[oe] [meta-networking][PATCH] net-snmp: fix CVE-2014-2285
Junling Zheng
zhengjunling at huawei.com
Mon Apr 20 10:37:30 UTC 2015
The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in
Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows
remote attackers to cause a denial of service (snmptrapd crash) via an
empty community string in an SNMP trap, which triggers a NULL pointer
dereference within the newSVpv function in Perl.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1072044
Signed-off-by: Junling Zheng <zhengjunling at huawei.com>
---
.../net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch | 49 ++++++++++++++++++++++
.../recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
new file mode 100644
index 0000000..b1514b9
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Fix-CVE-2014-2285.patch
@@ -0,0 +1,49 @@
+From 87a0d27102ceffb92e5c1d6fbbd24972a9dd33ac Mon Sep 17 00:00:00 2001
+From: Junling Zheng <zhengjunling at huawei.com>
+Date: Mon, 20 Apr 2015 10:23:08 +0000
+Subject: [PATCH] Fix CVE-2014-2285
+
+Sending SNMP trap with empty community string crashes snmptrapd if Perl
+handler is enabled.
+
+Refer to:
+https://bugzilla.redhat.com/show_bug.cgi?id=1072044
+
+Upstream Status: Backported
+
+Signed-off-by: Junling Zheng <zhengjunling at huawei.com>
+---
+ perl/TrapReceiver/TrapReceiver.xs | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/perl/TrapReceiver/TrapReceiver.xs b/perl/TrapReceiver/TrapReceiver.xs
+index 531bfa4..ac94370 100644
+--- a/perl/TrapReceiver/TrapReceiver.xs
++++ b/perl/TrapReceiver/TrapReceiver.xs
+@@ -81,18 +81,18 @@ int perl_trapd_handler( netsnmp_pdu *pdu,
+ STOREPDUi("securitymodel", pdu->securityModel);
+ STOREPDUi("securitylevel", pdu->securityLevel);
+ STOREPDU("contextName",
+- newSVpv(pdu->contextName, pdu->contextNameLen));
++ newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextNameLen));
+ STOREPDU("contextEngineID",
+- newSVpv((char *) pdu->contextEngineID,
++ newSVpv((char *)(pdu->contextEngineID ? pdu->contextEngineID : ""),
+ pdu->contextEngineIDLen));
+ STOREPDU("securityEngineID",
+- newSVpv((char *) pdu->securityEngineID,
++ newSVpv((char *)(pdu->securityEngineID ? pdu->securityEngineID : ""),
+ pdu->securityEngineIDLen));
+ STOREPDU("securityName",
+- newSVpv((char *) pdu->securityName, pdu->securityNameLen));
++ newSVpv((char *)(pdu->securityName ? pdu->securityName : ""), pdu->securityNameLen));
+ } else {
+ STOREPDU("community",
+- newSVpv((char *) pdu->community, pdu->community_len));
++ newSVpv((char *)(pdu->community ? pdu->community : ""), pdu->community_len));
+ }
+
+ if (transport && transport->f_fmtaddr) {
+--
+1.8.3.4
+
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
index 1baf101..c9a692d 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
file://fix-libtool-finish.patch \
file://net-snmp-testing-add-the-output-format-for-ptest.patch \
file://run-ptest \
+ file://0001-Fix-CVE-2014-2285.patch \
"
SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"
--
1.8.3.4
More information about the Openembedded-devel
mailing list