aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorkuriyama <kuriyama@FreeBSD.org>2007-11-14 13:45:24 +0800
committerkuriyama <kuriyama@FreeBSD.org>2007-11-14 13:45:24 +0800
commit6c36575d271527e0569e73b50d788e0343a03a1e (patch)
tree4371fedb0e106768ed9d42343dd319be52446e50
parent4b3a9247e8128da2837ab8b92081e5a68aab2899 (diff)
downloadfreebsd-ports-graphics-6c36575d271527e0569e73b50d788e0343a03a1e.tar.gz
freebsd-ports-graphics-6c36575d271527e0569e73b50d788e0343a03a1e.tar.zst
freebsd-ports-graphics-6c36575d271527e0569e73b50d788e0343a03a1e.zip
o Add a patch for CVE-2007-5846, and add an entry for vuxml.
Approved by: portmgr (marcus)
-rw-r--r--net-mgmt/net-snmp-devel/Makefile2
-rw-r--r--net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846105
-rw-r--r--net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c15
-rw-r--r--net-mgmt/net-snmp/Makefile2
-rw-r--r--net-mgmt/net-snmp/files/patch-CVE-2007-5846105
-rw-r--r--net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c15
-rw-r--r--net-mgmt/net-snmp53/Makefile2
-rw-r--r--net-mgmt/net-snmp53/files/patch-CVE-2007-5846105
-rw-r--r--net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c15
-rw-r--r--security/vuxml/vuln.xml25
10 files changed, 388 insertions, 3 deletions
diff --git a/net-mgmt/net-snmp-devel/Makefile b/net-mgmt/net-snmp-devel/Makefile
index f44730e35ad..40675843b7a 100644
--- a/net-mgmt/net-snmp-devel/Makefile
+++ b/net-mgmt/net-snmp-devel/Makefile
@@ -7,7 +7,7 @@
PORTNAME= snmp
PORTVERSION= 5.3.1
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= net-mgmt ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= net-snmp
diff --git a/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846 b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846
new file mode 100644
index 00000000000..f3bc3e56673
--- /dev/null
+++ b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846
@@ -0,0 +1,105 @@
+Index: man/snmpd.conf.5.def
+===================================================================
+--- man/snmpd.conf.5.def (revision 16338)
++++ man/snmpd.conf.5.def (working copy)
+@@ -71,6 +71,28 @@
+ .IP "leave_pidfile yes"
+ instructs the agent to not remove its pid file on shutdown. Equivalent to
+ specifying "-U" on the command line.
++.IP "maxGetbulkRepeats NUM"
++Sets the maximum number of responses allowed for a single variable in
++a getbulk request. Set to 0 to enable the default and set it to -1 to
++enable unlimited. Because memory is allocated ahead of time, sitting
++this to unlimited is not considered safe if your user population can
++not be trusted. A repeat number greater than this will be truncated
++to this value.
++.IP
++This is set by default to -1.
++.IP "maxGetbulkResponses NUM"
++Sets the maximum number of responses allowed for a getbulk request.
++This is set by default to 100. Set to 0 to enable the default and set
++it to -1 to enable unlimited. Because memory is allocated ahead of
++time, sitting this to unlimited is not considered safe if your user
++population can not be trusted.
++.IP
++In general, the total number of responses will not be allowed to
++exceed the maxGetbulkResponses number and the total number returned
++will be an integer multiple of the number of variables requested times
++the calculated number of repeats allow to fit below this number.
++.IP
++Also not that processing of maxGetbulkRepeats is handled first.
+ .SS SNMPv3 Configuration
+ SNMPv3 requires an SNMP agent to define a unique "engine ID"
+ in order to respond to SNMPv3 requests.
