Bug 733478 (CVE-2020-24361)

Summary: <net-analyzer/snmptt-1.4.1: Security issue in EXEC / PREXEC / unknown_trap_exec allowing possible code execution (CVE-2020-24361)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: netmon
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.snmptt.org/changelog.shtml
Whiteboard: B1 [glsa+ cve]
Package list:
=net-analyzer/snmptt-1.4.2 x86
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-07-22 07:04:27 UTC
v1.4.1 - July 21st, 2020
* Fixed a security issue with EXEC / PREXEC / unknown_trap_exec that could allow malicious shell code to be executed.
* Fixed a bug with EXEC / PREXEC / unknown_trap_exec that caused commands to be run as root instead of the user defined in daemon_uid.
* Added the snmptt.ini option daemon_gid to allow the gid to be set in addition to the uid.  Defaults to 'nobody' if not defined.
Comment 1 Larry the Git Cow gentoo-dev 2020-07-22 07:04:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2e5927463dcd8e1cb8fb49e14cb9636631a8039

commit b2e5927463dcd8e1cb8fb49e14cb9636631a8039
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-22 06:55:06 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-22 07:04:50 +0000

    net-analyzer/snmptt: Version 1.4.1
    
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/733478
    Closes: https://bugs.gentoo.org/show_bug.cgi?id=433443
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/snmptt/Manifest            |  1 +
 net-analyzer/snmptt/snmptt-1.4.1.ebuild | 60 +++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 00:47:06 UTC
x86 stable. Please cleanup.
Comment 3 Larry the Git Cow gentoo-dev 2020-07-25 09:38:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec104869262c49683a690bfa0b2409c48afe2a1e

commit ec104869262c49683a690bfa0b2409c48afe2a1e
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-25 09:36:58 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-25 09:38:16 +0000

    net-analyzer/snmptt: Old
    
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/733478
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/snmptt/Manifest          |  1 -
 net-analyzer/snmptt/snmptt-1.4.ebuild | 52 -----------------------------------
 2 files changed, 53 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 00:44:32 UTC
We need to stabilise 1.4.2 instead. 1.4.1 has been yanked due to a problem and the maintainer put out 1.4.2 shortly after instead.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 01:11:39 UTC
x86 stable. I guess we should cleanup again in case the problem was an incomplete fix.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 17:13:44 UTC
This issue was resolved and addressed in
 GLSA 202007-63 at https://security.gentoo.org/glsa/202007-63
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-16 05:29:29 UTC
Assigned: CVE-2020-24361

Description:
"SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec."
Comment 9 Larry the Git Cow gentoo-dev 2020-08-16 05:38:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9e88e4d3add589d3e6068027d614349f1675a506

commit 9e88e4d3add589d3e6068027d614349f1675a506
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-16 05:37:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-16 05:37:37 +0000

    [ GLSA 202007-63 ] Add now-assigned CVE-2020-24361
    
    Bug: https://bugs.gentoo.org/733478
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202007-63.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)