Ubuntu
net-snmp package

Merge ~sergiodj/ubuntu/+source/net-snmp:bug1912389-segv-cert-longer-512-bytes-hirsute into ubuntu/+source/net-snmp:ubuntu/hirsute-devel

  1. Git
  2. lp:~sergiodj/ubuntu/+source/net-snmp
  3. bug1912389-segv-cert-longer-512-bytes-hirsute
  4. Merge into ubuntu/hirsute-devel
Proposed by Sergio Durigan Junior
Status: Approved
Approved by: Sergio Durigan Junior
Approved revision: e0b7db537ae67053576d42571acccb3f47b36f3f
Proposed branch: ~sergiodj/ubuntu/+source/net-snmp:bug1912389-segv-cert-longer-512-bytes-hirsute
Merge into: ubuntu/+source/net-snmp:ubuntu/hirsute-devel
Diff against target: 143 lines (+115/-0)
4 files modified
debian/changelog (+12/-0)
debian/patches/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch (+31/-0)
debian/patches/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch (+70/-0)
debian/patches/series (+2/-0)
Reviewer Review Type Date Requested Status
Lucas Kanashiro (community) Approve
Canonical Server Core Reviewers Pending
Review via email: mp+403299@code.launchpad.net

Description of the change

This is the fix for bug 1912389 on Hirsute.

The bug is about snmpd segfaulting when two conditions are met:

1) Debug output is enabled (-D flag), and

2) The TLS certificate being used has an extension longer than 512 bytes.

The first condition is obviously easy to reproduce, but the second one is much trickier. After a while struggling with openssl and its very easy configuration (*ahem*), I was finally able to generate a self-signed certificate that triggers the issue. This is going to be an SRU for Hirsute, so I wrote detailed instructions on the bug; please take a look and let me know what you think.

The bug has been fixed upstream and is part of the new 5.9.1.rc1 release. Initially I thought about waiting to see if Debian would pick this up, but given that they're in freeze and the net-snmp maintainer didn't touch the package since last year, I decided to backport this to Impish/Hirsute just in case. Worst case scenario, Debian will release a new net-snmp and then we can drop these patches.

You can find the proposed packages on the following PPA:

https://launchpad.net/~sergiodj/+archive/ubuntu/net-snmp-bug1912389

autopkgtest is still happy:

autopkgtest [20:00:20]: @@@@@@@@@@@@@@@@@@@@ summary
command1 PASS

To post a comment you must log in.
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

LGTM, +1.

review: Approve
Reply
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Lucas.

Uploaded:

$ dput net-snmp_5.9+dfsg-3ubuntu1.21.04.1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/net-snmp/net-snmp_5.9+dfsg-3ubuntu1.21.04.1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/net-snmp/net-snmp_5.9+dfsg-3ubuntu1.21.04.1.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading net-snmp_5.9+dfsg-3ubuntu1.21.04.1.dsc: done.
  Uploading net-snmp_5.9+dfsg-3ubuntu1.21.04.1.debian.tar.xz: done.
  Uploading net-snmp_5.9+dfsg-3ubuntu1.21.04.1_source.buildinfo: done.
  Uploading net-snmp_5.9+dfsg-3ubuntu1.21.04.1_source.changes: done.
Successfully uploaded packages.

As usual, I'm not pushing the tag until the SRU team accepts the package.

