Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 880231 (CVE-2022-44792, CVE-2022-44793) - <net-analyzer/net-snmp-5.9.4: multiple vulnerabilities
Summary: <net-analyzer/net-snmp-5.9.4: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-44792, CVE-2022-44793
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [cleanup glsa?]
Keywords:
Depends on: 924175
Blocks:
  Show dependency tree
 
Reported: 2022-11-07 17:00 UTC by John Helmert III
Modified: 2024-07-17 06:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 17:00:35 UTC
CVE-2022-44792 (https://github.com/net-snmp/net-snmp/issues/474):
https://gist.github.com/menglong2234/b7bc13ae1a144f47cc3c95a7ea062428

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

CVE-2022-44793 (https://github.com/net-snmp/net-snmp/issues/475):
https://gist.github.com/menglong2234/d07a65b5028145c9f4e1d1db8c4c202f

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.

No patches yet, but upstream seems active.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-30 21:29:03 UTC
The two issues are said to be fixed by: https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57