Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 880231 (CVE-2022-44792, CVE-2022-44793)

Summary: <net-analyzer/net-snmp-5.9.4: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: netmon
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [stable?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 17:00:35 UTC 
CVE-2022-44792 (https://github.com/net-snmp/net-snmp/issues/474):
https://gist.github.com/menglong2234/b7bc13ae1a144f47cc3c95a7ea062428

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

CVE-2022-44793 (https://github.com/net-snmp/net-snmp/issues/475):
https://gist.github.com/menglong2234/d07a65b5028145c9f4e1d1db8c4c202f

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

No patches yet, but upstream seems active.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-30 21:29:03 UTC 
The two issues are said to be fixed by: https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57