+Index: include/net-snmp/agent/ds_agent.h
+===================================================================
+--- include/net-snmp/agent/ds_agent.h (revision 16338)
++++ include/net-snmp/agent/ds_agent.h (working copy)
+@@ -59,5 +59,7 @@
+ #define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */
+ #define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */
+ #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */
++#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
++#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */
+
+ #endif
+Index: agent/snmp_agent.c
+===================================================================
+--- agent/snmp_agent.c (revision 16338)
++++ agent/snmp_agent.c (working copy)
+@@ -2156,7 +2156,6 @@
+ * getbulk prep
+ */
+ int count = count_varbinds(asp->pdu->variables);
+-
+ if (asp->pdu->errstat < 0) {
+ asp->pdu->errstat = 0;
+ }
+@@ -2173,8 +2172,37 @@
+ r = 0;
+ asp->bulkcache = NULL;
+ } else {
++ int numresponses;
++ int maxbulk =
++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
++ int maxresponses =
++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
++
++ if (maxresponses == 0)
++ maxresponses = 100; /* more than reasonable default */
++
++ if (maxbulk == 0)
++ maxbulk = -1;
++
++ /* limit getbulk number of repeats to a configured size */
++ if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
++ asp->pdu->errindex = maxbulk;
++ }
++
++ numresponses = asp->pdu->errindex * r;
++
++ /* limit getbulk number of getbulk responses to a configured size */
++ if (maxresponses != -1 && numresponses > maxresponses) {
++ /* attempt to truncate this */
++ asp->pdu->errindex = maxresponses/r;
++ numresponses = asp->pdu->errindex * r;
++ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
++ }
++
+ asp->bulkcache =
+- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
++ (netsnmp_variable_list **) malloc(numresponses *
+ sizeof(struct
+ varbind_list *));
+ if (!asp->bulkcache) {
+@@ -2184,6 +2212,8 @@
+ }
+ DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
+ n, asp->pdu->errindex, r));
++ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
++ n, asp->pdu->errindex, r);
+ }
+
+ /*
diff --git a/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c
new file mode 100644
index 00000000000..7400bec0140
--- /dev/null
+++ b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c
@@ -0,0 +1,15 @@
+--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900
++++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900
+@@ -255,6 +255,12 @@
+ netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_LEAVE_PIDFILE);
++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
++ NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
++ NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+ netsnmp_init_handler_conf();
+
+ #include "agent_module_dot_conf.h"
diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index f44730e35ad..40675843b7a 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -7,7 +7,7 @@
PORTNAME= snmp
PORTVERSION= 5.3.1
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= net-mgmt ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= net-snmp
diff --git a/net-mgmt/net-snmp/files/patch-CVE-2007-5846 b/net-mgmt/net-snmp/files/patch-CVE-2007-5846
new file mode 100644
index 00000000000..f3bc3e56673
--- /dev/null
+++ b/net-mgmt/net-snmp/files/patch-CVE-2007-5846
@@ -0,0 +1,105 @@
+Index: man/snmpd.conf.5.def
+===================================================================
+--- man/snmpd.conf.5.def (revision 16338)
++++ man/snmpd.conf.5.def (working copy)
+@@ -71,6 +71,28 @@
+ .IP "leave_pidfile yes"
+ instructs the agent to not remove its pid file on shutdown. Equivalent to
+ specifying "-U" on the command line.
++.IP "maxGetbulkRepeats NUM"
++Sets the maximum number of responses allowed for a single variable in
++a getbulk request. Set to 0 to enable the default and set it to -1 to
++enable unlimited. Because memory is allocated ahead of time, sitting
++this to unlimited is not considered safe if your user population can
++not be trusted. A repeat number greater than this will be truncated
++to this value.
++.IP
++This is set by default to -1.
++.IP "maxGetbulkResponses NUM"
++Sets the maximum number of responses allowed for a getbulk request.
++This is set by default to 100. Set to 0 to enable the default and set
++it to -1 to enable unlimited. Because memory is allocated ahead of
++time, sitting this to unlimited is not considered safe if your user
++population can not be trusted.
++.IP
++In general, the total number of responses will not be allowed to
++exceed the maxGetbulkResponses number and the total number returned
++will be an integer multiple of the number of variables requested times
++the calculated number of repeats allow to fit below this number.
++.IP
++Also not that processing of maxGetbulkRepeats is handled first.
