Bug#: 225105
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matthias Geerdsen <vorlon@gentoo.org>

Attachments:
Filename | Description | Type | Creator | Created | Size
CVE-2008-0960.patch | patch for CVE-2008-0960 | patch | Matthias Geerdsen | 2008-06-06 10:51 0000 | 404 bytes
net-snmp-5.4.1-CVE-2008-0960.patch | net-snmp-5.4.1-CVE-2008-0960.patch | patch | Peter Volkov | 2008-06-06 19:26 0000 | 368 bytes

Bug 225105 depends on: 227603
Bug 225105 blocks: 222265



Description:   Opened: 2008-06-06 10:50 0000
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

We have been contacted by CERT/CC about the following issue:
<quote>
According to net-snmp project:

"The quick technical summary is that the SNMPv3 packet contains a
truncated HMAC authentication code.  The author that wrote the code
very very long ago to check that HMAC code used the length of the
packet's version of the HMAC code to do the check.  Thus if you send a
single byte HMAC code, it'll only check it against the first byte of
HMAC output.  Thus it's fairly easy to spoof an authenticated SNMPv3
packet."
</quote>
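
The comparison flaw described in the quoted summary, next to a hardened check, as an added example that is not part of the original report and is not the net-snmp project's code or patch. The function names and sample bytes are constructed for illustration; the 12-byte length is the HMAC-96 truncation that RFC 3414 defines for SNMPv3 USM.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* USM HMAC-MD5-96 / HMAC-SHA-96 carry a 12-byte truncated MAC (RFC 3414). */
#define USM_MAC_LEN 12

/* Flawed pattern from the quoted summary: the comparison length comes from
 * the packet, so a shorter field means fewer bytes are ever checked. */
int mac_ok_flawed(const unsigned char *computed,
                  const unsigned char *received, size_t received_len)
{
    if (received_len > USM_MAC_LEN)
        return 0;
    return memcmp(computed, received, received_len) == 0;
}

/* Hardened pattern: the length is fixed by the protocol, not the sender,
 * and the comparison does not exit early on the first mismatch. */
int mac_ok_fixed(const unsigned char *computed,
                 const unsigned char *received, size_t received_len)
{
    unsigned char diff = 0;
    size_t i;

    if (received_len != USM_MAC_LEN)
        return 0;
    for (i = 0; i < USM_MAC_LEN; i++)
        diff |= (unsigned char)(computed[i] ^ received[i]);
    return diff == 0;
}

/* Constructed sample value standing in for the locally computed MAC. */
static const unsigned char computed_mac[USM_MAC_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x10, 0x6f, 0xc3, 0x29, 0x7e
};

int main(void)
{
    unsigned char one_byte[1] = { 0x3a };   /* agrees with the first byte only */

    printf("flawed, 1-byte field:  %d\n", mac_ok_flawed(computed_mac, one_byte, 1));
    printf("fixed,  1-byte field:  %d\n", mac_ok_fixed(computed_mac, one_byte, 1));
    printf("fixed,  full 12 bytes: %d\n",
           mac_ok_fixed(computed_mac, computed_mac, USM_MAC_LEN));
    return 0;
}
```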

------- Comment #1 From Matthias Geerdsen 2008-06-06 10:51:54 0000 -------
Created an attachment (id=155709)
patch for CVE-2008-0960

------- Comment #2 From Matthias Geerdsen 2008-06-06 10:53:44 0000 -------
pva/falco/vapier since you are all in netmon herd anyways, please prepare an
ebuild with the patch and attach it here.

Do not commit anything to the tree until this issue is made public.

------- Comment #3 From Peter Volkov 2008-06-06 19:26:32 0000 -------
Created an attachment (id=155745)
net-snmp-5.4.1-CVE-2008-0960.patch

Thank you, Matthias. The attached patch was a corrupted one. Attaching the correct one.

------- Comment #4 From Peter Volkov 2008-06-06 19:30:09 0000 -------
BTW, I don't see any rush with this security fix. I'm going to bump net-snmp
now to fix quite a number of bugs, after that I'd like to have at least 2 weeks
for feedback on patches I've backported from upstream and only after that
stabilize this package... Also we have another security fix for this package in
queue so it's better to test and stabilize them together, I suppose.

------- Comment #5 From Robert Buchholz 2008-06-10 01:07:25 0000 -------
Now public via URL.
"Fixed version:
Net-SNMP >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1"

Peter, take the time you want to test this issue, 

------- Comment #6 From Peter Volkov 2008-06-21 06:40:30 0000 -------
5.4.1.1 is ready to go stable together with autoconf-2.61-r2 (which should be
stabilized in bug 227603).

Target keywords:
net-analyzer/net-snmp-5.4.1.1: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh
sparc x86

------- Comment #7 From Christian Faulhammer 2008-06-21 09:25:10 0000 -------
x86 stable

------- Comment #8 From Robert Buchholz 2008-06-21 13:49:55 0000 -------
pva, I'm adding release@, or did you handle this yourself already?

------- Comment #9 From Markus Rothe 2008-06-21 19:39:10 0000 -------
ppc64 stable

------- Comment #10 From Markus Meier 2008-06-22 11:08:45 0000 -------
amd64 stable

------- Comment #11 From Raúl Porcel 2008-06-22 18:11:38 0000 -------
alpha/ia64/sparc stable

------- Comment #12 From Jeroen Roovers 2008-06-23 17:14:05 0000 -------
Stable for HPPA.

------- Comment #13 From Brent Baude 2008-06-23 19:00:07 0000 -------
ppc done

------- Comment #14 From Robert Buchholz 2008-06-24 01:05:00 0000 -------
GLSA vote, YES for me.

------- Comment #15 From Tobias Heinlein 2008-07-02 11:15:08 0000 -------
YES too, filing request.

------- Comment #16 From Chris Gianelloni (RETIRED) 2008-08-01 17:49:17 0000 -------
2008.0 is out, so no need to keep release on the CC list.

------- Comment #17 From Robert Buchholz 2008-08-06 00:30:47 0000 -------
GLSA 200808-02
