aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
diff options
context:
space:
mode:
authorOvidiu Panait <ovidiu.panait@windriver.com>2020-09-01 12:22:00 +0300
committerArmin Kuster <akuster808@gmail.com>2020-09-03 08:28:37 -0700
commitd7b41ced4b9a9a68083b0fcceff3b226298cff8b (patch)
tree03ec3cfb6aa87e35f4fa14fc3af29e0994765c4c /meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
parentb72b233d268c51376ecfa277ea8346621f632467 (diff)
downloadmeta-openembedded-contrib-d7b41ced4b9a9a68083b0fcceff3b226298cff8b.tar.gz
meta-openembedded-contrib-d7b41ced4b9a9a68083b0fcceff3b226298cff8b.tar.bz2
meta-openembedded-contrib-d7b41ced4b9a9a68083b0fcceff3b226298cff8b.zip
net-snmp: Fix CVE-2020-15861 and CVE-2020-15862
Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following. Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. References: https://nvd.nist.gov/vuln/detail/CVE-2020-15861 https://nvd.nist.gov/vuln/detail/CVE-2020-15862 Upstream patches: https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3 https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312 https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73 https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602 https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205 CVE-2020-15861-0005.patch is the actual fix for CVE-2020-15861 and CVE-2020-15861-0001.patch through CVE-2020-15861-0004.patch are context patches needed by the fix to apply cleanly. Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch')
-rw-r--r--meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch349
1 files changed, 349 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
new file mode 100644
index 0000000000..66a16f6dbf
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
@@ -0,0 +1,349 @@
+From 83d6c5181828921b3731878588b3728de704d490 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Wed, 22 May 2019 09:56:21 +0200
+Subject: [PATCH 5/5] CHANGES: snmpd: Stop reading and writing the
+ mib_indexes/* files
+
+Caching directory contents is something the operating system should do
+and is not something Net-SNMP should do. Instead of storing a copy of
+the directory contents in ${tmp_dir}/mib_indexes/${n}, always scan a
+MIB directory.
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ .gitignore | 1 -
+ include/net-snmp/library/mib.h | 3 -
+ include/net-snmp/library/parse.h | 2 +-
+ snmplib/mib.c | 148 +------------------------------
+ snmplib/parse.c | 57 +-----------
+ 5 files changed, 4 insertions(+), 207 deletions(-)
+
+diff --git a/.gitignore b/.gitignore
+index 2d37bc6..94da568 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -75,7 +75,6 @@ Makefile
+ man/*.[1358]
+ man/default_store.3.h
+ man/manaliases
+-mibs/.index
+ mk/
+ module_tmp_header.h
+ net-snmp-5*
+diff --git a/include/net-snmp/library/mib.h b/include/net-snmp/library/mib.h
+index ab36853..3e81634 100644
+--- a/include/net-snmp/library/mib.h
++++ b/include/net-snmp/library/mib.h
+@@ -124,9 +124,6 @@ SOFTWARE.
+ NETSNMP_IMPORT
+ char *netsnmp_get_mib_directory(void);
+ void netsnmp_fixup_mib_directory(void);
+- void netsnmp_mibindex_load( void );
+- char * netsnmp_mibindex_lookup( const char * );
+- FILE * netsnmp_mibindex_new( const char * );
+ int sprint_realloc_description(u_char ** buf, size_t * buf_len,
+ size_t * out_len, int allow_realloc,
+ oid * objid, size_t objidlen, int width);
+diff --git a/include/net-snmp/library/parse.h b/include/net-snmp/library/parse.h
+index ce46ab9..7c33d3f 100644
+--- a/include/net-snmp/library/parse.h
++++ b/include/net-snmp/library/parse.h
+@@ -201,7 +201,7 @@ SOFTWARE.
