diff options
author | kuriyama <kuriyama@FreeBSD.org> | 2007-11-14 13:45:24 +0800 |
---|---|---|
committer | kuriyama <kuriyama@FreeBSD.org> | 2007-11-14 13:45:24 +0800 |
commit | 6c36575d271527e0569e73b50d788e0343a03a1e (patch) | |
tree | 4371fedb0e106768ed9d42343dd319be52446e50 | |
parent | 4b3a9247e8128da2837ab8b92081e5a68aab2899 (diff) | |
download | freebsd-ports-graphics-6c36575d271527e0569e73b50d788e0343a03a1e.tar.gz freebsd-ports-graphics-6c36575d271527e0569e73b50d788e0343a03a1e.tar.zst freebsd-ports-graphics-6c36575d271527e0569e73b50d788e0343a03a1e.zip |
o Add a patch for CVE-2007-5846, and add an entry for vuxml.
Approved by: portmgr (marcus)
-rw-r--r-- | net-mgmt/net-snmp-devel/Makefile | 2 | ||||
-rw-r--r-- | net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846 | 105 | ||||
-rw-r--r-- | net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c | 15 | ||||
-rw-r--r-- | net-mgmt/net-snmp/Makefile | 2 | ||||
-rw-r--r-- | net-mgmt/net-snmp/files/patch-CVE-2007-5846 | 105 | ||||
-rw-r--r-- | net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c | 15 | ||||
-rw-r--r-- | net-mgmt/net-snmp53/Makefile | 2 | ||||
-rw-r--r-- | net-mgmt/net-snmp53/files/patch-CVE-2007-5846 | 105 | ||||
-rw-r--r-- | net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c | 15 | ||||
-rw-r--r-- | security/vuxml/vuln.xml | 25 |
10 files changed, 388 insertions, 3 deletions
diff --git a/net-mgmt/net-snmp-devel/Makefile b/net-mgmt/net-snmp-devel/Makefile index f44730e35ad..40675843b7a 100644 --- a/net-mgmt/net-snmp-devel/Makefile +++ b/net-mgmt/net-snmp-devel/Makefile @@ -7,7 +7,7 @@ PORTNAME= snmp PORTVERSION= 5.3.1 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= net-mgmt ipv6 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= net-snmp diff --git a/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846 b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846 new file mode 100644 index 00000000000..f3bc3e56673 --- /dev/null +++ b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846 @@ -0,0 +1,105 @@ +Index: man/snmpd.conf.5.def +=================================================================== +--- man/snmpd.conf.5.def (revision 16338) ++++ man/snmpd.conf.5.def (working copy) +@@ -71,6 +71,28 @@ + .IP "leave_pidfile yes" + instructs the agent to not remove its pid file on shutdown. Equivalent to + specifying "-U" on the command line. ++.IP "maxGetbulkRepeats NUM" ++Sets the maximum number of responses allowed for a single variable in ++a getbulk request. Set to 0 to enable the default and set it to -1 to ++enable unlimited. Because memory is allocated ahead of time, sitting ++this to unlimited is not considered safe if your user population can ++not be trusted. A repeat number greater than this will be truncated ++to this value. ++.IP ++This is set by default to -1. ++.IP "maxGetbulkResponses NUM" ++Sets the maximum number of responses allowed for a getbulk request. ++This is set by default to 100. Set to 0 to enable the default and set ++it to -1 to enable unlimited. Because memory is allocated ahead of ++time, sitting this to unlimited is not considered safe if your user ++population can not be trusted. ++.IP ++In general, the total number of responses will not be allowed to ++exceed the maxGetbulkResponses number and the total number returned ++will be an integer multiple of the number of variables requested times ++the calculated number of repeats allow to fit below this number. ++.IP ++Also not that processing of maxGetbulkRepeats is handled first. + .SS SNMPv3 Configuration + SNMPv3 requires an SNMP agent to define a unique "engine ID" + in order to respond to SNMPv3 requests. +Index: include/net-snmp/agent/ds_agent.h +=================================================================== +--- include/net-snmp/agent/ds_agent.h (revision 16338) ++++ include/net-snmp/agent/ds_agent.h (working copy) +@@ -59,5 +59,7 @@ + #define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */ + #define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */ + #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */ ++#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */ ++#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */ + + #endif +Index: agent/snmp_agent.c +=================================================================== +--- agent/snmp_agent.c (revision 16338) ++++ agent/snmp_agent.c (working copy) +@@ -2156,7 +2156,6 @@ + * getbulk prep + */ + int count = count_varbinds(asp->pdu->variables); +- + if (asp->pdu->errstat < 0) { + asp->pdu->errstat = 0; + } +@@ -2173,8 +2172,37 @@ + r = 0; + asp->bulkcache = NULL; + } else { ++ int numresponses; ++ int maxbulk = ++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); ++ int maxresponses = ++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES); ++ ++ if (maxresponses == 0) ++ maxresponses = 100; /* more than reasonable default */ ++ ++ if (maxbulk == 0) ++ maxbulk = -1; ++ ++ /* limit getbulk number of repeats to a configured size */ ++ if (asp->pdu->errindex > maxbulk && maxbulk != -1) { ++ asp->pdu->errindex = maxbulk; ++ } ++ ++ numresponses = asp->pdu->errindex * r; ++ ++ /* limit getbulk number of getbulk responses to a configured size */ ++ if (maxresponses != -1 && numresponses > maxresponses) { ++ /* attempt to truncate this */ ++ asp->pdu->errindex = maxresponses/r; ++ numresponses = asp->pdu->errindex * r; ++ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex)); ++ } ++ + asp->bulkcache = +- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r * ++ (netsnmp_variable_list **) malloc(numresponses * + sizeof(struct + varbind_list *)); + if (!asp->bulkcache) { +@@ -2184,6 +2212,8 @@ + } + DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n", + n, asp->pdu->errindex, r)); ++ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n", ++ n, asp->pdu->errindex, r); + } + + /* diff --git a/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c new file mode 100644 index 00000000000..7400bec0140 --- /dev/null +++ b/net-mgmt/net-snmp-devel/files/patch-CVE-2007-5846-agent_read_config.c @@ -0,0 +1,15 @@ +--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900 ++++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900 +@@ -255,6 +255,12 @@ + netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile", + NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_LEAVE_PIDFILE); ++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats", ++ NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); ++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses", ++ NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES); + netsnmp_init_handler_conf(); + + #include "agent_module_dot_conf.h" diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile index f44730e35ad..40675843b7a 100644 --- a/net-mgmt/net-snmp/Makefile +++ b/net-mgmt/net-snmp/Makefile @@ -7,7 +7,7 @@ PORTNAME= snmp PORTVERSION= 5.3.1 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= net-mgmt ipv6 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= net-snmp diff --git a/net-mgmt/net-snmp/files/patch-CVE-2007-5846 b/net-mgmt/net-snmp/files/patch-CVE-2007-5846 new file mode 100644 index 00000000000..f3bc3e56673 --- /dev/null +++ b/net-mgmt/net-snmp/files/patch-CVE-2007-5846 @@ -0,0 +1,105 @@ +Index: man/snmpd.conf.5.def +=================================================================== +--- man/snmpd.conf.5.def (revision 16338) ++++ man/snmpd.conf.5.def (working copy) +@@ -71,6 +71,28 @@ + .IP "leave_pidfile yes" + instructs the agent to not remove its pid file on shutdown. Equivalent to + specifying "-U" on the command line. ++.IP "maxGetbulkRepeats NUM" ++Sets the maximum number of responses allowed for a single variable in ++a getbulk request. Set to 0 to enable the default and set it to -1 to ++enable unlimited. Because memory is allocated ahead of time, sitting ++this to unlimited is not considered safe if your user population can ++not be trusted. A repeat number greater than this will be truncated ++to this value. ++.IP ++This is set by default to -1. ++.IP "maxGetbulkResponses NUM" ++Sets the maximum number of responses allowed for a getbulk request. ++This is set by default to 100. Set to 0 to enable the default and set ++it to -1 to enable unlimited. Because memory is allocated ahead of ++time, sitting this to unlimited is not considered safe if your user ++population can not be trusted. ++.IP ++In general, the total number of responses will not be allowed to ++exceed the maxGetbulkResponses number and the total number returned ++will be an integer multiple of the number of variables requested times ++the calculated number of repeats allow to fit below this number. ++.IP ++Also not that processing of maxGetbulkRepeats is handled first. + .SS SNMPv3 Configuration + SNMPv3 requires an SNMP agent to define a unique "engine ID" + in order to respond to SNMPv3 requests. +Index: include/net-snmp/agent/ds_agent.h +=================================================================== +--- include/net-snmp/agent/ds_agent.h (revision 16338) ++++ include/net-snmp/agent/ds_agent.h (working copy) +@@ -59,5 +59,7 @@ + #define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */ + #define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */ + #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */ ++#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */ ++#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */ + + #endif +Index: agent/snmp_agent.c +=================================================================== +--- agent/snmp_agent.c (revision 16338) ++++ agent/snmp_agent.c (working copy) +@@ -2156,7 +2156,6 @@ + * getbulk prep + */ + int count = count_varbinds(asp->pdu->variables); +- + if (asp->pdu->errstat < 0) { + asp->pdu->errstat = 0; + } +@@ -2173,8 +2172,37 @@ + r = 0; + asp->bulkcache = NULL; + } else { ++ int numresponses; ++ int maxbulk = ++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); ++ int maxresponses = ++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES); ++ ++ if (maxresponses == 0) ++ maxresponses = 100; /* more than reasonable default */ ++ ++ if (maxbulk == 0) ++ maxbulk = -1; ++ ++ /* limit getbulk number of repeats to a configured size */ ++ if (asp->pdu->errindex > maxbulk && maxbulk != -1) { ++ asp->pdu->errindex = maxbulk; ++ } ++ ++ numresponses = asp->pdu->errindex * r; ++ ++ /* limit getbulk number of getbulk responses to a configured size */ ++ if (maxresponses != -1 && numresponses > maxresponses) { ++ /* attempt to truncate this */ ++ asp->pdu->errindex = maxresponses/r; ++ numresponses = asp->pdu->errindex * r; ++ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex)); ++ } ++ + asp->bulkcache = +- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r * ++ (netsnmp_variable_list **) malloc(numresponses * + sizeof(struct + varbind_list *)); + if (!asp->bulkcache) { +@@ -2184,6 +2212,8 @@ + } + DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n", + n, asp->pdu->errindex, r)); ++ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n", ++ n, asp->pdu->errindex, r); + } + + /* diff --git a/net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c b/net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c new file mode 100644 index 00000000000..7400bec0140 --- /dev/null +++ b/net-mgmt/net-snmp/files/patch-CVE-2007-5846-agent_read_config.c @@ -0,0 +1,15 @@ +--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900 ++++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900 +@@ -255,6 +255,12 @@ + netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile", + NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_LEAVE_PIDFILE); ++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats", ++ NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); ++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses", ++ NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES); + netsnmp_init_handler_conf(); + + #include "agent_module_dot_conf.h" diff --git a/net-mgmt/net-snmp53/Makefile b/net-mgmt/net-snmp53/Makefile index f44730e35ad..40675843b7a 100644 --- a/net-mgmt/net-snmp53/Makefile +++ b/net-mgmt/net-snmp53/Makefile @@ -7,7 +7,7 @@ PORTNAME= snmp PORTVERSION= 5.3.1 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= net-mgmt ipv6 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= net-snmp diff --git a/net-mgmt/net-snmp53/files/patch-CVE-2007-5846 b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846 new file mode 100644 index 00000000000..f3bc3e56673 --- /dev/null +++ b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846 @@ -0,0 +1,105 @@ +Index: man/snmpd.conf.5.def +=================================================================== +--- man/snmpd.conf.5.def (revision 16338) ++++ man/snmpd.conf.5.def (working copy) +@@ -71,6 +71,28 @@ + .IP "leave_pidfile yes" + instructs the agent to not remove its pid file on shutdown. Equivalent to + specifying "-U" on the command line. ++.IP "maxGetbulkRepeats NUM" ++Sets the maximum number of responses allowed for a single variable in ++a getbulk request. Set to 0 to enable the default and set it to -1 to ++enable unlimited. Because memory is allocated ahead of time, sitting ++this to unlimited is not considered safe if your user population can ++not be trusted. A repeat number greater than this will be truncated ++to this value. ++.IP ++This is set by default to -1. ++.IP "maxGetbulkResponses NUM" ++Sets the maximum number of responses allowed for a getbulk request. ++This is set by default to 100. Set to 0 to enable the default and set ++it to -1 to enable unlimited. Because memory is allocated ahead