Hi,

On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: net-snmp
> Version: 5.8+dfsg-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> The following vulnerability was published for net-snmp.
>
> CVE-2019-20892[0]:
> | net-snmp before 5.8.1.pre1 has a double free in
> | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> | request. NOTE: this affects net-snmp packages shipped to end users by
> | multiple Linux distributions, but might not affect an upstream
> | release.
>
> See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> issue originally is tracked from. The issue can be verified with:
>
> | # systemctl stop snmpd.service
> | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> | createUser testuser SHA "testpass" AES "testpass"
> | __EOF__
> | # cat >> /etc/snmp/snmpd.conf << __EOF__
> | rwuser testuser
> | __EOF__
> | # systemctl start snmpd.service
> | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
>
> Please adjust the affected versions in the BTS as needed, I'm not sure
> where the issue has been introduced, but possibly does not affect
> indeed older suites (please do double check).

In Ubuntu
https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
was prepared containing a set of commits which seem to address the
issue (cf. the LP: 1877027 reference).

Regards,
Salvatore