
Bug#742150: wheezy-pu: package net-snmp/5.4.3~dfsg-2.7



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release team,

Bug#684388, an important bug, affects both stable and oldstable.
It breaks SNMP communication in the case where a single snmp has the length of
oids increasing: longer oids won't be communicated to the subagent.

Example at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388#5

The debian-security team prefers this to be addressed using an upload in spu
instead of issuing a DSA.

The attached fix is very localized, and already present in testing, see
http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774

Please find a debdiff against wheezy 5.4.3~dfsg-2.7.


-- 
Simon Paillard
diffstat for net-snmp-5.4.3~dfsg net-snmp-5.4.3~dfsg

 changelog                      |    8 ++++++++
 patches/67_CVE-2014-2310.patch |   22 ++++++++++++++++++++++
 patches/series                 |    1 +
 3 files changed, 31 insertions(+)

diff -Nru net-snmp-5.4.3~dfsg/debian/changelog net-snmp-5.4.3~dfsg/debian/changelog
--- net-snmp-5.4.3~dfsg/debian/changelog	2012-11-24 14:06:46.000000000 +0100
+++ net-snmp-5.4.3~dfsg/debian/changelog	2014-03-17 21:02:49.000000000 +0100
@@ -1,3 +1,11 @@
+net-snmp (5.4.3~dfsg-2.8) stable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix agentx subagent issues with multiple-object requests and increasing
+    object length (CVE-2014-2310) (Closes: #684388)
+
+ -- Simon Paillard <spaillard@debian.org>  Mon, 17 Mar 2014 20:56:52 +0100
+
 net-snmp (5.4.3~dfsg-2.7) unstable; urgency=low
 
   * Non-maintainer upload.
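Review bot: The new entry's version, 5.4.3~dfsg-2.8, continues the numbering of the 5.4.3~dfsg-2.7 entry below it, which targeted unstable, while this entry targets stable. A stable-update suffix on the existing version (for example 5.4.3~dfsg-2.7+deb7u1) would make the target suite clear from the version string and keep -2.8 free. The entry could also name the added file, 67_CVE-2014-2310.patch, so the changelog points straight at the change.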
diff -Nru net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch
--- net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch	1970-01-01 01:00:00.000000000 +0100
+++ net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch	2014-03-17 20:51:06.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Patch 3141462: from fenner: fix agentx subagent issues with multiple-object requests
+Bug: http://sourceforge.net/p/net-snmp/patches/1113/ 
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388
+Origin: upstream, http://sourceforge.net/p/net-snmp/code/ci/8d160ac04e7087c10fbda1d1d76d5f2854d58057 
+Index: net-snmp-5.4.3~dfsg/agent/mibgroup/agentx/protocol.c
+===================================================================
+--- net-snmp-5.4.3~dfsg.orig/agent/mibgroup/agentx/protocol.c	2014-03-17 20:51:06.668331699 +0100
++++ net-snmp-5.4.3~dfsg/agent/mibgroup/agentx/protocol.c	2014-03-17 20:51:06.660331611 +0100
+@@ -1765,11 +1765,11 @@
+                                       (u_char *) end_oid_buf,
+                                       end_oid_buf_len);
+             }
++            oid_buf_len = MAX_OID_LEN;
++            end_oid_buf_len = MAX_OID_LEN;
+         }
+ 
+         DEBUGINDENTLESS();
+-        oid_buf_len = MAX_OID_LEN;
+-        end_oid_buf_len = MAX_OID_LEN;
+         break;
+ 
+ 
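Review bot: The two added resets of oid_buf_len and end_oid_buf_len sit at the end of the block, after the buffers have already been used, so the first pass depends on both variables holding MAX_OID_LEN from code outside this hunk; please confirm against the 5.4.3 source that they are initialised that way before the block is first entered. The Description field only repeats the upstream patch title: one sentence saying the lengths are now restored inside the block instead of after it, plus the CVE id that the file name carries, would help later readers. The Bug: and Origin: header lines also end in a trailing space.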
diff -Nru net-snmp-5.4.3~dfsg/debian/patches/series net-snmp-5.4.3~dfsg/debian/patches/series
--- net-snmp-5.4.3~dfsg/debian/patches/series	2012-11-24 13:30:03.000000000 +0100
+++ net-snmp-5.4.3~dfsg/debian/patches/series	2014-03-17 21:33:32.000000000 +0100
@@ -17,3 +17,4 @@
 64_missing_lib.patch
 65_CVE-2012-2141.patch
 66_formatstrings.patch
+67_CVE-2014-2310.patch
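The failure described in the request (longer OIDs in one multi-object request not reaching the subagent) can be reproduced with a toy decoder. This is an added example, not net-snmp code: `toy_parse_oid`, `count_parsed_oids`, the one-byte wire format and the assumption that the decoder overwrites its length argument with the decoded length are hypothetical; only `oid_buf_len` and `MAX_OID_LEN` are names taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_OID_LEN 128 /* buffer capacity in sub-ids (value assumed here) */

/* Hypothetical decoder. Wire format (constructed): one count byte, then that
 * many one-byte sub-ids. *oid_len is the capacity on entry and the decoded
 * length on return. Returns the next read position, or NULL on failure. */
static const uint8_t *toy_parse_oid(const uint8_t *p, const uint8_t *end,
                                    uint32_t *oid, size_t *oid_len)
{
    if (p >= end || *p > *oid_len || (size_t)(end - p - 1) < *p)
        return NULL;            /* OID "too long" for buffer, or truncated */
    size_t n = *p++;
    for (size_t i = 0; i < n; i++)
        oid[i] = p[i];
    *oid_len = n;               /* the capacity value is overwritten here */
    return p + n;
}

/* Returns how many OIDs of one request were decoded. reset_each_pass = 0
 * models a reset that only happens after the loop; 1 resets per object. */
size_t count_parsed_oids(const uint8_t *req, size_t req_len, int reset_each_pass)
{
    uint32_t oid_buf[MAX_OID_LEN];
    size_t oid_buf_len = MAX_OID_LEN;
    const uint8_t *p = req, *end = req + req_len;
    size_t parsed = 0;
    while (p < end) {
        p = toy_parse_oid(p, end, oid_buf, &oid_buf_len);
        if (p == NULL)
            break;              /* remaining objects are never delivered */
        parsed++;
        if (reset_each_pass)
            oid_buf_len = MAX_OID_LEN;
    }
    return parsed;
}

/* Constructed sample request: three OIDs with lengths 2, 3 and 4. */
const uint8_t SAMPLE_REQ[] = { 2, 1, 3,  3, 1, 3, 6,  4, 1, 3, 6, 1 };

int main(void)
{
    printf("reset after loop: %zu, reset per object: %zu (of 3 OIDs)\n",
           count_parsed_oids(SAMPLE_REQ, sizeof SAMPLE_REQ, 0),
           count_parsed_oids(SAMPLE_REQ, sizeof SAMPLE_REQ, 1));
    return 0;
}
```

A request whose OIDs get shorter decodes fully under either setting, which is why the defect only shows up when object lengths increase within one request.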
