snmpd reads from uninitialised memory

Bug #1308559 reported by Sander Steffann
Affects             Status        Importance  Assigned to  Milestone
net-snmp (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

All net-snmp-5.4 versions give bogus data when returning the ipAddressPrefix for IPv4 addresses:

ipAddressPrefix.ipv4."94.142.242.194" = ipAddressPrefixOrigin.2.ipv4."88.0.0.0".5
ipAddressPrefix.ipv4."127.0.0.1" = ipAddressPrefixOrigin.1.ipv4."51.101.48.0".0

While the real situation is completely different:

$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 94.142.242.194/29 brd 94.142.242.199 scope global eth0

This seems to be caused by an (open) bug in net-snmp:
http://sourceforge.net/p/net-snmp/bugs/2251/

This seems to cause net-snmp to read from uninitialised memory, which can be a security issue (see the recent heartbleed mess, although this seems much less severe).

As this is a serious problem, but upstream has had this issue open for years, please fix this for the LTS releases.

information type: Private Security → Public
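The check a packager would want to run against the class of defect reported above, added here as an example and not taken from net-snmp or from the linked upstream commit: a netmask-to-prefix-length helper that only ever reads the bytes the address family actually occupies, shown next to the fragile pattern of walking a larger, partly written buffer, which is how an IPv4 mask of /8 can come back as something other than 8. The function names `contiguous_prefix_len`, `ipv4_mask_to_prefix`, `naive_prefix_len` and `demo_stale_bytes` are assumptions, and the 0xA5 fill is a constructed stand-in for stale stack contents so the wrong result is reproducible instead of depending on undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical helper (not net-snmp's prefix_len): count the leading one bits of
 * a netmask that is exactly mask_len bytes long. Every read stays inside
 * [0, mask_len). Returns -1 for a non-contiguous mask such as 255.0.255.0. */
int contiguous_prefix_len(const uint8_t *mask, size_t mask_len)
{
    int bits = 0;
    size_t i = 0;

    /* whole 0xff bytes */
    for (; i < mask_len && mask[i] == 0xff; i++)
        bits += 8;

    if (i < mask_len) {
        uint8_t b = mask[i];
        /* leading ones of the partial byte */
        while (b & 0x80) { bits++; b <<= 1; }
        if (b != 0)
            return -1;              /* a one bit after a zero bit */
        for (i++; i < mask_len; i++)
            if (mask[i] != 0)
                return -1;          /* trailing bytes must be all zero */
    }
    return bits;
}

/* Parse a dotted-quad netmask and return its prefix length, or -1 on error. */
int ipv4_mask_to_prefix(const char *dotted)
{
    struct in_addr a;
    uint8_t mask[4];

    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    memcpy(mask, &a.s_addr, sizeof mask);   /* network byte order: mask[0] is the first octet */
    return contiguous_prefix_len(mask, sizeof mask);
}

/* The fragile pattern: counting mask bits over the full buffer instead of the
 * address family's length. For an IPv4 mask stored in a 16-byte buffer the
 * last 12 bytes hold whatever was there before, and they get counted too. */
int naive_prefix_len(const uint8_t *buf, size_t buf_len)
{
    int bits = 0;
    for (size_t i = 0; i < buf_len; i++)
        for (uint8_t b = buf[i]; b; b &= (uint8_t)(b - 1))
            bits++;
    return bits;
}

/* Deterministic reproduction (constructed): 0xA5 = 1010 0101 stands in for
 * stale bytes, so the 12 unwritten bytes add 12 * 4 = 48 bogus bits. */
int demo_stale_bytes(void)
{
    uint8_t buf[16];
    const uint8_t v4mask[4] = { 255, 0, 0, 0 };   /* 127.0.0.1/8 from the report */

    memset(buf, 0xA5, sizeof buf);   /* simulate an uninitialised buffer */
    memcpy(buf, v4mask, sizeof v4mask);   /* only the IPv4 part is written */
    return naive_prefix_len(buf, sizeof buf);   /* 8 + 48 = 56 instead of 8 */
}

int main(void)
{
    /* the two addresses from the bug report's `ip -4 addr` output */
    printf("127.0.0.1 mask 255.0.0.0        -> /%d\n", ipv4_mask_to_prefix("255.0.0.0"));
    printf("94.142.242.194 mask 255.255.255.248 -> /%d\n", ipv4_mask_to_prefix("255.255.255.248"));
    printf("non-contiguous 255.0.255.0      -> %d (rejected)\n", ipv4_mask_to_prefix("255.0.255.0"));
    printf("naive count over stale buffer   -> /%d (garbage)\n", demo_stale_bytes());
    return 0;
}
```

The second half of the block is the point for reviewers of the upstream patch: a correct result for the bounded helper and garbage for the unbounded one come from the same four mask bytes, so a test that only checks the happy path on a freshly zeroed buffer would not have caught the reported behaviour.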
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The upstream bug and patch look helpful, and the fix seems trivial. Marking for attention of the security team.

information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote :

We typically won't take patches that upstream hasn't commented on, but I agree the patch seems pretty straightforward. Since Sander commented upstream, let's see what they have to say.

Changed in net-snmp (Ubuntu):
status: New → Confirmed
Sander Steffann (sander-steffann) wrote :

Jamie: a comment has arrived :)

It is: "This has been fixed in the current versions in the repository, where the prefix_len function has been rewritten to work as documented."

There is already a fix on the 5.4-patches branch: https://sourceforge.net/p/net-snmp/code/ci/ec96b35d5060c09b9f53d4dec73fb7965c2ac145/

No idea when/if there will be a net-snmp-5.4.5 release with this patch in it though...

Sergio Durigan Junior (sergiodj) wrote :

This has been fixed a while ago, so I'm closing the bug. Feel free to reopen if you consider it's still valid.

Changed in net-snmp (Ubuntu):
status: Confirmed → Fix Released