net-snmp: Security fix CVE-2019-20892

Source: net-snmp.org MR: 104509 Type: Security Fix Disposition: Backport from https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9 ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8 Description: Fixes CVE-2019-20892 which affect net-snmp <= 5.8pre1 Had to fix up some file do to later code restructioning. "int refcnt;" addition was done in include/net-snmp/library/snmpusm.h Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Armin Kuster <akuster@mvista.com> 2020-06-26 16:14:10 -0700
committer: Khem Raj <raj.khem@gmail.com> 2020-06-26 22:06:19 -0700
commit: 96a63b1ecf321c9a63880a963ed257086998133b (patch)
tree: 6889c7dfe3f694be4268ab7ee5f52909b97a2852 /meta-networking
parent: 5c39cf1d9e70820c7e42b0f36873d723912229e4 (diff)
download: meta-openembedded-96a63b1ecf321c9a63880a963ed257086998133b.tar.gz
2 files changed, 119 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch
new file mode 100644
index 000000000..3e2637eaa
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch
@@ -0,0 +1,118 @@
+From 5f881d3bf24599b90d67a45cae7a3eb099cd71c9 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sat, 27 Jul 2019 19:34:09 -0700
+Subject: [PATCH] libsnmp, USM: Introduce a reference count in struct
+ usmStateReference
+This patch fixes https://sourceforge.net/p/net-snmp/bugs/2956/.
+Upstream-Status: Backport
+[ak: fixup for 5.8 context, changes to library/snmpusm.h]
+CVE:CVE-2019-20892
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ snmplib/snmp_client.c | 22 +++----------
+ snmplib/snmpusm.c     | 73 ++++++++++++++++++++++++++++---------------
+ 2 files changed, 53 insertions(+), 42 deletions(-)
+Index: net-snmp-5.8/snmplib/snmpusm.c
+===================================================================
+--- net-snmp-5.8.orig/snmplib/snmpusm.c
+++ net-snmp-5.8/snmplib/snmpusm.c
+@@ -285,12 +285,35 @@ free_enginetime_on_shutdown(int majorid,
+ struct usmStateReference *
+ usm_malloc_usmStateReference(void)
+ {
+-    struct usmStateReference *retval = (struct usmStateReference *)
+-        calloc(1, sizeof(struct usmStateReference));
+   struct usmStateReference *retval;
+ 
+    retval = calloc(1, sizeof(struct usmStateReference));
+    if (retval)
+        retval->refcnt = 1;
+     return retval;
+ }                               /* end usm_malloc_usmStateReference() */
+ 
+static int
+usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu)
+{
+    struct usmStateReference *ref = pdu->securityStateRef;
+    struct usmStateReference **new_ref =
+        (struct usmStateReference **)&new_pdu->securityStateRef;
+    int ret = 0;
+
+    if (!ref)
+        return ret;
+
+    if (pdu->command == SNMP_MSG_TRAP2) {
+        netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL);
+        ret = usm_clone_usmStateReference(ref, new_ref);
+    } else {
+        netsnmp_assert(ref == *new_ref);
+        ref->refcnt++;
+    }
+
+    return ret;
+}
+ 
+ void
+ usm_free_usmStateReference(void *old)
+@@ -3345,6 +3368,7 @@ init_usm(void)
+     def->encode_reverse = usm_secmod_rgenerate_out_msg;
+     def->encode_forward = usm_secmod_generate_out_msg;
+     def->decode = usm_secmod_process_in_msg;
+    def->pdu_clone = usm_clone;
+     def->pdu_free_state_ref = usm_free_usmStateReference;
+     def->session_setup = usm_session_init;
+     def->handle_report = usm_handle_report;
+Index: net-snmp-5.8/snmplib/snmp_client.c
+===================================================================
+--- net-snmp-5.8.orig/snmplib/snmp_client.c
+++ net-snmp-5.8/snmplib/snmp_client.c
+@@ -402,27 +402,15 @@ _clone_pdu_header(netsnmp_pdu *pdu)
+         return NULL;
+     }
+ 
+-    if (pdu->securityStateRef &&
+-        pdu->command == SNMP_MSG_TRAP2) {
+-
+-        ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef,
+-                (struct usmStateReference **) &newpdu->securityStateRef );
+-
+-        if (ret)
+-        {
+    sptr = find_sec_mod(newpdu->securityModel);
+    if (sptr && sptr->pdu_clone) {
+        /* call security model if it needs to know about this */
+        ret = sptr->pdu_clone(pdu, newpdu);
+        if (ret) {
+             snmp_free_pdu(newpdu);
+             return NULL;
+         }
+     }
+-
+-    if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL &&
+-        sptr->pdu_clone != NULL) {
+-        /*
+-         * call security model if it needs to know about this 
+-         */
+-        (*sptr->pdu_clone) (pdu, newpdu);
+-    }
+-
+     return newpdu;
+ }
+ 
+Index: net-snmp-5.8/include/net-snmp/library/snmpusm.h
+===================================================================
+--- net-snmp-5.8.orig/include/net-snmp/library/snmpusm.h
+++ net-snmp-5.8/include/net-snmp/library/snmpusm.h
+@@ -43,6 +43,7 @@ extern          "C" {
+      * Structures.
