
Bug#972149: marked as done (buster-pu: package net-snmp/5.7.3+dfsg-5+deb10u1)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #972149,
regarding buster-pu: package net-snmp/5.7.3+dfsg-5+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
972149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972149
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]
The security release in deb10u1 made EXTEND-MIB read-only
to close a security hole (CVE-2020-15862/Bug #9651166).
However, this meant the cacheTime and execType could not be
changed, which caused problems with some SNMP managers or setups.

[ Impact ]
The cacheTime and execType cannot be set anywhere, as these
parameters appear in net-snmp 5.8, which is in sid but not
buster.

[ Tests ]
Tested with Ubuntu
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980
Upstream have the patch and their tests:
https://sourceforge.net/p/net-snmp/patches/1290/

My tests.
Install the candidate snmpd on a Debian 10 VM.
Configuration file is:
rocommunity public default
extend -cacheTime 10 test /usr/bin/date

Run snmpd using this configuration file

On a different host, run
watch -d snmpwalk -v 1 -c public  {test_server_ip} .1.3.6.1.4.1.8072.1.3.2.3.1.1.4

Notice the date only changes approximately every 10 seconds as the
result is cached.

[ Risks ]
The patch is about 30 additional lines.  Most users probably don't
use the "extend" option so won't exercise this or the buggy setup.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Adds two options to the extend command line parameter

[ Other info ]
None

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru net-snmp-5.7.3+dfsg/debian/changelog net-snmp-5.7.3+dfsg/debian/changelog
--- net-snmp-5.7.3+dfsg/debian/changelog	2020-07-31 20:53:22.000000000 +1000
+++ net-snmp-5.7.3+dfsg/debian/changelog	2020-09-07 07:16:17.000000000 +1000
@@ -1,3 +1,13 @@
+net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high
+
+  * snmpd: Add cacheTime and execType flags to EXTEND-MIB.
+    Previous security release made EXTEND-MIB read-only which meant
+    it was not possible to set the timeout of the cache. This patch
+    allows administrator to set the value in the snmpd.conf file.
+    Closes: #969508
+
+ -- Craig Small <csmall@debian.org>  Mon, 07 Sep 2020 07:16:17 +1000
+
 net-snmp (5.7.3+dfsg-5+deb10u1) buster-security; urgency=high
 
   * snmpd: Make EXTEND-MIB readonly access
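Review bot: the new stanza `+net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high` targets the security suite, but this bug is a buster-pu request, so the distribution should be `buster`, and `urgency=high` is unusual for a point-release fix. The stanza's version (deb10u2) also differs from the one in the bug title (deb10u1); confirm which will actually be uploaded. Minor: "allows administrator to set" should read "allows the administrator to set".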
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series net-snmp-5.7.3+dfsg/debian/patches/series
--- net-snmp-5.7.3+dfsg/debian/patches/series	2020-07-31 20:53:22.000000000 +1000
+++ net-snmp-5.7.3+dfsg/debian/patches/series	2020-09-07 07:16:17.000000000 +1000
@@ -44,3 +44,4 @@
 snmpd_stop_mib_indexes_files
 snmp_snmptrapd_disallow_user_change
 
+snmpd_cachetime_exectype
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype
--- net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype	1970-01-01 10:00:00.000000000 +1000
+++ net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype	2020-09-07 07:16:17.000000000 +1000
@@ -0,0 +1,85 @@
+Description: Add a couple of optional flags to the "extend" config
+ directive, enabling non-volatile configuration of a couple of aspects that so
+ far have been configurable only temporarily via SETs:
+ -cacheTime specifies the cache timeout
+Author: Jeff Gehlbach <jeffg@opennms.org>
+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/d8b12900629ed73a78b27535f08c4f0a721a93be
+Bug-Debian: https://bugs.debian.org/969508
+Applied-Upstream: 5.8
+Reviewed-by: Craig Small <csmall@debian.org>
+Last-Update: 2020-09-05
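Review bot: the Description says the patch adds "a couple of optional flags" but only lists `-cacheTime`; add a line for `-execType` (for example ` -execType selects exec or sh execution`) so the DEP-3 header matches the code that follows.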
+--- a/agent/mibgroup/agent/extend.c
++++ b/agent/mibgroup/agent/extend.c
+@@ -528,8 +528,27 @@
+     size_t oid_len;
+     extend_registration_block *eptr;
+     int  flags;
++    char cache_timeout_str[STRMAX];
++    int cache_timeout = 0;
++    char exec_type_str[STRMAX];
++    int exec_type = NS_EXTEND_ETYPE_EXEC;
+ 
+     cptr = copy_nword(cptr, exec_name,    sizeof(exec_name));
++    if ( !strcmp( exec_name, "-cacheTime") ) {
++        cptr = copy_nword(cptr, cache_timeout_str, sizeof(cache_timeout_str));
++        /* If atoi can't do the conversion, it returns 0 */
++        cache_timeout = atoi(cache_timeout_str);
++        cptr = copy_nword(cptr, exec_name,    sizeof(exec_name));
++    }
++    if ( !strcmp( exec_name, "-execType") ) {
++        cptr = copy_nword(cptr, exec_type_str, sizeof(exec_type_str));
++        if ( !strcmp( exec_type_str, "sh" ) ) {
++            exec_type = NS_EXTEND_ETYPE_SHELL;
++        } else {
++            exec_type = NS_EXTEND_ETYPE_EXEC;
++        }
++        cptr = copy_nword(cptr, exec_name,    sizeof(exec_name));
++    }
+     if ( *exec_name == '.' ) {
+         oid_len = MAX_OID_LEN - 2;
+         if (0 == read_objid( exec_name, oid_buf, &oid_len )) {
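Review bot: the `-cacheTime` argument is converted with `atoi`, which returns 0 for non-numeric input and accepts negative numbers, so a typo such as `-cacheTime 1O` silently leaves the timeout unset while `-cacheTime -5` stores a negative timeout; use `strtol` with an end-pointer check, reject values below 0, and report bad input with `config_perror`. The two options are also only recognised in the fixed order `-cacheTime` then `-execType`: written the other way round, `-cacheTime` ends up as NAME. Either loop over leading `-` tokens or document the fixed order. Likewise an unrecognised `-execType` value falls back to exec with no diagnostic; log it.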
+@@ -551,7 +570,8 @@
+     flags = (NS_EXTEND_FLAGS_ACTIVE | NS_EXTEND_FLAGS_CONFIG);
+     if (!strcmp( token, "sh"        ) ||
+         !strcmp( token, "extend-sh" ) ||
+-        !strcmp( token, "sh2" ))
++        !strcmp( token, "sh2" ) ||
++        exec_type == NS_EXTEND_ETYPE_SHELL)
+         flags |= NS_EXTEND_FLAGS_SHELL;
+     if (!strcmp( token, "execFix"   ) ||
+         !strcmp( token, "extendfix" ) ||
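Review bot: the added `exec_type == NS_EXTEND_ETYPE_SHELL` condition can only add `NS_EXTEND_FLAGS_SHELL`; for an `sh`/`extend-sh`/`sh2` directive with `-execType exec` the token check still sets the shell flag, so `-execType` cannot turn shell execution off. That is probably acceptable, but it should be stated explicitly in the man page rather than implied by "Otherwise it will be run in the default exec fashion".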
+@@ -572,6 +592,8 @@
+         extension->command  = strdup( exec_command );
+         if (cptr)
+             extension->args = strdup( cptr );
++        if (cache_timeout != 0)
++            extension->cache->timeout = cache_timeout;
+     } else {
+         snmp_log(LOG_ERR, "Failed to register extend entry '%s' - possibly duplicate name.\n", exec_name );
+         return;
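Review bot: `if (cache_timeout != 0)` makes `-cacheTime 0` indistinguishable from the option being absent, so an administrator cannot explicitly ask for a zero timeout; if 0 is meant to be unsupported, reject it while parsing rather than silently ignoring it. The assignment also dereferences `extension->cache` unconditionally; worth confirming that the registration path always creates the cache before this point.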
+--- a/man/snmpd.conf.5.def
++++ b/man/snmpd.conf.5.def
+@@ -1284,7 +1284,7 @@
+ .PP
+ \fIexec\fR and \fIsh\fR extensions can only be configured via the
+ snmpd.conf file.  They cannot be set up via SNMP SET requests.
+-.IP "extend [MIBOID] NAME PROG ARGS"
++.IP "extend [-cacheTime TIME] [-execType TYPE] [MIBOID] NAME PROG ARGS"
+ works in a similar manner to the \fIexec\fR directive, but with a number
+ of improvements.  The MIB tables (\fInsExtendConfigTable\fR
+ etc) are indexed by the NAME token, so are unaffected by the order in
+@@ -1294,6 +1294,14 @@
+ for each \fIextend\fR entry, and the other (\fInsExtendOutput2Table\fR)
+ containing the complete output as a series of separate lines.
+ .IP
++If -cacheTime is specified, then its argument is used as the cache timeout
++(in whole seconds) for this \fIextend\fR entry. This mechanism provides a
++non-volatile way to specify the cache timeout.
++.IP
++If -execType is specified and has a value of \fIsh\fR, then this \fIextend\fR
++entry will be run in a shell. Otherwise it will be run in the default \fIexec\fR
++fashion. This mechanism provides a non-volatile way to specify the exec type.
++.IP
+ If MIBOID is specified, then the configuration and result tables will be rooted
+ at this point in the OID tree, but are otherwise structured in exactly
+ the same way. This means that several separate \fIextend\fR
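Review bot: "Otherwise it will be run in the default exec fashion" is not accurate for `sh`-style directives, which run in a shell whatever `-execType` says; state that `-execType sh` forces shell execution and that any other value leaves the behaviour selected by the directive name. It would also help to say that the flags must appear in the order shown in the synopsis and that TIME is a non-negative whole number of seconds, since other input is currently accepted without a warning.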

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
