
Bug 342127 (CVE-2010-2891)

Summary: <net-libs/libsmi-0.4.8-r1: Remote Arbitrary Code Execution Vulnerability (CVE-2010-2891)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: netmon
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.coresecurity.com/content/libsmi-smigetnode-buffer-overflow
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2010-10-22 07:00:26 UTC
From $url:

Vulnerability Description

A statically allocated buffer is overwritten in the case that a very long Object Identifier is specified in stringified dotted notation to the smiGetNode function of libsmi[1]. This may result in arbitrary code execution by cleverly overwriting key pointers in memory.

4. Vulnerable packages

    * libsmi 0.4.8.
    * Any software that uses the vulnerable function to find a definition from an Object Identifier specified in stringified dotted notation that is given by the user. The SNMP packets from the protocol that travel over the network do not use this notation for OIDs.

5. Non-vulnerable packages

    * libsmi 0.4.8 patched with the supplied patch.
    * Any future release of libsmi, or current SVN head revision, since this patch was already committed to their repositories.
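
A defensive sketch of the bug class described above, added here as an example; it is not libsmi's code or the Core Security patch. It parses a dotted OID string into a fixed-size array and checks the component count before every store. The names `parse_dotted_oid`, `parse_repeated` and `OID_MAX_SUBIDS` are hypothetical, and the 128 sub-identifier and 2^32-1 limits are taken from SMIv2 (RFC 2578), not from this report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define OID_MAX_SUBIDS 128 /* SMIv2 (RFC 2578) cap on sub-identifiers */

/* Hypothetical helper (not libsmi API): parse "1.3.6.1" into out[].
 * Returns the component count, or -1 on malformed input, a component
 * above 2^32-1, or more components than out_cap. */
int parse_dotted_oid(const char *s, unsigned int *out, size_t out_cap)
{
    size_t n = 0;
    if (s == NULL || out == NULL)
        return -1;
    for (;;) {
        char *end;
        unsigned long v;
        if (*s < '0' || *s > '9')   /* rejects "", "1..3", "1.", "-1" */
            return -1;
        errno = 0;
        v = strtoul(s, &end, 10);
        if (errno == ERANGE || v > 0xFFFFFFFFUL)
            return -1;
        if (n >= out_cap)           /* bound check BEFORE the store */
            return -1;
        out[n++] = (unsigned int)v;
        if (*end == '\0')
            return (int)n;
        if (*end != '.')
            return -1;
        s = end + 1;
    }
}

/* Constructed input: "1.1.1..." with `count` components, parsed into a
 * buffer that holds exactly OID_MAX_SUBIDS entries. */
int parse_repeated(size_t count)
{
    char text[2 * 256 + 1];
    unsigned int buf[OID_MAX_SUBIDS];
    size_t i, len = 0;
    if (count == 0 || count > 256)
        return -1;
    for (i = 0; i < count; i++) {
        if (i) text[len++] = '.';
        text[len++] = '1';
    }
    text[len] = '\0';
    return parse_dotted_oid(text, buf, OID_MAX_SUBIDS);
}
```

An OID with exactly 128 components is accepted; the 129th component is refused before anything is written past the end of the array.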
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-10-22 07:01:35 UTC
Rating B2 (and not B1) as I don't believe we use this in any server-type packages.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-22 16:30:27 UTC
There's a patch here:

http://www.coresecurity.com/content/libsmi-smigetnode-buffer-overflow
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-22 16:51:54 UTC
Arch teams, please test and mark stable:
=net-libs/libsmi-0.4.8-r1
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-22 16:57:07 UTC
Oops, those aren't stable.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-10-23 00:58:38 UTC
It fails tests but it is not a regression over the current stable. amd64 done
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-23 06:04:48 UTC
Stable for HPPA.
Comment 7 Myckel Habets 2010-10-23 20:02:46 UTC
Builds fine on x86. Rdeps build and run fine on x86.

Please mark stable for x86.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-24 13:30:42 UTC
stable x86, thanks Myckel
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2010-10-24 14:54:51 UTC
Stable on alpha.
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2010-10-25 19:06:25 UTC
ppc64 done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-10-27 04:40:13 UTC
Stable for PPC.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-10-30 16:15:07 UTC
ia64/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2010-10-30 16:38:49 UTC
Thanks, folks. GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 19:33:07 UTC
CVE-2010-2891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2891):
  Buffer overflow in the smiGetNode function in lib/smi.c in libsmi 0.4.8
  allows context-dependent attackers to execute arbitrary code via an Object
  Identifier (aka OID) represented as a numerical string containing many
  components separated by . (dot) characters.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-12-14 22:56:39 UTC
This issue was resolved and addressed in
 GLSA 201312-10 at http://security.gentoo.org/glsa/glsa-201312-10.xml
by GLSA coordinator Chris Reffett (creffett).