From ff3c52f44da3cd8c2e350677c85d161b9819ddcc Mon Sep 17 00:00:00 2001 From: Junling Zheng Date: Mon, 4 May 2015 03:22:26 +0000 Subject: net-snmp: fix CVE-2014-2285 The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptrapd crash) via an empty community string in an SNMP trap, which triggers a NULL pointer dereference within the newSVpv function in Perl. Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1072044 Signed-off-by: Junling Zheng Signed-off-by: Joe MacDonald --- .../net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch | 49 ++++++++++++++++++++++ .../recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch new file mode 100644 index 0000000000..b1514b97f9 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch @@ -0,0 +1,49 @@ +From 87a0d27102ceffb92e5c1d6fbbd24972a9dd33ac Mon Sep 17 00:00:00 2001 +From: Junling Zheng +Date: Mon, 20 Apr 2015 10:23:08 +0000 +Subject: [PATCH] Fix CVE-2014-2285 + +Sending SNMP trap with empty community string crashes snmptrapd if Perl +handler is enabled. + +Refer to: +https://bugzilla.redhat.com/show_bug.cgi?id=1072044 + +Upstream Status: Backported + +Signed-off-by: Junling Zheng +--- + perl/TrapReceiver/TrapReceiver.xs | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/perl/TrapReceiver/TrapReceiver.xs b/perl/TrapReceiver/TrapReceiver.xs +index 531bfa4..ac94370 100644 +--- a/perl/TrapReceiver/TrapReceiver.xs ++++ b/perl/TrapReceiver/TrapReceiver.xs +@@ -81,18 +81,18 @@ int perl_trapd_handler( netsnmp_pdu *pdu, + STOREPDUi("securitymodel", pdu->securityModel); + STOREPDUi("securitylevel", pdu->securityLevel); + STOREPDU("contextName", +- newSVpv(pdu->contextName, pdu->contextNameLen)); ++ newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextNameLen)); + STOREPDU("contextEngineID", +- newSVpv((char *) pdu->contextEngineID, ++ newSVpv((char *)(pdu->contextEngineID ? pdu->contextEngineID : ""), + pdu->contextEngineIDLen)); + STOREPDU("securityEngineID", +- newSVpv((char *) pdu->securityEngineID, ++ newSVpv((char *)(pdu->securityEngineID ? pdu->securityEngineID : ""), + pdu->securityEngineIDLen)); + STOREPDU("securityName", +- newSVpv((char *) pdu->securityName, pdu->securityNameLen)); ++ newSVpv((char *)(pdu->securityName ? pdu->securityName : ""), pdu->securityNameLen)); + } else { + STOREPDU("community", +- newSVpv((char *) pdu->community, pdu->community_len)); ++ newSVpv((char *)(pdu->community ? pdu->community : ""), pdu->community_len)); + } + + if (transport && transport->f_fmtaddr) { +-- +1.8.3.4 + diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb index 1baf101d93..c9a692dd6d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb @@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \ file://fix-libtool-finish.patch \ file://net-snmp-testing-add-the-output-format-for-ptest.patch \ file://run-ptest \ + file://0001-Fix-CVE-2014-2285.patch \ " SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18" -- cgit 1.2.3-korg