Age | Commit message | Author |
|
Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic
link (symlink) following.
Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE
access to the EXTEND MIB provides the ability to run arbitrary commands as
root.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-15861
https://nvd.nist.gov/vuln/detail/CVE-2020-15862
Upstream patches:
https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3
https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f
https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312
https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205
CVE-2020-15861-0005.patch is the actual fix for CVE-2020-15861 and
CVE-2020-15861-0001.patch through CVE-2020-15861-0004.patch are context
patches needed by the fix to apply cleanly.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Source: net-snmp.org
MR: 104509
Type: Security Fix
Disposition: Backport from https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8
Description:
Fixes CVE-2019-20892 which affects net-snmp <= 5.8pre1
Had to fix up some files due to later code restructuring.
"int refcnt;" addition was done in include/net-snmp/library/snmpusm.h
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 96a63b1ecf321c9a63880a963ed257086998133b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Refreshed patches for 5.8 due to the following:
ERROR: net-snmp-5.8-r0 do_patch: Command Error: 'quilt --quiltrc .../net-snmp/5.8-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output:
Applying patch 0001-Add-pkg-config-support-for-building-applications-and.patch
patching file configure
...
Hunk #1 succeeded at 32248 with fuzz 2 (offset 1826 lines).
Hunk #2 FAILED at 31447.
1 out of 2 hunks FAILED -- rejects in file configure
...
Patch 0001-Add-pkg-config-support-for-building-applications-and.patch does not apply (enforce with -f)
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9c3b872f846e0a2491fe8bf16ae38db82609938c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Both STAGING_HOST_DIR and -fmacro-prefix-map path to WORKDIR were
encoded in the config.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
net-snmp/net-snmp-config.h:
- encodes type sizes
- encodes pathing into the libdir
net-snmp-config:
- encodes build configuration data and lib pathing.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
* Remove perl-lib since it had been removed by oe-core:
commit 68552c353255188de3d5b42135360a30e7eac535
Author: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Sun Dec 2 12:46:37 2018 +0100
perl: remove the previous version of the recipe
Now the files are in perl package.
* Fix perl paths when perl is enabled.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Replace source zip ball with tarball for net-snmp to avoid zip bomb issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Move net-snmp-config, which contains the build path, from
package net-snmp to net-snmp-dev.
It refers to Ubuntu; here is what we got from Ubuntu 18.04:
$ dpkg -c /var/cache/apt/archives/libsnmp-dev_5.7.3+dfsg-1.8ubuntu3.1_amd64.deb
drwxr-xr-x root/root 0 2018-10-15 22:16 ./usr/bin/
-rwxr-xr-x root/root 43797 2018-10-15 22:16 ./usr/bin/mib2c
-rwxr-xr-x root/root 8780 2018-10-15 22:16 ./usr/bin/mib2c-update
-rwxr-xr-x root/root 29427 2018-10-15 22:16 ./usr/bin/net-snmp-config
-rwxr-xr-x root/root 3688 2018-10-15 22:16 ./usr/bin/net-snmp-create-v3-user
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
A bit of an unholy mixture of MIT, BSD 3-clause,
and too old to really know BSD-style,
with a wide variety of copyright holders.
I'm open to better suggestions on how to handle this.
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
| scapi.c: In function 'sc_encrypt':
| scapi.c:1256:5: error: 'pad_size' undeclared (first use in this function); did you mean 'dysize'?
| pad_size = pai->pad_size;
| ^~~~~~~~
| dysize
pad_size is defined only without --disable-des
[snip]
int pad, plast, pad_size = 0;
but used when disable-des
[snip]
QUITFUN(SNMPERR_GENERR, sc_encrypt_quit);
}
pad_size = pai->pad_size;
memset(my_iv, 0, sizeof(my_iv));
if (USM_CREATE_USER_PRIV_DES == (pai->type & USM_PRIV_MASK_ALG)) {
/*
fix by moving it into #ifndef NETSNMP_DISABLE_DES
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
net-snmp also installs net-snmp-config and gen-variables files
that need to have host paths stripped.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Inherit ptest for net-snmp to create ${PN}-ptest. Update run-ptest as
well, so that it is not limited to being run in the same directory.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Readability.