Reply

Unmerged commits

e0b7db5... by Sergio Durigan Junior

changelog for 5.9+dfsg-3ubuntu1.21.04.1

2afb778... by Sergio Durigan Junior

  * Fix segmentation fault when certificate contains extension
    longer than 512 bytes (LP: #1912389)
    - d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch:
      Skip certificate if loading fails.
    - d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch:
      Make sure enough space is allocated for extensions longer than
      512 bytes.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index f5ff71b..2642f0f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+net-snmp (5.9+dfsg-3ubuntu1.21.04.1) hirsute; urgency=medium
7+
8+ * Fix segmentation fault when certificate contains extension
9+ longer than 512 bytes (LP: #1912389)
10+ - d/p/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch:
11+ Skip certificate if loading fails.
12+ - d/p/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch:
13+ Make sure enough space is allocated for extensions longer than
14+ 512 bytes.
15+
16+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Tue, 25 May 2021 19:09:11 -0400
17+
18 net-snmp (5.9+dfsg-3ubuntu1) hirsute; urgency=medium
19
20 * Merge with Debian unstable. Remaining changes:
21diff --git a/debian/patches/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch b/debian/patches/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch
22new file mode 100644
23index 0000000..52f3a59
24--- /dev/null
25+++ b/debian/patches/lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch
26@@ -0,0 +1,31 @@
27+From: Bart Van Assche <bvanassche@acm.org>
28+Date: Wed, 16 Dec 2020 19:36:55 -0800
29+Subject: libsnmp: Handle certificate loading errors gracefully
30+
31+Instead of crashing (SIGSEGV), skip certificates if loading fails.
32+
33+Reported-by: https://github.com/minfrin
34+Fixes: https://github.com/net-snmp/net-snmp/issues/233
35+
36+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/4c5d2ceae4d4a8b77db48fc8fff77e14943ff4d3
37+Applied-Upstream: 5.9.1.rc1
38+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1912389
39+Bug: https://github.com/net-snmp/net-snmp/issues/233
40+Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com>
41+---
42+ snmplib/snmp_openssl.c | 2 ++
43+ 1 file changed, 2 insertions(+)
44+
45+diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
46+index 01d72af..22be003 100644
47+--- a/snmplib/snmp_openssl.c
48++++ b/snmplib/snmp_openssl.c
49+@@ -499,6 +499,8 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
50+ extension_name = OBJ_nid2sn(nid);
51+ buf_len = sizeof(buf);
52+ str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
53++ if (!str)
54++ continue;
55+ lf = strchr(str, '\n'); /* look for multiline strings */
56+ if (NULL != lf)
57+ *lf = '\0'; /* only log first line of multiline here */
58diff --git a/debian/patches/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch b/debian/patches/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch
59new file mode 100644
60index 0000000..1844823
61--- /dev/null
62+++ b/debian/patches/lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch
63@@ -0,0 +1,70 @@
64+From: minfrin <minfrin@users.noreply.github.com>
65+Date: Thu, 17 Dec 2020 12:25:24 +0000
66+Subject: libsnmp, SSL: Increase extension buffer size to prevent a crash
67+
68+Make sure enough space is allocated for extensions longer than 512 bytes. Fix
69+the error message when the extension is too long to clearly differentiate the
70+error from the out of memory case. Fix a crash when the extension is too long.
71+
72+[ bvanassche: edited patch description / fixed an off-by-one error / undid a
73+ code formatting change ]
74+
75+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/bb30f8ee0075750fd3648a6bf3fab543f46152ed
76+Applied-Upstream: 5.9.1.rc1
77+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1912389
78+Bug: https://github.com/net-snmp/net-snmp/issues/233
79+Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com>
80+---
81+ snmplib/snmp_openssl.c | 17 +++++++++++------
82+ 1 file changed, 11 insertions(+), 6 deletions(-)
83+
84+diff --git a/snmplib/snmp_openssl.c b/snmplib/snmp_openssl.c
85+index 22be003..7d6db6a 100644
86+--- a/snmplib/snmp_openssl.c
87++++ b/snmplib/snmp_openssl.c
88+@@ -290,8 +290,11 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int *len, int flags)
89+
90+ space = BIO_get_mem_data(bio, &data);
91+ if (buf && *buf) {
92+- if (*len < space)
93+- buf_ptr = NULL;
94++ if (*len < space + 1) {
95++ snmp_log(LOG_ERR, "not enough buffer space to print extension\n");
96++ BIO_vfree(bio);
97++ return NULL;
98++ }
99+ else
100+ buf_ptr = *buf;
101+ }
102+@@ -299,8 +302,7 @@ _cert_get_extension(X509_EXTENSION *oext, char **buf, int *len, int flags)
103+ buf_ptr = calloc(1,space + 1);
104+
105+ if (!buf_ptr) {
106+- snmp_log(LOG_ERR,
107+- "not enough space or error in allocation for extenstion\n");
108++ snmp_log(LOG_ERR, "error in allocation for extension\n");
109+ BIO_vfree(bio);
110+ return NULL;
111+ }
112+@@ -479,7 +481,7 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
113+ {
114+ X509_EXTENSION *extension;
115+ const char *extension_name;
116+- char buf[SNMP_MAXBUF_SMALL], *buf_ptr = buf, *str, *lf;
117++ char buf[SNMP_MAXBUF], *buf_ptr = buf, *str, *lf;
118+ int i, num_extensions, buf_len, nid;
119+
120+ if (NULL == ocert)
121+@@ -499,8 +501,11 @@ netsnmp_openssl_cert_dump_extensions(X509 *ocert)
122+ extension_name = OBJ_nid2sn(nid);
123+ buf_len = sizeof(buf);
124+ str = _cert_get_extension_str_at(ocert, i, &buf_ptr, &buf_len, 0);
125+- if (!str)
126++ if (!str) {
127++ DEBUGMSGT(("9:cert:dump", " %2d: %s\n", i,
128++ extension_name));
129+ continue;
130++ }
131+ lf = strchr(str, '\n'); /* look for multiline strings */
132+ if (NULL != lf)
133+ *lf = '\0'; /* only log first line of multiline here */
134diff --git a/debian/patches/series b/debian/patches/series
135index 13e1907..970ec14 100644
136--- a/debian/patches/series
137+++ b/debian/patches/series
138@@ -37,3 +37,5 @@ snmpd_conf_5_ro_extend
139 Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
140 pkgconfig_install_mode
141 perl_makefile_man3pods
142+lp1912389-libsnmp-Handle-certificate-loading-errors-gracefully.patch
143+lp1912389-libsnmp-SSL-Increase-extension-buffer-size-to-preven.patch

Subscribers

People subscribed via source and target branches