net-snmp: fix CVE-2014-2285

The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptrapd crash) via an empty community string in an SNMP trap, which triggers a NULL pointer dereference within the newSVpv function in Perl. Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1072044 Signed-off-by: Junling Zheng <zhengjunling@huawei.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Junling Zheng <zhengjunling@huawei.com> 2015-05-04 03:22:26 +0000
committer: Joe MacDonald <joe_macdonald@mentor.com> 2015-05-08 15:40:28 -0400
commit: ff3c52f44da3cd8c2e350677c85d161b9819ddcc (patch)
tree: 15dfe1c1af0d0424bc26d82b7f1e43264c3e16c6 /meta-networking
parent: 2cb54ed8a103c56fcf42d4a363d175dbdc094489 (diff)
download: meta-openembedded-ff3c52f44da3cd8c2e350677c85d161b9819ddcc.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
new file mode 100644
index 0000000000..b1514b97f9
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
@@ -0,0 +1,49 @@
+From 87a0d27102ceffb92e5c1d6fbbd24972a9dd33ac Mon Sep 17 00:00:00 2001
+From: Junling Zheng <zhengjunling@huawei.com>
+Date: Mon, 20 Apr 2015 10:23:08 +0000
+Subject: [PATCH] Fix CVE-2014-2285
+Sending SNMP trap with empty community string crashes snmptrapd if Perl
+handler is enabled.
+Refer to:
+https://bugzilla.redhat.com/show_bug.cgi?id=1072044
+Upstream Status: Backported
+Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
+---
+ perl/TrapReceiver/TrapReceiver.xs | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/perl/TrapReceiver/TrapReceiver.xs b/perl/TrapReceiver/TrapReceiver.xs
+index 531bfa4..ac94370 100644
+--- a/perl/TrapReceiver/TrapReceiver.xs
+++ b/perl/TrapReceiver/TrapReceiver.xs
+@@ -81,18 +81,18 @@ int   perl_trapd_handler( netsnmp_pdu           *pdu,
+         STOREPDUi("securitymodel", pdu->securityModel);
+         STOREPDUi("securitylevel", pdu->securityLevel);
+         STOREPDU("contextName",
+-                 newSVpv(pdu->contextName, pdu->contextNameLen));
+                 newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextNameLen));
+         STOREPDU("contextEngineID",
+-                 newSVpv((char *) pdu->contextEngineID,
+                 newSVpv((char *)(pdu->contextEngineID ? pdu->contextEngineID : ""),
+                                     pdu->contextEngineIDLen));
+         STOREPDU("securityEngineID",
+-                 newSVpv((char *) pdu->securityEngineID,
+                 newSVpv((char *)(pdu->securityEngineID ? pdu->securityEngineID : ""),
+                                     pdu->securityEngineIDLen));
+         STOREPDU("securityName",
+-                 newSVpv((char *) pdu->securityName, pdu->securityNameLen));
+                 newSVpv((char *)(pdu->securityName ? pdu->securityName : ""), pdu->securityNameLen));
+     } else {
+         STOREPDU("community",
+-                 newSVpv((char *) pdu->community, pdu->community_len));
+                 newSVpv((char *)(pdu->community ? pdu->community : ""), pdu->community_len));
+     }
+ 
+     if (transport && transport->f_fmtaddr) {
+-- 
+1.8.3.4
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
index 1baf101d93..c9a692dd6d 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
        file://fix-libtool-finish.patch \
        file://net-snmp-testing-add-the-output-format-for-ptest.patch \
        file://run-ptest \
+        file://0001-Fix-CVE-2014-2285.patch \
 "
 SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"
author	Junling Zheng <zhengjunling@huawei.com>	2015-05-04 03:22:26 +0000
committer	Joe MacDonald <joe_macdonald@mentor.com>	2015-05-08 15:40:28 -0400
commit	ff3c52f44da3cd8c2e350677c85d161b9819ddcc (patch)
tree	15dfe1c1af0d0424bc26d82b7f1e43264c3e16c6 /meta-networking
parent	2cb54ed8a103c56fcf42d4a363d175dbdc094489 (diff)
download	meta-openembedded-ff3c52f44da3cd8c2e350677c85d161b9819ddcc.tar.gz

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch new file mode 100644 index 0000000000..b1514b97f9 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
@@ -0,0 +1,49 @@
		1	From 87a0d27102ceffb92e5c1d6fbbd24972a9dd33ac Mon Sep 17 00:00:00 2001
		2	From: Junling Zheng <zhengjunling@huawei.com>
		3	Date: Mon, 20 Apr 2015 10:23:08 +0000
		4	Subject: [PATCH] Fix CVE-2014-2285
		5
		6	Sending SNMP trap with empty community string crashes snmptrapd if Perl
		7	handler is enabled.
		8
		9	Refer to:
		10	https://bugzilla.redhat.com/show_bug.cgi?id=1072044
		11
		12	Upstream Status: Backported
		13
		14	Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
		15	---
		16	perl/TrapReceiver/TrapReceiver.xs \| 10 +++++-----
		17	1 file changed, 5 insertions(+), 5 deletions(-)
		18
		19	diff --git a/perl/TrapReceiver/TrapReceiver.xs b/perl/TrapReceiver/TrapReceiver.xs
		20	index 531bfa4..ac94370 100644
		21	--- a/perl/TrapReceiver/TrapReceiver.xs
		22	+++ b/perl/TrapReceiver/TrapReceiver.xs
		23	@@ -81,18 +81,18 @@ int perl_trapd_handler( netsnmp_pdu *pdu,
		24	STOREPDUi("securitymodel", pdu->securityModel);
		25	STOREPDUi("securitylevel", pdu->securityLevel);
		26	STOREPDU("contextName",
		27	- newSVpv(pdu->contextName, pdu->contextNameLen));
		28	+ newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextNameLen));
		29	STOREPDU("contextEngineID",
		30	- newSVpv((char *) pdu->contextEngineID,
		31	+ newSVpv((char *)(pdu->contextEngineID ? pdu->contextEngineID : ""),
		32	pdu->contextEngineIDLen));
		33	STOREPDU("securityEngineID",
		34	- newSVpv((char *) pdu->securityEngineID,
		35	+ newSVpv((char *)(pdu->securityEngineID ? pdu->securityEngineID : ""),
		36	pdu->securityEngineIDLen));
		37	STOREPDU("securityName",
		38	- newSVpv((char *) pdu->securityName, pdu->securityNameLen));
		39	+ newSVpv((char *)(pdu->securityName ? pdu->securityName : ""), pdu->securityNameLen));
		40	} else {
		41	STOREPDU("community",
		42	- newSVpv((char *) pdu->community, pdu->community_len));
		43	+ newSVpv((char *)(pdu->community ? pdu->community : ""), pdu->community_len));
		44	}
		45
		46	if (transport && transport->f_fmtaddr) {
		47	--
		48	1.8.3.4
		49


diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb index 1baf101d93..c9a692dd6d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
19	file://fix-libtool-finish.patch \	19	file://fix-libtool-finish.patch \
20	file://net-snmp-testing-add-the-output-format-for-ptest.patch \	20	file://net-snmp-testing-add-the-output-format-for-ptest.patch \
21	file://run-ptest \	21	file://run-ptest \
		22	file://0001-Fix-CVE-2014-2285.patch \
22	"	23	"
23		24
24	SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"	25	SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"