Performing the verification for Hirsute:

First, reproducing the bug with the version currently available:

# apt policy snmpd
snmpd:
  Installed: 5.9+dfsg-3ubuntu1
  Candidate: 5.9+dfsg-3ubuntu1
  Version table:
 *** 5.9+dfsg-3ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
        100 /var/lib/dpkg/status
# snmpd -DALL
...
9:cert:dump:      5: authorityKeyIdentifier = keyid:AC:D0:13:2A:98:58:02:02:D2:BA:E9:8A:0B:F3:5A:B8:BD:6C:BB:64
not enough space or error in allocation for extenstion
Segmentation fault (core dumped)


Now, updating the package to the version available in -proposed and making sure 
that the bug is fixed:

# apt policy snmpd
snmpd:
  Installed: 5.9+dfsg-3ubuntu1.21.04.1
  Candidate: 5.9+dfsg-3ubuntu1.21.04.1
  Version table:
 *** 5.9+dfsg-3ubuntu1.21.04.1 500
        500 http://archive.ubuntu.com/ubuntu hirsute-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     5.9+dfsg-3ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
# snmpd -DALL
trace: netsnmp_getaddrinfo(): system.c, 851:
dns:getaddrinfo: looking up "127.0.0.1" with hint ({ ... })
trace: netsnmp_sockaddr_in6_3(): transports/snmpIPv6BaseDomain.c, 314:
netsnmp_sockaddr_in6: failed to parse 127.0.0.1
Error opening specified endpoint "127.0.0.1"
Server Exiting with code 1
#


As can be seen, the segmentation fault doesn't happen anymore.  Therefore, the 
bug has been fixed and the verification is complete.

** Tags removed: verification-needed verification-needed-hirsute
** Tags added: verification-done-hirsute

** Description changed:

  [ Impact ]
  
  Users can experience a segmentation fault on snmpd (part of net-snmp)
  when using a certificate that contains an extension longer than 512
  bytes and debug output (-D) is enabled.  Although this only happens when
  debugging, it seems to be pretty common to find certificates whose
  extensions are larger than 512 bytes.
  
  [ Test Case ]
  
  Below you can find a step-by-step procedure to reproduce the bug.  Bear
  in mind that the "sed" command may be mangled due to Launchpad's text
  renderization.
  
  $ lxc launch images:ubuntu/hirsute net-snmp-bug1912389
  $ lxc shell net-snmp-bug1912389
- # apt update && apt install net-snmp -y
+ # apt update && apt install snmpd -y
  # sed -i "s@^#\s*nsCertType.*@nsCertType = client,email,objsign@; 
s@^#\s*nsCaRevocationUrl.*@nsCaRevocationUrl = http://www.myverylongurl$(printf 
'%*s' 512 | tr ' ' 'a').com/ca-crl.pem@; 
s@^#\s*extendedKeyUsage.*@extendedKeyUsage = 
critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection@; 
s@^#\s*keyUsage.*@keyUsage = nonRepudiation,digitalSignature,keyEncipherment@" 
/etc/ssl/openssl.cnf
  # openssl req -x509 -out localhost.crt -keyout localhost.key    -newkey 
rsa:2048 -nodes -sha256 -extensions usr_cert   -subj '/CN=localhost' -config 
/etc/ssl/openssl.cnf
  # mkdir -p $HOME/.snmp/tls/certs
  # cp localhost.crt $HOME/.snmp/tls/certs
  # systemctl stop snmpd.service
  # snmpd -DALL
  ...
  not enough space or error in allocation for extenstion
  Segmentation fault (core dumped)
  #
  
  [ Where problems could occur ]
  
  The backported patches are very straightforward and only impact code
  that is run when debug (-D) is active.  There is not much room for
  regression here, especially considering that this is a very recent
  version of the package that will very likely not be affected by newer
  rebuilds.
  
  [ Original Description ]
  
  When net-snmp is given a certificate with an extension that is longer
  than 512 characters, snmp crashes on startup.
  
  Steps to Reproduce:
  1. Configure net-snmp using an EV certificate from a CA (in this case 
Globalsign).
  2. Start snmpd.
  3.
  
  Actual results:
  
  [root@localhost tls]# systemctl status snmpd.service
  ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
     Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor 
preset: disabled)
     Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 
16min ago
    Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped, 
signal=SEGV)
   Main PID: 53269 (code=dumped, signal=SEGV)
  
  Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management 
Protocol (SNMP) Daemon....
  Dec 16 21:21:58 localhost snmpd[53269]: refusing to read world readable or 
writable key /etc/snmp/tls/certs/snmpd.crt
  Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in 
allocation for extenstion
  Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited, 
code=dumped, status=11/SEGV
  Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result 
'core-dump'.
  Dec 16 21:21:59 localhost systemd[1]: Failed to start Simple Network 
Management Protocol (SNMP) Daemon..
  
  Expected results:
  
  Deamon starts without a crash.
  
  Additional info:
  
  Fix available here:
  
  https://github.com/net-snmp/net-snmp/pull/234
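
Review bot: The [ Test Case ] section, including the corrected install line "apt install snmpd -y", ends at the crashing output and never states what a passing run looks like. The verification above shows the fixed package still exiting with "Server Exiting with code 1" on an endpoint error, so the pass criterion should be spelled out as the absence of "Segmentation fault (core dumped)" after the certificate dump, not a clean daemon start. Since the text already warns that the "sed" command may be mangled, attaching that step as a script file would keep the reproduction copyable.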

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912389

Title:
   [Patch] SIGSEGV: crash when certificate contains extension longer
  than 512 bytes