The existing patterns allowed each pattern to be matched multiple times (with no
intervening spaces), but the "g" modifier achieves this anyway.
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
To avoid build host paths being written into binaries,
accept a null NETSNMP_CONFIGURE_OPTIONS from the environment.
Upstream-Status: Submitted https://sourceforge.net/p/net-snmp/patches/1384/
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Don't check for /etc/printcap on the build machine when cross-compiling.
Use AC_CHECK_FILE to set the cached variable ac_cv_file__etc_printcap instead.
When cross-compiling, this variable should be set in the environment to "yes" or
"no" as appropriate for the target platform.
I have taken the simple expedient of setting ac_cv_file__etc_printcap=no.
If this proves to be a problem, we can easily add a new variable, HAS_PRINTCAP.
Upstream-Status: Submitted https://sourceforge.net/p/net-snmp/patches/1385/
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
PKG_CONFIG_PATH and PKG_CONFIG_LIBDIR point into the net-snmp recipe-sysroot.
Careful not to trim trailing quotes from the CFLAGS
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
This reverts commit 57d8e2c673d5f5686bbf411333f1d39c3e29690e.
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
- Remove prefix ${RECIPE_SYSROOT} from net-snmp-config
- Remove configure options from versioninfo
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
By default `net-snmp-libs` contains all compiled libs.
This commit splits `net-snmp-libs` into subpackages for each library.
This allows for smaller resulting image due to finer packaging.
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
If "/usr/local/ssl/include" directory exists on the host machine,
net-snmp will also search the host openssl headers:
x86_64-wrs-linux-libtool: compile: x86_64-wrs-linux-gcc ...
-I/usr/local/ssl/include
Fix this by selecting the proper sysroot headers using
--with-openssl=${STAGING_EXECPREFIXDIR}
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Avoid fuzz warnings
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Patch was copied from [https://sourceforge.net/p/net-snmp/patches/1336].
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
WARNING: net-snmp-5.7.3-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.html
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch 0001-BUG-a2584-Fix-snmptrap-to-use-clientaddr-from-snmp.c.patch
patching file snmplib/transports/snmpUDPIPv6Domain.c
Hunk #1 succeeded at 286 with fuzz 2 (offset 30 lines).
Now at patch 0001-BUG-a2584-Fix-snmptrap-to-use-clientaddr-from-snmp.c.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Options which involve paths into the workspace are usually filtered out
with the sed command; however, currently it does half the job and the
resulting config file gets partial replacements, leaving the compiler
options with bad syntax, e.g.
-fdebug-prefix-map option is left with -fdebug-prefix-map=
which is not correct syntax. The effect of this is seen in other
recipes which then invoke the net-snmp-config script and add the
flags obtained from this script into their own configure scripts
and then try to execute tests. These tests fail because of
bad compiler options, e.g. keepalived, where configure tests fail like
| configure: error: *** incorrect CFLAGS from net-snmp-config
This is because of wrong compiler options that it got from
recipe-sysroot/usr/bin/crossscripts/net-snmp-config
This patch tries to be specific about which options should
be skimmed and removes the options completely.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
The previous path value to -fdebug-prefix-map
is null, which may result in a do_config error in other packages such as
quagga, as below:
====================================================
add DISTRO_FEATURES_append = " snmp" to conf/local.conf
test@buildserver@ bitbake quagga
| checking for i586-poky-linux-net-snmp-config... no
| checking for net-snmp-config... $Prj/tmp/work/i586-poky-linux/quagga/1.2.1-r0/recipe-sysroot/usr/bin/crossscripts/net-snmp-config
| checking whether we can link to Net-SNMP... no
| configure: error: --enable-snmp given but not usable
| NOTE: The following config.log files may provide further information.
| NOTE: $Prj/tmp/work/i586-poky-linux/quagga/1.2.1-r0/build/config.log
| ERROR: configure failed
| WARNING: $Prj/tmp/work/i586-poky-linux/quagga/1.2.1-r0/temp/run.do_configure.80493:1 exit 1 from 'exit 1'
| ERROR: Function failed: do_configure (log file is located at $Prj/tmp/work/i586-poky-linux/quagga/1.2.1-r0/temp/log.do_configure.80493)
====================================================
Signed-off-by: Yu Mingli <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
This allows us to build perl modules with recent versions
of perl.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Remove build host paths from target net-snmp-config.
