Bug 729610 (CVE-2019-20892)

Summary: <net-analyzer/net-snmp-5.8.1_pre1: Double free via an SNMPv3 GetBulk request (CVE-2019-20892)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: netmon
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
Whiteboard: B3 [glsa+ cve]
Package list:
net-analyzer/net-snmp-5.8.1_pre1-r1
Runtime testing required: ---
Bug Depends on: 734994    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 12:30:25 UTC
Description:
"net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-25 12:30:47 UTC
Tell us if suitable for stabling or not.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-03 22:33:41 UTC
(In reply to Sam James (sec padawan) from comment #1)
> Tell us if suitable for stabling or not.

If no objections, I'll CC-ARCHES.
Comment 3 NATTkA bot gentoo-dev 2020-07-18 20:40:39 UTC
Unable to check for sanity:

> no match for package: net-analyzer/net-snmp-5.8.1_pre1
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 00:09:27 UTC
amd64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 00:10:28 UTC
x86 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 01:07:58 UTC
sparc stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 01:49:10 UTC
ppc stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 11:53:09 UTC
arm stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 11:53:19 UTC
arm64 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-19 18:00:47 UTC
ppc64 stable
Comment 11 Rolf Eike Beer archtester 2020-07-22 15:34:07 UTC
hppa stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:46:46 UTC
s390: ping
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-30 01:09:46 UTC
s390 stable. Please cleanup.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-08-26 21:43:55 UTC
This issue was resolved and addressed in
 GLSA 202008-12 at https://security.gentoo.org/glsa/202008-12
by GLSA coordinator Sam James (sam_c).