Package: release.debian.org Severity: normal Tags: wheezy User: release.debian....@packages.debian.org Usertags: pu
Dear Release team, Bug#684388 important bug affects both stable and oldstable. It breaks SNMP communication in the case a single snmp has the length of oids increasing, longer oids won't be communicated to subagent. Example at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388#5 debian-security team prefers this to be addressed using a upload in spu instead of issuing a DSA. The attached fix is very localized, and already present in testing, see http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774 Please find a debdiff against wheezy 5.4.3~dfsg-2.7. -- Simon Paillard
diffstat for net-snmp-5.4.3~dfsg net-snmp-5.4.3~dfsg changelog | 8 ++++++++ patches/67_CVE-2014-2310.patch | 22 ++++++++++++++++++++++ patches/series | 1 + 3 files changed, 31 insertions(+) diff -Nru net-snmp-5.4.3~dfsg/debian/changelog net-snmp-5.4.3~dfsg/debian/changelog --- net-snmp-5.4.3~dfsg/debian/changelog 2012-11-24 14:06:46.000000000 +0100 +++ net-snmp-5.4.3~dfsg/debian/changelog 2014-03-17 21:02:49.000000000 +0100 @@ -1,3 +1,11 @@ +net-snmp (5.4.3~dfsg-2.8) stable; urgency=medium + + * Non-maintainer upload. + * Fix agentx subagent issues with multiple-object requests and increasing + object length (CVE-2014-2310) (Closes: #684388) + + -- Simon Paillard <spaill...@debian.org> Mon, 17 Mar 2014 20:56:52 +0100 + net-snmp (5.4.3~dfsg-2.7) unstable; urgency=low * Non-maintainer upload. diff -Nru net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch --- net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch 1970-01-01 01:00:00.000000000 +0100 +++ net-snmp-5.4.3~dfsg/debian/patches/67_CVE-2014-2310.patch 2014-03-17 20:51:06.000000000 +0100 @@ -0,0 +1,22 @@ +Description: Patch 3141462: from fenner: fix agentx subagent issues with multiple-object requests +Bug: http://sourceforge.net/p/net-snmp/patches/1113/ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388 +Origin: upstream, http://sourceforge.net/p/net-snmp/code/ci/8d160ac04e7087c10fbda1d1d76d5f2854d58057 +Index: net-snmp-5.4.3~dfsg/agent/mibgroup/agentx/protocol.c +=================================================================== +--- net-snmp-5.4.3~dfsg.orig/agent/mibgroup/agentx/protocol.c 2014-03-17 20:51:06.668331699 +0100 ++++ net-snmp-5.4.3~dfsg/agent/mibgroup/agentx/protocol.c 2014-03-17 20:51:06.660331611 +0100 +@@ -1765,11 +1765,11 @@ + (u_char *) end_oid_buf, + end_oid_buf_len); + } ++ oid_buf_len = MAX_OID_LEN; ++ end_oid_buf_len = MAX_OID_LEN; + } + + DEBUGINDENTLESS(); +- oid_buf_len = MAX_OID_LEN; +- end_oid_buf_len = MAX_OID_LEN; + break; + + diff -Nru net-snmp-5.4.3~dfsg/debian/patches/series net-snmp-5.4.3~dfsg/debian/patches/series --- net-snmp-5.4.3~dfsg/debian/patches/series 2012-11-24 13:30:03.000000000 +0100 +++ net-snmp-5.4.3~dfsg/debian/patches/series 2014-03-17 21:33:32.000000000 +0100 @@ -17,3 +17,4 @@ 64_missing_lib.patch 65_CVE-2012-2141.patch 66_formatstrings.patch +67_CVE-2014-2310.patch