+      */
+     struct usmStateReference {
+        int             refcnt;
+         char           *usr_name;
+         size_t          usr_name_length;
+         u_char         *usr_engine_id;
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
index 5466649a8..67316db0d 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@@ -28,6 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
           file://reproducibility-accept-configure-options-from-env.patch \
           file://0001-net-snmp-fix-compile-error-disable-des.patch \
           file://0001-Add-pkg-config-support-for-building-applications-and.patch \
+           file://CVE-2019-20892.patch \
           "
 SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
 SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"
author	Armin Kuster <akuster@mvista.com>	2020-06-26 16:14:10 -0700
committer	Khem Raj <raj.khem@gmail.com>	2020-06-26 22:06:19 -0700
commit	96a63b1ecf321c9a63880a963ed257086998133b (patch)
tree	6889c7dfe3f694be4268ab7ee5f52909b97a2852 /meta-networking
parent	5c39cf1d9e70820c7e42b0f36873d723912229e4 (diff)
download	meta-openembedded-96a63b1ecf321c9a63880a963ed257086998133b.tar.gz

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch new file mode 100644 index 000000000..3e2637eaa --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch
@@ -0,0 +1,118 @@
		1	From 5f881d3bf24599b90d67a45cae7a3eb099cd71c9 Mon Sep 17 00:00:00 2001
		2	From: Bart Van Assche <bvanassche@acm.org>
		3	Date: Sat, 27 Jul 2019 19:34:09 -0700
		4	Subject: [PATCH] libsnmp, USM: Introduce a reference count in struct
		5	usmStateReference
		6
		7	This patch fixes https://sourceforge.net/p/net-snmp/bugs/2956/.
		8
		9	Upstream-Status: Backport
		10	[ak: fixup for 5.8 context, changes to library/snmpusm.h]
		11	CVE:CVE-2019-20892
		12
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	snmplib/snmp_client.c \| 22 +++----------
		17	snmplib/snmpusm.c \| 73 ++++++++++++++++++++++++++++---------------
		18	2 files changed, 53 insertions(+), 42 deletions(-)
		19
		20	Index: net-snmp-5.8/snmplib/snmpusm.c
		21	===================================================================
		22	--- net-snmp-5.8.orig/snmplib/snmpusm.c
		23	+++ net-snmp-5.8/snmplib/snmpusm.c
		24	@@ -285,12 +285,35 @@ free_enginetime_on_shutdown(int majorid,
		25	struct usmStateReference *
		26	usm_malloc_usmStateReference(void)
		27	{
		28	- struct usmStateReference retval = (struct usmStateReference )
		29	- calloc(1, sizeof(struct usmStateReference));
		30	+ struct usmStateReference *retval;
		31
		32	+ retval = calloc(1, sizeof(struct usmStateReference));
		33	+ if (retval)
		34	+ retval->refcnt = 1;
		35	return retval;
		36	} /* end usm_malloc_usmStateReference() */
		37
		38	+static int
		39	+usm_clone(netsnmp_pdu pdu, netsnmp_pdu new_pdu)
		40	+{
		41	+ struct usmStateReference *ref = pdu->securityStateRef;
		42	+ struct usmStateReference **new_ref =
		43	+ (struct usmStateReference **)&new_pdu->securityStateRef;
		44	+ int ret = 0;
		45	+
		46	+ if (!ref)
		47	+ return ret;
		48	+
		49	+ if (pdu->command == SNMP_MSG_TRAP2) {
