Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

net-snmp: CVE-2019-20892

Related Vulnerabilities: CVE-2019-20892  

Source

Debian Bug report logs - #963713
net-snmp: CVE-2019-20892

version graph

Package: src:net-snmp; Maintainer for src:net-snmp is Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 25 Jun 2020 20:33:01 UTC

Severity: grave

Tags: security, upstream

Found in version net-snmp/5.8+dfsg-2

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#963713; Package src:net-snmp. (Thu, 25 Jun 2020 20:33:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Thu, 25 Jun 2020 20:33:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: net-snmp: CVE-2019-20892
Date: Thu, 25 Jun 2020 22:29:20 +0200
Source: net-snmp
Version: 5.8+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for net-snmp.

CVE-2019-20892[0]:
| net-snmp before 5.8.1.pre1 has a double free in
| usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
| request. NOTE: this affects net-snmp packages shipped to end users by
| multiple Linux distributions, but might not affect an upstream
| release.

See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
issue originally is tracked from. The issue can be verified with:

| # systemctl stop snmpd.service
| # cat >> /var/lib/snmp/snmpd.conf << __EOF__
| createUser testuser SHA "testpass" AES "testpass"
| __EOF__
| # cat >> /etc/snmp/snmpd.conf << __EOF__
| rwuser testuser
| __EOF__
| # systemctl start snmpd.service
| # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20892
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
[1] https://www.openwall.com/lists/oss-security/2020/06/25/4
[2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027

Please adjust the affected versions in the BTS as needed, I'm not sure
where the issue has been introduced, but possibly does not affect
indeed older suites (please do double check).

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#963713; Package src:net-snmp. (Thu, 25 Jun 2020 21:27:02 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Thu, 25 Jun 2020 21:27:02 GMT) (full text, mbox, link).

Message #10 received at 963713@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 963713@bugs.debian.org
Subject: Re: Bug#963713: net-snmp: CVE-2019-20892
Date: Thu, 25 Jun 2020 23:22:36 +0200
Hi,

On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: net-snmp
> Version: 5.8+dfsg-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for net-snmp.
> 
> CVE-2019-20892[0]:
> | net-snmp before 5.8.1.pre1 has a double free in
> | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> | request. NOTE: this affects net-snmp packages shipped to end users by
> | multiple Linux distributions, but might not affect an upstream
> | release.
> 
> See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> issue originally is tracked from. The issue can be verified with:
> 
> | # systemctl stop snmpd.service
> | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> | createUser testuser SHA "testpass" AES "testpass"
> | __EOF__
> | # cat >> /etc/snmp/snmpd.conf << __EOF__
> | rwuser testuser
> | __EOF__
> | # systemctl start snmpd.service
> | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
> 
> Please adjust the affected versions in the BTS as needed, I'm not sure
> where the issue has been introduced, but possibly does not affect
> indeed older suites (please do double check).

In Ubuntu
https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
was prepared containing a set of commits which seem to adress the
issue (cf. the LP: 1877027 reference).

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>:
Bug#963713; Package src:net-snmp. (Thu, 25 Jun 2020 21:33:03 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Hasenack <andreas@canonical.com>:
Extra info received and forwarded to list. Copy sent to Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>. (Thu, 25 Jun 2020 21:33:03 GMT) (full text, mbox, link).

Message #15 received at 963713@bugs.debian.org (full text, mbox, reply):

From: Andreas Hasenack <andreas@canonical.com>
To: 963713@bugs.debian.org
Subject: Re: Bug#963713: net-snmp: CVE-2019-20892
Date: Thu, 25 Jun 2020 18:31:13 -0300
[Message part 1 (text/plain, inline)]
Hi,

we are not happy yet with those commits because they change a struct
without bumping the soname. We are investigating how impactful that is.

On Thu, Jun 25, 2020 at 6:27 PM Salvatore Bonaccorso <carnil@debian.org>
wrote:

> Hi,
>
> On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> > Source: net-snmp
> > Version: 5.8+dfsg-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > The following vulnerability was published for net-snmp.
> >
> > CVE-2019-20892[0]:
> > | net-snmp before 5.8.1.pre1 has a double free in
> > | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> > | request. NOTE: this affects net-snmp packages shipped to end users by
> > | multiple Linux distributions, but might not affect an upstream
> > | release.
> >
> > See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> > issue originally is tracked from. The issue can be verified with:
> >
> > | # systemctl stop snmpd.service
> > | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> > | createUser testuser SHA "testpass" AES "testpass"
> > | __EOF__
> > | # cat >> /etc/snmp/snmpd.conf << __EOF__
> > | rwuser testuser
> > | __EOF__
> > | # systemctl start snmpd.service
> > | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A
> testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> > [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> > [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
> >
> > Please adjust the affected versions in the BTS as needed, I'm not sure
> > where the issue has been introduced, but possibly does not affect
> > indeed older suites (please do double check).
>
> In Ubuntu
> https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
> was prepared containing a set of commits which seem to adress the
> issue (cf. the LP: 1877027 reference).
>
> Regards,
> Salvatore
>
>

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 26 09:11:16 2020; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started