I sent the following email nearly 48 hours ago to secur...@ubuntu.com and have received no response or even an acknowledgment, so I'm following up as a comment to this bug. (I also sent the bug to Debian's pkg-net-snmp-de...@lists.alioth.debian.org, but it never made it through to the archives, so I just added a comment to Debian's bug #516801.)

I'll attach the below-referenced patch to this bug (#331410).

SUMMARY
-------
snmpd in lucid (5.4.2.1~dfsg0ubuntu1-0ubuntu2) is vulnerable to CVE-2008-6123, contrary to what its changelog says. The attached patch was applied to the aforementioned version, compiled in a pbuilder lucid chroot (on lenny), and the resulting packages (libsnmp-base, libsnmp15, snmp, snmpd) were successfully tested on lucid-i386. I also downloaded sid's 5.4.2.1~dfsg-5 source and it appears to be vulnerable based on its snmplib/snmpUDPDomain.c and the lack of any applicable patch(es) in debian/patches.

REFERENCES
----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6123
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17367
http://net-snmp.svn.sourceforge.net/viewvc/net-snmp/branches/V5-4-patches/net-snmp/snmplib/snmpUDPDomain.c?r1=17367&r2=17366&pathrev=17367

BACKGROUND
----------
I recently upgraded a netbook from hardy to lucid by installing lucid to a new hard drive and copying/merging the old configuration. After installing snmpd and merging/copying the associated configuration files (/etc/default/snmpd, /etc/snmp/snmpd.conf, /etc/hosts.allow, & /etc/hosts.deny), it rejected connections from my cacti installation residing on the network (the only IP allowed to connect to it based on the tcp-wrapper's ACL). I also noticed that the syslog output was incorrect:

snmpd[$PID]: Connection from UDP: [$LOCAL_IP]->[$REMOTE_IP]:-13093 REFUSED

Yes, the remote port is negative due to "%hd" in the packages' snmplib/snmpUDPDomain.c, but it is "%hu" upstream and fixed in the attached patch.

PROBLEM
-------
snmpd improperly applies tcp-wrapper ACLs because it calls tcp-wrapper's hosts_ctl() (see netsnmp_agent_check_packet() in agent/snmp_agent.c) with its local IP address as the "client_addr" (instead of the SNMP client's remote IP address), because of incorrect string assembly (see netsnmp_udp_fmtaddr() in snmplib/snmpUDPDomain.c).

SOLUTION
--------
Searching for snmpd bugs related to tcp wrappers, I found Debian bug #516801. I downloaded and browsed the Ubuntu source package, reviewed agent/snmp_agent.c where tcp-wrappers' hosts_ctl() is called, backtracked to snmplib/snmpUDPDomain.c where the string is constructed that snmp_agent.c deconstructs for hosts_ctl(), and verified that upstream's CVE-2008-6123 patch for v5.4 is still applicable (though compensating for "%hd" in the Debian/Ubuntu source). I added the patch to the package using quilt, rebuilt the package, installed it, and it works correctly:

snmpd[$PID]: Connection from UDP: [$REMOTE_IP]:53735->[$LOCAL_IP]

Thanks for providing the net-snmp packages!

--
CVE-2008-6123: not fixed in latest security releases
https://bugs.launchpad.net/bugs/331410
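The mechanism the report describes, as an added illustration in C (this is not net-snmp's code and not the reporter's patch; the function names, the simplified "first bracketed address is the client" extraction rule, and the sample addresses and ports are constructed for the example). fmt_buggy() reproduces the lucid ordering with "%hd", which is why a high remote port such as 52443 logs as -13093, and fmt_fixed() reproduces the upstream r17367 ordering with "%hu". acl_sees_peer() shows that an ACL check fed from the buggy string is evaluated against the daemon's own address rather than the peer's, which is exactly the symptom of an allowed client being REFUSED:

```c
#include <stdio.h>
#include <string.h>

/* Lucid ordering as described in the bug report: local address first,
 * remote port printed with "%hd" (signed), so ports above 32767 go negative.
 * Hypothetical helper, not net-snmp's netsnmp_udp_fmtaddr(). */
static void fmt_buggy(char *out, size_t n, const char *local,
                      const char *remote, unsigned short port)
{
    snprintf(out, n, "UDP: [%s]->[%s]:%hd", local, remote, port);
}

/* Upstream r17367 ordering as described: remote address and port first,
 * port printed unsigned with "%hu". Hypothetical helper as well. */
static void fmt_fixed(char *out, size_t n, const char *local,
                      const char *remote, unsigned short port)
{
    snprintf(out, n, "UDP: [%s]:%hu->[%s]", remote, port, local);
}

/* Assumed simplification of how the agent side deconstructs the transport
 * string to obtain the client_addr argument for hosts_ctl(): take the text
 * inside the first [...] pair. Returns 0 on success, -1 on malformed input. */
static int extract_client_addr(const char *desc, char *out, size_t n)
{
    const char *open = strchr(desc, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    size_t len;

    if (!open || !close)
        return -1;
    len = (size_t)(close - open - 1);
    if (len >= n)
        return -1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return 0;
}

/* Returns 1 if the address the ACL would be checked against is the peer's
 * (correct), 0 if it is the daemon's own local address (the misbehaviour
 * described in the report), -1 on a parse failure. */
static int acl_sees_peer(int fixed, const char *local, const char *remote,
                         unsigned short port)
{
    char desc[128], client[64];

    if (fixed)
        fmt_fixed(desc, sizeof desc, local, remote, port);
    else
        fmt_buggy(desc, sizeof desc, local, remote, port);

    if (extract_client_addr(desc, client, sizeof client) != 0)
        return -1;
    return strcmp(client, remote) == 0;
}

int main(void)
{
    /* Constructed sample addresses (RFC 5737 documentation range). */
    const char *local = "192.0.2.10";
    const char *remote = "192.0.2.20";
    char desc[128];

    fmt_buggy(desc, sizeof desc, local, remote, 52443);
    printf("buggy: %s  (ACL sees peer: %d)\n", desc,
           acl_sees_peer(0, local, remote, 52443));
    fmt_fixed(desc, sizeof desc, local, remote, 52443);
    printf("fixed: %s  (ACL sees peer: %d)\n", desc,
           acl_sees_peer(1, local, remote, 52443));
    return 0;
}
```

The port value 52443 is chosen because 52443 - 65536 = -13093, the negative port visible in the quoted syslog line; any port above 32767 shows the same "%hd" artifact.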