From 5adc16a15958205340b87a6fcd88c8522ff8205f Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 7 Oct 2024 21:01:48 +0300 Subject: [PATCH] import net-snmp-5.9.1-17.el9 --- .../net-snmp-5.9-CVE-2022-24805-24810.patch | 163 ++++++++++++++++++ SOURCES/net-snmp-5.9-deleted-iface.patch | 43 +++++ SOURCES/net-snmp-5.9.4-kernel-6.7.patch | 120 +++++++++++++ SPECS/net-snmp.spec | 21 ++- 4 files changed, 346 insertions(+), 1 deletion(-) create mode 100644 SOURCES/net-snmp-5.9-CVE-2022-24805-24810.patch create mode 100644 SOURCES/net-snmp-5.9-deleted-iface.patch create mode 100644 SOURCES/net-snmp-5.9.4-kernel-6.7.patch diff --git a/SOURCES/net-snmp-5.9-CVE-2022-24805-24810.patch b/SOURCES/net-snmp-5.9-CVE-2022-24805-24810.patch new file mode 100644 index 0000000..87efe17 --- /dev/null +++ b/SOURCES/net-snmp-5.9-CVE-2022-24805-24810.patch @@ -0,0 +1,163 @@ +From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Tue, 24 Aug 2021 07:55:00 -0700 +Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request + +Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE +Fixes by: Arista Networks + +When a SET request includes a mix of delegated and +non-delegated requests (e.g., objects handled by master +agent and agentx sub-agent), the status can get lost while +waiting for the reply from the sub-agent. Recover the status +into the session from the requests even if it has already +been processed. +--- + agent/snmp_agent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c +index 84fbb42b47..095ee70985 100644 +--- a/agent/snmp_agent.c ++++ b/agent/snmp_agent.c +@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp, + if (requests->status != SNMP_ERR_NOERROR && + (!look_for_specific || requests->status == look_for_specific) + && (look_for_specific || asp->index == 0 +- || requests->index < asp->index)) { ++ || requests->index <= asp->index)) { + asp->index = requests->index; + asp->status = requests->status; + } +From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001 +From: Bill Fenner +Date: Wed, 30 Jun 2021 14:00:28 -0700 +Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, + NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB + +Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE +Fixes by: Arista Networks +--- + agent/mibgroup/agent/nsLogging.c | 6 ++++++ + agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++-- + agent/mibgroup/mibII/vacm_vars.c | 3 +++ + agent/mibgroup/snmpv3/usmUser.c | 2 -- + 4 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c +index 9abdeb5bb7..7f4290490a 100644 +--- a/agent/mibgroup/agent/nsLogging.c ++++ b/agent/mibgroup/agent/nsLogging.c +@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler, + continue; + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler, + } + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler, + continue; + logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + switch (table_info->colnum) { + case NSLOGGING_TYPE: +diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c +index cc61fce7e6..6c43210074 100644 +--- a/agent/mibgroup/agent/nsVacmAccessTable.c ++++ b/agent/mibgroup/agent/nsVacmAccessTable.c +@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + entry = (struct vacm_accessEntry *) + netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + + /* Extract the authType token from the list of indexes */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++ if (idx->val_len >= sizeof(atype)) ++ continue; + memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + