf.patch
+Patch34: backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch
+Patch35: backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch
 %{?systemd_requires}
 BuildRequires: systemd gcc openssl-devel bzip2-devel elfutils-devel libselinux-devel
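Review bot: The `<` to `<=` change in netsnmp_check_requests_status is the entire fix, but nothing at the condition says why a request whose index equals `asp->index` must now be allowed to overwrite the session status; that rationale exists only in the patch description and disappears once the patch is applied. A one-line comment above the `if`, such as `/* '<=' on purpose: a request already processed while a delegated sub-agent reply was pending must still restore its status into the session */`, would keep the reason with the code. The function starts and ends outside the hunk.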
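Review bot: Patch34 and Patch35 are declared in the preamble, but this hunk does not show how the spec applies its patches; if %prep uses explicit `%patchN -p1` lines rather than `%autosetup`, the two new CVE patches are listed yet never applied and the build still succeeds. Worth confirming in %prep, which is outside this diff, that both are picked up.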
@@ -326,6 +328,13 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_mandir}/man1/fixproc*
 %changelog
+* Sat Aug 27 2022 gaihuiying - 1:5.9.1-4
+- Type:CVE
+- CVE:CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
+- SUG:NA
+- DESC:fix CVE-2022-24805 CVE-2022-24806 CVE-2022-24807
+ CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
+
 * Mon Aug 08 2022 gaihuiying - 5.9.1-3
 - Type:bugfix
 - CVE:NA
-- 
Gitee