of ++time, sitting this to unlimited is not considered safe if your user ++population can not be trusted. ++.IP ++In general, the total number of responses will not be allowed to ++exceed the maxGetbulkResponses number and the total number returned ++will be an integer multiple of the number of variables requested times ++the calculated number of repeats allow to fit below this number. ++.IP ++Also not that processing of maxGetbulkRepeats is handled first. + .SS SNMPv3 Configuration + SNMPv3 requires an SNMP agent to define a unique "engine ID" + in order to respond to SNMPv3 requests. +Index: include/net-snmp/agent/ds_agent.h +=================================================================== +--- include/net-snmp/agent/ds_agent.h (revision 16338) ++++ include/net-snmp/agent/ds_agent.h (working copy) +@@ -59,5 +59,7 @@ + #define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */ + #define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */ + #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */ ++#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */ ++#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */ + + #endif +Index: agent/snmp_agent.c +=================================================================== +--- agent/snmp_agent.c (revision 16338) ++++ agent/snmp_agent.c (working copy) +@@ -2156,7 +2156,6 @@ + * getbulk prep + */ + int count = count_varbinds(asp->pdu->variables); +- + if (asp->pdu->errstat < 0) { + asp->pdu->errstat = 0; + } +@@ -2173,8 +2172,37 @@ + r = 0; + asp->bulkcache = NULL; + } else { ++ int numresponses; ++ int maxbulk = ++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); ++ int maxresponses = ++ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES); ++ ++ if (maxresponses == 0) ++ maxresponses = 100; /* more than reasonable default */ ++ ++ if (maxbulk == 0) ++ maxbulk = -1; ++ ++ /* limit getbulk number of repeats to a configured size */ ++ if (asp->pdu->errindex > maxbulk && maxbulk != -1) { ++ asp->pdu->errindex = maxbulk; ++ } ++ ++ numresponses = asp->pdu->errindex * r; ++ ++ /* limit getbulk number of getbulk responses to a configured size */ ++ if (maxresponses != -1 && numresponses > maxresponses) { ++ /* attempt to truncate this */ ++ asp->pdu->errindex = maxresponses/r; ++ numresponses = asp->pdu->errindex * r; ++ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex)); ++ } ++ + asp->bulkcache = +- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r * ++ (netsnmp_variable_list **) malloc(numresponses * + sizeof(struct + varbind_list *)); + if (!asp->bulkcache) { +@@ -2184,6 +2212,8 @@ + } + DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n", + n, asp->pdu->errindex, r)); ++ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n", ++ n, asp->pdu->errindex, r); + } + + /* diff --git a/net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c new file mode 100644 index 00000000000..7400bec0140 --- /dev/null +++ b/net-mgmt/net-snmp53/files/patch-CVE-2007-5846-agent_read_config.c @@ -0,0 +1,15 @@ +--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900 ++++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900 +@@ -255,6 +255,12 @@ + netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile", + NETSNMP_DS_APPLICATION_ID, + NETSNMP_DS_AGENT_LEAVE_PIDFILE); ++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats", ++ NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS); ++ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses", ++ NETSNMP_DS_APPLICATION_ID, ++ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES); + netsnmp_init_handler_conf(); + + #include "agent_module_dot_conf.h" diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index ce9f10e41c1..59d7aaf0f38 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,31 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="92f86b93-923f-11dc-a2bf-02e081235dab"> + <topic>net-snmp -- denial of service via GETBULK request</topic> + <affects> + <package> + <name>net-snmp</name> + <range><lt>5.3.1_7</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>CVE reports:</p> + <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846"> + <p>The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value..</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2007-5846</cvename> + </references> + <dates> + <discovery>2007-11-06</discovery> + <entry>2007-11-13</entry> + </dates> + </vuln> + <vuln vid="ff65eecb-91e4-11dc-bd6c-0016179b2dd5"> <topic>flac -- media file processing integer overflow vulnerabilities</topic> <affects> |