Bug 502968 (CVE-2014-2284)

Summary: <net-analyzer/net-snmp-5.7.2.1: denial of service flaw in Linux implementation of ICMP-MIB (CVE-2014-2284)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: netmon
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1070396
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-27 13:42:49 UTC
From ${URL} :

It was reported [1] that Net-SNMP releases 5.5 through 5.7.2 were vulnerable to a potential 
remotely-triggerable denial of service attack on the Linux platform, when the ICMP-MIB is in use.  
Net-SNMP 5.4.x users, and those who do not make use of the ICMP-MIB table objects, are not vulnerable.

This is fixed in git [2].


[1] http://sourceforge.net/p/net-snmp/mailman/message/32026655/
[2] http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 16:46:48 UTC
*5.7.2.1*
    snmpd:
      - SECURITY: a denial of service attack vector was discovered on
        the linux implementation of the ICMP-MIB.  This release fixes
        this bug and all users are encouraged to update their SNMP
        agent if they make use of the ICMP-MIB table objects.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 18:01:14 UTC
The 5.7.2.1 tarball contains all of the binaries pre-built, and has some other problems. For instance, it second-guesses perl's ARCH_LIB (which is easy to fix) but more importantly, it has developed some new parallel make problems.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 19:40:08 UTC
(In reply to Jeroen Roovers from comment #2)
> The 5.7.2.1 tarball contains all of the binaries pre-built, and has some
> other problems.

> For instance, it second-guesses perl's ARCH_LIB (which is
> easy to fix)

That appears to be because it has pre-generated Makefiles in perl/. I'll roll a fresh tarball. Saves around 20 megabytes in downloading.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 19:58:40 UTC
Arch teams, please test and mark stable:
=net-analyzer/net-snmp-5.7.2.1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-02 15:52:58 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-03-04 14:30:28 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-03-04 14:30:34 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-12 10:21:59 UTC
sparc stable
Comment 9 Markus Meier gentoo-dev 2014-03-12 20:49:24 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-16 11:08:15 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-18 16:08:12 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-03-19 14:14:01 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-03-24 14:29:25 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-03-24 23:00:15 UTC
Arches and Maintainer(s), thank you for your work.

Security, please vote.
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-04-07 08:35:07 UTC
GLSA vote: no
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-04-08 20:18:52 UTC
CVE-2014-2284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2284):
  The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1,
  5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate
  input, which allows remote attackers to cause a denial of service via
  unspecified vectors.
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-04-08 20:38:33 UTC
(In reply to Mikle Kolyada from comment #15)
> GLSA vote: no

nvmd. Added to existing glsa draft.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-09-01 21:49:51 UTC
This issue was resolved and addressed in
 GLSA 201409-02 at http://security.gentoo.org/glsa/glsa-201409-02.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).