Debian Bug report logs -
#963713
net-snmp: CVE-2019-20892
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
:
Bug#963713
; Package src:net-snmp
.
(Thu, 25 Jun 2020 20:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
.
(Thu, 25 Jun 2020 20:33:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: net-snmp
Version: 5.8+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerability was published for net-snmp.
CVE-2019-20892[0]:
| net-snmp before 5.8.1.pre1 has a double free in
| usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
| request. NOTE: this affects net-snmp packages shipped to end users by
| multiple Linux distributions, but might not affect an upstream
| release.
See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
issue originally is tracked from. The issue can be verified with:
| # systemctl stop snmpd.service
| # cat >> /var/lib/snmp/snmpd.conf << __EOF__
| createUser testuser SHA "testpass" AES "testpass"
| __EOF__
| # cat >> /etc/snmp/snmpd.conf << __EOF__
| rwuser testuser
| __EOF__
| # systemctl start snmpd.service
| # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
[1] https://www.openwall.com/lists/oss-security/2020/06/25/4
[2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
Please adjust the affected versions in the BTS as needed, I'm not sure
where the issue has been introduced, but possibly does not affect
indeed older suites (please do double check).
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
:
Bug#963713
; Package src:net-snmp
.
(Thu, 25 Jun 2020 21:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
.
(Thu, 25 Jun 2020 21:27:02 GMT) (full text, mbox, link).
Message #10 received at 963713@bugs.debian.org (full text, mbox, reply):
Hi,
On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: net-snmp
> Version: 5.8+dfsg-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> The following vulnerability was published for net-snmp.
>
> CVE-2019-20892[0]:
> | net-snmp before 5.8.1.pre1 has a double free in
> | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> | request. NOTE: this affects net-snmp packages shipped to end users by
> | multiple Linux distributions, but might not affect an upstream
> | release.
>
> See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> issue originally is tracked from. The issue can be verified with:
>
> | # systemctl stop snmpd.service
> | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> | createUser testuser SHA "testpass" AES "testpass"
> | __EOF__
> | # cat >> /etc/snmp/snmpd.conf << __EOF__
> | rwuser testuser
> | __EOF__
> | # systemctl start snmpd.service
> | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
>
> Please adjust the affected versions in the BTS as needed, I'm not sure
> where the issue has been introduced, but possibly does not affect
> indeed older suites (please do double check).
In Ubuntu
https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
was prepared containing a set of commits which seem to adress the
issue (cf. the LP: 1877027 reference).
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
:
Bug#963713
; Package src:net-snmp
.
(Thu, 25 Jun 2020 21:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Andreas Hasenack <andreas@canonical.com>
:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
.
(Thu, 25 Jun 2020 21:33:03 GMT) (full text, mbox, link).
Message #15 received at 963713@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
we are not happy yet with those commits because they change a struct
without bumping the soname. We are investigating how impactful that is.
On Thu, Jun 25, 2020 at 6:27 PM Salvatore Bonaccorso <carnil@debian.org>
wrote:
> Hi,
>
> On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> > Source: net-snmp
> > Version: 5.8+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > The following vulnerability was published for net-snmp.
> >
> > CVE-2019-20892[0]:
> > | net-snmp before 5.8.1.pre1 has a double free in
> > | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> > | request. NOTE: this affects net-snmp packages shipped to end users by
> > | multiple Linux distributions, but might not affect an upstream
> > | release.
> >
> > See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> > issue originally is tracked from. The issue can be verified with:
> >
> > | # systemctl stop snmpd.service
> > | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> > | createUser testuser SHA "testpass" AES "testpass"
> > | __EOF__
> > | # cat >> /etc/snmp/snmpd.conf << __EOF__
> > | rwuser testuser
> > | __EOF__
> > | # systemctl start snmpd.service
> > | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A
> testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> > [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> > [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
> >
> > Please adjust the affected versions in the BTS as needed, I'm not sure
> > where the issue has been introduced, but possibly does not affect
> > indeed older suites (please do double check).
>
> In Ubuntu
> https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
> was prepared containing a set of commits which seem to adress the
> issue (cf. the LP: 1877027 reference).
>
> Regards,
> Salvatore
>
>
[Message part 2 (text/html, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Jun 26 09:11:16 2020;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.