Bug 14029 - net-snmp new security issue CVE-2014-3565
Summary: net-snmp new security issue CVE-2014-3565
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/610937/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-01 20:30 CEST by David Walser
Modified: 2014-09-05 17:36 CEST

See Also:
Source RPM: net-snmp-5.7.2-13.1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-09-01 20:30:34 CEST
A CVE has been assigned for a security issue fixed upstream in net-snmp:
http://openwall.com/lists/oss-security/2014/09/01/1

Advisory:
========================

Updated net-snmp packages fix security vulnerabilities:

A remote denial-of-service flaw was found in the way snmptrapd handled
certain SNMP traps when started with the "-OQ" option. If an attacker sent an
SNMP trap containing a variable with a NULL type where an integer variable
type was expected, it would cause snmptrapd to crash (CVE-2014-3565).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565
https://bugzilla.redhat.com/show_bug.cgi?id=1125155
========================

Updated packages in core/updates_testing:
========================
net-snmp-5.7.2-7.3.mga3
libnet-snmp30-5.7.2-7.3.mga3
libnet-snmp-devel-5.7.2-7.3.mga3
libnet-snmp-static-devel-5.7.2-7.3.mga3
net-snmp-utils-5.7.2-7.3.mga3
net-snmp-tkmib-5.7.2-7.3.mga3
net-snmp-mibs-5.7.2-7.3.mga3
net-snmp-trapd-5.7.2-7.3.mga3
perl-NetSNMP-5.7.2-7.3.mga3
python-netsnmp-5.7.2-7.3.mga3
net-snmp-5.7.2-13.2.mga4
libnet-snmp30-5.7.2-13.2.mga4
libnet-snmp-devel-5.7.2-13.2.mga4
libnet-snmp-static-devel-5.7.2-13.2.mga4
net-snmp-utils-5.7.2-13.2.mga4
net-snmp-tkmib-5.7.2-13.2.mga4
net-snmp-mibs-5.7.2-13.2.mga4
net-snmp-trapd-5.7.2-13.2.mga4
perl-NetSNMP-5.7.2-13.2.mga4
python-netsnmp-5.7.2-13.2.mga4

from SRPMS:
net-snmp-5.7.2-7.3.mga3.src.rpm
net-snmp-5.7.2-13.2.mga4.src.rpm
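
An exposure check built from the advisory above, added here as an example and not part of the original bug report or of net-snmp: it compares an installed version-release against the fixed releases listed for mga3 and mga4, and looks for the "-OQ" output option on an snmptrapd command line. The function names are hypothetical, and GNU `sort -V` is assumed for version ordering.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical;
# fixed releases and the "-OQ" trigger come from the advisory above.

# fixed_release DIST -> first fixed net-snmp version-release for that distro tag
fixed_release() {
    case "$1" in
        mga3) echo "5.7.2-7.3" ;;
        mga4) echo "5.7.2-13.2" ;;
        *)    return 1 ;;
    esac
}

# is_patched VERSION-RELEASE (e.g. 5.7.2-13.1.mga4) -> 0 if at or above the fix
is_patched() {
    dist=${1##*.}    # trailing distro tag, "mga4"
    inst=${1%.*}     # "5.7.2-13.1"
    fixed=$(fixed_release "$dist") || return 2    # unknown tag: treat as unpatched
    lowest=$(printf '%s\n%s\n' "$inst" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# uses_oq ARGV... -> 0 if an -O output option contains Q ("-OQ", "-OnQ", "-O Q")
uses_oq() {
    prev=""
    for arg in "$@"; do
        case "$arg" in -O*Q*) return 0 ;; esac
        if [ "$prev" = "-O" ]; then
            case "$arg" in *Q*) return 0 ;; esac
        fi
        prev=$arg
    done
    return 1
}

# exposure VERSION-RELEASE ARGV... -> prints patched | exposed | unpatched-no-OQ
exposure() {
    pkg=$1; shift
    if is_patched "$pkg"; then echo patched
    elif uses_oq "$@"; then echo exposed
    else echo unpatched-no-OQ
    fi
}

# Live use (assumes rpm and pgrep are available on the host):
#   exposure "$(rpm -q --qf '%{VERSION}-%{RELEASE}' net-snmp-trapd)" \
#       $(tr '\0' ' ' < "/proc/$(pgrep -o snmptrapd)/cmdline")
```
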

Comment 1 David Walser 2014-09-01 20:30:56 CEST
Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 William Kenney 2014-09-02 17:42:29 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP libnet-snmp30 net-snmp-mibs

default install of net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP libnet-snmp30 net-snmp-mibs

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-7.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-7.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-7.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-7.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-7.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-7.2.mga3.i586 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

install net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP from updates_testing libnet-snmp30 net-snmp-mibs

stop then restart snmpd

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-7.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-7.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-7.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-7.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-7.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-7.3.mga3.i586 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK

Comment 3 William Kenney 2014-09-02 18:08:58 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP lib64net-snmp30

default install of net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP lib64net-snmp30

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-7.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-7.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-7.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-7.2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64net-snmp30
Package lib64net-snmp30-5.7.2-7.2.mga3.x86_64 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

install net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP lib64net-snmp30 from updates_testing

stop then restart snmpd

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-7.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-7.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-7.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-7.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64net-snmp30
Package lib64net-snmp30-5.7.2-7.3.mga3.x86_64 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Comment 4 William Kenney 2014-09-02 18:28:43 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP libnet-snmp30

default install of net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP libnet-snmp30

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-13.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-13.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-13.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-13.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libnet-snmp30
Package libnet-snmp30-5.7.2-13.1.mga4.i586 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

install net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP from updates_testing libnet-snmp30 net-snmp-mibs

stop then restart snmpd

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-13.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-13.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-13.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-13.2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libnet-snmp30
Package libnet-snmp30-5.7.2-13.2.mga4.i586 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 5 William Kenney 2014-09-02 18:47:25 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP lib64net-snmp30

default install of net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP lib64net-snmp30

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-13.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-13.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-13.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-13.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64net-snmp30
Package lib64net-snmp30-5.7.2-13.1.mga4.x86_64 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

install net-snmp net-snmp-mibs net-snmp-utils perl-NetSNMP from updates_testing lib64net-snmp30 net-snmp-mibs

stop then restart snmpd

[root@localhost wilcal]# urpmi net-snmp
Package net-snmp-5.7.2-13.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-mibs
Package net-snmp-mibs-5.7.2-13.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi net-snmp-utils
Package net-snmp-utils-5.7.2-13.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi perl-NetSNMP
Package perl-NetSNMP-5.7.2-13.2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64net-snmp30
Package lib64net-snmp30-5.7.2-13.2.mga4.x86_64 is already installed

Works as expected in: https://bugs.mageia.org/show_bug.cgi?id=12236#c5

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 6 William Kenney 2014-09-02 18:48:12 CEST
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2014-09-02 18:54:00 CEST
Advisory from comment 0 uploaded.

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 8 Mageia Robot 2014-09-05 11:08:46 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0371.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-09-05 17:36:30 CEST

URL: (none) => http://lwn.net/Vulnerabilities/610937/

