[net-snmp/f16] fixed CVE-2012-2141: Array index error, leading to out-of heap-based buffer read Resolves: #816549

Jan Šafránek jsafrane at fedoraproject.org
Mon Oct 22 08:22:34 UTC 2012


commit a151384dba78a321dc0b8163d43ee5bd6c5a218e
Author: Jan Safranek <jsafrane at redhat.com>
Date:   Mon Oct 22 10:09:43 2012 +0200

    fixed CVE-2012-2141: Array index error, leading to out-of heap-based buffer read
    Resolves: #816549

 net-snmp-5.7-CVE-2012-2141.patch |   21 +++++++++++++++++++++
 net-snmp.spec                    |    4 ++++
 2 files changed, 25 insertions(+), 0 deletions(-)
---
diff --git a/net-snmp-5.7-CVE-2012-2141.patch b/net-snmp-5.7-CVE-2012-2141.patch
new file mode 100644
index 0000000..569fd5a
--- /dev/null
+++ b/net-snmp-5.7-CVE-2012-2141.patch
@@ -0,0 +1,21 @@
+commit 4c5633f1603e4bd03ed05c37d782ec8911759c47
+Author: Robert Story <rstory at freesnmp.com>
+Date:   Mon May 14 11:40:06 2012 -0400
+
+    NEWS: snmp: BUG: 3526549: CVE-2012-2141 Array index error leading to crash
+
+diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c
+index d00475f..1f8586a 100644
+--- a/agent/mibgroup/agent/extend.c
++++ b/agent/mibgroup/agent/extend.c
+@@ -1299,6 +1299,10 @@ handle_nsExtendOutput2Table(netsnmp_mib_handler          *handler,
+                  * Determine which line we've been asked for....
+                  */
+                 line_idx = *table_info->indexes->next_variable->val.integer;
++                if (line_idx < 1 || line_idx > extension->numlines) {
++                    netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE);
++                    continue;
++                }
+                 cp  = extension->lines[line_idx-1];
+ 
+                 /* 
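Review bot: The new range check on line_idx in handle_nsExtendOutput2Table has no comment explaining that the value comes from the request's table index and is 1-based, which is why `line_idx < 1 || line_idx > extension->numlines` must run before `extension->lines[line_idx-1]`. A one-line comment above the `if` would keep a later cleanup from dropping it. The check also covers the numlines == 0 case, since any index of 1 or more is then rejected. Separately, the context line above still dereferences `table_info->indexes->next_variable->val.integer` before any validation visible in this hunk, so it is worth confirming that next_variable cannot be NULL on this path.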
diff --git a/net-snmp.spec b/net-snmp.spec
index 3286e40..9600feb 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -41,6 +41,7 @@ Patch9: net-snmp-5.7.1-systemd.patch
 Patch10: net-snmp-5.7-libtool.patch
 Patch11: net-snmp-5.7-mibs-perl-linking.patch
 Patch12: net-snmp-5.7-hrStorage-units.patch
+Patch13: net-snmp-5.7-CVE-2012-2141.patch
 
 Requires(post): chkconfig
 Requires(preun): chkconfig
@@ -205,6 +206,7 @@ The net-snmp-sysvinit package provides SysV init scripts for Net-SNMP daemons.
 %patch10 -p1 -b .libtool
 %patch11 -p1 -b .mibs-perl
 %patch12 -p1 -b .hrStorage-units
+%patch13 -p1 -b .CVE-2012-2141
 
 %ifarch sparc64 s390 s390x
 # disable failing test - see https://bugzilla.redhat.com/show_bug.cgi?id=680697
@@ -513,6 +515,8 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Mon Oct 22 2012 Jan Safranek <jsafrane at redhat.com> - 1:5.7.1-3
 - fixed units in hrStorageTable and hrFSTable (#789441)
+- fixed CVE-2012-2141: Array index error, leading to out-of heap-based
+  buffer read
 
 * Wed Oct  5 2011 Jan Safranek <jsafrane at redhat.com> - 1:5.7.1-2
 - fixed perl linking (#742678)
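Review bot: The added %changelog entry omits the bug number, although the neighbouring entries carry theirs ("(#789441)", "(#742678)") and the commit message says "Resolves: #816549"; append "(#816549)" to the entry. The entry is also added to the existing 1:5.7.1-3 block and no Release change appears in this diff, so confirm that 5.7.1-3 has not already been built, otherwise the fix needs a new release number. The phrase "out-of heap-based buffer read" reads as if a word is missing.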

