Code review comment for ~sergiodj/ubuntu/+source/net-snmp:double-free-bug1877027-groovy

Sergio Durigan Junior (sergiodj) wrote :

On Wednesday, June 24 2020, Andreas Hasenack wrote:

> First pass:
> - please use full URLs for the Origin tag in the DEP3 header, it helps a lot to verify what upstream committed and what we are shipping

Ah, sorry about that. I have now updated the Origin tag with the
complete URL.

> - it's a bit troublesome that the bulk get command still fails. I'm by
> far not an snmp expert, but "error in packet" doesn't look like a
> normal error, but could indicate that something is corrupted, i.e.,
> another bug, maybe a new one, or introduced by these changes. Could
> you clarify with upstream, file a bug there, something like this?

Yep, I also found it strange, and went to great lengths to verify that
this was indeed "normal". As far as I have checked, the error is
expected in this case. The upstream binary (without any of our patches,
compiled directly from the V5-8-patches branch) also displays the error,
and the Fedora net-snmp package too.

I am trying to confirm with upstream that this is OK, and if they say
it's not then I will certainly file a bug.

> I also pinged #security, as I think this is a remote DoS that can be triggered by authenticated users.

Thanks.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