		50	+ netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL);
		51	+ ret = usm_clone_usmStateReference(ref, new_ref);
		52	+ } else {
		53	+ netsnmp_assert(ref == *new_ref);
		54	+ ref->refcnt++;
		55	+ }
		56	+
		57	+ return ret;
		58	+}
		59
		60	void
		61	usm_free_usmStateReference(void *old)
		62	@@ -3345,6 +3368,7 @@ init_usm(void)
		63	def->encode_reverse = usm_secmod_rgenerate_out_msg;
		64	def->encode_forward = usm_secmod_generate_out_msg;
		65	def->decode = usm_secmod_process_in_msg;
		66	+ def->pdu_clone = usm_clone;
		67	def->pdu_free_state_ref = usm_free_usmStateReference;
		68	def->session_setup = usm_session_init;
		69	def->handle_report = usm_handle_report;
		70	Index: net-snmp-5.8/snmplib/snmp_client.c
		71	===================================================================
		72	--- net-snmp-5.8.orig/snmplib/snmp_client.c
		73	+++ net-snmp-5.8/snmplib/snmp_client.c
		74	@@ -402,27 +402,15 @@ _clone_pdu_header(netsnmp_pdu *pdu)
		75	return NULL;
		76	}
		77
		78	- if (pdu->securityStateRef &&
		79	- pdu->command == SNMP_MSG_TRAP2) {
		80	-
		81	- ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef,
		82	- (struct usmStateReference **) &newpdu->securityStateRef );
		83	-
		84	- if (ret)
		85	- {
		86	+ sptr = find_sec_mod(newpdu->securityModel);
		87	+ if (sptr && sptr->pdu_clone) {
		88	+ /* call security model if it needs to know about this */
		89	+ ret = sptr->pdu_clone(pdu, newpdu);
		90	+ if (ret) {
		91	snmp_free_pdu(newpdu);
		92	return NULL;
		93	}
		94	}
		95	-
		96	- if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL &&
		97	- sptr->pdu_clone != NULL) {
		98	- /*
		99	- * call security model if it needs to know about this
		100	- */
		101	- (*sptr->pdu_clone) (pdu, newpdu);
		102	- }
		103	-
		104	return newpdu;
		105	}
		106
		107	Index: net-snmp-5.8/include/net-snmp/library/snmpusm.h
		108	===================================================================
		109	--- net-snmp-5.8.orig/include/net-snmp/library/snmpusm.h
		110	+++ net-snmp-5.8/include/net-snmp/library/snmpusm.h
		111	@@ -43,6 +43,7 @@ extern "C" {
		112	* Structures.
		113	*/
		114	struct usmStateReference {
		115	+ int refcnt;
		116	char *usr_name;
		117	size_t usr_name_length;
		118	u_char *usr_engine_id;


diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb index 5466649a8..67316db0d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@@ -28,6 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
28	file://reproducibility-accept-configure-options-from-env.patch \	28	file://reproducibility-accept-configure-options-from-env.patch \
29	file://0001-net-snmp-fix-compile-error-disable-des.patch \	29	file://0001-net-snmp-fix-compile-error-disable-des.patch \
30	file://0001-Add-pkg-config-support-for-building-applications-and.patch \	30	file://0001-Add-pkg-config-support-for-building-applications-and.patch \
		31	file://CVE-2019-20892.patch \
31	"	32	"
32	SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"	33	SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
33	SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"	34	SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"