Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 502968 (CVE-2014-2284) - <net-analyzer/net-snmp- denial of service flaw in Linux implementation of ICMP-MIB (CVE-2014-2284)
Summary: <net-analyzer/net-snmp- denial of service flaw in Linux implementatio...
Alias: CVE-2014-2284
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2014-02-27 13:42 UTC by Agostino Sarubbo
Modified: 2014-09-01 21:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-27 13:42:49 UTC
From ${URL} :

It was reported [1] that Net-SNMP releases 5.5 through 5.7.2 were vulnerable to a potential 
remotely-triggerable denial of service attack on the Linux platform, when the ICMP-MIB is in use.  
Net-SNMP 5.4.x users, and those who do not make use of the ICMP-MIB table objects, are not vulnerable.

This is fixed in git [2].


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 16:46:48 UTC
      - SECURITY: a denial of service attack vector was discovered on
        the linux implementation of the ICMP-MIB.  This release fixes
        this bug and all users are encouraged to update their SNMP
        agent if they make use of the ICMP-MIB table objects.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 18:01:14 UTC
The tarball contains all of the binaries pre-built, and has some other problems. For instance, it second-guesses perl's ARCH_LIB (which is easy to fix) but more importantly, it has developed some new parallel make problems.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 19:40:08 UTC
(In reply to Jeroen Roovers from comment #2)
> The tarball contains all of the binaries pre-built, and has some
> other problems.

> For instance, it second-guesses perl's ARCH_LIB (which is
> easy to fix)

That appears to be because it has pre-generated Makefiles in perl/. I'll roll a fresh tarball. Saves around 20 megabytes in downloading.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-01 19:58:40 UTC
Arch teams, please test and mark stable:
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2014-03-02 15:52:58 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2014-03-04 14:30:28 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-03-04 14:30:34 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-12 10:21:59 UTC
sparc stable
Comment 9 Markus Meier gentoo-dev 2014-03-12 20:49:24 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-16 11:08:15 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-18 16:08:12 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-03-19 14:14:01 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-03-24 14:29:25 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-03-24 23:00:15 UTC
Arches and Maintainer(s), Thank you for your work.

Security please Vote.
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-07 08:35:07 UTC
GLSA vote: no
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-04-08 20:18:52 UTC
CVE-2014-2284 (
  The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before,
  5.6.x before, and 5.7.x before does not properly validate
  input, which allows remote attackers to cause a denial of service via
  unspecified vectors.
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-04-08 20:38:33 UTC
(In reply to Mikle Kolyada from comment #15)
> GLSA vote: no

nvmd. Added to existing glsa draft.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-09-01 21:49:51 UTC
This issue was resolved and addressed in
 GLSA 201409-02 at
by GLSA coordinator Kristian Fiskerstrand (K_F).