Bug 546792 (CVE-2015-5621) - <net-analyzer/net-snmp-5.8-r1: snmp_pdu_parse() incompletely parsed varBinds left in list of variables
Summary: <net-analyzer/net-snmp-5.8-r1: snmp_pdu_parse() incompletely parsed varBinds ...
Status: RESOLVED FIXED
Alias: CVE-2015-5621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-16 12:26 UTC by Agostino Sarubbo
Modified: 2019-09-07 17:34 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch extracted from branch 5-7-patches (net-snmp-5.7.3-r7.patch,3.75 KB, patch)
2017-09-20 04:52 UTC, Christopher Díaz Riveros (RETIRED)

Description Agostino Sarubbo gentoo-dev 2015-04-16 12:26:20 UTC
From ${URL}:

It was discovered that the snmp_pdu_parse() function could leave
incompletely parsed varBind variables in the list of variables in
case the parsing of the SNMP PDU failed. If later processing tries to
operate on the stale and incompletely processed varBind (e.g. when
printing the variables), this can lead to e.g. crashes or, possibly,
execution of arbitrary code (although I've only seen NULL pointer
dereferences during my testing, I currently can't rule out code
execution completely).

The snmp_pdu_parse() function stores varBind variables in a list of
netsnmp_variable_list structures. Each time the function parses a new
varBind, a new netsnmp_variable_list item is allocated on the heap
and linked to the list of variables. The problem is that this item
is not removed from the list, even if snmp_pdu_parse() fails to
complete the parsing.

The "type" member of the stale netsnmp_variable_list is not
properly initialized in case snmp_pdu_parse() returns early from the
parsing. However, the "type" member is used to determine later code
paths, which is why we see crashes in a variety of functions,
although the root cause for all of these is the same.


References:

Upstream patch:
https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/

Upstream bug:
https://sourceforge.net/p/net-snmp/bugs/2615/ (possibly restricted)

Reporter's mail to oss-security:
http://www.openwall.com/lists/oss-security/2015/04/13/1


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
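The following is an added example, not net-snmp code or the upstream patch: a toy varBind parser that models the shape of the bug described above, where each list node is linked before its contents are parsed, so an early return leaves a node whose type was never set. The byte format, the names (parse_list, count_stale, TYPE_UNSET) and the unlink_on_fail switch are constructed for illustration.

```c
/* Added example (not net-snmp code): models how a parser that links a
 * variable-list node BEFORE finishing its varBind leaves a stale node on
 * early return. All names and the byte format are constructed. */
#include <stdlib.h>

#define VB_INT     0x02   /* constructed tag values for the toy encoding */
#define VB_STR     0x04
#define TYPE_UNSET 0xFF   /* stands in for "never initialised", keeps the demo deterministic */

typedef struct vb { struct vb *next; unsigned char type; unsigned char val; } vb_t;

/* One toy varBind is [tag][len=1][value]; 0 on success, -1 if truncated. */
static int parse_one(const unsigned char *p, size_t n, vb_t *v)
{
    if (n < 3 || p[1] != 1) return -1;   /* header or value byte missing */
    v->type = p[0];
    v->val  = p[2];
    return 0;
}

/* Parses a whole list. Each node is appended to the list first and parsed
 * afterwards. With unlink_on_fail == 0 (the pre-fix behaviour) a node whose
 * parse fails stays in the list with type still unset; with 1 (the fix) it
 * is unlinked and freed before the error is returned. */
static int parse_list(const unsigned char *p, size_t n, vb_t **head, int unlink_on_fail)
{
    vb_t **tail = head;
    *head = NULL;
    while (n > 0) {
        vb_t *v = malloc(sizeof *v);
        if (!v) return -1;
        v->next = NULL;
        v->type = TYPE_UNSET;
        *tail = v;                        /* linked first ...             */
        if (parse_one(p, n, v) != 0) {    /* ... parsed second            */
            if (unlink_on_fail) { *tail = NULL; free(v); }
            return -1;
        }
        tail = &v->next;
        p += 3; n -= 3;
    }
    return 0;
}

/* What a later consumer (e.g. a printer) dispatches on: count nodes whose
 * type was never set, i.e. the stale varBinds the report describes. */
static int count_stale(const vb_t *v) { int k = 0; for (; v; v = v->next) k += (v->type == TYPE_UNSET); return k; }
static int list_len(const vb_t *v)    { int k = 0; for (; v; v = v->next) k++; return k; }
static void free_list(vb_t *v)        { while (v) { vb_t *n = v->next; free(v); v = n; } }
```

With the pre-fix path, a message whose third varBind is truncated leaves three nodes in the list, one of them stale; with the fix the same input leaves only the two fully parsed nodes.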
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 21:55:41 UTC
Mh, looks like the patch was lost:

$ git tag --contains f23bcd3ac6ddee5d0a48f9703007ccc738914791 | sort
v5.4.5.pre1


I pinged upstream: https://sourceforge.net/p/net-snmp/bugs/2759/
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 04:52:28 UTC
Created attachment 495486 [details, diff]
Patch extracted from branch 5-7-patches

From https://sourceforge.net/p/net-snmp/bugs/2759/

Patch is available at branch 5-7-patches

@Maintainers, could you test it and see if it fixes the error until the next official release from upstream?

Gentoo Security Padawan
ChrisADR
Comment 3 D'juan McDonald (domhnall) 2019-07-17 03:04:46 UTC
@security, are we good here? 

Keywords for net-analyzer/net-snmp:
            |                               a   |          |  
            |                               m   |          |  
            |                               d x |          |  
            |                               6 8 |          |  
            |                               4 6 |   u      |  
            | a a   a     p r           s   | | |   n      |  
            | l m   r i   p i   h m s   p m f f | e u s    | r
            | p d a m a p c s x p 6 3   a i b b | a s l    | e
            | h 6 r 6 6 p 6 c 8 p 8 9 s r p s s | p e o    | p
            | a 4 m 4 4 c 4 v 6 a k 0 h c s d d | i d t    | o
------------+-----------------------------------+----------+-------
   5.7.3-r5 | + + + + + + + o + + o + ~ + ~ o o | 5 o 0    | gentoo
   5.7.3-r6 | ~ ~ ~ ~ ~ ~ ~ o ~ ~ o ~ ~ ~ ~ o o | 5 #      | gentoo
5.7.3_p3-r1 | ~ ~ ~ ~ ~ ~ ~ o ~ ~ o ~ ~ ~ ~ o o | 6 o      | gentoo
------------+-----------------------------------+----------+-------
     5.8-r1 | + + + + + + + o + + o + ~ + ~ o o | 6 o 0/35 | gentoo
99999999    | o o o o o o o o o o o o o o o o o | 6 o      | gent
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-09-07 17:34:56 UTC
Code review shows the patches are present in 5.8-r1.