mirror of https://git.FreeBSD.org/ports.git synced 2024-12-25 04:43:33 +00:00

o Add a patch for CVE-2007-5846, and add an entry for vuxml.

Approved by:  portmgr (marcus)
Jun Kuriyama 2007-11-14 05:45:24 +00:00
parent a0319a48de
commit c81bd82f43
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=202696
10 changed files with 388 additions and 3 deletions


@ -7,7 +7,7 @@
PORTNAME= snmp
PORTVERSION= 5.3.1
PORTREVISION= 6
PORTREVISION= 7
CATEGORIES= net-mgmt ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= net-snmp


@ -0,0 +1,105 @@
Index: man/snmpd.conf.5.def
===================================================================
--- man/snmpd.conf.5.def (revision 16338)
+++ man/snmpd.conf.5.def (working copy)
@@ -71,6 +71,28 @@
.IP "leave_pidfile yes"
instructs the agent to not remove its pid file on shutdown. Equivalent to
specifying "-U" on the command line.
+.IP "maxGetbulkRepeats NUM"
+Sets the maximum number of responses allowed for a single variable in
+a getbulk request. Set to 0 to enable the default and set it to -1 to
+enable unlimited. Because memory is allocated ahead of time, sitting
+this to unlimited is not considered safe if your user population can
+not be trusted. A repeat number greater than this will be truncated
+to this value.
+.IP
+This is set by default to -1.
+.IP "maxGetbulkResponses NUM"
+Sets the maximum number of responses allowed for a getbulk request.
+This is set by default to 100. Set to 0 to enable the default and set
+it to -1 to enable unlimited. Because memory is allocated ahead of
+time, sitting this to unlimited is not considered safe if your user
+population can not be trusted.
+.IP
+In general, the total number of responses will not be allowed to
+exceed the maxGetbulkResponses number and the total number returned
+will be an integer multiple of the number of variables requested times
+the calculated number of repeats allow to fit below this number.
+.IP
+Also not that processing of maxGetbulkRepeats is handled first.
.SS SNMPv3 Configuration
SNMPv3 requires an SNMP agent to define a unique "engine ID"
in order to respond to SNMPv3 requests.
Index: include/net-snmp/agent/ds_agent.h
===================================================================
--- include/net-snmp/agent/ds_agent.h (revision 16338)
+++ include/net-snmp/agent/ds_agent.h (working copy)
@@ -59,5 +59,7 @@
#define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */
#define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */
#define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */
+#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
+#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */
#endif
Index: agent/snmp_agent.c
===================================================================
--- agent/snmp_agent.c (revision 16338)
+++ agent/snmp_agent.c (working copy)
@@ -2156,7 +2156,6 @@
* getbulk prep
*/
int count = count_varbinds(asp->pdu->variables);
-
if (asp->pdu->errstat < 0) {
asp->pdu->errstat = 0;
}
@@ -2173,8 +2172,37 @@
r = 0;
asp->bulkcache = NULL;
} else {
+ int numresponses;
+ int maxbulk =
+ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+ int maxresponses =
+ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+
+ if (maxresponses == 0)
+ maxresponses = 100; /* more than reasonable default */
+
+ if (maxbulk == 0)
+ maxbulk = -1;
+
+ /* limit getbulk number of repeats to a configured size */
+ if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+ asp->pdu->errindex = maxbulk;
+ }
+
+ numresponses = asp->pdu->errindex * r;
+
+ /* limit getbulk number of getbulk responses to a configured size */
+ if (maxresponses != -1 && numresponses > maxresponses) {
+ /* attempt to truncate this */
+ asp->pdu->errindex = maxresponses/r;
+ numresponses = asp->pdu->errindex * r;
+ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+ }
+
asp->bulkcache =
- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
+ (netsnmp_variable_list **) malloc(numresponses *
sizeof(struct
varbind_list *));
if (!asp->bulkcache) {
@@ -2184,6 +2212,8 @@
}
DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
n, asp->pdu->errindex, r));
+ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
+ n, asp->pdu->errindex, r);
}
/*
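Review bot: In the `else` branch of the agent/snmp_agent.c hunk, the response cap is checked only after `numresponses = asp->pdu->errindex * r;` has been computed, so it relies on a product of the request-supplied repeat count fitting in `int numresponses`. With maxGetbulkRepeats at its default of -1 nothing bounds errindex before the multiply, and if the product wraps or is truncated (the type of errindex is not visible here) the `numresponses > maxresponses` test can see a small value while errindex stays large, so the malloc would presumably be sized out of step with the repeat count used after the hunk. Comparing before multiplying avoids this: `if (maxresponses != -1 && asp->pdu->errindex > maxresponses / r) asp->pdu->errindex = maxresponses / r;`, then compute numresponses; the unlimited (-1) settings would still need an upper bound tied to what malloc can hold. The `fprintf(stderr, ...)` added after the GETBULK DEBUGMSGTL call also prints on every request regardless of debug settings and looks like leftover debugging that should be dropped. The same patch file appears in two more file sections further down this page, and the enclosing function starts and ends outside the hunk.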


@ -0,0 +1,15 @@
--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900
+++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900
@@ -255,6 +255,12 @@
netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile",
NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_AGENT_LEAVE_PIDFILE);
+ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
netsnmp_init_handler_conf();
#include "agent_module_dot_conf.h"


@ -7,7 +7,7 @@
PORTNAME= snmp
PORTVERSION= 5.3.1
PORTREVISION= 6
PORTREVISION= 7
CATEGORIES= net-mgmt ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= net-snmp


@ -0,0 +1,105 @@
Index: man/snmpd.conf.5.def
===================================================================
--- man/snmpd.conf.5.def (revision 16338)
+++ man/snmpd.conf.5.def (working copy)
@@ -71,6 +71,28 @@
.IP "leave_pidfile yes"
instructs the agent to not remove its pid file on shutdown. Equivalent to
specifying "-U" on the command line.
+.IP "maxGetbulkRepeats NUM"
+Sets the maximum number of responses allowed for a single variable in
+a getbulk request. Set to 0 to enable the default and set it to -1 to
+enable unlimited. Because memory is allocated ahead of time, sitting
+this to unlimited is not considered safe if your user population can
+not be trusted. A repeat number greater than this will be truncated
+to this value.
+.IP
+This is set by default to -1.
+.IP "maxGetbulkResponses NUM"
+Sets the maximum number of responses allowed for a getbulk request.
+This is set by default to 100. Set to 0 to enable the default and set
+it to -1 to enable unlimited. Because memory is allocated ahead of
+time, sitting this to unlimited is not considered safe if your user
+population can not be trusted.
+.IP
+In general, the total number of responses will not be allowed to
+exceed the maxGetbulkResponses number and the total number returned
+will be an integer multiple of the number of variables requested times
+the calculated number of repeats allow to fit below this number.
+.IP
+Also not that processing of maxGetbulkRepeats is handled first.
.SS SNMPv3 Configuration
SNMPv3 requires an SNMP agent to define a unique "engine ID"
in order to respond to SNMPv3 requests.
Index: include/net-snmp/agent/ds_agent.h
===================================================================
--- include/net-snmp/agent/ds_agent.h (revision 16338)
+++ include/net-snmp/agent/ds_agent.h (working copy)
@@ -59,5 +59,7 @@
#define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */
#define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */
#define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */
+#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
+#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */
#endif
Index: agent/snmp_agent.c
===================================================================
--- agent/snmp_agent.c (revision 16338)
+++ agent/snmp_agent.c (working copy)
@@ -2156,7 +2156,6 @@
* getbulk prep
*/
int count = count_varbinds(asp->pdu->variables);
-
if (asp->pdu->errstat < 0) {
asp->pdu->errstat = 0;
}
@@ -2173,8 +2172,37 @@
r = 0;
asp->bulkcache = NULL;
} else {
+ int numresponses;
+ int maxbulk =
+ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+ int maxresponses =
+ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+
+ if (maxresponses == 0)
+ maxresponses = 100; /* more than reasonable default */
+
+ if (maxbulk == 0)
+ maxbulk = -1;
+
+ /* limit getbulk number of repeats to a configured size */
+ if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+ asp->pdu->errindex = maxbulk;
+ }
+
+ numresponses = asp->pdu->errindex * r;
+
+ /* limit getbulk number of getbulk responses to a configured size */
+ if (maxresponses != -1 && numresponses > maxresponses) {
+ /* attempt to truncate this */
+ asp->pdu->errindex = maxresponses/r;
+ numresponses = asp->pdu->errindex * r;
+ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+ }
+
asp->bulkcache =
- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
+ (netsnmp_variable_list **) malloc(numresponses *
sizeof(struct
varbind_list *));
if (!asp->bulkcache) {
@@ -2184,6 +2212,8 @@
}
DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
n, asp->pdu->errindex, r));
+ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
+ n, asp->pdu->errindex, r);
}
/*


@ -0,0 +1,15 @@
--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900
+++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900
@@ -255,6 +255,12 @@
netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile",
NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_AGENT_LEAVE_PIDFILE);
+ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
netsnmp_init_handler_conf();
#include "agent_module_dot_conf.h"


@ -7,7 +7,7 @@
PORTNAME= snmp
PORTVERSION= 5.3.1
PORTREVISION= 6
PORTREVISION= 7
CATEGORIES= net-mgmt ipv6
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= net-snmp


@ -0,0 +1,105 @@
Index: man/snmpd.conf.5.def
===================================================================
--- man/snmpd.conf.5.def (revision 16338)
+++ man/snmpd.conf.5.def (working copy)
@@ -71,6 +71,28 @@
.IP "leave_pidfile yes"
instructs the agent to not remove its pid file on shutdown. Equivalent to
specifying "-U" on the command line.
+.IP "maxGetbulkRepeats NUM"
+Sets the maximum number of responses allowed for a single variable in
+a getbulk request. Set to 0 to enable the default and set it to -1 to
+enable unlimited. Because memory is allocated ahead of time, sitting
+this to unlimited is not considered safe if your user population can
+not be trusted. A repeat number greater than this will be truncated
+to this value.
+.IP
+This is set by default to -1.
+.IP "maxGetbulkResponses NUM"
+Sets the maximum number of responses allowed for a getbulk request.
+This is set by default to 100. Set to 0 to enable the default and set
+it to -1 to enable unlimited. Because memory is allocated ahead of
+time, sitting this to unlimited is not considered safe if your user
+population can not be trusted.
+.IP
+In general, the total number of responses will not be allowed to
+exceed the maxGetbulkResponses number and the total number returned
+will be an integer multiple of the number of variables requested times
+the calculated number of repeats allow to fit below this number.
+.IP
+Also not that processing of maxGetbulkRepeats is handled first.
.SS SNMPv3 Configuration
SNMPv3 requires an SNMP agent to define a unique "engine ID"
in order to respond to SNMPv3 requests.
Index: include/net-snmp/agent/ds_agent.h
===================================================================
--- include/net-snmp/agent/ds_agent.h (revision 16338)
+++ include/net-snmp/agent/ds_agent.h (working copy)
@@ -59,5 +59,7 @@
#define NETSNMP_DS_AGENT_CACHE_TIMEOUT 10 /* default cache timeout */
#define NETSNMP_DS_AGENT_INTERNAL_VERSION 11 /* used by internal queries */
#define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12 /* used by internal queries */
+#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
+#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14 /* max getbulk respones */
#endif
Index: agent/snmp_agent.c
===================================================================
--- agent/snmp_agent.c (revision 16338)
+++ agent/snmp_agent.c (working copy)
@@ -2156,7 +2156,6 @@
* getbulk prep
*/
int count = count_varbinds(asp->pdu->variables);
-
if (asp->pdu->errstat < 0) {
asp->pdu->errstat = 0;
}
@@ -2173,8 +2172,37 @@
r = 0;
asp->bulkcache = NULL;
} else {
+ int numresponses;
+ int maxbulk =
+ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+ int maxresponses =
+ netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+
+ if (maxresponses == 0)
+ maxresponses = 100; /* more than reasonable default */
+
+ if (maxbulk == 0)
+ maxbulk = -1;
+
+ /* limit getbulk number of repeats to a configured size */
+ if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+ asp->pdu->errindex = maxbulk;
+ }
+
+ numresponses = asp->pdu->errindex * r;
+
+ /* limit getbulk number of getbulk responses to a configured size */
+ if (maxresponses != -1 && numresponses > maxresponses) {
+ /* attempt to truncate this */
+ asp->pdu->errindex = maxresponses/r;
+ numresponses = asp->pdu->errindex * r;
+ DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+ }
+
asp->bulkcache =
- (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
+ (netsnmp_variable_list **) malloc(numresponses *
sizeof(struct
varbind_list *));
if (!asp->bulkcache) {
@@ -2184,6 +2212,8 @@
}
DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
n, asp->pdu->errindex, r));
+ fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
+ n, asp->pdu->errindex, r);
}
/*


@ -0,0 +1,15 @@
--- agent/agent_read_config.c.orig 2006-04-21 07:15:41.000000000 +0900
+++ agent/agent_read_config.c 2007-11-14 07:49:18.676387454 +0900
@@ -255,6 +255,12 @@
netsnmp_ds_register_config(ASN_BOOLEAN, app, "leave_pidfile",
NETSNMP_DS_APPLICATION_ID,
NETSNMP_DS_AGENT_LEAVE_PIDFILE);
+ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+ netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
+ NETSNMP_DS_APPLICATION_ID,
+ NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
netsnmp_init_handler_conf();
#include "agent_module_dot_conf.h"


@ -34,6 +34,31 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="92f86b93-923f-11dc-a2bf-02e081235dab">
<topic>net-snmp -- denial of service via GETBULK request</topic>
<affects>
<package>
<name>net-snmp</name>
<range><lt>5.3.1_7</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>CVE reports:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5846">
<p>The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value..</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2007-5846</cvename>
</references>
<dates>
<discovery>2007-11-06</discovery>
<entry>2007-11-13</entry>
</dates>
</vuln>
<vuln vid="ff65eecb-91e4-11dc-bd6c-0016179b2dd5">
<topic>flac -- media file processing integer overflow vulnerabilities</topic>
<affects>