Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 225105 (CVE-2008-0960) - net-analyzer/net-snmp < truncated HMAC authentication code (CVE-2008-0960)
Summary: net-analyzer/net-snmp < truncated HMAC authentication code (CVE-2008-0...
Alias: CVE-2008-0960
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 227603
Blocks: 222265
  Show dependency tree
Reported: 2008-06-06 10:50 UTC by Matthias Geerdsen (RETIRED)
Modified: 2020-04-09 06:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

patch for CVE-2008-0960 (CVE-2008-0960.patch,404 bytes, patch)
2008-06-06 10:51 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff
net-snmp-5.4.1-CVE-2008-0960.patch (net-snmp-5.4.1-CVE-2008-0960.patch,368 bytes, patch)
2008-06-06 19:26 UTC, Peter Volkov (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-06 10:50:14 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

We have been contacted by CERT/CC about the following issue:
According to net-snmp project:

"The quick technical summary is that the SNMPv3 packet contains a
truncated HMAC authentication code.  The author that wrote the code
very very long ago to check that HMAC code used the length of the
packet's version of the HMAC code to do the check.  Thus if you send a
single byte HMAC code, it'll only check it against the first byte of
HMAC output.  Thus it's fairly easy to spoof an authenticated SNMPv3
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-06 10:51:54 UTC
Created attachment 155709 [details, diff]
patch for CVE-2008-0960
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-06 10:53:44 UTC
pva/falco/vapier since you are all in netmon herd anyways, please prepare an ebuild with the patch and attach it here.

Do not commit anything to the tree until this issue is made public.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2008-06-06 19:26:32 UTC
Created attachment 155745 [details, diff]

Thank you Matthias. Attached patch was corrupted one. Attaching correct one.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2008-06-06 19:30:09 UTC
BTW, I don't see any rush with this security fix. I'm going to bump net-snmp now to fix quite a number of bugs, after that I'd like to have at least 2 weeks for feedback on patches I've backported from upstream and only after that stabilize this package... Also we have another security fix for this package in queue so it's better to test stabilize them together, I suppose.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 01:07:25 UTC
Now public via URL.
"Fixed version:
Net-SNMP >=, >=, >="

Peter, take the time you want to test this issue, 
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2008-06-21 06:40:30 UTC is ready to go stable together with autoconf-2.61-r2 (which should be stabilized in bug 227603).

Target keywords:
net-analyzer/net-snmp- alpha amd64 arm hppa ia64 ppc64 ppc s390 sh sparc x86
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-21 09:25:10 UTC
x86 stable
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-06-21 13:49:55 UTC
pva, I'm adding release@, or did you handle this yourself already?
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-06-21 19:39:10 UTC
ppc64 stable
Comment 10 Markus Meier gentoo-dev 2008-06-22 11:08:45 UTC
amd64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-06-22 18:11:38 UTC
alpha/ia64/sparc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-23 17:14:05 UTC
Stable for HPPA.
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-06-23 19:00:07 UTC
ppc done
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-06-24 01:05:00 UTC
GLSA vote, YES for me.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-02 11:15:08 UTC
YES too, filing request.
Comment 16 Chris Gianelloni (RETIRED) gentoo-dev 2008-08-01 17:49:17 UTC
2008.0 is out, so no need to keep release on the CC list.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 00:30:47 UTC
GLSA 200808-02