Bug 734994 (CVE-2020-15861, CVE-2020-15862) - <net-analyzer/net-snmp-5.8.1_pre1: Multiple vulnerabilities (CVE-2020-{15861,15862})
Alias: CVE-2020-15861, CVE-2020-15862
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on:
Blocks: CVE-2019-20892
Reported: 2020-07-31 22:27 UTC by David Denoncin
Modified: 2020-08-26 21:43 UTC
Runtime testing required: ---
Description David Denoncin 2020-07-31 22:27:59 UTC
* CVE-2020-15861:

"snmpd runs as a low privileged user account. However, in combination with
the *snmp-mibs-downloader package* this protection can be bypassed and it is
possible for this account to elevate permissions to the root user.

This attack happens due to how snmpd handles symlinks."

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-24 01:05:15 UTC
* CVE-2020-15862

"Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root."

Patch: (which is in 5.8.1_pre1)

Tree seems clean so just need to glsa.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-08-26 21:43:59 UTC
This issue was resolved and addressed in
 GLSA 202008-12 at
by GLSA coordinator Sam James (sam_c).