2020-05-06 05:07:45 |
ankur |
bug |
|
|
added bug |
2020-05-07 16:34:17 |
Paride Legovini |
net-snmp (Ubuntu): status |
New |
Incomplete |
|
2020-05-14 14:16:03 |
Paride Legovini |
net-snmp (Ubuntu): status |
Incomplete |
Triaged |
|
2020-05-14 14:25:35 |
Paride Legovini |
net-snmp (Ubuntu): importance |
Undecided |
High |
|
2020-05-14 14:28:49 |
Paride Legovini |
bug |
|
|
added subscriber Paride Legovini |
2020-05-14 14:28:56 |
Paride Legovini |
bug |
|
|
added subscriber Ubuntu Server |
2020-05-14 14:29:04 |
Paride Legovini |
tags |
|
server-next |
|
2020-06-11 14:45:45 |
Ken Mix |
bug |
|
|
added subscriber Ken Mix |
2020-06-11 20:36:07 |
clerum |
bug |
|
|
added subscriber clerum |
2020-06-18 00:41:44 |
Sergio Durigan Junior |
net-snmp (Ubuntu): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2020-06-23 18:14:24 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Groovy |
|
2020-06-23 18:14:24 |
Sergio Durigan Junior |
bug task added |
|
net-snmp (Ubuntu Groovy) |
|
2020-06-23 18:14:24 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Focal |
|
2020-06-23 18:14:24 |
Sergio Durigan Junior |
bug task added |
|
net-snmp (Ubuntu Focal) |
|
2020-06-23 18:14:32 |
Sergio Durigan Junior |
net-snmp (Ubuntu Focal): status |
New |
Confirmed |
|
2020-06-23 18:14:35 |
Sergio Durigan Junior |
net-snmp (Ubuntu Groovy): status |
Triaged |
Confirmed |
|
2020-06-23 18:14:41 |
Sergio Durigan Junior |
net-snmp (Ubuntu Focal): importance |
Undecided |
High |
|
2020-06-23 18:14:44 |
Sergio Durigan Junior |
net-snmp (Ubuntu Focal): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
2020-06-23 20:09:55 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/net-snmp/+git/net-snmp/+merge/386281 |
|
2020-06-23 20:25:50 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/net-snmp/+git/net-snmp/+merge/386283 |
|
2020-06-23 20:41:27 |
Sergio Durigan Junior |
description |
Logs:
Apr 30 19:39:11 snmpd[1895]: Cannot adopt OID in UCD-SNMP-MIB: laIndex ::= { laEntry 1 }
Apr 30 19:39:11 snmpd[1895]: /etc/snmp/snmpd.conf: line 157: Warning: Unknown token: defaultMonitors.
Apr 30 19:39:11 snmpd[1895]: /etc/snmp/snmpd.conf: line 160: Warning: Unknown token: linkUpDownNotifications.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 34: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 35: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 36: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 37: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 38: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 39: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 40: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: Error opening specified endpoint "udp:161"
Apr 30 19:39:11 snmpd[1895]: Server Exiting with code 1 |
[Impact]
When the user requests a bulkget operation using the snmpv3 protocol, and this operation errors out, snmpd will experience a double free error and will abort. This will obviously be very annoying to the user, because from the client side it is not possible to determine why the server suddenly stopped responding.
Upstream has fixed this problem already, albeit it took several patches to get everything right. The fix involved redesigning how a specific struct is manipulated internally, including the addition of a refcount mechanism.
[Test Case]
To reproduce the issue, one can do:
$ lxc launch ubuntu-daily:focal net-snmp-bug1877027-focal
$ lxc shell net-snmp-bug1877027-focal
# apt update
# apt install -y snmpd snmp
# systemctl stop snmpd.service
# cat >> /var/lib/snmp/snmpd.conf << __EOF__
createUser testuser SHA "testpass" AES "testpass"
__EOF__
# cat >> /etc/snmp/snmpd.conf << __EOF__
rwuser testuser
__EOF__
# systemct start snmpd.service
# snmpbulkget -v3 -Cn1 -Cr1472 -l authPriv -u testuser -a SHA -A testpass -x AES -X testpass 127.0.0.1 1.3.6.1.2.1.1.5 1.3.6.1.2.1.1.7
You can check that snmpd crashed by doing:
# systemctl status snmpd.service
[Regression Potential]
Due to the fact that several patches needed to be backported to fix this issue, and that parts of the code had to be redesign in order to guarantee that nothing is being freed twice, there exists the possibility of encountering a regression when dealing with snmpv3, because most of the code that was touched was there to deal with security states of the protocol.
I took a non-trivial amount of time to review the patches and make sure that they are as contained as possible, and I am satisfied with the approach taken by upstream.
[Other Info]
It is interesting to note that when the bug is fixed, the "snmpbulkget" command will fail with:
Error in packet.
Reason: (genError) A general failure occured
This is expected, and upstream also shows this error.
[Original Description]
Logs:
Apr 30 19:39:11 snmpd[1895]: Cannot adopt OID in UCD-SNMP-MIB: laIndex ::= { laEntry 1 }
Apr 30 19:39:11 snmpd[1895]: /etc/snmp/snmpd.conf: line 157: Warning: Unknown token: defaultMonitors.
Apr 30 19:39:11 snmpd[1895]: /etc/snmp/snmpd.conf: line 160: Warning: Unknown token: linkUpDownNotifications.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 34: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 35: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 36: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 37: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 38: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 39: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: /var/lib/snmp/snmpd.conf: line 40: Warning: Unknown token: _mteTTable.
Apr 30 19:39:11 snmpd[1895]: Error opening specified endpoint "udp:161"
Apr 30 19:39:11 snmpd[1895]: Server Exiting with code 1 |
|
2020-06-24 14:24:05 |
Andreas Hasenack |
information type |
Public |
Public Security |
|
2020-06-24 18:15:37 |
Steve Beattie |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2020-06-24 21:41:49 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
2020-06-25 16:39:27 |
Steve Beattie |
cve linked |
|
2019-20892 |
|
2020-07-02 15:47:52 |
Launchpad Janitor |
net-snmp (Ubuntu Focal): status |
Confirmed |
Fix Released |
|
2020-07-03 01:07:38 |
Launchpad Janitor |
net-snmp (Ubuntu Groovy): status |
Confirmed |
Fix Released |
|