+ #endif
+ void netsnmp_init_mib_internals(void);
+ void unload_all_mibs(void);
+- int add_mibfile(const char*, const char*, FILE *);
++ int add_mibfile(const char*, const char*);
+ int which_module(const char *);
+ NETSNMP_IMPORT
+ char *module_name(int, char *);
+diff --git a/snmplib/mib.c b/snmplib/mib.c
+index 1c875c0..30d6cde 100644
+--- a/snmplib/mib.c
++++ b/snmplib/mib.c
+@@ -2717,7 +2717,6 @@ netsnmp_init_mib(void)
+ env_var = strdup(netsnmp_get_mib_directory());
+ if (!env_var)
+ return;
+- netsnmp_mibindex_load();
+
+ DEBUGMSGTL(("init_mib",
+ "Seen MIBDIRS: Looking in '%s' for mib dirs ...\n",
+@@ -2737,7 +2736,7 @@ netsnmp_init_mib(void)
+ else
+ entry = strtok_r(env_var, ENV_SEPARATOR, &st);
+ while (entry) {
+- add_mibfile(entry, NULL, NULL);
++ add_mibfile(entry, NULL);
+ entry = strtok_r(NULL, ENV_SEPARATOR, &st);
+ }
+ }
+@@ -2888,142 +2887,6 @@ init_mib(void)
+ #endif
+
+
+-/*
+- * Handle MIB indexes centrally
+- */
+-static int _mibindex = 0; /* Last index in use */
+-static int _mibindex_max = 0; /* Size of index array */
+-char **_mibindexes = NULL;
+-
+-int _mibindex_add( const char *dirname, int i );
+-void
+-netsnmp_mibindex_load( void )
+-{
+- DIR *dir;
+- struct dirent *file;
+- FILE *fp;
+- char tmpbuf[ 300];
+- char tmpbuf2[300];
+- int i;
+- char *cp;
+-
+- /*
+- * Open the MIB index directory, or create it (empty)
+- */
+- snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes",
+- get_persistent_directory());
+- tmpbuf[sizeof(tmpbuf)-1] = 0;
+- dir = opendir( tmpbuf );
+- if ( dir == NULL ) {
+- DEBUGMSGTL(("mibindex", "load: (new)\n"));
+- mkdirhier( tmpbuf, NETSNMP_AGENT_DIRECTORY_MODE, 0);
+- return;
+- }
+-
+- /*
+- * Create a list of which directory each file refers to
+- */
+- while ((file = readdir( dir ))) {
+- if ( !isdigit((unsigned char)(file->d_name[0])))
+- continue;
+- i = atoi( file->d_name );
+-
+- snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
+- get_persistent_directory(), i );
+- tmpbuf[sizeof(tmpbuf)-1] = 0;
+- fp = fopen( tmpbuf, "r" );
+- if (!fp)
+- continue;
+- cp = fgets( tmpbuf2, sizeof(tmpbuf2), fp );
+- fclose( fp );
+- if ( !cp ) {
+- DEBUGMSGTL(("mibindex", "Empty MIB index (%d)\n", i));
+- continue;
+- }
+- if ( strncmp( tmpbuf2, "DIR ", 4 ) != 0 ) {
+- DEBUGMSGTL(("mibindex", "Malformed MIB index (%d)\n", i));
+- continue;
+- }
+- tmpbuf2[strlen(tmpbuf2)-1] = 0;
+- DEBUGMSGTL(("mibindex", "load: (%d) %s\n", i, tmpbuf2));
+- (void)_mibindex_add( tmpbuf2+4, i ); /* Skip 'DIR ' */
+- }
+- closedir( dir );
+-}
+-
+-char *
+-netsnmp_mibindex_lookup( const char *dirname )
+-{
+- int i;
+- static char tmpbuf[300];
+-
+- for (i=0; i<_mibindex; i++) {
+- if ( _mibindexes[i] &&
+- strcmp( _mibindexes[i], dirname ) == 0) {
+- snprintf(tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
+- get_persistent_directory(), i);
+- tmpbuf[sizeof(tmpbuf)-1] = 0;
+- DEBUGMSGTL(("mibindex", "lookup: %s (%d) %s\n", dirname, i, tmpbuf ));
+- return tmpbuf;
+- }
+- }
+- DEBUGMSGTL(("mibindex", "lookup: (none)\n"));
+- return NULL;
+-}
+-
+-int
+-_mibindex_add( const char *dirname, int i )
+-{
+- const int old_mibindex_max = _mibindex_max;
+-
+- DEBUGMSGTL(("mibindex", "add: %s (%d)\n", dirname, i ));
+- if ( i == -1 )
+- i = _mibindex++;
+- if ( i >= _mibindex_max ) {
+- /*
+- * If the index array is full (or non-existent)
+- * then expand (or create) it
+- */
+- _mibindex_max = i + 10;
+- _mibindexes = realloc(_mibindexes,
+- _mibindex_max * sizeof(_mibindexes[0]));
+- netsnmp_assert(_mibindexes);
+- memset(_mibindexes + old_mibindex_max, 0,
+- (_mibindex_max - old_mibindex_max) * sizeof(_mibindexes[0]));
+- }
+-
+- _mibindexes[ i ] = strdup( dirname );
+- if ( i >= _mibindex )
+- _mibindex = i+1;
+-
+- DEBUGMSGTL(("mibindex", "add: %d/%d/%d\n", i, _mibindex, _mibindex_max ));
+- return i;
+-}
+-
+-FILE *
+-netsnmp_mibindex_new( const char *dirname )
+-{
+- FILE *fp;
+- char tmpbuf[300];
+- char *cp;
+- int i;
+-
+- cp = netsnmp_mibindex_lookup( dirname );
+- if (!cp) {
+- i = _mibindex_add( dirname, -1 );
+- snprintf( tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
+- get_persistent_directory(), i );
+- tmpbuf[sizeof(tmpbuf)-1] = 0;
+- cp = tmpbuf;
+- }
+- DEBUGMSGTL(("mibindex", "new: %s (%s)\n", dirname, cp ));
+- fp = fopen( cp, "w" );
+- if (fp)
+- fprintf( fp, "DIR %s\n", dirname );
+- return fp;
+-}
+-
+-
+ /**
+ * Unloads all mibs.