entry = (struct vacm_accessEntry *) + netsnmp_extract_iterator_context(request); + table_info = netsnmp_extract_table_info(request); ++ if (!table_info || !table_info->indexes) ++ continue; + ret = SNMP_ERR_NOERROR; + + switch (table_info->colnum) { +@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + * Extract the authType token from the list of indexes + */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++ if (idx->val_len >= sizeof(atype)) ++ continue; + memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + idx = idx->next_variable; model = *idx->val.integer; + idx = idx->next_variable; level = *idx->val.integer; + entry = vacm_createAccessEntry( gName, cPrefix, model, level ); +- entry->storageType = ST_NONVOLATILE; +- netsnmp_insert_iterator_context(request, (void*)entry); ++ if (entry) { ++ entry->storageType = ST_NONVOLATILE; ++ netsnmp_insert_iterator_context(request, (void*)entry); ++ } + } + } + } +@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler, + + /* Extract the authType token from the list of indexes */ + idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; ++ if (idx->val_len >= sizeof(atype)) ++ continue; + memset(atype, 0, sizeof(atype)); + memcpy(atype, (char *)idx->val.string, idx->val_len); + viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); +diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c +index 469a1eba59..62c9a3d051 100644 +--- a/agent/mibgroup/mibII/vacm_vars.c ++++ b/agent/mibgroup/mibII/vacm_vars.c +@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen, + return 1; + } + groupNameL = oidIndex[0]; ++ if ((groupNameL + 1) > (int) oidLen) { ++ return 1; ++ } + contextPrefixL = oidIndex[groupNameL + 1]; /* the initial name length */ + if ((int) oidLen != groupNameL + contextPrefixL + 4) { + return 1; +diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c +index 0f52aaba49..0edea53cfb 100644 +--- a/agent/mibgroup/snmpv3/usmUser.c ++++ b/agent/mibgroup/snmpv3/usmUser.c +@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action, + if (usmStatusCheck(uptr)) { + uptr->userStatus = RS_ACTIVE; + } else { +- SNMP_FREE(engineID); +- SNMP_FREE(newName); + return SNMP_ERR_INCONSISTENTVALUE; + } + } else if (long_ret == RS_CREATEANDWAIT) { + diff --git a/SOURCES/net-snmp-5.9-deleted-iface.patch b/SOURCES/net-snmp-5.9-deleted-iface.patch new file mode 100644 index 0000000..cb54152 --- /dev/null +++ b/SOURCES/net-snmp-5.9-deleted-iface.patch @@ -0,0 +1,43 @@ +diff -urNp a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c +--- a/agent/mibgroup/if-mib/data_access/interface_linux.c 2024-07-16 10:05:43.294653089 +0200 ++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c 2024-07-16 10:23:55.392041022 +0200 +@@ -609,7 +609,6 @@ netsnmp_arch_interface_container_load(ne + { + FILE *devin; + char line[256]; +- netsnmp_interface_entry *entry = NULL; + static char scan_expected = 0; + int fd; + int interfaces = 0; +@@ -690,6 +689,7 @@ netsnmp_arch_interface_container_load(ne + * and retrieve (or create) the corresponding data structure. + */ + while (fgets(line, sizeof(line), devin)) { ++ netsnmp_interface_entry *entry = NULL; + char *stats, *ifstart = line; + u_int flags; + oid if_index; +@@ -733,8 +733,13 @@ netsnmp_arch_interface_container_load(ne + * ip version is to look for ip addresses. If anyone + * knows a better way, put it here! + */ +-#ifdef NETSNMP_ENABLE_IPV6 + if_index = netsnmp_arch_interface_index_find(ifstart); ++ if (if_index == 0) { ++ DEBUGMSGTL(("access:interface", "network