[Pkg-net-snmp-devel] Bug#963713: net-snmp: CVE-2019-20892

[Salvatore Bonaccorso]

Hi,

On Thu, Jun 25, 2020 at 10:29:20PM +0200, Salvatore Bonaccorso wrote:
> Source: net-snmp
> Version: 5.8+dfsg-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for net-snmp.
> 
> CVE-2019-20892[0]:
> | net-snmp before 5.8.1.pre1 has a double free in
> | usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk
> | request. NOTE: this affects net-snmp packages shipped to end users by
> | multiple Linux distributions, but might not affect an upstream
> | release.
> 
> See [1] for the CVE heads-up post, and [2] the Launchpad Bug where the
> issue originally is tracked from. The issue can be verified with:
> 
> | # systemctl stop snmpd.service
> | # cat >> /var/lib/snmp/snmpd.conf << __EOF__
> | createUser testuser SHA "testpass" AES "testpass"
> | __EOF__
> | # cat >> /etc/snmp/snmpd.conf << __EOF__
> | rwuser testuser
> | __EOF__
> | # systemctl start snmpd.service
> | # snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-20892
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20892
> [1] https://www.openwall.com/lists/oss-security/2020/06/25/4
> [2] https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
> 
> Please adjust the affected versions in the BTS as needed, I'm not sure
> where the issue has been introduced, but possibly does not affect
> indeed older suites (please do double check).

In Ubuntu
https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1877027
was prepared containing a set of commits which seem to adress the
issue (cf. the LP: 1877027 reference).

Regards,
Salvatore