
Bug 198346 (CVE-2007-5846)

Summary: net-analyzer/net-snmp < 5.4.1-r1 GETBULK Remote DoS (CVE-2007-5846)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: netmon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/27558/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 191550    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 12:25:38 UTC
CVE-2007-5846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5846):
  The SNMP agent in net-snmp 5.4.1 and earlier allows remote attackers to cause
  a denial of service (CPU and memory consumption) via a GETBULK request with a
  large max-repeaters value.
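
The field the CVE text calls "max-repeaters" is the max-repetitions integer of the GetBulkRequest PDU (RFC 3416). As an added example (not part of this bug report and not net-snmp code), the Python below decodes an SNMPv2c datagram and flags GETBULK requests whose max-repetitions exceeds a limit. The limit of 100, the function names and both sample datagrams are constructed assumptions.

```python
GETBULK_TAG = 0xA5  # context tag [5]: GetBulkRequest-PDU (RFC 3416)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_getbulk(datagram):
    """Return the GETBULK fields of an SNMPv2c datagram, else None."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    vtag, version, pos = read_tlv(msg, 0)
    ctag, _community, pos = read_tlv(msg, pos)
    if vtag != 0x02 or version != b"\x01" or ctag != 0x04:
        return None  # only community-based SNMPv2c is decoded here
    ptag, pdu, _ = read_tlv(msg, pos)
    if ptag != GETBULK_TAG:
        return None
    ints, pos = [], 0
    for _ in range(3):  # request-id, non-repeaters, max-repetitions
        tag, val, pos = read_tlv(pdu, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    _, varbinds, _ = read_tlv(pdu, pos)
    count, p = 0, 0
    while p < len(varbinds):  # count the requested variable bindings
        _, _, p = read_tlv(varbinds, p)
        count += 1
    repeating = max(count - max(ints[1], 0), 0)
    return {"non_repeaters": ints[1], "max_repetitions": ints[2],
            "rows_requested": repeating * max(ints[2], 0)}

def exceeds_limit(datagram, limit=100):  # limit is an assumed policy value
    info = parse_getbulk(datagram)
    return info is not None and info["max_repetitions"] > limit

# Constructed samples: community "public", one varbind, max-repetitions 10 / 100000
NORMAL = bytes.fromhex("302302010104067075626c6963a51602010102010002010a300b300906052b060102010500")
LARGE = bytes.fromhex("302502010104067075626c6963a51802010102010002030186a0300b300906052b060102010500")
```

`rows_requested` is the number of repeating varbinds multiplied by max-repetitions, an upper bound on the rows the request asks the agent to walk.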
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 12:27:16 UTC
Netmon, please advise.
Comment 2 Martin Jackson (RETIRED) gentoo-dev 2007-11-08 01:09:46 UTC
I don't think the CVE entry is correct.  5.4.1 had the patch in question applied already.  (Man snmpd.conf; you see the maxGetbulkRepeats and maxGetbulkResponses tunables, which are part of the patch referenced, also ds_agent.h file, etc.)

I'm sure 5.3.1 is vulnerable.  It was released long before the patch was committed.

I think we should stable 5.4.1-r1 and clean up the other releases.  I don't think we need to carry that many versions of net-snmp in the tree.

Any objections?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-08 03:17:45 UTC
(In reply to comment #2)
> I don't think the CVE entry is correct.  5.4.1 had the patch in question
> applied already.  (Man snmpd.conf; you see the maxGetbulkRepeats and
> maxGetbulkResponses tunables, which are part of the patch referenced), also
> ds_agent.h file, etc).

5.4 is stable right now, is it affected?
Comment 4 Martin Jackson (RETIRED) gentoo-dev 2007-11-08 03:30:38 UTC
> 5.4 is stable right now, is it affected?

Yes, it is.  The maxreps patch does apply cleanly on that version, though.

I could do a 5.4-r1 with the patch.  5.4.1 is a bit more complex to stable as it introduced python bindings, which require a dep on MIPS to be stabled first (requested, but not yet done).
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-08 06:46:57 UTC
Martin, it's up to you what fixed version to stable, just as long as we get one to stable :)
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-08 07:02:35 UTC
Er, so the target is net-analyzer/net-snmp-5.4.1-r1 now?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-11-08 07:20:32 UTC
Sorry for the spam, arches. I forgot to remove you from CC when I discovered there was no clear stable candidate. UnCCing arches for now.

Netmon please advise.
Comment 8 Martin Jackson (RETIRED) gentoo-dev 2007-11-08 12:55:09 UTC
> Netmon please advise.
> 

I think we're better off stabling 5.4.1-r1, but we need to keyword/stable dev-python/setuptools on mips first (191550).  Can someone from mips@ help with that?

If that's not viable (i.e. there's some reason we can't keyword and stable setuptools on mips), I have committed a 5.4-r1 with the maxreps patch.

Thanks, Marty
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-11-08 16:59:08 UTC
MIPS, please see the blocker of this bug first.

Arches, please test and mark stable net-analyzer/net-snmp-5.4.1-r1.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-11-08 19:37:11 UTC
ppc64 stable
Comment 11 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-09 14:50:31 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-11-09 15:10:17 UTC
alpha/ia64/sparc stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-09 18:12:10 UTC
Stable for HPPA.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-13 19:54:59 UTC
ppc stable
Comment 15 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-14 01:07:54 UTC
amd64 done
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 01:30:45 UTC
Vote is open.

Martin, do I see correctly that this vulnerability can be exploited by authenticated users / hosts in usual setups? Or is the SNMP agent designed to be connected publicly?
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-11-16 00:15:01 UTC
According to RedHat this is a DoS for unauthenticated users.

Voting YES.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 22:35:24 UTC
yes too, request filed.
Comment 19 Joshua Kinard gentoo-dev 2007-11-19 06:21:07 UTC
Unstable on mips.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-20 22:07:24 UTC
GLSA 200711-31