ports/contrib (3.4): [notify] net-snmp: fix for CVE-2018-1000116. Closes FS#1611

crux at crux.nu crux at crux.nu
Sat Mar 10 16:00:15 UTC 2018


commit d64778d13978fcb03845ec040d47941ec9887f56
Author: Fredrik Rinnestam <fredrik at crux.nu>
Date:   Sat Mar 10 16:59:13 2018 +0100

    [notify] net-snmp: fix for CVE-2018-1000116. Closes FS#1611

diff --git a/net-snmp/.md5sum b/net-snmp/.md5sum
index dcb6da71..7b67e526 100644
--- a/net-snmp/.md5sum
+++ b/net-snmp/.md5sum
@@ -1,5 +1,6 @@
 aea518953798008a1db91951eefd8da8  0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch
 ebbb1fa141e14932882f6c747f3fe4b4  0001-Remove-U64-typedef.patch
+fcbab0e8e6c5cc76da637d1d71aaec3b  CVE-2018-1000116.patch
 d4a3459e1577d0efa8d96ca70a885e53  net-snmp-5.7.3.tar.gz
 0ac35ebc69c521313cf0c24b9afb3b22  snmpd
 e75939cb0b4648856d07b9c04610af5d  snmpd.conf
diff --git a/net-snmp/.signature b/net-snmp/.signature
index 5c2ddb24..de275c01 100644
--- a/net-snmp/.signature
+++ b/net-snmp/.signature
@@ -1,9 +1,10 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF32Zho/UyinbScWY8yuoUMXGJXBPFiQYJSByEeJFvk8IaMq6t7CGAVP3/sP7tEb2udJe3cjfDtjEKaSQlmlDPGAA=
-SHA256 (Pkgfile) = ecf9b8008b80c92e2b3fae29d7f54690b19dc454e988b33408d39d819549afc8
+RWSagIOpLGJF35iPFRGPHBp052IZ8HEewZKWqzRTFdF4mLoiWkKVqpMKnfTviYE9OnUgfC4vx26RSXVcn5fB4ZCbzb+kAt+IqAg=
+SHA256 (Pkgfile) = 6597db3298de9e37c021ee96851f67e9a349758a8505b536927e6c3beac2644a
 SHA256 (.footprint) = 2d2151d495c0cefd7ba68f015153e8e75fba53dd10165903220b0fe2c68e27c3
 SHA256 (net-snmp-5.7.3.tar.gz) = 12ef89613c7707dc96d13335f153c1921efc9d61d3708ef09f3fc4a7014fb4f0
 SHA256 (snmpd) = 2f8945dd66668cccd4ad884bbc1f425dfb5ace1261a5c410182222c928f54a34
 SHA256 (snmpd.conf) = fc23c35aa4e275456cb9e7e1a4c2af06a9ec089126932a98aef39093a3c33e3e
 SHA256 (0001-Remove-U64-typedef.patch) = 5ba67c44ec792c6509e9f91bc2561b7c74231c7123b67e4f45b997ea6b3fa4ec
 SHA256 (0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch) = 77b9bf66b7f4ee6be486c945602fcbcf37d48a7b2514f3c9ba1e49550f4cab96
+SHA256 (CVE-2018-1000116.patch) = 49b1c3509d53b1346c10282c29ac8e2020d40921f7287017ce4f24e06c0a301d
diff --git a/net-snmp/CVE-2018-1000116.patch b/net-snmp/CVE-2018-1000116.patch
new file mode 100644
index 00000000..f33b075b
--- /dev/null
+++ b/net-snmp/CVE-2018-1000116.patch
@@ -0,0 +1,117 @@
+--- a/snmplib/snmp_api.c
++++ b/snmplib/snmp_api.c
+@@ -4350,10 +4350,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+     u_char          type;
+     u_char          msg_type;
+     u_char         *var_val;
+-    int             badtype = 0;
+     size_t          len;
+     size_t          four;
+-    netsnmp_variable_list *vp = NULL;
++    netsnmp_variable_list *vp = NULL, *vplast = NULL;
+     oid             objid[MAX_OID_LEN];
+     u_char         *p;
+ 
+@@ -4493,38 +4492,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+                               (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+                               "varbinds");
+     if (data == NULL)
+-        return -1;
++        goto fail;
+ 
+     /*
+      * get each varBind sequence 
+      */
+     while ((int) *length > 0) {
+-        netsnmp_variable_list *vptemp;
+-        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+-        if (NULL == vptemp) {
+-            return -1;
+-        }
+-        if (NULL == vp) {
+-            pdu->variables = vptemp;
+-        } else {
+-            vp->next_variable = vptemp;
+-        }
+-        vp = vptemp;
++        vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++        if (NULL == vp)
++            goto fail;
+ 
+-        vp->next_variable = NULL;
+-        vp->val.string = NULL;
+         vp->name_length = MAX_OID_LEN;
+-        vp->name = NULL;
+-        vp->index = 0;
+-        vp->data = NULL;
+-        vp->dataFreeHook = NULL;
+         DEBUGDUMPSECTION("recv", "VarBind");
+         data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+                                  &vp->val_len, &var_val, length);
+         if (data == NULL)
+-            return -1;
++            goto fail;
+         if (snmp_set_var_objid(vp, objid, vp->name_length))
+-            return -1;
++            goto fail;
+ 
+         len = MAX_PACKET_LENGTH;
+         DEBUGDUMPHEADER("recv", "Value");
+@@ -4604,7 +4589,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+                 vp->val.string = (u_char *) malloc(vp->val_len);
+             }
+             if (vp->val.string == NULL) {
+-                return -1;
++                goto fail;
+             }
+             p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+                              &vp->val_len);
+@@ -4619,7 +4604,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+             vp->val_len *= sizeof(oid);
+             vp->val.objid = (oid *) malloc(vp->val_len);
+             if (vp->val.objid == NULL) {
+-                return -1;
++                goto fail;
+             }
+             memmove(vp->val.objid, objid, vp->val_len);
+             break;
+@@ -4631,7 +4616,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+         case ASN_BIT_STR:
+             vp->val.bitstring = (u_char *) malloc(vp->val_len);
+             if (vp->val.bitstring == NULL) {
+-                return -1;
++                goto fail;
+             }
+             p = asn_parse_bitstring(var_val, &len, &vp->type,
+                                 vp->val.bitstring, &vp->val_len);
+@@ -4640,12 +4625,28 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+             break;
+         default:
+             snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+-            badtype = -1;
++            goto fail;
+             break;
+         }
+         DEBUGINDENTADD(-4);
++
++        if (NULL == vplast) {
++            pdu->variables = vp;
++        } else {
++            vplast->next_variable = vp;
++        }
++        vplast = vp;
++        vp = NULL;
+     }
+-    return badtype;
++    return 0;
++
++  fail:
++    DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++    /** if we were parsing a var, remove it from the pdu and free it */
++    if (vp)
++        snmp_free_var(vp);
++
++    return -1;
+ }
+ 
+ /*
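Review bot: In the embedded snmp_pdu_parse() change, `vp` is linked into `pdu->variables` only at the end of a successful loop iteration, so any exit taken after `SNMP_MALLOC_TYPEDEF` that bypasses `fail:` now leaks the varbind. The hunks convert every `return -1` they show, but the lines following the `asn_parse_string` and `asn_parse_bitstring` calls and the remaining `case` arms lie outside the hunk context, so check the patched snmp_api.c for any direct `return -1` left inside the loop. The comment at `fail:` says the varbind is removed from the pdu, which no longer matches the code; `/* vp was never linked into pdu->variables; free it here, earlier varbinds stay linked */` would be accurate. The patch file also has no header naming its upstream origin, and a first line such as `Origin: <upstream commit URL>` (placeholder) would let later maintainers check it against upstream.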
diff --git a/net-snmp/Pkgfile b/net-snmp/Pkgfile
index 96809a39..1f67347a 100644
--- a/net-snmp/Pkgfile
+++ b/net-snmp/Pkgfile
@@ -5,16 +5,20 @@
 
 name=net-snmp
 version=5.7.3
-release=4
+release=5
 source=(http://download.sourceforge.net/$name/$name-$version.tar.gz \
 	snmpd snmpd.conf \
 	0001-Remove-U64-typedef.patch \
-	0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch)
+	0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch \
+	CVE-2018-1000116.patch)
 
 build() {
 	cd $name-$version
+
 	patch -p1 -i $SRC/0001-Remove-U64-typedef.patch
 	patch -p1 -i $SRC/0001-CHANGES-BUG-2712-Fix-Perl-module-compilation.patch
+	patch -p1 -i $SRC/CVE-2018-1000116.patch
+
 	export NETSNMP_DONT_CHECK_VERSION=1
 	./configure --prefix=/usr \
 				--sysconfdir=/etc \

