aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJunling Zheng <zhengjunling@huawei.com>2015-05-04 03:22:26 +0000
committerJoe MacDonald <joe_macdonald@mentor.com>2015-05-08 15:40:28 -0400
commitff3c52f44da3cd8c2e350677c85d161b9819ddcc (patch)
tree15dfe1c1af0d0424bc26d82b7f1e43264c3e16c6
parent2cb54ed8a103c56fcf42d4a363d175dbdc094489 (diff)
downloadmeta-openembedded-contrib-ff3c52f44da3cd8c2e350677c85d161b9819ddcc.tar.gz
net-snmp: fix CVE-2014-2285
The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptrapd crash) via an empty community string in an SNMP trap, which triggers a NULL pointer dereference within the newSVpv function in Perl. Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1072044 Signed-off-by: Junling Zheng <zhengjunling@huawei.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-rw-r--r--meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch49
-rw-r--r--meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb1
2 files changed, 50 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
new file mode 100644
index 0000000000..b1514b97f9
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
@@ -0,0 +1,49 @@
+From 87a0d27102ceffb92e5c1d6fbbd24972a9dd33ac Mon Sep 17 00:00:00 2001
+From: Junling Zheng <zhengjunling@huawei.com>
+Date: Mon, 20 Apr 2015 10:23:08 +0000
+Subject: [PATCH] Fix CVE-2014-2285
+
+Sending SNMP trap with empty community string crashes snmptrapd if Perl
+handler is enabled.
+
+Refer to:
+https://bugzilla.redhat.com/show_bug.cgi?id=1072044
+
+Upstream Status: Backported
+
+Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
+---
+ perl/TrapReceiver/TrapReceiver.xs | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/perl/TrapReceiver/TrapReceiver.xs b/perl/TrapReceiver/TrapReceiver.xs
+index 531bfa4..ac94370 100644
+--- a/perl/TrapReceiver/TrapReceiver.xs
++++ b/perl/TrapReceiver/TrapReceiver.xs
+@@ -81,18 +81,18 @@ int perl_trapd_handler( netsnmp_pdu *pdu,
+ STOREPDUi("securitymodel", pdu->securityModel);
+ STOREPDUi("securitylevel", pdu->securityLevel);
+ STOREPDU("contextName",
+- newSVpv(pdu->contextName, pdu->contextNameLen));
++ newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextNameLen));
+ STOREPDU("contextEngineID",
+- newSVpv((char *) pdu->contextEngineID,
++ newSVpv((char *)(pdu->contextEngineID ? pdu->contextEngineID : ""),
+ pdu->contextEngineIDLen));
+ STOREPDU("securityEngineID",
+- newSVpv((char *) pdu->securityEngineID,
++ newSVpv((char *)(pdu->securityEngineID ? pdu->securityEngineID : ""),
+ pdu->securityEngineIDLen));
+ STOREPDU("securityName",
+- newSVpv((char *) pdu->securityName, pdu->securityNameLen));
++ newSVpv((char *)(pdu->securityName ? pdu->securityName : ""), pdu->securityNameLen));
+ } else {
+ STOREPDU("community",
+- newSVpv((char *) pdu->community, pdu->community_len));
++ newSVpv((char *)(pdu->community ? pdu->community : ""), pdu->community_len));
+ }
+
+ if (transport && transport->f_fmtaddr) {
+--
+1.8.3.4
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
index 1baf101d93..c9a692dd6d 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
file://fix-libtool-finish.patch \
file://net-snmp-testing-add-the-output-format-for-ptest.patch \
file://run-ptest \
+ file://0001-Fix-CVE-2014-2285.patch \
"
SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"