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
net-snmp enables 3des support by default and fails to build with distro
feature openssl-no-weak-ciphers:
| ../../net-snmp-5.7.3/snmplib/scapi.c:82:25: fatal error: openssl/des.h: No such file or directory
| #include <openssl/des.h>
To fix the issue:
* add a patch to include des.h only if it's found in openssl
* disable des when openssl-no-weak-ciphers is enabled
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
The recipe for net-snmp has snmpd and snmptrapd in separate packages, so one or the other
or both could be installed. In a common case where only snmpd is installed, the startup
script will fail to run because the snmptrapd executable does not exist.
This patch simply qualifies the test by first checking to see if the executable is to
be used.
-Bill
Signed-off-by: Bill Randle <bill.randle@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Store the incremented engineBoots value on SIGHUP.
And don't reset engineBoots to 1 when oldEngineIDLength is 0.
For the first run, the oldEngineIDLength is 0.
When we say first run of the daemon, we talk about the
first run ever on the machine, not only first run of every boot.
Signed-off-by: Marian Florea <marian.florea@windriver.com>
Reviewed-by: Wenkuan Wang <Wenkuan.Wang@windriver.com>
Reviewed-by: Zhaolong Zhang <Zhaolong.Zhang@windriver.com>
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
The patch solves two issues:
1. Supported cross compile for the perl embedded and perl modules.
2. Solved runtime depend issue.
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Backport a succeeding commit from net-snmp upstream to fix the issue
introduced by commit
<BUG#a2584: Fix snmptrap to use clientaddr from snmp.conf>.
The missing return will cause a crash when binding to a non-existent IPv6
address.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
In an IPv6 IP-multihomed environment, the socket does not bind to the
clientaddr indicated in snmp.conf when sending snmptrap and it might
choose a random one.
Backport the patch from net-snmp upstream to fix it.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
limits.h is needed for PATH_MAX and NAME_MAX
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
The net-snmp-server package is a meta-package requiring
net-snmp-server-snmpd and net-snmp-server-snmptrapd package.
The net-snmp-server-snmpd package provides the startup scripts,
not the meta net-snmp-server package.
Signed-off-by: Anders Wallin <anders.wallin@windriver.com>
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Backport a patch to fix snmpd crashing when an AgentX
subagent disconnects in the middle of processing of a request.
Signed-off-by: Zhu Yanjun <yanjun.zhu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
base_contains() is a compatibility wrapper and may warn in the future, so
replace all instances with bb.utils.contains().
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Add packageconfig for ipv6 and enable it when it's defined in distro_features.
Signed-off-by: Zhu Yanjun <yanjun.zhu@windriver.com>
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Because the package is not built in place @srcdir@ is
an absolute path to the source directory instead of ".".
Because of this some target scripts like net-snmp-create-v3-user
and net-snmp-config that are using this variable in their *.in
files (NSC_SRCDIR=@srcdir@) contain invalid paths.
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
Only net-snmp-config used for sysroot should have sysroot
specific paths.
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
* Using "cp -a" leaks UID of user running the builds, causing
many QA warnings.
* See this thread for details:
http://lists.openembedded.org/pipermail/openembedded-core/2015-November/112904.html
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
This patch enhances a previously unapplied patch on jethro, plus adds
some flexibility in terms of required deps and a few cleanups.
Signed-off-by: Stephen Arnold <stephen.arnold42@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|
When net-snmp-config is used by another package to configure, it fails since
/libnl3 is not found; in fact, it should be -I/usr/include/libnl3, which is
modified to /libnl3 incorrectly.
Instead of modifying the net-snmp-config for target, the one under
${bindir_crossscripts} should be replaced with ${STAGING_INCDIR}
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|