Re: [Buildroot] [PATCH] package/netsnmp: revert back to 5.9.3, backport security fix

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Nicolas Carrier <nicolas.carrier@nav-timing.safrangroup.com>,
	Buildroot List <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH] package/netsnmp: revert back to 5.9.3, backport security fix
Date: Sun, 26 Nov 2023 18:34:21 +0100	[thread overview]
Message-ID: <20231126173421.GC3177259@scaer> (raw)
In-Reply-To: <20231116135136.2337261-1-thomas.petazzoni@bootlin.com>

Thomas, All,

On 2023-11-16 14:51 +0100, Thomas Petazzoni via buildroot spake thusly:
> In commit 13fc9dcb34926e9b6310b23662920c55c96d83a1, netsnmp was bumped
> from 5.9.3 to 5.9.4 to fix two CVEs.
> 
> However, even though it's a minor version bump, there are actually 163
> commits upstream between those two minor releases, and some of them
> are breaking existing use-cases. In particular upstream
> a2cb167514ac0c7e1b04e8f151e0b015501362e0 now requires that config_()
> macros in MIB files are terminated with a semicolon, causing a build
> breakage with existing MIB files that were totally valid with 5.9.3.
> 
> This commit therefore proposes to revert back to 5.9.3, by reverting
> those two commits:
> 
> 56caafceab3ec12669ccb7aa6fc8b653778064e1 package/netsnmp: fix musl build
> 13fc9dcb34926e9b6310b23662920c55c96d83a1 package/netsnmp: security bump to version 5.9.4
> 
> and instead revert the one upstream commit that fixes both CVEs.

s/revert/backport/ as noticed by Baruch.

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master, thanks.

> ---
> Note: for master, we probably want to keep the bump to 5.9.4, as it's
> upstream decision. This commit is really intended for
> 2023.02.x (perhaps other maintenance branches), where we don't want to
> break things for users.

I saw that comment a bit too late, and pushed to master.

However, after reasing the CHANGES file, I noticed that:

    IMPORTANT: SNMP over TLS and/or DTLS are not functioning properly
    in this release with various versions of OpenSSL and will be fixed
    in a future release.

So, it was anyway a good idea to revert (pfeew...)

Regards,
Yann E. MORIN.

