Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 493296 (CVE-2012-6151)

Summary: <net-analyzer/net-snmp- crashes/hangs when AgentX subagent times out (CVE-2012-6151)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: bertrand, netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-12-04 10:10:58 UTC
From ${URL} :

net-snmp was found to be crashing/hanging due to the heavy load on the subagent AgentX.

Here, snmpd is the master agent, AgentX is the subagent registering to handle a MIB and processing GETNEXT 
requests. When the subagent is under heavy load, requests start to pile up in the queue, replies from the 
subagent arrive too late (per log messages) and eventually the subagent is timed out. When the timeout 
occurs there is a high probability of either a crash (Segfault) or a hang (100% CPU utilisation, tight 
loop in the snmpd code) dependent on the version of the snmpd under test. This also happens when the 
subagent dies unexpectedly with outstanding transactions unserviced.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 03:30:03 UTC
CVE-2012-6151 (
  Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and
  processing GETNEXT requests, allows remote attackers to cause a denial of
  service (crash or infinite loop, CPU consumption, and hang) by causing the
  AgentX subagent to timeout.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 02:32:07 UTC
Bug 494574 is being stabilized now for net-analyzer/net-snmp-5.7.2-r1 does it contain the fix for this?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-08-04 15:18:37 UTC
All other distress have this fixed in 5.7.2, please confirm that this is fixed in the current stable version so that we can release the GLSA.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-04 15:19:48 UTC
sorry distributions ... hate auto spelling corrections.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-15 07:29:14 UTC
The CVE said it should be good.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-09-01 21:49:44 UTC
This issue was resolved and addressed in
 GLSA 201409-02 at
by GLSA coordinator Kristian Fiskerstrand (K_F).