Bug 12880

Summary: net-snmp new denial of service security issues (CVE-2014-2284, CVE-2014-2285)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589937/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: net-snmp-5.7.2-14.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-02-26 02:46:22 CET 
Upstream has announced a new version that fixes a security issue:
http://freecode.com/projects/net-snmp/releases/361848

The text there matches that in the CHANGES and NEWS files in the upstream tarball:
"A denial of service attack vector was discovered in the Linux implementation of the ICMP-MIB. This release fixes this bug, and all users are encouraged to update their SNMP agent if they make use of the ICMP-MIB table objects."

I don't recall seeing a CVE request for this issue.

The upstream commit is here:
http://sourceforge.net/p/net-snmp/code/ci/a1fd64716f6794c55c34d77e618210238a73bfa1/

I have checked the patch into Mageia 3, Mageia 4, and Cauldron SVN.

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-26 02:46:41 CET

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-03-05 12:37:57 CET 
CVE request for this issue, as well as another:
http://www.openwall.com/lists/oss-security/2014/03/05/2

Severity: normal => major

Comment 2 David Walser 2014-03-05 21:54:23 CET 
For posterity, the issue in the initial report on this bug was fixed upstream in 5.7.2.1 upstream.

There is another denial of service issue in snmptrapd fixed with a patch upstream:
http://sourceforge.net/p/net-snmp/patches/1275/

Both of these issues have been assigned CVEs:
http://openwall.com/lists/oss-security/2014/03/05/9

More information is available on the RedHat bugs linked in that message.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated net-snmp packages fix security vulnerabilities:

Remotely exploitable denial of service vulnerability in Net-SNMP, in the
Linux implementation of the ICMP-MIB, making the SNMP agent vulnerable if it
is making use of the ICMP-MIB table objects (CVE-2014-2284).

Remotely exploitable denial of service vulnerability in Net-SNMP, in
snmptrapd, due to how it handles trap requests with an empty community string
when the perl handler is enabled (CVE-2014-2285).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2285
http://freecode.com/projects/net-snmp/releases/361848
http://openwall.com/lists/oss-security/2014/03/05/9
https://bugzilla.redhat.com/show_bug.cgi?id=1070396
https://bugzilla.redhat.com/show_bug.cgi?id=1072778
========================

Updated packages in core/updates_testing:
========================
net-snmp-5.7.2-7.2.mga3
libnet-snmp30-5.7.2-7.2.mga3
libnet-snmp-devel-5.7.2-7.2.mga3
libnet-snmp-static-devel-5.7.2-7.2.mga3
net-snmp-utils-5.7.2-7.2.mga3
net-snmp-tkmib-5.7.2-7.2.mga3
net-snmp-mibs-5.7.2-7.2.mga3
net-snmp-trapd-5.7.2-7.2.mga3
perl-NetSNMP-5.7.2-7.2.mga3
python-netsnmp-5.7.2-7.2.mga3
net-snmp-5.7.2-13.1.mga4
libnet-snmp30-5.7.2-13.1.mga4
libnet-snmp-devel-5.7.2-13.1.mga4
libnet-snmp-static-devel-5.7.2-13.1.mga4
net-snmp-utils-5.7.2-13.1.mga4
net-snmp-tkmib-5.7.2-13.1.mga4
net-snmp-mibs-5.7.2-13.1.mga4
net-snmp-trapd-5.7.2-13.1.mga4
perl-NetSNMP-5.7.2-13.1.mga4
python-netsnmp-5.7.2-13.1.mga4

from SRPMS:
net-snmp-5.7.2-7.2.mga3.src.rpm
net-snmp-5.7.2-13.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Summary: net-snmp new denial of service security issue fixed upstream in 5.7.2.1 => net-snmp new denial of service security issues (CVE-2014-2284, CVE-2014-2285)
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 claire robinson 2014-03-06 17:28:57 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 claire robinson 2014-03-06 17:46:12 CET 
Advisory uploaded.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory

Comment 5 claire robinson 2014-03-07 13:08:29 CET 
Testing complete mga4 32 & 64

Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-03-07 13:58:19 CET 
Testing complete mga3 32 & 64

Validating

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-03-07 15:20:58 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0122.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-03-07 17:05:00 CET

URL: (none) => http://lwn.net/Vulnerabilities/589937/