[Buildroot] [PATCH] package/netsnmp: revert back to 5.9.3, backport security fix

Yann E. MORIN yann.morin.1998 at free.fr
Sun Nov 26 17:34:21 UTC 2023


Thomas, All,

On 2023-11-16 14:51 +0100, Thomas Petazzoni via buildroot spake thusly:
> In commit 13fc9dcb34926e9b6310b23662920c55c96d83a1, netsnmp was bumped
> from 5.9.3 to 5.9.4 to fix two CVEs.
> 
> However, even though it's a minor version bump, there are actually 163
> commits upstream between those two minor releases, and some of them
> are breaking existing use-cases. In particular upstream
> a2cb167514ac0c7e1b04e8f151e0b015501362e0 now requires that config_()
> macros in MIB files are terminated with a semicolon, causing a build
> breakage with existing MIB files that were totally valid with 5.9.3.
> 
> This commit therefore proposes to revert back to 5.9.3, by reverting
> those two commits:
> 
> 56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
> 13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4
> 
> and instead revert the one upstream commit that fixes both CVEs.

s/revert/backport/ as noticed by Baruch.

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>

Applied to master, thanks.

> ---
> Note: for master, we probably want to keep the bump to 5.9.4, as it's
> upstream decision. This commit is really intended for
> 2023.02.x (perhaps other maintenance branches), where we don't want to
> break things for users.

I saw that comment a bit too late, and pushed to master.

However, after reading the CHANGES file, I noticed that:

    IMPORTANT: SNMP over TLS and/or DTLS are not functioning properly
    in this release with various versions of OpenSSL and will be fixed
    in a future release.

So, it was anyway a good idea to revert (pfeew...)

Regards,
Yann E. MORIN.

> ---
>  ...onfiguration-of-NETSNMP_FD_MASK_TYPE.patch | 38 ----------
>  ...agent-disallow-SET-with-NULL-varbind.patch | 72 +++++++++++++++++++
>  package/netsnmp/netsnmp.hash                  |  6 +-
>  package/netsnmp/netsnmp.mk                    |  6 +-
>  4 files changed, 80 insertions(+), 42 deletions(-)
>  delete mode 100644 package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
>  create mode 100644 package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> 
> diff --git a/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch b/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
> deleted file mode 100644
> index 91a00aec27..0000000000
> --- a/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
> +++ /dev/null
> @@ -1,38 +0,0 @@
> -From a62169f1fa358be8f330ea8519ade0610fac525b Mon Sep 17 00:00:00 2001
> -From: Adam Gajda <adgajda at users.noreply.github.com>
> -Date: Mon, 2 Oct 2023 16:40:31 +0200
> -Subject: [PATCH] Fix configuration of NETSNMP_FD_MASK_TYPE
> -
> -Upstream: https://github.com/net-snmp/net-snmp/commit/a62169f1fa358be8f330ea8519ade0610fac525b
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ----
> - configure                        | 2 +-
> - configure.d/config_project_types | 2 +-
> - 2 files changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/configure b/configure
> -index 9f0a173d8a..945a27c663 100755
> ---- a/configure
> -+++ b/configure
> -@@ -30871,7 +30871,7 @@ CFLAGS="$CFLAGS -Werror"
> - 
> - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for the type of fd_set::fds_bits" >&5
> - printf %s "checking for the type of fd_set::fds_bits... " >&6; }
> --for type in __fd_mask __int32_t unknown; do
> -+for type in __fd_mask __int32_t long\ int unknown; do
> -   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
> - /* end confdefs.h.  */
> - 
> -diff --git a/configure.d/config_project_types b/configure.d/config_project_types
> -index 1b4c66b95e..a78e8ebb06 100644
> ---- a/configure.d/config_project_types
> -+++ b/configure.d/config_project_types
> -@@ -66,7 +66,7 @@ netsnmp_save_CFLAGS=$CFLAGS
> - CFLAGS="$CFLAGS -Werror"
> - 
> - AC_MSG_CHECKING([for the type of fd_set::fds_bits])
> --for type in __fd_mask __int32_t unknown; do
> -+for type in __fd_mask __int32_t long\ int unknown; do
> -   AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
> - #include <sys/select.h>
> - #include <stddef.h>
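Review bot: the commit message justifies dropping this patch only by reverting 56caafce, not by stating that 5.9.3 builds on musl without the `long\ int` candidate that this patch adds to the fd_set::fds_bits probe (`for type in __fd_mask __int32_t long\ int unknown; do`); one sentence in the commit message saying that 5.9.3 does not hit the NETSNMP_FD_MASK_TYPE failure on musl would stop the next musl build break from being mis-attributed to this revert.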
> diff --git a/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch b/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> new file mode 100644
> index 0000000000..3a6321d7a7
> --- /dev/null
> +++ b/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> @@ -0,0 +1,72 @@
> +From b07627fa67c686b07d1eab123cf3e4887a2a93aa Mon Sep 17 00:00:00 2001
> +From: Bill Fenner <fenner at gmail.com>
> +Date: Fri, 25 Nov 2022 08:41:24 -0800
> +Subject: [PATCH] snmp_agent: disallow SET with NULL varbind
> +
> +Upstream: https://github.com/net-snmp/net-snmp/commit/4589352dac3ae111c7621298cf231742209efd9b
> +
> +[Thomas: this commit was merged as part of
> +https://github.com/net-snmp/net-snmp/pull/490/commits, which fixes
> +https://github.com/net-snmp/net-snmp/issues/474 (CVE-2022-44792) and
> +https://github.com/net-snmp/net-snmp/issues/475 (CVE-2022-44793). The
> +other two commits merged as part of this pull request are related to
> +adding a non-regression test for this, which is not relevant for the
> +security fix itself.]
> +
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> +---
> + agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++
> + 1 file changed, 32 insertions(+)
> +
> +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
> +index 867d0c166f..3f678fe2df 100644
> +--- a/agent/snmp_agent.c
> ++++ b/agent/snmp_agent.c
> +@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
> +     return 1;
> + }
> + 
> ++static int
> ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
> ++{
> ++    int i;
> ++    netsnmp_variable_list *v = NULL;
> ++
> ++    for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
> ++	if (v->type == ASN_NULL) {
> ++	    /*
> ++	     * Protect SET implementations that do not protect themselves
> ++	     * against wrong type.
> ++	     */
> ++	    DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
> ++	    asp->index = i;
> ++	    return SNMP_ERR_WRONGTYPE;
> ++	}
> ++    }
> ++    return SNMP_ERR_NOERROR;
> ++}
> ++
> + int
> + handle_pdu(netsnmp_agent_session *asp)
> + {
> +     int             status, inclusives = 0;
> +     netsnmp_variable_list *v = NULL;
> + 
> ++#ifndef NETSNMP_NO_WRITE_SUPPORT
> ++    /*
> ++     * Check for ASN_NULL in SET request
> ++     */
> ++    if (asp->pdu->command == SNMP_MSG_SET) {
> ++	status = check_set_pdu_for_null_varbind(asp);
> ++	if (status != SNMP_ERR_NOERROR) {
> ++	    return status;
> ++	}
> ++    }
> ++#endif /* NETSNMP_NO_WRITE_SUPPORT */
> ++
> +     /*
> +      * for illegal requests, mark all nodes as ASN_NULL 
> +      */
> +-- 
> +2.41.0
> +
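Review bot: the From: line records b07627fa67c686b07d1eab123cf3e4887a2a93aa while the Upstream: tag points to 4589352dac3ae111c7621298cf231742209efd9b, and the patch does not say which of the two is the upstream commit id; the bracketed Thomas note is the natural place to add that b07627fa is the locally rebased hash and 4589352d the upstream one, so that anyone cross-checking the fix against net-snmp looks up the right commit. Keeping the hunk byte-for-byte as upstream, tab-indented lines included, is the right choice for a backport.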
> diff --git a/package/netsnmp/netsnmp.hash b/package/netsnmp/netsnmp.hash
> index 7898941271..e1e9d10898 100644
> --- a/package/netsnmp/netsnmp.hash
> +++ b/package/netsnmp/netsnmp.hash
> @@ -1,7 +1,7 @@
>  # Locally calculated after checking pgp signature at
> -# https://sourceforge.net/projects/net-snmp/files/net-snmp/5.9.4/net-snmp-5.9.4.tar.gz.asc
> -# using key 6E6718AEF1EB5C65C32D1B2A356BC0B552D53CAB
> -sha256  8b4de01391e74e3c7014beb43961a2d6d6fa03acc34280b9585f4930745b0544  net-snmp-5.9.4.tar.gz
> +# https://sourceforge.net/projects/net-snmp/files/net-snmp/5.9.3/net-snmp-5.9.3.tar.gz.asc
> +# using key D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6
> +sha256  2097f29b7e1bf3f1300b4bae52fa2308d0bb8d5d3998dbe02f9462a413a2ef0a  net-snmp-5.9.3.tar.gz
>  
>  # Hash for license file
>  sha256  ed869ea395a1f125819a56676385ab0557a21507764bf56f2943302011381e59  COPYING
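Review bot: this hunk changes both the tarball sha256 and the signing-key fingerprint (6E6718AEF1EB5C65C32D1B2A356BC0B552D53CAB to D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6), which is expected for two releases signed with different keys, but since the commit is described as a revert of 13fc9dcb the three restored lines should be byte-identical to the pre-bump file; mentioning in the commit message that they were taken from `git show 13fc9dcb^:package/netsnmp/netsnmp.hash` rather than re-typed makes it clear the restored hash is the previously verified one.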
> diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
> index b5cda30a7b..fafd604879 100644
> --- a/package/netsnmp/netsnmp.mk
> +++ b/package/netsnmp/netsnmp.mk
> @@ -4,13 +4,17 @@
>  #
>  ################################################################################
>  
> -NETSNMP_VERSION = 5.9.4
> +NETSNMP_VERSION = 5.9.3
>  NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NETSNMP_VERSION)
>  NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
>  NETSNMP_LICENSE = Various BSD-like
>  NETSNMP_LICENSE_FILES = COPYING
>  NETSNMP_CPE_ID_VENDOR = net-snmp
>  NETSNMP_CPE_ID_PRODUCT = $(NETSNMP_CPE_ID_VENDOR)
> +# 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> +NETSNMP_IGNORE_CVES = \
> +	CVE-2022-44792 \
> +	CVE-2022-44793
>  NETSNMP_SELINUX_MODULES = snmp
>  NETSNMP_INSTALL_STAGING = YES
>  NETSNMP_CONF_ENV = \
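Review bot: NETSNMP_IGNORE_CVES is tied to the backported fix only through the comment naming 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch, which follows the usual Buildroot convention, but because the commit message itself notes that master is expected to keep 5.9.4, a later re-bump has to drop these two ignore entries together with the patch; a one-line remark to that effect here or in the commit message keeps the ignore list from outliving the patch that justifies it.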
> -- 
> 2.41.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