+ .SS SNMPv3 Configuration
+ SNMPv3 requires an SNMP agent to define a unique "engine ID"
+ in order to respond to SNMPv3 requests.
+Index: include/net-snmp/agent/ds_agent.h
+===================================================================
+--- include/net-snmp/agent/ds_agent.h (revision 16338)
++++ include/net-snmp/agent/ds_agent.h (working copy)
+@@ -59,5 +59,7 @@
+ #define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */
+ #define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */
+ #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */
++#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
++#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */
+
+ #endif
+Index: agent/snmp_agent.c
+===================================================================
+--- agent/snmp_agent.c (revision 16338)
++++ agent/snmp_agent.c (working copy)
+@@ -2156,7 +2156,6 @@
+ * getbulk prep
+ */
+ int count = count_varbinds(asp->pdu->variables);
+-
+ if (asp->pdu->errstat < 0) {
+ asp->pdu->errstat = 0;
+ }
+@@ -2173,8 +2172,37 @@
+ r = 0;
+ asp->bulkcache = NULL;
+ } else {
++ int numresponses;
++ int maxbulk =
++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
++ int maxresponses =
++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
++
++ if (maxresponses == 0)
++ maxresponses = 100; /* more than reasonable default */
++
++ if (maxbulk == 0)
++ maxbulk = -1;
++
++ /* limit getbulk number of repeats to a configured size */
++ if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
++ asp->pdu->errindex = maxbulk;
++ }
++
++ numresponses = asp->pdu->errindex * r;
++
++ /* limit getbulk number of getbulk responses to a configured size */
++ if (maxresponses != -1 && numresponses > maxresponses) {
++ /* attempt to truncate this */
++ asp->pdu->errindex = maxresponses/r;
++ numresponses = asp->pdu->errindex * r;
++ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
++ }
++
+ asp->bulkcache =
+- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
++ (netsnmp_variable_list **) malloc(numresponses *
+ sizeof(struct
+ varbind_list *));
+ if (!asp->bulkcache) {
+@@ -2184,6 +2212,8 @@
+ }
+ DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
+ n, asp->pdu->errindex, r));
++ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
++ n, asp->pdu->errindex, r);
+ }
+
+ /*
diff --git a/net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c b/net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c
new file mode 100644
index 00000000000..7400bec0140
--- /dev/null
+++ b/net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c
@@ -0,0 +1,15 @@
+--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900
++++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900
+@@ -255,6 +255,12 @@
+ netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_LEAVE_PIDFILE);
++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
++ NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
++ NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+ netsnmp_init_handler_conf();
+
+ #include "agent_module_dot_conf.h"
diff --git a/net-mgmt/net-snmp53/Makefile b/net-mgmt/net-snmp53/Makefile
index f44730e35ad..40675843b7a 100644
--- a/net-mgmt/net-snmp53/Makefile
+++ b/net-mgmt/net-snmp53/Makefile
@@ -7,7 +7,7 @@
PORTNAME= snmp
PORTVERSION= 5.3.1
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= net-mgmt ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= net-snmp
diff --git a/net-mgmt/net-snmp53/files/patch-CVE-2007-5846 b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846
new file mode 100644
index 00000000000..f3bc3e56673
--- /dev/null
+++ b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846
@@ -0,0 +1,105 @@
+Index: man/snmpd.conf.5.def
+===================================================================
+--- man/snmpd.conf.5.def (revision 16338)
++++ man/snmpd.conf.5.def (working copy)
+@@ -71,6 +71,28 @@
+ .IP "leave_pidfile yes"
+ instructs the agent to not remove its pid file on shutdown. Equivalent to
+ specifying "-U" on the command line.
++.IP "maxGetbulkRepeats NUM"
++Sets the maximum number of responses allowed for a single variable in
++a getbulk request. Set to 0 to enable the default and set it to -1 to
++enable unlimited. Because memory is allocated ahead of time, sitting
++this to unlimited is not considered safe if your user population can
++not be trusted. A repeat number greater than this will be truncated
++to this value.
++.IP
++This is set by default to -1.
