225105 CVE-2008-0960 2008-06-06 10:50 0000 net-analyzer/net-snmp <5.4.1.1 truncated HMAC authentication code (CVE-2008-0960) 2008-08-06 00:30:47 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.ocert.org/advisories/ocert-2008-006.html B3 [glsa] P2 normal --- 227603 222265 1 vorlon@gentoo.org security@gentoo.org arm@gentoo.org netmon@gentoo.org s390@gentoo.org sh@gentoo.org wolf31o2@wolf31o2.org vorlon@gentoo.org 2008-06-06 10:50:14 0000 ** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public ** We have been contacted by CERT/CC about the following issue: <quote> According to net-snmp project: "The quick technical summary is that the SNMPv3 packet contains a truncated HMAC authentication code. The author that wrote the code very very long ago to check that HMAC code used the length of the packet's version of the HMAC code to do the check. Thus if you send a single byte HMAC code, it'll only check it against the first byte of HMAC output. Thus it's fairly easy to spoof an authenticated SNMPv3 packet. </quote> vorlon@gentoo.org 2008-06-06 10:51:54 0000 Created an attachment (id=155709) patch for CVE-2008-0960 vorlon@gentoo.org 2008-06-06 10:53:44 0000 pva/falco/vapier since you are all in netmon herd anyways, please prepare an ebuild with the patch and attach it here. Do not commit anything to the tree until this issue is made public. pva@gentoo.org 2008-06-06 19:26:32 0000 Created an attachment (id=155745) net-snmp-5.4.1-CVE-2008-0960.patch Thank you Matthias. Attached patch was corrupted one. Attaching correct one. pva@gentoo.org 2008-06-06 19:30:09 0000 BTW, I don't see any rush with this security fix. I'm going to bump net-snmp now to fix quite a number of bugs, after that I'd like to have at least 2 weeks for feedback on patches I've backported from upstream and only after that stabilize this package... Also we have another security fix for this package in queue so it's better to test stabilize them together, I suppose. rbu@gentoo.org 2008-06-10 01:07:25 0000 Now public via URL. "Fixed version: Net-SNMP >= 5.4.1.1, >= 5.3.2.1, >= 5.2.4.1" Peter, take the time you want to test this issue, pva@gentoo.org 2008-06-21 06:40:30 0000 5.4.1.1 is ready to go stable together with autoconf-2.61-r2 (which should be stabilized in bug 227603). Target keywords: net-analyzer/net-snmp-5.4.1.1: alpha amd64 arm hppa ia64 ppc64 ppc s390 sh sparc x86 fauli@gentoo.org 2008-06-21 09:25:10 0000 x86 stable rbu@gentoo.org 2008-06-21 13:49:55 0000 pva, I'm adding release@, or did you handle this yourself already? corsair@gentoo.org 2008-06-21 19:39:10 0000 ppc64 stable maekke@gentoo.org 2008-06-22 11:08:45 0000 amd64 stable armin76@gentoo.org 2008-06-22 18:11:38 0000 alpha/ia64/sparc stable jer@gentoo.org 2008-06-23 17:14:05 0000 Stable for HPPA. ranger@gentoo.org 2008-06-23 19:00:07 0000 ppc done rbu@gentoo.org 2008-06-24 01:05:00 0000 GLSA vote, YES for me. keytoaster@gentoo.org 2008-07-02 11:15:08 0000 YES too, filing request. wolf31o2@gentoo.org 2008-08-01 17:49:17 0000 2008.0 is out, so no need to keep release on the CC list. rbu@gentoo.org 2008-08-06 00:30:47 0000 GLSA 200808-02 155709 2008-06-06 10:51 0000 patch for CVE-2008-0960 CVE-2008-0960.patch text/plain LS0tIG5ldC1zbm1wLTUuNC4xL3NubXBsaWIvc2NhcGkuYyAgICAgIDIwMDYtMDktMTUgMDU6NDc6 MDEuMDAwMDAwMDAwIC0wNzAwCisrKyBuZXQtc25tcC01LjQuMS4xL3NubXBsaWIvc2NhcGkuYyAg ICAyMDA4LTA1LTEzIDE3OjQzOjE3LjAwMDAwMDAwMCAtMDcwMApAQCAtNTYzLDYgKzU2MywxMCBA QAoKfQoKCisgICAgaWYgKG1hY2xlbiAhPSBVU01fTUQ1X0FORF9TSEFfQVVUSF9MRU4pIHsKKyAg ICAgICAgUVVJVEZVTihTTk1QRVJSX0dFTkVSUiwgc2NfY2hlY2tfa2V5ZWRfaGFzaF9xdWl0KTsK KyAgICB9CisKLyoKKiBHZW5lcmF0ZSBhIGZ1bGwgaGFzaCBvZiB0aGUgbWVzc2FnZSwgdGhlbiBj b21wYXJlCiogdGhlIHJlc3VsdCB3aXRoIHRoZSBnaXZlbiBNQUMgd2hpY2ggbWF5IHNob3J0ZXIg dGhhbgo= 155745 2008-06-06 19:26 0000 net-snmp-5.4.1-CVE-2008-0960.patch net-snmp-5.4.1-CVE-2008-0960.patch text/plain LS0tIHNubXBsaWIvc2NhcGkuYwkyMDA4LTA2LTA2IDE1OjQ0OjMwICswMDAwCisrKyBzbm1wbGli L3NjYXBpLmMJMjAwOC0wNi0wNiAxNTo0NzoxNiArMDAwMApAQCAtNTYzLDYgKzU2MywxMCBAQAog ICAgIH0KIAogCisgICAgaWYgKG1hY2xlbiAhPSBVU01fTUQ1X0FORF9TSEFfQVVUSF9MRU4pIHsK KyAgICAgICAgUVVJVEZVTihTTk1QRVJSX0dFTkVSUiwgc2NfY2hlY2tfa2V5ZWRfaGFzaF9xdWl0 KTsKKyAgICB9CisKICAgICAvKgogICAgICAqIEdlbmVyYXRlIGEgZnVsbCBoYXNoIG9mIHRoZSBt ZXNzYWdlLCB0aGVuIGNvbXBhcmUKICAgICAgKiB0aGUgcmVzdWx0IHdpdGggdGhlIGdpdmVuIE1B QyB3aGljaCBtYXkgc2hvcnRlciB0aGFuCgo=