Bug 239311 - net-analyzer/net-snmp-5.4.1.1 - bad files/net-snmp-5.4.1-CVE-2008-2292.patch
Summary: net-analyzer/net-snmp-5.4.1.1 - bad files/net-snmp-5.4.1-CVE-2008-2292.patch
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Netmon project
Reported: 2008-10-02 09:59 UTC by Oliver Graf
Modified: 2009-03-02 12:58 UTC (History)
Description Oliver Graf 2008-10-02 09:59:54 UTC
The net-snmp 4.1.1.1 ebuild applies a patch named net-snmp-5.4.1-CVE-2008-2292.patch which patches python/netsnmp/client_intf.c line -330,14 +330,15 from 
 sprintf(buf,"%ld", *var->val.integer);
to
 snprintf(buf,"%ld", buf_len, *var->val.integer);

This may produce a SEGFAULT, because it's the wrong order of arguments for snprintf (buf_len needs to be the second arg, and the format string is the third). The correct line is:

 snprintf(buf, buf_len, "%ld", *var->val.integer);


Reproducible: Always

Steps to Reproduce:

Actual Results:  
A SEGFAULT happens for ASN_INTEGER values.

Expected Results:  
no SEGFAULT obviously :)
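The description above is about snprintf's argument order, but the hunk it quotes still takes `len = STRLEN(buf)` afterwards, and snprintf truncates silently, so a value that does not fit would leave a shortened number in the buffer without anyone noticing. The following is an added example, not net-snmp's code: it formats an ASN_INTEGER-style `long` into a fixed buffer with the arguments in the correct order and reports truncation by checking snprintf's return value. `format_asn_integer`, `fits_in_val_buf` and `VAL_BUF_LEN` are hypothetical names chosen for the example.

```c
/*
 * Added example (not net-snmp code): bounded formatting of an ASN_INTEGER
 * value, the pattern the corrected patch line needs.  All names here are
 * hypothetical; the buffer size is chosen small so truncation is easy to hit.
 */
#include <stdio.h>
#include <string.h>

#define VAL_BUF_LEN 8   /* deliberately small: "-1234567" already does not fit */

/*
 * Format a signed long into buf, which holds buf_len bytes.
 * Returns the number of characters written (excluding the NUL) on success,
 * or -1 if the value would not fit.  On -1 the buffer is still NUL-terminated
 * (snprintf guarantees that whenever buf_len > 0) but holds a truncated
 * number, which is why a caller must not simply take strlen(buf) as the
 * length and carry on.
 */
int format_asn_integer(char *buf, size_t buf_len, long value)
{
    if (buf == NULL || buf_len == 0)
        return -1;

    /* Correct order: destination, size, format, arguments.
     * The broken patch line had the size and the format swapped. */
    int n = snprintf(buf, buf_len, "%ld", value);
    if (n < 0)
        return -1;              /* encoding error */

    /* snprintf returns the length the full string would have had; anything
     * >= buf_len means the output was cut short. */
    if ((size_t)n >= buf_len)
        return -1;

    return n;
}

/* Convenience check: does value fit in a VAL_BUF_LEN byte buffer? */
int fits_in_val_buf(long value)
{
    char buf[VAL_BUF_LEN];
    return format_asn_integer(buf, sizeof buf, value) >= 0;
}

int main(void)
{
    char buf[VAL_BUF_LEN];
    /* Constructed sample values, chosen to straddle the buffer size. */
    long samples[] = { 0, 42, 1234567L, -1234567L, 1234567890L };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = format_asn_integer(buf, sizeof buf, samples[i]);
        if (n < 0)
            printf("%ld does not fit in %d bytes; buffer holds \"%s\"\n",
                   samples[i], VAL_BUF_LEN, buf);
        else
            printf("%ld -> \"%s\" (%d chars)\n", samples[i], buf, n);
    }
    return 0;
}
```

Two practical notes. First, the swapped call in the original patch passes a `const char *` where snprintf expects `size_t` and a `size_t` where it expects the format pointer; gcc reports both as integer/pointer conversion warnings, so building the bindings with warnings visible (or `-Werror`) would have caught it before it shipped. Second, `%ld` on a 64-bit `long` needs up to 21 bytes including sign and NUL, so sizing `buf` for the widest possible value removes the truncation case entirely, and the return-value check then only guards against a future change of buffer size.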
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-02 15:42:31 UTC
I'm sure you meant 5.4.1.1 not 4.1.1.1. :)

@pva: Please review this patch to the patch. :)

Index: files/net-snmp-5.4.1-CVE-2008-2292.patch
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-analyzer/net-snmp/files/net-snmp-5.4.1-CVE-2008-2292.patch,v
retrieving revision 1.1
diff -u -B -r1.1 net-snmp-5.4.1-CVE-2008-2292.patch
--- files/net-snmp-5.4.1-CVE-2008-2292.patch    6 Jun 2008 20:06:33 -0000       1.1
+++ files/net-snmp-5.4.1-CVE-2008-2292.patch    2 Oct 2008 15:40:25 -0000
@@ -122,7 +122,7 @@
             }
             if (!len) {
 -              sprintf(buf,"%ld", *var->val.integer);
-+              snprintf(buf,"%ld", buf_len, *var->val.integer);
++              snprintf(buf, buf_len, "%ld", *var->val.integer);
                len = STRLEN(buf);
             }
             break;
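Review bot: the replacement line restores the snprintf prototype order (destination, size, format, arguments); the line it replaces passed the format string as the size and buf_len as the format, which matches the segfault on ASN_INTEGER values reported above. Two things to confirm before committing: that `buf_len` in client_intf.c really is the allocated size of `buf` (its declaration is outside this hunk), and that the unchanged `len = STRLEN(buf);` two lines down is acceptable, since snprintf truncates silently and would leave a shortened number in `buf` rather than overflowing; comparing snprintf's return value against `buf_len` would catch that. It is also worth checking the rest of net-snmp-5.4.1-CVE-2008-2292.patch for the same size/format transposition in its other sprintf to snprintf conversions, as a copy-paste of this line elsewhere in the patch would produce the same crash.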
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2009-03-02 12:58:41 UTC
Thank you for the report, Oliver. This is not an issue with 5.4.2.1, which is most secure and should be used anyway. So this bug is already FIXED and we have nothing to do (well, I'll remove all old versions and this patch very soon). So resolving this bug as WONTFIX since I'm not going to update a patch which nobody should use at the moment. Please open new reports for issues you find with 5.4.2.1.