+ */
+@@ -3038,15 +2901,6 @@ shutdown_mib(void)
+ }
+ tree_head = NULL;
+ Mib = NULL;
+- if (_mibindexes) {
+- int i;
+- for (i = 0; i < _mibindex; ++i)
+- SNMP_FREE(_mibindexes[i]);
+- free(_mibindexes);
+- _mibindex = 0;
+- _mibindex_max = 0;
+- _mibindexes = NULL;
+- }
+ if (Prefix != NULL && Prefix != &Standard_Prefix[0])
+ SNMP_FREE(Prefix);
+ if (Prefix)
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 7f98542..58d777e 100644
+--- a/snmplib/parse.c
++++ b/snmplib/parse.c
+@@ -607,8 +607,6 @@ static int read_module_replacements(const char *);
+ static int read_import_replacements(const char *,
+ struct module_import *);
+
+-static void new_module(const char *, const char *);
+-
+ static struct node *merge_parse_objectid(struct node *, FILE *, char *);
+ static struct index_list *getIndexes(FILE * fp, struct index_list **);
+ static struct varbind_list *getVarbinds(FILE * fp, struct varbind_list **);
+@@ -4859,7 +4857,7 @@ snmp_get_token(FILE * fp, char *token, int maxtlen)
+ #endif /* NETSNMP_FEATURE_REMOVE_PARSE_GET_TOKEN */
+
+ int
+-add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
++add_mibfile(const char* tmpstr, const char* d_name)
+ {
+ FILE *fp;
+ char token[MAXTOKEN], token2[MAXTOKEN];
+@@ -4884,8 +4882,6 @@ add_mibfile(const char* tmpstr, const char* d_name, FILE *ip )
+ */
+ if (get_token(fp, token2, MAXTOKEN) == DEFINITIONS) {
+ new_module(token, tmpstr);
+- if (ip)
+- fprintf(ip, "%s %s\n", token, d_name);
+ fclose(fp);
+ return 0;
+ } else {
+@@ -4977,71 +4973,22 @@ static int scan_directory(char ***result, const char *dirname)
+ int
+ add_mibdir(const char *dirname)
+ {
+- FILE *ip;
+ const char *oldFile = File;
+ char **filenames;
+ int count = 0;
+ int filename_count, i;
+-#if !(defined(WIN32) || defined(cygwin))
+- char *token;
+- char space;
+- char newline;
+- struct stat dir_stat, idx_stat;
+- char tmpstr[300];
+- char tmpstr1[300];
+-#endif
+
+ DEBUGMSGTL(("parse-mibs", "Scanning directory %s\n", dirname));
+-#if !(defined(WIN32) || defined(cygwin))
+- token = netsnmp_mibindex_lookup( dirname );
+- if (token && stat(token, &idx_stat) == 0 && stat(dirname, &dir_stat) == 0) {
+- if (dir_stat.st_mtime < idx_stat.st_mtime) {
+- DEBUGMSGTL(("parse-mibs", "The index is good\n"));
+- if ((ip = fopen(token, "r")) != NULL) {
+- fgets(tmpstr, sizeof(tmpstr), ip); /* Skip dir line */
+- while (fscanf(ip, "%127s%c%299[^\n]%c", token, &space, tmpstr,
+- &newline) == 4) {
+-
+- /*
+- * If an overflow of the token or tmpstr buffers has been
+- * found log a message and break out of the while loop,
+- * thus the rest of the file tokens will be ignored.
+- */
+- if (space != ' ' || newline != '\n') {
+- snmp_log(LOG_ERR,
+- "add_mibdir: strings scanned in from %s/%s " \
+- "are too large. count = %d\n ", dirname,
+- ".index", count);
+- break;
+- }
+-
+- snprintf(tmpstr1, sizeof(tmpstr1), "%s/%s", dirname, tmpstr);
+- tmpstr1[ sizeof(tmpstr1)-1 ] = 0;
+- new_module(token, tmpstr1);
+- count++;
+- }
+- fclose(ip);
+- return count;
+- } else
+- DEBUGMSGTL(("parse-mibs", "Can't read index\n"));
+- } else
+- DEBUGMSGTL(("parse-mibs", "Index outdated\n"));
+- } else
+- DEBUGMSGTL(("parse-mibs", "No index\n"));
+-#endif
+
+ filename_count = scan_directory(&filenames, dirname);
+
+ if (filename_count >= 0) {
+- ip = netsnmp_mibindex_new(dirname);
+ for (i = 0; i < filename_count; i++) {
+- if (add_mibfile(filenames[i], strrchr(filenames[i], '/'), ip) == 0)
++ if (add_mibfile(filenames[i], strrchr(filenames[i], '/')) == 0)
+ count++;
+ free(filenames[i]);
+ }
+ File = oldFile;
+- if (ip)
+- fclose(ip);
+ free(filenames);
+ return (count);
+ }
+--
+2.17.1
+