Package: net-snmp
Version: 5.4.3~dfsg-2.4
Followup-For: Bug #672492
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
*** /tmp/tmp7KXNLG/bug_body
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: denial of service via SNMP GET with non-existent
extension table entry
- debian/patches/CVE-2012-2141.patch: validate line_idx in
agent/mibgroup/agent/extend.c.
- CVE-2012-2141
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500,
'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch
--- net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch 1969-12-31 19:00:00.000000000 -0500
+++ net-snmp-5.4.3~dfsg/debian/patches/CVE-2012-2141.patch 2012-05-22 16:33:46.000000000 -0400
@@ -0,0 +1,31 @@
+Description: fix denial of service via SNMP GET with non-existent
+ extension table entry
+Bug: http://sourceforge.net/tracker/index.php?func=detail&aid=3526549&group_id=12694&atid=112694
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672492
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=815813
+Origin: upstream, http://net-snmp.git.sourceforge.net/git/gitweb.cgi?p=net-snmp/net-snmp;a=commit;h=4c5633f1603e4bd03ed05c37d782ec8911759c47
+
+Index: net-snmp-5.4.3~dfsg/agent/mibgroup/agent/extend.c
+===================================================================
+--- net-snmp-5.4.3~dfsg.orig/agent/mibgroup/agent/extend.c 2009-04-22 19:49:21.000000000 -0400
++++ net-snmp-5.4.3~dfsg/agent/mibgroup/agent/extend.c 2012-05-22 16:30:35.596256644 -0400
+@@ -1124,7 +1124,7 @@
+ * ...and check the line requested is valid
+ */
+ line_idx = *table_info->indexes->next_variable->val.integer;
+- if (eptr->numlines < line_idx)
++ if (line_idx < 1 || line_idx > eptr->numlines)
+ return NULL;
+ }
+ return eptr;
+@@ -1297,6 +1297,10 @@
+ * Determine which line we've been asked for....
+ */
+ line_idx = *table_info->indexes->next_variable->val.integer;
++ if (line_idx < 1 || line_idx > extension->numlines) {
++ netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE);
++ continue;
++ }
+ cp = extension->lines[line_idx-1];
+
+ /*
diff -Nru net-snmp-5.4.3~dfsg/debian/patches/series net-snmp-5.4.3~dfsg/debian/patches/series
--- net-snmp-5.4.3~dfsg/debian/patches/series 2012-01-05 02:29:32.000000000 -0500
+++ net-snmp-5.4.3~dfsg/debian/patches/series 2012-05-22 16:30:12.000000000 -0400
@@ -15,3 +15,4 @@
63_fix_shell.patch
64_missing_lib.patch
ubuntu-fix-lp-587828.patch
+CVE-2012-2141.patch