++.IP "maxGetbulkResponses NUM"
++Sets the maximum number of responses allowed for a getbulk request.
++This is set by default to 100. Set to 0 to enable the default and set
++it to -1 to enable unlimited. Because memory is allocated ahead of
++time, sitting this to unlimited is not considered safe if your user
++population can not be trusted.
++.IP
++In general, the total number of responses will not be allowed to
++exceed the maxGetbulkResponses number and the total number returned
++will be an integer multiple of the number of variables requested times
++the calculated number of repeats allow to fit below this number.
++.IP
++Also not that processing of maxGetbulkRepeats is handled first.
+ .SS SNMPv3 Configuration
+ SNMPv3 requires an SNMP agent to define a unique "engine ID"
+ in order to respond to SNMPv3 requests.
+Index: include/net-snmp/agent/ds_agent.h
+===================================================================
+--- include/net-snmp/agent/ds_agent.h (revision 16338)
++++ include/net-snmp/agent/ds_agent.h (working copy)
+@@ -59,5 +59,7 @@
+ #define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */
+ #define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */
+ #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */
++#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
++#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */
+
+ #endif
+Index: agent/snmp_agent.c
+===================================================================
+--- agent/snmp_agent.c (revision 16338)
++++ agent/snmp_agent.c (working copy)
+@@ -2156,7 +2156,6 @@
+ * getbulk prep
+ */
+ int count = count_varbinds(asp->pdu->variables);
+-
+ if (asp->pdu->errstat < 0) {
+ asp->pdu->errstat = 0;
+ }
+@@ -2173,8 +2172,37 @@
+ r = 0;
+ asp->bulkcache = NULL;
+ } else {
++ int numresponses;
++ int maxbulk =
++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
++ int maxresponses =
++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
++
++ if (maxresponses == 0)
++ maxresponses = 100; /* more than reasonable default */
++
++ if (maxbulk == 0)
++ maxbulk = -1;
++
++ /* limit getbulk number of repeats to a configured size */
++ if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
++ asp->pdu->errindex = maxbulk;
++ }
++
++ numresponses = asp->pdu->errindex * r;
++
++ /* limit getbulk number of getbulk responses to a configured size */
++ if (maxresponses != -1 && numresponses > maxresponses) {
++ /* attempt to truncate this */
++ asp->pdu->errindex = maxresponses/r;
++ numresponses = asp->pdu->errindex * r;
++ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
++ }
++
+ asp->bulkcache =
+- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
++ (netsnmp_variable_list **) malloc(numresponses *
+ sizeof(struct
+ varbind_list *));
+ if (!asp->bulkcache) {
+@@ -2184,6 +2212,8 @@
+ }
+ DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
+ n, asp->pdu->errindex, r));
++ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
++ n, asp->pdu->errindex, r);
+ }
+
+ /*
diff --git a/net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c
new file mode 100644
index 00000000000..7400bec0140
--- /dev/null
+++ b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c
@@ -0,0 +1,15 @@
+--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900
++++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900
+@@ -255,6 +255,12 @@
+ netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_LEAVE_PIDFILE);
++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
++ NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
++ NETSNMP_DS_APPLICATION_ID,
++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+ netsnmp_init_handler_conf();
+
+ #include "agent_module_dot_conf.h"
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ce9f10e41c1..59d7aaf0f38 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -34,6 +34,31 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="92f86b93-923f-11dc-a2bf-02e081235dab">
+ <topic>net-snmp -- denial of service via GETBULK request</topic>
+ <affects>
+ <package>
+ <name>net-snmp</name>
+ <range><lt>5.3.1_7</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>CVE reports:</p>
+ <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846">
+ <p>The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value..</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2007-5846</cvename>
+ </references>
+ <dates>
+ <discovery>2007-11-06</discovery>
+ <entry>2007-11-13</entry>
+ </dates>
+ </vuln>
+
<vuln vid="ff65eecb-91e4-11dc-bd6c-0016179b2dd5">
<topic>flac -- media file processing integer overflow vulnerabilities</topic>
<affects>