interface %s is gone", ++ ifstart)); ++ continue; ++ } ++#ifdef NETSNMP_ENABLE_IPV6 + _arch_interface_has_ipv6(if_index, &flags, addr_container); + #endif + netsnmp_access_interface_ioctl_has_ipv4(fd, ifstart, 0, &flags, &ifc); +@@ -752,7 +757,7 @@ netsnmp_arch_interface_container_load(ne + continue; + } + +- entry = netsnmp_access_interface_entry_create(ifstart, 0); ++ entry = netsnmp_access_interface_entry_create(ifstart, if_index); + if(NULL == entry) { + #ifdef NETSNMP_ENABLE_IPV6 + netsnmp_access_ipaddress_container_free(addr_container, 0); diff --git a/SOURCES/net-snmp-5.9.4-kernel-6.7.patch b/SOURCES/net-snmp-5.9.4-kernel-6.7.patch new file mode 100644 index 0000000..089f23b --- /dev/null +++ b/SOURCES/net-snmp-5.9.4-kernel-6.7.patch @@ -0,0 +1,120 @@ +From f5ae6baf0018abda9dedc368fe6d52c0d7a8ab8f Mon Sep 17 00:00:00 2001 +From: Philippe Troin +Date: Sat, 3 Feb 2024 10:30:30 -0800 +Subject: [PATCH] Add Linux 6.7 compatibility parsing /proc/net/snmp + +Linux 6.7 adds a new OutTransmits field to Ip in /proc/net/snmp. +This breaks the hard-coded assumptions about the Ip line length. +Add compatibility to parse Linux 6.7 Ip header while keep support +for previous versions. +--- + .../ip-mib/data_access/systemstats_linux.c | 46 +++++++++++++++---- + 1 file changed, 37 insertions(+), 9 deletions(-) + +diff --git a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c +index 49e0a34d5c..f04e828a94 100644 +--- a/agent/mibgroup/ip-mib/data_access/systemstats_linux.c ++++ b/agent/mibgroup/ip-mib/data_access/systemstats_linux.c +@@ -36,7 +36,7 @@ netsnmp_access_systemstats_arch_init(void) + } + + /* +- /proc/net/snmp ++ /proc/net/snmp - Linux 6.6 and lower + + Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates + Ip: 2 64 7083534 0 0 0 0 0 6860233 6548963 0 0 1 286623 63322 1 259920 0 0 +@@ -49,6 +49,26 @@ netsnmp_access_systemstats_arch_init(void) + + Udp: InDatagrams NoPorts InErrors OutDatagrams + Udp: 1491094 122 0 1466178 ++* ++ /proc/net/snmp - Linux 6.7 and higher ++ ++ Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates OutTransmits ++ Ip: 1 64 50859058 496 0 37470604 0 0 20472980 7515791 1756 0 0 7264 3632 0 3548 0 7096 44961424 ++ ++ Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InTimeExcds InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps InTimestamps InTimestampReps InAddrMasks InAddrMaskReps OutMsgs OutErrors OutRateLimitGlobal OutRateLimitHost OutDestUnreachs OutTimeExcds OutParmProbs OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps OutTimestampReps OutAddrMasks OutAddrMaskReps ++ Icmp: 114447 2655 0 17589 0 0 0 0 66905 29953 0 0 0 0 143956 0 0 572 16610 484 0 0 0 59957 66905 0 0 0 0 ++ ++ IcmpMsg: InType0 InType3 InType8 OutType0 OutType3 OutType8 OutType11 ++ IcmpMsg: 29953 17589 66905 66905 16610 59957 484 ++ ++ Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors ++ Tcp: 1 200 120000 -1 17744 13525 307 3783 6 18093137 9277788 3499 8 7442 0 ++ ++ Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors ++ Udp: 2257832 1422 0 2252835 0 0 0 84 0 ++ ++ UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti MemErrors ++ UdpLite: 0 0 0 0 0 0 0 0 0 + */ + + +@@ -101,10 +121,10 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + FILE *devin; + char line[1024]; + netsnmp_systemstats_entry *entry = NULL; +- int scan_count; ++ int scan_count, expected_scan_count; + char *stats, *start = line; + int len; +- unsigned long long scan_vals[19]; ++ unsigned long long scan_vals[20]; + + DEBUGMSGTL(("access:systemstats:container:arch", "load