[Patch] SIGSEGV: crash when certificate contains extension longer than 512 bytes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Net-SNMP | Fix Released | Unknown | |
net-snmp (Ubuntu) | Fix Released | Medium | Sergio Durigan Junior |
Hirsute | Fix Released | Medium | Sergio Durigan Junior |
Impish | Fix Released | Medium | Sergio Durigan Junior |
Bug Description
[ Impact ]
Users can experience a segmentation fault on snmpd (part of net-snmp) when using a certificate that contains an extension longer than 512 bytes and debug output (-D) is enabled. Although this only happens when debugging, it seems to be pretty common to find certificates whose extensions are larger than 512 bytes.
[ Test Case ]
Below you can find a step-by-step procedure to reproduce the bug. Bear in mind that the "sed" command may be mangled due to Launchpad's text rendering.
$ lxc launch images:
$ lxc shell net-snmp-bug1912389
# apt update && apt install snmpd -y
# sed -i "s@^#\s*
# openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -nodes -sha256 -extensions usr_cert -subj '/CN=localhost' -config /etc/ssl/
# mkdir -p $HOME/.
# cp localhost.crt $HOME/.
# systemctl stop snmpd.service
# snmpd -DALL
...
not enough space or error in allocation for extenstion
Segmentation fault (core dumped)
#
[ Where problems could occur ]
The backported patches are very straightforward and only impact code that is run when debug (-D) is active. There is not much room for regression here, especially considering that this is a very recent version of the package that will very likely not be affected by newer rebuilds.
[ Original Description ]
When net-snmp is given a certificate with an extension that is longer than 512 characters, snmp crashes on startup.
Steps to Reproduce:
1. Configure net-snmp using an EV certificate from a CA (in this case Globalsign).
2. Start snmpd.
3.
Actual results:
[root@localhost tls]# systemctl status snmpd.service
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
Loaded: loaded (/usr/lib/
Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 16min ago
Process: 53269 ExecStart=
Main PID: 53269 (code=dumped, signal=SEGV)
Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Dec 16 21:21:58 localhost snmpd[53269]: refusing to read world readable or writable key /etc/snmp/
Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in allocation for extenstion
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited, code=dumped, status=11/SEGV
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result 'core-dump'.
Dec 16 21:21:59 localhost systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon..
Expected results:
Daemon starts without a crash.
Additional info:
Fix available here:
Related branches
- Lucas Kanashiro (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Diff: 143 lines (+115/-0), 4 files modified
debian/changelog (+12/-0)
debian/patches/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch (+31/-0)
debian/patches/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch (+70/-0)
debian/patches/series (+2/-0)
Changed in netsnmp:
status: Unknown → New
Changed in netsnmp:
status: New → Fix Released
Changed in net-snmp (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)
importance: Undecided → Medium
description: updated
no longer affects: net-snmp (Ubuntu Focal)
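The crash signature from the journal excerpt in the original description, turned into a log triage check: it flags snmpd SEGV exits that follow the extension-buffer message on the same host. This is an added example, not part of the original report or of net-snmp; the 10-second window, the `year` argument and the host `otherhost` are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Classic syslog layout, as in the journal excerpt from the report.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
# Message snmpd logs right before the crash (spelling as emitted by the daemon).
SIGNATURE = "not enough space or error in allocation for extenstion"
SEGV_EXIT = "snmpd.service: Main process exited, code=dumped, status=11/SEGV"

def find_extension_crashes(lines, window=timedelta(seconds=10), year=2020):
    """Return (host, snmpd_pid, crash_time) for each SEGV exit that follows the
    extension-buffer message on the same host within `window`.
    `window` and `year` are assumptions: syslog timestamps omit the year."""
    pending = {}   # host -> (snmpd pid, time the signature was logged)
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # skip lines in another layout
        stamp, host, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prog == "snmpd" and SIGNATURE in msg:
            pending[host] = (int(pid), when)
        elif prog == "systemd" and SEGV_EXIT in msg and host in pending:
            snmpd_pid, seen = pending.pop(host)
            if timedelta(0) <= when - seen <= window:
                hits.append((host, snmpd_pid, when))
    return hits

# Journal lines copied from the report, plus one constructed host ("otherhost")
# whose snmpd segfaults WITHOUT the signature and therefore must not match.
SAMPLE = """\
Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in allocation for extenstion
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited, code=dumped, status=11/SEGV
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result 'core-dump'.
Dec 16 21:30:02 otherhost systemd[1]: snmpd.service: Main process exited, code=dumped, status=11/SEGV
""".splitlines()

if __name__ == "__main__":
    for host, pid, when in find_extension_crashes(SAMPLE):
        print(f"{host}: snmpd[{pid}] crashed at {when:%b %d %H:%M:%S} "
              "after the extension-buffer error")
```

Hosts flagged this way are candidates for the fixed package; an snmpd crash without the preceding message has a different cause.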
Thanks for the bug report.
This should have been opened against net-snmp, and not nagios-plugins, right? I'm reassigning it to the proper package.
It seems to me that it's a valid bug, but it would be great to have a more detailed reproducer. I tried editing /etc/ssl/openssl.cnf and extending the "usr_cert" extension's "nsComment" field to a string that is really long. Then, I generated a self-signed x509 certificate using the "usr_cert" extension:
# openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -extensions usr_cert
Then I edited /etc/snmp/snmpd.conf and included a "localCert" parameter there:
[snmp] localCert /usr/local/share/ca-certificates/cert.crt
Finally, restarting the snmpd.service doesn't seem to trigger the bug. I wonder what I'm doing wrong here... Pointers and advice are appreciated.
Thanks.