Bug#908514: libnet-snmp-perl: Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Net/SNMP.pm line 2620

[Michael Pietsch]

Package: libnet-snmp-perl
Version: 6.0.1-2
Severity: normal
Tags: patch upstream



-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnet-snmp-perl depends on:
ii  perl  5.24.1-3+deb9u4

libnet-snmp-perl recommends no packages.

Versions of packages libnet-snmp-perl suggests:
pn  libcrypt-des-perl        <none>
ii  libdigest-hmac-perl      1.03+dfsg-1
ii  libio-socket-inet6-perl  2.72-2

Hi,
I have a script that uses SNMP.pm to connect to a device via snmp v3. While executing the `open` sub there occures the following error due to a missing check if a variable is defined before it is used:

```
Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Net/SNMP.pm line 2620.
CRITICAL - cannot create session object: Time synchronization failed during discovery
```

The variable `$this->{_error}` at this line is undefined but is beeing access by `$this->{_error} =~ /usmStatsNotInTimeWindows/`. The following patch fixes this problem by first checking if any error occured (`$this->{_error}` is defined) and only then compares its values:

```
# diff -U 3 SNMP.pm.old SNMP.pm
--- SNMP.pm.old 2018-09-10 19:19:39.200267652 +0200
+++ SNMP.pm     2018-09-10 19:18:55.449787618 +0200
@@ -2618,7 +2618,7 @@
    # assume that the synchronization has failed.

    if (($this->{_security}->discovered()) &&
-       ($this->{_error} =~ /usmStatsNotInTimeWindows/))
+       ((!$this->{_error}) || $this->{_error} =~ /usmStatsNotInTimeWindows/ ))
    {
       $this->_error_clear();
       DEBUG_INFO('discovery and synchronization complete');
```