v4 (flags %x)\n", + load_flags)); +@@ -126,10 +146,17 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + */ + NETSNMP_IGNORE_RESULT(fgets(line, sizeof(line), devin)); + len = strlen(line); +- if (224 != len) { ++ switch (len) { ++ case 224: ++ expected_scan_count = 19; ++ break; ++ case 237: ++ expected_scan_count = 20; ++ break; ++ default: + fclose(devin); + snmp_log(LOG_ERR, "systemstats_linux: unexpected header length in /proc/net/snmp." +- " %d != 224\n", len); ++ " %d not in { 224, 237 } \n", len); + return -4; + } + +@@ -178,20 +205,20 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + memset(scan_vals, 0x0, sizeof(scan_vals)); + scan_count = sscanf(stats, + "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu" +- "%llu %llu %llu %llu %llu %llu %llu %llu %llu", ++ "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu", + &scan_vals[0],&scan_vals[1],&scan_vals[2], + &scan_vals[3],&scan_vals[4],&scan_vals[5], + &scan_vals[6],&scan_vals[7],&scan_vals[8], + &scan_vals[9],&scan_vals[10],&scan_vals[11], + &scan_vals[12],&scan_vals[13],&scan_vals[14], + &scan_vals[15],&scan_vals[16],&scan_vals[17], +- &scan_vals[18]); ++ &scan_vals[18],&scan_vals[19]); + DEBUGMSGTL(("access:systemstats", " read %d values\n", scan_count)); + +- if(scan_count != 19) { ++ if(scan_count != expected_scan_count) { + snmp_log(LOG_ERR, + "error scanning systemstats data (expected %d, got %d)\n", +- 19, scan_count); ++ expected_scan_count, scan_count); + netsnmp_access_systemstats_entry_free(entry); + return -4; + } +@@ -223,6 +250,7 @@ _systemstats_v4(netsnmp_container* container, u_int load_flags) + entry->stats.HCOutFragFails.high = scan_vals[17] >> 32; + entry->stats.HCOutFragCreates.low = scan_vals[18] & 0xffffffff; + entry->stats.HCOutFragCreates.high = scan_vals[18] >> 32; ++ /* entry->stats. = scan_vals[19]; / * OutTransmits */ + + entry->stats.columnAvail[IPSYSTEMSTATSTABLE_HCINRECEIVES] = 1; + entry->stats.columnAvail[IPSYSTEMSTATSTABLE_INHDRERRORS] = 1; + diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec index 3aba2de..65f1475 100644 --- a/SPECS/net-snmp.spec +++ b/SPECS/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.9.1 -Release: 13%{?dist} +Release: 17%{?dist} Epoch: 1 License: BSD @@ -57,6 +57,9 @@ Patch27: net-snmp-5.9-ipv6-disable-leak.patch Patch28: net-snmp-5.9-sendmsg-error-code.patch Patch29: net-snmp-5.9-message-severity.patch Patch30: net-snmp-5.9-rpmdb.patch +Patch31: net-snmp-5.9-CVE-2022-24805-24810.patch +Patch32: net-snmp-5.9.4-kernel-6.7.patch +Patch33: net-snmp-5.9-deleted-iface.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch @@ -239,6 +242,9 @@ cp %{SOURCE10} . %patch28 -p1 -b .sendmsg-error-code %patch29 -p1 -b .message-severity %patch30 -p1 -b .rpmdb +%patch31 -p1 -b .CVE-2022-24805-24810 +%patch32 -p1 -b .kernel-6.7-fix +%patch33 -p1 -b .iface %patch101 -p1 -b .modern-rpm-api %patch102 -p1 @@ -508,6 +514,19 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Tue Jul 16 2024 Josef Ridky - 1:5.9.1-17 +- fix segfault with error on subcontainer (RHEL-46033) + +* Fri Jun 21 2024 Josef Ridky - 1:5.9.1-16 +- fix unexpected header length in /proc/net/snmp (RHEL-44357) + +* Tue Apr 09 2024 Josef Ridky - 1:5.9.1-15 +- fix changelog issue + +* Tue Apr 09 2024 Josef Ridky - 1:5.9.1-14 +- fix CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, + CVE-2022-24809 and CVE-2022-24810 (RHEL-26649) + * Thu Oct 19 2023 Josef Ridky - 1:5.9.1-13 - add support for SQLite db background of rpm (RHEL-6854)