Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

net-snmp 5.4.3~dfsg-2 in Squeeze has a bug (CVE-2012-2141) that is fixed in the testing/unstable version. Its patch is a tiny one, so I would like to upload it to spu.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672492
https://security-tracker.debian.org/tracker/CVE-2012-2141

--
Regards,

Hideki Yamane <henr...@debian.org>

diff -Nru net-snmp-5.4.3~dfsg/debian/changelog net-snmp-5.4.3~dfsg/debian/changelog --- net-snmp-5.4.3~dfsg/debian/changelog 2011-01-05 21:12:04.000000000 +0900 +++ net-snmp-5.4.3~dfsg/debian/changelog 2013-04-06 15:07:05.000000000 +0900 @@ -1,3 +1,11 @@ +net-snmp (5.4.3~dfsg-2.1) stable-proposed-updates; urgency=low + + * Non-maintainer upload. + * debian/patches + - apply CVE-2012-2141.patch + + -- Hideki Yamane <henr...@x121e.mithril-linux.org> Sat, 06 Apr 2013 15:06:20 +0900 + net-snmp (5.4.3~dfsg-2) unstable; urgency=high * Add libperl-dev to libsnmp-dev dependencies (Closes: #608794) diff -Nru net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch --- net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch 1970-01-01 09:00:00.000000000 +0900 +++ net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch 2013-04-06 15:06:15.000000000 +0900 
@@ -0,0 +1,31 @@ +Description: fix denial of service via SNMP GET with non-existent + extension table entry +Bug: http://sourceforge.net/tracker/index.php?func=detail&aid=3526549&group_id=12694&atid=112694 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672492 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=815813 +Origin: upstream, http://net-snmp.git.sourceforge.net/git/gitweb.cgi?p=net-snmp/net-snmp;a=commit;h=4c5633f1603e4bd03ed05c37d782ec8911759c47 + +Index: net-snmp-5.4.3~dfsg/agent/mibgroup/agent/extend.c +=================================================================== +--- net-snmp-5.4.3~dfsg.orig/agent/mibgroup/agent/extend.c 2013-04-06 15:06:10.934136272 +0900 ++++ net-snmp-5.4.3~dfsg/agent/mibgroup/agent/extend.c 2013-04-06 15:06:10.922136274 +0900 +@@ -1124,7 +1124,7 @@ + * ...and check the line requested is valid + */ + line_idx = *table_info->indexes->next_variable->val.integer; +- if (eptr->numlines < line_idx) ++ if (line_idx < 1 || line_idx > eptr->numlines) + return NULL; + } + return eptr; +@@ -1297,6 +1297,10 @@ + * Determine which line we've been asked for.... + */ + line_idx = *table_info->indexes->next_variable->val.integer; ++ if (line_idx < 1 || line_idx > extension->numlines) { ++ netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE); ++ continue; ++ } + cp = extension->lines[line_idx-1]; + + /* diff -Nru net-snmp-5.4.3~dfsg/debian/patches/series net-snmp-5.4.3~dfsg/debian/patches/series --- net-snmp-5.4.3~dfsg/debian/patches/series 2011-01-05 21:12:04.000000000 +0900 +++ net-snmp-5.4.3~dfsg/debian/patches/series 2013-04-06 15:04:00.000000000 +0900 @@ -12,3 +12,4 @@ 60_libsensors_api.patch 61_vacm_missing_dependency_check.patch 62_add_lib_cflags.patch +CVE-2012-2141.patch
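
Review bot: In the debian/changelog hunk, the new 5.4.3~dfsg-2.1 entry says only "apply CVE-2012-2141.patch" and carries no bug reference, so the changelog neither says what is fixed nor ties this version to #672492. Suggest wording along the lines of "Fix denial of service via SNMP GET with non-existent extension table entry (CVE-2012-2141) (Closes: #672492)". The trailer address (x121e.mithril-linux.org) also differs from the debian.org address used in the request and looks like a local hostname; worth correcting before upload.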
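
Review bot: In the extend.c hunk at -1124, the comment above the check still reads only "...and check the line requested is valid" while the condition now also rejects zero and negative values. State in that comment that line indexes are 1-based and that anything below 1 is rejected, so the lower bound is not dropped again in a later cleanup. The silent `return NULL` deserves a short remark on how the caller reports it, since the other site in this patch sets SNMP_NOSUCHINSTANCE explicitly.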
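
Review bot: In the extend.c hunk at -1297, the range test is a second hand-written copy of the one at -1124, and before this patch the two sites had already drifted apart (upper bound only at one, no check at all before `extension->lines[line_idx-1]` at the other). Consider one shared helper or macro that takes the extension and the index, so both paths always apply the same bounds. Also confirm that nothing later in the loop body has to run for a rejected request, because the new `continue` skips the rest of the iteration.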
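
Review bot: In the debian/patches/series hunk, the new entry CVE-2012-2141.patch breaks the numeric prefix scheme of the entries just above it (60_libsensors_api.patch, 61_vacm_missing_dependency_check.patch, 62_add_lib_cflags.patch). Naming it 63_CVE-2012-2141.patch would keep the ordering obvious; if renamed, the file added under debian/patches and the changelog line need the same name.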