> ---
>  ...onfiguration-of-NETSNMP_FD_MASK_TYPE.patch | 38 ----------
>  ...agent-disallow-SET-with-NULL-varbind.patch | 72 +++++++++++++++++++
>  package/netsnmp/netsnmp.hash                  |  6 +-
>  package/netsnmp/netsnmp.mk                    |  6 +-
>  4 files changed, 80 insertions(+), 42 deletions(-)
>  delete mode 100644 package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
>  create mode 100644 package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> 
> diff --git a/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch b/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
> deleted file mode 100644
> index 91a00aec27..0000000000
> --- a/package/netsnmp/0001-Fix-configuration-of-NETSNMP_FD_MASK_TYPE.patch
> +++ /dev/null
> @@ -1,38 +0,0 @@
> -From a62169f1fa358be8f330ea8519ade0610fac525b Mon Sep 17 00:00:00 2001
> -From: Adam Gajda <adgajda@users.noreply.github.com>
> -Date: Mon, 2 Oct 2023 16:40:31 +0200
> -Subject: [PATCH] Fix configuration of NETSNMP_FD_MASK_TYPE
> -
> -Upstream: https://github.com/net-snmp/net-snmp/commit/a62169f1fa358be8f330ea8519ade0610fac525b
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - configure                        | 2 +-
> - configure.d/config_project_types | 2 +-
> - 2 files changed, 2 insertions(+), 2 deletions(-)
> -
> -diff --git a/configure b/configure
> -index 9f0a173d8a..945a27c663 100755
> ---- a/configure
> -+++ b/configure
> -@@ -30871,7 +30871,7 @@ CFLAGS="$CFLAGS -Werror"
> - 
> - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for the type of fd_set::fds_bits" >&5
> - printf %s "checking for the type of fd_set::fds_bits... " >&6; }
> --for type in __fd_mask __int32_t unknown; do
> -+for type in __fd_mask __int32_t long\ int unknown; do
> -   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
> - /* end confdefs.h.  */
> - 
> -diff --git a/configure.d/config_project_types b/configure.d/config_project_types
> -index 1b4c66b95e..a78e8ebb06 100644
> ---- a/configure.d/config_project_types
> -+++ b/configure.d/config_project_types
> -@@ -66,7 +66,7 @@ netsnmp_save_CFLAGS=$CFLAGS
> - CFLAGS="$CFLAGS -Werror"
> - 
> - AC_MSG_CHECKING([for the type of fd_set::fds_bits])
> --for type in __fd_mask __int32_t unknown; do
> -+for type in __fd_mask __int32_t long\ int unknown; do
> -   AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
> - #include <sys/select.h>
> - #include <stddef.h>
> diff --git a/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch b/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> new file mode 100644
> index 0000000000..3a6321d7a7
> --- /dev/null
> +++ b/package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> @@ -0,0 +1,72 @@
> +From b07627fa67c686b07d1eab123cf3e4887a2a93aa Mon Sep 17 00:00:00 2001
> +From: Bill Fenner <fenner@gmail.com>
> +Date: Fri, 25 Nov 2022 08:41:24 -0800
> +Subject: [PATCH] snmp_agent: disallow SET with NULL varbind
> +
> +Upstream: https://github.com/net-snmp/net-snmp/commit/4589352dac3ae111c7621298cf231742209efd9b
> +
> +[Thomas: this commit was merged as part of
> +https://github.com/net-snmp/net-snmp/pull/490/commits, which fixes
> +https://github.com/net-snmp/net-snmp/issues/474 (CVE-2022-44792) and
> +https://github.com/net-snmp/net-snmp/issues/475 (CVE-2022-44793). The
> +other two commits merged as part of this pull request are related to
> +adding a non-regression test for this, which is not relevant for the
> +security fix itself.]
> +
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++
> + 1 file changed, 32 insertions(+)
> +
> +diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
> +index 867d0c166f..3f678fe2df 100644
> +--- a/agent/snmp_agent.c
> ++++ b/agent/snmp_agent.c
> +@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
> +     return 1;
> + }
> + 
> ++static int
> ++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
> ++{
> ++    int i;
> ++    netsnmp_variable_list *v = NULL;
> ++
> ++    for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
> ++	if (v->type == ASN_NULL) {
> ++	    /*
> ++	     * Protect SET implementations that do not protect themselves
> ++	     * against wrong type.
> ++	     */
> ++	    DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
> ++	    asp->index = i;
> ++	    return SNMP_ERR_WRONGTYPE;
> ++	}
> ++    }
> ++    return SNMP_ERR_NOERROR;
> ++}
> ++
> + int
> + handle_pdu(netsnmp_agent_session *asp)
> + {
> +     int             status, inclusives = 0;
> +     netsnmp_variable_list *v = NULL;
> + 
> ++#ifndef NETSNMP_NO_WRITE_SUPPORT
> ++    /*
> ++     * Check for ASN_NULL in SET request
> ++     */
> ++    if (asp->pdu->command == SNMP_MSG_SET) {
> ++	status = check_set_pdu_for_null_varbind(asp);
> ++	if (status != SNMP_ERR_NOERROR) {
> ++	    return status;
> ++	}
> ++    }
> ++#endif /* NETSNMP_NO_WRITE_SUPPORT */
> ++
> +     /*
> +      * for illegal requests, mark all nodes as ASN_NULL 
> +      */
> +-- 
> +2.41.0
> +
> diff --git a/package/netsnmp/netsnmp.hash b/package/netsnmp/netsnmp.hash
> index 7898941271..e1e9d10898 100644
> --- a/package/netsnmp/netsnmp.hash
> +++ b/package/netsnmp/netsnmp.hash
> @@ -1,7 +1,7 @@
>  # Locally calculated after checking pgp signature at
> -# https://sourceforge.net/projects/net-snmp/files/net-snmp/5.9.4/net-snmp-5.9.4.tar.gz.asc
> -# using key 6E6718AEF1EB5C65C32D1B2A356BC0B552D53CAB
> -sha256  8b4de01391e74e3c7014beb43961a2d6d6fa03acc34280b9585f4930745b0544  net-snmp-5.9.4.tar.gz
> +# https://sourceforge.net/projects/net-snmp/files/net-snmp/5.9.3/net-snmp-5.9.3.tar.gz.asc
> +# using key D0F8F495DA6160C44EFFBF10F07B9D2DACB19FD6
> +sha256  2097f29b7e1bf3f1300b4bae52fa2308d0bb8d5d3998dbe02f9462a413a2ef0a  net-snmp-5.9.3.tar.gz
>  
>  # Hash for license file
>  sha256  ed869ea395a1f125819a56676385ab0557a21507764bf56f2943302011381e59  COPYING
> diff --git a/package/netsnmp/netsnmp.mk b/package/netsnmp/netsnmp.mk
> index b5cda30a7b..fafd604879 100644
> --- a/package/netsnmp/netsnmp.mk
> +++ b/package/netsnmp/netsnmp.mk
> @@ -4,13 +4,17 @@
>  #
>  ################################################################################
>  
> -NETSNMP_VERSION = 5.9.4
> +NETSNMP_VERSION = 5.9.3
>  NETSNMP_SITE = https://downloads.sourceforge.net/project/net-snmp/net-snmp/$(NETSNMP_VERSION)
>  NETSNMP_SOURCE = net-snmp-$(NETSNMP_VERSION).tar.gz
>  NETSNMP_LICENSE = Various BSD-like
>  NETSNMP_LICENSE_FILES = COPYING
>  NETSNMP_CPE_ID_VENDOR = net-snmp
>  NETSNMP_CPE_ID_PRODUCT = $(NETSNMP_CPE_ID_VENDOR)
> +# 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch
> +NETSNMP_IGNORE_CVES = \
> +	CVE-2022-44792 \
> +	CVE-2022-44793
>  NETSNMP_SELINUX_MODULES = snmp
>  NETSNMP_INSTALL_STAGING = YES
>  NETSNMP_CONF_ENV = \
> -- 
> 2.41.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot