A statically allocated buffer is overwritten in the case that a very long Object Identifier is specified in stringified dotted notation to the smiGetNode function of libsmi. This may result in arbitrary code execution by cleverly overwriting key pointers in memory.
4. Vulnerable packages
* libsmi 0.4.8.
* Any software that uses the vulnerable function to find a definition from an Object Identifier specified in stringified dotted notation that is given by the user. The SNMP packets from the protocol that travel over the network do not use this notation for OIDs.
5. Non-vulnerable packages
* libsmi 0.4.8 patched with the supplied patch.
* Any future release of libsmi, or current SVN head revision, since this patch was already committed to their repositories.
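As an added illustration of the defensive pattern the advisory calls for (this is not libsmi's code and not the referenced patch; the real fix lives there), a dotted-OID parser that checks the component count against the destination array before every store, so an over-long OID is rejected instead of overrunning a fixed-size buffer. MAX_OID_LEN, parse_dotted_oid and parse_synthetic_oid are assumed names; libsmi's real limit is not stated on this page.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Constructed cap on OID components; the real libsmi limit is not given on this page. */
#define MAX_OID_LEN 128

/* Parse a dotted OID string ("1.3.6.1.2.1.1.1.0") into a caller-supplied array.
 * Returns the component count, or -1 for malformed input or when the string has
 * more components than max_len: the bound is checked before every store, so an
 * oversized OID is rejected instead of running past the end of out[]. */
int parse_dotted_oid(const char *s, unsigned int *out, size_t max_len)
{
    size_t n = 0;
    if (s == NULL || *s == '\0') return -1;
    for (;;) {
        char *end;
        unsigned long v;
        if (*s < '0' || *s > '9')             /* each component starts with a digit */
            return -1;
        errno = 0;
        v = strtoul(s, &end, 10);
        if (errno == ERANGE || v > UINT_MAX)  /* component does not fit unsigned int */
            return -1;
        if (n >= max_len)                     /* length check precedes the store */
            return -1;
        out[n++] = (unsigned int)v;
        if (*end == '\0')
            return (int)n;
        if (*end != '.') return -1;
        s = end + 1;                          /* a trailing '.' then fails the digit check */
    }
}

/* Constructed input: an OID made of `components` "1" parts, parsed into a
 * MAX_OID_LEN buffer. Returns parse_dotted_oid's result. */
int parse_synthetic_oid(size_t components)
{
    unsigned int oid[MAX_OID_LEN];
    char *buf = malloc(components * 2 + 1);
    size_t i;
    int rc;
    if (buf == NULL) return -1;
    for (i = 0; i < components; i++) {
        buf[2 * i] = '1';
        buf[2 * i + 1] = '.';
    }
    buf[components ? 2 * components - 1 : 0] = '\0';  /* drop the final '.' */
    rc = parse_dotted_oid(buf, oid, MAX_OID_LEN);
    free(buf);
    return rc;
}
```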
Rating B2 (and not B1) as I don't believe we use this in any server-type packages.
There's a patch here:
Arch teams, please test and mark stable:
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Oops, those aren't stable.
It fails tests but it is not a regression over the current stable. amd64 done.
Stable for HPPA.
Builds fine on x86. Rdeps build and run fine on x86.
Please mark stable for x86.
stable x86, thanks Myckel
Stable on alpha.
Stable for PPC.
Thanks, folks. GLSA request filed.
Buffer overflow in the smiGetNode function in lib/smi.c in libsmi 0.4.8
allows context-dependent attackers to execute arbitrary code via an Object
Identifier (aka OID) represented as a numerical string containing many
components separated by . (dot) characters.
This issue was resolved and addressed in
GLSA 201312-10 at http://security.gentoo.org/glsa/glsa-201312-10.xml
by GLSA coordinator Chris Reffett (creffett).